Skip to content

Bug: Hash names of STIX 2.1 output do not comply with the official specification #78

New issue
New issue
Open
Open
Bug: Hash names of STIX 2.1 output do not comply with the official specification#78
Labels
bugSomething isn't working
@railisac

Description

@railisac
railisac
opened on Nov 27, 2025

MISP-STIX usage

Within misp_to_stix2

Expected behavior

The STIX 2.1 specification has a section on hashing algorithms that specifies the names of hashing algorithms. For instance, according to the specification, a SHA256 pattern should look like this:

[file:hashes.'SHA-256' = 'a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a']

Actual behavior

However, misp-stix uses names without dashes, like this:

[file:hashes.SHA256 = 'a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a']

For now, to get STIX according to spec one needs to do a search and replace on the output to get the a STIX 2.1 compliant version. It would be great to have an option to generate the much uglier, but more correct hash names with dashes.

Steps to reproduce

  • Get a MISP file with sha256, sha512 or sha1 hashes
  • Convert to STIX 2.1

Version

2.4.159

Python version

3.10

Relevant log output



Extra attachments


No response


Code of Conduct


    

  •  I agree to follow this project's Code of Conduct
    • 

Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't working
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions