
Comments (6)

tee-dog commented on September 24, 2024

I did some more checks and believe MISP does not like email addresses within this particular (fsisac) STIX format. IPs are no problem and translate into MISP event attributes, email addresses don't. Would anybody know how this can be fixed? I assume buildMISPAttribute.py is where the magic happens...

from misp-taxii-server.

FloatingGhost commented on September 24, 2024

Yeah I see the issue here

I expected AddressObjects to well... be IP addresses.

It never once states in the STIX docs that email addresses count as that - I was expecting them to be in the EmailMessageAttribute fields :<

I think I can hack around it by checking category (maybe)

from misp-taxii-server.
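
The category check discussed above, sketched as an added example (not code from MISP-STIX-Converter or from this thread): a CybOX Address object states what it holds in its `category` attribute, so that attribute decides the MISP type. The sample XML is constructed, the `ip-dst` mapping and the helper name `address_attributes` are assumptions; only `email-src` comes from the thread.

```python
import xml.etree.ElementTree as ET

ADDR_NS = "http://cybox.mitre.org/objects#AddressObject-2"

# CybOX Address category -> MISP attribute type. "email-src" is the type quoted
# in the thread; using "ip-dst" for IP categories is an assumption of this example.
CATEGORY_TO_MISP = {"e-mail": "email-src", "ipv4-addr": "ip-dst", "ipv6-addr": "ip-dst"}

# Constructed sample: three Address objects with different categories.
SAMPLE = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="e-mail">
      <AddressObj:Address_Value>phish@example.test</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="mac">
      <AddressObj:Address_Value>00:11:22:33:44:55</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
</cybox:Observables>"""


def address_attributes(stix_xml):
    """Return (mapped, unmapped) lists for every Address object in the XML.

    mapped   -> [(misp_type, value)] ready to become MISP attributes
    unmapped -> [(category, value)] that would otherwise vanish silently,
                which is how an event ends up created with no attributes
    """
    mapped, unmapped = [], []
    # For feeds from peers you do not control, parse with defusedxml instead.
    for props in ET.fromstring(stix_xml).iter():
        value = props.find("{%s}Address_Value" % ADDR_NS)
        if value is None or not (value.text or "").strip():
            continue
        category = props.get("category")  # None when the attribute is absent
        misp_type = CATEGORY_TO_MISP.get(category)
        target = mapped if misp_type else unmapped
        target.append((misp_type or category, value.text.strip()))
    return mapped, unmapped


if __name__ == "__main__":
    print(address_attributes(SAMPLE))
```

Logging the `unmapped` list on import makes a dropped indicator visible instead of producing an empty event.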

FloatingGhost commented on September 24, 2024

Tests pass

I've updated MISP-STIX-Converter to hopefully fix this issue - try re-installing that and trying again

Might work might not


tee-dog commented on September 24, 2024

Thank you, you are really helpful! I have pulled and re-installed MISP-STIX-Converter but the error persists (event created with no attributes). Could you please try again with the attached samples?

I'm puzzled, it should really be caught by your new line

    else:
        mispEvent.add_attribute("email-src", ast_eval(str(obj.address_value)),
                                comment=pkg.title or None)

sorry about the Python, we upgraded the box but it's not having any of it ;-)

Push-success:

    root@lbg-cuckoobox:~/MISP-Taxii-Server/FSISAC/stix_files# taxii-push --path http://localhost:9000/services/inbox -f system.Default_STIX111_2018_01_05T11_24_54_703983_00_00.xml --dest collection --username taxii --password xxxxx
    2018-01-17 10:34:05,912 INFO: Sending Inbox_Message to http://localhost:9000/services/inbox
    2018-01-17 10:34:06,693 INFO: Content block successfully pushed

Gunicorn event log:

    {"hooks": "misp_taxii_hooks.hooks", "logger": "opentaxii.server", "event": "signal_hooks.imported", "timestamp": "2018-01-17T10:33:11.767578Z", "level": "info"}
    {"timestamp": "2018-01-17T10:33:11.767823Z", "logger": "opentaxii.server", "event": "opentaxii.server_configured", "level": "info"}
    ("'dGF4aWk6bWlzcHRheGlpMQ=='", 24)
    Posting STIX...
    /usr/local/lib/pythonlookaunicorn!/dist-packages/stix/utils/deprecated.py:48: UserWarning: The use of this field has been deprecated. Received 'datetime' object.
    warnings.warn(msg)
    Building Event...
    Using title STIX Import
    STIX loaded succesfully.
    Extracted ['[email protected]']
    Checking for existence of [email protected]
    /usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
    InsecureRequestWarning)
    [email protected] is unique, we'll keep it
    Uploading event to MISP with attributes ['[email protected]']
    /usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
    InsecureRequestWarning)

not_working.xml.txt
working.xml.txt


FloatingGhost commented on September 24, 2024

Bizarrely not_working.xml does work for me

2018-01-17-112422

MISP 2.4.81, but that shouldn't matter

Maybe Python's messing with you, try

    sudo pip uninstall misp_stix_converter
    cd /path/to/MISP-STIX-Converter
    sudo python setup.py install
    # Restart TAXII server

might work


tee-dog commented on September 24, 2024

and it totally does, thank you ever so much! how does this "turn-it-off-and-on-again" thing still work lol

