CIRCL
/
lookyloo
mirror of https://github.com/CIRCL/lookyloo
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: Properly check the URL and if it is recent in MISP

pull/907/head
Raphaël Vinot 2024-04-10 13:59:14 +02:00
parent 5162e6bffd
commit f55b9f66f1
1 changed files with 16 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
lookyloo/lookyloo.py
View File

@ -822,6 +822,7 @@ class Lookyloo():
smtp_auth = get_config('generic', 'email_smtp_auth')
redirects = ''
initial_url = ''
misp = ''
if cache := self.capture_cache(capture_uuid):
if hasattr(cache, 'url'):
if email_config['defang_urls']:
@ -841,24 +842,20 @@ class Lookyloo():
redirects += '\n'.join(cache.redirects)
else:
redirects = "No redirects."
misp = ''
if not self.misps.available:
self.logger.info('There are no MISP instances available for a lookup.')
else:
for instance_name in self.misps.keys():
if occurrences := self.get_misp_occurrences(capture_uuid, instance_name=instance_name):
misp_url = occurrences[1]
for element in occurrences[0]:
for attribute in occurrences[0][element]:
if not isinstance(attribute, tuple):
# Issue with the response of the search, ignore
continue
value, timestamp = attribute
if value == initial_url:
elements, misp_url = occurrences
for event_id, attributes in elements.items():
for value, ts in attributes:
if value == cache.url:
now = datetime.now(timezone.utc)
diff = now - timestamp
diff = now - ts
if diff.days < 1: # MISP event should not be older than 24hours
misp += f"\n{attribute[1]:%a %m-%d-%y %I:%M%p(%z %Z)} : {misp_url}events/{element}"
misp += f"\n{ts.isoformat()} : {misp_url}events/{event_id}"
break # some events have more than just one timestamp, we just take the first one
msg = EmailMessage()
msg['From'] = email_config['from']