viper-framework / viper

Binary analysis and management framework

Query regarding create_event from viper to misp #468

Closed MxResearch closed 7 years ago

MxResearch commented 8 years ago

Hi,

Is there any automated way to create multiple events and their attributes for multiple samples stored inside viper, rather than a manual create_event entry for each sample? Currently I am creating a manual entry like: misp create_event -d 0 -t 3 -a 1 -i 'info' and then adding its md5/sha1 hashes from viper to misp.

Rafiot commented 8 years ago

The next version of pymisp will make it easier to create events with default values. But in your case, I'd add a function to the Viper MISP module to mass create events based on the current viper project; it doesn't exist for now, and I won't promise I will have time to do it any time soon.

MxResearch commented 8 years ago

OK, thank you for your response; I will look into adding this new functionality to the Viper MISP module. There is one more query regarding cuckoo sandbox and viper. From the web console of viper there is an option to send a file directly to cuckoo. When I click on it, it shows "Error Connecting To Cuckoo". Note: I have already made changes in the viper.conf file as cuckoo_modified = False, cuckoo_host = CuckooURL. Through the command line, when I open a session (inside a specific sample) and type the command cuckoo -f, nothing happens further; it remains blank. Are there any additional settings that need to be done in either cuckoo or viper? Viper version is v1.3-dev. Cuckoo version is 2.0.

MxResearch commented 8 years ago

Hi again,

Facing a new issue in misp: when I create an event from viper to misp, the new event gets created with a new ID. Suppose misp already has 2 events in it, so the new ID will be 3. When I delete this new ID from the misp interface and again create a new event from viper, the new event ID should be 3 again, but for some unknown reason the ID keeps incrementing; the new entry is created with the 4th ID even though the 3rd entry is deleted. I also deleted the misp mysql database contents and again tried creating a new event from misp, but it is still working in append mode I guess; the event ID should be created as 1 but is taking ID 4 (entries 1-3 are already deleted). Any solution to this issue?

Rafiot commented 8 years ago

I never used the Cuckoo module, so I don't know :/ Maybe you want to create a new issue; that would be easier to follow. cc @botherder

Yes, if you delete an event, this event ID will never be re-attributed, this is the way MySQL works.

MxResearch commented 8 years ago

Thanks Rafiot for your answer, so the issue is in the auto increment after a delete in MySQL.

MxResearch commented 8 years ago

Hi Rafiot, I created this script which selects the md5 value from viper.db and creates events inside misp for the number of records present in viper.db.

Script:

```python
from pymisp import PyMISP
from keys import misp_url, misp_key
import sqlite3


def init(url, key):
    # PyMISP(url, key, ssl, out_type, debug)
    return PyMISP(url, key, True, 'json', debug=True)


# one client for the whole run, not a new one per row
misp = init(misp_url, misp_key)

dist = 0     # distribution 0: your organisation only
analys = 1   # analysis 1: ongoing
threat = 1   # threat level 1: high

db = sqlite3.connect('/home/viper.db')
cursor = db.cursor()
cursor.execute('SELECT md5 FROM malwaretable')

for row1 in cursor:
    md5 = row1[0]  # SELECT returns a single column, so the hash is always index 0
    # keyword arguments avoid mixing up threat_level_id and analysis positionally;
    # the md5 is used as the event info
    event = misp.new_event(distribution=dist, threat_level_id=threat,
                           analysis=analys, info=md5)
    print(event)
```

This will create the event records. There is a function misp.add_hashes(event, category="Payload delivery", md5='md5value') in pymisp, so I do not understand how I can use this function while creating events so that it also creates attributes having category="Payload delivery", md5='ChangeAsPerFile', as the md5 value needs to be specified manually every time for each event (hardcoded value). Is there a way to do this?

MxResearch commented 8 years ago

Hi @Rafiot ,

I updated pymisp to the new version v2.4.53 and made this change to my code: misp.add_hashes(event, category="Payload delivery", md5=row1[count]). This worked; now I am able to create an event and its attribute having the md5.

Thanks for your support
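The two posts above arrive at the pattern "one new_event per Viper row, then add_hashes on the returned event". The script below is an added example of that pattern carried through as a reusable function; it is not the poster's script and not Viper's MISP module. Its assumptions are labelled: Viper's per-sample hashes are stood in for by a constructed in-memory SQLite table `malware(name, md5, sha1, sha256)`; the MISP client is anything exposing the two PyMISP 2.4.5x calls the thread uses, `new_event(distribution=, threat_level_id=, analysis=, info=)` and `add_hashes(event, category=, md5=, sha1=, sha256=)`, and is assumed to return the server's JSON (`{"Event": {...}}` on success, an error dict otherwise) rather than raising. A `FakeMISP` records the calls so the example runs offline; for a live server, replace it with `PyMISP(misp_url, misp_key, True, 'json')`. The example also goes slightly beyond the thread by skipping rows with no hash and rows whose md5 was already pushed in this run, which avoids the duplicate events a second execution would otherwise create.

```python
"""Mass-create one MISP event per Viper sample and attach its hashes.

Added example, not Viper's or the poster's code. Assumptions are marked.
"""
import hashlib
import sqlite3

# Constructed test data: file contents, not real malware. Hashes are derived below.
CONSTRUCTED_SAMPLES = [
    ("empty.bin", b""),
    ("abc.txt", b"abc"),
    ("abc-copy.txt", b"abc"),  # identical content: same hashes, must not become a 2nd event
]


def build_viper_db(samples=CONSTRUCTED_SAMPLES):
    """Assumption: stand-in for viper.db with a `malware` table holding md5/sha1/sha256."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE malware (id INTEGER PRIMARY KEY, name TEXT, "
               "md5 TEXT, sha1 TEXT, sha256 TEXT)")
    for name, data in samples:
        db.execute("INSERT INTO malware (name, md5, sha1, sha256) VALUES (?, ?, ?, ?)",
                   (name, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
                    hashlib.sha256(data).hexdigest()))
    db.commit()
    return db


class FakeMISP:
    """Offline stand-in for PyMISP exposing only the two calls used in the thread."""

    def __init__(self):
        self.events = []
        self.attributes = []

    def new_event(self, distribution=None, threat_level_id=None, analysis=None, info=None):
        # Assumption: real PyMISP returns the server JSON, shaped {"Event": {...}}.
        event = {"Event": {"id": str(len(self.events) + 1), "info": info,
                           "distribution": distribution,
                           "threat_level_id": threat_level_id, "analysis": analysis}}
        self.events.append(event)
        return event

    def add_hashes(self, event, category="Artifacts dropped", md5=None, sha1=None, sha256=None):
        event_id = event["Event"]["id"]
        for attr_type, value in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
            if value:  # one attribute per hash that is actually present
                self.attributes.append({"event_id": event_id, "category": category,
                                        "type": attr_type, "value": value})
        return event


def push_samples(db, misp, distribution=0, threat_level_id=3, analysis=1,
                 category="Payload delivery"):
    """One event per distinct sample, with md5/sha1/sha256 attached as attributes.

    Defaults mirror the thread's `misp create_event -d 0 -t 3 -a 1`.
    Returns (created, skipped): created is [(event_id, md5)], skipped lists the
    md5 of rows that had no hash, were duplicates, or failed to create.
    """
    created, skipped, seen = [], [], set()
    rows = db.execute("SELECT name, md5, sha1, sha256 FROM malware ORDER BY id")
    for name, md5, sha1, sha256 in rows:
        if not md5 or md5 in seen:
            skipped.append(md5)
            continue
        seen.add(md5)
        response = misp.new_event(distribution=distribution, threat_level_id=threat_level_id,
                                  analysis=analysis, info="Viper sample %s (%s)" % (name, md5))
        if "Event" not in response:  # assumption: errors come back as JSON, not exceptions
            skipped.append(md5)
            continue
        misp.add_hashes(response, category=category, md5=md5, sha1=sha1, sha256=sha256)
        created.append((response["Event"]["id"], md5))
    return created, skipped


if __name__ == "__main__":
    client = FakeMISP()  # live: PyMISP(misp_url, misp_key, True, 'json')
    done, dropped = push_samples(build_viper_db(), client)
    for event_id, digest in done:
        print("event %s <- %s" % (event_id, digest))
    print("%d events, %d attributes, %d rows skipped" % (len(done), len(client.attributes), len(dropped)))
```

The per-run `seen` set only protects against duplicates inside one execution; across runs the server would still need to be queried for an existing attribute before creating a new event, which this example leaves out.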

Rafiot commented 8 years ago

Excellent, feel free to close the bug then :)