oasis-open / cti-stix-slider

OASIS TC Open Repository: The repository cti-stix-slider supports development of a Python application to convert STIX 2.0 content to STIX 1.x content
https://cti-stix-slider.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License

Stix1.x conversion: missing type="URL" for indicator #65

Closed aryabharat closed 8 months ago

aryabharat commented 9 months ago

For a given STIX 2.1 bundle, upon converting it to STIX 1.x, the final XML is missing type="URL" in the cybox:Properties element. This is observed in the case of an indicator with a URL.

Example:

```json
{
  "type": "bundle",
  "id": "bundle--a9d9a0c5-8e15-42b8-9795-45f32a003161",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:AMBER",
      "definition": { "tlp": "amber" }
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9ca508e-3b75-4d25-955a-e3f150974691",
      "created": "2024-01-10T22:08:13.811Z",
      "modified": "2024-01-10T22:08:14.811Z",
      "name": "aklab3.com/favicon.ico",
      "indicator_types": [ "anomalous-activity" ],
      "pattern": "[url:value = 'aklab3.com/favicon.ico']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "valid_from": "2024-01-10T22:08:10.07Z",
      "valid_until": "2024-01-17T22:08:10.07Z",
      "labels": [
        "Recently Reported Spam or Unwanted Content",
        "Recently Detected Malware Distribution",
        "Historically Reported Spam or Unwanted Content",
        "Historically Detected Malware Distribution"
      ],
      "confidence": 65,
      "object_marking_refs": [ "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" ],
      "x_ctix_confidence_score": 25
    }
  ]
}
```

After converting it using stix2slider, the output is:

```xml
<stix:STIX_Package
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:example="http://example.com"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="bundle--a9d9a0c5-8e15-42b8-9795-45f32a003161" version="1.2">
    <stix:STIX_Header>
        <stix:Handling>
            <marking:Marking>
                <marking:Marking_Structure id="example:markingstructure-f88d31f6-486f-44da-b317-01333bde0b82" xsi:type='tlpMarking:TLPMarkingStructureType' color="AMBER"/>
            </marking:Marking>
        </stix:Handling>
    </stix:STIX_Header>
    <stix:Indicators>
        <stix:Indicator id="example:indicator-f9ca508e-3b75-4d25-955a-e3f150974691" timestamp="2024-01-10T22:08:14.811000+00:00" xsi:type='indicator:IndicatorType' version="2.2">
            <indicator:Title>aklab3.com/favicon.ico</indicator:Title>
            <indicator:Type>anomalous-activity</indicator:Type>
            <indicator:Valid_Time_Position>
                <indicator:Start_Time precision="second">2024-01-10T22:08:10.070000+00:00</indicator:Start_Time>
                <indicator:End_Time precision="second">2024-01-17T22:08:10.070000+00:00</indicator:End_Time>
            </indicator:Valid_Time_Position>
            <indicator:Observable id="example:Observable-b6adb005-791f-4107-b2bc-caaf5a6fbc59">
                <cybox:Keywords>
                    <cybox:Keyword>Recently Reported Spam or Unwanted Content</cybox:Keyword>
                    <cybox:Keyword>Recently Detected Malware Distribution</cybox:Keyword>
                    <cybox:Keyword>Historically Reported Spam or Unwanted Content</cybox:Keyword>
                    <cybox:Keyword>Historically Detected Malware Distribution</cybox:Keyword>
                </cybox:Keywords>
                <cybox:Object id="example:URI-22e7239a-31a7-4d29-8b1a-8c54cc7f51ca">
                    <cybox:Properties xsi:type="URIObj:URIObjectType">
                        <cyboxCommon:Custom_Properties>
                            <cyboxCommon:Property name="x_ctix_confidence_score">25</cyboxCommon:Property>
                        </cyboxCommon:Custom_Properties>
                        <URIObj:Value condition="Equals">aklab3.com/favicon.ico</URIObj:Value>
                    </cybox:Properties>
                </cybox:Object>
            </indicator:Observable>
            <indicator:Handling>
                <marking:Marking>
                    <marking:Controlled_Structure>../../../descendant-or-self::node() | ../../../descendant-or-self::node()/@*</marking:Controlled_Structure>
                    <marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="AMBER"/>
                </marking:Marking>
            </indicator:Handling>
            <indicator:Confidence timestamp="2024-01-12T13:23:28.957386+00:00">
                <stixCommon:Value>Medium</stixCommon:Value>
            </indicator:Confidence>
        </stix:Indicator>
    </stix:Indicators>
</stix:STIX_Package>
```

rpiazza commented 9 months ago

Hi @aryabharat,

I wrote the slider years ago, and haven't used STIX 1 in ages, so in order to help you, can you send me what you think the "correct" XML would be? Why isn't this what you want?

aryabharat commented 9 months ago

type="URL"

Hi @rpiazza, thanks for the quick response:

The response should contain a property type in the cyboxCommon:Property field. In the given case:

Type is an optional field according to the STIX documentation, so I need a way to add this field. I am getting type in the case of an indicator of domain type.

aryabharat commented 9 months ago

Hi @rpiazza, created a PR for the same, please check: https://github.com/oasis-open/cti-stix-slider/pull/66

rpiazza commented 9 months ago

@aryabharat - I've looked into this. It does appear to be necessary, but I'm not sure why. Do you have any insight? What doesn't work if you don't have type="URL"?

aryabharat commented 9 months ago

@rpiazza So type is an optional field in STIX 1.x cybox:Properties. The issue we faced was while being polled by a QRadar server: the URL indicators were not getting passed if they didn't have a type in the cybox:Properties field in the case of 1.x polling.
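As an added example (not code from the slider or from this thread), a small post-processing check a consumer can run over slider output before handing it to a TAXII 1.x poller: it flags URI observables whose cybox:Properties lacks the optional type attribute and adds type="URL". It uses only the standard-library ElementTree and a constructed fragment of the Observable quoted above; the function names are mine.

```python
"""Flag and repair URIObjectType Properties that lack the optional type
attribute in STIX 1.x XML produced by stix2slider.  Added example; not
part of the slider."""
import xml.etree.ElementTree as ET

CYBOX = "http://cybox.mitre.org/cybox-2"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
URIOBJ = "http://cybox.mitre.org/objects#URIObject-2"

# Keep the slider's prefixes when re-serialising (otherwise ET emits ns0, ns1, ...).
for _prefix, _uri in {"cybox": CYBOX, "xsi": XSI, "URIObj": URIOBJ}.items():
    ET.register_namespace(_prefix, _uri)


def _is_untyped_uri(props):
    """True for <cybox:Properties xsi:type="URIObj:URIObjectType"> without type=."""
    return (props.get(f"{{{XSI}}}type") == "URIObj:URIObjectType"
            and "type" not in props.attrib)


def untyped_uri_objects(xml_text):
    """Return the ids of cybox:Object elements whose URI Properties carry no type."""
    root = ET.fromstring(xml_text)
    missing = []
    for obj in root.iter(f"{{{CYBOX}}}Object"):
        props = obj.find(f"{{{CYBOX}}}Properties")
        if props is not None and _is_untyped_uri(props):
            missing.append(obj.get("id"))
    return missing


def add_url_type(xml_text):
    """Return (fixed_xml, count): type="URL" added to every untyped URI Properties."""
    root = ET.fromstring(xml_text)
    count = 0
    for props in root.iter(f"{{{CYBOX}}}Properties"):
        if _is_untyped_uri(props):
            props.set("type", "URL")
            count += 1
    return ET.tostring(root, encoding="unicode"), count


# Constructed sample: the Observable from the issue, trimmed to the relevant elements.
SAMPLE = f"""<cybox:Observable xmlns:cybox="{CYBOX}" xmlns:xsi="{XSI}" xmlns:URIObj="{URIOBJ}"
    id="example:Observable-b6adb005-791f-4107-b2bc-caaf5a6fbc59">
  <cybox:Object id="example:URI-22e7239a-31a7-4d29-8b1a-8c54cc7f51ca">
    <cybox:Properties xsi:type="URIObj:URIObjectType">
      <URIObj:Value condition="Equals">aklab3.com/favicon.ico</URIObj:Value>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>"""
```

Running `untyped_uri_objects(SAMPLE)` reports the one URI object above; `add_url_type(SAMPLE)` returns the repaired XML and a count of 1, and the check then comes back empty.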

rpiazza commented 9 months ago

Can you sign the CLA?

aryabharat commented 9 months ago

@rpiazza Already signed. Please let me know if something else is needed.

rpiazza commented 9 months ago

Please look at https://github.com/oasis-open/cti-stix-slider/pull/66. It doesn't appear to be signed...

aryabharat commented 9 months ago

@rpiazza The CLA is signed.