maec_to_oval script is not working properly.


Veerendra GG
Hi All,

Tried playing around with maec_to_oval script, but it's not working.
https://github.com/MAECProject/Tools/tree/master/Scripts/maec_to_oval

Tried converting examples given at,
http://maec.mitre.org/archive/version1.1/maec_example_email_harvesting_behavior.xml
http://maec.mitre.org/archive/version1.1/maec_example_service_disable_behavior.xml
http://maec.mitre.org/archive/version1.1/maec_example_wepawet_pdf_analysis.xml

Has anyone got it working, or am I doing anything wrong here?

Please, can anyone help me with this?


Output:
python maec_to_oval.py -v -i tmp/maec_example_email_harvesting_behavior.xml -o oval.xml

Extracting MAEC objects and generating OVAL definitions...

0 valid objects found. No OVAL exported.


Thanks!
Veerendra

RE: maec_to_oval script is not working properly.

Kirillov, Ivan A.
Veerendra,

The initial version of the MAEC -> OVAL translator was done as a proof-of-concept, and as such only supports the creation of OVAL tests for file, directory, and registry objects that are defined as being created by the malware (via an Action) inside the MAEC Bundle. This was done to help eliminate false positives, as such artifacts are likely to be the ones that can be used for host-based detection.

The examples that you linked to do not have any such actions, which is why you're seeing that output. We're in the process of updating the script to support MAEC v2.1 and additional OVAL objects, but if you'd like to use it in the meantime I'd recommend a sandbox translator for creating MAEC v1.1 output, e.g. ThreatExpert (https://github.com/MAECProject/Tools/tree/master/Scripts/threatexpert_to_maec/0.90%20(MAEC%201.1)), and then translating it into OVAL with the script. If the report defines any files, registry keys, or directories that are created, they should be converted into their appropriate OVAL representations.

Regards,
Ivan

Ivan Kirillov
MAEC Project
The MITRE Corporation

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Veerendra GG
Sent: Thursday, August 16, 2012 6:47 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: maec_to_oval script is not working properly.
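To make the selection rule in Ivan's reply concrete, here is an added illustration in Python. It is not the MAEC project's maec_to_oval.py and not code from either poster: a toy translator that walks a bundle, keeps only file, directory and registry objects attached to a Create action, and emits OVAL file_test/registry_test definitions for them, or reports "0 valid objects found" when the bundle only describes behaviour such as reads (the situation in the first message). The <Bundle>/<Action>/<Object> input format, the SAMPLE_BUNDLE and READ_ONLY_BUNDLE inputs, the oval:example ID namespace and all function names are constructed for this example and are not the real MAEC 1.1 schema; the OVAL namespaces and element names are the genuine OVAL 5 Windows ones.

```python
"""Toy MAEC-to-OVAL translator, added for this thread; not the MAEC project's
maec_to_oval.py. The <Bundle> format is a constructed simplification, not the
real MAEC 1.1 schema; the selection rule and the OVAL output are the real parts."""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = OVAL_NS + "#windows"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SUPPORTED = {"file", "directory", "registry"}  # kinds the proof-of-concept emits

# Constructed sample: the malware drops a DLL, sets a Run key, makes a directory,
# reads a file and spawns a process. Only the first three become OVAL tests.
SAMPLE_BUNDLE = r"""<Bundle>
  <Action type="Create"><Object kind="file" path="C:\Windows\System32" name="evil.dll"/></Action>
  <Action type="Create"><Object kind="registry" hive="HKEY_LOCAL_MACHINE"
      key="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" name="Updater"/></Action>
  <Action type="Create"><Object kind="directory" path="C:\ProgramData\dropper"/></Action>
  <Action type="Read"><Object kind="file" path="C:\Users\victim" name="contacts.txt"/></Action>
  <Action type="Create"><Object kind="process" name="cmd.exe"/></Action>
</Bundle>"""
# Constructed behaviour-only sample (reads, nothing created): the "0 valid objects" case.
READ_ONLY_BUNDLE = r"""<Bundle>
  <Action type="Read"><Object kind="file" path="C:\Users\victim" name="address_book.wab"/></Action>
</Bundle>"""


def extract_created_objects(bundle_xml):
    """Keep only file/directory/registry objects produced by a Create action;
    reads, deletes, processes and sockets are skipped to avoid false positives."""
    found = []
    for action in ET.fromstring(bundle_xml).iter("Action"):
        if action.get("type") != "Create":
            continue
        for obj in action.findall("Object"):
            if obj.get("kind") in SUPPORTED:
                found.append(dict(obj.attrib))
    return found


def build_oval(objects, ns_label="oval:example"):
    """Emit one OVAL definition/test/object triple per created artifact."""
    ET.register_namespace("", OVAL_NS)
    ET.register_namespace("win-def", WIN_NS)
    ET.register_namespace("xsi", XSI_NS)
    root = ET.Element(f"{{{OVAL_NS}}}oval_definitions")
    defs = ET.SubElement(root, f"{{{OVAL_NS}}}definitions")
    tests = ET.SubElement(root, f"{{{OVAL_NS}}}tests")
    objs = ET.SubElement(root, f"{{{OVAL_NS}}}objects")
    for n, o in enumerate(objects, start=1):
        kind = o["kind"]
        def_id, tst_id, obj_id = (f"{ns_label}:{t}:{n}" for t in ("def", "tst", "obj"))
        comment = f"malware-created {kind}"
        d = ET.SubElement(defs, f"{{{OVAL_NS}}}definition",
                          {"id": def_id, "version": "1", "class": "miscellaneous"})
        meta = ET.SubElement(d, f"{{{OVAL_NS}}}metadata")
        ET.SubElement(meta, f"{{{OVAL_NS}}}title").text = comment
        ET.SubElement(meta, f"{{{OVAL_NS}}}description").text = (
            "Artifact created by the analysed sample; presence suggests infection")
        crit = ET.SubElement(d, f"{{{OVAL_NS}}}criteria")
        ET.SubElement(crit, f"{{{OVAL_NS}}}criterion", {"test_ref": tst_id, "comment": comment})
        # Directories are file_objects whose <filename> is xsi:nil in OVAL.
        comp = "registry" if kind == "registry" else "file"
        t = ET.SubElement(tests, f"{{{WIN_NS}}}{comp}_test",
                          {"id": tst_id, "version": "1", "check": "at least one", "comment": comment})
        ET.SubElement(t, f"{{{WIN_NS}}}object", {"object_ref": obj_id})
        ob = ET.SubElement(objs, f"{{{WIN_NS}}}{comp}_object", {"id": obj_id, "version": "1"})
        if kind == "registry":
            for field in ("hive", "key", "name"):
                ET.SubElement(ob, f"{{{WIN_NS}}}{field}").text = o[field]
        else:
            ET.SubElement(ob, f"{{{WIN_NS}}}path").text = o["path"]
            fn = ET.SubElement(ob, f"{{{WIN_NS}}}filename")
            if kind == "file":
                fn.text = o["name"]
            else:
                fn.set(f"{{{XSI_NS}}}nil", "true")
    return ET.tostring(root, encoding="unicode")


def translate(bundle_xml):
    """Mirror the script: count valid objects and export OVAL only if there are any."""
    objects = extract_created_objects(bundle_xml)
    if not objects:
        print("0 valid objects found. No OVAL exported.")
        return 0, None
    return len(objects), build_oval(objects)


def oval_element_counts(oval_xml):
    """Count definitions and per-component tests in an OVAL document."""
    root = ET.fromstring(oval_xml)
    return {name: len(root.findall(f".//{{{ns}}}{name}")) for ns, name in
            ((OVAL_NS, "definition"), (WIN_NS, "file_test"), (WIN_NS, "registry_test"))}


if __name__ == "__main__":
    count, oval = translate(SAMPLE_BUNDLE)
    print(f"{count} valid objects found.\n{oval}")
    translate(READ_ONLY_BUNDLE)
```

Run as a script it prints an OVAL document with three definitions (two file_test, one registry_test) for the constructed sample, then the "0 valid objects found" line for the read-only bundle, which is the same condition behind the output quoted in the first message. A real translator would additionally have to walk MAEC's actual Action and Object structure and map the sandbox's object types onto these three kinds; the toy input format here deliberately skips that layer.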