Attribute.to_ids mis-represented? #2

Open
cudeso opened this issue Sep 16, 2024 · 3 comments

Comments

@cudeso
Contributor

cudeso commented Sep 16, 2024

When I add an attribute "194.78.89.250" to an event, the ZMQ output is

{
  "Attribute": {
    "id": "2840933",
    "event_id": "3508",
    "object_id": "0",
    "object_relation": null,
    "category": "Network activity",
    "type": "ip-dst",
    "value1": "194.78.89.250",
    "value2": "",
    "to_ids": true,
    "uuid": "7b3f2758-86ce-45d3-b7fd-b1f77ac85328",
    "timestamp": "1726511683",
    "distribution": "5",
    "sharing_group_id": "0",
    "comment": "",
    "deleted": false,
    "disable_correlation": false,
    "first_seen": null,
    "last_seen": null,
    "value": "194.78.89.250",
    "Sighting": []
  },
  "Event": {
    "id": "3508",
    "date": "2024-09-16",
    "info": "Received a new scam call",
    "uuid": "dd3ad20b-f820-401a-8376-6ab69d506ca5",
    "published": false,
    "analysis": "0",
    "threat_level_id": "4",
    "org_id": "1",
    "orgc_id": "1",
    "distribution": "1",
    "sharing_group_id": "0",
    "Orgc": {
      "id": "1",
      "uuid": "5c1eb4f8-bae5-45f5-a772-06d4a3f64c3e",
      "name": "DEMO"
    }
  },
  "action": "add"
}

In the SkillAegis Dashboard the payload is displayed as:

{
  "Attribute.type": "ip-dst",
  "Attribute.distribution": "5",
  "Attribute.sharing_group_id": "4",
  "Attribute.value": "194.78.89.250",
  "Attribute.batch_import": "0",
  "Attribute.to_ids": [
    "0",
    "1"
  ],
  "Attribute.disable_correlation": "0"
}

After this, the inject is not considered as successfully done by the player.

Could this be because of "Attribute.to_ids" having both "0" and "1" in the payload?

MISP version 2.4.194

@cudeso
Contributor Author

cudeso commented Sep 16, 2024

Same happens when adding the SHA1. The IDS field was set on submission.

{
  "Attribute.type": "sha1",
  "Attribute.distribution": "5",
  "Attribute.sharing_group_id": "4",
  "Attribute.value": "04d496d39bc9409bfdabdeb07002b97093b58f77",
  "Attribute.batch_import": "0",
  "Attribute.to_ids": [
    "0",
    "1"
  ],
  "Attribute.disable_correlation": "0"
}

@mokaddem
Contributor

Hey. It looks like it's a MISP thing rather than SkillAegis. It could be coming from the way CakePHP parses the urlencoded form when using paranoid mode.

> After this, the inject is not considered as successfully done by the player.

But that shouldn't have a big impact on the scenario since the event is fully fetched by SA.

That being said, this scenario has many issues. It will receive an update soon to be more lax and flexible.
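As an added example (not code from this issue, MISP or SkillAegis): a small Python parser showing how a checkbox sent as a hidden default plus a checked box yields the two-valued "Attribute.to_ids" list once the urlencoded form is flattened to dotted keys, and how a consumer can normalise that field to a boolean before judging whether an inject matched. The raw request body and the `Attribute[field]` naming are constructed assumptions, since the issue only shows the parsed payload.

```python
import re
from urllib.parse import parse_qs

# Constructed raw form body (assumption: the issue shows only the parsed
# dashboard payload; the field naming and the hidden-input-plus-checkbox
# pair for to_ids are assumed, the values are the ones from the issue).
SAMPLE_BODY = (
    "Attribute%5Btype%5D=ip-dst&Attribute%5Bdistribution%5D=5"
    "&Attribute%5Bsharing_group_id%5D=4&Attribute%5Bvalue%5D=194.78.89.250"
    "&Attribute%5Bbatch_import%5D=0&Attribute%5Bto_ids%5D=0"
    "&Attribute%5Bto_ids%5D=1&Attribute%5Bdisable_correlation%5D=0"
)

TRUE_VALUES = {"1", "true", "on"}


def flatten_form(body: str) -> dict:
    """Parse an urlencoded body into dotted keys, as the dashboard shows them.

    A key sent once becomes a scalar; a key sent more than once stays a list,
    which is how "Attribute.to_ids": ["0", "1"] ends up in the payload.
    """
    flat = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        # Attribute[to_ids] -> Attribute.to_ids
        dotted = re.sub(r"\[([^\]]*)\]", r".\1", key)
        flat[dotted] = values if len(values) > 1 else values[0]
    return flat


def form_bool(value) -> bool:
    """Normalise a checkbox field to a boolean.

    Browsers submit inputs in document order, so with a hidden default
    followed by the checkbox the last value is the one the user chose.
    """
    if isinstance(value, list):
        value = value[-1]
    return str(value).strip().lower() in TRUE_VALUES


def inject_matches(payload: dict, expected_value: str, expected_to_ids: bool) -> bool:
    """Compare a submitted attribute with what a scenario expects, treating
    to_ids as a boolean instead of comparing the raw ["0", "1"] list."""
    return (
        payload.get("Attribute.value") == expected_value
        and form_bool(payload.get("Attribute.to_ids", "0")) == expected_to_ids
    )
```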
