Last active
February 4, 2019 16:14
-
-
Save traut/fd4b9b8de3c2aa0e161d68c4099656e5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This code is an example of how STIX1.2 ids to STIX2 ids conversion | |
| # would work with UUID5 allowed in identifiers by STIX2 spec | |
| # | |
| # by sergey@eclecticiq.com | |
| import uuid | |
| stix12_to_stix2_obj_type_mappings = { | |
| 'indicator': ['indicator'], | |
| 'report': ['report'], | |
| 'ttp': ['attack-pattern', 'tool', 'malware', 'identity'], | |
| 'campaign': ['campaign'], | |
| 'course-of-action': ['course-of-action'], | |
| 'exploit-target': ['vulnerability'], | |
| 'threat-actor': ['intrusion-set', 'threat-actor'], | |
| 'incident': ['campaign'], | |
| 'package': ['bundle'], | |
| } | |
| def stix12_to_stix2_id(stix12_id, namespace_url, stix2_type): | |
| namespace_uuid = uuid.uuid5(uuid.NAMESPACE_URL, namespace_url) | |
| stix2_uuid = uuid.uuid5(namespace_uuid, stix12_id) | |
| return '{}--{}'.format(stix2_type, stix2_uuid) | |
| def stix12_id_to_possible_stix2_ids(stix12_id, | |
| namespaces_map, | |
| default_ns='example.com'): | |
| namespace, _, id_part = stix12_id.partition(':') | |
| obj_type = '-'.join(id_part.split('-')[:-5]) | |
| if not namespace: | |
| print( | |
| "No namespace provided for '{}', using default one '{}'" | |
| .format(stix12_id, default_ns)) | |
| namespace_url = default_ns | |
| elif namespace not in namespaces_map: | |
| raise Exception('Namespace {} is not registered'.format(namespace)) | |
| else: | |
| namespace_url = namespaces_map[namespace] | |
| if obj_type not in stix12_to_stix2_obj_type_mappings: | |
| raise Exception('Unknown STIX1.2 type: {}'.format(obj_type)) | |
| stix2_types = stix12_to_stix2_obj_type_mappings[obj_type] | |
| return [ | |
| stix12_to_stix2_id(stix12_id, namespace_url, stix2_type) | |
| for stix2_type in stix2_types] | |
| if __name__ == '__main__': | |
| assert 'indicator--f648f51c-2e4d-5d8e-9e58-958b8363708c' == ( | |
| stix12_to_stix2_id( | |
| 'eclecticiq:indicator-59f22cdf-e0e1-4cad-a6ad-6bd26df5273f', | |
| 'https://eclecticiq.com/ns', | |
| 'indicator')) | |
| assert ['indicator--a539fe7f-9672-5b61-b6ae-a15fc98b1fb8'] == ( | |
| stix12_id_to_possible_stix2_ids( | |
| 'id-1:indicator-516aa74d-6d94-4ca9-9a9c-d3bd049c1ece', | |
| {'id-1': 'http://eclecticiq.com'})) | |
| assert [ | |
| 'attack-pattern--50fa3ffe-2f23-5281-be7d-06a07f1005dc', | |
| 'tool--50fa3ffe-2f23-5281-be7d-06a07f1005dc', | |
| 'malware--50fa3ffe-2f23-5281-be7d-06a07f1005dc', | |
| 'identity--50fa3ffe-2f23-5281-be7d-06a07f1005dc'] == ( | |
| stix12_id_to_possible_stix2_ids( | |
| 'eclecticiq:ttp-7a795e1d-4a3e-499d-b08f-46bc24356bc4', | |
| {'eclecticiq': 'https://www.eclecticiq.com/ns'})) | |
| assert [ | |
| 'intrusion-set--fe1963c0-5a1c-59ed-8bd7-c50260808377', | |
| 'threat-actor--fe1963c0-5a1c-59ed-8bd7-c50260808377'] == ( | |
| stix12_id_to_possible_stix2_ids( | |
| 'eclecticiq:threat-actor-07fa8672-4bca-46e1-a60f-023882b4a473', | |
| {'eclecticiq': 'https://www.eclecticiq.com/ns'})) | |
| assert [ | |
| 'intrusion-set--5d3b1481-9113-5ff4-b4a9-e650c249be6b', | |
| 'threat-actor--5d3b1481-9113-5ff4-b4a9-e650c249be6b'] == ( | |
| stix12_id_to_possible_stix2_ids( | |
| ':threat-actor-07fa8672-4bca-46e1-a60f-023882b4a473', | |
| {'some': 'https://www.eclecticiq.com/ns'})) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment