fix: [stix2 import] Better handling of network-traffic patterns

chrisr3d · chrisr3d · commit 70719f893b3a · 2025-08-20T17:24:31.000+02:00
- Patterns that obviously are single ip address,
  even when they look slightly more complex than
  just the single ipv4 or ipv6 address definition,
  are converted as single ip MISP attribute
diff --git a/misp_stix_converter/stix2misp/converters/stix2_indicator_converter.py b/misp_stix_converter/stix2misp/converters/stix2_indicator_converter.py
@@ -375,6 +375,20 @@ def _handle_pattern_mapping(self, indicator: _INDICATOR_TYPING) -> str:
     #                        INDICATORS PARSING METHODS                        #
     ############################################################################
 
+    @staticmethod
+    def _network_traffic_pattern_as_single_attribute(pattern: PatternData) -> bool:
+        if len(pattern.comparisons) > 1:
+            return False
+        comparisons = pattern.comparisons['network-traffic']
+        if len(comparisons) > 2:
+            return False
+        for keys, _, _ in comparisons:
+            if keys[0] == 'extensions':
+                return False
+            if keys[0] not in ('src_ref', 'dst_ref'):
+                return False
+        return True
+
     def _parse_asn_pattern(
             self, pattern: PatternData, indicator: _INDICATOR_TYPING):
         attributes = []
@@ -806,7 +820,18 @@ def _parse_network_traffic_attribute(
 
     def _parse_network_traffic_pattern(
             self, pattern: PatternData, indicator: _INDICATOR_TYPING):
-        if 'socket-ext' in indicator.pattern:
+        if self._network_traffic_pattern_as_single_attribute(pattern):
+            for keys, assertion, value in pattern.comparisons['network-traffic']:
+                if assertion not in self._mapping.valid_pattern_assertions():
+                    continue
+                if 'type' in keys:
+                    continue
+                attribute = {
+                    'type': f"ip-{keys[0].split('_')[0]}", 'value': value,
+                    **self._create_attribute_dict(indicator)
+                }
+                self.main_parser._add_misp_attribute(attribute, indicator)
+        elif 'socket-ext' in indicator.pattern:
             self._parse_network_socket_pattern(pattern, indicator)
         else:
             self._parse_network_connection_pattern(pattern, indicator)
