weixin_39593498
2020-12-01 14:32 (0 views)

fileobject.py doesn't generate a downloadable malware-sample

When generating a fileobject with fileobject.py and pushing it on MISP, the malware-sample attribute has no downloadable malware-sample in MISP.

I think it might be due to the validation of the "malware-sample" object's attribute when submitting the whole file object to MISP (v2.4.102)

This question comes from the open-source project: MISP/PyMISP


5 replies

  • weixin_39784460 2020-12-01 14:32

    I just tested, and it is working. Can you show me the code you're using? I strongly recommend to use this method: https://github.com/MISP/PyMISP/blob/master/pymisp/tools/create_misp_object.py#L52

  • weixin_39593498 2020-12-01 14:32

    Yes, here is the source:

    ```python
    from pymisp import PyMISP
    from pymisp.tools import make_binary_objects
    import argparse
    import glob

    if __name__ == '__main__':
        parser = argparse.ArgumentParser(description='file object upload test')
        parser.add_argument('-e', '--event', required=True)
        parser.add_argument('-p', '--path', required=True)

        args = parser.parse_args()
        misp_url = 'http://10.0.2.5/'
        misp_key = 'redacted'
        misp_cert = False  # no TLS verification against the test VM
        pymisp = PyMISP(misp_url, misp_key, misp_cert, 'json')

        for f in glob.glob(args.path):
            # file object, PE object and PE section objects; only the file object is pushed here
            fo, peo, seos = make_binary_objects(f)
            # dump the serialized file object for debugging
            with open('dbg.json', 'a') as dbgfile:
                dbgfile.write(fo.to_json())
            template_json = pymisp.get_object_template_id(fo.template_uuid)
            template_id = template_json['ObjectTemplateElement'][0]['object_template_id']
            print(template_id)
            r = pymisp.add_object(args.event, template_id, fo)
            print(r)
    ```

    output:

    
    ~/Misp$python3 upload.py -e 1 -p /usr/bin/firefox
    36
    {'errors': ['Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', '403'], 'message': 'Could not add object', 'url': '/objects/add/1/36', 'name': 'Could not add object'}
    

    Environment: MISP test VM version 2.4.104, PyMISP version 2.4.103 (pip3 install version), OS: Debian.

  • weixin_39784460 2020-12-01 14:32

    So, right, something changed somewhere and passing a malware-sample without the md5 works if you push the full event with all the MISP Objects in it (what I was testing), but not if you upload the objects one after the other (what you were doing) :man_shrugging:

    I'm patching it now... Sorry for that.

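The validation error above comes from MISP's composite attribute types: `malware-sample` carries two values in one field, `filename|md5`, and when an object is posted on its own the server rejects a bare filename. The following is an added example (not code from the original post or from PyMISP) that builds the composite value from the sample bytes, checks it the way the server's error message describes, and repairs an object dict whose malware-sample attribute only has a filename. The object dict and the sample bytes are constructed inline; the regular expression is an approximation of the server check, not MISP's own implementation.

```python
import hashlib
import re

# Constructed stand-in for the binary the original poster uploaded (/usr/bin/firefox).
SAMPLE_NAME = "firefox"
SAMPLE_BYTES = b"\x7fELF" + b"\x00" * 60  # not a real executable, just bytes with a stable md5

# Approximation (assumption) of the server-side composite check behind the error
# "Composite type found but the value not in the composite (value1|value2) format."
# A filename containing '|' cannot be expressed in this format and is rejected.
COMPOSITE_RE = re.compile(r"^[^|]+\|[0-9a-fA-F]{32}$")


def composite_value(filename: str, data: bytes) -> str:
    """Return the 'filename|md5' value a malware-sample attribute expects."""
    return f"{filename}|{hashlib.md5(data).hexdigest()}"


def validate_composite(value: str) -> bool:
    """True if value is in the value1|value2 form MISP accepts for malware-sample."""
    return COMPOSITE_RE.match(value) is not None


def fix_malware_sample(file_object: dict, data: bytes) -> dict:
    """Rewrite the malware-sample attribute of a serialized file object so that its
    value is the composite form. A value that already carries an md5 is recomputed
    from the bytes, so a stale or wrong hash is also corrected.
    The dict layout (top-level 'Attribute' list with 'object_relation' and 'value')
    matches what MISPObject.to_json() produces; treat that as an assumption here.
    """
    for attr in file_object.get("Attribute", []):
        if attr.get("object_relation") == "malware-sample":
            filename = attr["value"].split("|", 1)[0]
            attr["value"] = composite_value(filename, data)
    return file_object


def build_constructed_file_object() -> dict:
    """Constructed miniature of the file object dumped to dbg.json, with the bare
    filename that triggers the validation error."""
    return {
        "name": "file",
        "meta-category": "file",
        "Attribute": [
            {"object_relation": "filename", "type": "filename", "value": SAMPLE_NAME},
            {"object_relation": "malware-sample", "type": "malware-sample", "value": SAMPLE_NAME},
            {"object_relation": "md5", "type": "md5", "value": hashlib.md5(SAMPLE_BYTES).hexdigest()},
        ],
    }


if __name__ == "__main__":
    fo = build_constructed_file_object()
    bare = fo["Attribute"][1]["value"]
    print(bare, "valid:", validate_composite(bare))
    fix_malware_sample(fo, SAMPLE_BYTES)
    fixed = fo["Attribute"][1]["value"]
    print(fixed, "valid:", validate_composite(fixed))
```

`fix_malware_sample` is what you would run over the dict from `fo.to_json()` before `add_object` if you are stuck on a PyMISP version that still sends the bare filename; the file bytes themselves travel in the attribute's base64 `data` field, which is left out here because the composite value is the part the server validates.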
  • weixin_39593498 2020-12-01 14:32

    Thanks!

  • weixin_39784460 2020-12-01 14:32

    \o/ thank you for your patience and sorry for the regression. We have a test case now, that shouldn't happen again :)
