PyMISP icon indicating copy to clipboard operation
PyMISP copied to clipboard
verified publisher icon MISP

MISP server doesn't add ip related object's attributes to an event.

Open vvozzy opened this issue 1 year ago • 1 comments

I created my custom object template and placed it both into MISP server directory and PyMISP directory.

{ "attributes": { "fqdn": { "description": "Fully Qualified Domain Name", "misp-attribute": "domain", "ui-priority": 2 }, "tenant": { "description": "Name of an endpoint's owner", "misp-attribute": "text", "ui-priority": 0 }, "endpoint": { "description": "IP address of an endpoint", "misp-attribute": "ip-dst", "ui-priority": 1 }, "time": { "description": "Exact time of an alert", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 } }, "description": "Alert metadata", "meta-category": "reputation", "name": "alert", "required": [ "fqdn", "tenant", "endpoint", "time" ], "uuid": "e2fbbb13-0723-4b6d-a4f1-00b13689078c", "version": 1 }

Then locally I created the object, added it to previously already created event and added event to MISP server.

misp = PyMISP(misp_url, misp_key, False)

event = MISPEvent()
event.set_date(i_dict['time']) 
event.info = f'DNS reputation: {i_dict['fqdn']}

obj = MISPObject('myobj') 
obj.add_attribute('fqdn', i_dict['fqdn'], type = 'domain')
obj.add_attribute('tenant', i_dict['tenant'], type = 'text') 
obj.add_attribute('endpoint', i_dict['endpoint], type = 'ip-dst') 
obj.add_attribute('time', i_dict['time'], type = 'text')  

event.add_object(obj, pythonify = True)

misp_event = misp.add_event(event, pythonify = True)

On MISP server side all object's attributtes are added to the created event EXCEPT the 'endpoint' with 'ip-dst' type of misp-attribute. I've already tried to change its type to 'text' (which worked) and 'ip-dst|port' (which didn't work).

I also tried to create an object with the default 'domain-ip' template. I added 'ip-dst' attribute to the object. Still, when I added the object to the event and added the event to MISP server there was no 'ip-dst' attribute shown on MISP server.

What could be the problem?

vvozzy avatar Jan 24 '24 15:01 vvozzy

You say that the domain-ip template is not working either, right? That's very odd, and it makes me think that MISP rejects the IP because it's not validating.

If you take the IP and try to add it manually on MISP as a standalone attribute of format ip-dst, does it works?

Rafiot avatar Feb 11 '25 09:02 Rafiot