topic Re: MineMeld for importing STIX XML files in General Topics

MineMeld for importing STIX XML files

Vladimir_S — Thu, 31 May 2018 15:51:12 GMT

Hey guys,

I hope you are all doing great.

Its my first touch to both STIX XML files and MindMeld, so I was hoping to get a shed of light with at least if it is possible?

I am trying to find a way to import manually a STIX file (which I have attached) to the MindMeld so that it can feed my VM-100 FWs, is that possible and how can I accomplish it?

Thanks in advance for your awesomeness!

Best regards,
Petar

Re: MineMeld for importing STIX XML files

xhoms — Thu, 07 Jun 2018 21:44:48 GMT

Hi @Vladimir_S,

how often do you need to feed such a file content to MineMeld?

I'd suggest pipelining it through a xslt transformation to extract the indicators and the push the result to MineMeld using its localDB miner API.

For example, the following XSLT file extract the indicators in the file you just shared.

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
	xmlns:indicator="http://stix.mitre.org/Indicator-2"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<xsl:output method="text" omit-xml-declaration="yes" />

<xsl:template match="//stix:Indicator/indicator:Observable//AddressObj:Address_Value">
<xsl:value-of select="." />
    <xsl:text>&#xa;</xsl:text>
</xsl:template>

<xsl:template match="node()|@*">
  <xsl:apply-templates select="node()|@*"/>
</xsl:template>

</xsl:stylesheet>

Pipeline example:

xhoms$ cat TA18-149A.stix.xml | xsltproc stixx_address.xslt -
181.1.253.234
200.82.62.24
81.243.151.226
81.247.219.196
138.204.211.197
...

Re: MineMeld for importing STIX XML files

Vladimir_S — Mon, 11 Jun 2018 08:17:54 GMT

Hey @xhoms,

Really appreciate the help!

Can you provide me instructions how to pipeline it through a xslt transformation to extract the indicators and the push the result to MineMeld using its localDB miner API?

Sorry for the pain-in-the-arse, but I am really kinda new to this method of feed.

Thanks in advance.

Best regards,

Petar Trifonov

Re: MineMeld for importing STIX XML files

Vladimir_S — Mon, 11 Jun 2018 08:22:36 GMT

Sorry for the split reply.

However, this is not extracting the MD5 of the detected files. Any ideas?

Thanks!

BR,

Petar