pymisp 2.5.8.1__py3-none-any.whl → 2.5.10__py3-none-any.whl

pymisp/data/misp-objects/objects/network-connection/definition.json

@@ -96,6 +96,7 @@
       "description": "Layer 7 protocol of the network connection.",
       "disable_correlation": true,
       "misp-attribute": "text",
+      "multiple": true,
       "sane_default": [
         "HTTP",
         "HTTPS",

pymisp/mispevent.py

@@ -1120,6 +1120,10 @@ class MISPObject(AnalystDataBehaviorMixin):
         Helper for object_relation when multiple is True in the template.
         It is the same as calling multiple times add_attribute with the same object_relation.
         '''
+        if not attributes:
+            logger.info(f"No attributes provided for object relation '{object_relation}'; skipping attribute addition.")
+            return []
+
         to_return = []
         for attribute in attributes:
             if isinstance(attribute, MISPAttribute):

pymisp/tools/emailobject.py

@@ -373,37 +373,95 @@ class EMailObject(AbstractMISPObjectGenerator):
                 # email object doesn't support display name for all email addrs
                 pass
 
+    def extract_matches(self, pattern: re.Pattern[str], text: str) -> list[tuple[str, ...]]:
+        """Returns all regex matches for a given pattern in a text."""
+        return re.findall(pattern, text)
+
+    def add_ip_attribute(self, ip_candidate: str, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Validates and adds an IP address to MISP if it's public and not already seen during extraction."""
+        try:
+            ip = ipaddress.ip_address(ip_candidate)
+            if not ip.is_private and ("received-header-ip", ip_candidate) not in seen_attributes:
+                self.add_attribute("received-header-ip", ip_candidate, comment=received)
+                seen_attributes.add(("received-header-ip", ip_candidate))
+        except ValueError:
+            pass  # Invalid IPs are ignored
+
+    def add_hostname_attribute(self, hostname: str, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Validates and adds a hostname to MISP if it contains a valid TLD-like format and is not already seen."""
+        if "." in hostname and not hostname.endswith(".") and len(hostname.split(".")[-1]) > 1:
+            if ("received-header-hostname", hostname) not in seen_attributes:
+                self.add_attribute("received-header-hostname", hostname, comment=received)
+                seen_attributes.add(("received-header-hostname", hostname))
+
+    def process_received_header(self, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Processes a single 'Received' header and extracts hostnames and IPs."""
+
+        # Regex patterns
+        received_from_regex = re.compile(
+            r'from\s+([\w.-]+)'  # Declared sending hostname
+            r'(?:\s+\(([^)]+)\))?'  # Reverse DNS hostname inside parentheses
+        )
+        ipv4_regex = re.compile(
+            r'\[(?P<ipv4_brackets>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\]'  # IPv4 inside []
+            r'|\((?P<ipv4_parentheses>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\)'  # IPv4 inside ()
+            r'|(?<=\.\s)(?P<ipv4_after_domain>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b'  # IPv4 appearing after a domain.
+        )
+        ipv6_regex = re.compile(
+            r'\b(?:[a-fA-F0-9]{1,4}:[a-fA-F0-9]{1,4}(?::[a-fA-F0-9]{1,4}){0,6})\b'
+        )
+
+        # Extract hostnames
+        matches = self.extract_matches(received_from_regex, received)
+        for match in matches:
+            declared_sending_host = match[0].strip() if match[0] else None
+            reverse_dns_host = match[1].split()[0].strip("[]()").rstrip('.') if match[1] else None
+
+            if declared_sending_host:
+                clean_host = declared_sending_host.strip("[]()")
+                try:
+                    ipaddress.ip_address(declared_sending_host)
+                    self.add_ip_attribute(declared_sending_host, received, seen_attributes)
+                except ValueError:
+                    self.add_hostname_attribute(declared_sending_host, received, seen_attributes)
+
+            if reverse_dns_host:
+                try:
+                    ipaddress.ip_address(reverse_dns_host)
+                    self.add_ip_attribute(reverse_dns_host, received, seen_attributes)
+                except ValueError:
+                    self.add_hostname_attribute(reverse_dns_host, received, seen_attributes)
+
+        # Extract and add **only valid** IPv4 addresses
+        for ipv4_match in self.extract_matches(ipv4_regex, received):
+            ip_candidate = ipv4_match[0] or ipv4_match[1] or ipv4_match[2]  # Select first non-empty match
+            if ip_candidate:
+                self.add_ip_attribute(ip_candidate, received, seen_attributes)
+
+        # Extract and add IPv6 addresses
+        for ipv6_match in self.extract_matches(ipv6_regex, received):
+            self.add_ip_attribute(ipv6_match, received, seen_attributes)
+
     def __generate_received(self) -> None:
         """
-        Extract IP addresses from received headers that are not private. Also extract hostnames or domains.
+        Extracts public IP addresses and hostnames from "Received" email headers.
         """
-        received_items = self.email.get_all("received")
-        if received_items is None:
-            return
-        for received in received_items:
-            fromstr = re.split(r"\sby\s", received)[0].strip()
-            if fromstr.startswith('from') is not True:
-                continue
-            for i in ['(', ')', '[', ']']:
-                fromstr = fromstr.replace(i, " ")
-            tokens = fromstr.split(" ")
-            ip = None
-            for token in tokens:
-                try:
-                    ip = ipaddress.ip_address(token)
-                    break
-                except ValueError:
-                    pass  # token is not IP address
 
-            if not ip or ip.is_private:
-                continue  # skip header if IP not found or is private
+        received_items = self.email.get_all("Received")
+        if not received_items:
+            return
 
-            self.add_attribute("received-header-ip", value=str(ip), comment=fromstr)
+        # Track added attributes to prevent duplicates (store as (type, value) tuples)
+        seen_attributes: set[tuple[str, str]] = set()
 
-        # The hostnames and/or domains always come after the "Received: from"
-        # part so we can use regex to pick up those attributes.
-        received_from = re.findall(r'(?<=from\s)[\w\d\.\-]+\.\w{2,24}', str(received_items))
-        try:
-            [self.add_attribute("received-header-hostname", i) for i in received_from]
-        except Exception:
-            pass
+        for received in received_items:
+            self.process_received_header(received, seen_attributes)

{pymisp-2.5.8.1.dist-info → pymisp-2.5.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: pymisp
-Version: 2.5.8.1
+Version: 2.5.10
 Summary: Python API for MISP.
 License: BSD-2-Clause
 Author: Raphaël Vinot
@@ -32,7 +32,7 @@ Requires-Dist: RTFDE (>=0.1.2) ; (python_version <= "3.9") and (extra == "email"
 Requires-Dist: beautifulsoup4 (>=4.13.3) ; extra == "openioc"
 Requires-Dist: deprecated (>=1.2.18)
 Requires-Dist: docutils (>=0.21.2) ; (python_version >= "3.11") and (extra == "docs")
-Requires-Dist: extract_msg (>=0.53.2) ; extra == "email"
+Requires-Dist: extract_msg (>=0.54.0) ; extra == "email"
 Requires-Dist: lief (>=0.16.4) ; extra == "fileobjects"
 Requires-Dist: myst-parser (>=4.0.1) ; (python_version >= "3.11") and (extra == "docs")
 Requires-Dist: oletools (>=0.60.2) ; extra == "email"

{pymisp-2.5.8.1.dist-info → pymisp-2.5.10.dist-info}/RECORD

@@ -206,7 +206,7 @@ pymisp/data/misp-objects/objects/monetary-impact/definition.json,sha256=s44CoduM
 pymisp/data/misp-objects/objects/mutex/definition.json,sha256=zqun14zDa2seXkX5BGtlL_0dkT7LqTTEDagh-1lXKVs,744
 pymisp/data/misp-objects/objects/narrative/definition.json,sha256=VXEm_lcQgR7uFtMalrdbI73-ivv6HJHQVx6lPU0FYzA,2200
 pymisp/data/misp-objects/objects/netflow/definition.json,sha256=pQ_meRpiPEchaTBNTBUyUT5zPmL7QNIQgLGKdd_KTqE,4103
-pymisp/data/misp-objects/objects/network-connection/definition.json,sha256=seFEI1Npj5EHXt3RPP2TrZ_oq3YKDQDe0YGsZQO37LE,4224
+pymisp/data/misp-objects/objects/network-connection/definition.json,sha256=6rGG8ZhW3YxgGAV_l91GFpZXk4QpyJ7iuedH5FU38HE,4248
 pymisp/data/misp-objects/objects/network-profile/definition.json,sha256=urPC6ysgZ5kaiB2L2ilL19iGmR2GNUzjO4pcUngQl5E,6175
 pymisp/data/misp-objects/objects/network-socket/definition.json,sha256=qEE1yvRnrpylHut3jFDJnPWWfsz61ZJO0-Lp40WOSjM,6571
 pymisp/data/misp-objects/objects/network-traffic/definition.json,sha256=jZSGhItwP-1Vxm7fv_IqbijXqnAvPFFKhjxolaDXudE,3144
@@ -367,7 +367,7 @@ pymisp/data/misp-objects/schema_relationships.json,sha256=MCusp9GAyuHTo3lLyBrsvl
 pymisp/data/schema-lax.json,sha256=2QICdCbtfXRJkTVjwb7xjF3ypys2wOtrUyE1ZDz_qes,8561
 pymisp/data/schema.json,sha256=79N2hObemthb_syUHksDqM4djFttsWZQDg1sTYZYxys,9178
 pymisp/exceptions.py,sha256=IgGGadv5lnLAvO7Q6AjF0vEbjoWwwDWLYwMn-8pkU_k,1965
-pymisp/mispevent.py,sha256=OkU-PyoKIVQ9cUyUmxD3hPnCsOW5Tn7EJcGLm81LYJQ,121354
+pymisp/mispevent.py,sha256=mgIiXFj-RKJud2TBpqL8AefQOcYM2zxJsOqOmSDovPI,121525
 pymisp/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pymisp/tools/__init__.py,sha256=_KCihYo82e8G5cHV321ak2sgbao2GyFjf4sSTMiN_IM,2233
 pymisp/tools/_psl_faup.py,sha256=JyK8RQm8DPWvNuoF4rQpiE0rBm-Az-sr38Kl46dmWcs,7034
@@ -377,7 +377,7 @@ pymisp/tools/create_misp_object.py,sha256=PP78t4Gc7jiZtjt3MGC-0NuH976vSadSmhbaSk
 pymisp/tools/csvloader.py,sha256=d-Ox4KEehuXi9YxPE3hhf62etaj7D0pUHr5Qy4rPoqo,2588
 pymisp/tools/domainipobject.py,sha256=2w1ckOWPZvp9EW6TOAguT1Kwov72K1jJuJLqgU1whoo,847
 pymisp/tools/elfobject.py,sha256=thylyAVcAdF31II8ykVzG75Fe4Fgokc9qR90g1ybI8s,4966
-pymisp/tools/emailobject.py,sha256=R9y6SzXDanPSD4g5d0NB5rvrW7rnOzu6E-o8O961XsI,19143
+pymisp/tools/emailobject.py,sha256=sPgVAvQFyRiONMiXYDJNibSSMWsjX1df9J3EDZ5LDEE,22680
 pymisp/tools/ext_lookups.py,sha256=acRbOVQftw7XpbjDZDrrdYzDmLDU4HmhoW48Og3UfaY,1022
 pymisp/tools/fail2banobject.py,sha256=VWxK8qWVL0AqO_YZSKmsOcaEnG_5j0jOok7OfEXWfMQ,740
 pymisp/tools/feed.py,sha256=eRG1D4fnG-2hZTFFy7SYUhGVozaAMVSiJXwxHoLP5Gg,700
@@ -398,7 +398,7 @@ pymisp/tools/update_objects.py,sha256=sp_XshzgtRjAU0Mqg8FgRTaokjVKLImyQ02xIcPSrH
 pymisp/tools/urlobject.py,sha256=PIucy1356zaljUm1NbeKmEpHpAUK9yiK2lAugcMp2t8,2489
 pymisp/tools/vehicleobject.py,sha256=bs7f4d47IBi2-VumssSM3HlqkH0viyHTLmIHQxe8Iz8,3687
 pymisp/tools/vtreportobject.py,sha256=NsdYzgqm47dywYeW8UnWmEDeIsf07xZreD2iJzFm2wg,3217
-pymisp-2.5.8.1.dist-info/LICENSE,sha256=1oPSVvs96qLjbJVi3mPn0yvWs-6aoIF6BNXi6pVlFmY,1615
-pymisp-2.5.8.1.dist-info/METADATA,sha256=yILojnXoJl-KvWP7U9zLGkw2yC3438Z4x0qkmPPOAkI,8883
-pymisp-2.5.8.1.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
-pymisp-2.5.8.1.dist-info/RECORD,,
+pymisp-2.5.10.dist-info/LICENSE,sha256=1oPSVvs96qLjbJVi3mPn0yvWs-6aoIF6BNXi6pVlFmY,1615
+pymisp-2.5.10.dist-info/METADATA,sha256=aakG8Az0H27y7lEAPrqMrPEden9Gr1y8K5DJ_S5huwY,8882
+pymisp-2.5.10.dist-info/WHEEL,sha256=fGIA9gx4Qxk2KDKeNJCbOEwSrmLtjWCwzBz351GyrPQ,88
+pymisp-2.5.10.dist-info/RECORD,,

{pymisp-2.5.8.1.dist-info → pymisp-2.5.10.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 2.1.1
+Generator: poetry-core 2.1.2
 Root-Is-Purelib: true
 Tag: py3-none-any