Closed combobulator closed 7 years ago
Working as intended. No representation of WinDriver
exists in the MISP type list.
Closing as WONTFIX.
Interestingly that STIX file does throw AST errors though, implying there are some really weird strings in there
There you go, fixed the weird string issues. Update the converter and try again
@combobulator Could you share with us the STIX file or at least the Windows Driver Device Object Struct shared? I would like to make a misp-object out of it. misp-objects
@adulau Here's a copy of the specific STIX: stuxnet.stix.xml.txt. It was pulled from this repo
Interesting, so it's just the name of the driver in the example:
```xml
<cybox:Object>
  <cybox:Properties xsi:type="WinDriverObj:WindowsDriverObjectType">
    <WinDriverObj:Device_Object_List>
      <WinDriverObj:Device_Object_Struct>
        <WinDriverObj:Attached_To_Driver_Name condition="Contains">fs_rec.sys</WinDriverObj:Attached_To_Driver_Name>
      </WinDriverObj:Device_Object_Struct>
    </WinDriverObj:Device_Object_List>
  </cybox:Properties>
</cybox:Object>
```
Not the complete struct as mentioned in the specification. Now the funky part: is "fs_rec.sys" really the driver name, or the filename as used here? (http://docs.oasis-open.org/cti/cybox/v2.1.1/csprd01/part66-win-driver/cybox-v2.1.1-csprd01-part66-win-driver.html#_Toc458614796)
Work environment
Expected behavior
Pushing the example STIX file (OpenTAXII/examples/stix/stuxnet.stix.xml) to MISP via TAXII using "taxii-push \<args>" converts the STIX and publishes the info as an event on the target MISP instance.
Actual behavior
When the example STIX is pushed with "taxii-push \<args>", TAXII reports "Content block successfully pushed" (as expected), but the event does not appear on MISP. The log reports "Type not syncing <class 'cybox.objects.win_driver_object.WinDriver'>", four times, followed by a 200 response from the server.
Steps to reproduce the behavior
Logs, screenshots, configuration dump, ...
Console:

```
# taxii-push --path http://localhost:9000/taxii/inbox -f ./MISP-Taxii-Server/OpenTAXII/examples/stix/stuxnet.stix.xml --dest <collection> --username <taxii_user> --password <taxii_password>
2017-06-19 10:01:57,995 INFO: Sending Inbox_Message to http://localhost:9000/taxii/inbox
2017-06-19 10:01:58,103 INFO: Content block successfully pushed
```
Log:

```
'b3RheGlpOmNsWUJhaFpiWXVxS1pGcnR0c3V1' 36
2017-06-19T10:01:58.057743Z [opentaxii.taxii.services.inbox.InboxService] debug: Processing message {level=debug, service_id=inbox, message_version=urn:taxii.mitre.org:message:xml:1.1, timestamp=2017-06-19T10:01:58.057743Z, message_id=e6e06260-0b19-41d6-b359-ada1ac9588fb, logger=opentaxii.taxii.services.inbox.InboxService, event=Processing message, message_type=Inbox_Message}
2017-06-19T10:01:58.075250Z [opentaxii.persistence.sqldb.api] debug: Content block added to collections {content_block=11, level=debug, timestamp=2017-06-19T10:01:58.075250Z, collections=1, logger=opentaxii.persistence.sqldb.api, event=Content block added to collections}
Building Event...
STIX Import
Type not syncing <class 'cybox.objects.win_driver_object.WinDriver'>
Type not syncing <class 'cybox.objects.win_driver_object.WinDriver'>
Type not syncing <class 'cybox.objects.win_driver_object.WinDriver'>
Type not syncing <class 'cybox.objects.win_driver_object.WinDriver'>
127.0.0.1 - - [19/Jun/2017 10:01:58] "POST /taxii/inbox HTTP/1.1" 200 -
```
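A pre-flight check for the silent drop described in this issue, as an added example that is not part of the thread or of the MISP-Taxii-Server code: it lists the CybOX object types in a STIX 1.x package and reports those outside an allow-list, together with the values that would be lost. The `SUPPORTED` set, the function names and the sample document are assumptions constructed here.

```python
import xml.etree.ElementTree as ET  # for untrusted feeds, defusedxml.ElementTree is a drop-in

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the WinDriver object quoted in the thread plus a File object.
# Namespace URIs are illustrative; the code matches on local names only.
SAMPLE = """<Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:WinDriverObj="http://cybox.mitre.org/objects#WinDriverObject-3"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
  <cybox:Object><cybox:Properties xsi:type="WinDriverObj:WindowsDriverObjectType">
    <WinDriverObj:Device_Object_List><WinDriverObj:Device_Object_Struct>
      <WinDriverObj:Attached_To_Driver_Name condition="Contains">fs_rec.sys</WinDriverObj:Attached_To_Driver_Name>
    </WinDriverObj:Device_Object_Struct></WinDriverObj:Device_Object_List>
  </cybox:Properties></cybox:Object>
  <cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:File_Name>example.bin</FileObj:File_Name>
  </cybox:Properties></cybox:Object>
</Observables>"""

# Hypothetical allow-list: fill it with the types your converter version actually maps.
SUPPORTED = {"FileObjectType"}

def local(name):
    """Strip an ElementTree '{uri}' prefix or an XML 'prefix:' from a name."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def inventory(xml_text):
    """Return [(object_type, [(field, condition, value), ...])] per typed Properties element."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "Properties" or XSI_TYPE not in el.attrib:
            continue
        # Leaf elements with text carry the observable values (and their match condition).
        leaves = [(local(c.tag), c.get("condition"), c.text.strip())
                  for c in el.iter()
                  if len(c) == 0 and c.text and c.text.strip()]
        found.append((local(el.get(XSI_TYPE)), leaves))
    return found

def unmapped(xml_text, supported=SUPPORTED):
    """Objects a converter limited to `supported` would skip, with the values lost."""
    return [(t, leaves) for t, leaves in inventory(xml_text) if t not in supported]

if __name__ == "__main__":
    for obj_type, leaves in unmapped(SAMPLE):
        print("not mapped:", obj_type, leaves)
```

Running this against a package before pushing it surfaces the gap that the TAXII "Content block successfully pushed" message and the 200 response do not.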