From 57c93f1d681f1cadc853d9a9127f435c65fcddc8 Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Wed, 26 Jan 2022 13:23:00 -0500
Subject: [PATCH 1/3] fixing hostname condition again
---
 stix2elevator/convert_pattern.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stix2elevator/convert_pattern.py b/stix2elevator/convert_pattern.py
index ded83c9f..e86e825a 100644
--- a/stix2elevator/convert_pattern.py
+++ b/stix2elevator/convert_pattern.py
@@ -2040,7 +2040,7 @@ def convert_socket_address_to_pattern(sock_add, direction):
                     any(x.value == "DNS" for x in sock_add.hostname.naming_system)):
                 expressions.append(
                     create_term("network-traffic:" + direction + "_ref.value",
-                                sock_add.hostname.condition,
+                                sock_add.hostname.hostname_value.condition,
                                 make_constant(sock_add.hostname.hostname_value.value)))
     return expressions
 
From f46545c5bfec66a1b1b8f3bbebf56bb2226debdd Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Wed, 26 Jan 2022 14:39:27 -0500
Subject: [PATCH 2/3] added test cases
---
 ...rvable-with-networkconnection-pattern.json | 14 ++++++++++++-
 ...rvable-with-networkconnection-pattern.json | 12 +++++++++++
 ...rvable-with-networkconnection-pattern.json | 11 ++++++++++
 ...rvable-with-networkconnection-pattern.json | 11 ++++++++++
 ...rvable-with-networkconnection-pattern.json | 11 ++++++++++
 ...rvable-with-networkconnection-pattern.json | 11 ++++++++++
 ...ervable-with-networkconnection-pattern.xml | 21 ++++++++++++++++++-
 7 files changed, 89 insertions(+), 2 deletions(-)
diff --git a/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json b/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json
index 4310bdf3..01166717 100644
--- a/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.0-custom/observable-with-networkconnection-pattern.json
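Review bot: The corrected line `sock_add.hostname.hostname_value.condition` reads the operator from the same CybOX `hostname_value` object that `make_constant(sock_add.hostname.hostname_value.value)` on the next line already dereferences, so it introduces no new None-dereference risk, but nothing in this series pins that the operator is actually taken from there. The fixture added in the following patch only exercises the default operator (`network-traffic:src_ref.value = 'another_example.com'`), which would also pass if the condition were ignored; a second hostname carrying an explicit condition such as `Contains` or `StartsWith` would make the fix observable in the expected pattern. It is also worth confirming that `create_term` maps an absent condition (`None`) to `=`, since Equals is the CybOX default — the new fixture's output suggests it does. `convert_socket_address_to_pattern` starts outside the hunk; only the DNS-hostname branch and the final `return expressions` are visible.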
@@ -9,9 +9,21 @@
             ],
             "modified": "2017-03-29T15:21:52.293Z",
             "name": "A Network Connection example",
-            "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
+            "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "labels": [
+                "unknown"
+            ],
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "spec_version": "2.0",
diff --git a/idioms-json-2.0/observable-with-networkconnection-pattern.json b/idioms-json-2.0/observable-with-networkconnection-pattern.json
index 64786647..01166717 100644
--- a/idioms-json-2.0/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.0/observable-with-networkconnection-pattern.json
@@ -12,6 +12,18 @@
             "pattern": "[network-traffic:protocols[*] = 'ipv4' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:src_port = 5255 AND network-traffic:src_ref.value = 'example.com' AND network-traffic:dst_port INVALID-CONDITION 80 AND network-traffic:dst_ref.value MATCHES '^198.49']",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "labels": [
+                "unknown"
+            ],
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "spec_version": "2.0",
diff --git a/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json b/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json
index 4a8245fb..0142c383 100644
--- a/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.1-custom/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"
diff --git a/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json b/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json
index a82c7cf9..b1f892c6 100644
--- a/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.1-extensions/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2020-12-30T16:03:22.477Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"
diff --git a/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json b/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json
index 0e5c1b1e..eef9fab5 100644
--- a/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.1-ignore/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2021-04-27T21:09:06.827Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"
diff --git a/idioms-json-2.1/observable-with-networkconnection-pattern.json b/idioms-json-2.1/observable-with-networkconnection-pattern.json
index 4a8245fb..0142c383 100644
--- a/idioms-json-2.1/observable-with-networkconnection-pattern.json
+++ b/idioms-json-2.1/observable-with-networkconnection-pattern.json
@@ -11,6 +11,17 @@
             "spec_version": "2.1",
             "type": "indicator",
             "valid_from": "2017-03-29T15:21:52.293788Z"
+        },
+        {
+            "created": "2022-01-26T14:20:09.453Z",
+            "id": "indicator--a9000990-7075-49c0-b789-3dc34f0a6f27",
+            "modified": "2022-01-26T14:20:09.453Z",
+            "name": "A Network Connection example",
+            "pattern": "[network-traffic:src_ref.value = 'another_example.com']",
+            "pattern_type": "stix",
+            "spec_version": "2.1",
+            "type": "indicator",
+            "valid_from": "2022-01-26T14:20:09.453Z"
         }
     ],
     "type": "bundle"
diff --git a/idioms-xml/observable-with-networkconnection-pattern.xml b/idioms-xml/observable-with-networkconnection-pattern.xml
index 9a05a5f6..a065271a 100644
--- a/idioms-xml/observable-with-networkconnection-pattern.xml
+++ b/idioms-xml/observable-with-networkconnection-pattern.xml
@@ -45,6 +45,25 @@ - + + + A Network Connection example + + + This Observable specifies an example pattern written against a Network Connection Object, + specifically the Layer 3 and 4 Protocols and Destination Socket IP Address and Port. + + + + + + another_example.com + DNS + + + + + + 
From 0580a23dbf59fbc5690cae28f54002924ad626b3 Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Wed, 2 Feb 2022 15:47:19 -0500
Subject: [PATCH 3/3] minor corrections
---
 docs/stix-mappings.rst | 4 ++--
 docs/warnings.rst | 1 +
 stix2elevator/convert_stix.py | 23 +++++++++++++----------
 stix2elevator/options.py | 2 +-
 4 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/docs/stix-mappings.rst b/docs/stix-mappings.rst
index c7b18dec..37d64b53 100644
--- a/docs/stix-mappings.rst
+++ b/docs/stix-mappings.rst
@@ -167,11 +167,11 @@ In STIX 1.x, an ``id`` contained a "namespace". This was deemed unnecessary in - Kill Chains In STIX 1.x, kill chains, with their phases, were defined using the ``KillChainType``, which is found in the ``Kill_Chains`` property of - a ``TTP``. These kill chains phases were refered to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties. In + a ``TTP``. These kill chains phases were referred to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties. In STIX 2.x, kill chains and their phases are not explicitly defined, but are referenced using their common names. If the Lockheed Martin Cyber Kill Chain™ is used the ``kill_chain_name`` property must be ``lockheed-martin-cyber-kill-chain``, - according to the specification. + according to the specification and the STIX 1.x ids used should be the ones defined in https://stix.mitre.org/language/version1.2/stix_v1.2_lmco_killchain.xml **STIX 1.x Properties Mapped Using STIX 2.x Relationships** diff --git a/docs/warnings.rst b/docs/warnings.rst index 818c7324..3f2fcab3 100644 --- a/docs/warnings.rst +++ b/docs/warnings.rst @@ -177,6 +177,7 @@ Required property *property* is not provided for ACS data marking ACS identifier *identifier* is not valid 643 warn Observable object from pattern cannot be an observed_data_ref of a sighting. See *id* 644 warn Only one of the properties: Hostname and IP_Address is allowed. Dropping Hostname *name* 645 warn +Exploit targets are part of STIX 1x TTP *id*. Assuming they are related 646 warn =========================================================================================================================================== ==== ===== STIX Elevator conversion based on assumptions diff --git a/stix2elevator/convert_stix.py b/stix2elevator/convert_stix.py index 203d070a..e51aa445 100644 --- a/stix2elevator/convert_stix.py +++ b/stix2elevator/convert_stix.py 
@@ -733,20 +733,20 @@ def handle_existing_ref(stix1_relationship, ref1, ref2, env, default_verb, to_di
     )
 
 
-def handle_existing_refs(ref, id, env, verb, to_direction, marking_refs):
+def handle_existing_refs(ref, id_, env, verb, to_direction, marking_refs):
     for ref_id in get_id_value(ref.item.idref):
-        handle_existing_ref(ref, ref_id, id, env, verb, to_direction, marking_refs)
+        handle_existing_ref(ref, ref_id, id_, env, verb, to_direction, marking_refs)
 
 
-def handle_relationship_ref(ref, item, id, env, default_verb, to_direction=True, marking_refs=None):
+def handle_relationship_ref(ref, item, id_, env, default_verb, to_direction=True, marking_refs=None):
     if item.idref is None:
-        handle_embedded_ref(ref, item, id, env, default_verb, to_direction, marking_refs)
+        handle_embedded_ref(ref, item, id_, env, default_verb, to_direction, marking_refs)
     elif exists_id_key(item.idref):
-        handle_existing_refs(ref, id, env, default_verb, to_direction, marking_refs)
+        handle_existing_refs(ref, id_, env, default_verb, to_direction, marking_refs)
     else:
         # a forward reference, fix later
-        source_id = id if to_direction else item.idref
-        target_id = str(item.idref) if to_direction else id
+        source_id = id_ if to_direction else item.idref
+        target_id = str(item.idref) if to_direction else id_
         rel_obj = create_relationship(source_id, target_id, env, default_verb, item, marking_refs)
         if hasattr(ref, "relationship") and ref.relationship is not None:
             rel_obj["description"] = ref.relationship.value
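Review bot: In the forward-reference branch the rewritten pair `source_id = id_ if to_direction else item.idref` and `target_id = str(item.idref) if to_direction else id_` coerces `item.idref` with `str()` on one side of the relationship and passes it through unconverted on the other. The explicit `str()` suggests the idref is not a plain string, so when `to_direction` is False `create_relationship` receives a different type than in the forward case; `source_id = id_ if to_direction else str(item.idref)` makes the two branches symmetric, assuming the target-side conversion is the intended one. The rename from `id` to `id_` is itself a welcome change since it stops shadowing the builtin. `handle_existing_ref` closes at the top of the hunk and `handle_relationship_ref` continues past its end.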
@@ -2266,6 +2266,9 @@ def process_ttp_properties(sdo_instance, ttp, env, kill_chains_in_sdo=True, mark
         ttp_created_by_ref = process_information_source(ttp.information_source, sdo_instance, env)
         env.add_to_env(created_by_ref=ttp_created_by_ref)
     if ttp.exploit_targets is not None:
+        warn("Exploit targets are part of STIX 1x %s. Assuming they are related.",
+             646,
+             "TTP" + (" " + ttp.id_ if hasattr(ttp,"id_") else ""))
         handle_relationship_to_refs(ttp.exploit_targets, sdo_instance["id"], env, "targets",
                                     marking_refs=marking_refs)
     if ttp.related_ttps:
@@ -2360,9 +2363,9 @@ def convert_malware_instance(mal, ttp, env, ttp_id_used):
                  malware_instance_instance["id"],
                  malware_instance_instance["name"],
                  alias_name)
-    if mal.title is not None:
-        if "name" not in malware_instance_instance:
-            malware_instance_instance["name"] = mal.title
+    elif mal.title is not None:
+        malware_instance_instance["name"] = mal.title
+        # name is optional in STIX 2.x, so don't try to generate a placeholder
     if aliases:
         malware_instance_instance["aliases"] = aliases
     process_description_and_short_description(malware_instance_instance, mal)
diff --git a/stix2elevator/options.py b/stix2elevator/options.py
index f190fb0a..a69e07eb 100644
--- a/stix2elevator/options.py
+++ b/stix2elevator/options.py
@@ -336,7 +336,7 @@ def msg_id_enabled(msg_id): 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, - 640, 641, 642, 643, 644, 645, + 640, 641, 642, 643, 644, 645, 646, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726,
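Review bot: The new `warn(...)` call guards with `hasattr(ttp, "id_")` but then evaluates `" " + ttp.id_`, which raises `TypeError` when the attribute exists and holds `None`; python-stix entity objects presumably always expose `id_` (possibly unset), so the attribute check is unlikely to be the one that matters. Testing the value covers both cases: `ttp_id = getattr(ttp, "id_", None)` followed by `"TTP" + (" " + str(ttp_id) if ttp_id else "")`, which also fixes the missing space after the comma in `hasattr(ttp,"id_")`. The message text ends with a period while the 646 row added to warnings.rst in this same commit ends without one; keeping them identical lets the table be searched by message. `process_ttp_properties` starts and ends outside the hunk.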
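Review bot: Turning `if mal.title is not None:` into `elif` attaches it to an `if` whose header lies above the hunk, and together with dropping the `"name" not in malware_instance_instance` guard it means `mal.title` is now ignored whenever that preceding branch runs, even if that branch did not assign `"name"`. If the preceding branch always sets `malware_instance_instance["name"]` (the visible `malware_instance_instance["name"],` argument suggests it already exists there) the behaviour is unchanged; otherwise a title that previously served as the fallback name is silently lost. The added comment explains why no placeholder is generated but not this invariant; `# the branch above already set "name"; use the title only when it was not taken` would record it. `convert_malware_instance` starts and ends outside the hunk.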