Subject: STIX2.1 Extension Example - custom properties
Folks,

On today’s TC call, Rich asked folks who are using custom STIX extensions to kick the tires on the new extension proposal.

We (FS-ISAC) use custom properties on the STIX2.1 Vulnerability SDO, in order to make some custom vulnerability reporting available via a TAXII2.1 feed. The intent is for the content to be STIX/TAXII-compliant (since it’s being published to our TAXII server), yet still easy for non-STIX/TAXII applications (such as a vulnerability management system that has no idea what STIX and TAXII are) to be able to ingest it as a RESTful API.

I’ve attached 4 JSON files:

My take-aways:

Also attached is some chicken-scratch Python code (process_vulns-json.txt) to illustrate what I’m talking about. The original JSON and the Option 2 JSON can be processed without any knowledge of STIX or understanding of STIX extensions. However, Option 1 requires an understanding of STIX extensions, and some hand-waving to unpack the custom properties.

Hope this makes sense. Please let me know if I misunderstood anything.

Chris Ricard
Sr. Tech Engineer, FS-ISAC
work: +1 571-446-3888 cell: +1 703-673-8621
Attachment: stix21-option2.json
Attachment: stix21-option3.json
Attachment: stix21-option1.json
Attachment: stix21-orig.json
import json

# Demonstrate a non-STIX aware client parsing STIX objects with custom properties.
# Prints a native property value ("name"), and a custom property value ("cvss_base_score") for each.

# Example of how we're doing custom properties today
original_json = json.loads('''
[{
  "type": "vulnerability",
  "spec_version": "2.1",
  "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
  "created": "2020-10-15T21:40:52.746Z",
  "modified": "2020-10-15T21:40:52.746Z",
  "name": "Juniper SBR Carrier Multiple Vulnerabilities",
  "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5 Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
  "labels": [
    "vulnerability:CVE-2019-1563",
    "vulnerability:CVE-2020-1967",
    "vendor:Juniper Networks",
    "vulnerability:CVE-2018-0732",
    "vulnerability:CVE-2018-20843",
    "vulnerability:CVE-2019-15903"
  ],
  "lang": "en",
  "external_references": [
    {
      "source_name": "sa83669",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
    },
    {
      "source_name": "sa89677",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
    },
    {
      "source_name": "sa90843",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
    },
    {
      "source_name": "sa91027",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
    },
    {
      "source_name": "sa94476",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
    },
    {
      "source_name": "juniper (1517427)",
      "description": "External Reference objects from Flexera",
      "url": "https://kb.juniper.net/InfoCenter/JSA11074"
    },
    {
      "source_name": "cve",
      "description": "External Reference objects from Flexera",
      "external_id": "CVE-2019-1563"
    }
  ],
  "object_marking_refs": [
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
  "x_ctix_advisory_id": "SA98310",
  "x_ctix_credibility": "5 - Verified",
  "x_ctix_criticality": "3 - Moderately critical",
  "x_ctix_cves": [
    "CVE-2019-1563",
    "CVE-2018-0732",
    "CVE-2018-20843",
    "CVE-2020-1967",
    "CVE-2019-15903"
  ],
  "x_ctix_cvss_info": {
    "cvss_base_score": 7.5,
    "cvss_overall_score": 6.5,
    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
  },
  "x_ctix_impacts": [
    "DoS",
    "Exposure of sensitive information"
  ],
  "x_ctix_products": [
    "Juniper SBR Carrier"
  ],
  "x_ctix_response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
  "x_ctix_revisions": [
    {
      "description": "Initial release",
      "released_date": "2020-10-15T21:10:10Z"
    }
  ],
  "x_ctix_risk": "6",
  "x_ctix_severity": "3 - Moderate Impact",
  "x_ctix_source": "Secunia Research from Flexera",
  "x_ctix_urgency": "3 - Action Highly Recommended"
}]
''')

# Example STIX object with custom properties using Option 1
option1_json = json.loads('''
[{
  "type": "stix-extension",
  "spec_version": "2.1",
  "id": "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08",
  "created": "2020-10-15T21:40:52.746Z",
  "modified": "2020-10-15T21:40:52.746Z",
  "name": "FS-ISAC CTIX Vulnerability Extension",
  "created_by_ref": "identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
  "schema": "https://www.fsisac.com/stixtaxii/schemas/ctix-vuln/v1/",
  "version": "1.0",
  "extension_types": [
    "property-extension"
  ],
  "extension_properties": ["advisory_id","credibility","criticality","cves","cvss_info","impacts","products","response_action","revisions","risk","severity","source","urgency"]
},
{
  "type": "vulnerability",
  "spec_version": "2.1",
  "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
  "created": "2020-10-15T21:40:52.746Z",
  "modified": "2020-10-15T21:40:52.746Z",
  "name": "Juniper SBR Carrier Multiple Vulnerabilities",
  "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5 Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
  "labels": [
    "vulnerability:CVE-2019-1563",
    "vulnerability:CVE-2020-1967",
    "vendor:Juniper Networks",
    "vulnerability:CVE-2018-0732",
    "vulnerability:CVE-2018-20843",
    "vulnerability:CVE-2019-15903"
  ],
  "lang": "en",
  "external_references": [
    {
      "source_name": "sa83669",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
    },
    {
      "source_name": "sa89677",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
    },
    {
      "source_name": "sa90843",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
    },
    {
      "source_name": "sa91027",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
    },
    {
      "source_name": "sa94476",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
    },
    {
      "source_name": "juniper (1517427)",
      "description": "External Reference objects from Flexera",
      "url": "https://kb.juniper.net/InfoCenter/JSA11074"
    },
    {
      "source_name": "cve",
      "description": "External Reference objects from Flexera",
      "external_id": "CVE-2019-1563"
    }
  ],
  "object_marking_refs": [
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
  "extensions": {
    "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08" : {
      "advisory_id": "SA98310",
      "credibility": "5 - Verified",
      "criticality": "3 - Moderately critical",
      "cves": [
        "CVE-2019-1563",
        "CVE-2018-0732",
        "CVE-2018-20843",
        "CVE-2020-1967",
        "CVE-2019-15903"
      ],
      "cvss_info": {
        "cvss_base_score": 7.5,
        "cvss_overall_score": 6.5,
        "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
      },
      "impacts": [
        "DoS",
        "Exposure of sensitive information"
      ],
      "products": [
        "Juniper SBR Carrier"
      ],
      "response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
      "revisions": [
        {
          "description": "Initial release",
          "released_date": "2020-10-15T21:10:10Z"
        }
      ],
      "risk": "6",
      "severity": "3 - Moderate Impact",
      "source": "Secunia Research from Flexera",
      "urgency": "3 - Action Highly Recommended"
    }
  }
},
{
  "id":"identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
  "identity_class":"organization",
  "lang":"en",
  "name":"FS-ISAC",
  "type":"identity",
  "spec_version":"2.1",
  "created":"2020-10-15T23:40:56.152Z",
  "modified":"2020-10-15T23:40:56.152Z"
}]
''')

# Example STIX object with custom properties using Option 2
option2_json = json.loads('''
[{
  "type": "stix-extension",
  "spec_version": "2.1",
  "id": "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08",
  "created": "2020-10-15T21:40:52.746Z",
  "modified": "2020-10-15T21:40:52.746Z",
  "name": "FS-ISAC CTIX Vulnerability Extension",
  "created_by_ref": "identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
  "schema": "https://www.fsisac.com/stixtaxii/schemas/ctix-vuln/v1/",
  "version": "1.0",
  "extension_types": [
    "toplevel-property-extension"
  ],
  "extension_properties": ["advisory_id","credibility","criticality","cves","cvss_info","impacts","products","response_action","revisions","risk","severity","source","urgency"]
},
{
  "type": "vulnerability",
  "spec_version": "2.1",
  "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
  "created": "2020-10-15T21:40:52.746Z",
  "modified": "2020-10-15T21:40:52.746Z",
  "name": "Juniper SBR Carrier Multiple Vulnerabilities",
  "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5 Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
  "labels": [
    "vulnerability:CVE-2019-1563",
    "vulnerability:CVE-2020-1967",
    "vendor:Juniper Networks",
    "vulnerability:CVE-2018-0732",
    "vulnerability:CVE-2018-20843",
    "vulnerability:CVE-2019-15903"
  ],
  "lang": "en",
  "external_references": [
    {
      "source_name": "sa83669",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
    },
    {
      "source_name": "sa89677",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
    },
    {
      "source_name": "sa90843",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
    },
    {
      "source_name": "sa91027",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
    },
    {
      "source_name": "sa94476",
      "description": "External Reference objects from Flexera",
      "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
    },
    {
      "source_name": "juniper (1517427)",
      "description": "External Reference objects from Flexera",
      "url": "https://kb.juniper.net/InfoCenter/JSA11074"
    },
    {
      "source_name": "cve",
      "description": "External Reference objects from Flexera",
      "external_id": "CVE-2019-1563"
    }
  ],
  "object_marking_refs": [
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
  "advisory_id": "SA98310",
  "credibility": "5 - Verified",
  "criticality": "3 - Moderately critical",
  "cves": [
    "CVE-2019-1563",
    "CVE-2018-0732",
    "CVE-2018-20843",
    "CVE-2020-1967",
    "CVE-2019-15903"
  ],
  "cvss_info": {
    "cvss_base_score": 7.5,
    "cvss_overall_score": 6.5,
    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
  },
  "impacts": [
    "DoS",
    "Exposure of sensitive information"
  ],
  "products": [
    "Juniper SBR Carrier"
  ],
  "response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
  "revisions": [
    {
      "description": "Initial release",
      "released_date": "2020-10-15T21:10:10Z"
    }
  ],
  "risk": "6",
  "severity": "3 - Moderate Impact",
  "source": "Secunia Research from Flexera",
  "urgency": "3 - Action Highly Recommended",
  "extensions": {
    "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08" : {
      "extends_stix_object_definition": true
    }
  }
},
{
  "id":"identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
  "identity_class":"organization",
  "lang":"en",
  "name":"FS-ISAC",
  "type":"identity",
  "spec_version":"2.1",
  "created":"2020-10-15T23:40:56.152Z",
  "modified":"2020-10-15T23:40:56.152Z"
}]
''')

# Prints the title and CVSS score
def printVulnTitleAndCvssScore(title, score):
    print('%s:%s' % (title, score))
    return True

##################################
# Original - native and custom properties are all top-level, custom properties are namespaced.
for obj in original_json:
    if obj['type'] == 'vulnerability':
        result = printVulnTitleAndCvssScore(obj['name'], obj['x_ctix_cvss_info']['cvss_base_score'])

# Option 2 - native and custom properties are all top-level
for obj in option2_json:
    if obj['type'] == 'vulnerability':
        result = printVulnTitleAndCvssScore(obj['name'], obj['cvss_info']['cvss_base_score'])

# Option 1: native properties are top-level, custom properties are nested under the "extensions" property.
# So the custom properties must be wrangled out of the extensions property.
for obj in option1_json:
    if obj['type'] == 'vulnerability':
        # wrangle the custom properties out of the "extensions" property
        cust_properties = {}
        extensions = obj['extensions']
        for custs in extensions.values():
            for (k, v) in custs.items():
                cust_properties[k] = v
        result = printVulnTitleAndCvssScore(obj['name'], cust_properties['cvss_info']['cvss_base_score'])
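An added example (not part of the original post or its attachment): a consumer that reads a custom property by extension id from any of the three layouts discussed, rather than merging every entry under "extensions" into one dict, where a second extension that defines the same key overwrites the first. The helper names, the second extension id and the trimmed sample objects are constructed for illustration; the property names follow the proposal as shown in the JSON on this page.

```python
# Added example: read a custom property from any of the three layouts on this page.
CTIX_EXT = "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08"   # id from the page
OTHER_EXT = "stix-extension--00000000-0000-4000-8000-000000000000"  # constructed id

def custom_property(obj, ext_id, name, legacy_prefix="x_ctix_"):
    """Return (value, layout) for custom property `name` owned by `ext_id`."""
    ext = obj.get("extensions", {}).get(ext_id)
    if isinstance(ext, dict):
        # Option 1: the value is nested under this extension's own id.
        if name in ext:
            return ext[name], "option1"
        # Option 2: the extension entry is only a marker; the value is top-level.
        if ext.get("extends_stix_object_definition") is True and name in obj:
            return obj[name], "option2"
    # Original layout: namespaced top-level property, no "extensions" entry.
    if legacy_prefix + name in obj:
        return obj[legacy_prefix + name], "original"
    raise KeyError("%s not provided by %s" % (name, ext_id))

def naive_merge(obj):
    """Flatten every extension into one dict: later extensions overwrite earlier ones."""
    merged = {}
    for props in obj.get("extensions", {}).values():
        merged.update(props)
    return merged

# Constructed sample objects, trimmed from the page's JSON to the fields used here.
cvss = {"cvss_base_score": 7.5}
original = {"type": "vulnerability", "x_ctix_cvss_info": cvss}
option1 = {"type": "vulnerability", "extensions": {
    CTIX_EXT: {"cvss_info": cvss},
    OTHER_EXT: {"cvss_info": {"cvss_base_score": 0.0}},  # constructed second extension
}}
option2 = {"type": "vulnerability", "cvss_info": cvss, "extensions": {
    CTIX_EXT: {"extends_stix_object_definition": True},
}}

def base_scores():
    """Base score and detected layout for each sample object."""
    results = []
    for o in (original, option1, option2):
        value, layout = custom_property(o, CTIX_EXT, "cvss_info")
        results.append((value["cvss_base_score"], layout))
    return results

if __name__ == "__main__":
    print(base_scores())
    print(naive_merge(option1)["cvss_info"])
```

Keying the lookup on the extension id keeps the FS-ISAC score at 7.5 for all three layouts, while the flattened dict for the Option 1 sample ends up holding the other extension's value.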