CybOXProject / mixbox

A library of common code leveraged by python-cybox, python-maec, and python-stix
BSD 3-Clause "New" or "Revised" License

parse STIX package from xml that contains CIQIdentity content #42

Closed tlhampton13 closed 6 years ago

tlhampton13 commented 6 years ago

I need to parse a STIX package (v 1.2) that is using the CIQIdentity extension points. My code uses the mixbox/parser. It seems the mixbox/parser does not parse the CIQIdentity but only the Identity. Is there a way to get the mixbox parser to work with the CIQIdentity extension points?

Here is a trivial example xml. When parsed using the mixbox parser the Identity information is lost.

<stix:STIX_Package xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xal="urn:oasis:names:tc:ciq:xal:3" xmlns:stix="http://stix.mitre.org/stix-1"
                   xmlns:ttp="http://stix.mitre.org/TTP-1"
                   xmlns:indicator="http://stix.mitre.org/Indicator-2"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:example="http://example.com"
                   xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
                   xmlns:xlink="http://www.w3.org/1999/xlink"
                   id="example:Package-50a0c04a-892d-4936-9c94-7c007fb38fe2" version="1.2">
    <stix:Indicators>
        <stix:Indicator id="example:indicator-d38762ca-8cab-404f-a2ab-73fc6e83ceef"
                        timestamp="2018-01-09T17:38:28.711456Z" xsi:type="indicator:IndicatorType">
            <indicator:Title>Malicious executable</indicator:Title>
            <indicator:Description>Resident binary which implements infostealing and credit card grabber
            </indicator:Description>
            <indicator:Indicated_TTP>
                <stixCommon:TTP id="example:ttp-79c84e01-b399-443e-8f47-c9e2310d77fb"
                                timestamp="2018-01-09T17:38:28.707208Z" xsi:type="ttp:TTPType">
                    <ttp:Title>Victim Targeting: Country</ttp:Title>
                    <ttp:Victim_Targeting>
                        <ttp:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
                            <ciqIdentity:Specification>
                                <xpil:Addresses>
                                    <xpil:Address>
                                        <xal:Country>
                                            <xal:NameElement>US</xal:NameElement>
                                        </xal:Country>
                                    </xpil:Address>
                                </xpil:Addresses>
                            </ciqIdentity:Specification>
                        </ttp:Identity>
                    </ttp:Victim_Targeting>
                </stixCommon:TTP>
            </indicator:Indicated_TTP>
            <indicator:Kill_Chain_Phases>
                <stixCommon:Kill_Chain_Phase name="Infect Machine"
                                             phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"
                                             kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
            </indicator:Kill_Chain_Phases>
        </stix:Indicator>
    </stix:Indicators>
</stix:STIX_Package>
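
The package above only works if the parser dispatches on the `xsi:type` of `ttp:Identity` rather than treating it as the base `stixCommon:IdentityType`. The following is an added example, not code from mixbox or python-stix, that shows that dispatch with nothing but the standard library: it resolves the `xsi:type` QName against the namespace declarations in scope, routes the element to a handler registered for `ciqIdentity:CIQIdentity3.0InstanceType`, and, with `honour_xsi_type=False`, reproduces the failure mode from this issue where the CIQ `Specification` is silently dropped. The registry name `EXTENSIONS`, the handler functions and the trimmed sample package are this example's own assumptions.

```python
import io
import xml.etree.ElementTree as ET

# Namespace URIs copied from the package in this issue.
NS = {
    "stixCommon": "http://stix.mitre.org/common-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ciqIdentity": "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1",
    "xpil": "urn:oasis:names:tc:ciq:xpil:3",
    "xal": "urn:oasis:names:tc:ciq:xal:3",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
TTP_IDENTITY = "{%s}Identity" % NS["ttp"]

# Constructed sample: the issue's package trimmed to the Victim_Targeting path.
SAMPLE_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
    xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3" xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
    id="example:Package-50a0c04a-892d-4936-9c94-7c007fb38fe2" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-d38762ca-8cab-404f-a2ab-73fc6e83ceef"
                    xsi:type="indicator:IndicatorType">
      <indicator:Indicated_TTP>
        <stixCommon:TTP id="example:ttp-79c84e01-b399-443e-8f47-c9e2310d77fb" xsi:type="ttp:TTPType">
          <ttp:Victim_Targeting>
            <ttp:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
              <ciqIdentity:Specification>
                <xpil:Addresses><xpil:Address>
                  <xal:Country><xal:NameElement>US</xal:NameElement></xal:Country>
                </xpil:Address></xpil:Addresses>
              </ciqIdentity:Specification>
            </ttp:Identity>
          </ttp:Victim_Targeting>
        </stixCommon:TTP>
      </indicator:Indicated_TTP>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def iter_identities(xml_text):
    """Yield (ttp:Identity element, in-scope prefix->URI map).

    The prefix in an xsi:type value only means something together with the
    namespace declarations in scope at that element, so the map is snapshotted
    at the start tag and the element is yielded once it is fully parsed."""
    ns_stack, pending = [], {}
    events = ("start-ns", "end-ns", "start", "end")
    for event, payload in ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events):
        if event == "start-ns":
            ns_stack.append(payload)          # (prefix, uri); "" is the default ns
        elif event == "end-ns":
            ns_stack.pop()
        elif event == "start" and payload.tag == TTP_IDENTITY:
            pending[id(payload)] = dict(ns_stack)
        elif event == "end" and id(payload) in pending:
            yield payload, pending.pop(id(payload))


def resolve_xsi_type(elem, nsmap):
    """Return (namespace URI, local name) for the element's xsi:type, or None."""
    qname = elem.get(XSI_TYPE)
    if qname is None:
        return None
    prefix, _, local = qname.rpartition(":")
    if prefix not in nsmap:
        raise ValueError("xsi:type prefix %r is not declared in scope" % prefix)
    return nsmap[prefix], local


def parse_identity(elem):
    """Base stixCommon:IdentityType handler: only a Name is understood."""
    return {"type": "IdentityType", "name": elem.findtext("stixCommon:Name", None, NS)}


def parse_ciq_identity(elem):
    """CIQ extension handler: pull country names out of the xPIL/xAL Specification."""
    path = ("ciqIdentity:Specification/xpil:Addresses/xpil:Address/"
            "xal:Country/xal:NameElement")
    return {"type": "CIQIdentity3.0InstanceType",
            "countries": [e.text for e in elem.findall(path, NS)]}


# xsi:type -> handler, keyed by (namespace URI, local type name). Example's own registry.
EXTENSIONS = {(NS["ciqIdentity"], "CIQIdentity3.0InstanceType"): parse_ciq_identity}


def parse_victim_identities(xml_text, honour_xsi_type=True):
    """Parse every ttp:Identity in the package. honour_xsi_type=False reproduces the
    failure from the issue: the element is handled as a plain Identity and the CIQ
    Specification is dropped without any error."""
    results = []
    for elem, nsmap in iter_identities(xml_text):
        handler = parse_identity
        if honour_xsi_type:
            key = resolve_xsi_type(elem, nsmap)
            if key is not None:
                if key not in EXTENSIONS:
                    # Fail loudly: a silent fallback to the base type is how data goes missing.
                    raise ValueError("no handler registered for xsi:type %s:%s" % key)
                handler = EXTENSIONS[key]
        results.append(handler(elem))
    return results


if __name__ == "__main__":
    print(parse_victim_identities(SAMPLE_XML))
    print(parse_victim_identities(SAMPLE_XML, honour_xsi_type=False))
```

Two points carry over to any extension-aware parser: resolve the `xsi:type` prefix against the declarations actually in scope (a feed may bind `ciqIdentity` to a different prefix, or redeclare it on an inner element), and refuse unknown types instead of degrading to the base class, since the degraded result looks valid and the loss only shows up downstream. STIX from feeds you do not control is untrusted input, so for production use run the same logic through `defusedxml.ElementTree.iterparse`, which blocks entity-expansion and external-entity tricks that the stock parser does not guard against.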

gtback commented 6 years ago

Thanks, @tlhampton13 I thought we'd knocked out the bugs in CIQ, but maybe there are still some left. Hopefully I'll get a chance to look into this soon.

tlhampton13 commented 6 years ago

Thanks, @gtback I appreciate your help.

This turned out to be a problem with the VictimTargeting class in STIX that has been fixed in a more recent version. I was using STIX 1.2.0.1; this issue has been fixed in 1.2.0.4.

gtback commented 6 years ago

Glad you figured it out, @tlhampton13 . If you run into anything else, let us know!