misp / misp-stix Goto Github PK

MISP-STIX-Converter - Python library to handle the conversion between MISP and STIX formats

Home Page: https://misp.github.io/misp-stix/

License: BSD 2-Clause "Simplified" License

misp-stix's Introduction

MISP-STIX - Python library to handle the conversion between MISP standard and STIX

MISP-STIX-converter is a Python library (>=3.8) to handle all the conversions between the MISP standard format and STIX formats.

The package is available as misp-stix in PyPI.

Features

This library is used by the MISP core software to perform STIX conversion and serves as a useful tool for anyone looking for a clean way of converting between the MISP standard format and the various STIX versions (1.1.1, 1.2, 2.0, 2.1).

Complete documentation is available, including the mappings between the different formats.

Install from pip

It is strongly recommended to use a virtual environment

If you want to know more about virtual environments, Python has you covered

From the current repository:

pip3 install misp-stix

Package details at PyPI: misp-stix

Install the latest version from the repository for development purposes

Note: poetry is required; e.g., pip3 install poetry

git clone https://github.com/MISP/misp-stix.git && cd misp-stix
git submodule update --init
poetry install

If you already have poetry installed and face any issue with it while installing or updating misp-stix, you can try pip3 install -U poetry to make sure you have a version >= 1.2

Running the tests

Tests for MISP format export as STIX 1.1.1 & 1.2:

poetry run pytest tests/test_stix1_export.py

Tests for MISP format export as STIX 2.0:

poetry run pytest tests/test_stix20_export.py

Tests for MISP format export as STIX 2.1:

poetry run pytest tests/test_stix21_export.py

Usage

Command-line Usage

misp_stix_converter export --version 2.1 -f tests/test_events_collection_1.json

Parameters

usage: misp_stix_converter [-h] [--debug] {export,import} ...

Convert MISP <-> STIX

options:
  -h, --help       show this help message and exit
  --debug          Show errors and warnings

Main feature:
  {export,import}
    export         Export MISP to STIX - try `misp_stix_converter export -h` for more help.
    import         Import STIX to MISP - try `misp_stix_converter import -h` for more help.

Export parameters

usage: misp_stix_converter export [-h] -f FILE [FILE ...] -v {1.1.1,1.2,2.0,2.1} [-s] [-m] [--output_dir OUTPUT_DIR] [-o OUTPUT_NAME] [--level {attribute,event}] [--format {json,xml}] [-n NAMESPACE] [-org ORG]

options:
  -h, --help            show this help message and exit
  -f FILE [FILE ...], --file FILE [FILE ...]
                        Path to the file(s) to convert.
  -v {1.1.1,1.2,2.0,2.1}, --version {1.1.1,1.2,2.0,2.1}
                        STIX specific version.
  -s, --single_output   Produce only one result file (in case of multiple input file).
  -m, --in_memory       Store result in memory (in case of multiple result files) instead of storing it in tmp files.
  --output_dir OUTPUT_DIR
                        Output path - used in the case of multiple input files when the `single_output` argument is not used.
  -o OUTPUT_NAME, --output_name OUTPUT_NAME
                        Output file name - used in the case of a single input file or when the `single_output` argument is used.

STIX 1 specific arguments:
  --level {attribute,event}
                        MISP data structure level.
  --format {json,xml}   STIX 1 format.
  -n NAMESPACE, --namespace NAMESPACE
                        Namespace to be used in the STIX 1 header.
  -org ORG              Organisation name to be used in the STIX 1 header.

Import parameters

usage: misp_stix_converter import [-h] -f FILE [FILE ...] -v {1,2} [-s] [-o OUTPUT_NAME] [--output_dir OUTPUT_DIR] [-d DISTRIBUTION] [-sg SHARING_GROUP] [--galaxies_as_tags]

options:
  -h, --help            show this help message and exit
  -f FILE [FILE ...], --file FILE [FILE ...]
                        Path to the file(s) to convert.
  -v {1,2}, --version {1,2}
                        STIX major version.
  -s, --single_output   Produce only one MISP event per STIX file (in case of multiple Report, Grouping or Incident objects).
  -o OUTPUT_NAME, --output_name OUTPUT_NAME
                        Output file name - used in the case of a single input file or when the `single_output` argument is used.
  --output_dir OUTPUT_DIR
                        Output path - used in the case of multiple input files when the `single_output` argument is not used.
  -d DISTRIBUTION, --distribution DISTRIBUTION
                        Distribution level for the imported MISP content.
  -sg SHARING_GROUP, --sharing_group SHARING_GROUP
                        Sharing group ID when distribution is 4.
  --galaxies_as_tags    Import MISP Galaxies as tag names instead of the standard Galaxy format.

In Python scripts

Given a MISP Event (with its metadata fields, attributes, objects, galaxies and tags), declared in an event variable in Python dict format, you can get the result of a conversion into one of the supported STIX versions:

  • Convert a MISP Event into STIX1:

from misp_stix_converter import MISPtoSTIX1EventsParser

parser = MISPtoSTIX1EventsParser(
    'MISP-Project', # Example of Org name
    '1.1.1' # STIX1 version (1.1.1 or 1.2)
)
parser.parse_misp_event(event)

stix_package = parser.stix_package

  • Convert a MISP Event into STIX1 directly from its file name:

from misp_stix_converter import misp_to_stix1

response = misp_to_stix1(
    filename, # file name of the file containing a MISP Event
    'xml', # return format (XML or JSON)
    '1.1.1' # STIX1 version (1.1.1 or 1.2)
)
# if everything went well, response is a dictionary where `success` = 1

The resulting STIX1 Package is then available in a filename.out file

  • Convert a MISP Event into STIX2:

# for STIX 2.0
from misp_stix_converter import MISPtoSTIX20Parser
# for STIX 2.1
from misp_stix_converter import MISPtoSTIX21Parser

parser20 = MISPtoSTIX20Parser()
parser20.parse_misp_event(event)

parser21 = MISPtoSTIX21Parser()
parser21.parse_misp_event(event)

# To get the list of parsed STIX objects
stix_20_objects = parser20.stix_objects
stix_21_objects = parser21.stix_objects

# To get the list of parsed STIX objects within a STIX 2.0 or 2.1 Bundle
bundle20 = parser20.bundle
bundle21 = parser21.bundle

  • Convert a MISP Event into STIX2 directly from its file name:

from misp_stix_converter import misp_to_stix2

response_20 = misp_to_stix2(filename, version='2.0')
response_21 = misp_to_stix2(filename, version='2.1')
# Again response_20 & response_21 have a `success` field equal to 1 if everything went well

The resulting STIX2 Bundle is then available in a filename.out file, or you can define the output name with the output_name argument.

If you have a collection of MISP data, you can also convert it directly into one of the STIX formats:

from misp_stix_converter import MISPtoSTIX1EventsParser, MISPtoSTIX20Parser, MISPtoSTIX21Parser

filename = _PATH_TO_YOUR_FILE_CONTAINING_MISP_FORMAT_

parser1 = MISPtoSTIX1EventsParser('MISP', '1.1.1')
parser1.parse_json_content(filename)
stix_package = parser1.stix_package

parser20 = MISPtoSTIX20Parser()
parser20.parse_json_content(filename)
stix_20_objects = parser20.stix_objects
bundle20 = parser20.bundle

parser21 = MISPtoSTIX21Parser()
parser21.parse_json_content(filename)
stix_21_objects = parser21.stix_objects
bundle21 = parser21.bundle

To parse multiple data collections, you can also use the following helpers:

from pathlib import Path

from misp_stix_converter import misp_event_collection_to_stix1, misp_event_collection_to_stix2

input_filenames = [filename for filename in Path(_PATH_TO_YOUR_MISP_FILES_).glob('*.json')]

stix1_response = misp_event_collection_to_stix1(
    *input_filenames,
    output_name=output_filename, # path to the file where the results are going to be written
    return_format='xml', # STIX1 return format (XML or JSON)
    version='1.1.1' # STIX1 version (1.1.1 or 1.2)
)

stix20_response = misp_event_collection_to_stix2(
    *input_filenames,
    version='2.0' # STIX 2 version
)

# The same helper handles STIX 2.1; only the version argument changes
stix21_response = misp_event_collection_to_stix2(
    *input_filenames,
    version='2.1',
    single_output=True, # For a single resulting file
    output_name=output_filename, # path to the file where the results are going to be written
    in_memory=True # To keep results in memory before writing the full converted content at the end in the result file
)

Again, all the responses should have a success field equal to 1, and the resulting STIX1 Package and STIX 2.0 & 2.1 Bundles are available under the given output file names.

Samples and examples

Various examples are provided and used by the different test scripts in the tests directory. Those example files show the results of MISP format exported in the various supported STIX formats.

MISP <--> STIX Mapping

Dedicated documentation on the mapping between MISP and the various supported STIX versions is also provided in the documentation directory. All the different cases are illustrated there with examples.

License

misp-stix is released under a BSD 2-Clause "Simplified" License, allowing easy reuse with other libraries.

Copyright 2019-2023 Christian Studer
Copyright 2019-2023 CIRCL - Computer Incident Response Center Luxembourg c/o "security made in Lëtzebuerg" (SMILE) g.i.e.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

misp-stix's People

Contributors

2xyo, adulau, chrisr3d, coolacid, cr-fp, iglocska, jakubonderka, lm-ct, netantho, synchroack

misp-stix's Issues

Bug: PDF Reports are being created as File and Artifact objects

MISP-STIX usage

No response

Expected behavior

https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070588

I believe the correct approach is to handle external analysis:attachment as an external reference with a link.

Actual behavior

File and Artifact objects are created to represent a PDF Report.

Steps to reproduce

Parse an event with an external analysis:attachment attribute.

Version

2.4.168

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: Conversion to STIX2 does not take into account to_ids flag set in objects when creating indicators

MISP-STIX usage

Integration for Sentinel

Expected behavior

Only have those attributes of an object that have the to_ids flag set to true included in the pattern of the STIX indicator.

Actual behavior

All attributes of an object are included in the conversion, regardless of to_ids flag.

Steps to reproduce

Example with the file object.

If the attribute "filename" is added to the object, but with the to_ids flag set to False then it is still included in the STIX indicator pattern.

Version

2.4.172

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Support: How do I convert Galaxy Clusters to STIX2.1 format?

Support Questions

Hello, I am trying to convert a galaxy or galaxy_clusters JSON file to STIX 2.1 format.

Sample:

[
  {
    "GalaxyCluster": {
      "id": "61806",
      "uuid": "5abe8673-4f85-440b-8860-de39fc1b671c",
      "collection_uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
      "type": "rat",
      "value": "Iperius Remote",
      "tag_name": "misp-galaxy:rat=\"Iperius Remote\"",
      "description": "Iperius Remote is advertised with these features: Control remotely any computer with Iperius Remote Desktop Free. For remote support or presentations. Ideal for technical assistance. Easy to use and secure.",
      "galaxy_id": "52",
      "source": "MISP Project",
      "authors": ["Various", "raw-data"],
      "version": "44",
      "distribution": "3",
      "sharing_group_id": null,
      "org_id": "0",
      "orgc_id": "0",
      "default": true,
      "locked": false,
      "extends_uuid": "",
      "extends_version": "0",
      "published": false,
      "deleted": false
    }
  },
  {
    "GalaxyCluster": {
      "id": "61807",
      "uuid": "8ee3c015-3088-4a5f-8c94-602c27d767c0",
      "collection_uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
      "type": "rat",
      "value": "TeamViewer",
      "tag_name": "misp-galaxy:rat=\"TeamViewer\"",
      "description": "TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.",
      "galaxy_id": "52",
      "source": "MISP Project",
      "authors": ["Various", "raw-data"],
      "version": "44",
      "distribution": "3",
      "sharing_group_id": null,
      "org_id": "0",
      "orgc_id": "0",
      "default": true,
      "locked": false,
      "extends_uuid": "",
      "extends_version": "0",
      "published": false,
      "deleted": false
    }
  }
]

I can only find functions to convert events to STIX2.1 on documentation, and was wondering if there are any ways to do this.

Thank you in advance.

MISP version

2.4.178

Python version

3.10

Relevant log output

No response

Extra attachments

No response


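A cluster file like the one above is a list of GalaxyCluster entries, and each entry carries enough to fill a STIX Domain Object. The block below is an added example for this page, not misp-stix code and not the library's official galaxy mapping: it maps 'rat' clusters to STIX 2.1 malware SDOs (with the open-vocabulary value remote-access-trojan), falls back to a tool SDO for any other galaxy type (an assumption made here), reuses the cluster uuid in the SDO id so repeated exports stay stable, and keeps the MISP tag name as a STIX label. The two clusters are copied from the question; the export time is a fixed constructed value so the output is reproducible.

```python
"""Illustrative conversion of MISP GalaxyCluster entries into STIX 2.1 SDOs.

Added example, not misp-stix code and not the library's mapping. A 'rat'
galaxy type maps to a 'malware' SDO; any other galaxy type falls back to a
'tool' SDO (an assumption made here, not a STIX or MISP rule).
"""
import uuid
from datetime import datetime, timezone

# Galaxy type -> (SDO type, properties that SDO type requires). Extend as needed.
GALAXY_TYPE_TO_SDO = {
    'rat': ('malware', {'is_family': True, 'malware_types': ['remote-access-trojan']}),
}

# Fixed export time (constructed) so that created/modified are reproducible.
SAMPLE_EXPORT_TIME = datetime(2024, 1, 25, 10, 18, 29, 125000, tzinfo=timezone.utc)

# The two clusters from the question, trimmed to the fields used here.
GALAXY_CLUSTERS = [
    {'GalaxyCluster': {
        'uuid': '5abe8673-4f85-440b-8860-de39fc1b671c', 'type': 'rat', 'value': 'Iperius Remote',
        'tag_name': 'misp-galaxy:rat="Iperius Remote"',
        'description': 'Iperius Remote is advertised with these features: Control remotely any computer '
                       'with Iperius Remote Desktop Free. For remote support or presentations. '
                       'Ideal for technical assistance. Easy to use and secure.',
        'source': 'MISP Project', 'authors': ['Various', 'raw-data'], 'version': '44'}},
    {'GalaxyCluster': {
        'uuid': '8ee3c015-3088-4a5f-8c94-602c27d767c0', 'type': 'rat', 'value': 'TeamViewer',
        'tag_name': 'misp-galaxy:rat="TeamViewer"',
        'description': 'TeamViewer is a proprietary computer software package for remote control, '
                       'desktop sharing, online meetings, web conferencing and file transfer between computers.',
        'source': 'MISP Project', 'authors': ['Various', 'raw-data'], 'version': '44'}},
]


def stix_timestamp(moment):
    """STIX 2.1 timestamps are UTC with millisecond precision and a trailing Z."""
    return moment.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'


def cluster_to_sdo(cluster, exported_at):
    """Map one GalaxyCluster dict to a STIX 2.1 SDO dict."""
    sdo_type, required = GALAXY_TYPE_TO_SDO.get(cluster['type'], ('tool', {}))
    stamp = stix_timestamp(exported_at)
    sdo = {
        'type': sdo_type,
        'spec_version': '2.1',
        'id': f"{sdo_type}--{cluster['uuid']}",   # cluster uuid keeps the id stable across exports
        'created': stamp,
        'modified': stamp,
        'name': cluster['value'],
        'description': cluster['description'],
        'labels': [cluster['tag_name']],           # MISP tag name survives as a label
    }
    sdo.update(required)
    if cluster.get('source') or cluster.get('authors'):
        # Provenance of the cluster, expressed as a STIX external reference
        sdo['external_references'] = [{
            'source_name': cluster.get('source', 'unknown'),
            'description': 'authors: ' + ', '.join(cluster.get('authors', [])),
        }]
    return sdo


def clusters_to_bundle(entries, exported_at):
    """Convert the list-of-{'GalaxyCluster': ...} structure MISP exports into a STIX 2.1 bundle dict."""
    objects = [cluster_to_sdo(entry['GalaxyCluster'], exported_at) for entry in entries]
    return {'type': 'bundle', 'id': f'bundle--{uuid.uuid4()}', 'objects': objects}


if __name__ == '__main__':
    for sdo in clusters_to_bundle(GALAXY_CLUSTERS, SAMPLE_EXPORT_TIME)['objects']:
        print(sdo['id'], sdo['name'], sdo['labels'])
```

Feeding the resulting dicts into a STIX 2.1 validator is the natural next step; because the ids are derived from the cluster uuids, a second export of the same clusters yields the same ids and can be de-duplicated by the consumer.
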
Feature Request: Observables and Indicators are not mutually exclusive

Is your feature request related to a problem? Please describe.

I believe observable objects must be created regardless of the to_ids flag, and only when the to_ids flag is enabled should an indicator also be generated, together with a relationship between the indicator and the originating observable objects.

Describe the solution you'd like

An attribute, even those within an object, should originate an observable, independently of the to_ids flag.

An attribute with to_ids flag enabled and which does not belong to an object, should originate an indicator and also a relationship between that indicator and the observable.

An attribute with to_ids flag enabled and which belongs to an object, should contribute to a new indicator and in the end, that indicator should have a relationship between that indicator and the observable.

Scenario 1

Single attribute with to_ids flag disabled.

MISP Event:

  • attribute1

STIX Bundle:

  • observable1

Scenario 2

Object with multiple attributes with to_ids flag disabled.

MISP Event:

  • object1[attribute1, attribute2]

STIX Bundle:

  • observable1
  • observable2

Scenario 3

Single attribute with to_ids flag enabled.

MISP Event:

  • attribute1

STIX Bundle:

  • observable1
  • indicator1
  • relationship1

Scenario 4

Object with multiple attributes with to_ids flag enabled.

MISP Event:

  • object1[attribute1, attribute2]

STIX Bundle:

  • observable1
  • observable2
  • indicator1
  • relationship-observable1-indicator1
  • relationship-observable2-indicator1

Scenario 5

Object with multiple attributes where some have the to_ids flag enabled.

MISP Event:

  • object1[attribute1, attribute2, attribute3]

STIX Bundle:

  • observable1
  • observable2 (to_ids flag was disabled)
  • observable3
  • indicator1
  • relationship-observable1-indicator1
  • relationship-observable3-indicator1

Describe alternatives you've considered

No response

Additional context

No response


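The five scenarios above can be expressed as a small conversion routine. The following is an added example written for this page, not misp-stix code: it produces STIX 2.1 objects as plain dicts for a constructed MISP file object, emitting one observable (SCO) per attribute, a single indicator whose pattern is built only from the attributes with to_ids set, and a based-on relationship from the indicator to each flagged observable. The SCO_MAPPING table covers only three attribute types and is this example's assumption; the uuids and values in the sample object are constructed.

```python
"""Illustrative STIX 2.1 export of a MISP object that honours the to_ids flag.

Added example, not misp-stix code: every attribute becomes an observable
(SCO), only attributes with to_ids set contribute to one indicator, and each
flagged observable is linked to that indicator by a relationship. SCO type
names, the pattern syntax and the 'based-on' relationship type are STIX 2.1
vocabulary; the MISP object below is constructed sample data.
"""
import uuid
from datetime import datetime, timezone

# MISP attribute type -> (STIX SCO type, property path). Only a few types are
# covered here; misp-stix documents its full mapping in its documentation directory.
SCO_MAPPING = {
    'filename': ('file', 'name'),
    'md5': ('file', 'hashes.MD5'),
    'ip-dst': ('ipv4-addr', 'value'),
}


def stix_timestamp(epoch):
    """MISP epoch string -> STIX timestamp string (UTC, millisecond precision)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')


def observable_for(attribute):
    """Build the SCO for one attribute; the SCO id reuses the attribute uuid."""
    sco_type, prop = SCO_MAPPING[attribute['type']]
    sco = {'type': sco_type, 'spec_version': '2.1', 'id': f"{sco_type}--{attribute['uuid']}"}
    if '.' in prop:  # nested property such as hashes.MD5
        top, sub = prop.split('.', 1)
        sco[top] = {sub: attribute['value']}
    else:
        sco[prop] = attribute['value']
    return sco


def pattern_for(attributes):
    """STIX pattern combining the flagged attributes in one observation expression."""
    parts = []
    for attribute in attributes:
        sco_type, prop = SCO_MAPPING[attribute['type']]
        parts.append(f"{sco_type}:{prop} = '{attribute['value']}'")
    return '[' + ' AND '.join(parts) + ']'


def convert_misp_object(misp_object):
    """Return the STIX 2.1 objects (as dicts) for one MISP object (Scenarios 2, 4 and 5)."""
    attributes = misp_object['Attribute']
    observables = [observable_for(a) for a in attributes]
    flagged = [a for a in attributes if a.get('to_ids')]
    if not flagged:  # Scenario 2: observables only, no indicator
        return observables
    created = stix_timestamp(misp_object['timestamp'])
    indicator_id = f"indicator--{misp_object['uuid']}"
    indicator = {
        'type': 'indicator', 'spec_version': '2.1', 'id': indicator_id,
        'created': created, 'modified': created, 'valid_from': created,
        'pattern': pattern_for(flagged), 'pattern_type': 'stix',
    }
    relationships = []
    for attribute in flagged:  # one relationship per flagged observable (Scenarios 4 and 5)
        target_ref = f"{SCO_MAPPING[attribute['type']][0]}--{attribute['uuid']}"
        rel_uuid = uuid.uuid5(uuid.NAMESPACE_URL, f'{indicator_id}|{target_ref}')  # deterministic id
        relationships.append({
            'type': 'relationship', 'spec_version': '2.1', 'id': f'relationship--{rel_uuid}',
            'created': created, 'modified': created, 'relationship_type': 'based-on',
            'source_ref': indicator_id, 'target_ref': target_ref,
        })
    return observables + [indicator] + relationships


def convert_misp_attribute(attribute):
    """Scenarios 1 and 3: a standalone attribute is treated as a one-attribute object."""
    return convert_misp_object({'uuid': attribute['uuid'], 'timestamp': attribute['timestamp'],
                                'Attribute': [attribute]})


# Constructed sample: Scenario 5, the md5 attribute has to_ids disabled.
SAMPLE_OBJECT = {
    'name': 'file', 'uuid': '6f1c2a4e-0d3b-4b7e-9a21-3c5e8f9d1a02', 'timestamp': '1706177909',
    'Attribute': [
        {'type': 'filename', 'value': 'invoice.exe', 'to_ids': True,
         'uuid': 'a1b2c3d4-0000-4000-8000-000000000001', 'timestamp': '1706177909'},
        {'type': 'md5', 'value': 'd41d8cd98f00b204e9800998ecf8427e', 'to_ids': False,
         'uuid': 'a1b2c3d4-0000-4000-8000-000000000002', 'timestamp': '1706177909'},
        {'type': 'ip-dst', 'value': '203.0.113.7', 'to_ids': True,
         'uuid': 'a1b2c3d4-0000-4000-8000-000000000003', 'timestamp': '1706177909'},
    ],
}

if __name__ == '__main__':
    for stix_object in convert_misp_object(SAMPLE_OBJECT):
        print(stix_object['type'], stix_object['id'])
```

For the sample object the result is three observables, one indicator whose pattern only mentions the filename and the destination address, and two relationships; the md5 observable is still emitted but is not referenced by the indicator, which is exactly the Scenario 5 outcome.
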
Support: Test case are failing locally

Support Questions

(Screenshot attached: Screenshot 2024-01-30 at 2 30 41 PM)

MISP version

No response

Python version

No response

Relevant log output

No response

Extra attachments

No response

Bug: STIX1toMISPParser doesn't work at all

MISP-STIX usage

No response

Expected behavior

Function stix_1_to_misp converts STIX1 to MISP as the main script allows setting STIX1 version:

parser.add_argument('-v', '--version', choices=['1.1.1', '1.2', '2.0', '2.1'], required=True, help='STIX version.')

Actual behavior

It uses:

stix_parser.load_event()
stix_parser.build_misp_event(event)

... but both methods are undefined, so the implementation is completely missing.
However, it fails even prior to that with: TypeError: descriptor '__init__' of 'super' object needs an argument

Steps to reproduce

Run misp_stix_converter -i -v 1.2 -f ../../example_stix1.xml

Version

2.4.168

Python version

3.8

Relevant log output

Traceback (most recent call last):
  File "./ve/bin/misp_stix_converter", line 8, in <module>
    sys.exit(main())
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/__init__.py", line 174, in main
    results = _misp_to_stix(stix_args) if stix_args.export else _stix_to_misp(stix_args)
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/__init__.py", line 150, in _stix_to_misp
    return _process_files(stix_args.file, method)
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/__init__.py", line 137, in _process_files
    status = method(filename)
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/misp_stix_converter.py", line 440, in stix_1_to_misp
    stix_parser = InternalSTIX1toMISPParser() if from_misp else ExternalSTIX1toMISPParser()
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/stix2misp/external_stix1_to_misp.py", line 9, in __init__
    super().__init__()
  File "./ve/lib/python3.8/site-packages/misp_stix_converter/stix2misp/stix1_to_misp.py", line 9, in __init__
    super.__init__()
TypeError: descriptor '__init__' of 'super' object needs an argument

Extra attachments

No response

MISP to STIX2.1 converter doesn't enforce spec timestamp order requirements

Hello, I was asked to open some issues for things I found with the implementation (so far. I know it's still work in progress). So here is one about the way timestamps are handled.

STIX 2.1 includes temporal order requirements on timestamp properties of certain objects. For indicators, it is valid_from < valid_until; for observed-data, it is first_observed <= last_observed. The conversion logic uses first_seen/last_seen on MISP attributes and objects to map to the relevant timestamp properties on STIX objects, with a fallback to timestamp. I don't see an order requirement on first_seen/last_seen in the MISP spec, but correct order must be enforced on the STIX properties.

Below is code which triggers a timestamp ordering error. It includes not only the MISP content, but the code I used to invoke the translator. In this example, a "filename" attribute is used, which converts to a STIX indicator with valid_from/valid_until. I tried to show a more subtle example of the error, which uses the timestamp fallback behavior. (MISP) first_seen is omitted which causes (STIX) valid_from to come from the (MISP) timestamp. The value for the timestamp is deliberately chosen to be later than last_seen. This triggers the error.

import misp_stix_converter.misp2stix.misp_to_stix21 as m2s

event = {
    'Org': {
        'name': 'Generator org',
        'uuid': 'e2c7cf80-3110-4c30-a649-5c4de8c35d01'
    },
    'Orgc': {
        'name': 'Creator org',
        'uuid': '31666f36-104c-4bc5-abca-61449c3dc0ce'
    },
    'date': '2021-05-25',
    'info': 'Test event',
    'publish_timestamp': '1621994860',
    'published': False,
    'timestamp': '1621994860',
    'uuid': '403b04bd-7952-4525-9cf8-34b991176867',
    'Attribute': [
        {
            'category': 'Payload delivery',
            'last_seen': '2021-05-26T02:07:39.000000',
            'timestamp': '1621994860',
            'to_ids': True,
            'type': 'filename',
            'uuid': 'e0ca6ef1-2c8e-4c50-9b21-9778d4e0add3',
            'value': 'foo'
        }
    ]
}


converter = m2s.MISPtoSTIX21Parser()
converter.parse_misp_event(event)

stix_bundle = converter.bundle

print("Warnings:")
for warning in converter._warnings:
    print(warning)

print()
print("Errors:")
for error in converter._errors:
    print(error)

print()
print(stix_bundle.serialize(pretty=True))

(You don't actually see a stacktrace since the exception is converted to an error message in the error list. You'd have to add some instrumentation to see it.)

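The ordering check the report asks for can be run against the quoted event without the converter. The code below is an added example for this page, not misp-stix code: it applies the mapping the report describes (valid_from from first_seen with a fallback to the attribute timestamp, valid_until from last_seen) and flags violations of the STIX 2.1 rules valid_from < valid_until and first_observed <= last_observed. The event is the one from the report; the function names and the observed-data window logic are this example's own.

```python
"""Audit the STIX 2.1 timestamp ordering rules for a MISP attribute export.

Added example, not misp-stix code. It reproduces the mapping the issue
describes and reports violations of valid_from < valid_until (indicator)
and first_observed <= last_observed (observed-data).
"""
from datetime import datetime, timezone

# The event quoted in the report (Org/Orgc metadata omitted; not needed here).
EVENT = {
    'date': '2021-05-25',
    'info': 'Test event',
    'timestamp': '1621994860',
    'uuid': '403b04bd-7952-4525-9cf8-34b991176867',
    'Attribute': [
        {
            'category': 'Payload delivery',
            'last_seen': '2021-05-26T02:07:39.000000',  # one second before the timestamp
            'timestamp': '1621994860',                  # 2021-05-26T02:07:40Z
            'to_ids': True,
            'type': 'filename',
            'uuid': 'e0ca6ef1-2c8e-4c50-9b21-9778d4e0add3',
            'value': 'foo',
        }
    ],
}


def parse_misp_time(value):
    """MISP uses epoch strings ('1621994860') for timestamp and ISO 8601 strings
    with microseconds ('2021-05-26T02:07:39.000000') for first_seen/last_seen.
    Both are returned as timezone-aware UTC datetimes."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def indicator_validity(attribute):
    """(valid_from, valid_until, source of valid_from) following the report's description."""
    if attribute.get('first_seen'):
        valid_from, source = parse_misp_time(attribute['first_seen']), 'first_seen'
    else:
        valid_from, source = parse_misp_time(attribute['timestamp']), 'timestamp'
    valid_until = parse_misp_time(attribute['last_seen']) if attribute.get('last_seen') else None
    return valid_from, valid_until, source


def observed_data_window(attribute):
    """first_observed / last_observed with the same fallback to the attribute timestamp."""
    fallback = attribute['timestamp']
    first = parse_misp_time(attribute.get('first_seen') or fallback)
    last = parse_misp_time(attribute.get('last_seen') or fallback)
    return first, last


def check_attribute(attribute):
    """Return human-readable violations for one attribute; an empty list means the export is spec-compliant."""
    problems = []
    valid_from, valid_until, source = indicator_validity(attribute)
    if valid_until is not None and not valid_from < valid_until:
        problems.append(
            f"indicator: valid_from {valid_from.isoformat()} (from {source}) is not before "
            f"valid_until {valid_until.isoformat()}")
    first, last = observed_data_window(attribute)
    if first > last:
        problems.append(
            f"observed-data: first_observed {first.isoformat()} is after last_observed {last.isoformat()}")
    return problems


def check_event(event):
    """Map attribute uuid -> violations, skipping attributes that are fine."""
    report = {}
    for attribute in event['Attribute']:
        problems = check_attribute(attribute)
        if problems:
            report[attribute['uuid']] = problems
    return report


if __name__ == '__main__':
    for attribute_uuid, problems in check_event(EVENT).items():
        print(attribute_uuid)
        for problem in problems:
            print('  ', problem)
```

Running it against the report's event flags the attribute on both rules, because the fallback makes valid_from (02:07:40Z) later than the explicit last_seen (02:07:39Z); supplying a first_seen earlier than last_seen clears both, while a first_seen equal to last_seen still fails the strict indicator rule but passes the observed-data one, which is the distinction the report draws between the two object types.
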
Bug: attempted relative import with no known parent package

MISP-STIX usage

CLI

Expected behavior

To convert the misp json to stix format

Actual behavior

It does not run at all

Steps to reproduce

Just run the misp_stix_converter.py after installing the tool

Version

Latest from this repo

Python version

3.10

Relevant log output

ImportError                               Traceback (most recent call last)
d:\github\misp-stix\misp_stix_converter\misp_stix_converter.py in line 8
      6 import re
      7 import sys
----> 8 from .misp2stix.framing import stix1_attributes_framing, stix1_framing
      9 from .misp2stix.misp_to_stix1 import MISPtoSTIX1AttributesParser, MISPtoSTIX1EventsParser
     10 from .misp2stix.misp_to_stix20 import MISPtoSTIX20Parser

ImportError: attempted relative import with no known parent package

Extra attachments

No response

Bug: in misp_to_stix20.py: _handle_opinion_object method a MISP FP Sighting's "source" field is mapped to "x-misp-source" instead of "x_misp_source"

MISP-STIX usage

Within MISP core

Expected behavior

I tried to export a MISP Event via the web GUI's "Download as..." functionality with attributes, where there were False Positive Sightings with "source" field set. The export should be successful.

Actual behavior

The export failed with the message on the web GUI: "An Internal Error Has Occurred."
The log excerpts are attached, but the source of the problem is a simple typo (thus the logs are a little misleading in this sense):
a FP sighting is mapped to a custom x-misp-opinion STIX object, which has a custom field: "x_misp_source".
In _handle_opinion_object method, which converts an FP MISP Sighting into x-misp-opinion, L174:
opinion_args['x-misp-source'] = sighting['source']
is used instead of:
opinion_args['x_misp_source'] = sighting['source']

Steps to reproduce

Add an FP Sighting to an attribute with "source" field set, and then try to export the event via the web GUI's "Download as..." functionality.

Version

2.4.164

Python version

3.6.9

Relevant log output

/var/www/MISP/app/tmp/logs/error.log:

2022-11-10 11:32:28 Error: [Exception] Error while processing your query during STIX export: Invalid value for Sighting 'sighting_of_ref': reference to custom object type: x-misp-attribute
Request URL: /events/restSearch/stix2/eventid:86577
Stack Trace:
#0 /var/www/MISP/app/Model/Event.php(7036): StixExport->footer(Array)
#1 /var/www/MISP/app/Controller/AppController.php(1260): Event->restSearch(Array, 'stix2', Array, false, false, 1, false)
#2 [internal function]: AppController->restSearch('stix2')
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs(Object(EventsController), Array)
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction(Object(CakeRequest))
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(EventsController), Object(CakeRequest))
#6 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#7 {main}

/var/www/MISP/app/tmp/logs/exec-errors.log:
[2022-11-10 11:32:27 30732] Running command python3 /var/www/MISP/app/files/scripts/stix2/misp2stix2.py -v 2.0 -i /var/www/MISP/app/tmp/MISPsweSUb
  File "/var/www/MISP/app/files/scripts/stix2/misp2stix2.py", line 52, in _process_misp_files
    parser.parse_json_content(name)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 57, in parse_json_content
    self._parse_misp_event(event)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 115, in _parse_misp_event
    self._parse_event_data()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix20.py", line 108, in _parse_event_data
    self._resolve_attribute(attribute)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 401, in _resolve_attribute
    self._attribute_error(attribute, exception)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/exportparser.py", line 211, in _attribute_error
    self._parse_custom_attribute(attribute)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 549, in _parse_custom_attribute
    self._handle_sightings(attribute['Sighting'], custom_id)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 374, in _handle_sightings
    getattr(self, self._results_handling_function)(self._create_sighting(sighting_args))
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix20.py", line 1163, in _create_sighting
    return Sighting(**sighting_args)
  File "/var/www/MISP/app/files/scripts/cti-python-stix2/stix2/v20/sro.py", line 87, in __init__
    super(Sighting, self).__init__(**kwargs)
  File "/var/www/MISP/app/files/scripts/cti-python-stix2/stix2/base.py", line 213, in __init__
    prop_name, prop, setting_kwargs, allow_custom, interoperability,
  File "/var/www/MISP/app/files/scripts/cti-python-stix2/stix2/base.py", line 61, in _check_property
    ) from exc

Extra attachments

No response

Bug: Stix2.1 to misp conversion

MISP-STIX usage

No response

Expected behavior

I tried converting a stix2.1 bundle of type identity to misp using misp-stix.
But in the output file, I was getting duplicate objects.

Example_stix_2.1:

{ "type": "bundle", "id": "bundle--5d9692b0-842d-44a3-91ae-438c4db78e45", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--c2cc2c57-98f5-4804-9e79-8df735f52921", "created": "2024-01-25T10:18:28.125Z", "modified": "2024-01-25T10:18:29.125Z", "name": "Industrial", "identity_class": "unknown", "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] } ] }

The output was:
{ "uuid": "5d9692b0-842d-44a3-91ae-438c4db78e45", "Object": [ { "name": "identity", "meta-category": "misc", "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", "template_version": "1", "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921", "Attribute": [ { "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309", "Tag": [ { "name": "tlp:white" } ], "object_relation": "name", "value": "Industrial", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120", "Tag": [ { "name": "tlp:white" } ], "object_relation": "identity_class", "value": "unknown", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1706177909" }, { "name": "identity", "meta-category": "misc", "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", "template_version": "1", "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921", "Attribute": [ { "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309", "Tag": [ { "name": "tlp:white" } ], "object_relation": "name", "value": "Industrial", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120", "Tag": [ { "name": "tlp:white" } ], "object_relation": "identity_class", "value": "unknown", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1706177909" } ], "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.", "distribution": "0", "published": false }

As we can see, we have a duplicate value in the Object field.

code:
from misp_stix_converter import stix_2_to_misp

file_name = "./bundle.json"

stix_2_to_misp(file_name)

Actual behavior

It should create one single file with one object.
like this:

{ "uuid": "5d9692b0-842d-44a3-91ae-438c4db78e45", "Object": [ { "name": "identity", "meta-category": "misc", "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", "template_version": "1", "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921", "Attribute": [ { "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309", "Tag": [ { "name": "tlp:white" } ], "object_relation": "name", "value": "Industrial", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120", "Tag": [ { "name": "tlp:white" } ], "object_relation": "identity_class", "value": "unknown", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1706177909" } ], "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.", "distribution": "0", "published": false }

Steps to reproduce

from misp_stix_converter import stix_2_to_misp

file_name = "./bundle.json"

stix_2_to_misp(file_name)

Version

2.4.183

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

AttributeError when using "parse_misp_attributes"

Expected Behavior

This issue is affecting MISPtoSTIX21Parser's "parse_misp_attributes" method.
When translating a set of MISP attributes that contain objects within the Galaxy array,
the "parse_misp_attributes" method should generate a set of STIX2.1 domain objects and any associated references.

Current Behavior

When a set of MISP attributes with objects in their Galaxy arrays are passed to MISPtoSTIX21Parser.parse_misp_attributes,
an AttributeError is raised with the following message:

...
    parser.parse_misp_attributes(full_attr)
  File ".../venv/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 70, in parse_misp_attributes
    self._handle_relationships()
  File ".../venv/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 226, in _handle_relationships
    self._append_SDO(self._create_relationship(relationship))
  File ".../venv/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 129, in _append_SDO
    self.__object_refs.append(stix_object.id)
AttributeError: 'MISPtoSTIX21Parser' object has no attribute '_MISPtoSTIX2Parser__object_refs'

Possible Solution

I've found that adding the following around line 61 of misp_stix_converter/misp2stix/misp_to_stix2.py resolves the issue:

self.__object_refs = []

This same definition occurs for _parse_misp_event at line 82 of the same file.

Steps to Reproduce

# Sample code showing current behavior
import json
from misp_stix_converter import MISPtoSTIX21Parser


def main(data):
  parser = MISPtoSTIX21Parser()
  parser.parse_misp_attributes(data)


if __name__ == '__main__':
  data = {
      "response": {
          "Attribute": [
              {
                  "uuid": "2972c3a2-dda3-4de7-aca1-e96cf7ce5544",
                  "type": "AS",
                  "category": "Network activity",
                  "timestamp": "1603642920",
                  "value": "AS174",
                  "Galaxy": [
                      {
                          "uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
                          "name": "Attack Pattern",
                          "type": "mitre-attack-pattern",
                          "description": "ATT&CK Tactic",
                          "GalaxyCluster": [
                              {
                                  "uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
                                  "type": "mitre-attack-pattern",
                                  "value": "Access Token Manipulation - T1134",
                                  "description": "Windows uses access tokens to determine the ownership of a running process.",
                                  "meta": {
                                      "external_id": [
                                          "CAPEC-633"
                                      ]
                                  }
                              }
                          ]
                      }
                  ]
              }
          ]
      }
  }
  main(data)

Associated PR (where applicable)

I've opened a PR with a suggested fix, along with an associated test that exercises the code change.
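Why the missing attribute shows up under the mangled name `_MISPtoSTIX2Parser__object_refs`, and where the initialisation has to live, as an added stand-alone example that is not misp-stix code: the class and method names mirror the traceback, but the bodies are constructed stand-ins, and the sample attribute list is built inline.

```python
"""Minimal reproduction of the bug class behind the traceback above.

Added example, not misp-stix code. 'self.__object_refs' written inside the body
of class MISPtoSTIX2Parser compiles to 'self._MISPtoSTIX2Parser__object_refs'
(Python name mangling), so only code in that same class can initialise the
attribute that _append_SDO reads. The buggy version initialises it on the
parse_misp_event path only; parse_misp_attributes reaches _append_SDO first.
"""


class MISPtoSTIX2Parser:
    """Base parser stand-in: tracks the ids of the SDOs it emits."""

    def __init__(self, fixed: bool):
        if fixed:
            # The fix: initialise the list in the class that owns _append_SDO,
            # on a path that every entry point goes through.
            self.__object_refs = []

    def parse_misp_event(self, event):
        self.__object_refs = []  # the only initialisation in the buggy version
        for attribute in event["Attribute"]:
            self._append_SDO(self._indicator_id(attribute))
        return self.object_refs

    def parse_misp_attributes(self, attributes):
        # Buggy version: nothing initialises __object_refs on this path, yet
        # _append_SDO is still reached (via _handle_relationships upstream).
        for attribute in attributes:
            self._append_SDO(self._indicator_id(attribute))
        return self.object_refs

    @property
    def object_refs(self):
        return list(self.__object_refs)

    def _append_SDO(self, stix_id):
        # Compiles to self._MISPtoSTIX2Parser__object_refs.append(stix_id)
        self.__object_refs.append(stix_id)

    @staticmethod
    def _indicator_id(attribute):
        return f"indicator--{attribute['uuid']}"


class MISPtoSTIX21Parser(MISPtoSTIX2Parser):
    """Subclass stand-in; shows that initialising here would NOT help."""

    def __init__(self, fixed: bool = True, init_in_subclass: bool = False):
        super().__init__(fixed)
        if init_in_subclass:
            # Mangles to _MISPtoSTIX21Parser__object_refs: a different attribute,
            # invisible to the base class's _append_SDO.
            self.__object_refs = []


# Constructed input with the same shape as the report's sample attribute.
SAMPLE_ATTRIBUTES = [
    {"uuid": "2972c3a2-dda3-4de7-aca1-e96cf7ce5544", "type": "AS", "value": "AS174"},
]


def try_parse(parser):
    """Return the emitted ids, or the AttributeError text the buggy path raises."""
    try:
        return parser.parse_misp_attributes(SAMPLE_ATTRIBUTES)
    except AttributeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("buggy:", try_parse(MISPtoSTIX21Parser(fixed=False)))
    print("subclass init:", try_parse(MISPtoSTIX21Parser(fixed=False, init_in_subclass=True)))
    print("fixed:", try_parse(MISPtoSTIX21Parser(fixed=True)))
```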

Bug: Errors thrown when installing misp-stix on python 3.8

MISP-STIX usage

Python Script

Expected behavior

Successful install

Actual behavior

Exception Error

Steps to reproduce

Running a Docker container with Python 3.8:
pip install git+https://github.com/MISP/misp-stix.git@v2.4.160

It looks to be an upstream dependency that is causing the issue.
In your requirements.txt file: stix2 @ git+https://github.com/MISP/cti-python-stix2.git@main ; python_version >= "3.6"

If I am wrong I would love some direction on how to fix this. I am stumped and it is blocking pipeline builds.

Version

2.4.160 and 2.4.159

Python version

3.8

Relevant log output

pip install git+https://github.com/MISP/misp-stix.git@v2.4.160
Looking in indexes: https://pypi.org/simple, https://pypi-01.c.fpint.net/pypi/
Collecting git+https://github.com/MISP/misp-stix.git@v2.4.160
  Cloning https://github.com/MISP/misp-stix (to revision v2.4.160) to /tmp/pip-req-build-thz3zi9r
  Running command git clone --filter=blob:none --quiet https://github.com/MISP/misp-stix /tmp/pip-req-build-thz3zi9r
  Running command git checkout -q 0b9229ba8153a86985cc009b7c40df21e0d08b75
  Resolved https://github.com/MISP/misp-stix to commit 0b9229ba8153a86985cc009b7c40df21e0d08b75
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting stix2@ git+https://github.com/MISP/cti-python-stix2.git@main
  Cloning https://github.com/MISP/cti-python-stix2.git (to revision main) to /tmp/pip-install-_yl1o_mq/stix2_74a7cbed645140efbeea4e71129fd31c
  Running command git clone --filter=blob:none --quiet https://github.com/MISP/cti-python-stix2.git /tmp/pip-install-_yl1o_mq/stix2_74a7cbed645140efbeea4e71129fd31c
  Resolved https://github.com/MISP/cti-python-stix2.git to commit 78c2c3dd37b28446a1e43a699f61675d52fde5f8
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
  WARNING: Generating metadata for package stix2 produced metadata for project name misp-lib-stix2. Fix your #egg=stix2 fragments.
Discarding git+https://github.com/MISP/cti-python-stix2.git@main: Requested misp-lib-stix2 from git+https://github.com/MISP/cti-python-stix2.git@main (from misp-stix-converter==0.1.0) has inconsistent name: filename has 'stix2', but metadata has 'misp-lib-stix2'
Requirement already satisfied: mixbox<2.0.0,>=1.0.3 in /usr/local/lib/python3.8/site-packages (from misp-stix-converter==0.1.0) (1.0.5)
Requirement already satisfied: maec<5.0.0,>=4.1.0 in /usr/local/lib/python3.8/site-packages (from misp-stix-converter==0.1.0) (4.1.0.17)
ERROR: Could not find a version that satisfies the requirement stix2 (unavailable) (from misp-stix-converter) (from versions: 0.0.1, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 2.0.1, 2.0.2, 2.1.0, 3.0.0, 3.0.1)
ERROR: No matching distribution found for stix2 (unavailable)

Extra attachments


Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: STIX 2 to MISP feature seems not working

MISP-STIX usage

standalone script

Expected behavior

I think I should get a MISP event.

Actual behavior

An error shows up in the log:
"expected str, bytes or os.PathLike object, not Bundle"

Steps to reproduce

from misp_stix_converter.misp_stix_converter import stix2_to_misp

event = stix2_to_misp("test_stix.json")

print(event)

Version

Latest version of misp-stix available through PyPI: 2.4.162

Python version

3.9.16

Relevant log output

expected str, bytes or os.PathLike object, not Bundle

Extra attachments

Attached are two STIX files I've tested:
stixes.zip

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: stix2.exceptions.InvalidValueError: Invalid value for Sighting 'sighting_of_ref': reference to custom object type: x-misp-attribute

MISP-STIX usage

Standalone

Expected behavior

Parsing of an event with a sighting. Almost all events with sightings are properly parsed, except one event.

Actual behavior

When parsing the event with UUID (5f46b4ae-a1a9-4e3e-ba99-9ead115a74ab - it's on MISPPRIV) these errors are raised:

  File "/home/koenv/misp2sentinel/sentinel/lib/python3.8/site-packages/stix2/base.py", line 59, in _check_property
    raise InvalidValueError(
stix2.exceptions.InvalidValueError: Invalid value for Sighting 'sighting_of_ref': reference to custom object type: x-misp-attribute

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/koenv/misp2sentinel/sentinel/lib/python3.8/site-packages/stix2/base.py", line 53, in _check_property
    kwargs[prop_name], has_custom = prop.clean(*arguments)
  File "/home/koenv/misp2sentinel/sentinel/lib/python3.8/site-packages/stix2/properties.py", line 616, in clean
    raise CustomContentError(
stix2.exceptions.CustomContentError: reference to custom object type: x-misp-attribute


  File "/home/koenv/misp2sentinel/sentinel/lib/python3.8/site-packages/stix2/base.py", line 59, in _check_property
    raise InvalidValueError(
stix2.exceptions.InvalidValueError: Invalid value for Sighting 'sighting_of_ref': reference to custom object type: x-misp-attribute

Steps to reproduce

Parse the event with UUID 5f46b4ae-a1a9-4e3e-ba99-9ead115a74ab with

parser = MISPtoSTIX21Parser()
parser.parse_misp_event(event)

Version

2.4.171

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request: Handle MISPEvent when parsing

Is your feature request related to a problem? Please describe.

If I'm not mistaken, misp-stix does not handle the MISPEvent class. It would be nice to pass a MISPEvent to

from misp_stix_converter import MISPtoSTIX20Parser

parser20 = MISPtoSTIX20Parser()
parser20.parse_misp_event(event)  # event here is a MISPEvent

Describe the solution you'd like

Handle the MISPEvent class when parsing MISP events; see the parse_misp_event method.

Describe alternatives you've considered

After retrieving a published event from MISP, I made some modifications to the event (removing Objects, modifying comments...).
When trying to give it to the misp-stix parser, I had to do some tweaks so that the STIX parser accepts the event.

import json

from misp_stix_converter import MISPtoSTIX20Parser

# events: the MISPEvent instances retrieved from MISP (fetched elsewhere)
parser20 = MISPtoSTIX20Parser()
for event in events:
    # Dump the class to a JSON str; it recursively dumps the other classes as well
    # (like MISPObjects).

    # Painful tweak: force_timestamp for MISPEvent, MISPObject and MISPAttribute
    event.force_timestamp = True

    for obj in event.Object:
        obj.force_timestamp = True

    for attr in event.Attribute:
        attr.force_timestamp = True

    # Tweak: you have to give the STIX parser a JSON object, but `to_json()` returns a JSON str
    event_str = event.to_json()
    event_json = json.loads(event_str)

    # Parse each event inside the loop, not only the last one
    parser20.parse_misp_event(event_json)

Additional context

The solution will probably require the force_timestamp method that @Rafiot added here MISP/PyMISP@289ce47

Code of Conduct

  • I agree to follow this project's Code of Conduct

misp-stix broken on Python 3.10

It seems there are issues with python3.10 - see below

$ cat /etc/redhat-release
Fedora release 35 (Thirty Five)
[misp@misp-fedora ~]$ python -V
Python 3.10.1
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/app/files/scripts/misp-stix
Collecting ordered-set
  Downloading ordered-set-4.0.2.tar.gz (10 kB)
  Preparing metadata (setup.py) ... done
Collecting python-dateutil
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     |████████████████████████████████| 247 kB 6.8 MB/s
Collecting six
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting weakrefmethod
  Downloading weakrefmethod-1.0.3.tar.gz (7.5 kB)
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: ordered-set, weakrefmethod
  Building wheel for ordered-set (setup.py) ... done
  Created wheel for ordered-set: filename=ordered_set-4.0.2-py2.py3-none-any.whl size=8218 sha256=48c449f4c13643e96a2114ca9bf967129fc83f1de8264ab8bfcbab99c6994d18
  Stored in directory: /usr/share/httpd/.cache/pip/wheels/a0/7b/e7/13d20d03563090b0f5a6450dc297cd6d8583358e3755670da6
  Building wheel for weakrefmethod (setup.py) ... done
  Created wheel for weakrefmethod: filename=weakrefmethod-1.0.3-py3-none-any.whl size=7005 sha256=a3169d86c94f8cc40df6f8c55e182cd72d9af1aba78b65f1b35e25372495d4c2
  Stored in directory: /usr/share/httpd/.cache/pip/wheels/d8/ef/44/e5d393e56adb51480bb5e83765e1e71009eaf229657eff2354
Successfully built ordered-set weakrefmethod
Installing collected packages: six, weakrefmethod, python-dateutil, ordered-set
Successfully installed ordered-set-4.0.2 python-dateutil-2.8.2 six-1.16.0 weakrefmethod-1.0.3
Install misp-stix
Processing ./app/files/scripts/misp-stix
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
ERROR: Exception:
Traceback (most recent call last):
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/cli/base_command.py", line 164, in exc_logging_wrapper
    status = run_func(*args)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/cli/req_command.py", line 205, in wrapper
    return func(self, options, args)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/commands/install.py", line 338, in run
    requirement_set = resolver.resolve(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 73, in resolve
    collected = self.factory.collect_root_requirements(root_reqs)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 468, in collect_root_requirements
    req = self._make_requirement_from_install_req(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 430, in _make_requirement_from_install_req
    cand = self._make_candidate_from_link(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 201, in _make_candidate_from_link
    self._link_candidate_cache[link] = LinkCandidate(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 281, in __init__
    super().__init__(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 156, in __init__
    self.dist = self._prepare()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 225, in _prepare
    dist = self._prepare_distribution()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 292, in _prepare_distribution
    return preparer.prepare_linked_requirement(self._ireq, parallel_builds=True)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/operations/prepare.py", line 482, in prepare_linked_requirement
    return self._prepare_linked_requirement(req, parallel_builds)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/operations/prepare.py", line 546, in _prepare_linked_requirement
    dist = _get_prepared_distribution(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/operations/prepare.py", line 58, in _get_prepared_distribution
    abstract_dist.prepare_distribution_metadata(finder, build_isolation)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/distributions/sdist.py", line 47, in prepare_distribution_metadata
    self._install_build_reqs(finder)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/distributions/sdist.py", line 106, in _install_build_reqs
    build_reqs = self._get_build_requires_wheel()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_internal/distributions/sdist.py", line 83, in _get_build_requires_wheel
    return backend.get_requires_for_build_wheel()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_vendor/pep517/wrappers.py", line 172, in get_requires_for_build_wheel
    return self._call_hook('get_requires_for_build_wheel', {
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_vendor/pep517/wrappers.py", line 332, in _call_hook
    raise BackendUnavailable(data.get('traceback', ''))
pip._vendor.pep517.wrappers.BackendUnavailable: Traceback (most recent call last):
  File "/var/www/MISP/venv/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 89, in _build_backend
    obj = import_module(mod_path)
  File "/usr/lib64/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/masonry/api.py", line 1, in <module>
    from poetry.core.masonry.api import build_sdist
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/core/masonry/__init__.py", line 10, in <module>
    from .builder import Builder
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/core/masonry/builder.py", line 7, in <module>
    from .builders.sdist import SdistBuilder
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/core/masonry/builders/__init__.py", line 2, in <module>
    from .wheel import WheelBuilder
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/core/masonry/builders/wheel.py", line 23, in <module>
    from packaging.tags import sys_tags
  File "/tmp/pip-build-env-4vju0c25/overlay/lib/python3.10/site-packages/poetry/core/_vendor/packaging/tags.py", line 7, in <module>
    import distutils.util
  File "/var/www/MISP/venv/lib/python3.10/site-packages/_distutils_hack/__init__.py", line 92, in create_module
    return importlib.import_module('setuptools._distutils')
  File "/usr/lib64/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
ModuleNotFoundError: No module named 'setuptools'

Bug: misp2stix.py tries to map MISP Sighting's 'source' field to non-existing 'description' field in STIX Sighting SRO

MISP-STIX usage

Within MISP core

Expected behavior

I tried to export a MISP Event to STIX2 via the web GUI's 'Download as...' functionality. This event contained Attributes with such Sightings, where the 'source' field was set. The export should be successful.

Actual behavior

The export failed with the message on the web GUI: "An Internal Error Has Occurred."

Looking into /var/www/MISP/app/tmp/logs/error.log, the following error message was shown (full log message below):
2022-11-04 15:43:18 Error: [Exception] Error while processing your query during STIX export: Unexpected properties for Sighting: (description).

Looking into exec-errors.log (log excerpt included below), I found the ExtraPropertiesError, which produces the same error message as I saw in error.log (Unexpected properties for...). Going up from here, it looks to me like the 'description' field has been set somewhere upon the creation of the Sighting SRO from a MISP Sighting.

Looking into STIX2.0 standard, the Sighting SRO does not include a 'description' field (http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714342).
In STIX2.1, it does have one (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_a795guqsap3r).

In L336 of misp_to_stix2.py, the mapping of the MISP Sighting's 'source' field to the STIX Sighting's 'description' field is made. I believe it is done regardless of the output STIX standard (2.0 or 2.1) to be used.

Steps to reproduce

  1. Get an event in MISP with Attributes, whose Sightings have the 'source' field set.
  2. Using the web GUI's 'Download as...' functionality, try to export the event in STIX2 format.

Version

2.4.164

Python version

3.6.9

Relevant log output

/var/www/MISP/app/tmp/logs/exec-errors.log:

[2022-11-04 15:43:17 31692] Running command python3 /var/www/MISP/app/files/scripts/stix2/misp2stix2.py -v 2.0 -i /var/www/MISP/app/tmp/MISPPzwAoF
  File "/var/www/MISP/app/files/scripts/stix2/misp2stix2.py", line 52, in _process_misp_files
    parser.parse_json_content(name)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 57, in parse_json_content
    self._parse_misp_event(event)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 115, in _parse_misp_event
    self._parse_event_data()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix20.py", line 108, in _parse_event_data
    self._resolve_attribute(attribute)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 363, in _resolve_attribute
    self._attribute_error(attribute, exception)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/exportparser.py", line 211, in _attribute_error
    self._parse_custom_attribute(attribute)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 511, in _parse_custom_attribute
    self._handle_sightings(attribute['Sighting'], custom_id)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 337, in _handle_sightings
    getattr(self, self._results_handling_function)(self._create_sighting(sighting_args))
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix20.py", line 1163, in _create_sighting
    return Sighting(**sighting_args)
  File "/var/www/MISP/app/files/scripts/cti-python-stix2/stix2/v20/sro.py", line 87, in __init__
    super(Sighting, self).__init__(**kwargs)
  File "/var/www/MISP/app/files/scripts/cti-python-stix2/stix2/base.py", line 166, in __init__
    raise ExtraPropertiesError(cls, custom_kwargs)

/var/www/MISP/app/tmp/logs/error.log:

2022-11-04 15:43:18 Error: [Exception] Error while processing your query during STIX export: Unexpected properties for Sighting: (description).
Request URL: /events/restSearch/stix2/eventid:2890
Stack Trace:
#0 /var/www/MISP/app/Model/Event.php(7036): StixExport->footer(Array)
#1 /var/www/MISP/app/Controller/AppController.php(1260): Event->restSearch(Array, 'stix2', Array, false, false, 1, false)
#2 [internal function]: AppController->restSearch('stix2')
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs(Object(EventsController), Array)
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction(Object(CakeRequest))
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(EventsController), Object(CakeRequest))
#6 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#7 {main}

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
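The version dependency described in this report, as an added stand-alone example that is not misp-stix code: it rebuilds the 'source' to 'description' mapping with a version gate and a small validator that rejects properties the target STIX version does not define, the way the stix2 library does. The Sighting property sets come from the STIX 2.0 and 2.1 specifications; the MISP-side field names ('source', 'date_sighting', 'type') are MISP's own, the sample sighting and indicator id are constructed, and the decision to drop 'source' for 2.0 is this example's choice, not the project's.

```python
"""Version-aware STIX Sighting construction for a MISP Sighting.

Added example, not misp-stix code. STIX 2.0 defines no 'description' on the
Sighting SRO, STIX 2.1 adds it as optional, so mapping MISP's 'source' field to
'description' has to depend on the target version.
"""
from datetime import datetime, timezone

STIX_COMMON = {"type", "id", "spec_version", "created", "modified"}

# Sighting-specific properties per spec version (assumption: taken from the
# STIX 2.0 and 2.1 Sighting definitions; 'summary' is a boolean in both).
SIGHTING_PROPERTIES = {
    "2.0": {"first_seen", "last_seen", "count", "sighting_of_ref",
            "observed_data_refs", "where_sighted_refs", "summary"},
    "2.1": {"description", "first_seen", "last_seen", "count", "sighting_of_ref",
            "observed_data_refs", "where_sighted_refs", "summary"},
}


class ExtraPropertiesError(ValueError):
    """Mirrors the stix2 library's error for properties a version does not define."""

    def __init__(self, extra):
        super().__init__(f"Unexpected properties for Sighting: ({', '.join(extra)}).")
        self.extra = extra


def validate_sighting(args: dict, version: str) -> dict:
    """Reject properties the target STIX version does not define for a Sighting."""
    allowed = SIGHTING_PROPERTIES[version] | STIX_COMMON
    extra = sorted(set(args) - allowed)
    if extra:
        raise ExtraPropertiesError(extra)
    return args


def _misp_timestamp(value: str) -> str:
    """MISP stores sighting times as epoch strings; STIX wants RFC 3339 UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _base_args(sighting: dict, sighting_of_ref: str) -> dict:
    when = _misp_timestamp(sighting["date_sighting"])
    return {"type": "sighting", "sighting_of_ref": sighting_of_ref,
            "first_seen": when, "last_seen": when, "count": 1}


def unconditional_sighting_args(sighting: dict, sighting_of_ref: str, version: str) -> dict:
    """What the report describes: 'source' -> 'description' regardless of version."""
    args = _base_args(sighting, sighting_of_ref)
    if sighting.get("source"):
        args["description"] = sighting["source"]
    return validate_sighting(args, version)


def version_aware_sighting_args(sighting: dict, sighting_of_ref: str, version: str) -> dict:
    """Gate the 'description' mapping on what the target version defines."""
    args = _base_args(sighting, sighting_of_ref)
    if sighting.get("source") and "description" in SIGHTING_PROPERTIES[version]:
        args["description"] = sighting["source"]
    # For 2.0 the source is dropped here (example's choice); a custom x_misp_*
    # property would be the alternative, which stix2 only accepts with allow_custom.
    return validate_sighting(args, version)


def unconditional_mapping_extra(sighting: dict, sighting_of_ref: str, version: str) -> list:
    """Extra properties the unconditional mapping trips over, or [] if it passes."""
    try:
        unconditional_sighting_args(sighting, sighting_of_ref, version)
    except ExtraPropertiesError as exc:
        return exc.extra
    return []


# Constructed MISP sighting as attached to an attribute ('type' "0" = sighting).
SAMPLE_SIGHTING = {"type": "0", "date_sighting": "1667572998", "source": "honeypot-eu-1"}
SAMPLE_REF = "indicator--f3b0d9d3-0c8e-4b2e-8e5f-1d2a3b4c5d6e"  # constructed id

if __name__ == "__main__":
    for version in ("2.0", "2.1"):
        print(version, "unconditional extra:", unconditional_mapping_extra(SAMPLE_SIGHTING, SAMPLE_REF, version))
        print(version, "version-aware:", version_aware_sighting_args(SAMPLE_SIGHTING, SAMPLE_REF, version))
```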

misp to stix2.1 Bug: Invalid value for Note 'object_refs': reference to custom object type: x-misp-attribute

MISP-STIX usage

CLI

Expected behavior

Parsing of an event with a note. Almost all events with a note are properly parsed.

Actual behavior

When parsing the event with UUID (1edd5ee1-7c91-4233-840a-6c419d6afc62) these errors are raised:

Failed parsing the following - and the related error message:
 misp.event.1208.json - Invalid value for Note 'object_refs': reference to custom object type: x-misp-attribute
No result from the MISP to STIX conversion.

The problem occurs when there is an "EventReport".

Steps to reproduce

misp_stix_converter --debug export --format json -v 2.1 -f misp.event.1208.json

Version

2.4.177

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: attributes in hashlookup object type are not converted to indicators

MISP-STIX usage

Integration for Sentinel

Expected behavior

The relevant file attributes in the hashlookup object are converted to indicators, similar to the file object type (meaning SHA1, MD5, etc. should become indicators).

Actual behavior

None of the file attributes are converted to indicators. The object is added as an x-misp-object, but the indicators are not extracted.

Steps to reproduce

Add a hashlookup object. Search for the event.

parser = MISPtoSTIX21Parser()
parser.parse_misp_event(misp_event)
stix_objects = parser.stix_objects
for el in stix_objects:
    if el.type == 'indicator':
        print(el)

Version

2.4.182

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: Using pagination for non-existing page throws internal server error

MISP-STIX usage

MISP core

Expected behavior

Query for stix2 results with pagination and return 0 results instead of an error, or at least not "An Internal Error Has Occurred".

Actual behavior

Not sure if this is a bug or by design, but when requesting results (stix2) for pages that do not exist the server returns a 500 error.

Use case: to limit memory usage and not have the server return all STIX2 events/attributes in one set, I query the server with a limit and page option (a simple counter, querying 50 events at once). Unfortunately there's no way (?) of telling how many pages there are or if there is any page left in the query. So the solution is to request the results until the server returns an empty result set; unfortunately this also throws an error.

Unknown error: the response is not in JSON.
Something is broken server-side, please send us everything that follows (careful with the auth key):
Request headers:
{'User-Agent': 'PyMISP 2.4.171 - Python 3.8', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Cookie': 'removed', 'Content-Length': '353', 'content-type': 'application/json'}
Request body:
{"returnFormat": "stix2", "page": 2, "limit": 50, "tags": ["tlp:clear"], "withAttachments": 0, "metadata": 0, "published": true, "enforceWarninglist": 0, "includeEventUuid": 0, "includeEventTags": 0, "sgReferenceOnly": 0, "includeContext": 0, "headerless": 0, "includeSightings": 0, "includeDecayScore": 0, "includeCorrelations": 0, "excludeDecayed": 0}
Response (if any):
{"name":"An Internal Error Has Occurred.","message":"An Internal Error Has Occurred.","url":"\/events\/restSearch"}
2023-07-03 14:57:25 Error: [Exception] Error while processing your query during STIX export: Arguments error, please check you entered a valid version and provided input file names.
Request URL: /events/restSearch
Stack Trace:
#0 /data/www/MISP/app/Model/Event.php(7277): StixExport->footer()
#1 /data/www/MISP/app/Controller/AppController.php(1314): Event->restSearch()
#2 [internal function]: AppController->restSearch()
#3 /data/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#4 /data/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#5 /data/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#6 /data/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()

Steps to reproduce

import logging

logger = logging.getLogger(__name__)

# misp (a PyMISP instance) and config (filters, page size) are set up elsewhere
misp_page = 0
remaining_misp_pages = True
while remaining_misp_pages:
    try:
        result = misp.search(controller='events', return_format='stix2',
                             **config.misp_event_filters,
                             limit=config.misp_event_limit_per_page, page=misp_page)
        misp_page += 1
    except Exception as e:
        remaining_misp_pages = False
        logger.info("Finished receiving MISP events.")

Version

2.4.171

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: Location object has Country name in lowercase

MISP-STIX usage

No response

Expected behavior

Use the description field from the MISP event to fill the name field in the STIX object.

{
    "type": "location",
    "spec_version": "2.1",
    "id": "location--84668357-5a8c-4bdd-9f0f-6b50b2555341",
    "created": "2022-09-15T11:29:38.000Z",
    "modified": "2022-09-15T11:29:38.000Z",
    "name": "United States",
    "description": "Country meta information based on the database provided by geonames.org.",
    "country": "['US']",
    "labels": [
        "misp:galaxy-name=\"Country\"",
        "misp:galaxy-type=\"country\"",
        "misp-galaxy:country=\"united states\""
    ],
    "x_misp_Capital": [
        "Washington"
    ],
    "x_misp_Continent": [
        "NA"
    ],
    "x_misp_CurrencyCode": [
        "USD"
    ],
    "x_misp_CurrencyName": [
        "Dollar"
    ],
    "x_misp_ISO": [
        "US"
    ],
    "x_misp_ISO3": [
        "USA"
    ],
    "x_misp_Languages": [
        "en-US,es-US,haw,fr"
    ],
    "x_misp_Population": [
        "310232863"
    ],
    "x_misp_tld": [
        ".us"
    ]
}

Actual behavior

{
    "type": "location",
    "spec_version": "2.1",
    "id": "location--84668357-5a8c-4bdd-9f0f-6b50b2555341",
    "created": "2022-09-15T11:29:38.000Z",
    "modified": "2022-09-15T11:29:38.000Z",
    "name": "united states",
    "description": "Country meta information based on the database provided by geonames.org. | United States",
    "country": "['US']",
    "labels": [
        "misp:galaxy-name=\"Country\"",
        "misp:galaxy-type=\"country\"",
        "misp-galaxy:country=\"united states\""
    ],
    "x_misp_Capital": [
        "Washington"
    ],
    "x_misp_Continent": [
        "NA"
    ],
    "x_misp_CurrencyCode": [
        "USD"
    ],
    "x_misp_CurrencyName": [
        "Dollar"
    ],
    "x_misp_ISO": [
        "US"
    ],
    "x_misp_ISO3": [
        "USA"
    ],
    "x_misp_Languages": [
        "en-US,es-US,haw,fr"
    ],
    "x_misp_Population": [
        "310232863"
    ],
    "x_misp_tld": [
        ".us"
    ]
}


Steps to reproduce

Process a country associated with an attribute.

Version

2.4.168

Python version

3.10.9

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: Have network indicators in domain-ip MISP objects use kill_chain_phases "Network activity" instead of "network"

MISP-STIX usage

MISP core

Expected behavior

Have network-related indicators in MISP objects (such as domain-ip and ip-port) use the "Network activity" phase_name in the kill_chain_phases:

"kill_chain_phases": [
                    {
                        "kill_chain_name": "misp-category",
                        "phase_name": "Network activity"
                    }
                ]

Actual behavior

Currently they use "phase_name": "network"
https://github.com/MISP/misp-stix/blob/f51194eb59c72d8955a9aa052a3d61c13e113f77/documentation/mapping/misp_objects_to_stix21.json#L779C18-L779C35

"kill_chain_phases": [
                    {
                        "kill_chain_name": "misp-category",
                        "phase_name": "network"
                    }
                ]

Steps to reproduce

Include a domain-ip object in a MISP export

Version

2.4.172

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Support: install misp-lib-stix2 and pytz 2019.3

Support Questions

If you use the MISP installation script https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh and misp-modules, then there is a conflict:
misp-lib-stix2 3.0.1.1 has requirement pytz<2023.0.0,>=2022.2.1, but you'll have pytz 2019.3 which is incompatible

But if you install pytz 2019.3 then:
apiosintds 1.8.3 has requirement pytz==2019.3, but you'll have pytz 2022.6 which is incompatible.

How can both products be used (apiosintds and misp-lib-stix2)?

MISP version

2.4

Python version

3.8.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

indicator:Confidence missing after importing STIX1.1.1/2.0 files into MISP

Hello,

I am currently using MISP v2.4.148. I exported STIX files (both 1.1.1 and 2.0 versions) from Anomali TI and then successfully imported those STIX files inside the MISP instance using Import STIX feature. However, there is one issue: every indicator present in the STIX file has a "Confidence" value (indicator:Confidence), but that value is ignored/dropped by MISP during the import process.

Is there any solution to this problem? I really need that confidence value associated with each imported indicator inside the MISP. I am posting one example below for you to look at:

<stix:Indicators>
        <stix:Indicator id="threatstream:indicator-XXXXXX" timestamp="2021-09-12T18:13:40.701650+00:00" xsi:type='indicator:IndicatorType'>
            <indicator:Title>spam_ip: 80.109.155.86</indicator:Title>
            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
            <indicator:Description>TS ID: 57531849646; iType: spam_ip; Date First: 2021-09-10T02:26:53.448Z; State: active; Org: Magenta Telekom; Source: NixSpam; MoreDetail: imported by user 668</indicator:Description>
            <indicator:Observable id="threatstream:Observable-XXXXXXX">
                <cybox:Title>spam_ip: 80.109.155.86</cybox:Title>
                <cybox:Keywords>
                    <cybox:Keyword>low</cybox:Keyword>
                </cybox:Keywords>
                <cybox:Object id="threatstream:Address-XXXXXXX">
                    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                        <AddressObj:Address_Value>80.109.155.86</AddressObj:Address_Value>
                    </cybox:Properties>
                </cybox:Object>
            </indicator:Observable>
            <indicator:Handling>
                <marking:Marking>
                    <marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
                    <marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="AMBER"/>
                </marking:Marking>
            </indicator:Handling>
            <indicator:Confidence timestamp="2021-09-12T18:13:40.702217+00:00">
                <stixCommon:Value vocab_reference="https://en.wikipedia.org/wiki/Percentage" vocab_name="Percentage">37</stixCommon:Value>
            </indicator:Confidence>
            <indicator:Producer>
                <stixCommon:Time>
                    <cyboxCommon:Produced_Time>2021-09-10T02:26:53.448000+00:00</cyboxCommon:Produced_Time>
                </stixCommon:Time>
            </indicator:Producer>
        </stix:Indicator>

Bug: converter fails to convert STIX mutex object name field and fails to give warning

MISP-STIX usage

Using the misp_stix_converter CLI script to import STIX into MISP

Expected behavior

The converter was expected to generate a MISP file with the information from the STIX file for all required STIX fields.

If the converter failed to process part or all of the file, then in normal mode we hoped we would see a warning about that.

Actual behavior

The conversion of a STIX file reported that it successfully processed the file and gave no warnings or indications that any of the data from the file had problems being successfully processed. The file generated did not have data for a STIX required property (i.e. the name property) that was in the input file.

When run in normal mode, no error or warning is provided and successful conversion is reported. See console output below:
The output of the converter is the following:
Successfully processed your file. Results available in:

  • misp-output/misp_183_from_mutex_diff.20240131_062854.json

And the resultant file contained the following contents (which did not include the STIX-required name property of the mutex).
See the misp provided as output below:
{
    "uuid": "a5a9cc35-7b62-4924-ba29-14e9c4d92087",
    "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
    "distribution": "0",
    "published": false
}

Steps to reproduce

misp_stix_converter import --version 2 -f ./stix-input/mutex_d1.json --output_name ./misp-output/misp_183_from_mutex_d1.json

where mutex_d1.json contains the following:
{
    "type": "bundle",
    "id": "bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087",
    "objects": [
        {
            "type": "mutex",
            "spec_version": "2.1",
            "name": "well",
            "id": "mutex--548231ca-70ea-4c33-b3ad-0f7985d46587",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}

Version

2.4.183

Python version

3.9.9

Relevant log output

When run with the debug flag the following error is displayed: 

Errors encountered during the STIX to MISP conversion process:
 - bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087
   - Error parsing the Observable object with id mutex--548231ca-70ea-4c33-b3ad-0f7985d46587:   File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
    getattr(self.observable_object_parser, to_call)(object_id)
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 409, in _parse_mutex_observable_object
    self._create_misp_attribute('mutex', mutex), mutex
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 47, in _create_misp_attribute
    'value': getattr(observable, feature), 'type': attribute_type,
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/stix2/base.py", line 278, in __getattr__
    raise AttributeError(
'Mutex' object has no attribute 'value'
Successfully processed your file. Results available in:
 - misp-output/misp_183_from_mutex_diff.json_segment_1.json.20240131_091558.json

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Support: Seeking lists of supported STIX 2.1 objects (STIX to MISP and MISP to STIX)

Support Questions

With respect to STIX 2.1 is there a listing of all the objects that the converter supports going from STIX 2.1 objects to MISP?
Also, is there a list of all the STIX 2.1 objects that have a corresponding MISP that converts to that object?
I see that you have some MISP-to-STIX-21 documentation and still I am not sure if the STIX 2.1 objects mentioned there should be taken as the complete list of STIX objects supported by the current misp_stix_converter.

MISP version

2.4.183

Python version

3.9.9

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: STIX2ObservableObjectConverter object has no attribute '_parse_domain_observable'

MISP-STIX usage

standalone script

Expected behavior

normal event creation.

Actual behavior

Found issue during parsing on the following objects. dict_items([('bundle--3fc50ef4-4b21-497d-b590-1b8640cf6bce',
{'Error parsing the Observable object with id domain-name--bedb4899-d24b-5401-bc86-8f6b4cc18ec7:
   File "/home/vscode/.local/lib/python3.10/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 315, in _handle_unparsed_content
    getattr(self.observable_object_parser, to_call)(object_id)\n\'STIX2ObservableObjectConverter\' object has no attribute \'_parse_domain_observable\''})])

Steps to reproduce

from misp_stix_converter import ExternalSTIX2toMISPParser
from stix2 import Bundle, DomainName

parser = ExternalSTIX2toMISPParser()

domain = DomainName(value="example.com")

bundle = Bundle([domain])

parser.load_stix_bundle(bundle)
parser.parse_stix_bundle()
event = parser.misp_event

if parser.errors:
    print(f"Found issue during parsing on the following objects. {parser.errors.items()}")

Version

2.4.176

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request: Add stix2misp to main function

Is your feature request related to a problem? Please describe.

When running the "misp_stix_converter" command there is no switch to select the stix2misp functionality.

Describe the solution you'd like

Add a switch to the "misp_stix_converter" command to select stix2misp functionality. I have noticed in the misp_stix_converter.py file that the definition for stix2misp is already present. It just needs to be included in the __init__.py file.
Thank you for making this great tool available. Kind regards

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: Stix 2.1 name is optional and not required

MISP-STIX usage

MISP import Stix 2.1 file

Expected behavior

The expected behavior is that, when parsing a STIX 2.1 file, the name is treated as recommended, not required.

https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_s5l7katgbp09

Actual behavior

When trying to import the following file from CISA https://www.cisa.gov/sites/default/files/STIX/MAR-10443863.r1.v1.CLEAR_stix2.json this is the error provided

{"error": "'Malware' object has no attribute 'name'"}
  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 52, in _process_stix_file
    parser.parse_stix_bundle()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 203, in parse_stix_bundle
    getattr(self, feature)()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 570, in _parse_bundle_with_single_report
    self._handle_object_refs(report.object_refs)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 457, in _handle_object_refs
    self._handle_object(object_type, object_ref)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 472, in _handle_object
    parser(object_ref)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 461, in _parse_malware
    self._clusters[malware_ref] = self._parse_galaxy(malware_ref)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 311, in _parse_galaxy
    return getattr(self, feature)(stix_object, object_type)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 330, in _parse_galaxy_as_tag_names
    name = stix_object.name

Steps to reproduce

Login to MISP and import event, choose STIX2 and upload this file
https://www.cisa.gov/sites/default/files/STIX/MAR-10443863.r1.v1.CLEAR_stix2.json

Version

2.4.172

Python version

3.8.12

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request: Process Galaxy Sectors

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

Like countries and regions, sector galaxies can be processed using stix Identity objects.

stix2.Identity(
    name=value,
    description=description,
    identity_class="class",
)

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request: Convert STIX 2.1 "report" object into a MISP event report

Is your feature request related to a problem? Please describe.

Conversion of STIX 2.1 to MISP seems to drop STIX report objects. MISP event reports seem like a reasonable candidate for textual STIX report objects to be converted to.

Describe the solution you'd like

Components of STIX 2.1 report objects which can be represented in a MISP event report should be converted to MISP event reports.

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Support: Why generic description on SDOs?

Support Questions

Why is the library inserting a generic description in each SDO, followed by " | "? Why not put only the custom description and, if there is none, leave it none?

I'm referring to this kind of code:

        galaxy_args = {
            'id': object_id,
            'type': object_id.split('--')[0],
            'name': name,
            'description': f"{description} | {cluster['description']}",
            'labels': self._create_galaxy_labels(name, cluster),
            'interoperability': True
        }

MISP version

2.4.168

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

MISP to STIX2.1 converter bug with "email" MISP object and multiple "from" attributes

The email MISP object is documented as allowing multiple "from" attributes. If you try this using the observed-data translation (to_ids=False), the resulting STIX has some corruption. I think the bug is caused by the code not expecting multiple "from" values, though the template does allow it. I wonder if allowing multiple "from" attributes was intended? This may be a template bug.

Here is some test content:

{
    'Object': [
        {
            'Attribute': [
                {
                    'category': 'Payload delivery',
                    'object_relation': 'from',
                    'timestamp': '1623292141',
                    'to_ids': False,
                    'type': 'email-src',
                    'uuid': '479acca7-7435-4055-abda-4243690a9994',
                    'value': '[email protected]'
                },
                {
                    'category': 'Payload delivery',
                    'object_relation': 'from',
                    'timestamp': '1623292141',
                    'to_ids': False,
                    'type': 'email-src',
                    'uuid': '5c0a4e7f-620f-4a58-9f9b-ad20225375fb',
                    'value': '[email protected]'
                }
            ],
            'description': 'Description of email',
            'meta-category': 'network',
            'name': 'email',
            'template_uuid': 'a0c666e0-fc65-4be8-b48f-3423d788b552',
            'template_version': '15',
            'timestamp': '1623292141',
            'uuid': '1d4c1c1b-7263-4781-a9e2-f40a6b7cbd1a'
        }
    ],
    'Org': {
        'name': 'Generator org',
        'uuid': 'f73bf705-b0f4-4378-984b-0e3c6bd9acd6'
    },
    'Orgc': {
        'name': 'Creator org',
        'uuid': 'ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa'
    },
    'date': '2021-06-09',
    'info': 'Test event',
    'publish_timestamp': '1623292141',
    'published': False,
    'timestamp': '1623292141',
    'uuid': '7293357b-b441-44d1-9631-06355301ef56'
}

And here is the resulting STIX. Note the erroneous UUID in the value of the "x_misp_from" property of the email-message object.

{
    "type": "bundle",
    "id": "bundle--f251b26a-9dca-433e-b47f-477a47754060",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa",
            "created": "2021-06-10T02:29:01.000Z",
            "modified": "2021-06-10T02:29:01.000Z",
            "name": "Creator org",
            "identity_class": "organization"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--7293357b-b441-44d1-9631-06355301ef56",
            "created_by_ref": "identity--ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa",
            "created": "2021-06-10T02:29:01.000Z",
            "modified": "2021-06-10T02:29:01.000Z",
            "name": "Test event",
            "context": "suspicious-activity",
            "object_refs": [
                "observed-data--1d4c1c1b-7263-4781-a9e2-f40a6b7cbd1a",
                "email-message--fed4aeaa-4e82-5885-90a7-c81991ab9253",
                "email-addr--479acca7-7435-4055-abda-4243690a9994"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--1d4c1c1b-7263-4781-a9e2-f40a6b7cbd1a",
            "created_by_ref": "identity--ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa",
            "created": "2021-06-10T02:29:01.000Z",
            "modified": "2021-06-10T02:29:01.000Z",
            "first_observed": "2021-06-10T02:29:01Z",
            "last_observed": "2021-06-10T02:29:01Z",
            "number_observed": 1,
            "object_refs": [
                "email-message--fed4aeaa-4e82-5885-90a7-c81991ab9253",
                "email-addr--479acca7-7435-4055-abda-4243690a9994"
            ],
            "labels": [
                "misp:category=\"network\"",
                "misp:name=\"email\"",
                "misp:to_ids=\"False\""
            ]
        },
        {
            "type": "email-message",
            "spec_version": "2.1",
            "id": "email-message--fed4aeaa-4e82-5885-90a7-c81991ab9253",
            "is_multipart": true,
            "from_ref": "email-addr--479acca7-7435-4055-abda-4243690a9994",
            "x_misp_from": [
                "[email protected]",
                "5c0a4e7f-620f-4a58-9f9b-ad20225375fb"
            ]
        },
        {
            "type": "email-addr",
            "spec_version": "2.1",
            "id": "email-addr--479acca7-7435-4055-abda-4243690a9994",
            "value": "[email protected]"
        }
    ]
}
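A pre-sharing consistency check for an exported bundle, written for this issue as an added example (not code from misp-stix): it flags any `*_ref`/`*_refs` that does not resolve inside the bundle and any `x_misp_*` property holding a bare attribute UUID where a value belongs, which is exactly the corruption shown in `x_misp_from` above. The sample bundle is a trimmed, constructed copy of the one in the issue, with example.com addresses in place of the redacted ones.

```python
"""Lint a STIX 2.1 bundle produced by a MISP export before it is shared.

Added example, not code from misp-stix. Two checks, both motivated by the
issue above: reference integrity (every *_ref / *_refs resolves inside the
bundle, since a MISP export is self-contained) and value integrity (no
x_misp_* custom property carries a bare attribute UUID instead of a value).
"""
import re
from typing import Any, Dict, List

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def lint_bundle(bundle: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means the bundle is consistent."""
    objects = bundle.get("objects", [])
    known_ids = {obj["id"] for obj in objects if "id" in obj}
    findings: List[str] = []
    for obj in objects:
        oid = obj.get("id", "<no id>")
        for key, value in obj.items():
            # A reference that does not resolve means an object was dropped
            # (or, for shared identities, lives outside this bundle).
            if key.endswith("_ref"):
                if value not in known_ids:
                    findings.append(f"{oid}: dangling {key} -> {value}")
            elif key.endswith("_refs"):
                for ref in value:
                    if ref not in known_ids:
                        findings.append(f"{oid}: dangling {key} -> {ref}")
            # x_misp_* properties mirror MISP attribute values; an attribute
            # UUID in that position means the value itself was lost.
            elif key.startswith("x_misp_"):
                for item in value if isinstance(value, list) else [value]:
                    if isinstance(item, str) and UUID_RE.match(item):
                        findings.append(
                            f"{oid}: {key} holds attribute UUID {item} instead of a value"
                        )
    return findings


# Constructed sample: the objects from the issue above, trimmed to the
# relevant fields, with example.com addresses standing in for the real ones.
SAMPLE_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "id": "bundle--f251b26a-9dca-433e-b47f-477a47754060",
    "objects": [
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa",
         "name": "Creator org", "identity_class": "organization"},
        {"type": "observed-data", "spec_version": "2.1",
         "id": "observed-data--1d4c1c1b-7263-4781-a9e2-f40a6b7cbd1a",
         "created_by_ref": "identity--ce01c0dd-849f-407c-8ed4-5a5a5d6bbbfa",
         "number_observed": 1,
         "object_refs": ["email-message--fed4aeaa-4e82-5885-90a7-c81991ab9253",
                         "email-addr--479acca7-7435-4055-abda-4243690a9994"]},
        {"type": "email-message", "spec_version": "2.1",
         "id": "email-message--fed4aeaa-4e82-5885-90a7-c81991ab9253",
         "is_multipart": True,
         "from_ref": "email-addr--479acca7-7435-4055-abda-4243690a9994",
         # the second 'from' attribute came through as its UUID, not its address
         "x_misp_from": ["sender-one@example.com",
                         "5c0a4e7f-620f-4a58-9f9b-ad20225375fb"]},
        {"type": "email-addr", "spec_version": "2.1",
         "id": "email-addr--479acca7-7435-4055-abda-4243690a9994",
         "value": "sender-one@example.com"},
    ],
}

if __name__ == "__main__":
    for finding in lint_bundle(SAMPLE_BUNDLE):
        print(finding)
```

References to objects kept outside the bundle (a shared identity, a well-known TLP marking-definition) will also surface as dangling, so treat reference findings as warnings and UUID-as-value findings as errors.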

Bug: Relationship type between Observed Data and Attack Pattern

MISP-STIX usage

No response

Expected behavior

The relationship type between Observed Data and Attack Pattern should be related-to.

Actual behavior

The current relationship type between Observed Data and Attack Pattern is has.

Steps to reproduce

It happens with an attribute of category external analysis, type attachment, and with an Attack Patterns galaxy.

Screenshot from 2023-03-04 23-19-45

Version

2.4.168

Python version

3.10.9

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request: attribute parsing

Is your feature request related to a problem? Please describe.

I'm receiving a feed of MISP attributes via ZMQ and would like to parse them according to the mapping described in the documentation. I understand that I can parse events as follows:

from misp_stix_converter import MISPtoSTIX21Parser
parser21 = MISPtoSTIX21Parser()
parser21.parse_misp_event(event)

I was looking for the analogous parse_misp_attribute() function, which unfortunately doesn't exist. How should I proceed?

Describe the solution you'd like

It would be great to hear whether a parse_misp_attribute() function makes sense. Maybe it could parse attributes incrementally and the parser could accumulate state?

Or is subscribing to the attribute stream alone futile? I would like to emit a feed of STIX objects/bundles from the 0mq feed of attributes, with exactly the implementation of this library.

Describe alternatives you've considered

n/t

Additional context

n/t

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: converter fails to convert STIX directory object required and optional fields

MISP-STIX usage

Using the misp_stix_converter script to import STIX into MISP

Expected behavior

The converter was expected to generate a MISP file with the information from the STIX file. The data elements in the STIX file are not represented in the MISP file.

If the converter failed to process part or all of the file, then in normal mode we expected to see a warning about that instead of simply seeing a message about the successful conversion of the file.

Actual behavior

The conversion of a STIX file reported that it successfully processed the file and gave no warnings or indications that the data from the file had not been successfully processed. The file generated had none of the data items from the directory object that was in the STIX file.

When run in normal mode, no error or warning is provided and successful conversion is reported. See console output below:
The output of the converter is the following:
Successfully processed your file. Results available in:

  • misp-output/misp_183_from_directory_d.20240131_091545.json

And the resultant file contained the following contents (which did not include the path or the timestamps from the STIX file):
The resulting misp output has no information about the directory. See the misp provided as output below:
{
    "uuid": "fecaf84a-9648-4628-8e75-7ae4e713b3d1",
    "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
    "distribution": "0",
    "published": false
}

When run with the debug flag the following error is displayed:

Errors encountered during the STIX to MISP conversion process:

  • bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1
    • Error parsing the Observable object with id directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c: File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
      getattr(self.observable_object_parser, to_call)(object_id)
      File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 126, in _parse_directory_observable_object
      attributes = tuple(self._parse_directory_observable(directory))
      File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_converter.py", line 550, in _parse_directory_observable
      yield from self._populate_object_attributes(
      File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2converter.py", line 117, in _populate_object_attributes
      reference = f"{object_id} - {mapping['object_relation']}"
      'object_relation'

Steps to reproduce

misp_stix_converter import --version 2 -f ./stix-input/small_stix_directory.json --output_name ./misp-output/misp_from_small_stix_directory.json

where small_stix_directory.json contains the following:
{
    "type": "bundle",
    "id": "bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1",
    "objects": [
        {
            "type": "directory",
            "spec_version": "2.1",
            "path": "/policy/drop.pdf",
            "path_enc": "character",
            "ctime": "2021-07-17T05:07:53Z",
            "mtime": "2020-03-21T20:27:06Z",
            "atime": "2020-12-06T13:53:21Z",
            "id": "directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}

Version

2.4.183

Python version

3.9.9

Relevant log output

When run in normal mode, no error or warning is provided and successful conversion is reported.  See console output below: 
Successfully processed your file. Results available in:
 - misp-output/misp_183_from_directory_d.20240131_091545.json
When run with the debug flag the following error is displayed: 

Errors encountered during the STIX to MISP conversion process:
 - bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1
   - Error parsing the Observable object with id directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c:   File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
    getattr(self.observable_object_parser, to_call)(object_id)
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 126, in _parse_directory_observable_object
    attributes = tuple(self._parse_directory_observable(directory))
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_converter.py", line 550, in _parse_directory_observable
    yield from self._populate_object_attributes(
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2converter.py", line 117, in _populate_object_attributes
    reference = f"{object_id} - {mapping['object_relation']}"
'object_relation'

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
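The mutex, directory and domain-name issues above share one failure mode: the converter reports success while the observable's data never reaches the MISP event. The following post-conversion check is an added example (not code from misp-stix): it takes the key property of each STIX 2.1 SCO in the input bundle and looks for it among the attribute values of the MISP event written by the converter, so a silent drop fails a CI step instead of passing unnoticed. It assumes the converter output is a MISP event carrying `Attribute` and `Object[].Attribute` lists (optionally wrapped in an `Event` key); the sample bundle and the empty event are constructed from the mutex issue.

```python
"""Detect observables silently dropped by a STIX 2.1 -> MISP conversion.

Added example, not code from misp-stix. Assumption: the converter output is a
MISP event dict with optional "Attribute" and "Object" lists (each Object in
turn carrying "Attribute"), possibly wrapped in an "Event" key.
"""
from typing import Any, Dict, Iterator, List

# STIX 2.1 SCO type -> the property that must survive as a MISP attribute value.
KEY_PROPERTY = {
    "mutex": "name",
    "directory": "path",
    "domain-name": "value",
    "ipv4-addr": "value",
    "ipv6-addr": "value",
    "url": "value",
    "email-addr": "value",
}


def misp_values(event: Dict[str, Any]) -> Iterator[str]:
    """Yield every attribute value in the event, top-level and inside objects."""
    event = event.get("Event", event)
    for attr in event.get("Attribute", []):
        yield str(attr.get("value", ""))
    for obj in event.get("Object", []):
        for attr in obj.get("Attribute", []):
            yield str(attr.get("value", ""))


def find_dropped_observables(bundle: Dict[str, Any],
                             event: Dict[str, Any]) -> List[str]:
    """Return one line per SCO whose key property is absent from the MISP output."""
    present = set(misp_values(event))
    dropped: List[str] = []
    for obj in bundle.get("objects", []):
        prop = KEY_PROPERTY.get(obj.get("type", ""))
        if prop is None:
            continue  # SDOs, markings, relationships: not covered by this check
        value = obj.get(prop)
        if value is None:
            dropped.append(f"{obj['id']}: input object lacks '{prop}'")
        elif str(value) not in present:
            dropped.append(f"{obj['id']}: {prop}={value!r} missing from MISP output")
    return dropped


# Constructed from the mutex issue above: the input bundle and the event the
# converter actually produced (which carries no attributes at all).
MUTEX_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "id": "bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087",
    "objects": [
        {"type": "mutex", "spec_version": "2.1", "name": "well",
         "id": "mutex--548231ca-70ea-4c33-b3ad-0f7985d46587"},
        {"type": "marking-definition", "spec_version": "2.1",
         "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
         "definition_type": "tlp", "name": "TLP:WHITE",
         "definition": {"tlp": "white"}},
    ],
}
EMPTY_EVENT: Dict[str, Any] = {
    "uuid": "a5a9cc35-7b62-4924-ba29-14e9c4d92087",
    "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
    "distribution": "0",
    "published": False,
}
# What a correct conversion would have to contain for the check to pass.
FIXED_EVENT: Dict[str, Any] = {
    "Event": {**EMPTY_EVENT,
              "Attribute": [{"type": "mutex", "category": "Artifacts dropped",
                             "value": "well"}]},
}

if __name__ == "__main__":
    for line in find_dropped_observables(MUTEX_BUNDLE, EMPTY_EVENT):
        print(line)
```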

Bug: crashing with ExtraPropertiesError

MISP-STIX usage

Parsing attributes and events from the 0mq feed.

Expected behavior

I can invoke MISPtoSTIX21Parser.parse_misp_event without crashing

Actual behavior

I'm getting an exception:

stix2.exceptions.ExtraPropertiesError: Unexpected properties for Identity: (interoperability).

Steps to reproduce

See the example JSON of the MISP Event that travels via 0mq at the beginning. All I'm doing is invoking parse_misp_event.

This is the JSON going into parse_misp_event that caused the crash:

{'id': '1', 'orgc_id': '1', 'org_id': '1', 'date': '2022-07-06', 'threat_level_id': '1', 'info': 'Test', 'published': False, 'uuid': '7303f304-e8f1-4318-94f3-4df43a77f0b3', 'attribute_count': '1', 'analysis': '0', 'timestamp': '1657180174', 'distribution': '1', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '0', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': '[email protected]', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '968006a7-7aab-4b3e-a272-272feac190ae', 'local': True}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '968006a7-7aab-4b3e-a272-272feac190ae', 'local': True}, 'Attribute': [{'id': '1', 'type': 'ip-src', 'category': 'Network activity', 'to_ids': True, 'uuid': 'd4e1e06c-df1a-4171-a288-3488c6c6b115', 'event_id': '1', 'distribution': '5', 'timestamp': '1657180174', 'comment': '', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'first_seen': None, 'last_seen': None, 'value': '1.2.3.4', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [], 'Galaxy': [], 'Object': [], 'EventReport': []}

Version

2.4.145

Python version

3.9.13

Relevant log output

This stacktrace:


DEBUG:MISP:polling 0mq socket
DEBUG:MISP:polling 0mq socket
DEBUG:MISP:polling 0mq socket
DEBUG:MISP:{'Event': {'id': '1', 'orgc_id': '1', 'org_id': '1', 'date': '2022-07-06', 'threat_level_id': '1', 'info': 'Test', 'published': False, 'uuid': '7303f304-e8f1-4318-94f3-4df43a77f0b3', 'attribute_count': '1', 'analysis': '0', 'timestamp': '1657136660', 'distribution': '1', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '0', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': '[email protected]', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '968006a7-7aab-4b3e-a272-272feac190ae', 'local': True}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '968006a7-7aab-4b3e-a272-272feac190ae', 'local': True}, 'Attribute': [{'id': '1', 'type': 'ip-src', 'category': 'Network activity', 'to_ids': True, 'uuid': 'd4e1e06c-df1a-4171-a288-3488c6c6b115', 'event_id': '1', 'distribution': '5', 'timestamp': '1657136660', 'comment': '', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'first_seen': None, 'last_seen': None, 'value': '1.2.3.4', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [], 'Galaxy': [], 'Object': [], 'EventReport': []}}
Traceback (most recent call last):
  File "/Users/mavam/code/tenzir/vast-review/fabric/main.py", line 21, in <module>
    asyncio.run(main())
  File "/opt/homebrew/Cellar/[email protected]/3.9.13_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/opt/homebrew/Cellar/[email protected]/3.9.13_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 647, in run_until_complete
    return future.result()
  File "/Users/mavam/code/tenzir/vast-review/fabric/main.py", line 18, in main
    await misp_task
  File "/Users/mavam/code/tenzir/vast-review/fabric/apps/misp.py", line 72, in start
    await misp.run()
  File "/Users/mavam/code/tenzir/vast-review/fabric/apps/misp.py", line 48, in run
    stix = self.stix_parser.parse_misp_event(event)
  File "/Users/mavam/code/tenzir/vast-review/fabric/env/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 81, in parse_misp_event
    self._parse_misp_event(misp_event)
  File "/Users/mavam/code/tenzir/vast-review/fabric/env/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 91, in _parse_misp_event
    self._set_identity()
  File "/Users/mavam/code/tenzir/vast-review/fabric/env/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 2415, in _set_identity
    identity = self._create_identity_object(orgc['name'])
  File "/Users/mavam/code/tenzir/vast-review/fabric/env/lib/python3.9/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 1269, in _create_identity_object
    return Identity(**identity_args)
  File "/Users/mavam/code/tenzir/vast-review/fabric/env/lib/python3.9/site-packages/stix2/base.py", line 157, in __init__
    raise ExtraPropertiesError(cls, custom_kwargs)
stix2.exceptions.ExtraPropertiesError: Unexpected properties for Identity: (interoperability).

Extra attachments

n/t

Code of Conduct

  • I agree to follow this project's Code of Conduct

MISP to STIX 2.1 converter defines custom STIX types incorrectly

The custom STIX 2.1 types (and others too) are declared with unnecessary extra properties. The @CustomObject decorator implementation supplies definitions for many standard properties, so you shouldn't define those yourself. Some of the properties MISP defines unnecessarily have the wrong definitions anyway. E.g. the id property should use IDProperty, which is designed for that purpose.

(The decorator implementation should probably warn you if you define a property whose name conflicts with one it defines for you, but it doesn't do that right now.)

Feature Request: Include phishing object

Is your feature request related to a problem? Please describe.

Currently the URLs in a phishing object are not converted to an indicator.

Describe the solution you'd like

Use URLs in phishing object as indicators

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Feature Request:

Is your feature request related to a problem? Please describe.

The misp-stix utilizes misp-lib-stix2, a fork derived from the stix2 project. Challenges arise when concurrently employing pymisp, which relies on the official stix2 package. Notably, conflicts emerge due to the identical naming of the stix2 module in both misp-stix and pymisp.

Describe the solution you'd like

In order to address the naming conflicts, I propose updating the stix2 module to misp_lib_stix2. This adjustment has been formalized through a pull request, which can be reviewed at PR #3 within the misp-lib-stix2 repository. Once this modification is merged, I intend to submit a subsequent pull request for misp-stix, ensuring compatibility with the refined module name, misp_lib_stix2. This solution aims to harmonize the integration of both packages seamlessly. Your consideration of this proposed resolution is greatly appreciated.

Describe alternatives you've considered

No response

Additional context

Let me know if we can take any other way.

Code of Conduct

  • I agree to follow this project's Code of Conduct

MISP to STIX2.1 converter doesn't ensure proper escaping in pattern string constants

In many places, STIX patterns are created via direct concatenation or interpolation (inserting values directly into strings). Where pattern string constants are concerned, this runs the risk of obtaining an invalid pattern due to improper escaping. In string constants, single quotes and backslashes must be escaped. Below is example content with a filename attribute which produces an error because the name includes a single quote. It results in a pattern like [file:name = 'eat at joe's'], which is invalid. (It is legal to have single quotes in filenames on Windows, for example.) I saw there is some special case escaping when handling Windows registry keys (due to their backslashes). For safety's sake, all values destined to be used as pattern string constants should probably be run through an escaping routine to ensure there are no errors.

{
    'Org': {
        'name': 'Generator org',
        'uuid': '356e6202-335e-4eec-94f2-784a76e2b5aa'
    },
    'Orgc': {
        'name': 'Creator org',
        'uuid': '37374e80-1eee-4ee7-8e6a-c250ee7c59ed'
    },
    'date': '2021-05-26',
    'info': 'Test event',
    'publish_timestamp': '1622074905',
    'published': False,
    'timestamp': '1622074905',
    'uuid': '68ed9741-1f47-4883-a142-5ae50f298200',
    'Attribute': [
        {
            'category': 'Payload delivery',
            'last_seen': '2021-05-27T00:21:46.000000',
            'timestamp': '1622074905',
            'to_ids': True,
            'type': 'filename',
            'uuid': 'e688adbb-2b48-454c-a52f-ca4654c47b5f',
            'value': "eat at joe's"
        }
    ]
}
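The escaping the report asks for, as an added example that is not misp-stix's own code: backslashes and single quotes are escaped before a value is interpolated into a pattern string constant, and a small scanner shows why the unescaped filename above does not lex as a single constant. The `object_path` regex and the helper names are this example's own assumptions.

```python
import re

# Added example (not misp-stix code): escape values destined for STIX 2.1
# pattern string constants, and check that the resulting pattern lexes cleanly.


def escape_pattern_constant(value: str) -> str:
    """Escape backslashes first, then single quotes, as the pattern grammar requires."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_comparison(object_path: str, value: str) -> str:
    """Build one comparison expression such as [file:name = '...'] safely."""
    return f"[{object_path} = '{escape_pattern_constant(value)}']"


def naive_comparison(object_path: str, value: str) -> str:
    """The unsafe interpolation the report describes: no escaping at all."""
    return f"[{object_path} = '{value}']"


def _scan_constant(text: str, start: int):
    """Scan a quoted constant beginning at text[start] == "'".

    A backslash escapes the next character; an unescaped quote terminates the
    constant. Returns (decoded value, index just past the closing quote).
    """
    out, i = [], start + 1
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash")
            out.append(text[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string constant")


_PREFIX = re.compile(r"^\[([a-z0-9_-]+:[A-Za-z0-9_.:\[\]*'-]+) = ")


def decode_comparison(pattern: str):
    """Return (object_path, value) when pattern is exactly one well-formed
    [path = 'constant'] expression, else None (trailing junk or bad escape)."""
    m = _PREFIX.match(pattern)
    if not m:
        return None
    try:
        value, end = _scan_constant(pattern, m.end())
    except ValueError:
        return None
    return (m.group(1), value) if pattern[end:] == "]" else None
```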

Bug: Could not convert provided STIX file to MISP

MISP-STIX usage

No response

Expected behavior

The indicator in the provided STIX file contains these labels.

"labels": [
  "misp:type=\"sha256\"",
  "misp:category=\"Payload delivery\"",
  "misp:to_ids=\"True\"",
  "Play"
]

Actual behavior

The error "not enough values to unpack (expected 2, got 1)" is shown by the MISP interface and this backtrace is logged to the exec error log.

  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 63, in _process_stix_file
    parser.parse_stix_bundle()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 225, in parse_stix_bundle
    getattr(self, feature)()
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 572, in _parse_bundle_with_single_report
    self._handle_object_refs(report.object_refs)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/internal_stix2_to_misp.py", line 189, in _handle_object_refs
    self._handle_object(object_type, object_ref)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/stix2_to_misp.py", line 484, in _handle_object
    parser(object_ref)
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/internal_stix2_to_misp.py", line 307, in _parse_indicator
    feature = self._handle_indicator_object_mapping(
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/internal_stix2_to_misp.py", line 148, in _handle_indicator_object_mapping
    parsed_labels = {
                    ^
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/stix2misp/internal_stix2_to_misp.py", line 149, in <dictcomp>
    key: value.strip('"') for key, value
                              ^^^^^^^^^^

Steps to reproduce

Try to convert STIX file with label "Play" to MISP.

Version

2.4.180

Python version

3.11

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
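The failure above comes from unpacking every label into a `key, value` pair, which a plain label such as "Play" cannot satisfy. As an added example that is not misp-stix's own code (only the one dict comprehension line is visible in the traceback, so the naive version below is a reconstruction), this parser keeps the `misp:key="value"` fields and sets any other label aside instead of crashing.

```python
# Added example (not misp-stix code): parse the misp:key="value" labels that
# MISP puts on exported indicators, tolerating labels that carry no "=".

MISP_LABEL_PREFIX = "misp:"

# Constructed sample, copied from the labels quoted in the report.
SAMPLE_LABELS = [
    'misp:type="sha256"',
    'misp:category="Payload delivery"',
    'misp:to_ids="True"',
    "Play",
]


def parse_labels_naive(labels):
    """Reconstruction of the failing shape: one label without '=' makes the
    2-tuple unpacking raise ValueError (expected 2, got 1)."""
    return {
        key: value.strip('"')
        for key, value in (label.split("=") for label in labels)
    }


def parse_labels(labels):
    """Split labels into MISP attribute fields and any remaining tags.

    Only labels with the misp: prefix and an '=' become fields; the split is
    on the first '=' only, so a value may itself contain '='. to_ids is
    normalised to a bool because MISP serialises it as the string "True".
    """
    fields, tags = {}, []
    for label in labels:
        if label.startswith(MISP_LABEL_PREFIX) and "=" in label:
            key, value = label[len(MISP_LABEL_PREFIX):].split("=", 1)
            fields[key] = value.strip('"')
        else:
            tags.append(label)
    if "to_ids" in fields:
        fields["to_ids"] = fields["to_ids"].lower() == "true"
    return fields, tags
```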

Support: how do I convert a Sighting SRO into a MISP object

Support Questions

My use case is as follows. I have a valid instance of a stix2.Sighting object that I'd like to ultimately pass to a PyMISP instance via misp.add_sighting(...). What's the API for that?

I saw there is a class STIX2toMISPParser, but it seems to accept a STIX Bundle, or something else I don't have. Should I wrap my sighting into a STIX Bundle?

My user expectation was: I can call some function convert that takes a given STIX2 object and Does The Right thing in terms of conversion to MISP Object, Event, or Attribute (perhaps with hints).

Code of Conduct

  • I agree to follow this project's Code of Conduct

Bug: tuple indices must be integers or slices, not str

MISP-STIX usage

Python script

Expected behavior

It should convert the MISP event to STIX objects.

Actual behavior

Case 1:
event.json file content link: https://www.circl.lu/doc/misp/feed-osint/1d87d97f-b67b-499e-b9c2-3b096c949f81.json

AtLeastOnePropertyError(
stix2.exceptions.AtLeastOnePropertyError: At least one of the (child_refs, command_line, created_time, creator_user_ref, cwd, environment_variables, granular_markings, image_ref, is_hidden, object_marking_refs, opened_connection_refs, parent_ref, pid) properties for Process must be populated.

Case 2:
event.json file content link: https://www.circl.lu/doc/misp/feed-osint/0e887f03-5aa2-4a7b-b0f7-66208c6c657b.json

TypeError: tuple indices must be integers or slices, not str

Steps to reproduce

from misp_stix_converter import MISPtoSTIX21Parser, misp_to_stix2_1

response_21 = misp_to_stix2_1("event.json")
print(response_21)

Version

2.4.161

Python version

3.8

Relevant log output

**Case 1:**

Traceback (most recent call last):
  File "test11.py", line 3744, in <module>
    response_21 = misp_to_stix2_1("event.json")
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp_stix_converter.py", line 422, in misp_to_stix2_1
    parser.parse_json_content(filename)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 59, in parse_json_content
    self.parse_misp_event(json_content)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 94, in parse_misp_event
    self._parse_misp_event(misp_event)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 104, in _parse_misp_event
    self._parse_event_data()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 98, in _parse_event_data
    self._handle_attributes_and_objects()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 120, in _handle_attributes_and_objects
    self._resolve_objects()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 781, in _resolve_objects
    getattr(self, self._mapping.objects_mapping[object_name])(misp_object)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 1219, in _parse_process_object
    objects.insert(0, Process(**process_args))
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/v21/base.py", line 15, in __init__
    super(_Observable, self).__init__(**kwargs)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/base.py", line 390, in __init__
    super(_Observable, self).__init__(**kwargs)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/base.py", line 241, in __init__
    self._check_object_constraints()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/v21/observables.py", line 659, in _check_object_constraints
    raise enclosing_exc
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/v21/observables.py", line 654, in _check_object_constraints
    self._check_at_least_one_property()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/stix2/base.py", line 99, in _check_at_least_one_property
    raise AtLeastOnePropertyError(
stix2.exceptions.AtLeastOnePropertyError: At least one of the (child_refs, command_line, created_time, creator_user_ref, cwd, environment_variables, granular_markings, image_ref, is_hidden, object_marking_refs, opened_connection_refs, parent_ref, pid) properties for Process must be populated.


**Case 2:**


Traceback (most recent call last):
  File "test11.py", line 3744, in <module>
    response_21 = misp_to_stix2_1("event.json")
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp_stix_converter.py", line 422, in misp_to_stix2_1
    parser.parse_json_content(filename)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 59, in parse_json_content
    self.parse_misp_event(json_content)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 94, in parse_misp_event
    self._parse_misp_event(misp_event)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 104, in _parse_misp_event
    self._parse_event_data()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 98, in _parse_event_data
    self._handle_attributes_and_objects()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix21.py", line 122, in _handle_attributes_and_objects
    self._resolve_objects_to_parse()
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 1976, in _resolve_objects_to_parse
    self._parse_custom_object(misp_object)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 1153, in _parse_custom_object
    custom_id = getattr(self, self._id_parsing_function['object'])('x-misp-object', misp_object)
  File "/home/chandra/test/PythonTestCode/venv/lib/python3.8/site-packages/misp_stix_converter/misp2stix/misp_to_stix2.py", line 109, in _define_stix_object_id
    return f"{feature}--{misp_object['uuid']}"
TypeError: tuple indices must be integers or slices, not str

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
