Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Could not add object due to incomplete attribute value "malware-sample" in FileObject #1084

Open
Bayerischen opened this issue Oct 19, 2023 · 1 comment
Open

Bug: Could not add object due to incomplete attribute value "malware-sample" in FileObject #1084

Bayerischen opened this issue Oct 19, 2023 · 1 comment

Comments

@Bayerischen
Copy link

Bayerischen commented Oct 19, 2023
edited
Loading

pymisp showed me an error when I was trying to upload a malware sample file using below really simple code:

from pymisp import PyMISP
from pymisp.tools import make_binary_objects

misp = PyMISP(MISP_URL, MISP_KEY)

fo, peo, seo = make_binary_objects(FILE_PATH)
misp.add_object(EVENT_ID, fo)

Something went wrong (403): {'saved': False, 'name': 'Could not add object', 'message': 'Could not add object', 'url': '/objects/add/3/', 'errors': 'Could not save object as at least one attribute has failed validation (malware-sample). {"value":["Composite type found but the value not in the composite (value1|value2) format."]}', 'id': '3/'}

I checked the "malware-sample" attribute value and found that it is just the file name, but if I upload a sample manually it would be something like FILENAME|MD5, so I changed the attribute value to that and it works fine.

I checked the code in https://github.com/MISP/PyMISP/blob/main/pymisp/tools/fileobject.py line 67 and I believe it should be changed

from

self.add_attribute('malware-sample', value=self.__filename, data=self.__pseudofile, disable_correlation=True)~~

to

self.add_attribute('malware-sample', value=f"{self.__filename}|{md5(self.__data).hexdigest()}", data=self.__pseudofile, disable_correlation=True)

EDIT:

MISPAttribute.value will be reset in method "_prepare_new_malware_sample" so https://github.com/MISP/PyMISP/blob/main/pymisp/mispevent.py#L645 should also be changed as below

    def _prepare_new_malware_sample(self):
        if '|' in self.value:
            # Get the filename, ignore the md5, because humans.
            self.malware_filename, md5 = self.value.split('|')
        else:
            # Assuming the user only passed the filename
            self.malware_filename = self.value
        #self.value = self.malware_filename    #comment this line
        self._malware_binary = self.data
        self.encrypt = True
@Rafiot
Copy link
Member

Rafiot commented Oct 20, 2023

MISP is supposed to generate the md5 itself: we cannot trust the user to submit the appropriate value. Removing the hash if it is provided is what we want, and it works when we add a complete event to MISP, but this feature may not be present when you add an object directly (?). It is what's happening @mokaddem @iglocska @righel?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Rafiot @Bayerischen