STIXProject / python-stix

A Python library for parsing, manipulating, and generating STIX content.
http://stix.readthedocs.org/
BSD 3-Clause "New" or "Revised" License

stix_package.add_observable() and IDs #324

Closed dilyanpalauzov closed 7 years ago

dilyanpalauzov commented 7 years ago

This code

import stix.core
import cybox.core
import cybox.objects.address_object

p = stix.core.STIXPackage()

p.add_observable(cybox.objects.address_object.Address('1.2.3.4'))
p.add_observable(cybox.core.Event())

print(p.to_xml())

produces

<stix:STIX_Package
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:example="http://example.com"
  id="example:Package-858fc4b4-648e-41b0-90fe-299c44e5a765"
  version="1.2">
    <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
        <cybox:Observable id="example:Observable-60e703c5-d717-482a-9b0a-3ed3d5fbdf27">
            <cybox:Object id="example:Address-397f22b1-cd16-4d76-bcd5-86066eb82b69">
                <cybox:Properties xsi:type="AddressObj:AddressObjectType">
                    <AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value>
                </cybox:Properties>
            </cybox:Object>
        </cybox:Observable>
        <cybox:Observable id="example:Observable-d2a00877-b46e-48df-8dbe-45ffe7f95551">
            <cybox:Event/>
        </cybox:Observable>
    </stix:Observables>
</stix:STIX_Package>

Why does the address have an id, but not the event?

gtback commented 7 years ago

Thanks for the question, @dilyanpalauzov.

In CybOX, Observable, Object and Event objects have (optional) IDs. We designed the python-cybox API so that you can create an Address "object", and add it directly to the STIXPackage, and the intermediate Observable and Object objects get created along the way. Both of these are defined to automatically create IDs (see here and here) if not provided, which (while not strictly required) is a best practice.

There's nothing equivalent for Event, though there certainly could be; it would need to be done in python-cybox, though, not python-stix. In my experience, Events are much, much less common in CybOX than Objects, so to be honest we haven't really put much time into them.

As a workaround, you can do:

import mixbox.idgen

ev = cybox.core.Event()
ev.id_ = mixbox.idgen.create_id(prefix="Event")
p.add_observable(ev)

dilyanpalauzov commented 7 years ago

For the above file stix-validator.py --best-practices produces:

[-] Performing xml schema validation on z.xml
[-] Performing best practice validation on z.xml
==============================================================================
[-] Results: z.xml
[+] XML Schema: True
[!] Best Practices: False
    [!] Missing IDs
        [-] line : 21
        [-] message : None
        [-] id : None
        [-] idref : None
        [-] tag : {http://cybox.mitre.org/cybox-2}Event
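
A check for the missing-ID condition discussed in this thread, as an added example (not code from python-stix, python-cybox or stix-validator). It uses only the standard library, reports each CybOX Observable, Object or Event element that lacks an ID together with the ID of its enclosing Observable, and runs on a constructed sample trimmed from the output above with shortened IDs. Treating an `idref` as sufficient is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

CYBOX_NS = "http://cybox.mitre.org/cybox-2"
OBSERVABLE = "{%s}Observable" % CYBOX_NS
# CybOX constructs named in this thread as carrying an (optional) id.
ID_BEARING = {OBSERVABLE, "{%s}Object" % CYBOX_NS, "{%s}Event" % CYBOX_NS}

# Constructed sample: trimmed from the XML in this thread, ids shortened.
SAMPLE = """<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:example="http://example.com"
  id="example:Package-1" version="1.2">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-1">
      <cybox:Object id="example:Address-1"/>
    </cybox:Observable>
    <cybox:Observable id="example:Observable-2">
      <cybox:Event/>
    </cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""


def missing_ids(xml_text):
    """Return (local_name, enclosing_observable_id) for every Observable,
    Object or Event element that has neither an id nor an idref."""
    findings = []

    def walk(el, obs_id):
        # Remember the nearest Observable so a finding can be located.
        if el.tag == OBSERVABLE:
            obs_id = el.get("id") or el.get("idref")
        if el.tag in ID_BEARING and not (el.get("id") or el.get("idref")):
            findings.append((el.tag.split("}")[1], obs_id))
        for child in el:
            walk(child, obs_id)

    # For documents from untrusted feeds, parse with a hardened XML parser.
    walk(ET.fromstring(xml_text), None)
    return findings


if __name__ == "__main__":
    print(missing_ids(SAMPLE))
```
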