cti-stix-elevator
Observation pattern not handled
Elevating a STIX version 1 package containing an indicator which indicates an observable: the pattern is not correctly handled. Due to this error, the relationship object that it generates to relate the indicator to the observable has no target_ref parameter, and validation fails. Here are the stix1.xml file contents:

```xml
<stix:STIX_Package
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:simpleMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:TOUMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1"
    xmlns:opensource="http://hailataxii.com"
    xmlns:edge="http://soltra.com/"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1"
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1"
    id="edge:Package-b3dc8722-2c72-4375-90fb-14812edda992"
    version="1.1.1"
    timestamp="2020-06-21T09:08:15.518871+00:00">
  <stix:STIX_Header>
    <stix:Handling>
      <marking:Marking>
        <marking:Controlled_Structure>../../../../descendant-or-self::node()</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="WHITE"/>
        <marking:Marking_Structure xsi:type="TOUMarking:TermsOfUseMarkingStructureType">
          <TOUMarking:Terms_Of_Use>cybercrime-tracker.net | Cybercrime Tracker - no TOU found.
A best effort attempt was made to find a TOU (Terms of Use) document on the http://cybercrime-tracker.net/ site, however none was found. We assume that all rights are reserved by Cybercrime Tracker and attribution is required.</TOUMarking:Terms_Of_Use>
        </marking:Marking_Structure>
        <marking:Marking_Structure xsi:type="simpleMarking:SimpleMarkingStructureType">
          <simpleMarking:Statement>Unclassified (Public)</simpleMarking:Statement>
        </marking:Marking_Structure>
      </marking:Marking>
    </stix:Handling>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="opensource:indicator-0009653e-1576-4f83-a9a4-186485356b00" timestamp="2015-01-02T14:29:25.190267+00:00" xsi:type="indicator:IndicatorType" version="2.1.1">
      <indicator:Title>C2C Site: onlineservices.ng</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
      <indicator:Description>This domain onlineservices.ng has been identified as a command and control site for JackPos malware by cybercrime-tracker.net. For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [http://cybercrime-tracker.net/index.php].</indicator:Description>
      <indicator:Observable idref="opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755">
      </indicator:Observable>
      <indicator:Indicated_TTP>
        <stixCommon:TTP idref="opensource:ttp-5e7b3ebd-d1b3-48d9-9244-f7a80a656913" xsi:type="ttp:TTPType"/>
      </indicator:Indicated_TTP>
      <indicator:Producer>
        <stixCommon:Identity id="opensource:Identity-09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9">
          <stixCommon:Name>cybercrime-tracker.net</stixCommon:Name>
        </stixCommon:Identity>
        <stixCommon:Time>
          <cyboxCommon:Produced_Time>2014-12-16T00:00:00+00:00</cyboxCommon:Produced_Time>
          <cyboxCommon:Received_Time>2014-12-19T03:05:08+00:00</cyboxCommon:Received_Time>
        </stixCommon:Time>
      </indicator:Producer>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
```
And the stix2_validator output:

```
[X] STIX JSON: Invalid
[!] Warning: indicator--0009653e-1576-4f83-a9a4-186485356b00: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[X] relationship--984ebba0-75bf-483b-beab-3a4de4df14f0: 'target_ref' is a required property
[X] indicator--0009653e-1576-4f83-a9a4-186485356b00: Pattern failed to validate: FAIL: Error found at line 1:0. input is missing square brackets.
[X] indicator--0009653e-1576-4f83-a9a4-186485356b00: Pattern failed to validate: FAIL: Error found at line 1:0. mismatched input 'PLACEHOLDER' expecting {'(', '['}.
```
And the elevated STIX version 2 output, with the errors, is:

```json
{
  "id": "bundle--b3dc8722-2c72-4375-90fb-14812edda992",
  "objects": [
    {
      "created": "2020-06-21T09:08:15.518Z",
      "definition": {
        "statement": "Unclassified (Public)"
      },
      "definition_type": "statement",
      "id": "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
        "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4"
      ],
      "spec_version": "2.1",
      "type": "marking-definition"
    },
    {
      "created": "2020-06-21T09:08:15.518Z",
      "definition": {
        "statement": "cybercrime-tracker.net | Cybercrime Tracker - no TOU found. A best effort attempt was made to find a TOU (Terms of Use) document on the http://cybercrime-tracker.net/ site, however none was found. We assume that all rights are reserved by Cybercrime Tracker and attribution is required.\n"
      },
      "definition_type": "statement",
      "id": "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
        "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
      ],
      "spec_version": "2.1",
      "type": "marking-definition"
    },
    {
      "created": "2015-01-02T14:29:25.190Z",
      "id": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
      "modified": "2015-01-02T14:29:25.190Z",
      "name": "cybercrime-tracker.net",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
        "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
        "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
      ],
      "spec_version": "2.1",
      "type": "identity"
    },
    {
      "created": "2015-01-02T14:29:25.190Z",
      "created_by_ref": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
      "description": "This domain onlineservices.ng has been identified as a command and control site for JackPos malware by cybercrime-tracker.net. For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [http://cybercrime-tracker.net/index.php].",
      "id": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
      "indicator_types": [
        "domain-watchlist",
        "url-watchlist"
      ],
      "modified": "2015-01-02T14:29:25.190Z",
      "name": "C2C Site: onlineservices.ng",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
        "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
        "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
      ],
      "pattern": "PLACEHOLDER:opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755",
      "pattern_type": "stix",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2015-01-02T14:29:25.190267Z"
    },
    {
      "created": "2015-01-02T14:29:25.190Z",
      "created_by_ref": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
      "id": "relationship--984ebba0-75bf-483b-beab-3a4de4df14f0",
      "modified": "2015-01-02T14:29:25.190Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
      "spec_version": "2.1",
      "type": "relationship"
    }
  ],
  "type": "bundle"
}
```
Hi @mahyarkarimi,
Here is your observable:
```xml
<indicator:Observable idref="opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755">
</indicator:Observable>
```
This is a reference to an Observable defined elsewhere, but you do not include it in the XML.
The same is true for the indicated TTP.
The XML content you sent was malformed, so I corrected it and included it. Please include the definitions of the objects you referenced using idrefs, and you should get better results. If not, please send back the changed file and I will continue to look into this issue.
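As an added example (not part of this thread and not cti-stix-elevator's own code), here is a stdlib-only Python check that implements the diagnosis above: it finds every idref in a STIX 1.x package that has no matching id in the same package, so the gap can be caught before elevating, and it then flags the two symptoms an unresolved reference leaves in the elevated 2.1 bundle, an indicator pattern that is not a STIX pattern and a relationship whose target_ref is missing or does not resolve. The sample package and bundle are constructed, trimmed-down copies of the ones posted in this issue, and the function names are mine.

```python
"""Added example for this issue: sanity checks around STIX 1.x -> 2.1 elevation.

This is not cti-stix-elevator code. It implements the diagnosis given in the
thread: an idref in the STIX 1.x package with no matching id in that package
(here the Observable and the TTP), and the two symptoms that leaves in the
elevated 2.1 bundle, a PLACEHOLDER pattern and a relationship with no
target_ref. Standard library only; the function names are the author's own.
"""
import xml.etree.ElementTree as ET

# Constructed input: a trimmed copy of the package posted in the issue. Only
# the Identity carries an id; the Observable and the TTP are referenced by
# idref but never defined anywhere in the package.
STIX1_XML = """\
<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="edge:Package-b3dc8722-2c72-4375-90fb-14812edda992" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="opensource:indicator-0009653e-1576-4f83-a9a4-186485356b00"
                    xsi:type="indicator:IndicatorType">
      <indicator:Title>C2C Site: onlineservices.ng</indicator:Title>
      <indicator:Observable idref="opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755"/>
      <indicator:Indicated_TTP>
        <stixCommon:TTP idref="opensource:ttp-5e7b3ebd-d1b3-48d9-9244-f7a80a656913"
                        xsi:type="ttp:TTPType"/>
      </indicator:Indicated_TTP>
      <indicator:Producer>
        <stixCommon:Identity id="opensource:Identity-09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9">
          <stixCommon:Name>cybercrime-tracker.net</stixCommon:Name>
        </stixCommon:Identity>
      </indicator:Producer>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def dangling_idrefs(xml_text):
    """Return, sorted, every idref value that no element in the same package
    defines as its id. In STIX 1.x, id and idref are plain (un-namespaced)
    attributes, so they can be read without any namespace handling."""
    root = ET.fromstring(xml_text)
    defined = {el.get("id") for el in root.iter() if el.get("id")}
    referenced = {el.get("idref") for el in root.iter() if el.get("idref")}
    return sorted(referenced - defined)


# Constructed output: a trimmed copy of the elevated bundle posted in the
# issue, keeping only the identity, the broken indicator and the broken
# relationship (the marking definitions are left out).
STIX2_BUNDLE = {
    "type": "bundle",
    "id": "bundle--b3dc8722-2c72-4375-90fb-14812edda992",
    "objects": [
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
         "name": "cybercrime-tracker.net"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
         "name": "C2C Site: onlineservices.ng",
         "pattern_type": "stix",
         "pattern": "PLACEHOLDER:opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--984ebba0-75bf-483b-beab-3a4de4df14f0",
         "relationship_type": "indicates",
         "source_ref": "indicator--0009653e-1576-4f83-a9a4-186485356b00"},
    ],
}


def elevation_problems(bundle):
    """Flag what an unresolved idref leaves behind after elevation: an
    indicator whose pattern cannot be a STIX pattern (the grammar requires
    it to start with '[' or '(', which is what the validator's
    "expecting {'(', '['}" message is about) and a relationship whose
    source_ref or target_ref is missing or does not resolve to an object
    in the bundle. Returns a list of (object id, message) pairs."""
    ids = {obj["id"] for obj in bundle["objects"]}
    problems = []
    for obj in bundle["objects"]:
        if obj["type"] == "indicator":
            pattern = obj.get("pattern", "").lstrip()
            if not pattern.startswith(("[", "(")):
                problems.append((obj["id"], "not a STIX pattern: " + pattern))
        elif obj["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                ref = obj.get(key)
                if ref is None:
                    problems.append((obj["id"], key + " is missing"))
                elif ref not in ids:
                    problems.append((obj["id"], key + " does not resolve: " + ref))
    return problems


if __name__ == "__main__":
    for ref in dangling_idrefs(STIX1_XML):
        print("STIX 1.x: idref has no definition in package:", ref)
    for obj_id, msg in elevation_problems(STIX2_BUNDLE):
        print("STIX 2.1:", obj_id, msg)
```

Running it on the constructed input reports the Observable and TTP idrefs as undefined, and on the constructed bundle reports the PLACEHOLDER pattern and the relationship with no target_ref; once the referenced objects are added to the 1.x package (the fix the reply asks for), the first check comes back empty and the bundle the elevator produces no longer trips the second.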