Merge pull request #282 from oasis-open/fix-hostname-again

fixing hostname condition again
oasis-open · Feb 3, 2022 · 08f8f08 · 08f8f08
2 parents 49e55fe + 0580a23
commit 08f8f08
Show file tree

Hide file tree

Showing 12 changed files with 107 additions and 16 deletions.
diff --git a/docs/stix-mappings.rst b/docs/stix-mappings.rst
@@ -167,11 +167,11 @@ In STIX 1.x, an ``id`` contained a "namespace".  This was deemed unnecessary in
 - Kill Chains
 
     In STIX 1.x, kill chains, with their phases, were defined using the ``KillChainType``, which is found in the ``Kill_Chains`` property of
-    a ``TTP``.  These kill chains phases were refered to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties.  In
+    a ``TTP``.  These kill chains phases were referred to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties.  In
     STIX 2.x, kill chains and their phases are not explicitly defined, but are referenced using their common names.
 
     If the Lockheed Martin Cyber Kill Chain™ is used the ``kill_chain_name`` property must be ``lockheed-martin-cyber-kill-chain``,
-    according to the specification.
+    according to the specification and the STIX 1.x ids used should be the ones defined in  https://stix.mitre.org/language/version1.2/stix_v1.2_lmco_killchain.xml
 
 
 **STIX 1.x Properties Mapped Using STIX 2.x Relationships**

diff --git a/docs/warnings.rst b/docs/warnings.rst
@@ -177,6 +177,7 @@ Required property *property* is not provided for ACS data marking
 ACS identifier *identifier* is not valid                                                                                                    643     warn
 Observable object from pattern cannot be an observed_data_ref of a sighting. See *id*                                                       644     warn
 Only one of the properties: Hostname and IP_Address  is allowed.  Dropping Hostname *name*                                                  645     warn
+Exploit targets are part of STIX 1x TTP *id*.  Assuming they are related                                                                    646     warn
 =========================================================================================================================================== ====    =====
 
 STIX Elevator conversion based on assumptions

diff --git a/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json b/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json
@@ -9,9 +9,21 @@
             ],
             "modified": "2017-03-29T15:21:52.293Z",
             "name": "A Network Connection example",
-          "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
+            "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "labels": [
+                "unknown"
+            ],
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "spec_version": "2.0",

diff --git a/idioms-json-2.0/observable-with-networkconnection-pattern.json b/idioms-json-2.0/observable-with-networkconnection-pattern.json
@@ -12,6 +12,18 @@
             "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "labels": [
+                "unknown"
+            ],
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "spec_version": "2.0",

diff --git a/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json b/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
       "spec_version": "2.1",
       "type": "indicator",
       "valid_from": "2017-03-29T15:21:52.293788Z"
+    },
+    {
+        "created": "2022-01-26T14:20:09.453Z",
+        "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+        "modified": "2022-01-26T14:20:09.453Z",
+        "name": "A Network Connection example",
+        "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+        "pattern_type": "stix",
+        "spec_version": "2.1",
+        "type": "indicator",
+        "valid_from": "2022-01-26T14:20:09.453Z"
     }
   ],
   "type": "bundle"

diff --git a/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json b/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2020-12-30T16:03:22.477Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"

diff --git a/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json b/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2021-04-27T21:09:06.827Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"

diff --git a/idioms-json-2.1/observable-with-networkconnection-pattern.json b/idioms-json-2.1/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
       "spec_version": "2.1",
       "type": "indicator",
       "valid_from": "2017-03-29T15:21:52.293788Z"
+    },
+    {
+        "created": "2022-01-26T14:20:09.453Z",
+        "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+        "modified": "2022-01-26T14:20:09.453Z",
+        "name": "A Network Connection example",
+        "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+        "pattern_type": "stix",
+        "spec_version": "2.1",
+        "type": "indicator",
+        "valid_from": "2022-01-26T14:20:09.453Z"
     }
   ],
   "type": "bundle"

diff --git a/idioms-xml/observable-with-networkconnection-pattern.xml b/idioms-xml/observable-with-networkconnection-pattern.xml
@@ -45,6 +45,25 @@
                     </cybox:Properties>
                 </cybox:Object>
             </indicator:Observable>
-            </stix:Indicator>
+        </stix:Indicator>
+        <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-a9000990-7075-49c0-b789-3dc34f0a6f27">
+            <indicator:Title>A Network Connection example</indicator:Title>
+            <indicator:Observable id="example:Observable-ef1c249f-94c1-4159-be25-9849be93d68c">
+                <cybox:Description>
+                    This Observable specifies an example pattern written against a Network Connection Object,
+                    specifically the Layer 3 and 4 Protocols and Destination Socket IP Address and Port.
+                </cybox:Description>
+                <cybox:Object id="example:Object-4fb853bf-52af-484e-aff9-696ce401537b">
+                    <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
+                        <NetworkConnectionObj:Source_Socket_Address>
+                            <SocketAddressObj:Hostname>
+                                <HostnameObj:Hostname_Value condition="Equals">another_example.com</HostnameObj:Hostname_Value>
+                                <HostnameObj:Naming_System>DNS</HostnameObj:Naming_System>
+                            </SocketAddressObj:Hostname>
+                        </NetworkConnectionObj:Source_Socket_Address>
+                    </cybox:Properties>
+                </cybox:Object>
+            </indicator:Observable>
+        </stix:Indicator>
     </stix:Indicators>
 </stix:STIX_Package>
diff --git a/stix2elevator/convert_pattern.py b/stix2elevator/convert_pattern.py
@@ -2040,7 +2040,7 @@ def convert_socket_address_to_pattern(sock_add, direction):
               any(x.value == "DNS" for x in sock_add.hostname.naming_system)):
             expressions.append(
                 create_term("network-traffic:" + direction + "_ref.value",
-                            sock_add.hostname.condition,
+                            sock_add.hostname.hostname_value.condition,
                             make_constant(sock_add.hostname.hostname_value.value)))
     return expressions
 

diff --git a/stix2elevator/convert_stix.py b/stix2elevator/convert_stix.py
@@ -733,20 +733,20 @@ def handle_existing_ref(stix1_relationship, ref1, ref2, env, default_verb, to_di
     )
 
 
-def handle_existing_refs(ref, id, env, verb, to_direction, marking_refs):
+def handle_existing_refs(ref, id_, env, verb, to_direction, marking_refs):
     for ref_id in get_id_value(ref.item.idref):
-        handle_existing_ref(ref, ref_id, id, env, verb, to_direction, marking_refs)
+        handle_existing_ref(ref, ref_id, id_, env, verb, to_direction, marking_refs)
 
 
-def handle_relationship_ref(ref, item, id, env, default_verb, to_direction=True, marking_refs=None):
+def handle_relationship_ref(ref, item, id_, env, default_verb, to_direction=True, marking_refs=None):
     if item.idref is None:
-        handle_embedded_ref(ref, item, id, env, default_verb, to_direction, marking_refs)
+        handle_embedded_ref(ref, item, id_, env, default_verb, to_direction, marking_refs)
     elif exists_id_key(item.idref):
-        handle_existing_refs(ref, id, env, default_verb, to_direction, marking_refs)
+        handle_existing_refs(ref, id_, env, default_verb, to_direction, marking_refs)
     else:
         # a forward reference, fix later
-        source_id = id if to_direction else item.idref
-        target_id = str(item.idref) if to_direction else id
+        source_id = id_ if to_direction else item.idref
+        target_id = str(item.idref) if to_direction else id_
         rel_obj = create_relationship(source_id, target_id, env, default_verb, item, marking_refs)
         if hasattr(ref, "relationship") and ref.relationship is not None:
             rel_obj["description"] = ref.relationship.value
@@ -2266,6 +2266,9 @@ def process_ttp_properties(sdo_instance, ttp, env, kill_chains_in_sdo=True, mark
     ttp_created_by_ref = process_information_source(ttp.information_source, sdo_instance, env)
     env.add_to_env(created_by_ref=ttp_created_by_ref)
     if ttp.exploit_targets is not None:
+        warn("Exploit targets are part of STIX 1x %s.  Assuming they are related.",
+             646,
+             "TTP" + (" " + ttp.id_ if hasattr(ttp,"id_") else ""))
         handle_relationship_to_refs(ttp.exploit_targets, sdo_instance["id"], env,
                                     "targets", marking_refs=marking_refs)
     if ttp.related_ttps:
@@ -2360,9 +2363,9 @@ def convert_malware_instance(mal, ttp, env, ttp_id_used):
                      malware_instance_instance["id"],
                      malware_instance_instance["name"],
                      alias_name)
-    if mal.title is not None:
-        if "name" not in malware_instance_instance:
-            malware_instance_instance["name"] = mal.title
+    elif mal.title is not None:
+        malware_instance_instance["name"] = mal.title
+    # name is optional in STIX 2.x, so don't try to generate a placeholder
     if aliases:
         malware_instance_instance["aliases"] = aliases
     process_description_and_short_description(malware_instance_instance, mal)

diff --git a/stix2elevator/options.py b/stix2elevator/options.py
@@ -336,7 +336,7 @@ def msg_id_enabled(msg_id):
                601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613,
                614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626,
                627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639,
-               640, 641, 642, 643, 644, 645,
+               640, 641, 642, 643, 644, 645, 646,
 
                701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713,
                714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726,