From b5579e5e425ffe008f1db7880229e396518d1e54 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 9 May 2024 17:43:24 +0200
Subject: [PATCH] chg: [virustotal] support ip-src/ip-dst|port attribute type
Fix #632
---
 misp_modules/modules/expansion/virustotal.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py
index 1b66afa2..8d78f393 100644
--- a/misp_modules/modules/expansion/virustotal.py
+++ b/misp_modules/modules/expansion/virustotal.py
@@ -4,7 +4,7 @@ from . import check_input_attribute, standard_error_message
 from pymisp import MISPAttribute, MISPEvent, MISPObject
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"],
+mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url", "ip-src|port", "ip-dst|port"],
 'format': 'misp_standard'}
 # possible module-types: 'expansion', 'hover' or both
@@ -29,7 +29,8 @@ class VirusTotalParser:
 self.input_types_mapping = {'ip-src': self.parse_ip, 'ip-dst': self.parse_ip,
 'domain': self.parse_domain, 'hostname': self.parse_domain,
 'md5': self.parse_hash, 'sha1': self.parse_hash,
- 'sha256': self.parse_hash, 'url': self.parse_url}
+ 'sha256': self.parse_hash, 'url': self.parse_url,
+ 'ip-src|port': self.parse_ip_port, 'ip-dst|port': self.parse_ip_port}
 self.proxies = None
 @staticmethod
@@ -164,6 +165,9 @@ class VirusTotalParser:
 self.misp_event.add_object(**file_object)
 return file_object.uuid
+ def parse_ip_port(self, ipport: str) -> str:
+ ip = ipport.split('|')[0]
+ self.parse_ip(ip)
 def parse_ip(self, ip: str) -> str:
 ip_report = self.client.get_object(f'/ip_addresses/{ip}')
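Review bot: In the third hunk, `parse_ip_port` is annotated `-> str` but falls off the end and returns None, discarding whatever `parse_ip` returns; the last added line should read `return self.parse_ip(ip)` so the two new entries in `input_types_mapping` behave like the existing `ip-src`/`ip-dst` ones. The value originates from a MISP attribute and, after the split, is interpolated into the `/ip_addresses/{ip}` request path by `parse_ip`, so it would be worth checking the left-hand part with `ipaddress.ip_address(ip)` before the lookup and rejecting anything that does not parse. A one-line docstring such as `"""Look up the IP part of an 'ip|port' composite value; the port is ignored."""` would make the dropped port explicit. `parse_ip` continues outside the hunk, so its real return value is assumed here from its annotation.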