new: [stix import] Adding object describing the original STIX 1.X / 2.X used for import

- Depending if the variable passed to those scripts are not None, then it is the name of the original file used to import data
2018-09-06 13:51:00 +02:00 · 2018-09-06 13:51:00 +02:00 · eb9aa7ce71
parent 71d1b9075a
commit eb9aa7ce71
2 changed files with 32 additions and 6 deletions
--- a/app/files/scripts/stix2/stix2misp.py
+++ b/app/files/scripts/stix2/stix2misp.py
@ -23,6 +23,7 @@ import time
 import uuid
 import io
 import stix2
+from base64 import b64encode
 from pymisp import MISPEvent, MISPObject, __path__
 from stix2misp_mapping import *
 from collections import defaultdict
@ -43,7 +44,7 @@ class StixParser():
        with open(filename, 'r', encoding='utf-8') as f:
            event = json.loads(f.read())
        self.filename = filename
-        self.stix_version = 'stix {}'.format(event.get('spec_version'))
+        self.stix_version = 'STIX {}'.format(event.get('spec_version'))
        for o in event.get('objects'):
            parsed_object = stix2.parse(o, allow_custom=True)
            try:
@ -57,14 +58,16 @@ class StixParser():
        if not self.event:
            print(json.dumps({'success': 0, 'message': 'There is no valid STIX object to import'}))
            sys.exit(1)
+        if args[2] is not None:
+            self.add_original_file(args[2])
        try:
-            event_distribution = args[2]
+            event_distribution = args[3]
            if not isinstance(event_distribution, int):
                event_distribution = int(event_distribution) if event_distribution.isdigit() else 5
        except IndexError:
            event_distribution = 5
        try:
-            attribute_distribution = args[3]
+            attribute_distribution = args[4]
            if attribute_distribution != 'event' and not isinstance(attribute_distribution, int):
                attribute_distribution = int(attribute_distribution) if attribute_distribution.isdigit() else 5
        except IndexError:
@ -73,6 +76,16 @@ class StixParser():
        self.__attribute_distribution = event_distribution if attribute_distribution == 'event' else attribute_distribution
        self.load_mapping()

+    def add_original_file(self, original_filename):
+        with open(self.filename, 'r') as f:
+            sample = b64encode(f.read().encode('utf-8'))
+        original_file = MISPObject('original-imported-file')
+        types = ['filename', 'attachment', 'text']
+        relations = ['filename', 'imported-sample', 'type']
+        for t, v, r in zip(types, [original_filename,  sample, self.stix_version], relations):
+            original_file.add_attribute(**{"type": t, "value": v, "object_relation": r})
+        self.misp_event.add_object(**original_file)
+
    def load_mapping(self):
        self.objects_mapping = {'asn': {'observable': observable_asn, 'pattern': pattern_asn},
                                'domain-ip': {'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
--- a/app/files/scripts/stix2misp.py
+++ b/app/files/scripts/stix2misp.py
@ -20,6 +20,7 @@ import json
 import os
 import time
 import uuid
+import base64
 import stix2misp_mapping
 from operator import attrgetter
 from pymisp import MISPEvent, MISPObject, MISPAttribute, __path__
@ -57,6 +58,7 @@ class StixParser():
            except ModuleNotFoundError:
                print(3)
            sys.exit(0)
+        self.filename = filename
        title = event.stix_header.title
        fromMISP = (title is not None and "Export from " in title and "MISP" in title)
        if fromMISP:
@ -65,14 +67,16 @@ class StixParser():
            self.ttps = package.ttps.ttps if package.ttps else None
        else:
            self.event = event
+        if args[2] is not None:
+            self.add_original_file(args[2])
        try:
-            event_distribution = args[2]
+            event_distribution = args[3]
            if not isinstance(event_distribution, int):
                event_distribution = int(event_distribution) if event_distribution.isdigit() else 5
        except IndexError:
            event_distribution = 5
        try:
-            attribute_distribution = args[3]
+            attribute_distribution = args[4]
            if attribute_distribution != 'event' and not isinstance(attribute_distribution, int):
                attribute_distribution = int(attribute_distribution) if attribute_distribution.isdigit() else 5
        except IndexError:
@ -80,9 +84,18 @@ class StixParser():
        self.misp_event.distribution = event_distribution
        self.__attribute_distribution = event_distribution if attribute_distribution == 'event' else attribute_distribution
        self.fromMISP = fromMISP
-        self.filename = filename
        self.load_mapping()

+    def add_original_file(self, original_filename):
+        with open(self.filename, 'r') as f:
+            sample = base64.b64encode(f.read().encode('utf-8'))
+        original_file = MISPObject('original-imported_file')
+        types = ['filename', 'attachment', 'text']
+        relations = ['filename', 'imported-sample', 'type']
+        for t, v, r in zip(types, [original_filename, sample, "STIX {}".format(self.event.version)], relations):
+            original_file.add_attribute(**{"type": t, "value":v, "object_relation": r})
+        self.misp_event.add_object(**original_file)
+
    # Load the mapping dictionary for STIX object types
    def load_mapping(self):
        self.attribute_types_mapping = {