PyPI - txt2stix - Versions diffs - 1.0.2__tar.gz → 1.0.3__tar.gz - Mend

txt2stix 1.0.2tar.gz → 1.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

{txt2stix-1.0.2 → txt2stix-1.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.0.2
+Version: 1.0.3
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.0.2 → txt2stix-1.0.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2stix"
-version = "1.0.2"
+version = "1.0.3"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.0.2 → txt2stix-1.0.3}/tests/src/test_attack_flow.py RENAMED Viewed

@@ -3,9 +3,7 @@ import pytest
 from unittest.mock import MagicMock, patch
 from stix2extensions._extensions import attack_flow_ExtensionDefinitionSMO
-from txt2stix.ai_extractor.utils import (
-    AttackFlowList,
-)
+from txt2stix.ai_extractor.utils import AttackFlowList, AttackFlowItem
 from txt2stix.attack_flow import (
     create_navigator_layer,
     get_all_tactics,
@@ -55,6 +53,7 @@ def test_parse_flow__no_success(dummy_report):
             success=False,
             matrix="enterprise",
             items=[],
+            tactic_selection=[],
         ),
         None,
         None,
@@ -71,28 +70,28 @@ def test_get_techniques_from_extracted_objects(dummy_objects):
         "T0814": {
             "domain": "ics-attack",
             "name": "Denial of Service",
-            "possible_tactics": {"TA0107": "inhibit-response-function"},
+            "possible_tactics": {"inhibit-response-function": "TA0107"},
             "id": "T0814",
             "platforms": [],
         },
         "T0887": {
             "domain": "ics-attack",
             "name": "Wireless Sniffing",
-            "possible_tactics": {"TA0102": "discovery" , "TA0100": "collection"},
+            "possible_tactics": {"discovery": "TA0102", "collection": "TA0100"},
             "id": "T0887",
             "platforms": [],
         },
         "T1505.001": {
             "domain": "enterprise-attack",
             "name": "SQL Stored Procedures",
-            "possible_tactics": {"TA0003":"persistence"},
+            "possible_tactics": {"persistence": "TA0003"},
             "id": "T1505.001",
             "platforms": ["Windows", "Linux"],
         },
         "T1555.002": {
             "domain": "enterprise-attack",
             "name": "Securityd Memory",
-            "possible_tactics": {"TA0006": "credential-access"},
+            "possible_tactics": {"credential-access": "TA0006"},
             "id": "T1555.002",
             "platforms": ["Linux", "macOS"],
         },
@@ -202,15 +201,36 @@ def test_create_navigator_layer(dummy_report):
         "TA91": "exfiltration",
     }
     flow.items = [
-        SimpleNamespace(attack_technique_id="T0001", attack_tactic_id="TA01"),
-        SimpleNamespace(attack_technique_id="T0002", attack_tactic_id="TA02"),
-        SimpleNamespace(attack_technique_id="T0003", attack_tactic_id="TA03"),
-        SimpleNamespace(attack_technique_id="T1001", attack_tactic_id="TA11"),
-        SimpleNamespace(attack_technique_id="T1002", attack_tactic_id="TA12"),
-        SimpleNamespace(attack_technique_id="T1003", attack_tactic_id="TA25"),
-        SimpleNamespace(attack_technique_id="T2001", attack_tactic_id="TA11"),
-        SimpleNamespace(attack_technique_id="T2002", attack_tactic_id="TA123"),
-        SimpleNamespace(attack_technique_id="T2003", attack_tactic_id="TA91"),
+        SimpleNamespace(
+            attack_technique_id="T0001",
+            attack_tactic_id="TA01",
+            description="description 1",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T0003",
+            attack_tactic_id="TA03",
+            description="description 2",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T1001",
+            attack_tactic_id="TA11",
+            description="description 3",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T1002",
+            attack_tactic_id="TA12",
+            description="description 4",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T2001",
+            attack_tactic_id="TA11",
+            description="description 28jhsjhs",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T2003",
+            attack_tactic_id="TA91",
+            description="description sasa",
+        ),
     ]
     techniques = {
         "T0001": dict(
@@ -239,18 +259,25 @@ def test_create_navigator_layer(dummy_report):
             "name": "some markdown document",
             "domain": "enterprise-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T0001", "tactic": "initial-access"},
-                {"techniqueID": "T0002", "tactic": "lateral-movement"},
-                {"techniqueID": "T0003", "tactic": "command-and-control"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -258,18 +285,25 @@ def test_create_navigator_layer(dummy_report):
             "name": "some markdown document",
             "domain": "ics-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T1001", "tactic": "initial-access"},
-                {"techniqueID": "T1002", "tactic": "lateral-movement"},
-                {"techniqueID": "T1003", "tactic": "command-and-control"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -277,18 +311,25 @@ def test_create_navigator_layer(dummy_report):
             "name": "some markdown document",
             "domain": "mobile-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T2001", "tactic": "initial-access"},
-                {"techniqueID": "T2002", "tactic": "persistence"},
-                {"techniqueID": "T2003", "tactic": "exfiltration"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
     ]
@@ -307,8 +348,20 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
             "domain": "ics-attack",
             "description": "a summary",
             "techniques": [
-                {"techniqueID": "T0814", "tactic": "inhibit-response-function"},
-                {"techniqueID": "T0887", "tactic": "discovery"},
+                {
+                    "techniqueID": "T0814",
+                    "tactic": "inhibit-response-function",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "The SQL injection requests lead to a denial of service condition, disrupting the availability of the targeted service.",
+                },
+                {
+                    "techniqueID": "T0887",
+                    "tactic": "discovery",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "The attack begins by using Wireshark to sniff network packets with a specific source, indicating a reconnaissance or discovery phase to gather information about the network traffic.",
+                },
             ],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
@@ -316,7 +369,18 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -325,8 +389,20 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
             "domain": "enterprise-attack",
             "description": "a summary",
             "techniques": [
-                {"techniqueID": "T1505.001", "tactic": "persistence"},
-                {"techniqueID": "T1555.002", "tactic": "credential-access"},
+                {
+                    "techniqueID": "T1505.001",
+                    "tactic": "persistence",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "A series of SQL injection requests are sent to a specific port, potentially to establish persistence or manipulate database operations.",
+                },
+                {
+                    "techniqueID": "T1555.002",
+                    "tactic": "credential-access",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "An additional method is employed to bypass Securityd, likely to gain unauthorized access to credentials or sensitive information.",
+                },
             ],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
@@ -334,7 +410,18 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
     ]
@@ -623,33 +710,35 @@ def dummy_flow():
             "items": [
                 {
                     "position": 0,
-                    "attack_tactic_id": "TA0102",
                     "attack_technique_id": "T0887",
                     "name": "Packet Sniffing with Wireshark",
                     "description": "The attack begins by using Wireshark to sniff network packets with a specific source, indicating a reconnaissance or discovery phase to gather information about the network traffic.",
                 },
                 {
                     "position": 1,
-                    "attack_tactic_id": "TA0003",
                     "attack_technique_id": "T1505.001",
                     "name": "SQL Injection for Persistence",
                     "description": "A series of SQL injection requests are sent to a specific port, potentially to establish persistence or manipulate database operations.",
                 },
                 {
                     "position": 2,
-                    "attack_tactic_id": "TA0107",
                     "attack_technique_id": "T0814",
                     "name": "Denial of Service via SQLi",
                     "description": "The SQL injection requests lead to a denial of service condition, disrupting the availability of the targeted service.",
                 },
                 {
                     "position": 3,
-                    "attack_tactic_id": "TA0006",
                     "attack_technique_id": "T1555.002",
                     "name": "Bypassing Securityd",
                     "description": "An additional method is employed to bypass Securityd, likely to gain unauthorized access to credentials or sensitive information.",
                 },
             ],
             "success": True,
+            "tactic_selection": [
+                ("T0887", "discovery"),
+                ("T1505.001", "persistence"),
+                ("T0814", "inhibit-response-function"),
+                ("T1555.002", "credential-access"),
+            ],
         }
     )

{txt2stix-1.0.2 → txt2stix-1.0.3}/tests/src/test_main.py RENAMED Viewed

@@ -146,7 +146,21 @@ def test_parse_args_fails(monkeypatch):
         "standard",
         "--ai_create_attack_flow",
     ])
-    with pytest.raises(argparse.ArgumentError, match="--ai_create_attack_flow requires --ai_settings_relationships"):
+    with pytest.raises(argparse.ArgumentError, match="argument --ai_create_attack_flow: --ai_settings_relationships must be set"):
+        parse_args()
+    monkeypatch.setattr(sys, 'argv', [
+        "program",
+        "--input-file",
+        tmp.name,
+        "--name",
+        "a",
+        "--relationship_mode",
+        "standard",
+        "--ai_create_attack_navigator_layer",
+    ])
+    with pytest.raises(argparse.ArgumentError, match="argument --ai_create_attack_navigator_layer: --ai_settings_relationships must be set"):
         parse_args()
     monkeypatch.setattr(sys, 'argv', [

{txt2stix-1.0.2 → txt2stix-1.0.3}/txt2stix/attack_flow.py RENAMED Viewed

@@ -21,14 +21,14 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
     for i, item in enumerate(flow.items):
         try:
             technique = techniques[item.attack_technique_id]
-            tactic_id = technique['possible_tactics'][flow.tactic_mapping[item.attack_technique_id]]
+            tactic_id = technique["possible_tactics"][
+                flow.tactic_mapping[item.attack_technique_id]
+            ]
             technique_obj = technique["stix_obj"]
             tactic_obj = tactics[technique["domain"]][tactic_id]
             action_obj = AttackAction(
                 **{
-                    "id": flow_id(
-                        report["id"], item.attack_technique_id, tactic_id
-                    ),
+                    "id": flow_id(report["id"], item.attack_technique_id, tactic_id),
                     "effect_refs": [f"attack-action--{str(uuid.uuid4())}"],
                     "technique_id": item.attack_technique_id,
                     "technique_ref": technique_obj["id"],
@@ -149,14 +149,21 @@ def get_techniques_from_extracted_objects(objects: dict, tactics: dict):
 def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
     domains = {}
+    comments = {item.attack_technique_id: item.description for item in flow.items}
     for technique in techniques.values():
         domain_techniques = domains.setdefault(technique["domain"], [])
         technique_id = technique["id"]
         if technique_id not in flow.tactic_mapping:
             continue
-        domain_techniques.append(
-            dict(techniqueID=technique_id, tactic=flow.tactic_mapping[technique_id])
+        technique_item = dict(
+            techniqueID=technique_id,
+            tactic=flow.tactic_mapping[technique_id],
+            score=100,
+            showSubtechniques=True,
         )
+        if comment := comments.get(technique_id):
+            technique_item["comment"] = comment
+        domain_techniques.append(technique_item)
     retval = []
@@ -174,7 +181,13 @@ def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
                     "maxValue": 100,
                 },
                 "legendItems": [],
-                "metadata": [],
+                "metadata": [{"name": "report_id", "value": report.id}],
+                "links": [
+                    {
+                        "label": "Generated using txt2stix",
+                        "url": "https://github.com/muchdogesec/txt2stix/",
+                    }
+                ],
                 "layout": {"layout": "side"},
             }
         )
@@ -192,9 +205,8 @@ def extract_attack_flow_and_navigator(
     tactics = get_all_tactics()
     techniques = get_techniques_from_extracted_objects(bundler.bundle.objects, tactics)
     logged_techniques = [
-            {k: v for k, v in t.items() if k != "stix_obj"}
-            for t in techniques.values()
-        ]
+        {k: v for k, v in t.items() if k != "stix_obj"} for t in techniques.values()
+    ]
     logging.debug(f"parsed techniques: {json.dumps(logged_techniques, indent=4)}")
     flow = ex.extract_attack_flow(preprocessed_text, techniques)
@@ -204,5 +216,7 @@ def extract_attack_flow_and_navigator(
         bundler.flow_objects = parse_flow(bundler.report, flow, techniques, tactics)
     if ai_create_attack_navigator_layer:
-        navigator = create_navigator_layer(bundler.report, bundler.summary, flow, techniques)
+        navigator = create_navigator_layer(
+            bundler.report, bundler.summary, flow, techniques
+        )
     return flow, navigator

{txt2stix-1.0.2 → txt2stix-1.0.3}/txt2stix/txt2stix.py RENAMED Viewed

@@ -440,11 +440,11 @@ def main():
         output_path = output_dir/f"{bundler.bundle.id}.json"
         output_path.write_text(out)
         logger.info(f"Wrote bundle output to `{output_path}`")
-        data_path = output_dir/"data.json"
+        data_path = output_dir/f"data--{args.report_id}.json"
         data_path.write_text(data.model_dump_json(indent=4))
         logger.info(f"Wrote data output to `{data_path}`")
         for nav_layer in data.navigator_layer or []:
-            nav_path = output_dir/f"navigator-{nav_layer['domain']}.json"
+            nav_path = output_dir/f"navigator-{nav_layer['domain']}----{args.report_id}.json"
             nav_path.write_text(json.dumps(nav_layer, indent=4))
             logger.info(f"Wrote navigator output to `{nav_path}`")
     except argparse.ArgumentError as e: