PyMISP
Bug: Could not add object due to incomplete attribute value "malware-sample" in FileObject
pymisp showed me an error when I was trying to upload a malware sample file using the really simple code below:

```python
from pymisp import PyMISP
from pymisp.tools import make_binary_objects

misp = PyMISP(MISP_URL, MISP_KEY)
fo, peo, seo = make_binary_objects(FILE_PATH)
misp.add_object(EVENT_ID, fo)
```

```
Something went wrong (403): {'saved': False, 'name': 'Could not add object', 'message': 'Could not add object', 'url': '/objects/add/3/', 'errors': 'Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', 'id': '3/'}
```
I checked the "malware-sample" attribute value and found that it is just the file name, but if I upload a sample manually it would be something like FILENAME|MD5, so I changed the attribute value to that and it works fine.
I checked the code in https://github.com/MISP/PyMISP/blob/main/pymisp/tools/fileobject.py line 67 and I believe it should be changed

from

```python
self.add_attribute('malware-sample', value=self.__filename, data=self.__pseudofile, disable_correlation=True)
```

to

```python
self.add_attribute('malware-sample', value=f"{self.__filename}|{md5(self.__data).hexdigest()}", data=self.__pseudofile, disable_correlation=True)
```
EDIT:
MISPAttribute.value will be reset in method "_prepare_new_malware_sample" so https://github.com/MISP/PyMISP/blob/main/pymisp/mispevent.py#L645 should also be changed as below
```python
def _prepare_new_malware_sample(self):
    if '|' in self.value:
        # Get the filename, ignore the md5, because humans.
        self.malware_filename, md5 = self.value.split('|')
    else:
        # Assuming the user only passed the filename
        self.malware_filename = self.value
    #self.value = self.malware_filename #comment this line
    self._malware_binary = self.data
    self.encrypt = True
```
MISP is supposed to generate the md5 itself: we cannot trust the user to submit the appropriate value. Removing the hash if it is provided is what we want, and it works when we add a complete event to MISP, but this feature may not be present when you add an object directly (?). Is that what's happening, @mokaddem @iglocska @righel?
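
The point made in the reply above, that the hash in a `filename|md5` value should be derived from the uploaded bytes and never taken from the submitter, as an added example that is not PyMISP or MISP code. `build_sample_value`, `is_composite`, `SampleValue` and the composite pattern are hypothetical; the pattern is an assumption modelled on the error message in the report.

```python
import hashlib
import re
from typing import NamedTuple, Optional

# Assumed shape of a composite malware-sample value: "<filename>|<32 hex chars>".
# Modelled on the error message in the report, not copied from MISP's validator.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
COMPOSITE_RE = re.compile(r"^.+\|[0-9a-fA-F]{32}$")


class SampleValue(NamedTuple):
    value: str                      # composite value rebuilt from the real bytes
    claimed_md5: Optional[str]      # hash the submitter supplied, if any
    claim_matches: Optional[bool]   # None when no hash was supplied


def is_composite(value: str) -> bool:
    """True if value has the filename|md5 shape."""
    return COMPOSITE_RE.match(value) is not None


def build_sample_value(submitted: str, data: bytes) -> SampleValue:
    """Rebuild filename|md5 from the payload, ignoring any submitted hash."""
    # Split on the last '|' so a pipe inside the filename stays in the name.
    name, sep, claimed = submitted.rpartition("|")
    if not sep or not MD5_RE.fullmatch(claimed):
        # Only a filename was passed (or the tail is not an MD5).
        name, claimed = submitted, None
    if not name:
        raise ValueError("malware-sample needs a non-empty filename")
    actual = hashlib.md5(data).hexdigest()
    matches = None if claimed is None else claimed.lower() == actual
    return SampleValue(f"{name}|{actual}", claimed, matches)


if __name__ == "__main__":
    payload = b"hello"  # constructed stand-in for the sample's bytes
    for submitted in ("sample.bin", "sample.bin|" + "0" * 32):
        result = build_sample_value(submitted, payload)
        print(submitted, "->", result.value, "claim ok:", result.claim_matches)
```

A `claim_matches` of `False` is worth logging: it means the submitted hash did not describe the uploaded bytes.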