new: Add first seen key to captured element in MISP export

Fix #985
Lookyloo · Nov 6, 2024 · f3db8b9 · f3db8b9
1 parent 50c29f1
commit f3db8b9
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/lookyloo/modules/misp.py b/lookyloo/modules/misp.py
@@ -8,7 +8,8 @@
 from io import BytesIO
 from collections import defaultdict
 from collections.abc import Mapping
-from typing import Any, TYPE_CHECKING, Iterator
+from typing import Any, TYPE_CHECKING
+from collections.abc import Iterator
 
 import requests
 from har2tree import HostNode, URLNode, Har2TreeError
@@ -93,11 +94,13 @@ def export(self, cache: CaptureCache, is_public_instance: bool=False,
 
             initial_file = FileObject(pseudofile=pseudofile, filename=filename)
             initial_file.comment = 'This is a capture of a file, rendered in the browser'
+            initial_file.first_seen = cache.timestamp
             initial_obj = event.add_object(initial_file)
         else:
             event.info = f'Lookyloo Capture ({cache.url})'
             initial_url = URLObject(cache.url)
             initial_url.comment = 'Submitted URL'
+            initial_url.first_seen = cache.timestamp
             self.__misp_add_ips_to_URLObject(initial_url, cache.tree.root_hartree.hostname_tree)
             initial_obj = event.add_object(initial_url)
 
@@ -132,6 +135,7 @@ def export(self, cache: CaptureCache, is_public_instance: bool=False,
             fo = FileObject(pseudofile=cache.tree.root_hartree.rendered_node.body, filename=cache.tree.root_hartree.rendered_node.filename)
             fo.comment = 'Content received for the final redirect (before rendering)'
             fo.add_reference(final_redirect, 'loaded-by', 'URL loading that content')
+            fo.first_seen = cache.tree.root_hartree.rendered_node.start_time
             event.add_object(fo)
         except Har2TreeError:
             pass
@@ -143,9 +147,14 @@ def export(self, cache: CaptureCache, is_public_instance: bool=False,
     def __misp_add_ips_to_URLObject(self, obj: URLObject, hostname_tree: HostNode) -> None:
         hosts = obj.get_attributes_by_relation('host')
         if hosts:
-            hostnodes = hostname_tree.search_nodes(name=hosts[0].value)
-            if hostnodes and hasattr(hostnodes[0], 'resolved_ips'):
-                obj.add_attributes('ip', *hostnodes[0].resolved_ips)
+            if hostnodes := hostname_tree.search_nodes(name=hosts[0].value):
+                first_host = hostnodes[0]
+                obj.first_seen = first_host.urls[0].start_time
+                if hasattr(first_host, 'resolved_ips'):
+                    if 'v4' in hostnodes[0].resolved_ips:
+                        obj.add_attributes('ip', *first_host.resolved_ips['v4'])
+                    if 'v6' in hostnodes[0].resolved_ips:
+                        obj.add_attributes('ip', *first_host.resolved_ips['v6'])
 
 
 class MISP(AbstractModule):