STIX 2.x support #2046

Closed
berggren opened this Issue Mar 14, 2017 · 9 comments


@berggren

berggren commented Mar 14, 2017

Does the MISP project have any plans to support the STIX 2.x format for threat intel sharing? The format is backed by OASIS and is a bit simpler to implement, seeing as it is now serialised as JSON instead of XML. No more dependency on XPath etc.

Have you considered using STIX2 instead of the home grown MISP format?

Ref: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit

@iglocska
Member

iglocska commented Mar 14, 2017

As members of the OASIS CTI group, we fully support STIX as an import/export format and will of course support STIX 2 once it is mature enough. We also firmly believe that our simpler, more versatile format is superior for the use-cases that we cover and will as such keep it, along with our ability to rapidly evolve it, as our primary format.

@adulau
Member

adulau commented Mar 14, 2017

Another significant issue for many open source/free software projects with STIX 2 is the current lack of a full-featured STIX library (compared to the current STIX 1.x Python library, which is kind of a reference implementation).

There is an ongoing effort by MITRE called cti-python-stix2, but there is still some work to be done before it reaches a level of usability for export/import. We would be glad if some sponsors would invest some time/resources into improving cti-python-stix2 as a reference implementation.

@berggren
berggren commented Mar 14, 2017

Thanks for the quick reply. I'm planning on supporting STIX 2.x in Timesketch to automatically search for indicators in forensic timelines. It would be really cool to see integration with MISP in this regard as a way to push indicators to Timesketch. STIX2 has nice features like object versioning, identification and revocation etc.

Regarding Python libraries, it is a pretty small spec (the 2.x version, that is, much simpler than before), so there is not much to code up.

Does MISP support TAXII as transport and federation? If it does and it can export to STIX 2.x then we are all good.
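The versioning, identification and revocation semantics mentioned in the comment above, shown as an added, self-contained example written for this page (it is not code from the thread, from MISP, or from the cti-python-stix2 library, and it uses only the Python standard library). It turns a few constructed MISP-style attributes into STIX 2.1 Indicator objects, escapes attribute values before interpolating them into a STIX pattern, produces new versions and a revocation, and resolves the "latest version wins, revocation is terminal" rule on the consumer side. The reuse of the MISP attribute UUID as the indicator UUID and the small MISP-type-to-pattern mapping are assumptions made for the example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: MISP-style attributes (not real threat data).
MISP_ATTRIBUTES = [
    {"uuid": "5e3c4c3e-1a2b-4c3d-8e9f-0a1b2c3d4e5f", "type": "ip-dst", "value": "203.0.113.7"},
    {"uuid": "6f4d5d4f-2b3c-4d4e-9fa0-1b2c3d4e5f60", "type": "domain", "value": "bad.example"},
    {"uuid": "7a5e6e5a-3c4d-4e5f-a0b1-2c3d4e5f6071", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    # Value containing a quote: without escaping it would break (or inject into) the pattern.
    {"uuid": "8b6f7f6b-4d5e-4f60-b1c2-3d4e5f607182", "type": "url", "value": "http://bad.example/it's"},
]

# STIX 2 identifier shape: <object-type>--<UUID>
ID_RE = re.compile(r"^[a-z][a-z0-9-]{0,250}--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Assumed subset mapping of MISP attribute types to STIX patterning object paths.
PATTERN_PATHS = {
    "ip-dst": "ipv4-addr:value",
    "ip-src": "ipv4-addr:value",
    "domain": "domain-name:value",
    "url": "url:value",
    "md5": "file:hashes.MD5",
    "sha256": "file:hashes.'SHA-256'",
}


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 in UTC with millisecond precision and a 'Z' suffix, as STIX 2 requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def escape_pattern_literal(value: str) -> str:
    """Escape backslash and single quote inside a STIX pattern string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def misp_attribute_to_indicator(attr: dict, now: datetime) -> dict:
    """Build a STIX 2.1 Indicator from one MISP attribute (assumption: reuse the attribute UUID)."""
    path = PATTERN_PATHS.get(attr["type"])
    if path is None:
        raise ValueError(f"no pattern mapping for MISP type {attr['type']!r}")
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{attr['uuid']}",  # same attribute re-exported => same id, new version
        "created": ts,
        "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{path} = '{escape_pattern_literal(attr['value'])}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def new_version(obj: dict, now: datetime, **changes) -> dict:
    """New version of an object: same id and created, strictly later modified, updated properties."""
    if obj.get("revoked"):
        raise ValueError("a revoked object must not receive further versions")
    ts = stix_timestamp(now)
    if ts <= obj["modified"]:  # timestamps in this format compare correctly as strings
        raise ValueError("modified must be strictly later than the previous version")
    new = dict(obj)
    new.update(changes)
    new["modified"] = ts
    return new


def revoke(obj: dict, now: datetime) -> dict:
    """Revocation is just a new version with revoked=true; consumers treat it as terminal."""
    return new_version(obj, now, revoked=True)


def resolve_latest(objects: list) -> dict:
    """Consumer side: per id keep the newest version, and ignore anything after a revocation."""
    latest = {}
    for obj in sorted(objects, key=lambda o: (o["id"], o["modified"])):
        if not ID_RE.match(obj["id"]):
            raise ValueError(f"malformed STIX id {obj['id']!r}")
        current = latest.get(obj["id"])
        if current is not None and current.get("revoked"):
            continue  # a version produced after revocation is discarded
        latest[obj["id"]] = obj
    return latest


def bundle(objects: list) -> dict:
    """Wrap objects in a STIX Bundle for transport (e.g. over TAXII)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


if __name__ == "__main__":
    t0 = datetime(2017, 3, 14, 12, 0, tzinfo=timezone.utc)
    indicators = [misp_attribute_to_indicator(a, t0) for a in MISP_ATTRIBUTES]
    renamed = new_version(indicators[1], t0.replace(hour=13), name="sinkholed domain")
    revoked = revoke(indicators[2], t0.replace(hour=14))
    survivors = resolve_latest(indicators + [renamed, revoked])
    print(json.dumps(bundle(survivors.values()), indent=2))
```

Two details worth keeping from the example: the pattern literal escaping, since an attribute value containing `'` or `\` otherwise corrupts the pattern or lets an untrusted feed inject pattern syntax, and the fact that revocation is terminal, so a consumer that simply takes the highest `modified` per id can be made to "un-revoke" an indicator by anyone who can publish a later version.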

@iglocska
Member

iglocska commented Mar 14, 2017

There is a sub-project for TAXII support that you can find here: https://github.com/MISP/MISP-Taxii-Server
However, we're still on STIX 1.1 as no STIX 2.x implementation exists so far. Of course we'll look into migrating to STIX 2.x and TAXII 2.x the moment the specs are stable and a standard implementation exists.

However, I wouldn't call STIX 2.x all that simple, in many ways it is more complex than STIX 1.x was.

@guestdryan
guestdryan commented May 9, 2017

I apologize for chiming in late to this conversation. I see the point regarding the implementation of STIX 2.x; however, I was wondering whether the newer versions of STIX 1.x beyond 1.1.1.4 will be supported? I am highly interested in the export capabilities built into MISP, which include STIX, but would also like to see the usage of DHS Automated Information Sharing or AIS markings.

@iglocska
Member

iglocska commented May 9, 2017

I am sure that the developers of DHS AIS are also eagerly expecting the imminent release of STIX 2.0 and will be making the transition rapidly; I am not sure if building STIX 1.2 support at this point is at all feasible.

Also, we are currently having some mapping deficiencies with STIX, which we hope STIX 2.0 will fix for us (such as allowing taxonomies/tags to be shared via STIX labels with tools such as AIS).

@FloatingGhost
Member

FloatingGhost commented May 9, 2017

Slight correction: our converter defaults to STIX 1.2, but you can also use 1.1.1

STIX 2.x (peace and good recursive data structures be upon it) support will come as and when there's a python impl, which might take several millennia knowing STIX.

So I mean, if you feel like being slightly masochistic, you could export MISP JSON and feed it through the converter for some horrifyingly bad, technically valid STIX.

@guestdryan
guestdryan commented May 9, 2017

Thank you for the responses.

@SteveClement SteveClement added this to To do features in Feature Enhancements via automation Jul 6, 2018

@iglocska
Member

iglocska commented Jul 7, 2018

This is already implemented by @chrisr3d .

@iglocska iglocska closed this Jul 7, 2018
