MISP / MISP-STIX-Converter

A utility repo to assist with converting between MISP and STIX formats
GNU Lesser General Public License v3.0

Header, Title, or Name added to the MISP event? #38

Open mathurin68 opened 4 years ago

mathurin68 commented 4 years ago

This is just terrific and can't believe @FloatingGhost got this to work (comments are worth reading).

At the moment I'm just concerned with getting some type of 'referencing' information with the event back into MISP.

For whatever reason it doesn't pick up the header or title and just uses STIX_File.xml and event info = STIX Import

but there's definitely a

    <stix:STIX_Header>
        <stix:Package_Intent

and a


    <stixCommon:Identity>
        <stixCommon:Name

and I thought that was what this was doing --

    if isinstance(stix, str) and "\n" not in stix:
        # It's probably just a filename
        filename = stix
    elif hasattr(stix, "name"):
        # Steal this one!
        filename = stix.name
    elif hasattr(stixPackage, "stix_header"):
        # Well it has a header, maybe we can steal it
        if stixPackage.stix_header:
            if stixPackage.stix_header.title not in ["", None]:
                filename = stixPackage.stix_header.title + ".xml"

I swear it used to grab that information and add it to the event.

I don't know if there are any suggestions you can give AND sorry if I haven't given any good 'examples' in here, I'm not sure what I'm allowed to copy and paste.

Thank you for your work on this!

Also, in case anyone else looks for this, I did get it to start tagging by modifying convert.py:

    if misp_event.attributes:
        log.debug("Attributes exist. Pushing...")
        if mispAPI:
            response = mispAPI.add_event(
                json.dumps(misp_event, cls=MISPEncode))
            # Check for errors before reading response['Event'], which may be
            # missing when the push failed
            if response.get('errors'):
                raise Exception("PACKAGE: {}\nERROR: {}".format(
                    json.dumps(misp_event, cls=MISPEncode),
                    response.get('errors')))
            event_id = response['Event']['id']
            event = mispAPI.get_event(event_id)
            uuid = response['Event']['uuid']
            # Tag the newly created event
            mispAPI.tag(uuid, "TAG_Taxii")
            return response
        else:
            return True
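
Added example, not part of the original post or the project's code: the branch order of the filename snippet quoted above, run against constructed stand-in objects, beside a hypothetical title-first variant. `name_title_first`, `safe_title`, the default name and the sample values are assumptions; the title comes from the STIX document itself, so the variant sanitizes it before using it as a file name.

```python
import os
import re
from types import SimpleNamespace


def name_as_posted(stix, stix_package):
    """Same branch order as the snippet quoted in the issue."""
    filename = None
    if isinstance(stix, str) and "\n" not in stix:
        filename = stix
    elif hasattr(stix, "name"):
        # A file-like input stops here; the header below is never consulted
        filename = stix.name
    elif hasattr(stix_package, "stix_header"):
        if stix_package.stix_header:
            if stix_package.stix_header.title not in ["", None]:
                filename = stix_package.stix_header.title + ".xml"
    return filename


def safe_title(title, max_len=80):
    """Reduce an untrusted title to a plain file-name component."""
    cleaned = re.sub(r"[^A-Za-z0-9._ -]", "_", title).strip(" .")
    return cleaned[:max_len]


def name_title_first(stix, stix_package, default="STIX_Import.xml"):
    """Hypothetical reordering: header title first, then the input's name."""
    header = getattr(stix_package, "stix_header", None)
    title = getattr(header, "title", None)
    if title and safe_title(title):
        return safe_title(title) + ".xml"
    if isinstance(stix, str) and "\n" not in stix:
        return os.path.basename(stix)
    if hasattr(stix, "name"):
        return os.path.basename(str(stix.name))
    return default


# Constructed sample: a file-like input and a stand-in for a parsed package
upload = SimpleNamespace(name="STIX_File.xml")
package = SimpleNamespace(
    stix_header=SimpleNamespace(title="Campaign/2019 report"))

if __name__ == "__main__":
    print(name_as_posted(upload, package))
    print(name_title_first(upload, package))
```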