import stix v2.1 to MISP #95

Open
tahaconfiant opened this issue Feb 22, 2021 · 3 comments
@tahaconfiant

In the file MISP-Taxii-Server/misp_taxii_hooks/hooks.py

the line containing: package = pymisp.tools.stix.load_stix(StringIO(block))

It seems that here we can only load STIX v1. I tried with STIX v2 and STIX v2.1; the file just gets skipped because MISP attributes aren't recognized, so an empty event is still uploaded to MISP.

It seems there's some mapping that needs to be done between MISP and STIX v2.1.

I would assume the main code for this mapping should be implemented in the pymisp library.

By the way, when uploading a STIX v2.1 file directly to MISP via the GUI (in the menu add event, import from stix 2.0) it works perfectly, because they don't rely on pymisp to load the file.

The question is simple: I want to push STIX 2.1 files to MISP-Taxii-Server, but it doesn't seem to be implemented yet.

See the attached file for a sample STIX v2.1 file:

blast.json.zip
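
The failure mode reported above (STIX 2.x content handed to a STIX 1 loader and ending up as an empty event) can be caught before loading by sniffing the STIX version of the content block. This is an added example, not code from MISP-Taxii-Server or PyMISP; `detect_stix_version` and `require_stix1` are hypothetical names, the sample inputs are constructed, and the version check is a heuristic on the envelope only.

```python
import json
import re

# Root element of a STIX 1.x XML package, with an optional namespace prefix.
_STIX1_ROOT = re.compile(r"<(?:[\w.-]+:)?STIX_Package\b")

# Constructed sample inputs (not taken from the attached blast.json).
SAMPLE_STIX1 = '<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.2"/>'
SAMPLE_STIX20 = '{"type": "bundle", "id": "bundle--0", "spec_version": "2.0", "objects": []}'
SAMPLE_STIX21 = ('{"type": "bundle", "id": "bundle--1", "objects": '
                 '[{"type": "indicator", "spec_version": "2.1", "id": "indicator--1"}]}')


def detect_stix_version(block: str) -> str:
    """Return '1.x', '2.0' or '2.1' for a content block, or raise ValueError.

    Heuristic envelope sniffing only; the content itself is not validated.
    """
    text = block.lstrip("\ufeff \t\r\n")
    if text.startswith("<"):
        # Regex sniff rather than an XML parser: the block is untrusted input
        # and only the root element name is needed to pick a loader.
        if _STIX1_ROOT.search(text) is None:
            raise ValueError("XML content is not a STIX 1.x STIX_Package")
        return "1.x"
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"content is neither XML nor JSON: {exc}") from None
    if not isinstance(doc, dict) or doc.get("type") != "bundle":
        raise ValueError("JSON content is not a STIX 2.x bundle")
    # STIX 2.0 carries spec_version on the bundle; 2.1 carries it per object.
    if doc.get("spec_version") == "2.0":
        return "2.0"
    objects = doc.get("objects")
    if isinstance(objects, list) and any(
            isinstance(o, dict) and o.get("spec_version") == "2.1" for o in objects):
        return "2.1"
    raise ValueError("bundle carries no recognisable spec_version")


def require_stix1(block: str) -> str:
    """Hypothetical guard for a STIX 1-only loader: reject instead of skipping."""
    version = detect_stix_version(block)
    if version != "1.x":
        raise ValueError(f"STIX {version} content needs a STIX 2 importer")
    return block
```

Raising here lets a hook log and reject the block rather than create an empty event from it.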

@tahaconfiant
Author

I opened an issue in the PyMISP project as well: MISP/PyMISP#704

@adulau
Member

adulau commented Feb 23, 2021

Could you use and test the following approach for ingesting your STIX files?

https://github.com/MISP/MISP/tree/2.4/tools/ingest_stix

Thanks a lot.

@tahaconfiant
Author

Nearly there. Running the suggested script:

x@misp:/var/www/MISP/tools/ingest_stix$ sudo -H -u www-data /var/www/MISP/venv/bin/python3 ingest_stix.py --version 2 --path stix2.json

gave me a

<Response [403]>
Error with the ingestion of the following file: stix2.json

Checking the error logs:

tail: /var/www/MISP/app/tmp/logs/exec-errors.log: file truncated
Traceback (most recent call last):
  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 2061, in <module>
    main(sys.argv)
  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 2053, in main
    event = stix2.parse(f.read(), allow_custom=True, interoperability=True)
TypeError: parse() got an unexpected keyword argument 'interoperability'

My package versions; I think I have the latest version of everything STIX-related, I just upgraded them all:

x@misp:/var/www/MISP/tools/ingest_stix$ sudo -H -u www-data /var/www/MISP/venv/bin/pip3 list  | grep stix
stix                   1.2.0.11
stix2                  2.1.0
stix2-patterns         1.3.2
