
Email with Attachment creates attachment.zip #137

Open
hanymorcos opened this issue Dec 13, 2018 · 2 comments

Comments

@hanymorcos

hanymorcos commented Dec 13, 2018

I'm using STIX samples from https://stix.mitre.org/language/version1.1.1/samples.html. How are attachments handled in STIX 2.1? Where should the file attachments.zip exist? Should attachments.zip be created part of the transformation process?

https://raw.githubusercontent.com/STIXProject/schemas/version_1.1.1/samples/STIX_Email_wFullAttachment.xml

{
    "id": "bundle--075427ae-4021-410c-8d0b-2cde003a1e7b",
    "objects": [
        {
            "created": "2014-05-08T09:00:00.000Z",
            "first_observed": "2014-05-08T09:00:00.000Z",
            "id": "observed-data--9d299eb7-c089-465a-bf5f-d6283c251645",
            "last_observed": "2014-05-08T09:00:00.000Z",
            "modified": "2014-05-08T09:00:00.000Z",
            "number_observed": 1,
            "objects": {
                "0": {
                    "is_multipart": false,
                    "type": "email-message"
                },
                "1": {
                    "name": "attachments.zip",
                    "type": "file"
                }
            },
            "spec_version": "2.1",
            "type": "observed-data"
        }
    ],
    "type": "bundle"
}
@rpiazza
Contributor

rpiazza commented Jan 23, 2019

Thanks @hanymorcos!

The elevator should have created a file or archive file which referenced an artifact. I'll look into this, but it might be beyond the capabilities of the elevator at this time.

@rpiazza
Contributor

rpiazza commented Jan 23, 2019

I looked into this, and I was correct - the elevator doesn't handle this content. It is certainly legal STIX 1.x, but I don't think this would have been the optimal way to encode this email message. That was part of the problem with STIX 1.x, there were so many different ways to specify the same content.

For one, there is an <email:attachments> tag that I would probably have used instead of just having the attachment as a related object. Here is an example where that was done, and it is supported by the elevator.

<cybox:Object id="example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2">
  <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
    <EmailMessageObj:Attachments>
      <EmailMessageObj:File object_reference="example:File-c182bcb6-8023-44a8-b340-157295abc8a6"/>
    </EmailMessageObj:Attachments>
  </cybox:Properties>
  <cybox:Related_Objects>
    <cybox:Related_Object id="example:File-c182bcb6-8023-44a8-b340-157295abc8a6">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name condition="StartsWith">Final Report</FileObj:File_Name>
        <FileObj:File_Extension condition="Equals">doc.exe</FileObj:File_Extension>
      </cybox:Properties>
      <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
    </cybox:Related_Object>
  </cybox:Related_Objects>
</cybox:Object>

I will keep this open as an enhancement request.
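As an added example (not code from the stix2-elevator project or from either commenter), the following Python script takes the `EmailMessageObj:Attachments` form of the email shown in the comment above, resolves each `object_reference` against `cybox:Related_Objects`, and emits a STIX 2.x observed-data object in which the `email-message` actually links to its `file` through `body_multipart` / `body_raw_ref`, rather than the two unlinked objects in the elevator output at the top of the issue. Assumptions: the CybOX 2.x namespace URIs in `NS` are declared on a constructed wrapper element because the fragment in the comment omits them; the output keeps the `objects` dict keyed `"0"`, `"1"` that the elevator output above uses; the observed-data id is generated with `uuid4`; the function and field names are mine.

```python
"""Convert a CybOX 1.x EmailMessage with <EmailMessageObj:Attachments> into a
STIX 2.x observed-data whose email-message references its attached file."""
import json
import uuid
import xml.etree.ElementTree as ET

# CybOX 2.x namespace URIs (assumption: the fragment in the comment omits the
# xmlns declarations, so the constructed sample below declares them itself).
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the <cybox:Object> from the comment, wrapped in a <root>
# element so the prefixes resolve. The object itself is unchanged.
SAMPLE_XML = "<root " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">" + """
<cybox:Object id="example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2">
  <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
    <EmailMessageObj:Attachments>
      <EmailMessageObj:File object_reference="example:File-c182bcb6-8023-44a8-b340-157295abc8a6"/>
    </EmailMessageObj:Attachments>
  </cybox:Properties>
  <cybox:Related_Objects>
    <cybox:Related_Object id="example:File-c182bcb6-8023-44a8-b340-157295abc8a6">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name condition="StartsWith">Final Report</FileObj:File_Name>
        <FileObj:File_Extension condition="Equals">doc.exe</FileObj:File_Extension>
      </cybox:Properties>
      <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
    </cybox:Related_Object>
  </cybox:Related_Objects>
</cybox:Object>
</root>"""


def parse_email_attachments(xml_text):
    """Return (email_id, attachments). Each attachment records the referenced
    CybOX id, the file name and extension, and the condition attribute on each
    of those fields. A dangling object_reference is treated as an error."""
    obj = ET.fromstring(xml_text).find("cybox:Object", NS)
    if obj is None:
        raise ValueError("no cybox:Object element found")
    # Index the Related_Object elements so references can be resolved.
    related = {ro.get("id"): ro
               for ro in obj.iterfind("cybox:Related_Objects/cybox:Related_Object", NS)}
    attachments = []
    path = "cybox:Properties/EmailMessageObj:Attachments/EmailMessageObj:File"
    for ref in obj.iterfind(path, NS):
        target = ref.get("object_reference")
        if target not in related:
            raise ValueError(f"attachment references unknown object {target!r}")
        props = related[target].find("cybox:Properties", NS)
        entry = {"cybox_id": target, "name": None, "extension": None, "conditions": {}}
        for field, key in (("File_Name", "name"), ("File_Extension", "extension")):
            el = props.find(f"FileObj:{field}", NS)
            if el is not None:
                entry[key] = el.text
                entry["conditions"][key] = el.get("condition", "Equals")
        attachments.append(entry)
    return obj.get("id"), attachments


def to_observed_data(attachments, observed_at):
    """Build a STIX 2.x observed-data in which the email-message links each
    attachment via body_multipart/body_raw_ref. Returns (observed_data, warnings).
    A warning is recorded for any condition other than Equals: observed-data
    records a single observation and cannot carry pattern semantics."""
    warnings = []
    email = {"type": "email-message", "is_multipart": bool(attachments)}
    objects = {"0": email}
    if attachments:
        email["body_multipart"] = []
    for index, att in enumerate(attachments, start=1):
        for key, cond in att["conditions"].items():
            if cond != "Equals":
                warnings.append(f"{att['cybox_id']}: {key} condition {cond!r} not representable")
        filename = ".".join(p for p in (att["name"], att["extension"]) if p)
        objects[str(index)] = {"type": "file", "name": filename}
        email["body_multipart"].append({
            "content_disposition": f'attachment; filename="{filename}"',
            "body_raw_ref": str(index),  # key of the file object in this dict
        })
    observed = {
        "type": "observed-data", "spec_version": "2.1",
        "id": "observed-data--" + str(uuid.uuid4()),
        "created": observed_at, "modified": observed_at,
        "first_observed": observed_at, "last_observed": observed_at,
        "number_observed": 1, "objects": objects,
    }
    return observed, warnings


if __name__ == "__main__":
    _, atts = parse_email_attachments(SAMPLE_XML)
    data, warns = to_observed_data(atts, "2014-05-08T09:00:00.000Z")
    print(json.dumps(data, indent=2))
    print("warnings:", warns)
```

Note the `condition="StartsWith"` on the file name in the comment's fragment: it means the CybOX object is really describing a match criterion, not something that was observed, which is why the script reports it as a warning rather than silently producing an observed-data object that claims a file named exactly `Final Report.doc.exe` was seen. Content like that is better elevated to an indicator with a pattern than to observed-data.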
