MISP server doesn't add ip related object's attributes to an event. #1317

Open
vvozzy opened this issue Jan 24, 2024 · 1 comment
Labels
T: support Type: support. This issue is seeking support on a problem or question

vvozzy commented Jan 24, 2024

I created my custom object template and placed it into both the MISP server directory and the PyMISP directory.

```json
{
  "attributes": {
    "fqdn": {
      "description": "Fully Qualified Domain Name",
      "misp-attribute": "domain",
      "ui-priority": 2
    },
    "tenant": {
      "description": "Name of an endpoint's owner",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "endpoint": {
      "description": "IP address of an endpoint",
      "misp-attribute": "ip-dst",
      "ui-priority": 1
    },
    "time": {
      "description": "Exact time of an alert",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    }
  },
  "description": "Alert metadata",
  "meta-category": "reputation",
  "name": "alert",
  "required": [
    "fqdn",
    "tenant",
    "endpoint",
    "time"
  ],
  "uuid": "e2fbbb13-0723-4b6d-a4f1-00b13689078c",
  "version": 1
}
```

Then, locally, I created the object, added it to a previously created event, and added the event to the MISP server.

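```python
from pymisp import PyMISP, MISPEvent, MISPObject

# Third positional argument is ssl; False turns off TLS certificate verification.
misp = PyMISP(misp_url, misp_key, False)

event = MISPEvent()
event.set_date(i_dict['time'])
event.info = f"DNS reputation: {i_dict['fqdn']}"

# Build the object and attach one attribute per template relation.
obj = MISPObject('myobj')
obj.add_attribute('fqdn', i_dict['fqdn'], type='domain')
obj.add_attribute('tenant', i_dict['tenant'], type='text')
obj.add_attribute('endpoint', i_dict['endpoint'], type='ip-dst')
obj.add_attribute('time', i_dict['time'], type='text')

event.add_object(obj, pythonify=True)

# Push the event, with its object, to the MISP server.
misp_event = misp.add_event(event, pythonify=True)
```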

On the MISP server side, all of the object's attributes are added to the created event EXCEPT the 'endpoint' with 'ip-dst' type of misp-attribute. I've already tried to change its type to 'text' (which worked) and 'ip-dst|port' (which didn't work).

I also tried to create an object with the default 'domain-ip' template. I added 'ip-dst' attribute to the object. Still, when I added the object to the event and added the event to MISP server there was no 'ip-dst' attribute shown on MISP server.

What could be the problem?

@adulau adulau transferred this issue from MISP/misp-objects Feb 11, 2025
Rafiot (Member) commented Feb 11, 2025

You say that the domain-ip template is not working either, right? That's very odd, and it makes me think that MISP rejects the IP because it's not validating.

If you take the IP and try to add it manually on MISP as a standalone attribute of format ip-dst, does it work?

@Rafiot Rafiot added the T: support Type: support. This issue is seeking support on a problem or question label Feb 11, 2025
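
A local pre-flight check in the spirit of the validation hypothesis in the reply above, added here as an example and not code from the thread or from PyMISP. It assumes Python's `ipaddress` module is a fair approximation of what an `ip-dst` value must look like (MISP's server-side validation is authoritative); the function names and sample values are constructed.

```python
import ipaddress

# MISP attribute types that carry an IP; the "|port" variants are composite.
IP_TYPES = {"ip-src", "ip-dst"}
IP_PORT_TYPES = {"ip-src|port", "ip-dst|port"}

# Constructed sample (relation, value, type); not data from the issue.
SAMPLE = [
    ("fqdn", "host.example.test", "domain"),
    ("endpoint", "192.0.2.10\n", "ip-dst"),
]


def check_ip_value(value, attr_type):
    """List reasons `value` is unlikely to validate as `attr_type`.

    Local approximation using the ipaddress module, not MISP's own validator.
    """
    if attr_type not in IP_TYPES | IP_PORT_TYPES:
        return []  # not an IP type, nothing to check here
    if not isinstance(value, str):
        return [f"value is {type(value).__name__}, expected str"]
    problems = []
    if value != value.strip():
        problems.append(f"surrounding whitespace: {value!r}")
        value = value.strip()
    if attr_type in IP_PORT_TYPES:
        ip, sep, port = value.rpartition("|")
        if not sep:
            return problems + ["composite type needs 'ip|port'"]
        if not (port.isascii() and port.isdigit() and int(port) <= 65535):
            problems.append(f"bad port: {port!r}")
        value = ip
    try:
        # strict=False also accepts CIDR ranges such as 198.51.100.0/24
        ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        problems.append(f"not an IP address or CIDR range: {exc}")
    return problems


def preflight(attributes):
    """Map each relation to its problems; clean attributes are omitted."""
    report = {}
    for relation, value, attr_type in attributes:
        problems = check_ip_value(value, attr_type)
        if problems:
            report[relation] = problems
    return report
```

Running `preflight` over the `(relation, value, type)` tuples just before `obj.add_attribute(...)` shows the `repr` of any suspect value, which exposes trailing newlines or an `ip:port` string that a `text` attribute would accept silently.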