From 2a4c7ff1502b8e42e07c296fd38c0a6ca74c83a5 Mon Sep 17 00:00:00 2001
From: Braden Laverick
Date: Tue, 29 Oct 2019 20:22:41 +0000
Subject: [PATCH] Added ors for compound queries
---
 misp_modules/modules/export_mod/endgame_export.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/misp_modules/modules/export_mod/endgame_export.py b/misp_modules/modules/export_mod/endgame_export.py
index 5ba7ea4..dab15f9 100644
--- a/misp_modules/modules/export_mod/endgame_export.py
+++ b/misp_modules/modules/export_mod/endgame_export.py
@@ -16,10 +16,6 @@ moduleinfo = {
 "module-type": ["export"]
 }
-# config fields expected from the MISP administrator
-# Default_Source: The source of the data. Typically this won't be changed from the default
-moduleconfig = ["Default_Source"]
-
 # Map of MISP fields => ThreatConnect fields
 fieldmap = {
 # "domain": "Host",
@@ -72,11 +68,14 @@ def handler(q=False):
 if event_type not in queryDict.keys():
 queryDict[event_type] = {}
 queryDict[event_type][attribute["value"]] = fieldmap[attribute["type"]]
-
+ i = 0
 for query in queryDict.keys():
 response.write("{} where\n".format(query))
 for value in queryDict[query].keys():
- response.write("\t{} == \"{}\"\n".format(queryDict[query][value], value))
+ if i != 0:
+ response.write(" or\n")
+ response.write("\t{} == \"{}\"".format(queryDict[query][value], value))
+ i += 1
 return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
@@ -104,5 +103,5 @@ def version():
 Output
 moduleinfo: metadata output containing all potential configuration values
 """
- moduleinfo["config"] = moduleconfig
+# moduleinfo["config"] = moduleconfig
 return moduleinfo
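Review bot: In the `handler` hunk, `i` is set once before `for query in queryDict.keys():` and never reset, so when a second event type is written its first condition is preceded by ` or\n` right after the `{} where` line. The condition line also lost its trailing `\n`, so the next `{} where` header lands on the same line as the previous query's last condition. Joining each query's conditions with `" or\n"` and ending the query with a newline fixes both without a counter. Separately, `value` comes from the event's attribute values and is written between double quotes unescaped, so a value containing `"` or `\` changes the structure of the generated query; the sketch escapes both, assuming backslash escapes, which should be confirmed against the EQL string rules. `handler` begins and ends outside this hunk.

```python
    for query in queryDict.keys():
        response.write("{} where\n".format(query))
        conditions = []
        for value, field in queryDict[query].items():
            # Escape the backslash first, then the quote, so the value stays inside its string literal.
            escaped = value.replace("\\", "\\\\").replace("\"", "\\\"")
            conditions.append("\t{} == \"{}\"".format(field, escaped))
        response.write(" or\n".join(conditions))
        response.write("\n")
    # … unchanged: return of the base64-encoded response …
```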
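Review bot: In the `version()` hunk the assignment is commented out at column 0 (`# moduleinfo["config"] = moduleconfig`) rather than deleted, which leaves a reference to `moduleconfig`, a name the first hunk removes. Delete the line, and update the docstring, which still says the return value contains "all potential configuration values". If the caller of `version()` reads `moduleinfo["config"]`, which is not visible here, `moduleinfo["config"] = []` would be the safer replacement. `version()` starts outside this hunk.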