Merge branch 'stix_no_random_ids' into hotfix-2.3.59

app/files/scripts/misp2cybox.py

@@ -1,4 +1,4 @@
-from cybox.core import Observable, ObservableComposition
+from cybox.core import Object, Observable, ObservableComposition
 from cybox.objects.file_object import File
 from cybox.objects.address_object import Address
 from cybox.objects.hostname_object import Hostname
@@ -40,7 +40,11 @@ def generateObservable(indicator, attribute):
         if (attribute["type"] in simple_type_to_method.keys()):
             action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
             if (action != None):
-                observable = action(attribute)
+                property = action(attribute)
+                object = Object(property)
+                object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
+                observable = Observable(object)
+                observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
                 indicator.add_observable(observable)
 
 def resolveFileObservable(attribute):
@@ -177,30 +181,44 @@ def resolvePatternObservable(attribute):
 # create an artifact object for the malware-sample type.
 def createArtifactObject(indicator, attribute):
     artifact = Artifact(data = attribute["data"])
-    indicator.add_observable(artifact)
+    artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
+    observable = Observable(artifact)
+    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
+    indicator.add_observable(observable)
 
 # return either a composition if data is set in attribute, or just an observable with a filename if it's not set
 def returnAttachmentComposition(attribute):
     file_object = File()
     file_object.file_name = attribute["value"]
+    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
     observable = Observable()
     if "data" in attribute:
         artifact = Artifact(data = attribute["data"])
-        composition = ObservableComposition(observables = [artifact, file_object])
+        artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
+        observable_artifact = Observable(artifact)
+        observable_artifact.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
+        observable_file = Observable(file_object)
+        observable_file.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-file-" + attribute["uuid"]
+        composition = ObservableComposition(observables = [observable_artifact, observable_file])
         observable.observable_composition = composition
     else:
         observable = Observable(file_object)
+    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
     if attribute["comment"] != "":
         observable.description = attribute["comment"]
     return observable
 
 # email-attachment are mapped to an email message observable that contains the attachment as a file object
-def generateEmailAttachmentObject(indicator, filename):
+def generateEmailAttachmentObject(indicator, attribute):
     file_object = File()
-    file_object.file_name = filename
+    file_object.file_name = attribute["value"]
     email = EmailMessage()
     email.attachments = Attachments()
     email.add_related(file_object, "Contains", inline=True)
+    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
     email.attachments.append(file_object.parent.id_)
-    indicator.observable = email
+    email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
+    observable = Observable(email)
+    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
+    indicator.observable = observable
 

app/files/scripts/misp2stix.py

@@ -129,7 +129,8 @@ def generateMainPackage(events):
 # generate a package for each event
 def generateEventPackage(event):
     package_name = namespace[1] + ':STIXPackage-' + event["Event"]["uuid"]
-    stix_package = STIXPackage(id_=package_name)
+    timestamp = getDateFromTimestamp(int(event["Event"]["timestamp"]))
+    stix_package = STIXPackage(id_=package_name, timestamp=timestamp)
     stix_header = STIXHeader()
     stix_header.title=event["Event"]["info"] + " (MISP Event #" + event["Event"]["id"] + ")"
     stix_header.package_intents="Threat Report"
@@ -185,7 +186,7 @@ def resolveAttributes(incident, ttps, attributes):
 def handleIndicatorAttribute(incident, ttps, attribute):
     indicator = generateIndicator(attribute)
     if attribute["type"] == "email-attachment":
-        generateEmailAttachmentObject(indicator, attribute["value"])
+        generateEmailAttachmentObject(indicator, attribute)
     else:
         generateObservable(indicator, attribute)
     if "data" in attribute:
@@ -230,14 +231,14 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
 
 # TTPs are only used to describe malware names currently (attribute with category Payload Type and type text/comment/other)
 def generateTTP(incident, attribute):
-    ttp = TTP()
+    ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
     ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
     setTLP(ttp, attribute["distribution"])
     ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
     if attribute["type"] == "vulnerability":
         vulnerability = Vulnerability()
         vulnerability.cve_id = attribute["value"]
-        et = ExploitTarget()
+        et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
         et.add_vulnerability(vulnerability)
         ttp.exploit_targets.append(et)
     else:
@@ -252,7 +253,7 @@ def generateTTP(incident, attribute):
 
 # Threat actors are currently only used for the category:attribution / type:(text|comment|other) attributes 
 def generateThreatActor(attribute):
-    ta = ThreatActor()
+    ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
     ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
     ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
     if attribute["comment"] != "":
@@ -263,7 +264,7 @@ def generateThreatActor(attribute):
 
 # generate the indicator and add the relevant information
 def generateIndicator(attribute):
-    indicator = Indicator()
+    indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
     indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
     if attribute["comment"] != "":
         indicator.description = attribute["comment"]
@@ -273,7 +274,7 @@ def generateIndicator(attribute):
     confidence_value = confidence_mapping.get(attribute["to_ids"], None)
     if confidence_value is None:
         return indicator
-    indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
+    indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
     return indicator
 
 # converts timestamp to the format used by STIX