Closed (g4l4drim closed 5 years ago)
I just tested, and it is working. Can you show me the code you're using? I strongly recommend using this method: https://github.com/MISP/PyMISP/blob/master/pymisp/tools/create_misp_object.py#L52
Yes, here is the source:
```python
from pymisp import PyMISP
from pymisp.tools import make_binary_objects
import argparse
import glob

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='file object upload test')
    parser.add_argument('-e', '--event', required=True)
    parser.add_argument('-p', '--path', required=True)
    args = parser.parse_args()

    misp_url = 'http://10.0.2.5/'
    misp_key = 'redacted'
    misp_cert = False  # no TLS certificate verification (test VM)
    pymisp = PyMISP(misp_url, misp_key, misp_cert, 'json')

    for f in glob.glob(args.path):
        # Build the file object (the PE and section objects are not used here)
        fo, peo, seos = make_binary_objects(f)
        # Append the generated file object to a debug dump
        with open('dbg.json', 'a') as dbgfile:
            dbgfile.write(fo.to_json())
        # Look up the server-side id of the object template
        template_json = pymisp.get_object_template_id(fo.template_uuid)
        template_id = template_json['ObjectTemplateElement'][0]['object_template_id']
        print(template_id)
        # Add the file object on its own to the existing event
        r = pymisp.add_object(args.event, template_id, fo)
        print(r)
```
output:
```
~/Misp$python3 upload.py -e 1 -p /usr/bin/firefox
36
{'errors': ['Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', '403'], 'message': 'Could not add object', 'url': '/objects/add/1/36', 'name': 'Could not add object'}
```
MISP test VM version 2.4.104, PyMISP version 2.4.103 (pip3 install version), OS: Debian
Soo, right, something changed somewhere and passing a malware-sample without the md5 works if you push the full event with all the MISP Objects in it (what I was testing), but not if you upload the objects one after the other (what you were doing) :man_shrugging:
I'm patching it now... Sorry for that.
Thanks !
\o/ thank you for your patience and sorry for the regression. We have a test case now, that shouldn't happen again :)
When generating a fileobject with fileobject.py and pushing it on MISP, the malware-sample attribute has no downloadable malware-sample in MISP.
I think it might be due to the validation of the "malware-sample" object's attribute when submitting the whole file object to MISP (v2.4.102).
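Added example (not part of the original thread and not PyMISP's own code): a pre-submission check for the validation error quoted above, which flags composite attributes whose value is not in `value1|value2` form and completes a `malware-sample` value as `filename|md5`. It assumes the object is a dict shaped like the `to_json()` dump with an `Attribute` list and a base64 `data` field, and that composite types are `malware-sample` plus any type containing `|`; the function names and sample data are constructed.

```python
import base64
import hashlib


def is_composite(attr_type):
    # Assumption: composite types are "malware-sample" and any type with "|" in its name.
    return "|" in attr_type or attr_type == "malware-sample"


def invalid_composites(misp_object):
    """Return (object_relation, value) for composite attributes not in value1|value2 form."""
    bad = []
    for attr in misp_object.get("Attribute", []):
        if not is_composite(attr.get("type", "")):
            continue
        left, sep, right = str(attr.get("value", "")).partition("|")
        if not (sep and left and right):
            bad.append((attr.get("object_relation"), attr.get("value")))
    return bad


def complete_malware_sample(attr):
    """Return a copy whose value is filename|md5, with the md5 taken from the base64 'data'."""
    if attr.get("type") != "malware-sample" or "|" in str(attr.get("value", "")):
        return dict(attr)
    raw = base64.b64decode(attr["data"])
    fixed = dict(attr)
    fixed["value"] = "{}|{}".format(attr["value"], hashlib.md5(raw).hexdigest())
    return fixed


# Constructed sample: a file object whose malware-sample value is only the filename.
SAMPLE_OBJECT = {
    "name": "file",
    "Attribute": [
        {"object_relation": "filename", "type": "filename", "value": "firefox"},
        {"object_relation": "malware-sample", "type": "malware-sample",
         "value": "firefox", "data": base64.b64encode(b"hello").decode()},
    ],
}

if __name__ == "__main__":
    print("before:", invalid_composites(SAMPLE_OBJECT))
    repaired = dict(SAMPLE_OBJECT)
    repaired["Attribute"] = [complete_malware_sample(a) for a in SAMPLE_OBJECT["Attribute"]]
    print("after: ", invalid_composites(repaired))
    print(repaired["Attribute"][1]["value"])
```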