fix: [internal] Handle the upload of original versions of ingested files via a helper function instead of leaving it to external tools

2018-12-06 11:47:14 +01:00 · 2018-12-06 11:47:14 +01:00 · 211ac07372
parent 3e4e75014b
commit 211ac07372
2 changed files with 55 additions and 15 deletions
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@ -5079,7 +5079,7 @@ class Event extends AppModel
        } else {
            throw new MethodNotAllowedException('Invalid STIX version');
        }
-        $shell_command .=  ' ' . $original_file . ' ' . escapeshellarg(Configure::read('MISP.default_event_distribution')) . ' ' . escapeshellarg(Configure::read('MISP.default_attribute_distribution')) . ' 2>' . APP . 'tmp/logs/exec-errors.log';
+        $shell_command .=  ' ' . escapeshellarg(Configure::read('MISP.default_event_distribution')) . ' ' . escapeshellarg(Configure::read('MISP.default_attribute_distribution')) . ' 2>' . APP . 'tmp/logs/exec-errors.log';
        $result = shell_exec($shell_command);
        unlink($tempFilePath);
        if (trim($result) == '1') {
@ -5090,6 +5090,7 @@ class Event extends AppModel
            $validationIssues = false;
            $result = $this->_add($data, true, $user, '', null, false, null, $created_id, $validationIssues);
            if ($result) {
+                $this->add_original_file($tempFilePath, $original_filename, $created_id, 'STIX 1.1');
                return $created_id;
            }
            return $validationIssues;
@ -5643,4 +5644,55 @@ class Event extends AppModel
        }
        return $eventIdList;
    }
+
+    public function add_original_file($file_path, $original_filename, $event_id, $format)
+    {
+        if (!Configure::check('MISP.default_attribute_distribution') || Configure::read('MISP.default_attribute_distribution') === 'event') {
+            $distribution = 5;
+        } else {
+            $distribution = Configure::read('MISP.default_attribute_distribution');
+        }
+        $this->MispObject->create();
+        $object = array(
+            'name' => 'original-imported-file',
+            'meta-category' => 'file',
+            'description' => 'Object describing the original file used to import data in MISP.',
+            'template_uuid' => '4cd560e9-2cfe-40a1-9964-7b2e797ecac5',
+            'template_version' => '2',
+            'event_id' => $event_id,
+            'distribution' => $distribution
+        );
+        $this->MispObject->save($object);
+        $object_id = $this->MispObject->id;
+        $file = file_get_contents($file_path);
+        $attributes = array(
+            array(
+                'type' => 'attachment',
+                'category' => 'External analysis',
+                'to_ids' => false,
+                'event_id' => $event_id,
+                'distribution' => $distribution,
+                'object_relation' => 'imported-sample',
+                'value' => $original_filename,
+                'data' => base64_encode($file),
+                'object_id' => $object_id,
+            ),
+            array(
+                'type' => 'text',
+                'category' => 'Other',
+                'to_ids' => false,
+                'uuid' => '5c08f00d-2174-4ab7-ad0d-1b1a011fb688',
+                'event_id' => $event_id,
+                'distribution' => $distribution,
+                'object_id' => $object_id,
+                'object_relation' => 'format',
+                'value' => 'STIX 1.1'
+            )
+        );
+        foreach ($attributes as $attribute) {
+            $this->Attribute->create();
+            $this->Attribute->save($attribute);
+        }
+        return true;
+    }
 }
--- a/app/files/scripts/stix2misp.py
+++ b/app/files/scripts/stix2misp.py
@ -53,16 +53,14 @@ class StixParser():
    # Load data from STIX document, and other usefull data
    def load_event(self, args, filename, from_misp, stix_version):
        self.outputname = '{}.json'.format(filename)
-        if len(args) > 0 and args[0]:
-            self.add_original_file(filename, args[0], stix_version)
        try:
-            event_distribution = args[1]
+            event_distribution = args[0]
            if not isinstance(event_distribution, int):
                event_distribution = int(event_distribution) if event_distribution.isdigit() else 5
        except IndexError:
            event_distribution = 5
        try:
-            attribute_distribution = args[2]
+            attribute_distribution = args[1]
            if attribute_distribution == 'event':
                attribute_distribution = event_distribution
            elif not isinstance(attribute_distribution, int):
@ -81,16 +79,6 @@ class StixParser():
        with open(self.outputname, 'wt', encoding='utf-8') as f:
            f.write(eventDict)

-    def add_original_file(self, filename, original_filename, version):
-        with open(filename, 'rb') as f:
-            sample = base64.b64encode(f.read()).decode('utf-8')
-        original_file = MISPObject('original-imported-file')
-        original_file.add_attribute(**{'type': 'attachment', 'value': original_filename,
-                                       'object_relation': 'imported-sample', 'data': sample})
-        original_file.add_attribute(**{'type': 'text', 'object_relation': 'format',
-                                       'value': 'STIX {}'.format(version)})
-        self.misp_event.add_object(**original_file)
-
    # Load the mapping dictionary for STIX object types
    def load_mapping(self):
        self.attribute_types_mapping = {