MISP / MISP-STIX-Converter

A utility repo to assist with converting between MISP and STIX formats
GNU Lesser General Public License v3.0

MISPtoSTIX failed to load event #20

Closed FliegenEinhorn closed 6 years ago

FliegenEinhorn commented 7 years ago

Hi,

I tried to convert all events of the galaxy misp-galaxy:tool=ETERNALBLUE with misp-to-stix.py. But when the code tries to load events (in convert.py MISPtoSTIX(mispJson)), some of them trigger an error.

This is my command line :

misp-to-stix.py -t "misp-galaxy:tool=\"ETERNALBLUE\"" -o ./results/out.{}.xml

And it raises this error :

[] is not of type 'object'
Failed validating 'type' in schema['properties']['Event']['properties']['Galaxy']['items']['properties']['GalaxyCluster']['items']['properties']['meta']:
    {'type': 'object'}
On instance['Event']['Galaxy'][0]['GalaxyCluster'][0]['meta']:
    []

So I looked for galaxy_cluster in schema.json from pymisp and I saw that meta should be a dict** :

"galaxy_cluster": {
    "type": "object",
    "additionalProperties": false,
    "properties": {
        "id": { "type": "string" },
        "uuid": { "type": "string" },
        "value": { "type": "string" },
        "description": { "type": "string" },
        "tag_id": { "type": "string" },
        "meta": { "type": "object" }
    }
}

But when I searched the event manually (8188 on misppriv) and looked at "Galaxy" key, meta was an empty list**:

u'Galaxy': [{u'GalaxyCluster': [{u'description': u'SMBv2 exploit for Windows 7 SP1 (MS17-010)', u'galaxy_id': u'79', u'value': u'ETERNALBLUE', u'source': u'MISP Project', u'tag_name': u'misp-galaxy:tool="ETERNALBLUE"', u'meta': [], u'type': u'tool'}]}]

So it can't match the json schema and it fails while loading the event.

For now I did an ugly but working trick (still in convert.py MISPtoSTIX(mispJson)):

for galaxy in mispJSON['Event']['Galaxy']:
    for galaxy_cluster in galaxy['GalaxyCluster']:
        if galaxy_cluster['meta'] == []:
            galaxy_cluster['meta'] = {}

So, I think that when there is no value for meta, meta should be {} rather than []. Or all items in galaxy clusters should have the meta dict completed.

Thanks for reading :)

** I cut some of the fields for visibility
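
The workaround from the post above, hardened for an ingestion path, as an added example (not code from MISP-STIX-Converter or from the commenters): it coerces only an empty-list meta, leaves the input untouched, tolerates missing keys, and rejects any other non-object value instead of guessing. The function name normalise_galaxy_meta and the sample event are constructed for illustration.

```python
import copy

# Constructed sample in the shape of the event quoted above (most fields cut).
SAMPLE_EVENT = {"Event": {"Galaxy": [{"GalaxyCluster": [
    {"value": "ETERNALBLUE", "type": "tool", "meta": []},
    {"value": "constructed-cluster", "type": "tool",
     "meta": {"refs": ["https://example.org"]}},
]}]}}


def normalise_galaxy_meta(misp_json):
    """Return (fixed_copy, n_fixed).

    Hypothetical helper: turns an empty-list 'meta' in a galaxy cluster into {}
    so the event satisfies the schema's {"type": "object"} for that key.
    Any other non-dict value is rejected rather than silently rewritten.
    """
    event = copy.deepcopy(misp_json)  # leave the caller's data untouched
    fixed = 0
    galaxies = event.get("Event", {}).get("Galaxy") or []
    for g_idx, galaxy in enumerate(galaxies):
        for c_idx, cluster in enumerate(galaxy.get("GalaxyCluster") or []):
            if "meta" not in cluster or isinstance(cluster["meta"], dict):
                continue  # absent or already an object: nothing to do
            if isinstance(cluster["meta"], list) and not cluster["meta"]:
                cluster["meta"] = {}  # the [] seen in the failing export
                fixed += 1
                continue
            raise ValueError(
                "Event.Galaxy[%d].GalaxyCluster[%d].meta is %s, expected object"
                % (g_idx, c_idx, type(cluster["meta"]).__name__)
            )
    return event, fixed


if __name__ == "__main__":
    cleaned, count = normalise_galaxy_meta(SAMPLE_EVENT)
    print("coerced %d empty meta value(s)" % count)
    print(cleaned["Event"]["Galaxy"][0]["GalaxyCluster"][0]["meta"])
```

Returning the count lets the caller log how many clusters were rewritten, so the upstream export problem stays visible instead of being masked.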

FloatingGhost commented 7 years ago

I can't replicate with my instance, trying to get access to MISPPRIV to test on that specific event

FloatingGhost commented 7 years ago

Also: STOP USING PYTHON2

FliegenEinhorn commented 7 years ago

Thanks for your advice, I'm using Python3. Maybe I'm not Python3 compliant yet, but it's in progress

FloatingGhost commented 7 years ago

u'Galaxy': [{u'GalaxyCluster':

this is py2 :<

FliegenEinhorn commented 7 years ago

Erf you're right, this is an extract from a quick test with ipython notebook which is still in python2 on my computer. I didn't pay attention

FloatingGhost commented 7 years ago

But anyhow, I'll see if I can get access to Misp priv and see if I can replicate

FloatingGhost commented 7 years ago

Ok, got access. This is a bug with MISP itself!

It exports in contradiction to its own schema~

I'll go bug andras to tell me where the export is done

FloatingGhost commented 7 years ago

Ok, I put a PR into MISP to fix it - once MISPPriv is updated, this should sort itself out for you

FliegenEinhorn commented 7 years ago

That was fast! Thanks :)

Rafiot commented 6 years ago

Closing then :)