A few thoughts on how you might start to tackle STIX having done a bit of this now:
* First choice would be whether to go for STIX 1.2, STIX 2.1, or both. STIX 2.1 is the standard which will grow more into the future, but it's relatively new and there's still certainly STIX 1.2 feeds around.
* There are quite a few entity types (e.g. TTPs, campaigns) in STIX which are more designed for inter-entity relationship glue, which might need some careful thought to represent via reference IDs in IntelMQ events.
* Naturally there's just the initial work of mapping the STIX taxonomy to the IntelMQ taxonomy and managing any differences.
I'd suggest making the scope of a STIX bot limited to begin with rather than trying to implement the entire STIX spec. STIX 2.1 would be the default choice as the more future-proof standard, and I'd just focus on Indicators to start as the STIX entity type which would most easily map to IntelMQ events (e.g. extracting malware hashes, phishing URLs and other observables).
Best regards,
Chris
On 11 Jan 2022, at 10:49 am, L. Aaron Kaplan aaron@lo-res.org wrote:
There is some attempt to try to bring in STIX. I know, this is just a teaser so far... and I can't promise anything. But at least I am aware of an attempt...
What I am wondering about is if adding STIX makes the processing still manageable. Like what would each bot need to look out for? In the internal data format as we have it now, things are quite simple and quite well defined: the IDF format clearly says which key-value pairs may exist. In STIX , things become a bit more complex. Is anyone aware of how other systems solved this problem?
Thanks, Aaron.
On 10.01.2022, at 15:19, Joaquin Cabrera joaquin.cabrera@cert.uy wrote:
Hi Aaron!
That would be great! At the time we don't have a developer team, nor detailed knowledge about STIX format to help : (
We will use another tool in the mean time, thank you for your answer!
Regards,
Joaquín
El 5/1/22 a las 19:26, L. Aaron Kaplan escribió:
Hi Joaquin,
I think that's a really good idea. Note that STIX has more of a graph structure, so - at least currently - that would somehow have to be flattened and mapped to intelMQ's internal data format. As far as I know there is no taxii collector (yet).
I would be interested in one as well.
Let me discuss with a few folks how/if this can be implemented.
Best, Aaron.
On 05.01.2022, at 21:05, Joaquin Cabrera joaquin.cabrera@cert.uy wrote:
Dear community,
I'm looking for a collector bot to retrieve data from a taxii server, but i couldn't find any. We are tying to use intelMQ as our main tool to collect all security feeds and one of them is a taxii feed.
Does anyone have this kind of scenario?
Best regards,
Joaquín Cabrera CERTuy - AGESIC
Torre Ejecutiva Anexo Liniers 1280 piso 1 Tel: (+598) 2901 2929 Int. 8509 (11.000) Montevideo – URUGUAY www.agesic.gub.uy
-- List settings: https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users IntelMQ Documentation: https://intelmq.readthedocs.io/
-- Joaquín Cabrera CERTuy - AGESIC
Torre Ejecutiva Anexo Liniers 1280 piso 1 Tel: (+598) 2901 2929 Int. 8509 (11.000) Montevideo – URUGUAY www.agesic.gub.uy
-- List settings: https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users IntelMQ Documentation: https://intelmq.readthedocs.io/
-- List settings: https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users IntelMQ Documentation: https://intelmq.readthedocs.io/