PaloAltoNetworks / minemeld

Main MineMeld documentation repo

Miners from complex STIX data #13

Open Nymeria1 opened 7 years ago

Nymeria1 commented 7 years ago

Hello, I configured the miner correctly (TAXII-SERVER)-->aggregator (file, ip, md5 and so on)-->output node (TAXII DATA FEED). This structure works without problem if the STIX is a sample STIX, but if I have a STIX with an Observable_Composition Operator and several observable_id with several cybox:Properties xsi:type and cybox:Related_Object id, Minemeld does not download indicators. Also, I do not have any error during the poll into my TAXII Server; in fact I download all the STIX packages. Thanks for your help

jtschichold commented 7 years ago

Hi @Nymeria1, this depends on the composition operator. Due to the Miner logic, by default only the OR composition is supported - as each observable is extracted separately. If you prefer to ignore composition operator you can set the ignore_composition_operator to true in the prototype:

```yaml
config:
    [...]
    ignore_composition_operator: true
    [...]
```
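An added example, not MineMeld's own code, of the extraction rule described above: observables under a composition are split into separate indicators only when the operator is OR, and any other operator is skipped unless `ignore_composition_operator` is set. It assumes STIX 1.x / CybOX 2 XML, handles only Address and File objects, and parses a constructed sample package (not the one attached to this issue); it also recurses into nested compositions, which goes beyond the single-level case discussed here.

```python
import xml.etree.ElementTree as ET
# Added example, not MineMeld's own code: mirror the miner rule the thread describes.
NS = {"indicator": "http://stix.mitre.org/Indicator-2", "cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample: an OR composition (IPv4 + MD5) and an AND composition (IPv4 only).
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"><stix:Indicators>
<stix:Indicator id="example:indicator-1"><indicator:Observable>
 <cybox:Observable_Composition operator="OR">
  <cybox:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType">
   <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value></cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
   <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
   <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
  </FileObj:Hashes></cybox:Properties></cybox:Object></cybox:Observable>
 </cybox:Observable_Composition></indicator:Observable></stix:Indicator>
<stix:Indicator id="example:indicator-2"><indicator:Observable>
 <cybox:Observable_Composition operator="AND">
  <cybox:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType">
   <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value></cybox:Properties></cybox:Object></cybox:Observable>
 </cybox:Observable_Composition></indicator:Observable></stix:Indicator>
</stix:Indicators></stix:STIX_Package>"""

def _properties(obs):
    # Yield (type, value) pairs from one plain Observable (Address and File objects only).
    props = obs.find("cybox:Object/cybox:Properties", NS)
    kind = props.get(XSI_TYPE, "") if props is not None else ""
    if kind.endswith("AddressObjectType"):
        yield "IPv4", props.findtext("AddressObj:Address_Value", namespaces=NS)
    elif kind.endswith("FileObjectType"):
        for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
            yield h.findtext("cyboxCommon:Type", namespaces=NS), h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)

def _walk(obs, ignore_operator):
    # OR members are independent indicators; AND (or any other operator) is dropped unless ignored.
    comp = obs.find("cybox:Observable_Composition", NS)
    if comp is None:
        yield from _properties(obs)
    elif comp.get("operator") == "OR" or ignore_operator:
        for child in comp.iterfind("cybox:Observable", NS):
            yield from _walk(child, ignore_operator)

def extract_indicators(xml_text, ignore_composition_operator=False):
    # Return (type, value) tuples for every top-level Indicator observable in the package.
    root = ET.fromstring(xml_text)
    return [pair for obs in root.iterfind(".//indicator:Observable", NS)
            for pair in _walk(obs, ignore_composition_operator)]
```

With the default setting the AND member is dropped; with `ignore_composition_operator=True` it is emitted like the OR members.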
Nymeria1 commented 7 years ago

Thanks for your help. In my case I have an OR composition, but no observable has been extracted. Can I use your suggestion with OR? How does Minemeld work with this option?

Nymeria1 commented 7 years ago

I tested with OR but without success. How does Minemeld extract the indicator from STIX data? In the miner I do not see all indicators from the STIX data, and not only from STIX with an Observable_Composition Operator.

jtschichold commented 7 years ago

Hi @Nymeria1, could you provide a sample STIX package from your feed? This way we can troubleshoot the issue.

Thanks!

Nymeria1 commented 7 years ago

Hi @jtschichold, thanks for your support. Attached is an example of STIX which Minemeld does not parse.
sample_lastline.zip

jtschichold commented 7 years ago

Hi @Nymeria1, sorry for the late reply, what would you like to extract from the sample STIX package? The hashes?

Thanks, luigi

Nymeria1 commented 7 years ago

Hi @jtschichold, don't worry. I would like to extract the information about hashes, IP, Domain and URL from the STIX package. Also I have other STIX packages that Minemeld doesn't parse.
Is it possible to modify the parsing logic independently, or should I send you the new sample? Many thanks for your support.

Nymeria1 commented 6 years ago

Hi @jtschichold, have you got any update? Thanks