Bug: Stix2.1 to misp conversion #60

Open
1 task done
aryabharat opened this issue Feb 1, 2024 · 0 comments
Labels
bug Something isn't working

MISP-STIX usage

No response

Expected behavior

I tried converting a STIX 2.1 bundle of type identity to MISP using misp-stix,
but in the output file I was getting duplicate objects.

Example_stix_2.1:

```json
{
  "type": "bundle",
  "id": "bundle--5d9692b0-842d-44a3-91ae-438c4db78e45",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:WHITE",
      "definition": { "tlp": "white" }
    },
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--c2cc2c57-98f5-4804-9e79-8df735f52921",
      "created": "2024-01-25T10:18:28.125Z",
      "modified": "2024-01-25T10:18:29.125Z",
      "name": "Industrial",
      "identity_class": "unknown",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
      ]
    }
  ]
}
```

The output was:
```json
{
  "uuid": "5d9692b0-842d-44a3-91ae-438c4db78e45",
  "Object": [
    {
      "name": "identity",
      "meta-category": "misc",
      "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990",
      "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)",
      "template_version": "1",
      "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921",
      "Attribute": [
        {
          "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "name",
          "value": "Industrial",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        },
        {
          "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "identity_class",
          "value": "unknown",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        }
      ],
      "distribution": "5",
      "sharing_group_id": "0",
      "timestamp": "1706177909"
    },
    {
      "name": "identity",
      "meta-category": "misc",
      "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990",
      "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)",
      "template_version": "1",
      "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921",
      "Attribute": [
        {
          "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "name",
          "value": "Industrial",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        },
        {
          "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "identity_class",
          "value": "unknown",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        }
      ],
      "distribution": "5",
      "sharing_group_id": "0",
      "timestamp": "1706177909"
    }
  ],
  "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
  "distribution": "0",
  "published": false
}
```

As we can see, we have a duplicate value in the objects field.

Code:

```python
from misp_stix_converter import stix_2_to_misp

file_name = "./bundle.json"

stix_2_to_misp(file_name)
```

Actual behavior

It should create one single file with one object, like this:

```json
{
  "uuid": "5d9692b0-842d-44a3-91ae-438c4db78e45",
  "Object": [
    {
      "name": "identity",
      "meta-category": "misc",
      "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990",
      "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)",
      "template_version": "1",
      "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921",
      "Attribute": [
        {
          "uuid": "a5a0e267-ac5c-5354-adbb-2fc9b731c309",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "name",
          "value": "Industrial",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        },
        {
          "uuid": "dc804726-5ac3-5174-a2da-ba5e55013120",
          "Tag": [ { "name": "tlp:white" } ],
          "object_relation": "identity_class",
          "value": "unknown",
          "type": "text",
          "disable_correlation": false,
          "to_ids": false,
          "category": "Other"
        }
      ],
      "distribution": "5",
      "sharing_group_id": "0",
      "timestamp": "1706177909"
    }
  ],
  "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
  "distribution": "0",
  "published": false
}
```

Steps to reproduce

```python
from misp_stix_converter import stix_2_to_misp

file_name = "./bundle.json"

stix_2_to_misp(file_name)
```

Version

2.4.183

Python version

3.10

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@aryabharat aryabharat added the bug Something isn't working label Feb 1, 2024
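
A check for the symptom reported above, as an added example that is not part of the original issue or of misp-stix: it scans a converted MISP event for objects repeated under the same UUID before the event is pushed to a MISP instance. The function name `dedupe_objects` is hypothetical, the sample event is constructed from the issue's output and trimmed, and the event is assumed to be already loaded as a Python dict.

```python
import json

# Constructed sample: shaped like the output in the issue, trimmed to the
# fields the check needs (uuid, name, Attribute).
SAMPLE_EVENT = {
    "uuid": "5d9692b0-842d-44a3-91ae-438c4db78e45",
    "Object": [
        {"name": "identity", "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921",
         "Attribute": [{"object_relation": "name", "value": "Industrial"}]},
        {"name": "identity", "uuid": "c2cc2c57-98f5-4804-9e79-8df735f52921",
         "Attribute": [{"object_relation": "name", "value": "Industrial"}]},
    ],
}


def _canonical(obj):
    """Stable serialisation so two objects can be compared by content."""
    return json.dumps(obj, sort_keys=True)


def dedupe_objects(event):
    """Hypothetical helper. Returns (clean_event, exact_duplicates, conflicts).

    exact_duplicates: UUIDs seen more than once with identical content;
    the repeats are dropped.
    conflicts: UUIDs seen more than once with differing content; every
    variant is kept for manual review instead of being silently dropped.
    """
    seen = {}                      # uuid -> set of canonical forms
    kept, exact, conflicts = [], [], []
    for obj in event.get("Object", []):
        uuid, form = obj.get("uuid"), _canonical(obj)
        if uuid is None:           # nothing to key on, keep untouched
            kept.append(obj)
            continue
        forms = seen.setdefault(uuid, set())
        if form in forms:          # byte-for-byte repeat, as in the issue
            if uuid not in exact:
                exact.append(uuid)
            continue
        if forms and uuid not in conflicts:
            conflicts.append(uuid)  # same UUID, different content
        forms.add(form)
        kept.append(obj)
    # Shallow copy: the input event is left unmodified.
    return dict(event, Object=kept), exact, conflicts
```

A non-empty `conflicts` list means the UUID collision is not a plain repeat and the objects should be inspected by hand.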