oasis-open / cti-stix-slider

OASIS TC Open Repository: The repository cti-stix-slider supports development of a Python application to convert STIX 2.0 content to STIX 1.x content
https://cti-stix-slider.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License

Issue with an indicator which contains an ipv4-addr and email-addr property. #52

Closed stmtstk closed 3 years ago

stmtstk commented 4 years ago

I found that an indicator which contains "ipv4-addr" pattern strings was skipped when sliding.

            "pattern": "[ipv4-addr:value = '8.8.8.8']",

I checked the sources, and it seems that there is something wrong in stix2slider/convert_pattern.py

Line 143:

    def toSTIX1x(self, id2x, existing_obj=None):
        if not existing_obj:
            cyboxClassConstructor = map_extensions_to_cybox_class(self.determine_expression_type())
            existing_obj = cyboxClassConstructor()

map_extensions_to_cybox_class returns cybox.objects.address_object.Address. However, cyboxClassConstructor() returns None. I think that the Address constructor should be called with an indicator value, like this.

    # return None
    obj_ = Address()
    # return some instance
    obj_ = Address('8.8.8.8')

I have also failed to slide if a pattern string contains email-addr:value.

    "pattern": "[email-addr:value = 'test@test.net']",

I guess that we should append an "email-addr": EmailAddress element to _CYBOX_OBJECT_MAP.

Thanks!

rpiazza commented 4 years ago

@stmtstk - good catch - email-addr was missing from _CYBOX_OBJECT_MAP.

I tested it with this pattern:

    "pattern": "[ipv4-addr:value = '10.0.0.0'] AND [email-addr:value = 'fred@bedrock.gov']"

However, I didn't see any issues with the pattern:

    "pattern": "[ipv4-addr:value = '10.0.0.0']"

Can you send me the STIX 2.1 file that was causing that problem?
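A pre-flight check for the failure mode discussed in this thread, where an indicator is skipped because its pattern uses an object type that has no mapping entry. This is an added example, not code from the thread or from stix2slider: `SUPPORTED_TYPES`, the function names and the sample bundle are constructed, and the set is a stand-in, not the project's actual `_CYBOX_OBJECT_MAP`.

```python
import re

# Assumption: stand-in for the converter's type map, NOT the real
# _CYBOX_OBJECT_MAP. "email-addr" is left out to reproduce the reported gap.
SUPPORTED_TYPES = {"ipv4-addr", "ipv6-addr", "domain-name", "file", "url"}

# String literals are blanked first so a ':' inside a value (URLs, timestamps)
# is never mistaken for the separator in "<object-type>:<property>".
_STRING = re.compile(r"'(?:\\.|[^'\\])*'")
_OBJ_TYPE = re.compile(r"(?<![\w-])([a-z][a-z0-9-]*):")

def pattern_object_types(pattern):
    """Return the set of object types referenced by a STIX 2 pattern string."""
    return set(_OBJ_TYPE.findall(_STRING.sub("''", pattern)))

def unsupported_indicators(bundle, supported=SUPPORTED_TYPES):
    """Map indicator id -> sorted object types that have no mapping entry."""
    report = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        missing = pattern_object_types(obj.get("pattern", "")) - set(supported)
        if missing:
            report[obj["id"]] = sorted(missing)
    return report

# Constructed sample bundle; ids are placeholders, patterns follow the thread.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '8.8.8.8']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '10.0.0.0'] AND "
                    "[email-addr:value = 'fred@bedrock.gov']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[url:value = 'http://example.test/a:b']"},
    ],
}

if __name__ == "__main__":
    # Report every indicator the stand-in map could not convert.
    for ind_id, types in unsupported_indicators(SAMPLE_BUNDLE).items():
        print(f"{ind_id}: no mapping for {', '.join(types)}")
```

Running a check like this before conversion and comparing indicator counts afterwards makes a dropped indicator visible instead of silently missing from the STIX 1.x output.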

stmtstk commented 4 years ago

@rpiazza

Thank you for your kind reply.

I tried to slide an indicator with ipv4-addr again and I confirmed that ipv4-addr was converted to STIX 1.x successfully. It seems that I missed the ipv4-addr indicator in STIX 1.x. I apologize.

However, it still fails for email-addr.

rpiazza commented 4 years ago

I will be pushing the fix soon.

thamamo commented 3 years ago

Hello @rpiazza,

I also ran into an error with ipv4-addr:value.

    AttributeError: 'EqualityComparisonExpressionForSlider' object has no attribute 'root_type'

I want to convert the STIX 2.1 Indicator to STIX 1.1.1.

I attach the STIX 2.1 data and the pip freeze results. datas.zip

Could you please tell me what's wrong?

Best regards, thamamo

rpiazza commented 3 years ago

@thamamo

When I ran it in my environment I was able to generate STIX 1.1.1 with no problems.

Can you perhaps include some extra info - like a stack trace?

thamamo commented 3 years ago

Hello @rpiazza,

Thank you for your reply.

I attach the stack trace information.

stacktrace.zip

Best Regards, thamamo

rpiazza commented 3 years ago

Hi @thamamo,

I realized that the current published version of the slider is out of date. A new version will be out soon after the latest version of python-stix2 is released. As a stop-gap measure, you could go to GitHub and get the latest version.

https://github.com/oasis-open/cti-stix-slider

thamamo commented 3 years ago

Hi @rpiazza,

I installed the latest version from Git and it worked fine.

Thank you for your kind and quick support.

Thanks and Regards, thamamo