pymisp 2.5.8__py3-none-any.whl → 2.5.9__py3-none-any.whl

pymisp/data/misp-objects/objects/github-repo/definition.json

@@ -0,0 +1,142 @@
+{
+  "attributes": {
+    "archived": {
+      "description": "Is the repository archived?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "created-at": {
+      "description": "Date of the repository creation",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "Repository description",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "disabled": {
+      "description": "Is the repository disabled?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "fork": {
+      "description": "Is the repository a forked repository?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "forks-count": {
+      "description": "Number of forks",
+      "misp-attribute": "counter",
+      "ui-priority": 1
+    },
+    "full-name": {
+      "description": "Full name of the repository. [Username/Repository name]",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "has-downloads": {
+      "description": "Have the repository been downloaded?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "has-wiki": {
+      "description": "Does the repository have a wiki?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "id": {
+      "description": "Repository id",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "languages": {
+      "description": "Languages used in the repository",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "link": {
+      "description": "Link to the GitHub repository.",
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "name": {
+      "description": "name of the repository. [Repository name]",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "open-issues": {
+      "description": "Number of open issues",
+      "misp-attribute": "counter",
+      "ui-priority": 1
+    },
+    "private": {
+      "description": "Is the repository private?",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "pushed-at": {
+      "description": "Date of last push",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "topics": {
+      "description": "Topics linked to the repository",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "updated-at": {
+      "description": "Date of the last update",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "username": {
+      "description": "Owner of the repository. [Username]",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "GitHub repository",
+  "meta-category": "misc",
+  "name": "github-repo",
+  "requiredOneOf": [
+    "name",
+    "full-name",
+    "link"
+  ],
+  "uuid": "d2e93321-3d0c-4215-88a7-62ccb56fef89",
+  "version": 2
+}

pymisp/mispevent.py

@@ -1120,6 +1120,10 @@ class MISPObject(AnalystDataBehaviorMixin):
         Helper for object_relation when multiple is True in the template.
         It is the same as calling multiple times add_attribute with the same object_relation.
         '''
+        if not attributes:
+            logger.warning(f"No attributes provided for object relation '{object_relation}'; skipping attribute addition.")
+            return []
+
         to_return = []
         for attribute in attributes:
             if isinstance(attribute, MISPAttribute):

pymisp/tools/emailobject.py

@@ -373,37 +373,95 @@ class EMailObject(AbstractMISPObjectGenerator):
                 # email object doesn't support display name for all email addrs
                 pass
 
+    def extract_matches(self, pattern: re.Pattern[str], text: str) -> list[tuple[str, ...]]:
+        """Returns all regex matches for a given pattern in a text."""
+        return re.findall(pattern, text)
+
+    def add_ip_attribute(self, ip_candidate: str, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Validates and adds an IP address to MISP if it's public and not already seen during extraction."""
+        try:
+            ip = ipaddress.ip_address(ip_candidate)
+            if not ip.is_private and ("received-header-ip", ip_candidate) not in seen_attributes:
+                self.add_attribute("received-header-ip", ip_candidate, comment=received)
+                seen_attributes.add(("received-header-ip", ip_candidate))
+        except ValueError:
+            pass  # Invalid IPs are ignored
+
+    def add_hostname_attribute(self, hostname: str, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Validates and adds a hostname to MISP if it contains a valid TLD-like format and is not already seen."""
+        if "." in hostname and not hostname.endswith(".") and len(hostname.split(".")[-1]) > 1:
+            if ("received-header-hostname", hostname) not in seen_attributes:
+                self.add_attribute("received-header-hostname", hostname, comment=received)
+                seen_attributes.add(("received-header-hostname", hostname))
+
+    def process_received_header(self, received: str, seen_attributes: set[tuple[str, str]]) -> None:
+        """Processes a single 'Received' header and extracts hostnames and IPs."""
+
+        # Regex patterns
+        received_from_regex = re.compile(
+            r'from\s+([\w.-]+)'  # Declared sending hostname
+            r'(?:\s+\(([^)]+)\))?'  # Reverse DNS hostname inside parentheses
+        )
+        ipv4_regex = re.compile(
+            r'\[(?P<ipv4_brackets>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\]'  # IPv4 inside []
+            r'|\((?P<ipv4_parentheses>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\)'  # IPv4 inside ()
+            r'|(?<=\.\s)(?P<ipv4_after_domain>(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.'
+            r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b'  # IPv4 appearing after a domain.
+        )
+        ipv6_regex = re.compile(
+            r'\b(?:[a-fA-F0-9]{1,4}:[a-fA-F0-9]{1,4}(?::[a-fA-F0-9]{1,4}){0,6})\b'
+        )
+
+        # Extract hostnames
+        matches = self.extract_matches(received_from_regex, received)
+        for match in matches:
+            declared_sending_host = match[0].strip() if match[0] else None
+            reverse_dns_host = match[1].split()[0].strip("[]()").rstrip('.') if match[1] else None
+
+            if declared_sending_host:
+                clean_host = declared_sending_host.strip("[]()")
+                try:
+                    ipaddress.ip_address(declared_sending_host)
+                    self.add_ip_attribute(declared_sending_host, received, seen_attributes)
+                except ValueError:
+                    self.add_hostname_attribute(declared_sending_host, received, seen_attributes)
+
+            if reverse_dns_host:
+                try:
+                    ipaddress.ip_address(reverse_dns_host)
+                    self.add_ip_attribute(reverse_dns_host, received, seen_attributes)
+                except ValueError:
+                    self.add_hostname_attribute(reverse_dns_host, received, seen_attributes)
+
+        # Extract and add **only valid** IPv4 addresses
+        for ipv4_match in self.extract_matches(ipv4_regex, received):
+            ip_candidate = ipv4_match[0] or ipv4_match[1] or ipv4_match[2]  # Select first non-empty match
+            if ip_candidate:
+                self.add_ip_attribute(ip_candidate, received, seen_attributes)
+
+        # Extract and add IPv6 addresses
+        for ipv6_match in self.extract_matches(ipv6_regex, received):
+            self.add_ip_attribute(ipv6_match, received, seen_attributes)
+
     def __generate_received(self) -> None:
         """
-        Extract IP addresses from received headers that are not private. Also extract hostnames or domains.
+        Extracts public IP addresses and hostnames from "Received" email headers.
         """
-        received_items = self.email.get_all("received")
-        if received_items is None:
-            return
-        for received in received_items:
-            fromstr = re.split(r"\sby\s", received)[0].strip()
-            if fromstr.startswith('from') is not True:
-                continue
-            for i in ['(', ')', '[', ']']:
-                fromstr = fromstr.replace(i, " ")
-            tokens = fromstr.split(" ")
-            ip = None
-            for token in tokens:
-                try:
-                    ip = ipaddress.ip_address(token)
-                    break
-                except ValueError:
-                    pass  # token is not IP address
 
-            if not ip or ip.is_private:
-                continue  # skip header if IP not found or is private
+        received_items = self.email.get_all("Received")
+        if not received_items:
+            return
 
-            self.add_attribute("received-header-ip", value=str(ip), comment=fromstr)
+        # Track added attributes to prevent duplicates (store as (type, value) tuples)
+        seen_attributes: set[tuple[str, str]] = set()
 
-        # The hostnames and/or domains always come after the "Received: from"
-        # part so we can use regex to pick up those attributes.
-        received_from = re.findall(r'(?<=from\s)[\w\d\.\-]+\.\w{2,24}', str(received_items))
-        try:
-            [self.add_attribute("received-header-hostname", i) for i in received_from]
-        except Exception:
-            pass
+        for received in received_items:
+            self.process_received_header(received, seen_attributes)

{pymisp-2.5.8.dist-info → pymisp-2.5.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: pymisp
-Version: 2.5.8
+Version: 2.5.9
 Summary: Python API for MISP.
 License: BSD-2-Clause
 Author: Raphaël Vinot
@@ -32,7 +32,7 @@ Requires-Dist: RTFDE (>=0.1.2) ; (python_version <= "3.9") and (extra == "email"
 Requires-Dist: beautifulsoup4 (>=4.13.3) ; extra == "openioc"
 Requires-Dist: deprecated (>=1.2.18)
 Requires-Dist: docutils (>=0.21.2) ; (python_version >= "3.11") and (extra == "docs")
-Requires-Dist: extract_msg (>=0.53.2) ; extra == "email"
+Requires-Dist: extract_msg (>=0.54.0) ; extra == "email"
 Requires-Dist: lief (>=0.16.4) ; extra == "fileobjects"
 Requires-Dist: myst-parser (>=4.0.1) ; (python_version >= "3.11") and (extra == "docs")
 Requires-Dist: oletools (>=0.60.2) ; extra == "email"

{pymisp-2.5.8.dist-info → pymisp-2.5.9.dist-info}/RECORD

@@ -152,6 +152,7 @@ pymisp/data/misp-objects/objects/game-cheat/definition.json,sha256=4xqSM9PzOzuWZ
 pymisp/data/misp-objects/objects/generalizing-persuasion-framework/definition.json,sha256=6EFw1OW2Qzbp1tip2PgwYhjvqh2koo5Rl75h1TzNE-s,5590
 pymisp/data/misp-objects/objects/geolocation/definition.json,sha256=mvbU1_yi-9m69SJQWn7fh5k1MLUFIagPU2Mfp4GpjP8,3308
 pymisp/data/misp-objects/objects/git-vuln-finder/definition.json,sha256=_b_Ux9biIpYXK0gmCzGxmp0AHi1dGEaW3H_MiftHx3s,3644
+pymisp/data/misp-objects/objects/github-repo/definition.json,sha256=zmGO6g5fRlvp419DKXo3HYQc3-i6_VqCGyIxnb4i4II,3483
 pymisp/data/misp-objects/objects/github-user/definition.json,sha256=CdHNDa0oLpPB25h5S-7ybEb9MSx92KbqAT7DmNckeNM,3463
 pymisp/data/misp-objects/objects/gitlab-user/definition.json,sha256=xCqY6NAG1DhtyHDCGVik6yXCGhPie4AfnXAvCk9z6qg,1188
 pymisp/data/misp-objects/objects/google-safe-browsing/definition.json,sha256=Bxo1eu_EbY8Q1mMv0y0lDv9Rn0xDwmPtesuZ8jtk4Xc,739
@@ -366,7 +367,7 @@ pymisp/data/misp-objects/schema_relationships.json,sha256=MCusp9GAyuHTo3lLyBrsvl
 pymisp/data/schema-lax.json,sha256=2QICdCbtfXRJkTVjwb7xjF3ypys2wOtrUyE1ZDz_qes,8561
 pymisp/data/schema.json,sha256=79N2hObemthb_syUHksDqM4djFttsWZQDg1sTYZYxys,9178
 pymisp/exceptions.py,sha256=IgGGadv5lnLAvO7Q6AjF0vEbjoWwwDWLYwMn-8pkU_k,1965
-pymisp/mispevent.py,sha256=OkU-PyoKIVQ9cUyUmxD3hPnCsOW5Tn7EJcGLm81LYJQ,121354
+pymisp/mispevent.py,sha256=G6TLW-laRQRAJPb47EwZEb7ehYBn0rH4VF9oRUfDPMo,121528
 pymisp/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pymisp/tools/__init__.py,sha256=_KCihYo82e8G5cHV321ak2sgbao2GyFjf4sSTMiN_IM,2233
 pymisp/tools/_psl_faup.py,sha256=JyK8RQm8DPWvNuoF4rQpiE0rBm-Az-sr38Kl46dmWcs,7034
@@ -376,7 +377,7 @@ pymisp/tools/create_misp_object.py,sha256=PP78t4Gc7jiZtjt3MGC-0NuH976vSadSmhbaSk
 pymisp/tools/csvloader.py,sha256=d-Ox4KEehuXi9YxPE3hhf62etaj7D0pUHr5Qy4rPoqo,2588
 pymisp/tools/domainipobject.py,sha256=2w1ckOWPZvp9EW6TOAguT1Kwov72K1jJuJLqgU1whoo,847
 pymisp/tools/elfobject.py,sha256=thylyAVcAdF31II8ykVzG75Fe4Fgokc9qR90g1ybI8s,4966
-pymisp/tools/emailobject.py,sha256=R9y6SzXDanPSD4g5d0NB5rvrW7rnOzu6E-o8O961XsI,19143
+pymisp/tools/emailobject.py,sha256=sPgVAvQFyRiONMiXYDJNibSSMWsjX1df9J3EDZ5LDEE,22680
 pymisp/tools/ext_lookups.py,sha256=acRbOVQftw7XpbjDZDrrdYzDmLDU4HmhoW48Og3UfaY,1022
 pymisp/tools/fail2banobject.py,sha256=VWxK8qWVL0AqO_YZSKmsOcaEnG_5j0jOok7OfEXWfMQ,740
 pymisp/tools/feed.py,sha256=eRG1D4fnG-2hZTFFy7SYUhGVozaAMVSiJXwxHoLP5Gg,700
@@ -397,7 +398,7 @@ pymisp/tools/update_objects.py,sha256=sp_XshzgtRjAU0Mqg8FgRTaokjVKLImyQ02xIcPSrH
 pymisp/tools/urlobject.py,sha256=PIucy1356zaljUm1NbeKmEpHpAUK9yiK2lAugcMp2t8,2489
 pymisp/tools/vehicleobject.py,sha256=bs7f4d47IBi2-VumssSM3HlqkH0viyHTLmIHQxe8Iz8,3687
 pymisp/tools/vtreportobject.py,sha256=NsdYzgqm47dywYeW8UnWmEDeIsf07xZreD2iJzFm2wg,3217
-pymisp-2.5.8.dist-info/LICENSE,sha256=1oPSVvs96qLjbJVi3mPn0yvWs-6aoIF6BNXi6pVlFmY,1615
-pymisp-2.5.8.dist-info/METADATA,sha256=B9sJiYfBYOAjRC0_JnQJRN788bXUNqQymcD80bWhSTQ,8881
-pymisp-2.5.8.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
-pymisp-2.5.8.dist-info/RECORD,,
+pymisp-2.5.9.dist-info/LICENSE,sha256=1oPSVvs96qLjbJVi3mPn0yvWs-6aoIF6BNXi6pVlFmY,1615
+pymisp-2.5.9.dist-info/METADATA,sha256=YNrgux5KH0_ShGiW-FinobWdFpRqPeCEqonvdY2U2oQ,8881
+pymisp-2.5.9.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
+pymisp-2.5.9.dist-info/RECORD,,