EMailObject and ExpandedPyMISP.upload_sample deprecated

[johnnywilkes]

Sorry if this is discussed somewhere else, but why are these two portions of PyMISP getting deprecated? I find them incredibly useful and I know the first is used in https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/import_mod/email_import.py

Anything else we can use that will do the same/similar thing in newer (after pymisp==2.4.99) versions of PyMISP?

[Rafiot]

• EMailObject is not deprecated, is there an issue with it?
• The recommended way to push a malware sample to MISP is to do it this way: https://github.com/MISP/PyMISP/blob/main/tests/testlive_comprehensive.py#L1290

Note that pymisp==2.4.99 is extremely old, but I guess we missed an upgrade somewhere. The email import module should still be working, what is the problem with it? I haven't tested it so it might be totally broken, can you share the error you're getting?

[johnnywilkes]

I use a product called Palo Alto Cortex XSOAR and they say that some of the commands are not supported by new versions of PyMISP. Any ideas why that would be? https://xsoar.pan.dev/docs/reference/integrations/misp-v3#breaking-changes-from-the-previous-version-of-this-integration---misp-v3

[Rafiot]

I never heard of this tool, and have no access to the platform, so no, not so much. If they implemented something that worked on pymisp 2.4.99 and not after that, I fear it's so outdated it won't be the only problem.

We're happy to talk to them if they wish, and/or help them update their integration, but sadly, I can't help you much without their involvement, sorry.

[ArtemProc]

python 3.9.7 pymisp-2.4.148.1 installed with pip install. Attempt to:

>>> from pymisp.tools import EMailObject
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: cannot import name 'EMailObject' from 'pymisp.tools' (/usr/local/lib/python3.9/site-packages/pymisp/tools/__init__.py)

[johnnywilkes]

yes, i saw the same thing

[Rafiot]

Have you installed pymisp this way? pip install pymisp[email]

The email support needs a few extra dependencies that aren't installed by default. Depending on what yo want to do, you may need more parameters as described there: https://pymisp.readthedocs.io/en/latest/README.html#install-from-pip

[ArtemProc]

Have you installed pymisp this way? pip install pymisp[email]

yes The email support needs a few extra dependencies that aren't installed by default. Depending on what yo want to do, you may need more parameters as described there: https://pymisp.readthedocs.io/en/latest/README.html#install-from-pip I will check this out.

[ArtemProc]

@Rafiot - thank you for input. I have managed to make EMailObject work with suggested steps. pip install pymisp[email]

Although (I suspect it is not related to this issue, but you might point to correct direction).

They use following code to init MISP:

import logging
import warnings
from typing import Union, List, Any, Tuple, Dict
from urllib.parse import urlparse

import requests
from pymisp import ExpandedPyMISP, PyMISPError, MISPObject
from pymisp.tools import EMailObject, GenericObjectGenerator
import copy

MISP_KEY = 'api_key'
MISP_URL = 'https://IP'
USE_SSL = False
proxies = False
MISP_PATH = 'MISP.Event(obj.ID === val.ID)'
MISP_ATTRIBUTE_PATH = 'MISP.Attribute(obj.ID === val.ID)'
MISP = ExpandedPyMISP(url=MISP_URL, key=MISP_KEY, ssl=USE_SSL, proxies=proxies)

And in version of 2.4.99 MISP will have methods: 'download_samples' 'upload_sample' I could find ticket https://github.com/MISP/PyMISP/issues/496

Just to confirm with you are both methods deprecated in latest pymisp builds?

[Rafiot]

Yes, you are correct, it was marked as deprecated around mid 2019 and removed from the release 2.4.120 in January 2020. see https://github.com/MISP/PyMISP/blob/v2.4.119/pymisp/api.py#L1016

[johnnywilkes]

Do you have an example of doing the same in 'download_samples' with MISPEvent.add_attribute?

[Rafiot]

Seems this method wasn't directly reimplemented. But you can use the search method, either with the event or the attribute controller and the with_attachments parameter.

For example, if you want to get all the malwares of an event, you can do something like search(controller='attributes', event_id=<id>, type_attribute='malware', with_attachments=True). Note that I haven't tested it, but that should work just fine. If it doesn't work, let me know and I'll give it a shot (and add a test case).

[johnnywilkes]

does that allow you to upload an actual sample though?

[Rafiot]

I'm confused now. You just asked download, so the code above should work for downloading samples.

For uploading, the example here works: https://github.com/MISP/PyMISP/blob/main/tests/testlive_comprehensive.py#L1290

[johnnywilkes]

yes, i meant uploading, thank you!

[johnnywilkes]

were there any versions of pyMISP that EMailObject didn't work? The XSOAR Dev team said they had issues with certain versions

[Rafiot]

It it was the case, it was a bug, and was fixed asap, so maybe? but I have no idea. The class evolved quite a bit, and at some point in time, it required a non-python package, and was definitely incomplete. They should really use the latest release, it is the only one we support.