Merge branch '2.4' of github.com:MISP/MISP into 2.4

app/files/scripts/stix2/misp2stix2.py

@@ -536,7 +536,7 @@ class StixBuilder():
                               'first_observed': timestamp, 'last_observed': timestamp,
                               'created_by_ref': self.identity_id}
         try:
-            observed_data = ObservedData(**observed_data_args)
+            observed_data = ObservedData(**observed_data_args, allow_custom=True)
         except exceptions.InvalidValueError:
             observed_data = self.fix_enumeration_issues(name, observed_data_args)
         self.append_object(observed_data, observed_data_id)
@@ -653,7 +653,7 @@ class StixBuilder():
             try:
                 stix_type = asnObjectMapping[relation]
             except KeyError:
-                continue
+                stix_type = "x_misp_{}_{}".format(attribute.type, relation)
             attribute_value = attribute.value
             if relation == "subnet-announced":
                 observable[str(object_num)] = {'type': define_address_type(attribute_value), 'value': attribute_value}
@@ -662,7 +662,7 @@ class StixBuilder():
                 asn[stix_type] = int(attribute_value[2:]) if (stix_type == 'number' and attribute_value.startswith("AS")) else attribute_value
         observable[str(object_num)] = asn
         for n in range(object_num):
-            observable[n]['belongs_to_refs'] = [str(object_num)]
+            observable[str(n)]['belongs_to_refs'] = [str(object_num)]
         return observable
 
     @staticmethod
@@ -674,7 +674,7 @@ class StixBuilder():
             try:
                 stix_type = asnObjectMapping[relation]
             except KeyError:
-                continue
+                stix_type = "'x_misp_{}_{}'".format(attribute.type, relation)
             attribute_value = attribute.value
             if relation == "subnet-announced":
                 pattern += "{0}:{1} = '{2}' AND ".format(define_address_type(attribute_value), stix_type, attribute_value)
@@ -711,36 +711,36 @@ class StixBuilder():
         reply_to = []
         object_num = 0
         for attribute in attributes:
-            attribute_type = attribute.type
+            relation = attribute.object_relation
             attribute_value = attribute.value
             try:
-                mapping = emailObjectMapping[attribute_type]
+                mapping = emailObjectMapping[relation]['stix_type']
             except:
-                continue
+                mapping = "x_misp_{}_{}".format(attribute.type, relation)
-            if attribute_type in ('email-src', 'email-dst'):
+            if relation in ('from', 'to', 'cc'):
                 object_str = str(object_num)
                 observable[object_str] = {'type': 'email-addr', 'value': attribute_value}
-                try:
+                if relation == 'from':
-                    message[mapping['stix_type'][attribute.object_relation]].append(object_str)
+                    message[mapping] = object_str
-                except:
+                else:
-                    message[mapping['stix_type']] = object_str
+                    message[mapping].append(object_str)
                 object_num += 1
-            elif attribute_type == 'email-reply-to':
+            elif relation == 'reply-to':
                 reply_to.append(attribute_value)
-            elif attribute_type == 'email-attachment':
+            elif relation == 'attachment':
                 object_str = str(object_num)
                 body = {"content_disposition": "attachment; filename='{}'".format(attribute_value),
                                   "body_raw_ref": object_str}
                 message['body_multipart'].append(body)
                 observable[object_str] = {'type': 'file', 'name': attribute_value}
                 object_num += 1
-            elif attribute_type == 'email-x-mailer':
+            elif relation == 'x-mailer':
                 if 'additional_header_fields' in message:
                     message['additional_header_fields']['X-Mailer'] = attribute_value
                 else:
                     message['additional_header_fields'] = {'X-Mailer': attribute_value}
             else:
-                message[mapping['stix_type']] = attribute_value
+                message[mapping] = attribute_value
         if reply_to and 'additional_header_fields' in message:
             message['additional_header_fields']['Reply-To'] = reply_to
         message['type'] = 'email-message'
@@ -757,14 +757,13 @@ class StixBuilder():
         pattern = ""
         for attribute in attributes:
             try:
-                mapping = emailObjectMapping[attribute.type]
+                mapping = emailObjectMapping[attribute.object_relation]
-            except:
-                continue
-            try:
-                stix_type = mapping['stix_type'][attribute.object_relation]
-            except:
                 stix_type = mapping['stix_type']
-            pattern += pattern_mapping.format(mapping['email_type'], stix_type, attribute.value)
+                email_type = mapping['email_type']
+            except:
+                stix_type = "'x_misp_{}_{}'".format(attribute.type, attribute.object_relation)
+                email_type = 'message'
+            pattern += pattern_mapping.format(email_type, stix_type, attribute.value)
         return pattern[:-5]
 
     @staticmethod

app/files/scripts/stix2/misp2stix2_mapping.py

@@ -257,15 +257,15 @@ asnObjectMapping = {'asn': 'number', 'description': 'name', 'subnet-announced':
 domainIpObjectMapping = {'ip-dst': 'resolves_to_refs[*].value', 'domain': 'value'}
 
 emailObjectMapping = {'email-body': {'email_type': 'message', 'stix_type': 'body'},
-                      'email-subject': {'email_type': 'message', 'stix_type': 'subject'},
+                      'subject': {'email_type': 'message', 'stix_type': 'subject'},
-                      'email-dst': {'email_type': 'message', 'stix_type': {'to': 'to_refs', 'cc': 'cc_refs'}},
+                      'to': {'email_type': 'message', 'stix_type': 'to_refs'}, 'cc': {'email_type': 'message', 'stix_type': 'cc_refs'},
-                      'email-dst-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
+                      'to-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
-                      'email-src': {'email_type': 'message', 'stix_type': 'from_ref'},
+                      'from': {'email_type': 'message', 'stix_type': 'from_ref'},
-                      'email-src-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
+                      'from-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
-                      'email-reply-to': {'email_type': 'message', 'stix_type': 'additional_header_fields.reply_to'},
+                      'reply-to': {'email_type': 'message', 'stix_type': 'additional_header_fields.reply_to'},
-                      'email-attachment': {'email_type': 'message', 'stix_type': 'body_multipart[*].body_raw_ref.name'},
+                      'attachment': {'email_type': 'message', 'stix_type': 'body_multipart[*].body_raw_ref.name'},
-                      'datetime': {'email_type': 'message', 'stix_type': 'date'},
+                      'send-date': {'email_type': 'message', 'stix_type': 'date'},
-                      'email-x-mailer': {'email_type': 'message', 'stix_type': 'additional_header_fields.x_mailer'}}
+                      'x-mailer': {'email_type': 'message', 'stix_type': 'additional_header_fields.x_mailer'}}
 
 fileMapping = {'hashes': "hashes.'{0}'", 'size-in-bytes': 'size', 'filename': 'name', 'mime-type': 'mime_type'}