From 50f07a0e4bbe564d86838d704b04af0f4a499752 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 14 May 2020 20:29:50 +0200
Subject: [PATCH] fix: [transform] Search in MISP works with object attributes
---
 .../transforms/attributetoevent.py | 7 +++
 src/MISP_maltego/transforms/common/util.py | 43 ++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py
index e79eb0e..14b3cbc 100644
--- a/src/MISP_maltego/transforms/attributetoevent.py
+++ b/src/MISP_maltego/transforms/attributetoevent.py
@@ -84,10 +84,17 @@ class SearchInMISP(Transform):
 events_json = misp.search(controller='events', value=request.entity.value, with_attachments=False)
 # we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
 for e in events_json:
+ # find the value as attribute
 attr = get_attribute_in_event(e, request.entity.value, substring=True)
 if attr:
 for item in attribute_to_entity(attr, only_self=True):
 response += item
+ # find the value as object, and return the object
+ if 'Object' in e['Event']:
+ for o in e['Event']['Object']:
+ if get_attribute_in_object(o, attribute_value=request.entity.value, substring=True).get('value'):
+ response += object_to_entity(o, link_label=link_label)
+
 return response
 # placeholder for https://github.com/MISP/MISP-maltego/issues/11
diff --git a/src/MISP_maltego/transforms/common/util.py b/src/MISP_maltego/transforms/common/util.py
index 435d1e4..02c9f39 100644
--- a/src/MISP_maltego/transforms/common/util.py
+++ b/src/MISP_maltego/transforms/common/util.py
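Review bot: `link_label` is used in the new `response += object_to_entity(o, link_label=link_label)` line but is not defined anywhere in the hunk; if it is not assigned earlier in this transform (the method starts above the hunk) this raises NameError the first time an object matches, so it is worth confirming against the lines above. The new loop also calls `get_attribute_in_object(...)` with `substring=True` and consults only `.get('value')`, which relies on that helper's `{'value': ''}` default to mean "no match"; a short comment such as `# get_attribute_in_object returns {'value': ''} when nothing matched` would make the contract explicit at the call site. `misp.search` and both helper calls take `request.entity.value` straight from the Maltego entity, so any `%` wildcard interpretation happens in the helper and on the server, not here; a local `value = request.entity.value` would also save the three repeated attribute lookups.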
@@ -278,7 +278,7 @@ def get_object_in_event(uuid, e):
 return o
-def get_attribute_in_object(o, attribute_type=False, attribute_value=False, drop=False):
+def get_attribute_in_object(o, attribute_type=False, attribute_value=False, drop=False, substring=False):
 '''Gets the first attribute of a specific type within an object'''
 found_attribute = {'value': ''}
 for i, a in enumerate(o['Attribute']):
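Review bot: The docstring on the context line `'''Gets the first attribute of a specific type within an object'''` no longer describes the function once `substring` is added: besides the type lookup the docstring names, the body below already matches by `attribute_value` (including as one `|`-separated part of a `name|hash` style value) and can `drop` the match, and the new flag enables `%`-wildcard matching. A docstring listing the lookup modes, stating that `drop` removes the matched attribute from `o['Attribute']` in place, that `substring` treats a leading and/or trailing `%` in `attribute_value` as a wildcard, and that the return value is a copy of the first match or `{'value': ''}` when nothing matched, would give callers such as the new `.get('value')` check in attributetoevent.py a documented contract instead of an inferred one. The function body continues past this hunk.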
@@ -291,12 +291,53 @@ def get_attribute_in_object(o, attribute_type=False, attribute_value=False, drop
 found_attribute = a.copy()
 if drop: # drop the attribute from the object
 o['Attribute'].pop(i)
+ break
 if '|' in a['type'] or a['type'] == 'malware-sample':
 if attribute_value in a['value'].split('|'):
 found_attribute = a.copy()
 if drop: # drop the attribute from the object
 o['Attribute'].pop(i)
+ break
+ # TODO implement substring matching
+ if substring:
+ keyword = attribute_value.strip('%')
+ if attribute_value.startswith('%') and attribute_value.endswith('%'):
+ if attribute_value in a['value']:
+ found_attribute = a.copy()
+ if drop: # drop the attribute from the object
+ o['Attribute'].pop(i)
+ break
+ if '|' in a['type'] or a['type'] == 'malware-sample':
+ val1, val2 = a['value'].split('|')
+ if attribute_value in val1 or attribute_value in val2:
+ found_attribute = a.copy()
+ if drop: # drop the attribute from the object
+ o['Attribute'].pop(i)
+ break
+ elif attribute_value.startswith('%'):
+ if a['value'].endswith(keyword):
+ found_attribute = a.copy()
+ if drop: # drop the attribute from the object
+ o['Attribute'].pop(i)
+ break
+ if '|' in a['type'] or a['type'] == 'malware-sample':
+ val1, val2 = a['value'].split('|')
+ if val1.endswith(keyword) or val2.endswith(keyword):
+ found_attribute = a.copy()
+ if drop: # drop the attribute from the object
+ o['Attribute'].pop(i)
+ break
+ elif attribute_value.endswith('%'):
+ if a['value'].startswith(keyword):
+ return a
+ if '|' in a['type'] or a['type'] == 'malware-sample':
+ val1, val2 = a['value'].split('|')
+ if val1.startswith(keyword) or val2.startswith(keyword):
+ found_attribute = a.copy()
+ if drop: # drop the attribute from the object
+ o['Attribute'].pop(i)
+ break
 return found_attribute
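Review bot: The `%value%` branch compares the un-stripped `attribute_value` instead of `keyword`, so `if attribute_value in a['value']:` and the `if attribute_value in val1 or attribute_value in val2:` test below it can only match attributes whose value literally contains percent signs, which makes the both-sides wildcard dead in practice. The `endswith('%')` branch's bare `return a` hands back the live attribute dict instead of a copy, ignores `drop`, and skips the copy/drop/`break` sequence every other branch uses, and each `val1, val2 = a['value'].split('|')` raises ValueError for any value with zero or more than one `|`, where the pre-existing `attribute_value in a['value'].split('|')` form tolerated that. Because `attribute_value` arrives from the Maltego entity, odd input here should fail closed as "no match" rather than raise; the rewrite below builds one candidate list (the whole value plus its `|`-separated parts), picks a single predicate per wildcard shape, treats a bare `%` as matching nothing rather than everything, and applies the copy/drop/break sequence once. The now-stale `# TODO implement substring matching` comment should go with it; the function's signature and exact-match blocks are above this hunk.
```python
        # … unchanged: exact type/value matches and the two new `break`s …
        if substring:
            keyword = attribute_value.strip('%')
            # compare the whole value and, for 'name|hash' style types, each
            # '|'-separated part; split() copes with any number of separators
            candidates = [a['value']]
            if '|' in a['type'] or a['type'] == 'malware-sample':
                candidates.extend(a['value'].split('|'))
            if not keyword:
                matched = False  # a bare '%' would otherwise match every attribute
            elif attribute_value.startswith('%') and attribute_value.endswith('%'):
                matched = any(keyword in c for c in candidates)
            elif attribute_value.startswith('%'):
                matched = any(c.endswith(keyword) for c in candidates)
            elif attribute_value.endswith('%'):
                matched = any(c.startswith(keyword) for c in candidates)
            else:
                matched = False  # no wildcard: only the exact matches above apply
            if matched:
                found_attribute = a.copy()
                if drop:  # drop the attribute from the object
                    o['Attribute'].pop(i)
                break
    return found_attribute
```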