MISP / SkillAegis

SkillAegis is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. Its gamification system makes learning engaging, ensuring users acquire essential technical skills and adhere to industry standards.
GNU Affero General Public License v3.0

Attribute.to_ids mis-represented? #2

Open cudeso opened 2 months ago

cudeso commented 2 months ago

When I add an attribute "194.78.89.250" to an event, the ZMQ output is

{
  "Attribute": {
    "id": "2840933",
    "event_id": "3508",
    "object_id": "0",
    "object_relation": null,
    "category": "Network activity",
    "type": "ip-dst",
    "value1": "194.78.89.250",
    "value2": "",
    "to_ids": true,
    "uuid": "7b3f2758-86ce-45d3-b7fd-b1f77ac85328",
    "timestamp": "1726511683",
    "distribution": "5",
    "sharing_group_id": "0",
    "comment": "",
    "deleted": false,
    "disable_correlation": false,
    "first_seen": null,
    "last_seen": null,
    "value": "194.78.89.250",
    "Sighting": []
  },
  "Event": {
    "id": "3508",
    "date": "2024-09-16",
    "info": "Received a new scam call",
    "uuid": "dd3ad20b-f820-401a-8376-6ab69d506ca5",
    "published": false,
    "analysis": "0",
    "threat_level_id": "4",
    "org_id": "1",
    "orgc_id": "1",
    "distribution": "1",
    "sharing_group_id": "0",
    "Orgc": {
      "id": "1",
      "uuid": "5c1eb4f8-bae5-45f5-a772-06d4a3f64c3e",
      "name": "DEMO"
    }
  },
  "action": "add"
}

In the SkillAegis Dashboard the payload is displayed as:

{
  "Attribute.type": "ip-dst",
  "Attribute.distribution": "5",
  "Attribute.sharing_group_id": "4",
  "Attribute.value": "194.78.89.250",
  "Attribute.batch_import": "0",
  "Attribute.to_ids": [
    "0",
    "1"
  ],
  "Attribute.disable_correlation": "0"
}

After this, the inject is not considered as successfully done by the player.

Could this be because of "Attribute.to_ids" having both "0" and "1" in the payload?

MISP version 2.4.194

cudeso commented 2 months ago

Inject 2 ("IP Address") for https://github.com/MISP/SkillAegis/blob/main/scenarios/scam-call-encoding.json

cudeso commented 2 months ago

Same happens when adding the SHA1. The IDS field was set on submission.

{
  "Attribute.type": "sha1",
  "Attribute.distribution": "5",
  "Attribute.sharing_group_id": "4",
  "Attribute.value": "04d496d39bc9409bfdabdeb07002b97093b58f77",
  "Attribute.batch_import": "0",
  "Attribute.to_ids": [
    "0",
    "1"
  ],
  "Attribute.disable_correlation": "0"
}
mokaddem commented 2 months ago

Hey. It looks like it's a MISP thing rather than SkillAegis. It could be coming from the way CakePHP parses the urlencoded form when using paranoid mode.

After this, the inject is not considered as successfully done by the player. But that shouldn't have a big impact on the scenario since the event is fully fetched by SA.

That being said, this scenario has many issues. It will receive an update soon to be more lax and flexible.
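The list value seen in the dashboard is what a form parser produces when the same field name is submitted twice. The following is an added example, not code from SkillAegis or MISP: it parses a constructed urlencoded body for the attribute form from this issue, reproduces the `["0", "1"]` shape, and shows a normalisation step that lets an inject check still match the reporter's payload. The assumption that the repeated key comes from a hidden `0` input followed by a checkbox `1` (the usual CakePHP FormHelper checkbox layout) is mine; the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Constructed sample: the urlencoded body a browser would send for the
# attribute-add form from the issue. The repeated "Attribute.to_ids" key is
# an assumption about the hidden-input-plus-checkbox pattern emitted by
# CakePHP's FormHelper (hidden "0" first, then the checkbox "1").
SAMPLE_BODY = (
    "Attribute.type=ip-dst&Attribute.distribution=5&Attribute.sharing_group_id=4"
    "&Attribute.value=194.78.89.250&Attribute.batch_import=0"
    "&Attribute.to_ids=0&Attribute.to_ids=1&Attribute.disable_correlation=0"
)

# Constructed sample shaped like the "Attribute" part of the ZMQ message in
# the issue (values copied from it); to_ids is a JSON boolean there, not "1".
SAMPLE_ZMQ_ATTRIBUTE = {
    "type": "ip-dst",
    "value": "194.78.89.250",
    "to_ids": True,
    "distribution": "5",
    "disable_correlation": False,
}


def parse_form(body: str) -> dict:
    """Parse a urlencoded form body, keeping every value of a repeated key."""
    return parse_qs(body, keep_blank_values=True)


def flatten(parsed: dict) -> dict:
    """Collapse single-valued keys to a plain string and keep a list for
    repeated keys. This reproduces the payload shape shown in the dashboard."""
    return {k: (v[0] if len(v) == 1 else v) for k, v in parsed.items()}


def effective_value(value):
    """Return the value a server would act on. For a hidden-input-plus-checkbox
    pair the browser submits both in document order, so the last entry is the
    checkbox state; a plain string is returned unchanged."""
    if isinstance(value, list):
        return value[-1] if value else None
    return value


def zmq_attribute_fields(attribute: dict) -> dict:
    """Map a ZMQ attribute (JSON booleans) onto the dotted, string-valued keys
    used by the form payload so the two sources compare with the same rule."""
    out = {}
    for key, val in attribute.items():
        if isinstance(val, bool):
            val = "1" if val else "0"
        out[f"Attribute.{key}"] = val
    return out


def inject_matches(payload: dict, expected: dict) -> bool:
    """True when every expected field equals the normalised payload value."""
    return all(effective_value(payload.get(k)) == v for k, v in expected.items())


def naive_inject_matches(payload: dict, expected: dict) -> bool:
    """Direct comparison without normalisation: fails on the list value."""
    return all(payload.get(k) == v for k, v in expected.items())


if __name__ == "__main__":
    payload = flatten(parse_form(SAMPLE_BODY))
    expected = {"Attribute.value": "194.78.89.250", "Attribute.to_ids": "1"}
    print(payload["Attribute.to_ids"])             # ['0', '1']
    print(naive_inject_matches(payload, expected))  # False
    print(inject_matches(payload, expected))        # True
    print(inject_matches(zmq_attribute_fields(SAMPLE_ZMQ_ATTRIBUTE), expected))  # True
```

Taking the last value is the same convention browsers and CakePHP rely on for checkbox fields, so the normalised comparison agrees with what MISP actually stored (`to_ids: true` in the ZMQ message) rather than with the raw form shape.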