I want to propose a new version of the “misp_taxii_hook” package included in “MISP-TAXII-Server”, which is available on the official MISP repository.

Preamble

The purpose is to improve the STIX import via TAXII in MISP. Currently the import system, before importing an IoC, checks whether it already exists in any event. If the item is found, it is discarded. So if MISP receives the same IoC, qualified for different reasons, in two or more STIX reports, or if it has previously been imported some other way, it is imported only the first time the system checks for it and is discarded from every later STIX report.

From a Security Analyst’s point of view, I think it is better to add the attribute, even if it has already been imported by a previous import.

From a Data Analyst’s point of view, I don’t want to duplicate information, because relationship checks would then degrade performance and produce false positives.

The proposed “misp_taxii_hook” package (go to GitHub)

The new hook tries to define a title and a corresponding filename for the STIX report (def detect_title) using the title and description elements of the STIX header.
If this succeeds, it searches for an existing MISP event to detect whether the STIX file has been imported before: the event must have the corresponding “title” and an attachment attribute named as the “filename”. Both conditions must hold!

If nothing is found, a new event is created with the previously defined title, the report as an attachment and the attributes included in the report.

New event for new STIX Report

But if both search conditions (title and attachment) are met, the hook tries to update the detected event: any new attributes are pushed and the STIX report is attached.

Updated event for updated STIX Report

If the STIX report has no title or description in the stix_header element, the hook falls back to the old hook code to import the file.
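The create-or-update decision described above, as an added example (this is not the code of the misp_taxii_hook package or of MISP). The STIX 1.x header is read with the standard library XML parser; the MISP server is replaced by an in-memory list of event dicts shaped like MISP’s JSON (`info`, plus `Attribute` entries with `type` and `value`); the rule that the attachment filename is a slug of the title, the `import_report` function and its `"fallback"` return value are assumptions made for illustration. Indicators are passed in already converted to MISP (type, value) pairs, so the STIX-to-attribute conversion step is not shown. The sample reports are constructed, not real TAXII traffic.

```python
"""Create-or-update logic for a STIX-via-TAXII import hook (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace of stix:STIX_Package / stix:STIX_Header in STIX 1.x documents.
STIX_NS = {"stix": "http://stix.mitre.org/stix-1"}

# Constructed sample reports (not real TAXII traffic).
SAMPLE_REPORT = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1">
  <stix:STIX_Header>
    <stix:Title>Campaign X weekly report</stix:Title>
    <stix:Description>Infrastructure observed this week</stix:Description>
  </stix:STIX_Header>
</stix:STIX_Package>"""

UNTITLED_REPORT = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1">
  <stix:STIX_Header><stix:Title>Only a title, no description</stix:Title></stix:STIX_Header>
</stix:STIX_Package>"""


def detect_title(package_xml):
    """Return (title, filename) from the STIX_Header, or None when Title or
    Description is missing, which is the signal to fall back to the old hook."""
    root = ET.fromstring(package_xml)
    header = root.find("stix:STIX_Header", STIX_NS)
    if header is None:
        return None
    title = header.findtext("stix:Title", default="", namespaces=STIX_NS).strip()
    desc = header.findtext("stix:Description", default="", namespaces=STIX_NS).strip()
    if not title or not desc:
        return None
    # Assumed rule: the attachment filename is a slug of the title plus ".xml".
    slug = re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")
    return title, slug + ".xml"


def find_existing_event(events, title, filename):
    """Return the event whose title matches AND that already carries an
    attachment attribute named filename; both conditions must hold."""
    for event in events:
        if event["info"] != title:
            continue
        if any(a["type"] == "attachment" and a["value"] == filename
               for a in event["Attribute"]):
            return event
    return None


def import_report(events, package_xml, indicators):
    """Import one STIX report into the (in-memory) event list.

    indicators: (type, value) pairs already converted from the report.
    Returns (action, event) with action "created", "updated" or "fallback".
    """
    detected = detect_title(package_xml)
    if detected is None:
        return "fallback", None  # no title/description: old hook code takes over
    title, filename = detected
    event = find_existing_event(events, title, filename)
    if event is None:
        event = {"info": title, "Attribute": []}
        events.append(event)
        action = "created"
    else:
        action = "updated"
    # Duplicates are checked only inside this event, not across all of MISP,
    # so an IoC already known from another report is still added here.
    present = {(a["type"], a["value"]) for a in event["Attribute"]}
    for attr_type, value in indicators:
        if (attr_type, value) not in present:
            event["Attribute"].append({"type": attr_type, "value": value})
            present.add((attr_type, value))
    # Attach the report itself; a real hook would upload the XML file as a
    # MISP attachment attribute carrying this filename.
    if ("attachment", filename) not in present:
        event["Attribute"].append({"type": "attachment", "value": filename})
    return action, event


if __name__ == "__main__":
    events = [{"info": "Other report",
               "Attribute": [{"type": "ip-dst", "value": "198.51.100.7"}]}]
    print(import_report(events, SAMPLE_REPORT,
                        [("ip-dst", "198.51.100.7"), ("domain", "bad.example")])[0])
    print(import_report(events, SAMPLE_REPORT,
                        [("ip-dst", "198.51.100.7"), ("url", "http://bad.example/x")])[0])
    print(import_report(events, UNTITLED_REPORT, [])[0])
```

Running the block imports the same report twice: the first call creates an event that still receives 198.51.100.7 even though “Other report” already holds it (the Security Analyst’s wish), the second call updates that event and adds only the new URL (the Data Analyst’s wish, within one report’s event), and the untitled report signals the fallback to the old code path.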

How to test it

Some of you may have noticed that the old Pentest.it is now “infosec.cert-pa.it”. Since the last time I wrote about it, the service has been improved with new features and sections focused on IoC collection and correlation.

What’s new.
Two new modules have been added to the web application:

Blocklist Module

The blocklist module collects IoCs from a large number of public lists. The web application allows you to search for URLs, IPs and FQDNs. You can search for a single item using the “Search” tab. The query result shows whether an exact match was found, and also lists similar results.

Using the “Bulk Search” tab you can submit up to 100 items per query, but in this case only exact matches are displayed. In either case you can export the results in CSV format.

Analyzer Module

The analyzer module is an automatic suspicious file analyzer. Each report page contains the static analysis of the file and a basic behavioral analysis. The submitted files come from OSINT sources (and not only). You can subscribe to the RSS feed if you want to be notified of every submitted file.

The easiest way to find information is to use the dedicated search engine. You can search by MD5, SHA1 or SHA256 simply by submitting the corresponding hash.

Special searches are available with the use of the following keywords:

  • imphash:$IMPORT_TABLE_HASH
  • domain:$FQDN
  • url:$URL_HOSTING_MALWARE

The search results page uses a permalink structure that you can reuse for further searches. The search results can be exported in CSV format; the CSV link is available on the same page and mirrors the permalink structure of the web search.

Another way to aggregate data is the tagging system. Occasionally a report includes comments, and comments are often used to add keywords, making the report aggregable via tag search. An example using one of the latest detected threats: #EternalRocks.

Any report can be exported in PDF format, at this time with limited information.

Hope this helps.