
Comments (11)

Rafiot commented on August 11, 2024

I'm very confused you can get to the point where it adds anything to MISP, as the PyMISP.add_attribute doesn't accept these parameters. If you're using the latest version of PyMISP (or anything from the last couple of years), this should result in an exception.

Can you add the code that leads to the first screenshot? And the version of PyMISP you're using.

What should work is using MISPEvent.add_attribute.

from pymisp.

nostripe commented on August 11, 2024

Sorry Rafi, I can't reconstruct the exact function call. I think it consisted of the event ID, the attribute in the form of a dict and the file as a binary. The version used is "pymisp2:1.0.0.63745".

But the problem of my use case is still relevant, as the screenshots are intact in instance A and broken in instance B after posting the event to B with PyMISP.add_event(event) and I think it has to do with the potentially buggy add_attribute() method.

Rafiot commented on August 11, 2024

"pymisp2:1.0.0.63745" is not a version of PyMISP. They should look like that: https://github.com/MISP/PyMISP/tags

There are different add_attribute methods in different classes, and the one in the PyMISP class isn't the same as the one in the MISPEvent or MISPObject classes.

PyMISP.add_attribute(event_id, type=attachment, value=file_name, data=screenshot_binary) is not a valid call at all, and it should raise an exception. That's why I really need more details on the code you're using so I can reproduce and figure out what's going on. Also, the actual version of the pymisp package is very important.

nostripe commented on August 11, 2024

Sorry, what I posted was the name of the docker image. The used version is "2.4.169.3".
I used the PyMISP.add_attribute() function, not the ones of the MISPEvent or MISPObject.

The call was not exactly like that (PyMISP.add_attribute(event_id, type=attachment, value=file_name, data=screenshot_binary)), but I got the PyMISP.add_attribute() function working in a way that the attribute got added to the MISPEvent, but the binary was broken.

Could you check if the data in the PyMISP.add_attribute() function really is a binary or a binary object? I am opening the binary in such a way and this works fine:

    with open(file_path, 'rb') as f:
        screenshot_binary = BytesIO(f.read())

Rafiot commented on August 11, 2024

Look at the documentation for PyMISP.add_attribute, it is not expecting the parameters you're using.

If you run the call you wrote above, which would be something like:
pm.add_attribute(64, type='attachment', value='foo', data=screenshot_binary)

you get the exception

TypeError: PyMISP.add_attribute() got an unexpected keyword argument 'type'.

I really need more details if you want me to help you. And a sample code that doesn't raise an exception would be a good start.

nostripe commented on August 11, 2024

Maybe I didn't use the type parameter - as I mentioned, the function call should just serve as an example 😄

The core of my problem is the one with the screenshots being broken after getting an event from instance A and posting it to instance B.

Rafiot commented on August 11, 2024

Sure. How did it go from instance A to instance B? Did you export the json on one side and push it to the other? How did you do that? Is it a synchronisation using the sync mechanism? There are many ways to do what you describe and without a way for me to reproduce it, I cannot identify what went wrong.

nostripe commented on August 11, 2024

Ah, I finally got it reconstructed!

This here works, but uploads a broken screenshot:

    PYMISP.add_attribute(
        event_id,
        {
            'value': file_name,
            'type': 'attachment',
            'object_relation': 'attachment',
            'data': screenshot_binary
        }
    )

nostripe commented on August 11, 2024

As for the A -> B topic:

The 'synchronization' is done manually by calling a function, because I only want to publish specific events. Said function works like that:

I create two instances of PyMISP, one with the URL of instance A (PYMISP_internal) and one with the URL of instance B (PYMISP_public).

I call get_event(event_id) on PYMISP_internal and store said event in a variable. After that I call add_event(event) on PYMISP_public.

Code:

    try:
        # GET MISP event from INTERNAL instance
        event_to_post = get_misp_event_by_id(event_id)

        # POST MISP event to PUBLIC instance
        event_posted = PYMISP_public.add_event(
            event=event_to_post,
            pythonify=True)

    def get_misp_event_by_id(event_id):
        """ This function validates if a MISP event exists by the given event ID.

        Parameters
        ----------
        event_id: int
            The event id of the MISP event.

        Raises
        ------
        Exception
            If no MISP event can be found by the given ID.
        """

        event = PYMISP.search(
            controller='events',
            eventid=event_id,
            pythonify=True
        )

        if not event:
            raise Exception("No MISP event could be found by the given event ID.")

        return event[0]

Rafiot commented on August 11, 2024

Ok, so yes, this won't work. As per the documentation, PYMISP.add_attribute expects a parameter of type MISPAttribute, not a dict. The reason is that the data key needs to be base64 encoded and the MISPAttribute will take care of that.

If you want the code above to work, you need to encode it yourself (and it won't need the MISPAttribute step):

    import base64

    # 'data' must be a base64 string, not the BytesIO object itself
    pm.add_attribute(64,
      {'type': 'attachment',
       'value': 'baz.png',
       'data': base64.b64encode(screenshot_binary.getvalue()).decode()
      }
    )

I tried that and it works.


But the sync issue is totally unrelated. The reason your copy doesn't work is because you didn't pass with_attachments=True to the search method. The attachment isn't in the response, so it won't be pushed to instance B.
If I may, I'd recommend using the PyMISP.get_event method instead of search. If you know the event_id anyway, it is a lot faster.
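
A pre-flight check for the two failure modes described in the comment above (attachment data that is not base64, and an event fetched without its attachments), added here as an example; it is not code from the thread or from PyMISP. It uses only the standard library; the helper names and sample events are constructed, and the `Event` / `Attribute` / `Object` layout is assumed to match the MISP event JSON.

```python
import base64
import hashlib


def make_attachment(file_name: str, raw: bytes) -> dict:
    """Attribute dict in the shape used in the thread, with 'data' base64-encoded."""
    return {"type": "attachment", "value": file_name,
            "data": base64.b64encode(raw).decode("ascii")}


def iter_attributes(event: dict):
    """Yield event-level attributes and attributes nested in objects."""
    body = event.get("Event", event)
    yield from body.get("Attribute", [])
    for obj in body.get("Object", []):
        yield from obj.get("Attribute", [])


def audit_attachments(event: dict) -> dict:
    """Map attachment name -> SHA-256 of the decoded file, or a problem string."""
    report = {}
    for attr in iter_attributes(event):
        if attr.get("type") != "attachment":
            continue
        data = attr.get("data")
        if not data:
            # Typical when the event was fetched without its attachments.
            report[attr["value"]] = "missing data"
        elif not isinstance(data, str):
            report[attr["value"]] = "data is not a base64 string"
        else:
            try:
                raw = base64.b64decode(data, validate=True)
                report[attr["value"]] = hashlib.sha256(raw).hexdigest()
            except ValueError:  # binascii.Error is a ValueError subclass
                report[attr["value"]] = "data is not valid base64"
    return report


# Constructed sample: a few bytes standing in for a PNG screenshot.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(16))
good_event = {"Event": {"Attribute": [make_attachment("baz.png", SAMPLE_PNG)]}}
no_data_event = {"Event": {"Attribute": [{"type": "attachment", "value": "baz.png"}]}}
raw_bytes_event = {"Event": {"Object": [{"Attribute": [
    {"type": "attachment", "value": "baz.png", "data": SAMPLE_PNG}]}]}}

if __name__ == "__main__":
    for name, ev in [("good", good_event), ("no data", no_data_event),
                     ("raw bytes", raw_bytes_event)]:
        print(name, audit_attachments(ev))
```

Running the audit on the event read from instance A and again on the event read back from instance B, then comparing the two reports, shows whether each screenshot arrived byte-for-byte intact.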

nostripe commented on August 11, 2024

Right, I totally forgot about the with_attachments flag. I will use PyMISP.get_event() instead of the PyMISP.search() as well now.

As always, thanks a lot! Highly appreciate your help ☺️
