stixproject / openioc-to-stix Goto Github PK

Wondering if the opposite is possible ?

Currently, this utility only handles OpenIOC v1.0 documents. We should add support for the newer version, OpenIOC v1.1.

Currently the OpenIOC -> CybOX translation code uses the python-cybox bindings rather than its APIs. We should update this to natively use the APIs, which should also fix some issues with IDs not being automatically generated, etc.

Hello,

The script as is does not work (both openioc-to-stix and openioc-to-cybox), they return the following error:
Traceback (most recent call last):
File "openioc-to-stix.py", line 106, in
main()
File "openioc-to-stix.py", line 85, in main
stix.utils.set_id_namespace(ns)
AttributeError: 'module' object has no attribute 'set_id_namespace'

If you fix the namespace error, you then get the following error:

TypeError: Indicators must be a <class 'stix.core.Indicators'>, not a <type 'list'>

Would be nice if this was published to the python package server.

We should expand the OpenIOC to STIX utility with modes to allow for the capture of the input OpenIOC document as a test mechanism.

[From STIXProject/Tools#18]

While attempting to parse https://raw.githubusercontent.com/fireeye/iocs/master/FIN4/fb0699e2-23a6-40f9-bf96-4514d629eec3.ioc

I receive a traceback stack of

Traceback (most recent call last):
  File "openioc_to_stix.py", line 55, in main
    observables_cls = Observables.from_obj(observables_obj)
  File "/usr/local/lib/python2.7/dist-packages/cybox/core/observable.py", line 326, in from_obj
    obs.add(Observable.from_obj(o))
  File "/usr/local/lib/python2.7/dist-packages/cybox/core/observable.py", line 214, in from_obj
    obs.observable_composition = ObservableComposition.from_obj(observable_obj.Observable_Composition)
  File "/usr/local/lib/python2.7/dist-packages/cybox/core/observable.py", line 411, in from_obj
    obs_comp.add(Observable.from_obj(o))
  File "/usr/local/lib/python2.7/dist-packages/cybox/core/observable.py", line 212, in from_obj
    obs.object_ = Object.from_obj(observable_obj.Object)
  File "/usr/local/lib/python2.7/dist-packages/cybox/core/object.py", line 130, in from_obj
    obj.properties = ObjectProperties.from_obj(object_obj.Properties)
  File "/usr/local/lib/python2.7/dist-packages/cybox/common/object_properties.py", line 158, in from_obj
    defobj = klass.from_obj(defobj_obj)
  File "/usr/local/lib/python2.7/dist-packages/cybox/common/object_properties.py", line 145, in from_obj
    return super(ObjectProperties, cls()).from_obj(defobj_obj)
  File "/usr/local/lib/python2.7/dist-packages/cybox/__init__.py", line 189, in from_obj
    val = getattr(cls_obj, field.name)
AttributeError: 'DNSRecordObjectType' object has no attribute 'DNS_Cache_Entry'

regards
Alec

Related to line 247 in objectify.py,
email.add_related(attachment) should include the relationship type. Worked around this by changing that like to email.add_related(attachment, "Related_To")

openioc-to-stix still depends on the older python-stix v1.0.1.x and python-cybox v2.0.1.x libraries.

It looks like ServiceItem/descriptiveName maps to the Display_Name inside of the Windows Service Object, yet we currently mark it as unsupported. We should fix this and support for it.

OpenIOC to STIX/OpenIOC to CybOX doesn't seem to translation of range-based indicators properly, like in the following example:

          <IndicatorItem id="4a52cb2b-9c78-4ac0-8b97-cc054a54a3f0" condition="is">
            <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" />
            <Content type="int">145900 TO 146000</Content>
          </IndicatorItem>

We should look into this and fix it.

[From STIXProject/Tools#21]