Subject: RE: [Non-DoD Source] Re: [cti-users] Help with python-stix
Classification: UNCLASSIFIED
======================================================

Hello,

I encountered a similar problem with parsing embedded JSON elements. You have to use a recursive function to convert it into a Python dictionary.

Warm Regards,
Eli

-----Original Message-----
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Nicholas George
Sent: Tuesday, March 28, 2017 3:42 AM
To: Back, Greg <gback@mitre.org>
Cc: cti-users@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-users] Help with python-stix

This email was sent from a non-Department of Defense email account, and contained active links. Please verify the identity of the sender, and confirm authenticity of all links contained within the message.

Thanks for that Greg,

I had been experimenting with converting the STIX objects to Python dictionaries, and then doing exactly as you have to store them by ID, so I can look up references. Before devoting too much time to it, however, I thought I should ask if there was a better way, as I'd hate to waste time developing lookup code if it was already in the API. I might continue down this route.

Cheers,
Nick

On Mon, Mar 27, 2017 at 9:09 PM Back, Greg <gback@mitre.org> wrote:

Hi Nick,

python-stix (for STIX 1.x) does not automatically resolve ID references for you, even for objects within the same STIX Package. STIX 1.x allows some "related" objects to be "embedded" in other objects (vs. being "references" to external objects); python-stix will create these relationships for you. For non-"embedded" relationships, python-stix will only create a relationship to a "stub" object that contains the idref.

One approach I've seen useful is to keep a dictionary mapping IDs to the full python-stix objects, and use that dictionary to look objects up by ID.

(pseudo-code, untested)

    id_map = {}
    # Index every object by its ID once the whole document has been parsed
    for incident in stix_package.incidents:
        id_map[incident.id_] = incident
    for ttp in stix_package.ttps:
        id_map[ttp.id_] = ttp
    ...
    if indicator.related_ttps[0].id_:
        # embedded
        ttp = indicator.related_ttps[0]
    else:
        # referenced
        ttp = id_map.get(indicator.related_ttps[0].idref)

Keep in mind that the referenced object may occur later in the same XML document (which is why it's better to parse the entire document before attempting to resolve any IDs), or may not even occur in any of the XML documents.

The difficulties in the approach from STIX 1 are one of the reasons that STIX 2 uses references for all relationships. python-stix2 will provide mechanisms for more easily resolving these references, but it will still be semi-manual.

If you have any more questions, feel free to ask.

Greg

On 2017-03-27, 4:44 AM, "cti-users@lists.oasis-open.org on behalf of Nicholas George" <cti-users@lists.oasis-open.org on behalf of nick.george@countersight.co> wrote:

Hi cti-users,

Python is not my strong point. I am trying to use the python-stix library to consume many stix packages from hailataxii.

I have created an array of STIXPackages and am trying to iterate through them. What I don't get is how references (idref) between indicators, ttps, observables can work between packages. Will libstix magically link everything up for me? Or do I need to manually resolve idref references? I have attempted to see if it will 'just work' but am failing.

I find the consumer examples on the stixproject website to be too trivial. Are there any good examples of stix consumers that pull together lots of observables, indicators and ttps from a source like Hailataxii?

Kind regards,
Nick

This publicly archived list provides a forum for asking questions, offering answers, and discussing topics of interest on STIX, TAXII, and CybOX. Users and developers of solutions that leverage STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines and to minimize spam in the list archive, subscription is required before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: lists.oasis-open.org/archives/cti-users/
List Guidelines: www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: www.oasis-open.org/committees/cti/
Join OASIS: www.oasis-open.org/join/

--
Nick George
Director of Engineering
Countersight
+61 (0) 405 546 228
nick.george@countersight.co
countersight.co

======================================================
Classification: UNCLASSIFIED