openIOC in CRITs

[paulpc]

I know that CRITs is originally a MITRE project and MITRE backs the STIX Indicators of Compromise sharing format, but it would be great to be able to import openIOC directly into CRITs without having to go through a conversion script.

[mgoffin]

Hey Paul!

I think this is a great idea. The more formats CRITs can import and export the easier it will be for analysts to quickly work with the data they get.

As far as support for another format, these are the things to take into consideration:

• What top-level objects can be imported in this format?
  • Implement importing
• What top-level objects can be exported in this format?
  • Implement exporting
• What data doesn't fit into the format and will be left out?
  • How do we educate users about the gap in information?
• Where to implement the code?
  • If the format will be something all top-level objects can use in a generic way, adding it to the core CritsBaseAttributes class as methods (to_[format]() and from_[format]()) would be best. If it is unique for each top-level object, then adding those functions to the appropriate classes would be best.
  • In the standards folder, it would make sense to do the bulk of the implementation. Creating a class that can be instantiated, fed the formatted data, and generate appropriate output is how we've modeled this in the past. If we can stick with this model that would be beneficial.

[mgoffin]

Since STIX support was moved out to a service, I think if this were to happen it would be done as a service as well.