MAEC import/export (or another format?) #3

Closed
cvandeplas opened this issue Mar 8, 2013 · 8 comments
Labels: import/export (This issue involves importing and/or exporting); T: enhancement (Type: enhancement. This issue requires improving an existing feature)

Comments

@cvandeplas
Member

Reported by Andrzej Dereszowski, Oct 31, 2012

MAEC is a format that is getting adopted now by many organizations. I
think we should have support for import/export.

Comment 1 by David André, Nov 27, 2012

Issue 8, issue 10 and issue 74 are related to this.

Comment 2 by Andras Iklody, Dec 5, 2012

There is a GFI Sandbox to MAEC (import).

We export as XML and in CakePHP exec a Python XSLT conforming to the
above-mentioned sandbox(es) imports.

(noud)

@elhoim
Member

elhoim commented Mar 10, 2013

MAEC - Malware Attribute Enumeration and Characterization is one standard among many from MITRE and is part of STIX - Structured Threat Information eXpression.

Some attributes stored in MISP are covered under CybOX - Cyber Observable eXpression, which is another standard that is part of STIX.

@adulau adulau mentioned this issue Feb 4, 2015
@cvandeplas cvandeplas added import/export This issue involves importing and/or exporting and removed import/export This issue involves importing and/or exporting export labels May 9, 2015
@Rafiot Rafiot modified the milestones: future, release3.0 Sep 15, 2015
@iglocska iglocska mentioned this issue Dec 14, 2015
@h122015 h122015 mentioned this issue Dec 22, 2015
@PayloadSecurity

Is an explicit MAEC import feature still planned/on the roadmap for MISP 3.0? I see 'Import of STIX data and better support for OpenIOC' is listed on your front page.

@iglocska
Member

iglocska commented Jan 5, 2016

MAEC import is not directly planned; the main plan is to align our data model to facilitate the STIX + CybOX import/export.

However, we also have a modular import/export feature on the roadmap that will allow anyone out there to develop their own modules with relative ease and without having to know the inner workings of MISP.

We're also constantly gauging the community's feedback for additional import/export features.

@PayloadSecurity

Thanks for the quick response. As far as I see it, 'MAEC' is often just another layer put on top of CybOX elements (e.g. using the associated objects), but I have to agree it's not as standardized and stable as STIX + CybOX overall. I'll just keep my fingers crossed somebody can convince the development team behind MISP to implement support for it nevertheless. In that case I could automatically upload any MAEC reports generated on our public web service (www.hybrid-analysis.com) to MISP instances, as we are generating MAEC reports as of now.

<maecBundle:Action id="VxStream:action-28a93112-654e-403a-b2fb-23eb9b5b728d">
    <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">create file</cybox:Name>
    <cybox:Associated_Objects>
        <cybox:Associated_Object id="VxStream:Object-d630f418-4648-4aa6-9ef2-1e68561d8310">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name>TeamViewer8_Host_Setup.exe</FileObj:File_Name>
                <FileObj:Full_Path>%TEMP%\TeamViewer8_Host_Setup.exe</FileObj:Full_Path>
                <FileObj:Size_In_Bytes>6118512</FileObj:Size_In_Bytes>
                <FileObj:File_Format>PE32 executable (GUI) Intel 80386, for MS Windows</FileObj:File_Format>
                <FileObj:Hashes>
                    <cyboxCommon:Hash>
                        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                        <cyboxCommon:Simple_Hash_Value>8868c56017bf6e029123adbd5ea7e698</cyboxCommon:Simple_Hash_Value>
                    </cyboxCommon:Hash>
                    <cyboxCommon:Hash>
                        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                        <cyboxCommon:Simple_Hash_Value>f741f780333260cfdcea97bcd5d1f6cff75ad6dd</cyboxCommon:Simple_Hash_Value>
                    </cyboxCommon:Hash>
                    <cyboxCommon:Hash>
                        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                        <cyboxCommon:Simple_Hash_Value>52f4f40d629927f13d10ec50c1828be53e01137ef85a3f2f6c55ff0cbccf39a9</cyboxCommon:Simple_Hash_Value>
                    </cyboxCommon:Hash>
                    <cyboxCommon:Hash>
                        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA512</cyboxCommon:Type>
                        <cyboxCommon:Simple_Hash_Value>524d9f307955eb16b7aa1039c316c64df5dfabac6f6a7dd7c86c07764b6b0166fe6fed44e9934cf5a1856b5aa4b578bb5e9c862ca7286c01f7bcbac9f5d8598b</cyboxCommon:Simple_Hash_Value>
                    </cyboxCommon:Hash>
                </FileObj:Hashes>
            </cybox:Properties>
            <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
        </cybox:Associated_Object>
    </cybox:Associated_Objects>
</maecBundle:Action>
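
Added example, not part of the thread and not MISP or VxStream code: a sketch of the kind of import module discussed above, which reads a MAEC Action like the one in this comment and maps each file object's hashes to MISP-style `filename|<hash>` attributes. The function names, the namespace URIs in the sample and the choice of the `Artifacts dropped` category are assumptions; DTD declarations are refused and hash values are length-checked because sandbox reports are untrusted input.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Action from the comment above, trimmed to two hashes and
# wrapped in namespace declarations (URIs assumed; the posted fragment omits them).
SAMPLE = """<maecBundle:Action xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <cybox:Name>create file</cybox:Name>
 <cybox:Associated_Objects><cybox:Associated_Object>
  <cybox:Properties xsi:type="FileObj:FileObjectType">
   <FileObj:File_Name>TeamViewer8_Host_Setup.exe</FileObj:File_Name>
   <FileObj:Hashes>
    <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>8868c56017bf6e029123adbd5ea7e698</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
    <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>f741f780333260cfdcea97bcd5d1f6cff75ad6dd</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
   </FileObj:Hashes>
  </cybox:Properties>
  <cybox:Association_Type>output</cybox:Association_Type>
 </cybox:Associated_Object></cybox:Associated_Objects>
</maecBundle:Action>"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

def local(el):
    """Element name without its namespace, so matching does not depend on the URIs."""
    return el.tag.rsplit("}", 1)[-1]

def first_text(root, name):
    # Text of the first element under root with this local name, or "" if absent.
    return next(((e.text or "").strip() for e in root.iter() if local(e) == name), "")

def maec_action_to_attributes(xml_text):
    """Map file objects in a MAEC Action to MISP-style attribute dicts (assumed mapping)."""
    if re.search(r"<!(DOCTYPE|ENTITY)", xml_text, re.I):
        raise ValueError("DTD/entity declarations refused in untrusted report")
    attrs = []
    for obj in (e for e in ET.fromstring(xml_text).iter() if local(e) == "Associated_Object"):
        name = first_text(obj, "File_Name")
        for h in (e for e in obj.iter() if local(e) == "Hash"):
            kind = first_text(h, "Type").upper()
            value = first_text(h, "Simple_Hash_Value").lower()
            # Keep only hashes whose value is hex of the length the declared type requires.
            if name and kind in HEX_LEN and re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[kind], value):
                attrs.append({"category": "Artifacts dropped", "type": "filename|" + kind.lower(),
                              "value": name + "|" + value, "comment": first_text(obj, "Association_Type")})
    return attrs
```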

@syyoo84 syyoo84 mentioned this issue Sep 18, 2023