fix: Properly check the URL and if it is recent in MISP

2024-04-10 13:59:14 +02:00 · 2024-04-10 13:59:14 +02:00 · f55b9f66f1
parent 5162e6bffd
commit f55b9f66f1
1 changed files with 16 additions and 19 deletions
--- a/lookyloo/lookyloo.py
+++ b/lookyloo/lookyloo.py
@ -822,6 +822,7 @@ class Lookyloo():
        smtp_auth = get_config('generic', 'email_smtp_auth')
        redirects = ''
        initial_url = ''
        misp = ''
        if cache := self.capture_cache(capture_uuid):
            if hasattr(cache, 'url'):
                if email_config['defang_urls']:
@ -841,25 +842,21 @@ class Lookyloo():
                    redirects += '\n'.join(cache.redirects)
            else:
                redirects = "No redirects."
-        misp = ''
+
-        if not self.misps.available:
+            if not self.misps.available:
-            self.logger.info('There are no MISP instances available for a lookup.')
+                self.logger.info('There are no MISP instances available for a lookup.')
-        else:
+            else:
-            for instance_name in self.misps.keys():
+                for instance_name in self.misps.keys():
-                if occurrences := self.get_misp_occurrences(capture_uuid, instance_name=instance_name):
+                    if occurrences := self.get_misp_occurrences(capture_uuid, instance_name=instance_name):
-                    misp_url = occurrences[1]
+                        elements, misp_url = occurrences
-                    for element in occurrences[0]:
+                        for event_id, attributes in elements.items():
-                        for attribute in occurrences[0][element]:
+                            for value, ts in attributes:
-                            if not isinstance(attribute, tuple):
+                                if value == cache.url:
-                                # Issue with the response of the search, ignore
+                                    now = datetime.now(timezone.utc)
-                                continue
+                                    diff = now - ts
-                            value, timestamp = attribute
+                                    if diff.days < 1:  # MISP event should not be older than 24hours
-                            if value == initial_url:
+                                        misp += f"\n{ts.isoformat()} : {misp_url}events/{event_id}"
-                                now = datetime.now(timezone.utc)
+                                    break  # some events have more than just one timestamp, we just take the first one
                                diff = now - timestamp
                                if diff.days < 1:  # MISP event should not be older than 24hours
                                    misp += f"\n{attribute[1]:%a %m-%d-%y %I:%M%p(%z %Z)} : {misp_url}events/{element}"
                                break  # some events have more than just one timestamp, we just take the first one
        msg = EmailMessage()
        msg['From'] = email_config['from']
        if email: