Open Bayerischen opened 1 year ago
MISP is supposed to generate the md5 itself: we cannot trust the user to submit the appropriate value. Removing the hash if it is provided is what we want, and it works when we add a complete event to MISP, but this feature may not be present when you add an object directly (?). Is that what's happening, @mokaddem @iglocska @righel?
pymisp showed me an error when I was trying to upload a malware sample file using the really simple code below:

```
Something went wrong (403): {'saved': False, 'name': 'Could not add object', 'message': 'Could not add object', 'url': '/objects/add/3/', 'errors': 'Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', 'id': '3/'}
```
I checked the "malware-sample" attribute value and found that it is just the file name, but if I upload a sample manually it would be something like FILENAME|MD5, so I changed the attribute value to that and it works fine.
I checked the code in https://github.com/MISP/PyMISP/blob/main/pymisp/tools/fileobject.py line 67 and I believe it should be changed

from

```python
self.add_attribute('malware-sample', value=self.__filename, data=self.__pseudofile, disable_correlation=True)
```

to

```python
self.add_attribute('malware-sample', value=f"{self.__filename}|{md5(self.__data).hexdigest()}", data=self.__pseudofile, disable_correlation=True)
```
EDIT:
`MISPAttribute.value` will be reset in method `_prepare_new_malware_sample` so https://github.com/MISP/PyMISP/blob/main/pymisp/mispevent.py#L645 should also be changed as below