MISP / MISP-Taxii-Server

An OpenTAXII Configuration for MISP
BSD 3-Clause "New" or "Revised" License

import stix v2.1 to MISP #95

Open tahaconfiant opened 3 years ago

tahaconfiant commented 3 years ago

in the file MISP-Taxii-Server/misp_taxii_hooks/hooks.py

line containing, package = pymisp.tools.stix.load_stix(StringIO(block))

it seems here we can only load stix v1. tried with stix v2, stix v2.1 the file just gets skipped, because misp attributes aren't recognized, therefore still an empty event is uploaded to misp.

it seems there's some mapping that needs to be done between misp and stix v2.1

I would assume the main code for this mapping should be implemented in the pymisp library.

btw when uploading a stix v2.1 directly to misp via the GUI (in the menu add event, import from stix 2.0) it works perfectly, because they don't rely on pymisp to load the file.

question is simple: I want to push stix2.1 files to MISP-Taxii-Server, but it doesn't seem to be implemented yet.

see attached file for a sample stix v2.1 file

blast.json.zip
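An added example, not code from MISP-Taxii-Server or PyMISP: a version sniff that a hook could run on a raw TAXII content block before handing it to the STIX 1 loader, so that a STIX 2.0/2.1 bundle is reported and skipped instead of silently becoming an empty event. The function names detect_stix_version and route_block are hypothetical, and the three sample blocks are constructed for this example (they are not the attached blast.json).

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample content blocks (not taken from the issue's attachment).
STIX1_BLOCK = (
    '<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" '
    'id="example:Package-1" version="1.2"></stix:STIX_Package>'
)
STIX20_BLOCK = json.dumps({
    "type": "bundle", "id": "bundle--1", "spec_version": "2.0",
    "objects": [{"type": "indicator", "id": "indicator--1",
                 "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"}],
})
STIX21_BLOCK = json.dumps({
    "type": "bundle", "id": "bundle--2",
    "objects": [{"type": "indicator", "id": "indicator--2", "spec_version": "2.1",
                 "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
                 "pattern_type": "stix"}],
})

def detect_stix_version(block: str) -> str:
    """Return '1', '2.0', '2.1' or 'unknown' for a raw content block."""
    text = block.lstrip()
    if text.startswith("<"):                      # STIX 1.x is XML
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return "unknown"
        # A STIX 1.x package root lives in the stix-1 namespace.
        return "1" if root.tag.startswith("{http://stix.mitre.org/stix-1}") else "unknown"
    try:                                          # STIX 2.x is a JSON bundle
        data = json.loads(text)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict) or data.get("type") != "bundle":
        return "unknown"
    if data.get("spec_version") == "2.0":         # 2.0 puts spec_version on the bundle
        return "2.0"
    objs = [o for o in data.get("objects", []) if isinstance(o, dict)]
    if objs and all(o.get("spec_version") == "2.1" for o in objs):
        return "2.1"                              # 2.1 puts spec_version on each object
    return "unknown"

def route_block(block: str) -> str:
    """Pick a handling path instead of feeding every block to the STIX 1 loader."""
    version = detect_stix_version(block)
    if version == "1":
        return "load_stix"        # existing STIX 1 path (pymisp.tools.stix.load_stix)
    if version in ("2.0", "2.1"):
        return "skip:stix2"       # refuse explicitly rather than upload an empty event
    return "skip:unknown"
```

The "skip" results are where a hook would log the block id and version so the dropped content is visible in the server logs rather than only as an empty event in MISP.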

tahaconfiant commented 3 years ago

I opened an issue in PyMISP project as well https://github.com/MISP/PyMISP/issues/704

adulau commented 3 years ago

Could you use and test the following approach for ingesting your stix files?

https://github.com/MISP/MISP/tree/2.4/tools/ingest_stix

Thanks a lot.

tahaconfiant commented 3 years ago

nearly there, running the suggested script:

x@misp:/var/www/MISP/tools/ingest_stix$ sudo -H -u www-data /var/www/MISP/venv/bin/python3 ingest_stix.py --version 2 --path stix2.json

gave me a

<Response [403]>
Error with the ingestion of the following file: stix2.json

checking error logs:

tail: /var/www/MISP/app/tmp/logs/exec-errors.log: file truncated
Traceback (most recent call last):
  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 2061, in <module>
    main(sys.argv)
  File "/var/www/MISP/app/files/scripts/stix2/stix2misp.py", line 2053, in main
    event = stix2.parse(f.read(), allow_custom=True, interoperability=True)
TypeError: parse() got an unexpected keyword argument 'interoperability'

my package versions, I think I have the last version of everything stix related, just upgraded them all:

x@misp:/var/www/MISP/tools/ingest_stix$ sudo -H -u www-data /var/www/MISP/venv/bin/pip3 list  | grep stix
stix                   1.2.0.11
stix2                  2.1.0
stix2-patterns         1.3.2