MISP / PyMISP

Python library using the MISP Rest API

fileobject.py doesn't generate a downloadable malware-sample #371

Closed g4l4drim closed 5 years ago

g4l4drim commented 5 years ago

When generating a fileobject with fileobject.py and pushing it on MISP, the malware-sample attribute has no downloadable malware-sample in MISP.

I think it might be due to the validation of the "malware-sample" object's attribute when submitting the whole file object to MISP (v2.4.102)

Rafiot commented 5 years ago

I just tested, and it is working. Can you show me the code you're using? I strongly recommend using this method: https://github.com/MISP/PyMISP/blob/master/pymisp/tools/create_misp_object.py#L52

g4l4drim commented 5 years ago

Yes, here is the source:

from pymisp import PyMISP
from pymisp.tools import make_binary_objects
import argparse
import glob

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='file object upload test')
    parser.add_argument('-e', '--event', required=True)
    parser.add_argument('-p', '--path', required=True)

    args = parser.parse_args()
    misp_url = 'http://10.0.2.5/'
    misp_key = 'redacted'
    misp_cert = False  # no certificate verification against the test VM
    pymisp = PyMISP(misp_url, misp_key, misp_cert, 'json')

    for f in glob.glob(args.path):
        # file object, PE object and PE section objects for this binary
        fo, peo, seos = make_binary_objects(f)
        # dump the file object for debugging
        with open('dbg.json', 'a') as dbgfile:
            dbgfile.write(fo.to_json())
        template_json = pymisp.get_object_template_id(fo.template_uuid)
        template_id = template_json['ObjectTemplateElement'][0]['object_template_id']
        print(template_id)
        # push the file object on its own to the event (this is the call that fails)
        r = pymisp.add_object(args.event, template_id, fo)
        print(r)

output:

~/Misp$python3 upload.py -e 1 -p /usr/bin/firefox
36
{'errors': ['Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', '403'], 'message': 'Could not add object', 'url': '/objects/add/1/36', 'name': 'Could not add object'}

MISP test VM version: 2.4.104
PyMISP version: 2.4.103 (pip3 install version)
OS: Debian

Rafiot commented 5 years ago

Soo, right, something changed somewhere and passing a malware-sample without the md5 works if you push the full event with all the MISP Objects in it (what I was testing), but not if you upload the objects one after the other (what you were doing) :man_shrugging:

I'm patching it now... Sorry for that.
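The validation error quoted above ("Composite type found but the value not in the composite (value1|value2) format") comes from MISP checking that a malware-sample value carries both halves of the composite. The following is an added example, not code from PyMISP or from this thread: it builds the `filename|md5` value a malware-sample attribute is expected to carry and reproduces the composite check client-side, so a bare file name (what was being sent here) is caught before the object is pushed. The regex is an assumption that is stricter than the server's check, since it also requires the second half to be a 32-character hex MD5.

```python
import hashlib
import re

# Assumed check: composite "value1|value2" where value2 is an MD5 hex digest.
# MISP itself only reports that the value is not in "value1|value2" format;
# the MD5 part is enforced here as an extra client-side sanity check.
COMPOSITE_RE = re.compile(r"^[^|]+\|[0-9a-fA-F]{32}$")


def malware_sample_value(filename: str, data: bytes) -> str:
    """Build the composite value for a malware-sample attribute: "<name>|<md5>"."""
    if "|" in filename:
        raise ValueError("file name may not contain the composite separator '|'")
    return f"{filename}|{hashlib.md5(data).hexdigest()}"


def is_valid_composite(value: str) -> bool:
    """Return True when the value has both halves of the composite."""
    return COMPOSITE_RE.fullmatch(value) is not None


def failing_relations(attributes):
    """Return the object_relations whose value would fail the composite check.

    `attributes` is a list of (object_relation, value) pairs as they would be
    sent to /objects/add. Only malware-sample is treated as composite here.
    """
    return [
        relation
        for relation, value in attributes
        if relation == "malware-sample" and not is_valid_composite(value)
    ]


if __name__ == "__main__":
    # Constructed sample bytes; not a real binary.
    sample = b"MZ constructed sample"
    good = malware_sample_value("firefox", sample)
    print(good)
    # A bare file name reproduces the rejection seen in the thread.
    print(failing_relations([("filename", "firefox"), ("malware-sample", "firefox")]))
    # The composite form passes.
    print(failing_relations([("filename", "firefox"), ("malware-sample", good)]))
```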

g4l4drim commented 5 years ago

Thanks!

Rafiot commented 5 years ago

\o/ thank you for your patience and sorry for the regression. We have a test case now, that shouldn't happen again :)