From 8b89caf5b9714c90b418576679303ff9042d619b Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Tue, 24 Feb 2015 18:02:51 +0100
Subject: [PATCH 1/5] Use attribute uuid for cybox id's
---
 app/files/scripts/misp2cybox.py | 17 ++++++++++++-----
 app/files/scripts/misp2stix.py | 2 +-
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index 4579e3415..df3f5069b 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
@@ -1,4 +1,4 @@
-from cybox.core import Observable, ObservableComposition
+from cybox.core import Object, Observable, ObservableComposition
 from cybox.objects.file_object import File
 from cybox.objects.address_object import Address
 from cybox.objects.hostname_object import Hostname
@@ -40,7 +40,10 @@ def generateObservable(indicator, attribute):
 if (attribute["type"] in simple_type_to_method.keys()):
 action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
 if (action != None):
- observable = action(attribute)
+ object = Object(action(attribute))
+ object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + attribute["type"] + "-" + attribute["uuid"]
+ observable = Observable(object)
+ observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
 indicator.add_observable(observable)

 def resolveFileObservable(attribute):
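Review bot: The new lines in generateObservable rebind the builtin name `object` and reach into the module-private `cybox.utils.idgen.__generator` to obtain the namespace prefix; the patch-2 hunk on this same function repeats both and additionally shadows the builtin `property`. A public accessor (`cybox.utils.idgen.get_id_namespace_alias()`, if the installed python-cybox exposes it) wrapped in one module-level helper such as `def cybox_id(kind, attribute): return prefix + ":" + kind + "-" + attribute["uuid"]` would remove the copies of this expression that the rest of the series adds and keep the prefix logic in one place, which misp2stix.py currently derives separately from `namespace[1]`. `cybox.utils.idgen` is not among the imports touched in the first hunk, so confirm the module is imported elsewhere in the file, otherwise this line raises NameError at export time. Renaming the locals to `cybox_object` and `prop` avoids the shadowing.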
@@ -195,12 +198,16 @@ def returnAttachmentComposition(attribute):
 return observable

 # email-attachment are mapped to an email message observable that contains the attachment as a file object
-def generateEmailAttachmentObject(indicator, filename):
+def generateEmailAttachmentObject(indicator, attribute):
 file_object = File()
- file_object.file_name = filename
+ file_object.file_name = attribute["value"]
 email = EmailMessage()
 email.attachments = Attachments()
 email.add_related(file_object, "Contains", inline=True)
+ file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
 email.attachments.append(file_object.parent.id_)
- indicator.observable = email
+ email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
+ observable = Observable(email)
+ observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
+ indicator.observable = observable

diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index 28b0659d1..80bed3ce1 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -191,7 +191,7 @@ def handleIndicatorAttribute(incident, ttps, attribute):
 indicator = generateIndicator(attribute)
 indicator.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 if attribute["type"] == "email-attachment":
- generateEmailAttachmentObject(indicator, attribute["value"])
+ generateEmailAttachmentObject(indicator, attribute)
 else:
 generateObservable(indicator, attribute)
 if "data" in attribute:
From a4fd3b957a7b2e9ceaa09c3f4fc8aa560a7f4b3b Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Wed, 25 Feb 2015 09:50:00 +0100
Subject: [PATCH 2/5] Use property class name in object ID
---
 app/files/scripts/misp2cybox.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
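Review bot: The position of the new `file_object.parent.id_` assignment in generateEmailAttachmentObject is load-bearing but uncommented: the context line right after it, `email.attachments.append(file_object.parent.id_)`, captures the id value at that moment, so moving the assignment below it would leave the attachment reference pointing at an auto-generated id that no longer matches the File object's final id. A one-line comment such as `# fix the File object's id before the attachments list captures it` would protect that ordering. The signature change from `filename` to `attribute` is matched by the single call site updated in the misp2stix.py hunk below; any other caller not visible here would still pass a string and fail on `attribute["value"]`.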
diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index df3f5069b..046bd5aa5 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
@@ -40,8 +40,9 @@ def generateObservable(indicator, attribute):
 if (attribute["type"] in simple_type_to_method.keys()):
 action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
 if (action != None):
- object = Object(action(attribute))
- object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + attribute["type"] + "-" + attribute["uuid"]
+ property = action(attribute)
+ object = Object(property)
+ object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
 observable = Observable(object)
 observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
 indicator.add_observable(observable)
From bff42361ef7e23600ecfbea77075700601d342ef Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Wed, 4 Mar 2015 17:07:32 +0100
Subject: [PATCH 3/5] Consistent id's for observable compositions
---
 app/files/scripts/misp2cybox.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index 046bd5aa5..bbda17ffd 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
@@ -187,13 +187,20 @@ def createArtifactObject(indicator, attribute):
 def returnAttachmentComposition(attribute):
 file_object = File()
 file_object.file_name = attribute["value"]
+ file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
 observable = Observable()
 if "data" in attribute:
 artifact = Artifact(data = attribute["data"])
- composition = ObservableComposition(observables = [artifact, file_object])
+ artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
+ observable_artifact = Observable(artifact)
+ observable_artifact.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
+ observable_file = Observable(file_object)
+ observable_file.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-file-" + attribute["uuid"]
+ composition = ObservableComposition(observables = [observable_artifact, observable_file])
 observable.observable_composition = composition
 else:
 observable = Observable(file_object)
+ observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
 if attribute["comment"] != "":
 observable.description = attribute["comment"]
 return observable
From 2a56a00e88825d0d05d09524ca12aca7bf2afc35 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Wed, 4 Mar 2015 17:28:44 +0100
Subject: [PATCH 4/5] Consistent id's for malware-sample artifacts
---
 app/files/scripts/misp2cybox.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index bbda17ffd..5e12e7f17 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
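Review bot: In the `if "data" in attribute` branch of returnAttachmentComposition, the outer `observable = Observable()` that carries the composition is never given an explicit `id_`, so it still receives a generated id while every nested object now has a uuid-derived one — the one element left inconsistent by a commit titled "Consistent id's for observable compositions". Assigning `observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]` once after the if/else, and dropping the copy added inside the `else` branch, covers both paths because the else branch rebinds `observable` before that point. The `artifact-` and `observable-artifact-` suffixes chosen here are reused by createArtifactObject in the next patch; see the note on that hunk.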
@@ -181,7 +181,10 @@ def resolvePatternObservable(attribute):
 # create an artifact object for the malware-sample type.
 def createArtifactObject(indicator, attribute):
 artifact = Artifact(data = attribute["data"])
- indicator.add_observable(artifact)
+ artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
+ observable = Observable(artifact)
+ observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
+ indicator.add_observable(observable)

 # return either a composition if data is set in attribute, or just an observable with a filename if it's not set
 def returnAttachmentComposition(attribute):
From 7f201fdf817084630fd7c9bbe2b8a157d384a3c9 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Thu, 5 Mar 2015 13:26:13 +0100
Subject: [PATCH 5/5] Consistent timestamps for STIX objects
---
 app/files/scripts/misp2stix.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index 80bed3ce1..e748eaee9 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -134,7 +134,8 @@ def generateMainPackage(events):
 # generate a package for each event
 def generateEventPackage(event):
 package_name = namespace[1] + ':STIXPackage-' + event["Event"]["uuid"]
- stix_package = STIXPackage(id_=package_name)
+ timestamp = getDateFromTimestamp(int(event["Event"]["timestamp"]))
+ stix_package = STIXPackage(id_=package_name, timestamp=timestamp)
 stix_header = STIXHeader()
 stix_header.title="MISP event #" + event["Event"]["id"] + " uuid: " + event["Event"]["uuid"]
 stix_header.package_intents="Threat Report"
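Review bot: createArtifactObject now emits the ids `artifact-<uuid>` and `observable-artifact-<uuid>`, the exact scheme returnAttachmentComposition uses in its composition branch in the previous patch. If both functions can run for the same malware-sample attribute within one package — not decidable from these hunks — the document would contain duplicate xs:ID values and fail schema validation at the consumer; a distinct suffix here, e.g. `":artifact-sample-" + attribute["uuid"]`, or a comment stating that the two paths are mutually exclusive, would settle it. Note also that `attribute["uuid"]` is inserted unvalidated into an XML ID, so well-formed output depends on MISP guaranteeing a valid uuid upstream.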
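Review bot: The expression `getDateFromTimestamp(int(...["timestamp"]))` introduced in generateEventPackage is repeated verbatim five more times in the generateTTP, generateThreatActor, generateIndicator and Confidence hunks that follow; a single helper, e.g. `def attributeTimestamp(attribute): return getDateFromTimestamp(int(attribute["timestamp"]))`, keeps the conversion in one place and shortens the Confidence line in the last hunk considerably. `int(event["Event"]["timestamp"])` raises KeyError or ValueError when the field is absent or non-numeric, and whether MISP guarantees the field on every event and attribute is not visible here, so either document that assumption next to the helper or handle the error where the event is exported. getDateFromTimestamp itself is defined outside these hunks.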
@@ -236,14 +237,14 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):

 # TTPs are only used to describe malware names currently (attribute with category Payload Type and type text/comment/other)
 def generateTTP(incident, attribute):
- ttp = TTP()
+ ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
 ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
 setTLP(ttp, attribute["distribution"])
 ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 if attribute["type"] == "vulnerability":
 vulnerability = Vulnerability()
 vulnerability.cve_id = attribute["value"]
- et = ExploitTarget()
+ et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
 et.add_vulnerability(vulnerability)
 ttp.exploit_targets.append(et)
 else:
@@ -258,7 +259,7 @@ def generateTTP(incident, attribute):

 # Threat actors are currently only used for the category:attribution / type:(text|comment|other) attributes
 def generateThreatActor(attribute):
- ta = ThreatActor()
+ ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
 ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
 ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 if attribute["comment"] != "":
@@ -269,7 +270,7 @@ def generateThreatActor(attribute):

 # generate the indicator and add the relevant information
 def generateIndicator(attribute):
- indicator = Indicator()
+ indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
 indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
 if attribute["comment"] != "":
 indicator.description = attribute["comment"]
@@ -279,7 +280,7 @@ def generateIndicator(attribute):
 confidence_value = confidence_mapping.get(attribute["to_ids"], None)
 if confidence_value is None:
 return indicator
- indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
+ indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
 return indicator

 # converts timestamp to the format used by STIX