txt2stix 1.0.2__tar.gz → 1.0.4__tar.gz

{txt2stix-1.0.2 → txt2stix-1.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.0.2
+Version: 1.0.4
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.0.2 → txt2stix-1.0.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2stix"
-version = "1.0.2"
+version = "1.0.4"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.0.2 → txt2stix-1.0.4}/tests/src/test_attack_flow.py

@@ -3,9 +3,7 @@ import pytest
 from unittest.mock import MagicMock, patch
 from stix2extensions._extensions import attack_flow_ExtensionDefinitionSMO
 
-from txt2stix.ai_extractor.utils import (
-    AttackFlowList,
-)
+from txt2stix.ai_extractor.utils import AttackFlowList, AttackFlowItem
 from txt2stix.attack_flow import (
     create_navigator_layer,
     get_all_tactics,
@@ -55,6 +53,7 @@ def test_parse_flow__no_success(dummy_report):
             success=False,
             matrix="enterprise",
             items=[],
+            tactic_selection=[],
         ),
         None,
         None,
@@ -71,28 +70,28 @@ def test_get_techniques_from_extracted_objects(dummy_objects):
         "T0814": {
             "domain": "ics-attack",
             "name": "Denial of Service",
-            "possible_tactics": {"TA0107": "inhibit-response-function"},
+            "possible_tactics": {"inhibit-response-function": "TA0107"},
             "id": "T0814",
             "platforms": [],
         },
         "T0887": {
             "domain": "ics-attack",
             "name": "Wireless Sniffing",
-            "possible_tactics": {"TA0102": "discovery" , "TA0100": "collection"},
+            "possible_tactics": {"discovery": "TA0102", "collection": "TA0100"},
             "id": "T0887",
             "platforms": [],
         },
         "T1505.001": {
             "domain": "enterprise-attack",
             "name": "SQL Stored Procedures",
-            "possible_tactics": {"TA0003":"persistence"},
+            "possible_tactics": {"persistence": "TA0003"},
             "id": "T1505.001",
             "platforms": ["Windows", "Linux"],
         },
         "T1555.002": {
             "domain": "enterprise-attack",
             "name": "Securityd Memory",
-            "possible_tactics": {"TA0006": "credential-access"},
+            "possible_tactics": {"credential-access": "TA0006"},
             "id": "T1555.002",
             "platforms": ["Linux", "macOS"],
         },
@@ -128,7 +127,7 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
             "txt2stix.attack_flow.create_navigator_layer"
         ) as mock_create_navigator_layer,
     ):
-        ## Both flow and navigator
+        # ================= Both flow and navigator ===================
         flow, nav = extract_attack_flow_and_navigator(
             bundler, text, True, True, ai_extractor
         )
@@ -151,7 +150,7 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
         mock_create_navigator_layer.reset_mock()
         mock_extract_flow.reset_mock()
 
-        ## only flow
+        # ================= only flow ===================
         flow, nav = extract_attack_flow_and_navigator(
             bundler, text, True, False, ai_extractor
         )
@@ -169,7 +168,7 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
         mock_create_navigator_layer.reset_mock()
         mock_extract_flow.reset_mock()
 
-        ## only navigator
+        # ================= only navigator ===================
         flow, nav = extract_attack_flow_and_navigator(
             bundler, text, False, True, ai_extractor
         )
@@ -185,6 +184,21 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
             bundler.report, bundler.summary, mock_extract_flow.return_value, techniques
         )
 
+        ### reset mocks
+        mock_parse_flow.reset_mock()
+        mock_create_navigator_layer.reset_mock()
+        mock_extract_flow.reset_mock()
+        # ============ no technique object ============
+        bundler.bundle.objects = []
+        flow, nav = extract_attack_flow_and_navigator(
+            bundler, text, True, True, ai_extractor
+        )
+        mock_extract_flow.assert_not_called()
+        assert (flow, nav) == (None, None)
+        mock_parse_flow.assert_not_called()
+
+        mock_create_navigator_layer.assert_not_called()
+
 
 def test_create_navigator_layer(dummy_report):
     summary = "this is a summary"
@@ -202,15 +216,36 @@ def test_create_navigator_layer(dummy_report):
         "TA91": "exfiltration",
     }
     flow.items = [
-        SimpleNamespace(attack_technique_id="T0001", attack_tactic_id="TA01"),
-        SimpleNamespace(attack_technique_id="T0002", attack_tactic_id="TA02"),
-        SimpleNamespace(attack_technique_id="T0003", attack_tactic_id="TA03"),
-        SimpleNamespace(attack_technique_id="T1001", attack_tactic_id="TA11"),
-        SimpleNamespace(attack_technique_id="T1002", attack_tactic_id="TA12"),
-        SimpleNamespace(attack_technique_id="T1003", attack_tactic_id="TA25"),
-        SimpleNamespace(attack_technique_id="T2001", attack_tactic_id="TA11"),
-        SimpleNamespace(attack_technique_id="T2002", attack_tactic_id="TA123"),
-        SimpleNamespace(attack_technique_id="T2003", attack_tactic_id="TA91"),
+        SimpleNamespace(
+            attack_technique_id="T0001",
+            attack_tactic_id="TA01",
+            description="description 1",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T0003",
+            attack_tactic_id="TA03",
+            description="description 2",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T1001",
+            attack_tactic_id="TA11",
+            description="description 3",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T1002",
+            attack_tactic_id="TA12",
+            description="description 4",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T2001",
+            attack_tactic_id="TA11",
+            description="description 28jhsjhs",
+        ),
+        SimpleNamespace(
+            attack_technique_id="T2003",
+            attack_tactic_id="TA91",
+            description="description sasa",
+        ),
     ]
     techniques = {
         "T0001": dict(
@@ -232,25 +267,31 @@ def test_create_navigator_layer(dummy_report):
 
     retval = create_navigator_layer(dummy_report, summary, flow, techniques)
     assert len(retval) == 3
-    print(retval)
     assert retval == [
         {
             "version": "4.5",
             "name": "some markdown document",
             "domain": "enterprise-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T0001", "tactic": "initial-access"},
-                {"techniqueID": "T0002", "tactic": "lateral-movement"},
-                {"techniqueID": "T0003", "tactic": "command-and-control"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -258,18 +299,25 @@ def test_create_navigator_layer(dummy_report):
             "name": "some markdown document",
             "domain": "ics-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T1001", "tactic": "initial-access"},
-                {"techniqueID": "T1002", "tactic": "lateral-movement"},
-                {"techniqueID": "T1003", "tactic": "command-and-control"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -277,18 +325,25 @@ def test_create_navigator_layer(dummy_report):
             "name": "some markdown document",
             "domain": "mobile-attack",
             "description": "this is a summary",
-            "techniques": [
-                {"techniqueID": "T2001", "tactic": "initial-access"},
-                {"techniqueID": "T2002", "tactic": "persistence"},
-                {"techniqueID": "T2003", "tactic": "exfiltration"},
-            ],
+            "techniques": [],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
                 "minValue": 0,
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
     ]
@@ -307,8 +362,20 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
             "domain": "ics-attack",
             "description": "a summary",
             "techniques": [
-                {"techniqueID": "T0814", "tactic": "inhibit-response-function"},
-                {"techniqueID": "T0887", "tactic": "discovery"},
+                {
+                    "techniqueID": "T0814",
+                    "tactic": "inhibit-response-function",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "The SQL injection requests lead to a denial of service condition, disrupting the availability of the targeted service.",
+                },
+                {
+                    "techniqueID": "T0887",
+                    "tactic": "discovery",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "The attack begins by using Wireshark to sniff network packets with a specific source, indicating a reconnaissance or discovery phase to gather information about the network traffic.",
+                },
             ],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
@@ -316,7 +383,18 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
         {
@@ -325,8 +403,20 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
             "domain": "enterprise-attack",
             "description": "a summary",
             "techniques": [
-                {"techniqueID": "T1505.001", "tactic": "persistence"},
-                {"techniqueID": "T1555.002", "tactic": "credential-access"},
+                {
+                    "techniqueID": "T1505.001",
+                    "tactic": "persistence",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "A series of SQL injection requests are sent to a specific port, potentially to establish persistence or manipulate database operations.",
+                },
+                {
+                    "techniqueID": "T1555.002",
+                    "tactic": "credential-access",
+                    "score": 100,
+                    "showSubtechniques": True,
+                    "comment": "An additional method is employed to bypass Securityd, likely to gain unauthorized access to credentials or sensitive information.",
+                },
             ],
             "gradient": {
                 "colors": ["#ffffff", "#ff6666"],
@@ -334,7 +424,18 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
                 "maxValue": 100,
             },
             "legendItems": [],
-            "metadata": [],
+            "metadata": [
+                {
+                    "name": "report_id",
+                    "value": "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+                }
+            ],
+            "links": [
+                {
+                    "label": "Generated using txt2stix",
+                    "url": "https://github.com/muchdogesec/txt2stix/",
+                }
+            ],
             "layout": {"layout": "side"},
         },
     ]
@@ -623,33 +724,35 @@ def dummy_flow():
             "items": [
                 {
                     "position": 0,
-                    "attack_tactic_id": "TA0102",
                     "attack_technique_id": "T0887",
                     "name": "Packet Sniffing with Wireshark",
                     "description": "The attack begins by using Wireshark to sniff network packets with a specific source, indicating a reconnaissance or discovery phase to gather information about the network traffic.",
                 },
                 {
                     "position": 1,
-                    "attack_tactic_id": "TA0003",
                     "attack_technique_id": "T1505.001",
                     "name": "SQL Injection for Persistence",
                     "description": "A series of SQL injection requests are sent to a specific port, potentially to establish persistence or manipulate database operations.",
                 },
                 {
                     "position": 2,
-                    "attack_tactic_id": "TA0107",
                     "attack_technique_id": "T0814",
                     "name": "Denial of Service via SQLi",
                     "description": "The SQL injection requests lead to a denial of service condition, disrupting the availability of the targeted service.",
                 },
                 {
                     "position": 3,
-                    "attack_tactic_id": "TA0006",
                     "attack_technique_id": "T1555.002",
                     "name": "Bypassing Securityd",
                     "description": "An additional method is employed to bypass Securityd, likely to gain unauthorized access to credentials or sensitive information.",
                 },
             ],
             "success": True,
+            "tactic_selection": [
+                ("T0887", "discovery"),
+                ("T1505.001", "persistence"),
+                ("T0814", "inhibit-response-function"),
+                ("T1555.002", "credential-access"),
+            ],
         }
     )

{txt2stix-1.0.2 → txt2stix-1.0.4}/tests/src/test_main.py

@@ -146,7 +146,21 @@ def test_parse_args_fails(monkeypatch):
         "standard",
         "--ai_create_attack_flow",
     ])
-    with pytest.raises(argparse.ArgumentError, match="--ai_create_attack_flow requires --ai_settings_relationships"):
+    with pytest.raises(argparse.ArgumentError, match="argument --ai_create_attack_flow: --ai_settings_relationships must be set"):
+        parse_args()
+
+
+    monkeypatch.setattr(sys, 'argv', [
+        "program",
+        "--input-file",
+        tmp.name,
+        "--name",
+        "a",
+        "--relationship_mode",
+        "standard",
+        "--ai_create_attack_navigator_layer",
+    ])
+    with pytest.raises(argparse.ArgumentError, match="argument --ai_create_attack_navigator_layer: --ai_settings_relationships must be set"):
         parse_args()
 
     monkeypatch.setattr(sys, 'argv', [

{txt2stix-1.0.2 → txt2stix-1.0.4}/txt2stix/attack_flow.py

@@ -21,14 +21,14 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
     for i, item in enumerate(flow.items):
         try:
             technique = techniques[item.attack_technique_id]
-            tactic_id = technique['possible_tactics'][flow.tactic_mapping[item.attack_technique_id]]
+            tactic_id = technique["possible_tactics"][
+                flow.tactic_mapping[item.attack_technique_id]
+            ]
             technique_obj = technique["stix_obj"]
             tactic_obj = tactics[technique["domain"]][tactic_id]
             action_obj = AttackAction(
                 **{
-                    "id": flow_id(
-                        report["id"], item.attack_technique_id, tactic_id
-                    ),
+                    "id": flow_id(report["id"], item.attack_technique_id, tactic_id),
                     "effect_refs": [f"attack-action--{str(uuid.uuid4())}"],
                     "technique_id": item.attack_technique_id,
                     "technique_ref": technique_obj["id"],
@@ -149,14 +149,21 @@ def get_techniques_from_extracted_objects(objects: dict, tactics: dict):
 
 def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
     domains = {}
+    comments = {item.attack_technique_id: item.description for item in flow.items}
     for technique in techniques.values():
         domain_techniques = domains.setdefault(technique["domain"], [])
         technique_id = technique["id"]
         if technique_id not in flow.tactic_mapping:
             continue
-        domain_techniques.append(
-            dict(techniqueID=technique_id, tactic=flow.tactic_mapping[technique_id])
+        technique_item = dict(
+            techniqueID=technique_id,
+            tactic=flow.tactic_mapping[technique_id],
+            score=100,
+            showSubtechniques=True,
         )
+        if comment := comments.get(technique_id):
+            technique_item["comment"] = comment
+        domain_techniques.append(technique_item)
 
     retval = []
 
@@ -174,7 +181,13 @@ def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
                     "maxValue": 100,
                 },
                 "legendItems": [],
-                "metadata": [],
+                "metadata": [{"name": "report_id", "value": report.id}],
+                "links": [
+                    {
+                        "label": "Generated using txt2stix",
+                        "url": "https://github.com/muchdogesec/txt2stix/",
+                    }
+                ],
                 "layout": {"layout": "side"},
             }
         )
@@ -191,10 +204,12 @@ def extract_attack_flow_and_navigator(
     ex: BaseAIExtractor = ai_settings_relationships
     tactics = get_all_tactics()
     techniques = get_techniques_from_extracted_objects(bundler.bundle.objects, tactics)
+    if not techniques:
+        return None, None
+    
     logged_techniques = [
-            {k: v for k, v in t.items() if k != "stix_obj"}
-            for t in techniques.values()
-        ]
+        {k: v for k, v in t.items() if k != "stix_obj"} for t in techniques.values()
+    ]
     logging.debug(f"parsed techniques: {json.dumps(logged_techniques, indent=4)}")
 
     flow = ex.extract_attack_flow(preprocessed_text, techniques)
@@ -204,5 +219,7 @@ def extract_attack_flow_and_navigator(
         bundler.flow_objects = parse_flow(bundler.report, flow, techniques, tactics)
 
     if ai_create_attack_navigator_layer:
-        navigator = create_navigator_layer(bundler.report, bundler.summary, flow, techniques)
+        navigator = create_navigator_layer(
+            bundler.report, bundler.summary, flow, techniques
+        )
     return flow, navigator

{txt2stix-1.0.2 → txt2stix-1.0.4}/txt2stix/txt2stix.py

@@ -440,11 +440,11 @@ def main():
         output_path = output_dir/f"{bundler.bundle.id}.json"
         output_path.write_text(out)
         logger.info(f"Wrote bundle output to `{output_path}`")
-        data_path = output_dir/"data.json"
+        data_path = output_dir/f"data--{args.report_id}.json"
         data_path.write_text(data.model_dump_json(indent=4))
         logger.info(f"Wrote data output to `{data_path}`")
         for nav_layer in data.navigator_layer or []:
-            nav_path = output_dir/f"navigator-{nav_layer['domain']}.json"
+            nav_path = output_dir/f"navigator-{nav_layer['domain']}----{args.report_id}.json"
             nav_path.write_text(json.dumps(nav_layer, indent=4))
             logger.info(f"Wrote navigator output to `{nav_path}`")
     except argparse.ArgumentError as e: