oasis-open / cti-python-stix2

OASIS TC Open Repository: Python APIs for STIX 2
https://stix2.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Create a stix 2.0 Indicator with a network traffic pattern #410

Closed c52-k closed 4 years ago

c52-k commented 4 years ago

Hello,

I get the following error when trying to create an indicator with a NetworkTraffic pattern in STIX 2.0.

stix2.exceptions.InvalidValueError: Invalid value for Indicator 'pattern': FAIL: Error found at line 1:1. mismatched input '{' expecting {IdentifierWithoutHyphen, IdentifierWithHyphen, '('}

I'm first creating a NetworkTraffic object and converting it into an ObservationExpression as explained in https://stix2.readthedocs.io/en/latest/guide/patterns.html.

Following is the code I am using to create the pattern and the indicator.

import stix2
from datetime import datetime, timedelta, timezone

# Placeholders for names the snippet uses but never defines (not in the original post)
identity_obj = stix2.v20.Identity(name="example-org", identity_class="organization")
valid_from = datetime.now(timezone.utc)
valid_until = valid_from + timedelta(days=30)

src_addr_s = stix2.v20.IPv4Address(value="192.168.0.76")
dst_addr_s = stix2.v20.IPv4Address(value="192.168.0.54")
pattern_dict = {"0": src_addr_s, "1": dst_addr_s}
# Network Traffic object; in STIX 2.0 the refs are resolved through _valid_refs
network_traffic = stix2.v20.NetworkTraffic(_valid_refs=pattern_dict, src_ref="0", dst_ref="1", protocols=['ipv4', 'udp'])

# Observation expression (wrapping the observable directly is what produces the error above)
pattern_expr = stix2.ObservationExpression(network_traffic)

# Indicator; the pattern is validated against the STIX pattern grammar on construction
indicator = stix2.v20.Indicator(
    labels=['malicious-activity'],
    created_by_ref=identity_obj,
    description='rule',
    pattern=pattern_expr,
    valid_from=valid_from,
    valid_until=valid_until
)

I have to use STIX 2.0 for this due to some old dependencies (not STIX 2.1). Any help on this is appreciated.

Thank you!

clenk commented 4 years ago

Hi @c52-k, printing the pattern_expr gives me

[{
    "type": "network-traffic",
    "src_ref": "0",
    "dst_ref": "1",
    "protocols": [
        "ipv4",
        "udp"
    ]
}]

which is not a valid STIX pattern. We could modify the library to not allow this to be created, but in the meantime, the observation expression should contain some kind of comparison expression in it like the examples in the docs. For example, you could do the following to make a pattern match on just the src_addr:

# Left-hand side: object type plus the property path; right-hand side: the constant to match
lhs = stix2.ObjectPath("network-traffic", ["src_ref", "value"])
pattern_expr2 = stix2.ObservationExpression(stix2.EqualityComparisonExpression(lhs, src_addr_s.value))

giving you a pattern of

[network-traffic:src_ref.value = '192.168.0.76']

Or, if you wanted to match on all of the properties in the network-traffic object:

# One object path per property to match
lhs_src = stix2.ObjectPath("network-traffic", ["src_ref", "value"])
lhs_dst = stix2.ObjectPath("network-traffic", ["dst_ref", "value"])
lhs_proto = stix2.ObjectPath("network-traffic", ["protocols"])

# One comparison per property; a list on the right-hand side is rendered as IN (...)
eq_src = stix2.EqualityComparisonExpression(lhs_src, src_addr_s.value)
eq_dst = stix2.EqualityComparisonExpression(lhs_dst, dst_addr_s.value)
eq_proto = stix2.EqualityComparisonExpression(lhs_proto, ['ipv4', 'udp'])

# AND them together so all three must hold on the same observed object
and1 = stix2.AndBooleanExpression([eq_src, eq_dst])
and2 = stix2.AndBooleanExpression([and1, eq_proto])

pattern_expr3 = stix2.ObservationExpression(and2)

giving you

[network-traffic:src_ref.value = '192.168.0.76' AND network-traffic:dst_ref.value = '192.168.0.54' AND network-traffic:protocols IN ('ipv4', 'udp')]
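The point of the answer above, as an added illustration that is neither the project's own code nor anything posted in this thread: a STIX pattern is a set of comparisons on object paths, so a detection rule for network traffic is derived from the observable's properties, never from the serialised observable itself. The builder below re-implements in plain Python what stix2.ObjectPath, stix2.EqualityComparisonExpression and stix2.AndBooleanExpression emit, so it runs without the stix2 package. It goes a little beyond the answer: it backslash-escapes quotes and backslashes inside string constants (a value lifted from captured traffic must not be able to close the constant early and change what the pattern matches), it accepts a dst_port comparison, and it includes a cheap structural check that rejects a serialised observable like the one in the issue. The function names, the dst_port extension and the sample values are assumptions of this example; validate_with_stix2 only does anything if stix2 happens to be installed, and it uses stix2.v20.Indicator exactly as the thread does.

```python
"""Build a STIX 2.0 indicator pattern from network-traffic properties.

Added illustration: re-implements in plain Python what the stix2 pattern
classes (ObjectPath, EqualityComparisonExpression, AndBooleanExpression)
emit, so it needs no third-party package. Function names and the dst_port
extension are this example's own, not the library's API.
"""
import re
from typing import Sequence, Union

Scalar = Union[str, int, bool]


def quote(value: Scalar) -> str:
    """Render a constant in STIX pattern syntax.

    Strings are single-quoted; backslash and single quote inside the string
    are backslash-escaped, so a value copied from observed traffic cannot
    terminate the constant early and alter what the pattern matches.
    """
    if isinstance(value, bool):  # check bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def comparison(object_type: str, path: Sequence[str], value) -> str:
    """One comparison expression: <type>:<path> = <constant>.

    A list value becomes an IN comparison, mirroring what the library emits
    when an equality comparison is handed a list (see the answer's output).
    """
    lhs = object_type + ":" + ".".join(path)
    if isinstance(value, (list, tuple)):
        return lhs + " IN (" + ", ".join(quote(v) for v in value) + ")"
    return lhs + " = " + quote(value)


def network_traffic_pattern(src_value=None, dst_value=None,
                            protocols=None, dst_port=None) -> str:
    """Observation expression for a network-traffic object.

    Every supplied property becomes one comparison; they are AND-ed inside a
    single pair of brackets, so all must hold on the same observed object.
    """
    parts = []
    if src_value is not None:
        parts.append(comparison("network-traffic", ["src_ref", "value"], src_value))
    if dst_value is not None:
        parts.append(comparison("network-traffic", ["dst_ref", "value"], dst_value))
    if protocols:
        parts.append(comparison("network-traffic", ["protocols"], list(protocols)))
    if dst_port is not None:
        parts.append(comparison("network-traffic", ["dst_port"], int(dst_port)))
    if not parts:
        # A bare observable (the issue's mistake) is not a pattern; refuse it.
        raise ValueError("a pattern needs at least one comparison expression")
    return "[" + " AND ".join(parts) + "]"


# '[' then an object type, ':', a property path, a space, anything, ']'
_PATTERN_SHAPE = re.compile(r"\[[a-z0-9-]+:[A-Za-z0-9_.]+ .*\]")


def looks_like_pattern(pattern: str) -> bool:
    """Structural check that catches the issue's mistake: a serialised
    observable starts with '[{', a pattern starts with '[' and an object
    path. This is not a grammar check; use the library for that."""
    return _PATTERN_SHAPE.fullmatch(pattern) is not None


def validate_with_stix2(pattern: str):
    """Run the pattern through the library's grammar check if stix2 is
    installed (constructing an Indicator does that, as the issue shows).
    Returns True or False, or None when stix2 is not available."""
    try:
        import stix2
    except ImportError:
        return None
    try:
        stix2.v20.Indicator(labels=["malicious-activity"], pattern=pattern)
        return True
    except Exception:  # stix2.exceptions.InvalidValueError for a bad pattern
        return False


if __name__ == "__main__":
    # Constructed sample values (same addresses as the thread)
    p = network_traffic_pattern("192.168.0.76", "192.168.0.54", ["ipv4", "udp"])
    print(p)
    print("shape ok:", looks_like_pattern(p), "stix2:", validate_with_stix2(p))
```

The returned string is what goes into the pattern= argument of stix2.v20.Indicator; with the thread's addresses and protocols it is character for character the pattern shown in the answer above.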

c52-k commented 4 years ago

Thanks for the clarification! I understand the concept now. You have to construct the pattern based on the properties that need to be matched when matching 2 indicators.

clenk commented 4 years ago

Closing this as it seems this addressed the problem, but feel free to open another issue if you run into any other problems.