OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[stix-importer] Unable to import (seemingly valid) STIX json bundles #465

Closed securitiz closed 3 years ago

securitiz commented 3 years ago

Description

Upon importing a seemingly valid STIX json bundle from Alienvault, the importer returns an error:

After removing every instance of the spec_version property, the error was:

As far as I can tell from STIX documentation, all of these properties are legitimate. Please let me know if there is an issue with the STIX data (attached), or if this is a bug.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 18
  2. OpenCTI version: OpenCTI 4.5.5
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Go to Reports -> Select Report -> Files
  2. Upload STIX .json file, import file
  3. Error: see above. No data is parsed

Expected Output

STIX data parsed :)

Actual Output

Error: see above

Additional information

EmergingRansomware_20210903.txt

^note, changed from .json to .txt extension so I could upload to GitHub

Screenshots (optional)

nor3th commented 3 years ago

Hey @securitiz

The STIX file you uploaded seems to be faulty. If you run the official stix2_validator with your STIX file, then this is the output:

$ stix2_validator EmergingRansomware_20210903.json                   
================================================================================
[-] Results for: EmergingRansomware_20210903.json
[X] STIX JSON: Invalid
    [X] Fatal Error: 'NoneType' object has no attribute 'islower'

From what I saw during a quick test, the indicator_types values are wrong.

"indicator_types": [
    null
],

A quick side note: The STIX file parsing is done using the official STIX2 Python library and the connector only handles everything around it (ingestion, report updating, ...). https://github.com/OpenCTI-Platform/connectors/blob/ed21f982660e36ce193b2aab9fea15bf4264af09/internal-import-file/import-file-stix/src/import-file-stix.py#L37

Regards,
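
A pre-import check for the defect identified above, as an added example that is not part of the original thread or the connector's code: it walks a bundle and reports the path of every JSON null, such as the indicator_types entry that tripped the validator. The sample bundle, its ids and the function names are constructed for illustration.

```python
import json

# Constructed sample bundle reproducing the defect discussed in the thread:
# an indicator whose indicator_types list contains a JSON null.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "indicator_types": [null],
     "labels": ["ransomware", null],
     "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "report",
     "id": "report--00000000-0000-4000-8000-000000000003",
     "name": "constructed sample",
     "object_refs": ["indicator--00000000-0000-4000-8000-000000000002"]}
  ]
}
""")

def find_nulls(node, path=""):
    """Yield a JSON-path-like string for every null found under node."""
    if node is None:
        yield path
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_nulls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_nulls(value, f"{path}[{index}]")

def audit_bundle(bundle):
    """Return {object id: [paths of null values]} for objects that have any."""
    report = {}
    for position, obj in enumerate(bundle.get("objects", [])):
        if not isinstance(obj, dict):
            report[f"objects[{position}]"] = ["<not a JSON object>"]
            continue
        nulls = list(find_nulls(obj))
        if nulls:
            report[obj.get("id", f"objects[{position}]")] = nulls
    return report

if __name__ == "__main__":
    for object_id, paths in audit_bundle(SAMPLE_BUNDLE).items():
        print(f"{object_id}: null at {', '.join(paths)}")
```

Running this over an exported bundle before upload points at the exact object and property to fix, which the validator's fatal error message does not.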

securitiz commented 3 years ago

Thanks @nor3th, this feedback was very helpful. I'll close this issue, I figured it out. I do want to ask what you meant by the side note. Aka - what is not being handled that I might be concerned about?

nor3th commented 3 years ago

Hey @securitiz

Great :) What I wanted to say with that side note was that if something breaks with that connector, it's exceptionally not our fault and the STIX people are able to be blamed. Contrary to most of the other connectors, where it is most likely up to us to fix something ;P

Regards,