alfa-group / bron

"Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting" by Erik Hemberg, Jonathan Kelly, Michal Shlapentokh-Rothman, Bryn Reinstadler, Katherine Xu, Nick Rutar, Una-May O'Reilly

Home Page: http://bron.alfa.csail.mit.edu/info.html

License: MIT License

Python 50.45% Jupyter Notebook 7.62% HTML 41.74% Dockerfile 0.14% Shell 0.05%
threat-data capec cwe

bron's People

Contributors: araujof, hembergerik, k8xu, okand-anvandare

bron's Issues

About the error when parsing CAPEC and CWE connection. The error message is the same as before, indicating that the specified column cannot be found in the DataFrame.

2023-06-30 11:17:06,011 INFO: Begin parse CAPEC and CWE connections
Traceback (most recent call last):
  File "tutorials/build_bron.py", line 264, in <module>
    main(
  File "tutorials/build_bron.py", line 233, in main
    _parse()
  File "tutorials/build_bron.py", line 90, in _parse
    parse_capec_cwe.parse_capec_cwe_files(
  File "/usr/local/bron/download_threat_information/parsing_scripts/parse_capec_cwe.py", line 323, in parse_capec_cwe_files
    for _, row in cwe_data[
  File "/usr/local/lib/python3.8/site-packages/pandas/core/frame.py", line 3767, in __getitem__
    indexer = self.columns._get_indexer_strict(key, "columns")[1]
  File "/usr/local/lib/python3.8/site-packages/pandas/core/indexes/base.py", line 5877, in _get_indexer_strict
    self._raise_if_missing(keyarr, indexer, axis_name)
  File "/usr/local/lib/python3.8/site-packages/pandas/core/indexes/base.py", line 5938, in _raise_if_missing
    raise KeyError(f"None of [{key}] are in the [{axis_name}]")
KeyError: "None of [Index(['ID', 'Name', 'Description', 'Extended_Description',\n 'Applicable Platforms', 'Common Consequences', 'Likelihood of Exploit'],\n dtype='object')] are in the [columns]"

CVE-2017-0146 Eternal Blue associated cpe is empty

When I queried the corresponding CPE for CVE-2017-0146, I found that the query came up empty.

I then downloaded the 2017 CVE data from NVD's official website to compare. For example, CVE-2017-0146 and CVE-2017-0149 are very close to each other, but there is a corresponding CPE for 0149, so I then checked the corresponding fields.

Then I looked at the code that processes the CPE, line 24 of parse_cve.py. The code is written to determine whether "cpe_match" exists in cve["configurations"]["nodes"], but we can find that in CVE-2017-0146 "cpe_match" is not a field alongside nodes, but is in the "children" field under "nodes". This causes the if statement to succeed, so it directly executes continue and skips the subsequent processing, resulting in no corresponding CPE data being generated.
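The nesting described in the issue above is easy to reproduce on small inputs. The following is an added example, not code from the BRON repository: it contrasts a shallow check that only looks for cpe_match directly on each top-level node with a recursive walk that also descends into children. The two CVE items are constructed to mirror the two shapes the reporter saw, and the CPE strings and CVE IDs are placeholders, not the real entries for CVE-2017-0146 or CVE-2017-0149.

```python
"""Collect CPE URIs from an NVD JSON 1.1 CVE item, descending into nested
configuration nodes.

Added example (not code from the BRON repository). The CVE items below are
constructed; the CPE strings and IDs are placeholders.
"""
from typing import Dict, Iterator, List


def iter_cpe_matches(node: Dict) -> Iterator[Dict]:
    """Yield every cpe_match entry under a configuration node, recursively."""
    for match in node.get("cpe_match", []):
        yield match
    for child in node.get("children", []):
        yield from iter_cpe_matches(child)


def cpes_top_level_only(cve_item: Dict) -> List[str]:
    """The shallow strategy the issue describes: a node without its own
    cpe_match list is skipped, so matches held by its children are never seen."""
    uris: List[str] = []
    for node in cve_item.get("configurations", {}).get("nodes", []):
        if "cpe_match" not in node:
            continue
        uris.extend(m["cpe23Uri"] for m in node["cpe_match"] if m.get("vulnerable"))
    return uris


def cpes_recursive(cve_item: Dict) -> List[str]:
    """Walk nodes and their children; keep vulnerable CPEs in first-seen order."""
    uris: List[str] = []
    for node in cve_item.get("configurations", {}).get("nodes", []):
        for match in iter_cpe_matches(node):
            uri = match.get("cpe23Uri")
            if uri and match.get("vulnerable", False) and uri not in uris:
                uris.append(uri)
    return uris


# Constructed sample: cpe_match directly under nodes (the shape that worked for the reporter)
FLAT_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},  # placeholder ID
    "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
            {
                "operator": "OR",
                "cpe_match": [
                    {"vulnerable": True, "cpe23Uri": "cpe:2.3:o:examplevendor:exampleos:1.0:*:*:*:*:*:*:*"},
                    {"vulnerable": False, "cpe23Uri": "cpe:2.3:o:examplevendor:exampleos:2.0:*:*:*:*:*:*:*"},
                ],
            }
        ],
    },
}

# Constructed sample: cpe_match only inside 'children' (the shape the issue reports as skipped)
NESTED_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},  # placeholder ID
    "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
            {
                "operator": "AND",
                "children": [
                    {"operator": "OR",
                     "cpe_match": [{"vulnerable": True,
                                    "cpe23Uri": "cpe:2.3:o:examplevendor:exampleos:1.0:*:*:*:*:*:*:*"}]},
                    {"operator": "OR",
                     "cpe_match": [{"vulnerable": False,
                                    "cpe23Uri": "cpe:2.3:a:examplevendor:exampleapp:3.1:*:*:*:*:*:*:*"}]},
                ],
            }
        ],
    },
}


if __name__ == "__main__":
    for name, item in (("flat", FLAT_ITEM), ("nested", NESTED_ITEM)):
        print(name, "top-level only:", cpes_top_level_only(item))
        print(name, "recursive:     ", cpes_recursive(item))
```

The shallow function returns nothing for the nested item, which is the empty CPE list the issue reports; the recursive walk returns the same vulnerable CPE for both shapes. A loader that drops the `vulnerable` flag or the `children` level silently loses platform links, so a quick count of CVE items with zero collected CPEs is a useful sanity check after any NVD import.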

Local deployment not working as the public version

I have downloaded and deployed BRON locally.
It works, but not as it should.
The public version returns matches for CVEs that the local version does not (not duplicates).
I tried multiple times to redeploy it locally, but it's still the same.
Am I the only one getting this problem?

Lots of incorrect links from CWE to CVE

I wanted to get the list of all the CVEs linked to a particular CWE, so I referred to the Linking Threat Tactics paper itself for a CWE and took CWE-787 as an example and queried it (in the paper it was mentioned that CWE-787 has a total of approximately 1150 CVEs linked to it).

I knew that I would be getting more CVEs linked to it because of the addition of new vulnerabilities for that particular weakness, but there were actually 132999 CVEs linked to CWE-787. So when I randomly checked whether the following CVEs were linked to CWE-787 (for that I actually took the respective IDs of the CVEs and googled them and checked with the NVD website), in the list of 132999 the first 1000 - 1500 were ALMOST all linked to CWE-787, but after that only 2/10 or something like that were linked to CWE-787, and after that they were linked to some other CWEs.

So I queried BRON as follows:
First I got the CWE _id for CWE-787.

Then I used the _id to get all the CVEs linked to it, and this was the result.
(There were too many duplicates over here, so I filtered them by using return distinct v._to.)

So when I randomly took one CVE _id, took the corresponding CVE number and googled it, this particular one was linked with CWE-476.

I even tried checking if CWE-476 and CWE-787 were linked together in the CweCwe collection, but unfortunately they were not.

So this is just an example for one particular CWE. I tried the above methods on 8-9 CWEs and all of them produced the same results.

Cannot download threat info through either Docker's "bootstrap" or "build_bron.py" manually.

bootstrap logs:

raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /mitre/cti/master/enterprise-attack/enterprise-attack.json (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f861a1fe6d0>: Failed to establish a new connection: [Errno 111] Connection refused'))

TechniqueCapec.json is empty

After the container bronbootstrap finished downloading the data, there seems to be something wrong when associating the CAPEC and technique data, resulting in no data transfer to the database.
When checking the front end of the database, I found that all other data were intact; only TechniqueCapec was empty.
At first I thought there was a problem with the transfer, so I opened the container to check TechniqueCapec.json and found that it was empty, but capec.json and Technique.json were normal.
Please allow me to ask if there is some problem with the code that causes the association to fail.

Steps in order to populate a local arangodb

Hello! This is not an issue, but maybe my misunderstanding of the README files.

It's just that there are so many READMEs and, for me, it is not clear enough which steps to follow in order to fully populate the db from scratch.
It seems too complex, and I would like to ask you if there is a chance for the creation of a simplified README, which will only concern the population of the arangodb, from the first step, e.g., the download of the files, to the last.

Or at least some information about the proper order of the tutorials in that case.

Thank you in advance for your time.

Duplicates in cve collection?

I am puzzled as to the occurrence of duplicates in the cve collection. This is on the demo at http://bron.alfa.csail.mit.edu/. For example, the following query returns five elements:

    FOR c in cve
    FILTER c.original_id == "CVE-2015-9251"
    RETURN c

The only difference in the five elements returned are the _key, _id and _rev. However, these do not appear to be meaningful differences to me. Despite searching this repository, I am not able to find an explanation. Any ideas?

Bootstrap docker cannot populate DB

Hi,
every time I try to build everything using docker-compose up -d I end up with an empty DB. Looking at the logs of the 'bootstrap' container, I get:

2023-07-18 16:14:01,552 INFO: BEGIN Import BRON into Arangodb
Save data/attacks/technique_mitigation.jsonl 43
Save data/attacks/software.jsonl 635
Save data/attacks/technique_detection.jsonl 579
Save data/attacks/group.jsonl 136
Save data/attacks/software_technique_mapping.jsonl 8318
Save data/attacks/technique_mitigation_technique_mapping.jsonl 1156
Save data/attacks/group_technique_mapping.jsonl 3016
Save data/attacks/group_software_mapping.jsonl 830
Traceback (most recent call last):
  File "tutorials/build_bron.py", line 268, in <module>
    main(
  File "tutorials/build_bron.py", line 245, in main
    _arangodb(username, password, ip, no_validation)
  File "tutorials/build_bron.py", line 123, in _arangodb
    bron_arango.main(
  File "/usr/local/bron/graph_db/bron_arango.py", line 83, in main
    create_db(username, password, ip)
  File "/usr/local/bron/graph_db/bron_arango.py", line 174, in create_db
    if not sys_db.has_database(DB):
  File "/usr/local/lib/python3.8/site-packages/arango/database.py", line 773, in has_database
    return self._execute(request, response_handler)
  File "/usr/local/lib/python3.8/site-packages/arango/api.py", line 74, in _execute
    return self._executor.execute(request, response_handler)
  File "/usr/local/lib/python3.8/site-packages/arango/executor.py", line 68, in execute
    return response_handler(resp)
  File "/usr/local/lib/python3.8/site-packages/arango/database.py", line 770, in response_handler
    raise DatabaseListError(resp, request)
arango.exceptions.DatabaseListError: [HTTP 401][ERR 11] not authorized to execute this request

I tried to figure out by myself what the problem is, but I had no success. (The 'brondb' container seems to be ok, since I'm able to populate it from the host machine by running manually python3 tutorials/build_bron.py --username=root --password=${BRON_PWD} --ip=${BRON_SERVER_IP})

D3fend Mitigation JSON Schema Error

When setting up BRON through docker, I repeatedly get this JSON schema error. This does not seem to be a local environment issue.

'D3A-AAD' does not match 'D3-[A-Z]+'

Failed validating 'pattern' in schema['properties']['original_id']:
    {'description': 'ID from MITRE D3FEND. E.g. '
                    "'ActiveCertificateAnalysis'. TODO pattern",
     'pattern': 'D3-[A-Z]+',
     'type': 'string'}

On instance['original_id']:
    'D3A-AAD'
Traceback (most recent call last):
  File "tutorials/build_bron.py", line 268, in <module>
    main(
  File "tutorials/build_bron.py", line 249, in main
    _mitigations(username, password, ip, not no_validation)
  File "tutorials/build_bron.py", line 175, in _mitigations
    d3fend.update_BRON_graph_db(username, password, ip, validation)
  File "/usr/local/bron/mitigations/d3fend_mitigations.py", line 113, in update_BRON_graph_db
    validate_entry(entry, schema)
  File "/usr/local/bron/graph_db/bron_arango.py", line 322, in validate_entry
    raise jsonschema.exceptions.ValidationError(err)
jsonschema.exceptions.ValidationError: <exception str() failed>
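The traceback above stops at the first entry whose original_id fails the schema pattern, which makes it hard to see how many entries are affected. The following is an added example, not code from the BRON repository: it audits a list of entries against the 'D3-[A-Z]+' pattern shown in the error and reports every failure in one pass. The entries are constructed, with 'D3A-AAD' taken from the error message. Like the jsonschema library, the check uses unanchored regex search, which is what the JSON Schema specification prescribes for 'pattern'; the anchored variant is included to show the difference.

```python
"""Audit entries against an 'original_id' regex before loading them.

Added example, not code from the BRON repository. The pattern 'D3-[A-Z]+'
is the one in the validation error on this page; the entries are constructed.
"""
import re
from typing import Dict, List, Tuple

# Schema fragment as it appears in the validation error on this page
ORIGINAL_ID_SCHEMA = {"type": "string", "pattern": "D3-[A-Z]+"}


def matches_pattern(value: str, pattern: str) -> bool:
    """JSON Schema 'pattern' semantics: a match anywhere in the string passes,
    so the regex is unanchored unless it contains ^ and $ itself."""
    return re.search(pattern, value) is not None


def audit_entries(entries: List[Dict],
                  pattern: str = ORIGINAL_ID_SCHEMA["pattern"]) -> List[Tuple[str, bool]]:
    """Check every entry's original_id and report all results at once,
    instead of aborting on the first failure as a raised ValidationError does."""
    report: List[Tuple[str, bool]] = []
    for entry in entries:
        oid = entry.get("original_id", "")
        ok = isinstance(oid, str) and matches_pattern(oid, pattern)
        report.append((oid, ok))
    return report


def failing_ids(entries: List[Dict],
                pattern: str = ORIGINAL_ID_SCHEMA["pattern"]) -> List[str]:
    """Only the IDs that would be rejected by the given pattern."""
    return [oid for oid, ok in audit_entries(entries, pattern) if not ok]


# Constructed entries (not real D3FEND data); 'D3A-AAD' is the value from the page's error
SAMPLE_ENTRIES = [
    {"original_id": "D3-AAD", "name": "constructed entry 1"},
    {"original_id": "D3A-AAD", "name": "constructed entry 2"},
    {"original_id": "d3-aad", "name": "constructed entry 3"},    # lowercase fails [A-Z]
    {"original_id": "xD3-AADx", "name": "constructed entry 4"},  # passes: search is unanchored
]


if __name__ == "__main__":
    print("unanchored failures:", failing_ids(SAMPLE_ENTRIES))
    print("anchored failures:  ", failing_ids(SAMPLE_ENTRIES, "^D3-[A-Z]+$"))
```

Running the audit before calling the loader shows whether a single malformed record or a whole class of IDs (here, every ID with a letter after 'D3') is being rejected, which is the information needed to decide whether the data or the schema is what needs changing.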

Does BRON contain mobile tactics from MITRE ATT&CK?

Hi Dear Author,

Thanks for contributing this brilliant work! After constructing a BRON graph following your instructions, I found that the tactics only contain the "enterprise tactics", which are shown in https://attack.mitre.org/tactics/enterprise/

At the same time, MITRE ATT&CK also contains a group of "mobile tactics", as shown in https://attack.mitre.org/tactics/mobile/ . Does BRON also contain this part of the tactics linking to techniques (then attack patterns -> CWEs -> etc.)?

Additionally, could I ask how you link the techniques (from MITRE ATT&CK) with attack patterns (from CAPEC)? It seems challenging to find data sources that directly link those two parts.

Thanks!
