Comments (11)
I'm very confused you can get to the point where it adds anything to MISP, as the PyMISP.add_attribute doesn't accept these parameters. If you're using the latest version of PyMISP (or anything from the last couple of years), this should result in an exception.
Can you add the code that leads to the first screenshot? And the version of PyMISP you're using.
What should work is using MISPEvent.add_attribute.
Sorry Rafi, I can't reconstruct the exact function call. I think it consisted of the event ID, the attribute in the form of a dict and the file as a binary. The version used is "pymisp2:1.0.0.63745".
But the problem of my use case is still relevant, as the screenshots are intact in instance A and broken in instance B after posting the event to B with `PyMISP.add_event(event)`, and I think it has to do with the potentially buggy `add_attribute()` method.
`"pymisp2:1.0.0.63745"` is not a version of PyMISP. They should look like that: https://github.com/MISP/PyMISP/tags
There are different `add_attribute` methods in different classes, and the one in the `PyMISP` class isn't the same as the one in the `MISPEvent` or `MISPObject` classes.
`PyMISP.add_attribute(event_id, type=attachment, value=file_name, data=screenshot_binary)` is not a valid call at all, and it should raise an exception. That's why I really need more details on the code you're using so I can reproduce and figure out what's going on. Also, the actual version of the `pymisp` package is very important.
Sorry, what I posted was the name of the docker image. The used version is "2.4.169.3".
I used the `PyMISP.add_attribute()` function, not the ones of `MISPEvent` or `MISPObject`.
The call was not exactly like that (`PyMISP.add_attribute(event_id, type=attachment, value=file_name, data=screenshot_binary)`), but I got the `PyMISP.add_attribute()` function working in a way that the attribute got added to the `MISPEvent`, but the binary was broken.
Could you check if the data in the `PyMISP.add_attribute()` function really is a binary or a binary object? I am opening the binary in such a way and this works fine:
```python
from io import BytesIO

# read the screenshot file and wrap the bytes in a BytesIO object
with open(file_path, 'rb') as f:
    screenshot_binary = BytesIO(f.read())
```
Look at the documentation for `PyMISP.add_attribute`, it is not expecting the parameters you're using.
If you run the call you wrote above, which would be something like:
```python
pm.add_attribute(64, type='attachment', value='foo', data=screenshot_binary)
```
you get the exception `TypeError: PyMISP.add_attribute() got an unexpected keyword argument 'type'`.
I really need more details if you want me to help you. And a sample code that doesn't raise an exception would be a good start.
Maybe I didn't use the `type` parameter - as I mentioned, the function call should just serve as an example.
The core of my problem is the one with the screenshots being broken after getting an event from instance A and posting it to instance B.
Sure. How did it go from instance A to instance B? Did you export the json on one side and push it to the other? How did you do that? Is it a synchronisation using the sync mechanism? There are many ways to do what you describe and without a way for me to reproduce it, I cannot identify what went wrong.
Ah, I finally got it reconstructed!
This here works, but uploads a broken screenshot:
```python
PYMISP.add_attribute(
    event_id,
    {
        'value': file_name,
        'type': 'attachment',
        'object_relation': 'attachment',
        'data': screenshot_binary
    }
)
```
As for the A -> B topic:
The 'synchronization' is done manually by calling a function, because I only want to publish specific events. Said function works like that:
I create two instances of PyMISP, one with the URL of instance A (`PYMISP_internal`) and one with the URL of instance B (`PYMISP_public`).
I call `get_event(event_id)` on `PYMISP_internal` and store said event in a variable. After that I call `add_event(event)` on `PYMISP_public`.
Code:
```python
def get_misp_event_by_id(event_id):
    """ This function validates if a MISP event exists by the given event ID.
    Parameters
    ----------
    event_id: int
        The event id of the MISP event.
    Raises
    ------
    Exception
        If no MISP event can be found by the given ID.
    """
    event = PYMISP.search(
        controller='events',
        eventid=event_id,
        pythonify=True
    )
    if not event:
        raise Exception("No MISP event could be found by the given event ID.")
    return event[0]


try:
    ''' GET MISP event from INTERNAL instance '''
    event_to_post = get_misp_event_by_id(event_id)
    ''' POST MISP event to PUBLIC instance '''
    event_posted = PYMISP_public.add_event(
        event=event_to_post,
        pythonify=True)
except Exception:
    raise  # the except clause was not part of the posted snippet
```
Ok, so yes, this won't work. As per the documentation, `PYMISP.add_attribute` expects a parameter of type `MISPAttribute`, not a dict. The reason is that the `data` key needs to be base64 encoded and the `MISPAttribute` will take care of that.
If you want the code above to work, you need to encode it yourself (and it won't need the `MISPAttribute` step):
```python
import base64

pm.add_attribute(64,
                 {'type': 'attachment',
                  'value': 'baz.png',
                  # data must be a base64 string, not the raw bytes
                  'data': base64.b64encode(screenshot_binary.getvalue()).decode()
                  }
                 )
```
I tried that and it works.
But the sync issue is totally unrelated. The reason your copy doesn't work is because you didn't pass `with_attachments=True` to the search method. The attachment isn't in the response, so it won't be pushed to instance B.
If I may, I'd recommend using the `PyMISP.get_event` method instead of `search`. If you know the `event_id` anyway, it is a lot faster.
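The two failure modes discussed in this thread, as an added stdlib-only example that is not code from the thread or from PyMISP: building the dict-style attachment attribute with base64-encoded `data`, checking that an attribute's payload decodes back to the original bytes (it does not when raw bytes or a `BytesIO` are passed), and listing attachment attributes whose content is absent from an event JSON, which is what `search()` returns without `with_attachments=True`. Function names and the sample event are constructed.

```python
import base64
from io import BytesIO

# Constructed sample payload standing in for a screenshot (not a real PNG).
SAMPLE_SCREENSHOT = b"\x89PNG\r\n\x1a\n" + bytes(range(32))


def attachment_attribute(file_name, screenshot_binary):
    """Build the plain-dict attachment attribute that PyMISP.add_attribute
    accepts: 'data' has to be a base64 string, not raw bytes or a BytesIO."""
    if isinstance(screenshot_binary, BytesIO):
        screenshot_binary = screenshot_binary.getvalue()
    return {
        'type': 'attachment',
        'value': file_name,
        'data': base64.b64encode(screenshot_binary).decode(),
    }


def attachment_roundtrips(attribute, original):
    """Check that an attribute's 'data' decodes back to the original bytes.
    Returns False for the broken variants seen in the thread (raw bytes or a
    BytesIO passed as 'data', or a string that is not valid base64)."""
    data = attribute.get('data')
    if not isinstance(data, str):
        return False
    try:
        return base64.b64decode(data, validate=True) == original
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def attachments_missing_data(event_json):
    """List attachment-type attributes (top-level and inside objects) of a
    MISP event JSON whose binary content is absent; pushing such an event
    to another instance yields empty attachments."""
    event = event_json.get('Event', event_json)
    attributes = list(event.get('Attribute', []))
    for obj in event.get('Object', []):
        attributes.extend(obj.get('Attribute', []))
    return [a['value'] for a in attributes
            if a.get('type') in ('attachment', 'malware-sample') and not a.get('data')]


# Constructed event as search() returns it without with_attachments=True.
EVENT_WITHOUT_DATA = {'Event': {'id': '64', 'info': 'constructed sample',
                                'Attribute': [{'type': 'attachment', 'value': 'shot.png'},
                                              {'type': 'ip-dst', 'value': '198.51.100.7'}],
                                'Object': [{'name': 'file', 'Attribute': [
                                    {'type': 'attachment', 'value': 'obj.png', 'data': 'AAAA'}]}]}}
```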
Right, I totally forgot about the `with_attachments` flag. I will use `PyMISP.get_event()` instead of `PyMISP.search()` as well now.
As always, thanks a lot! Highly appreciate your help.