MISP / PyMISP

Python library using the MISP Rest API

Composites are not taken into account #78

Closed truckydev closed 7 years ago

truckydev commented 7 years ago

I made some updates to the openioc tool in PyMISP: https://github.com/truckydev/PyMISP/blob/master/pymisp/tools/openioc.py

My code detects composites supported by MISP. It may need some refactoring :)

Here is my problem: when I try with this IOC: https://github.com/fireeye/iocs/blob/master/BlogPosts/9cee306d-5441-4cd3-932d-f3119752634c.ioc

<Indicator id="4b8e8c05-a8f9-4aff-9b7b-bd7301e1cfd7" operator="AND">
  <IndicatorItem id="317dc9d2-bd92-4fb1-87b1-cb5a158a4828" condition="is">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">1F338BDD92F08803A2AC7022A34D98FD</Content>
  </IndicatorItem>
  <IndicatorItem id="ec96b850-238a-4b1a-a40e-717b88522191" condition="is">
    <Context document="FileItem" search="FileItem/FileName" type="mir"/>
    <Content type="string">install.exe</Content>
  </IndicatorItem>
</Indicator>

When I print (with main in the Python code) I get the correct type:

{'type': 'filename|md5', 'comment': '', 'to_ids': True, 'distribution': '5', 'category': 'External analysis', 'value': 'install.exe|1F338BDD92F08803A2AC7022A34D98FD', 'disable_correlation': False}

but with the OpenIOC import module, this type is not recognized and the elements are added line by line. [screenshot: probleme import ioc]
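To make the composite detection described above concrete, here is an added, stand-alone example written for this thread. It is not PyMISP's pymisp/tools/openioc.py and not the misp-modules importer: the OpenIOC-search-path mapping and the composite table are a constructed subset (an assumption), and the sample IOC embeds the issue's AND group plus two constructed groups to show the fallback paths. An AND group whose members form a MISP composite (FileName + Md5sum) becomes one `filename|md5` attribute; an OR group, or an AND group MISP has no composite for, is emitted one attribute per item. Category is deliberately left out so the server applies its per-type default.

```python
# Added example for this thread, not PyMISP's own openioc.py.
# Mapping tables below are an assumed subset, not the library's real ones.
import xml.etree.ElementTree as ET

# Assumed subset of OpenIOC "search" paths -> MISP attribute types.
SEARCH_TO_MISP = {
    "FileItem/Md5sum": "md5",
    "FileItem/Sha1sum": "sha1",
    "FileItem/FileName": "filename",
    "Network/DNS": "domain",
}

# Composite MISP types keyed by the set of member types; the tuple fixes the
# order of the members inside the '|'-joined value.
COMPOSITES = {
    frozenset({"filename", "md5"}): ("filename|md5", ("filename", "md5")),
    frozenset({"filename", "sha1"}): ("filename|sha1", ("filename", "sha1")),
}


def _local(tag):
    """Strip a namespace prefix: '{ns}Indicator' -> 'Indicator'."""
    return tag.rsplit("}", 1)[-1]


def _direct_items(indicator):
    """(misp_type, value) for each IndicatorItem directly under an Indicator."""
    items = []
    for item in indicator.findall("{*}IndicatorItem"):
        ctx, content = item.find("{*}Context"), item.find("{*}Content")
        if ctx is None or content is None:
            continue
        misp_type = SEARCH_TO_MISP.get(ctx.get("search"))
        if misp_type is not None:  # unsupported search paths are skipped, not guessed
            items.append((misp_type, (content.text or "").strip()))
    return items


def build_attributes(indicator):
    """MISP attribute dicts for one <Indicator>, recursing into nested groups."""
    items = _direct_items(indicator)
    attrs = []
    if indicator.get("operator", "").upper() == "AND" and len(items) == 2:
        composite = COMPOSITES.get(frozenset(t for t, _ in items))
        if composite is not None:
            ctype, order = composite
            by_type = dict(items)
            attrs.append({"type": ctype,
                          "value": "|".join(by_type[t] for t in order),
                          "to_ids": True})
            items = []  # both members consumed by the composite
    # OR groups, or AND groups MISP has no composite for: one attribute per item.
    for misp_type, value in items:
        attrs.append({"type": misp_type, "value": value, "to_ids": True})
    for child in indicator:
        if _local(child.tag) == "Indicator":
            attrs.extend(build_attributes(child))
    return attrs


def parse_openioc(xml_text):
    """Collect attributes from every top-level Indicator in the document."""
    root = ET.fromstring(xml_text)
    attrs = []

    def walk(el):
        if _local(el.tag) == "Indicator":
            attrs.extend(build_attributes(el))
        else:
            for child in el:
                walk(child)

    walk(root)
    return attrs


# Constructed sample: the issue's AND group, a bare DNS item, and an AND group
# (md5 + sha1) for which MISP has no composite type.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc">
  <definition>
    <Indicator operator="OR">
      <Indicator id="4b8e8c05-a8f9-4aff-9b7b-bd7301e1cfd7" operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">1F338BDD92F08803A2AC7022A34D98FD</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">install.exe</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">example.invalid</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
          <Content type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

if __name__ == "__main__":
    for attr in parse_openioc(SAMPLE_IOC):
        print(attr)
```

Running it yields four attributes in document order: the `domain`, then `filename|md5` with value `install.exe|1F338BDD92F08803A2AC7022A34D98FD`, then a separate `md5` and `sha1`. The `len(items) == 2` guard matters: an AND group with three members, or two members of the same type, must not be folded into a composite, and the `{*}` wildcard in the `find` calls makes the parser accept both the namespaced OpenIOC files and the namespace-less fragment pasted above.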

Rafiot commented 7 years ago

I'm on it!

truckydev commented 7 years ago

thanks :)

Rafiot commented 7 years ago

I wanted to compare the changes you made; can you please revert the change from spaces to tabs? It makes it very hard to review.

Just to make sure we're talking about the same thing: you made changes in the openioc library, and it isn't reflected in the misp-modules, but works properly when you dump the JSON from the library?

Did you make sure you installed the pymisp version containing your changes? Because the misp-modules openioc module is picking the output of the openioc library as-is: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/import_mod/openiocimport.py#L56

truckydev commented 7 years ago

Done

truckydev commented 7 years ago

Ah ok :( I didn't merge misp-modules ...

All my bad :( I work with multiple instances, sorry again.

truckydev commented 7 years ago

[screenshot: probleme import ioc ok]

Rafiot commented 7 years ago

\o/ Looks great.

Just one thing: are you sure you want to use "External Analysis" as category? This is information you can pass as a tag, for example. I'd recommend using the default sane values set by the server for each type.

truckydev commented 7 years ago

I think "External Analysis" is maybe the right category, because when you import an IOC it often comes from an external analysis. No?

Can I add some tags on attributes when I import an IOC? The idea is to define in "userConfig" or in "moduleconfig" a "tag by default" (ex: tlp:white). But I do not think that MISP can take it into account on its side.

Rafiot commented 7 years ago

Well, not necessarily: it can come from an internal tool and be pushed into MISP.

We generally recommend to use "External Analysis" for a few attributes in an event (for example the link to the external analysis).

truckydev commented 7 years ago

So what do you recommend?

Next, I'll make the change and do the pull request.

Rafiot commented 7 years ago

Not sure I get your question. The recommended values per type are here: https://github.com/MISP/PyMISP/blob/master/pymisp/data/describeTypes.json But you don't need to care; they are set automatically by the server.

truckydev commented 7 years ago

Not sure I get your question. For the default tag?

Otherwise ok, I will remove the category :)

truckydev commented 7 years ago

Thanks Raphaël,

You can close this issue. I have made the pull request: https://github.com/MISP/PyMISP/pull/82

I think I'll open a new issue to add the possibility to set a default tag when you import something with a module.

Rafiot commented 7 years ago

Excellent, thanks!