Merge pull request #247 from oasis-open/issue-246
Fixes to issues 246, 248
emmanvg authored Feb 25, 2021
2 parents 943e8fc + 78b2bcb commit 5f0b91e
Showing 141 changed files with 72,861 additions and 766 deletions.
45 changes: 27 additions & 18 deletions docs/warnings.rst
Expand Up @@ -9,23 +9,26 @@ When the elevator makes an assumption during the conversion of some content, or
General
---------------

=============================================================================================================== ==== =====
Message Code Level
=============================================================================================================== ==== =====
Results produced by the stix2-elevator may generate warning messages which should be investigated 201 warn
Observable Expressions should not contain placeholders 202 error
Placeholder *[id]* should be resolved 203 error
Found definition for *[id]* 204 info
At least one PLACEHOLDER idref was not resolved in *[id]* 205 error
At least one observable could not be converted in *[id]* 206 error
Options not initialized 207 error
EMPTY BUNDLE -- No objects created from 1.x input document! 208 warn
Both console and output log have disabled messages. 209 warn
OSError *[message]* 210 error
silent option is not compatible with a policy 211 warn
Created Marking Structure for *[id]* 212 warn
custom_property_prefix is provided, but the missing policy is not 'use-custom-properies'. It will be ignored. 213 warn
=============================================================================================================== ==== =====
================================================================================================================== ==== =====
Message Code Level
================================================================================================================== ==== =====
Results produced by the stix2-elevator may generate warning messages which should be investigated 201 warn
Observable Expressions should not contain placeholders 202 error
Placeholder *[id]* should be resolved 203 error
Found definition for *[id]* 204 info
At least one PLACEHOLDER idref was not resolved in *[id]* 205 error
At least one observable could not be converted in *[id]* 206 error
Options not initialized 207 error
EMPTY BUNDLE -- No objects created from 1.x input document! 208 warn
Both console and output log have disabled messages. 209 warn
OSError *[message]* 210 error
silent option is not compatible with a policy 211 warn
Created Marking Structure for *[id]* 212 warn
custom_property_prefix is provided, but the missing policy is not 'use-custom-properies'. It will be ignored. 213 warn
*[type]* option was not given, but it defaults to true for version 2.1" 214 warn
Custom properties/objects/extensions are deprecated in version 2.1. Suggest using 'use-extensions' instead 215 warn
The missing policy option of 'use-extensions' cannot be used with version 2.0. 'use-custom-properies' is suggested 216 error
================================================================================================================== ==== =====


Handle STIX 1.x Content not supported in STIX 2.x
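Review bot: the new row for code 214 ends with a stray double quote (`defaults to true for version 2.1"`), and rows 213 and 216 spell the policy value as 'use-custom-properies'. Users copy that value straight into the missing-policy option, so it should read 'use-custom-properties'; if these rows mirror the message strings in the code, fix the strings there in the same change so the CLI and the docs agree.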
Expand All @@ -42,6 +45,12 @@ Appended ``Statement`` type content to description of *[id]*
Appended ``Tool`` type content to description of *[id]* 306 warn
Missing property *[property_name]* of *[id]* is ignored 307 warn
Used custom property for *[property_name]* of *[id]* 308 warn
Missing property *[property_name]* of *[id]* is ignored, because there is no description property 309 warn
The Short_Description property in *[id]* is not supported in STIX 2.x. 310 warn
Used an extension for objective of *[id]* 311 warn
No extension-definition was found for STIX 1 type *[type]* in *[id]* 312 warn
Used extension property for *[property_name]* of *[id]* 313 warn
Missing property *[property_name]* of *[id]* is ignored, because it can't be represented in an extension 314 warn
============================================================================================================================== ==== =====


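Review bot: message 310 ends with a period while no other message in this table does; drop it, since these strings are what people grep for in logs. Codes 309 and 314 both open with the same text as 307 ('Missing property *[property_name]* of *[id]* is ignored'), which makes the three hard to tell apart when only the message is visible; consider leading with the reason instead (for example 'No description property: missing property ... is ignored') so each stays grep-distinct.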
Expand Down Expand Up @@ -146,7 +155,7 @@ Unable to determine the STIX 2.x type for *[id]*, which is malformed
Multiple administrative areas with multiple countries in *[id]* is not handled" 631 warn
Unknown phase_id *[phase_id]* in *[id]* 632 warn
File path directory is empty *[file_path]* 633 warn
Any artifact packaging data on *[id]* is not recoverable 634 warn
Any artifact additional artifact info on *[id]* is not recoverable 634 warn
*[id]* contains a observable composition, which implies it not an observation, but a pattern and needs to be contained within an indicator. 635 warn
Address direction in *[id]* is not provided, using 'src' 636 warn
=========================================================================================================================================== ==== =====
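Review bot: the rewritten message 634 ('Any artifact additional artifact info on *[id]* is not recoverable') repeats 'artifact' and does not parse; suggest 'Additional artifact info on *[id]* is not recoverable'. While in this table, two pre-existing defects in the context lines are worth fixing in the same change: 631 has a stray trailing quote ('...is not handled"'), and 635 reads 'which implies it not an observation' (missing 'is').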
17 changes: 13 additions & 4 deletions idioms-json-2.0-custom/Mandiant_APT1_Report.json
Expand Up @@ -54,7 +54,10 @@
"marking-definition--7dbf637e-40c3-4c7a-8ec9-ce575a5d061d"
],
"type": "identity",
"x_elevator_information_source_role": "Nation-State,Military"
"x_elevator_information_source_roles": [
"Nation-State",
"Military"
]
},
{
"created": "2015-05-15T09:00:00.000Z",
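Review bot: renaming x_elevator_information_source_role to the plural and turning the comma-joined string into a list is a breaking change for anyone already consuming the old custom property; record it in the changelog and in the custom-properties documentation, not only in the fixtures. The same rename appears in the three hunks below and in campaign-v-actors.json. Also confirm the list is built from the individual 1.x role elements rather than by splitting the old string on ',', so a role value that itself contains a comma is not torn in two.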
Expand Down Expand Up @@ -147,7 +150,9 @@
"marking-definition--40983c4a-6b5b-4d8b-8aff-13f0c894ab0f"
],
"type": "identity",
"x_elevator_information_source_role": "Research and Development"
"x_elevator_information_source_roles": [
"Research and Development"
]
},
{
"created": "2015-05-15T09:00:00.000Z",
Expand Down Expand Up @@ -358,7 +363,9 @@
"marking-definition--40983c4a-6b5b-4d8b-8aff-13f0c894ab0f"
],
"type": "identity",
"x_elevator_information_source_role": "Nation-State"
"x_elevator_information_source_roles": [
"Nation-State"
]
},
{
"created": "2015-05-15T09:00:00.000Z",
Expand All @@ -385,7 +392,9 @@
"marking-definition--40983c4a-6b5b-4d8b-8aff-13f0c894ab0f"
],
"type": "identity",
"x_elevator_information_source_role": "State-influenced Commercial Entity"
"x_elevator_information_source_roles": [
"State-influenced Commercial Entity"
]
},
{
"created": "2015-05-15T09:00:00.000Z",
3 changes: 2 additions & 1 deletion idioms-json-2.0-custom/archive-file.json
Expand Up @@ -15,7 +15,8 @@
"contains_refs": [
"1",
"3"
]
],
"version": "1.2"
}
},
"name": "iprip32.zip",
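Review bot: `version` is a legitimate archive-ext property in STIX 2.0, but it was removed from archive-ext in STIX 2.1 (only contains_refs and comment remain), so this field must be emitted on the 2.0 path only. Make sure the 2.1 fixture for the same idiom does not gain it, or the 2.1 output will fail validation.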
40 changes: 36 additions & 4 deletions idioms-json-2.0-custom/campaign-v-actors.json
Expand Up @@ -8,7 +8,9 @@
"modified": "2014-08-08T15:50:10.983Z",
"name": "Victim Targeting: Customer PII and Financial Data",
"type": "identity",
"x_elevator_targeted_information": "Information Assets - Financial Data"
"x_elevator_targeted_information": [
"Information Assets - Financial Data"
]
},
{
"created": "2014-08-08T15:50:10.983Z",
Expand Down Expand Up @@ -42,11 +44,14 @@
"modified": "2014-08-08T15:50:10.983Z",
"name": "Compromise of ATM Machines",
"type": "campaign",
"x_elevator_information_source_role": "Aggregator,Initial Author"
"x_elevator_information_source_roles": [
"Aggregator",
"Initial Author"
]
},
{
"created": "2014-08-08T15:50:10.983Z",
"id": "relationship--fd297788-9c1f-4701-ab1e-9a35f11e6dd9",
"id": "relationship--c6ad8a94-edd3-4625-b5b3-24061c615a4b",
"modified": "2014-08-08T15:50:10.983Z",
"relationship_type": "targets",
"source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
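Review bot: the relationship id changed from relationship--fd297788-... to relationship--c6ad8a94-... with no change to the relationship's content. If the elevator mints relationship ids with a fresh uuid4 on every run, this fixture will churn on each regeneration and the comparison tests must already be ignoring ids; if ids are meant to be stable, the new value needs an explanation. Either way a churned id in a fixture hides whether the object itself actually changed.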
Expand All @@ -55,7 +60,34 @@
},
{
"created": "2014-08-08T15:50:10.983Z",
"id": "relationship--3dcf59c3-30e3-4aa5-9c05-2cbffcee5922",
"id": "relationship--5dcfc21e-c88c-4a3b-b68a-9d207995b0c8",
"modified": "2014-08-08T15:50:10.983Z",
"relationship_type": "attributed-to",
"source_ref": "incident--229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
"target_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
"type": "relationship"
},
{
"created": "2014-08-08T15:50:10.983Z",
"id": "relationship--66602cba-bf53-4d70-a8c3-83f089f6b693",
"modified": "2014-08-08T15:50:10.983Z",
"relationship_type": "attributed-to",
"source_ref": "incident--517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
"target_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
"type": "relationship"
},
{
"created": "2014-08-08T15:50:10.983Z",
"id": "relationship--7611b8f0-5869-495f-9a97-ff5b81d95d03",
"modified": "2014-08-08T15:50:10.983Z",
"relationship_type": "attributed-to",
"source_ref": "incident--7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
"target_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
"type": "relationship"
},
{
"created": "2014-08-08T15:50:10.983Z",
"id": "relationship--6a592f33-f088-4211-860a-9121bd5059b6",
"modified": "2014-08-08T15:50:10.983Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
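Review bot: the three new attributed-to relationships use source_ref values prefixed 'incident--' (e.g. 'incident--229ab6ba-0eb2-415b-bdf2-079e6b42f51e'), yet in incident-malware.json in this same commit the incident is emitted as a custom object whose id starts with 'x-elevator-incident--'. A relationship's source_ref must equal the id of an object in the bundle and the prefix must match that object's type, so either the incident objects in this file carry 'incident--' ids (which is not a STIX 2.0 type) or these refs dangle. Please check which it is and align the two fixtures.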
33 changes: 33 additions & 0 deletions idioms-json-2.0-custom/email-links-pattern.json
@@ -0,0 +1,33 @@
{
"id": "bundle--7d188f68-9b6d-40d8-96a6-667ce3677874",
"objects": [
{
"created": "2014-05-08T09:00:00.000Z",
"id": "indicator--53fe3b22-0201-47cf-85d0-97c02164528d",
"labels": [
"ip-watchlist"
],
"modified": "2014-05-08T09:00:00.000Z",
"pattern": "[(email-message:subject = 'Fix The Error On Your Account.' AND email-message:from_ref.value = 'chase@ee.duke.edu' AND email-message:message_id = '201602112058.u1BKfrXh004925@mail-gw-01.oit.duke.edu') AND email-message:additional_header_fields.'X-Mailer' = 'Microsoft Outlook Express 6.00.2800.1437']",
"type": "indicator",
"valid_from": "2014-05-08T09:00:00.000000Z"
},
{
"created": "2020-12-30T15:35:45.081Z",
"first_observed": "2020-12-30T15:35:45.081Z",
"id": "observed-data--6355649f-ad9a-4cc1-8edc-28effcf451c5",
"last_observed": "2020-12-30T15:35:45.081Z",
"modified": "2020-12-30T15:35:45.081Z",
"number_observed": 1,
"objects": {
"0": {
"type": "url",
"value": "http://thereelin.com/mac/htm"
}
},
"type": "observed-data"
}
],
"spec_version": "2.0",
"type": "bundle"
}
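Review bot: the observed-data's created, modified, first_observed and last_observed are all 2020-12-30T15:35:45.081Z, which looks like the wall-clock time of the elevator run rather than anything in the 1.x input (the indicator it accompanies is dated 2014-05-08). A fixture that embeds run time will differ on every regeneration, and for consumers it misstates when the URL was observed; when the 1.x observable has no timestamp of its own, fall back to the parent object's timestamp, or at least document the fallback. The URL object is also emitted with no relationship back to the indicator (for example based-on), so the link the file name refers to is an orphan in the bundle. Minor: the pattern wraps the first three comparisons in redundant parentheses, '[(A AND B AND C) AND D]'.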
3 changes: 2 additions & 1 deletion idioms-json-2.0-custom/icmp_observable.json
Expand Up @@ -13,7 +13,8 @@
"extensions": {
"icmp-ext": {
"icmp_code_hex": "00",
"icmp_type_hex": "08"
"icmp_type_hex": "08",
"x_elevator_checksum": "97c02164528d"
}
},
"type": "network-traffic"
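Review bot: x_elevator_checksum is a custom property placed inside the predefined icmp-ext extension; verify the 2.0 output still parses with the stix2 library (unknown properties inside a predefined extension are rejected unless allow_custom is set) and that the 2.1 path uses its extension mechanism instead of the same x_ property. The value '97c02164528d' is 48 bits wide while an ICMP checksum is 16 bits; if the elevator deliberately passes the 1.x string through unvalidated, say so in the custom-property documentation so the name does not imply a checked value.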
44 changes: 41 additions & 3 deletions idioms-json-2.0-custom/incident-malware.json
@@ -1,18 +1,56 @@
{
"id": "bundle--65184e82-b693-11e3-bfd7-0800271e87d2",
"id": "bundle--65184e82-b693-41e3-bfd7-0800271e87d2",
"objects": [
{
"created": "2014-05-08T09:00:00.000Z",
"id": "malware--6516102d-b693-11e3-bfd7-0800271e87d2",
"id": "identity--6aedbecd-7323-4308-9cac-8fc71b9e10d2",
"identity_class": "unknown",
"modified": "2014-05-08T09:00:00.000Z",
"name": "Fred",
"type": "identity"
},
{
"created": "2014-05-08T09:00:00.000Z",
"id": "identity--f854887d-9e74-4e95-a2a0-f79af678768e",
"identity_class": "unknown",
"modified": "2014-05-08T09:00:00.000Z",
"name": "Barney",
"type": "identity"
},
{
"created": "2014-05-08T09:00:00.000Z",
"id": "x-elevator-incident--1b75ee8f-44d6-819a-d729-09ab52c91fdb",
"modified": "2014-05-08T09:00:00.000Z",
"name": "Detected Poison Ivy beaconing through perimeter firewalls",
"type": "x-elevator-incident",
"x_elevator_contacts": [
"identity--6aedbecd-7323-4308-9cac-8fc71b9e10d2",
"identity--f854887d-9e74-4e95-a2a0-f79af678768e"
],
"x_elevator_status": "New"
},
{
"created": "2014-05-08T09:00:00.000Z",
"id": "malware--6516102d-b693-41e3-bfd7-0800271e87d2",
"labels": [
"remote-access-trojan"
],
"modified": "2014-05-08T09:00:00.000Z",
"name": "Poison Ivy",
"type": "malware",
"x_elevator_title": "Poison Ivy"
},
{
"created": "2014-05-08T09:00:00.000Z",
"description": "Uses Malware",
"id": "relationship--dfc77494-4990-4d86-a4fc-0a20963fe6e2",
"modified": "2014-05-08T09:00:00.000Z",
"relationship_type": "related-to",
"source_ref": "x-elevator-incident--1b75ee8f-44d6-819a-d729-09ab52c91fdb",
"target_ref": "malware--6516102d-b693-41e3-bfd7-0800271e87d2",
"type": "relationship"
}
],
"spec_version": "2.0",
"type": "bundle"
}
}
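Review bot: the bundle and malware ids were corrected from ...-b693-11e3-... to ...-b693-41e3-... so the version nibble reads 4 as STIX 2.0 requires (RFC 4122 version 4 UUIDs), but the new custom object id 'x-elevator-incident--1b75ee8f-44d6-819a-d729-09ab52c91fdb' has '8' in that position and is not a v4 UUID, and the relationship below repeats it in source_ref. Hand-patching the nibble is fine for a fixture, but apply it here too, and consider a small test that checks uuid.UUID(...).version == 4 over every id in the 2.0 fixtures so this cannot regress. Minor: 'x_elevator_title': 'Poison Ivy' duplicates name.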
5 changes: 5 additions & 0 deletions idioms-json-2.0-custom/ioc-indicator.json
Expand Up @@ -10,6 +10,11 @@
"modified": "2020-02-24T16:07:27.201Z",
"name": "Zeus",
"type": "malware",
"x_elevator_other_names": [
"twexts",
"sdra64",
"ntos"
],
"x_elevator_title": "Zeus"
},
{
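Review bot: x_elevator_other_names is acceptable for the 2.0 output, but STIX 2.1 malware has a standard aliases property for exactly this. Make sure the 2.1 path emits aliases rather than the custom property, since the warnings table in this same commit tells users that custom properties are deprecated in 2.1.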
2 changes: 1 addition & 1 deletion idioms-json-2.0-custom/network-socket-pattern.json
Expand Up @@ -9,7 +9,7 @@
],
"modified": "2018-08-03T10:23:55.329Z",
"name": "A Network Socket example",
"pattern": "[network-traffic:extensions.'socket-ext'.address_family = 'AF_INET' AND network-traffic:extensions.'socket-ext'.options.IP_MULTICAST_LOOP = 1 AND network-traffic:extensions.'socket-ext'.x_elevator_local_address = '198.51.100.2' AND network-traffic:protocols[*] = 'TCP']",
"pattern": "[network-traffic:extensions.'socket-ext'.address_family = 'AF_INET' AND network-traffic:extensions.'socket-ext'.options.IP_MULTICAST_LOOP = 1 AND network-traffic:protocols[*] = 'TCP' AND network-traffic:extensions.'socket-ext'.x_elevator_local_address = '198.51.100.2']",
"type": "indicator",
"valid_from": "2018-08-03T10:23:55.330197Z"
}
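Review bot: this hunk only moves the x_elevator_local_address comparison after network-traffic:protocols[*]; AND is commutative, so the pattern's meaning is unchanged and the real change is in the elevator's comparison ordering. Confirm that ordering is deterministic (for instance standard properties first, then custom ones, each in a sorted order) rather than dictionary iteration order, otherwise this fixture will flap between runs.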