MAEC import/export (or another format?) #3
Comments
MAEC (Malware Attribute Enumeration and Characterization) is one standard among many from MITRE and is part of STIX (Structured Threat Information eXpression). Some attributes stored in MISP are covered under CybOX (Cyber Observable eXpression), which is another standard that is part of STIX.
Is an explicit MAEC import feature still planned/on the roadmap for MISP 3.0? I see 'Import of STIX data and better support for OpenIOC' is listed on your front page.
MAEC import is not directly planned; the main plan is to align our data model to facilitate the STIX + CybOX import/export. However, we also have a modular import/export feature on the roadmap that will allow anyone out there to develop their own modules with relative ease and without having to know the inner workings of MISP. We're also constantly gauging the community's feedback for additional import/export features.
Thanks for the quick response. As far as I see it, 'MAEC' is often just another layer put on top of CybOX elements (e.g. using the associated objects), but I have to agree it's not as standardized and stable as STIX + CybOX overall. I'll just keep my fingers crossed somebody can convince the development team behind MISP to implement support for it nevertheless. In that case I could automatically upload any MAEC reports generated on our public webservice (www.hybrid-analysis.com) to MISP instances, as we are generating MAEC reports as of now.

```xml
<maecBundle:Action id="VxStream:action-28a93112-654e-403a-b2fb-23eb9b5b728d">
  <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">create file</cybox:Name>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="VxStream:Object-d630f418-4648-4aa6-9ef2-1e68561d8310">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>TeamViewer8_Host_Setup.exe</FileObj:File_Name>
        <FileObj:Full_Path>%TEMP%\TeamViewer8_Host_Setup.exe</FileObj:Full_Path>
        <FileObj:Size_In_Bytes>6118512</FileObj:Size_In_Bytes>
        <FileObj:File_Format>PE32 executable (GUI) Intel 80386, for MS Windows</FileObj:File_Format>
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>8868c56017bf6e029123adbd5ea7e698</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>f741f780333260cfdcea97bcd5d1f6cff75ad6dd</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>52f4f40d629927f13d10ec50c1828be53e01137ef85a3f2f6c55ff0cbccf39a9</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA512</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>524d9f307955eb16b7aa1039c316c64df5dfabac6f6a7dd7c86c07764b6b0166fe6fed44e9934cf5a1856b5aa4b578bb5e9c862ca7286c01f7bcbac9f5d8598b</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
      <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
    </cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
```
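The fragment above is exactly the situation the maintainer's reply describes: the MAEC action is a thin wrapper, and everything MISP would store lives in the CybOX file object underneath it. The following is an added example, not code from the MISP project or from Hybrid Analysis: it parses a constructed copy of the posted fragment (the namespace URIs are assumed to be the MAEC 4 / CybOX 2 ones, since the pasted snippet omits its `xmlns` declarations, and one deliberately malformed SHA1 is added to exercise validation), and turns each file object into MISP-style attribute dicts. The MISP attribute types and the "Payload delivery" category are the ones MISP uses for file hashes; the length/alphabet check is the sanity gate a sandbox-to-MISP module should apply before a report can push junk indicators into an event.

```python
import re
import xml.etree.ElementTree as ET

# Assumed MAEC 4 / CybOX 2 namespace URIs; the fragment posted in the issue
# uses these prefixes but does not carry the declarations.
NS = {
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}

# CybOX HashNameVocab value -> (MISP attribute type, expected hex length).
HASH_TYPES = {
    "MD5": ("md5", 32),
    "SHA1": ("sha1", 40),
    "SHA256": ("sha256", 64),
    "SHA512": ("sha512", 128),
}

# Constructed sample: the posted fragment, trimmed, wrapped in a root that
# declares the namespaces, plus one bogus SHA1 ("deadbeef") to show rejection.
SAMPLE = r"""<maecBundle:Actions
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:maecVocabs="http://maec.mitre.org/default_vocabularies-1"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <maecBundle:Action id="VxStream:action-28a93112-654e-403a-b2fb-23eb9b5b728d">
    <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">create file</cybox:Name>
    <cybox:Associated_Objects>
      <cybox:Associated_Object id="VxStream:Object-d630f418-4648-4aa6-9ef2-1e68561d8310">
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:File_Name>TeamViewer8_Host_Setup.exe</FileObj:File_Name>
          <FileObj:Full_Path>%TEMP%\TeamViewer8_Host_Setup.exe</FileObj:Full_Path>
          <FileObj:Hashes>
            <cyboxCommon:Hash>
              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>8868c56017bf6e029123adbd5ea7e698</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
            <cyboxCommon:Hash>
              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>deadbeef</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
            <cyboxCommon:Hash>
              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>52f4f40d629927f13d10ec50c1828be53e01137ef85a3f2f6c55ff0cbccf39a9</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
          </FileObj:Hashes>
        </cybox:Properties>
        <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
      </cybox:Associated_Object>
    </cybox:Associated_Objects>
  </maecBundle:Action>
</maecBundle:Actions>"""


def _text(elem, path):
    """Stripped text of the first child matching an ElementTree path, or None."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def maec_actions_to_misp(xml_text):
    """Walk every MAEC Action and convert the CybOX file objects it references
    into MISP attribute dicts. Returns (attributes, rejected); rejected holds
    (declared type, value) pairs whose length or alphabet does not match the
    declared hash type, so they never reach the event.
    """
    root = ET.fromstring(xml_text)
    attributes, rejected = [], []
    for action in root.iter("{%s}Action" % NS["maecBundle"]):
        action_name = _text(action, "cybox:Name") or "unknown action"
        for assoc in action.findall("cybox:Associated_Objects/cybox:Associated_Object", NS):
            props = assoc.find("cybox:Properties", NS)
            if props is None:
                continue
            role = _text(assoc, "cybox:Association_Type") or "unspecified"
            comment = "%s (%s) from MAEC object %s" % (action_name, role, assoc.get("id", "?"))
            fname = _text(props, "FileObj:File_Name")
            if fname:
                attributes.append({"type": "filename", "value": fname,
                                   "category": "Payload delivery", "comment": comment})
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = (_text(h, "cyboxCommon:Type") or "").upper()
                hval = (_text(h, "cyboxCommon:Simple_Hash_Value") or "").lower()
                if htype not in HASH_TYPES:
                    continue  # e.g. SSDEEP: not a fixed-length hex digest, skip here
                misp_type, length = HASH_TYPES[htype]
                if len(hval) != length or not re.fullmatch(r"[0-9a-f]+", hval):
                    rejected.append((htype, hval))
                    continue
                attributes.append({"type": misp_type, "value": hval,
                                   "category": "Payload delivery", "comment": comment})
    return attributes, rejected


if __name__ == "__main__":
    attrs, bad = maec_actions_to_misp(SAMPLE)
    for a in attrs:
        print(a["type"], a["value"], "#", a["comment"])
    print("rejected:", bad)
```

The resulting dicts are the shape a modular importer would hand to MISP's attribute creation; the Association_Type ("output" here) is kept in the comment because it distinguishes a file the sample dropped from one it merely read, which matters when deciding whether a hash is a payload indicator or just a system file the malware touched.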
Reported by Andrzej Dereszowski, Oct 31, 2012
MAEC is a format that is getting adopted now by many organizations. I think we should have support for import/export.
Comment 1 by David André, Nov 27, 2012
Issue 8, issue 10 and issue 74 are related to this.
Comment 2 by Andras Iklody, Dec 5, 2012
There is a GFI Sandbox to MAEC (import). We export as XML and in CakePHP exec a Python XSLT conforming to the above-mentioned sandbox(es) imports.
(noud)