MISP / MISP-STIX-Converter

A utility repo to assist with converting between MISP and STIX formats
GNU Lesser General Public License v3.0
64 stars 31 forks source link
conversion misp stix threat-sharing

MISP to STIX and back again

Or at least that's the idea

Coverage Status Build Status Code Health

This is the open-sourced version of BAE Systems' internal sync script. It's a bit limited, and it isn't perfect, nor is it bug-free.

But it works™

Installation

If you don't wanna use git,

sudo pip3 install misp_stix_converter

should have you covered. This relies on me actually updating PyPI every time I update the project, so I'd use the git repo wherever possible.

sudo python3 setup.py install

This should install everything it needs!

Useful, huh?

The config file

Copy over the example config to a live version

The default location of this config file is at ~/.misptostix, but this can be overridden with the -c FILE flag when running the scripts.

cp /path/to/config/misp.login.example /path/to/config/misp.login

Then open it and change the variables. This is YAML format, so make sure you don't do a silly and format it wrong!

Usage

For MISP to STIX:

To get all usage information:

misp-to-stix.py -h

So to convert a MISP JSON file to stix json, use

misp-to-stix.py -f INFILE.json --format JSON -o OUTFILE.json (the --format flag is used to specify output format, just for reference)

And to pull a specific event from the MISP instance

misp-to-stix.py -i EVENT_ID...

Alternatively, if you want to pull every event of a certain tag, you can run

misp-to-stix.py -t tlp:white -o out.{}.xml

Which will write all "tlp:white" tagged events to a file formatted by the event's ID, e.g out.29.xml

For STIX to MISP

This only works if you have a live MISP instance to connect the API to.

./stix-to-misp.py INFILE.json

This will convert the file to MISP format and push it. Quite a few bits and bobs get converted, not all of them (I for one blame CyBoX for being weird and layered worse than an onion).

Feel free to add more to the stix-to-misp.py file.