OASIS Mailing List Archives

cti-users message

Subject: Python-STIX or Java-STIX to read Bro log and generate STIX document


Dear All,

 

I am new to STIX. I am looking for some published/reviewed article references and step-by-step guidance relevant to the implementation of the following:

 

“Using Python-STIX library to implement a proof-of-concept code to read Bro log file and create a STIX document”.

I am thinking about doing the following,

  1. Build an inline Intrusion Detection System (IDS) using Security Onion with Bro
  2. Write a Bro rule to detect an attack (XSS, botnet, etc., or any)
  3. Write a Python or JavaScript program importing a STIX library that will analyze the log file and create a STIX document to share (with TAXII?)
  4. The Python or JavaScript code should also block the IP of the infected machine

 

I have been looking into the following so far,

 

I am OK with steps 1 and 2 above. But as I am new to STIX, I am having a hard time grasping the process of identifying indicators from a log file and generating a STIX document. I would really appreciate it if anyone can point me in the right direction.

 

Also, is it safe to start implementing the above with STIX 2.0, considering the development and availability of PyPI/Java libraries? Python vs. Java: which one is easier to implement? Do I need to involve CybOX or TAXII for doing the above?

 

Please excuse my limited knowledge about STIX at this moment while replying.

 

Sincerely,

Shahi
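The step the post finds hard, turning Bro log rows into STIX indicators, is shown below as an added example; it is not code from the original message or from any STIX project. It parses Bro's tab-separated ASCII log format (column names come from the `#fields` header, `-` is the unset marker) and emits a STIX 2.0 bundle as plain JSON using only the standard library, so the structure is visible without the python-stix2 library; the `stix2` package would produce the same objects. The notice log is constructed, and the `HTTP::XSS_Attempt` notice type is hypothetical (a name such a custom Bro script from step 2 might use); `SSL::Invalid_Server_Cert` is a real Bro notice, included here with an unset `src` to show the unset-field handling. One indicator is created per distinct attacking IP rather than per notice, which is also the list a blocking step (step 4) should consume instead of raw notices.

```python
"""Convert Bro notice.log rows into a STIX 2.0 bundle of IP indicators.

Added example, standard library only. STIX 2.0 Indicator required
properties: type, id, created, modified, labels, pattern, valid_from.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample in Bro's ASCII log format (columns trimmed; a real
# notice.log has more). HTTP::XSS_Attempt is a hypothetical notice type.
SAMPLE_NOTICE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc\tdst\tp
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\taddr\taddr\tport
1492000000.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.7\t80\tHTTP::XSS_Attempt\tScript tag in URI\t10.0.0.5\t203.0.113.7\t80
1492000010.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51240\t203.0.113.7\t80\tHTTP::XSS_Attempt\tScript tag in URI\t10.0.0.5\t203.0.113.7\t80
1492000020.000000\tCmES5u32sYpV7JYN\t10.0.0.9\t40000\t198.51.100.4\t443\tSSL::Invalid_Server_Cert\tself signed\t-\t198.51.100.4\t443
"""


def parse_bro_log(text):
    """Yield one dict per data row. Column names come from the #fields
    header; the #unset_field marker (default '-') is mapped to None."""
    fields = None
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def stix_timestamp(epoch):
    """Bro epoch seconds -> STIX 2.0 timestamp (UTC, millisecond precision)."""
    dt = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def notices_to_indicators(records, notice_filter=None):
    """One Indicator per distinct attacking IP (the notice 'src' column).
    Repeated notices for the same host extend the indicator instead of
    duplicating it; rows with no src are skipped."""
    by_ip = {}
    for rec in records:
        if notice_filter and rec["note"] not in notice_filter:
            continue
        ip = rec.get("src")
        if ip is None:
            continue
        ts = stix_timestamp(rec["ts"])
        ind = by_ip.get(ip)
        if ind is None:
            by_ip[ip] = {
                "type": "indicator",
                "id": "indicator--" + str(uuid.uuid4()),  # STIX 2.0 ids are UUIDv4
                "created": ts,
                "modified": ts,
                "name": "Bro notice %s from %s" % (rec["note"], ip),
                "description": rec["msg"] or "",
                "labels": ["malicious-activity"],
                "pattern": "[ipv4-addr:value = '%s']" % ip,
                "valid_from": ts,
                "x_bro_notice_uids": [rec["uid"]],  # custom property, x_ prefix
            }
        else:
            ind["x_bro_notice_uids"].append(rec["uid"])
            ind["modified"] = max(ind["modified"], ts)  # same format, lexical max is latest
    return list(by_ip.values())


def bro_log_to_stix(text, notice_filter=None):
    """Parse a Bro log and wrap the resulting indicators in a STIX 2.0 bundle."""
    objects = notices_to_indicators(parse_bro_log(text), notice_filter)
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(bro_log_to_stix(SAMPLE_NOTICE_LOG), indent=2))
```

Pass `notice_filter={"HTTP::XSS_Attempt"}` to restrict the indicators to the notice type your own Bro script raises; the resulting bundle is what a TAXII client would push to a collection, and the `pattern` values are what a blocking step should act on.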


