MISP / MISP-STIX-Converter

A utility repo to assist with converting between MISP and STIX formats
GNU Lesser General Public License v3.0

MarkingSpecification removed, why? #28

Open davidonzo opened 6 years ago

davidonzo commented 6 years ago

https://github.com/MISP/MISP-STIX-Converter/blob/8ebdb3d406068d15351cd65eb1b543488b2eed63/misp_stix_converter/converters/convert.py#L123

# Remove any "marking" sections because the US-Cert is evil
log.debug("Removing Marking elements...")
for element in stixXml.findall(".//{http://data-marking.mitre.org/Marking-1}Marking"):
    element.getparent().remove(element)

The script removes any marking specification. Why?

I'm working on a "misp_taxii_hook" for opentaxii's MISP implementation that is able to parse the marking structure of the STIX package and create the TLP tags as needed.

In my local installation I just tried to edit the file, removing the quoted lines, and it seems to work fine. The STIX parsing works as before, but I have the marking specification to parse.

Can you consider removing the quoted lines?

davidonzo commented 6 years ago

Here is the patch for your evaluation:

https://github.com/davidonzo/MISP-STIX-Converter/commit/2b10ea200024db3f0f79b084088c4e9e05f71a1f

FloatingGhost commented 6 years ago

If I remember rightly, US-Cert's marking would crash the entire converter, hence why I purge it.

davidonzo commented 6 years ago

OK, so I can continue to test. ATM all seems to work fine, no errors reported, but of course I need a bit more time.

I'll update you ASAP. Thanks.
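The thread above describes two things: the converter purging every STIX 1.x `Marking` element, and the hook the reporter wants, which reads the marking structure and turns a TLP marking into MISP `tlp:*` tags. The following script is an added example, not code from MISP-STIX-Converter or from either participant. It shows the middle ground the discussion points at: extract the TLP colour before anything is stripped, and skip (with a log warning) any marking structure that is not a TLP marking or carries an unknown colour, so a single odd marking does not take down the whole parse. It uses the standard-library `xml.etree.ElementTree` rather than lxml, which is why it builds its own parent map instead of calling `getparent()`. The STIX namespaces and the `TLPMarkingStructureType` / `color` attribute are the real STIX 1.x data-marking vocabulary; the sample package, the `make_tlp_package` helper and the tag names are constructed for the example.

```python
"""Extract TLP tags from a STIX 1.x package instead of discarding its markings.

Added example (not the converter's own code). Uses only the standard library.
"""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger(__name__)

# Namespaces used by STIX 1.x data markings (real STIX 1.x URIs).
NS_MARKING = "http://data-marking.mitre.org/Marking-1"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
TLP_TYPE_SUFFIX = "TLPMarkingStructureType"

# Colours defined by the STIX 1.x TLP marking extension -> MISP tag names.
TLP_TAGS = {
    "WHITE": "tlp:white",
    "GREEN": "tlp:green",
    "AMBER": "tlp:amber",
    "RED": "tlp:red",
}


def extract_tlp_tags(stix_xml: bytes) -> list:
    """Return the MISP TLP tags implied by the package's marking sections.

    Non-TLP marking structures and unknown colours are skipped with a log
    message rather than raising, so one odd marking cannot stop parsing.
    """
    root = ET.fromstring(stix_xml)
    tags = []
    for marking in root.iter("{%s}Marking" % NS_MARKING):
        for structure in marking.iter("{%s}Marking_Structure" % NS_MARKING):
            xsi_type = structure.get("{%s}type" % NS_XSI, "")
            if not xsi_type.endswith(TLP_TYPE_SUFFIX):
                log.debug("Skipping non-TLP marking structure: %r", xsi_type)
                continue
            # Be lenient about case; the STIX enum itself is upper-case.
            color = (structure.get("color") or "").upper()
            tag = TLP_TAGS.get(color)
            if tag is None:
                log.warning("Unknown TLP colour %r, marking skipped", color)
                continue
            if tag not in tags:
                tags.append(tag)
    return tags


def count_markings(stix_xml: bytes) -> int:
    """Number of Marking elements present in the package."""
    root = ET.fromstring(stix_xml)
    return sum(1 for _ in root.iter("{%s}Marking" % NS_MARKING))


def strip_markings(stix_xml: bytes) -> bytes:
    """Remove every Marking element, which is what the converter does today.

    ElementTree has no getparent(), so a child -> parent map is built first.
    """
    root = ET.fromstring(stix_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    for marking in list(root.iter("{%s}Marking" % NS_MARKING)):
        parents[marking].remove(marking)
    return ET.tostring(root)


def make_tlp_package(color: str) -> bytes:
    """Constructed sample STIX 1.x package with one TLP marking of the given
    colour plus one non-TLP (simple statement) marking structure."""
    return ("""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:simpleMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:package-1">
  <stix:STIX_Header>
    <stix:Title>Constructed sample</stix:Title>
    <stix:Handling>
      <marking:Marking>
        <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="%s"/>
        <marking:Marking_Structure xsi:type="simpleMarking:SimpleMarkingStructureType">
          <simpleMarking:Statement>Handle per sharing agreement</simpleMarking:Statement>
        </marking:Marking_Structure>
      </marking:Marking>
    </stix:Handling>
  </stix:STIX_Header>
</stix:STIX_Package>
""" % color).encode("utf-8")


SAMPLE_PACKAGE = make_tlp_package("AMBER")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(extract_tlp_tags(SAMPLE_PACKAGE))                 # ['tlp:amber']
    print(count_markings(strip_markings(SAMPLE_PACKAGE)))   # 0
    print(extract_tlp_tags(make_tlp_package("PURPLE")))     # []
```

Running the script prints the tag list for the sample package, confirms that stripping leaves no `Marking` elements behind, and shows that an unrecognised colour is logged and skipped rather than raised. In a hook like the one described in the thread, `extract_tlp_tags` would run on the raw package before the converter's purge so that the TLP information survives into MISP as tags.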