
Bug: converter fails to convert STIX directory object required and optional fields

Open kwr2 opened this issue 2 years ago • 0 comments

MISP-STIX usage

Using the misp_stix_converter script to import STIX into MISP

Expected behavior

The converter was expected to generate a MISP file with the information from the STIX file. The data elements in the STIX file are not represented in the MISP file.

If the converter failed to process part or all of the file, then in normal mode we expected to see a warning about that instead of simply seeing a message about the successful conversion of the file.

Actual behavior

The conversion of a STIX file reported that it successfully processed the file and gave no warnings or indications that the data from the file had not been successfully processed. The file generated had none of the data items from the directory object that was in the STIX file.

When run in normal mode, no error or warning is provided and successful conversion is reported. See console output below:

The output of the converter is the following:

Successfully processed your file. Results available in:

  • misp-output/misp_183_from_directory_d.20240131_091545.json

And the resultant file contained the following contents (which did not include the path or the timestamps from the STIX file):

The resulting MISP output has no information about the directory. See the MISP provided as output below:

    {
        "uuid": "fecaf84a-9648-4628-8e75-7ae4e713b3d1",
        "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
        "distribution": "0",
        "published": false
    }

When run with the debug flag the following error is displayed:

Errors encountered during the STIX to MISP conversion process:

  • bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1
    • Error parsing the Observable object with id directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c:
        File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
          getattr(self.observable_object_parser, to_call)(object_id)
        File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 126, in _parse_directory_observable_object
          attributes = tuple(self._parse_directory_observable(directory))
        File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_converter.py", line 550, in _parse_directory_observable
          yield from self._populate_object_attributes(
        File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2converter.py", line 117, in _populate_object_attributes
          reference = f"{object_id} - {mapping['object_relation']}"
        'object_relation'

Steps to reproduce

misp_stix_converter import --version 2 -f ./stix-input/small_stix_directory.json --output_name ./misp-output/misp_from_small_stix_directory.json

where small_stix_directory.json contains the following:

    {
        "type": "bundle",
        "id": "bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1",
        "objects": [
            {
                "type": "directory",
                "spec_version": "2.1",
                "path": "/policy/drop.pdf",
                "path_enc": "character",
                "ctime": "2021-07-17T05:07:53Z",
                "mtime": "2020-03-21T20:27:06Z",
                "atime": "2020-12-06T13:53:21Z",
                "id": "directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c",
                "object_marking_refs": [
                    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
                ]
            },
            {
                "type": "marking-definition",
                "spec_version": "2.1",
                "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "created": "2017-01-20T00:00:00.000Z",
                "definition_type": "tlp",
                "name": "TLP:WHITE",
                "definition": {
                    "tlp": "white"
                }
            }
        ]
    }

Version

2.4.183

Python version

3.9.9

Relevant log output

When run in normal mode, no error or warning is provided and successful conversion is reported.  See console output below: 
Successfully processed your file. Results available in:
 - misp-output/misp_183_from_directory_d.20240131_091545.json



When run with the debug flag the following error is displayed: 

Errors encountered during the STIX to MISP conversion process:
 - bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1
   - Error parsing the Observable object with id directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c:   File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
    getattr(self.observable_object_parser, to_call)(object_id)
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 126, in _parse_directory_observable_object
    attributes = tuple(self._parse_directory_observable(directory))
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_converter.py", line 550, in _parse_directory_observable
    yield from self._populate_object_attributes(
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2converter.py", line 117, in _populate_object_attributes
    reference = f"{object_id} - {mapping['object_relation']}"
'object_relation'

Extra attachments

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

kwr2 avatar Feb 02 '24 20:02 kwr2
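
A post-conversion check for the silent failure reported in this issue, as an added example that is not part of the original report or the misp-stix code base: it compares the string values of each STIX object with everything in the converter's JSON output and lists what was dropped. The function names, `STRUCTURAL_KEYS` and `SKIPPED_TYPES` are assumptions of this sketch; the sample data is constructed from the bundle and output quoted above.

```python
import json

# Constructed sample: the bundle and converter output quoted in the issue,
# with the marking-definition object and its reference omitted for brevity.
STIX_BUNDLE = json.loads("""{
  "type": "bundle", "id": "bundle--fecaf84a-9648-4628-8e75-7ae4e713b3d1",
  "objects": [{
    "type": "directory", "spec_version": "2.1",
    "path": "/policy/drop.pdf", "path_enc": "character",
    "ctime": "2021-07-17T05:07:53Z", "mtime": "2020-03-21T20:27:06Z",
    "atime": "2020-12-06T13:53:21Z",
    "id": "directory--92b0db6d-c396-4dfd-a6e1-5a0aef1e615c"}]
}""")
MISP_OUTPUT = json.loads("""{
  "uuid": "fecaf84a-9648-4628-8e75-7ae4e713b3d1",
  "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
  "distribution": "0", "published": false}""")

# Assumption of this check: these keys and types are bookkeeping, not data.
STRUCTURAL_KEYS = {"type", "id", "spec_version", "object_marking_refs"}
SKIPPED_TYPES = {"marking-definition"}

def leaf_strings(node):
    """Yield every string value found anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from leaf_strings(child)

def find_dropped_properties(bundle, misp_event):
    """Map each STIX object id to the properties absent from the MISP output."""
    present = set(leaf_strings(misp_event))
    dropped = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") in SKIPPED_TYPES:
            continue
        missing = sorted(
            key for key, value in obj.items()
            if key not in STRUCTURAL_KEYS
            and isinstance(value, str) and value not in present)
        if missing:
            dropped[obj["id"]] = missing
    return dropped

if __name__ == "__main__":
    for oid, props in find_dropped_properties(STIX_BUNDLE, MISP_OUTPUT).items():
        print(f"WARNING {oid}: not in MISP output: {', '.join(props)}")
```

The match is on exact string values, so a converter that rewrites timestamp formats will also be reported; treat a hit as a prompt to inspect the output rather than proof of loss.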