Elevating STIX version 1 containing an indicator which indicates an observable as the pattern is not correctly handled. Due to this error, the relationship object which it has to relate indicator to observable has no target_ref parameter and validation fails.
Here is the stix1.xml file contents:
```xml
<stix:STIX_Package xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:simpleMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1" xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" xmlns:TOUMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1" xmlns:opensource="http://hailataxii.com" xmlns:edge="http://soltra.com/" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" id="edge:Package-b3dc8722-2c72-4375-90fb-14812edda992" version="1.1.1" timestamp="2020-06-21T09:08:15.518871+00:00">
  <stix:STIX_Header>
    <stix:Handling>
      <marking:Marking>
        <marking:Controlled_Structure>../../../../descendant-or-self::node()</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="WHITE"/>
        <marking:Marking_Structure xsi:type="TOUMarking:TermsOfUseMarkingStructureType">
          <TOUMarking:Terms_Of_Use>cybercrime-tracker.net | Cybercrime Tracker - no TOU found. A best effort attempt was made to find a TOU (Terms of Use) document on the http://cybercrime-tracker.net/ site, however none was found. We assume that all rights are reserved by Cybercrime Tracker and attribution is required.
          </TOUMarking:Terms_Of_Use>
        </marking:Marking_Structure>
        <marking:Marking_Structure xsi:type="simpleMarking:SimpleMarkingStructureType">
          <simpleMarking:Statement>Unclassified (Public)</simpleMarking:Statement>
        </marking:Marking_Structure>
      </marking:Marking>
    </stix:Handling>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="opensource:indicator-0009653e-1576-4f83-a9a4-186485356b00" timestamp="2015-01-02T14:29:25.190267+00:00" xsi:type="indicator:IndicatorType" version="2.1.1">
      <indicator:Title>C2C Site: onlineservices.ng</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
      <indicator:Description>This domain onlineservices.ng has been identified as a command and control site for JackPos malware by cybercrime-tracker.net. For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [http://cybercrime-tracker.net/index.php].</indicator:Description>
      <indicator:Observable idref="opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755">
      </indicator:Observable>
      <indicator:Indicated_TTP>
        <stixCommon:TTP idref="opensource:ttp-5e7b3ebd-d1b3-48d9-9244-f7a80a656913" xsi:type="ttp:TTPType"/>
      </indicator:Indicated_TTP>
      <indicator:Producer>
        <stixCommon:Identity id="opensource:Identity-09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9">
          <stixCommon:Name>cybercrime-tracker.net</stixCommon:Name>
        </stixCommon:Identity>
        <stixCommon:Time>
          <cyboxCommon:Produced_Time>2014-12-16T00:00:00+00:00</cyboxCommon:Produced_Time>
          <cyboxCommon:Received_Time>2014-12-19T03:05:08+00:00</cyboxCommon:Received_Time>
        </stixCommon:Time>
      </indicator:Producer>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
```
And the stix2_validator output:
```
[X] STIX JSON: Invalid
[!] Warning: indicator--0009653e-1576-4f83-a9a4-186485356b00: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[X] relationship--984ebba0-75bf-483b-beab-3a4de4df14f0: 'target_ref' is a required property
[X] indicator--0009653e-1576-4f83-a9a4-186485356b00: Pattern failed to validate: FAIL: Error found at line 1:0. input is missing square brackets.
[X] indicator--0009653e-1576-4f83-a9a4-186485356b00: Pattern failed to validate: FAIL: Error found at line 1:0. mismatched input 'PLACEHOLDER' expecting {'(', '['}.
```
And the elevated STIX version 2, with errors, is:
```json
{
    "id": "bundle--b3dc8722-2c72-4375-90fb-14812edda992",
    "objects": [
        {
            "created": "2020-06-21T09:08:15.518Z",
            "definition": {
                "statement": "Unclassified (Public)"
            },
            "definition_type": "statement",
            "id": "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4"
            ],
            "spec_version": "2.1",
            "type": "marking-definition"
        },
        {
            "created": "2020-06-21T09:08:15.518Z",
            "definition": {
                "statement": "cybercrime-tracker.net | Cybercrime Tracker - no TOU found. A best effort attempt was made to find a TOU (Terms of Use) document on the http://cybercrime-tracker.net/ site, however none was found. We assume that all rights are reserved by Cybercrime Tracker and attribution is required.\n"
            },
            "definition_type": "statement",
            "id": "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
            ],
            "spec_version": "2.1",
            "type": "marking-definition"
        },
        {
            "created": "2015-01-02T14:29:25.190Z",
            "id": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
            "modified": "2015-01-02T14:29:25.190Z",
            "name": "cybercrime-tracker.net",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
                "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
            ],
            "spec_version": "2.1",
            "type": "identity"
        },
        {
            "created": "2015-01-02T14:29:25.190Z",
            "created_by_ref": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
            "description": "This domain onlineservices.ng has been identified as a command and control site for JackPos malware by cybercrime-tracker.net. For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [http://cybercrime-tracker.net/index.php].",
            "id": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
            "indicator_types": [
                "domain-watchlist",
                "url-watchlist"
            ],
            "modified": "2015-01-02T14:29:25.190Z",
            "name": "C2C Site: onlineservices.ng",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "marking-definition--00d7a850-36fb-4da7-9859-d1bf339102d4",
                "marking-definition--b207f2de-8262-4e09-b308-2234e4a1fd1d"
            ],
            "pattern": "PLACEHOLDER:opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755",
            "pattern_type": "stix",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2015-01-02T14:29:25.190267Z"
        },
        {
            "created": "2015-01-02T14:29:25.190Z",
            "created_by_ref": "identity--09aa2edc-ff5f-4e3a-9e19-71e8b23d1bc9",
            "id": "relationship--984ebba0-75bf-483b-beab-3a4de4df14f0",
            "modified": "2015-01-02T14:29:25.190Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
            "spec_version": "2.1",
            "type": "relationship"
        }
    ],
    "type": "bundle"
}
```
This is a reference to an Observable defined elsewhere - but you do not include it in the XML.
The same is true for the indicated TTP.
The XML content you sent was malformed, so I corrected it and included it. Please include the definition of the objects you referenced using idrefs and you should get better results. If not, please send back the changed file and I will continue to look into this issue.
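
The check the reply above asks for, as an added example that is not part of the original thread or of the elevator tool's own code: it lists every `idref` in a STIX 1.x package that has no matching `id` definition, and flags the two symptoms in the elevated bundle (a `PLACEHOLDER` pattern and a relationship with no `target_ref`). The function names `dangling_idrefs` and `unresolved_in_bundle` are hypothetical, and both samples are constructed by trimming the content posted in the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the issue's package, trimmed to elements with id / idref.
STIX1_SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    id="edge:Package-b3dc8722-2c72-4375-90fb-14812edda992">
  <stix:Indicators>
    <stix:Indicator id="opensource:indicator-0009653e-1576-4f83-a9a4-186485356b00">
      <indicator:Observable idref="opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755"/>
      <indicator:Indicated_TTP>
        <stixCommon:TTP idref="opensource:ttp-5e7b3ebd-d1b3-48d9-9244-f7a80a656913"/>
      </indicator:Indicated_TTP>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed sample: the elevated bundle from the issue, trimmed to two objects.
BUNDLE_SAMPLE = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--0009653e-1576-4f83-a9a4-186485356b00",
     "pattern": "PLACEHOLDER:opensource:Observable-1bfd9505-043c-4996-8bea-a18f93d61755"},
    {"type": "relationship", "id": "relationship--984ebba0-75bf-483b-beab-3a4de4df14f0",
     "relationship_type": "indicates",
     "source_ref": "indicator--0009653e-1576-4f83-a9a4-186485356b00"},
]}

def dangling_idrefs(stix1_xml):
    """Return (element name, idref) pairs whose target id is not in the package."""
    # For feeds from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(stix1_xml)
    defined = {el.get("id") for el in root.iter() if el.get("id")}
    return [(el.tag.split("}")[-1], el.get("idref")) for el in root.iter()
            if el.get("idref") and el.get("idref") not in defined]

def unresolved_in_bundle(bundle):
    """Return ids of elevated objects showing the two failures from the issue."""
    bad = []
    for obj in bundle.get("objects", []):
        placeholder = (obj.get("type") == "indicator"
                       and obj.get("pattern", "").startswith("PLACEHOLDER"))
        no_target = obj.get("type") == "relationship" and "target_ref" not in obj
        if placeholder or no_target:
            bad.append(obj["id"])
    return bad

if __name__ == "__main__":
    print(dangling_idrefs(STIX1_SAMPLE))
    print(unresolved_in_bundle(BUNDLE_SAMPLE))
```

Running the first check before elevation shows which referenced objects still need to be added to the package; running the second on the output keeps an unusable indicator from reaching downstream detection tooling.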