MISP
Exception while reading/searching events with last_seen or first_seen set to 0
Hi,
I often search for all events in our internal MISP and since some time I'm getting an exception.
When reading events where first_seen or last_seen contains the string "0" exception handling is not as good as it could be.
I've located the lines of code in mispevent.py (the lines under the # Faster comment is raising the exception):
if kwargs.get('first_seen'):
fs = kwargs.pop('first_seen')
try:
# Faster
self.first_seen = datetime.fromisoformat(fs)
except Exception:
# Use __setattr__
self.first_seen = fs
if kwargs.get('last_seen'):
ls = kwargs.pop('last_seen')
try:
# Faster
self.last_seen = datetime.fromisoformat(ls)
except Exception:
# Use __setattr__
self.last_seen = ls
I've made a local patch in my pymisp library.
Since I don't have access to the production database, I can't play around with the values there.
Thanks, Peter Gunnarsson Truesec AB Sweden
this can be reproduced by running the code:
misp.search(org=1, pythonify=True)
I suspect that one of the attributes need to have first_seen='0' set.
What is the exception you're getting? If it is a 500, it's (probably) because the server tries to return everything in the MISP instance and it times out/barfs.
this is on the client side.. the exception I get is:
ParserError: day is out of range for month: 0
I know now that first_seen is set to "0" in the event that causes this problem.
I've just bumped on this issue also. One of the feeds I consume somehow sent a first_seen to 1970 and MISP accepted it "as is" :
I was forced to reset this date to another day, as the line self.first_seen = fs will call upon datetime.fromisoformat wich raise an exception, not expecting 0 as a value. it is used in the faster section but also in the set_attr of both dates.
