Merge pull request #2053 from vdebergue/fix/2050

Fix #2050: add max-attributes to misp filters
TheHive-Project · Jun 3, 2021 · 6a7a20d · 6a7a20d
2 parents a4c64d7 + 39b5374
commit 6a7a20d
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala b/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
@@ -27,6 +27,7 @@ class MispClient(
     val baseUrl: String,
     auth: Authentication,
     ws: WSClient,
+    maxAttributes: Option[Int],
     maxAge: Option[Duration],
     excludedOrganisations: Seq[String],
     whitelistOrganisations: Seq[String],
@@ -55,6 +56,7 @@ class MispClient(
                  |  url:              $baseUrl
                  |  proxy:            ${configuredProxy.getOrElse("<not set>")}
                  |  filters:
+                 |    max attributes: ${maxAttributes.getOrElse("<not set>")}
                  |    max age:        ${maxAge.fold("<not set>")(_.toCoarsest.toString)}
                  |    excluded orgs:  ${excludedOrganisations.mkString}
                  |    excluded tags:  ${excludedTags.mkString}
@@ -183,6 +185,7 @@ class MispClient(
         val maybeEvent = Try(Json.parse(data.toArray[Byte]).as[Event])
         maybeEvent.fold(error => { logger.warn(s"Event has invalid format: ${data.decodeString("UTF-8")}", error); Nil }, List(_))
       }
+      .filter(event => maxAttributes.fold(true)(max => event.attributes.length < max))
       .mapMaterializedValue(_ => NotUsed)
   }
 

diff --git a/.../connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala b/.../connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala
@@ -21,6 +21,7 @@ case class TheHiveMispClientConfig(
     url: String,
     auth: Authentication,
     wsConfig: ProxyWSConfig = ProxyWSConfig(AhcWSClientConfig(), None),
+    maxAttributes: Option[Int],
     maxAge: Option[Duration],
     excludedOrganisations: Seq[String] = Nil,
     whitelistOrganisations: Seq[String] = Nil,
@@ -37,12 +38,14 @@ case class TheHiveMispClientConfig(
 
 object TheHiveMispClientConfig {
   implicit val purposeFormat: Format[MispPurpose.Value] = Json.formatEnum(MispPurpose)
+
   val reads: Reads[TheHiveMispClientConfig] = {
     for {
       name                         <- (JsPath \ "name").read[String]
       url                          <- (JsPath \ "url").read[String]
       auth                         <- (JsPath \ "auth").read[Authentication]
       wsConfig                     <- (JsPath \ "wsConfig").readWithDefault[ProxyWSConfig](ProxyWSConfig(AhcWSClientConfig(), None))
+      maxAttributes                <- (JsPath \ "max-attributes").readNullable[Int]
       maxAge                       <- (JsPath \ "maxAge").readNullable[Duration]
       excludedOrganisations        <- (JsPath \ "exclusion" \ "organisations").readWithDefault[Seq[String]](Nil)
       whitelistOrganisations       <- (JsPath \ "whitelist" \ "organisations").readWithDefault[Seq[String]](Nil)
@@ -60,6 +63,7 @@ object TheHiveMispClientConfig {
       url,
       auth,
       wsConfig,
+      maxAttributes,
       maxAge,
       excludedOrganisations,
       whitelistOrganisations,
@@ -80,6 +84,7 @@ object TheHiveMispClientConfig {
       "url"                          -> cfg.url,
       "auth"                         -> cfg.auth,
       "wsConfig"                     -> cfg.wsConfig,
+      "maxAttributes"                -> cfg.maxAttributes,
       "maxAge"                       -> cfg.maxAge,
       "exclusion"                    -> Json.obj("organisations" -> cfg.excludedOrganisations, "tags" -> cfg.excludedTags),
       "whitelistTags"                -> Json.obj("whitelist" -> cfg.whitelistTags),
@@ -99,6 +104,7 @@ class TheHiveMispClient(
     baseUrl: String,
     auth: Authentication,
     ws: WSClient,
+    maxAttributes: Option[Int],
     maxAge: Option[Duration],
     excludedOrganisations: Seq[String],
     whitelistOrganisations: Seq[String],
@@ -116,6 +122,7 @@ class TheHiveMispClient(
       baseUrl,
       auth,
       ws,
+      maxAttributes,
       maxAge,
       excludedOrganisations,
       whitelistOrganisations,
@@ -129,6 +136,7 @@ class TheHiveMispClient(
       config.url,
       config.auth,
       new ProxyWS(config.wsConfig, mat),
+      config.maxAttributes,
       config.maxAge,
       config.excludedOrganisations,
       config.whitelistOrganisations,

diff --git a/...ector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala b/...ector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala
@@ -57,6 +57,7 @@ class TestMispClientProvider @Inject() (Action: DefaultActionBuilder, implicit v
       baseUrl = baseUrl,
       auth = NoAuthentication,
       ws = ws,
+      maxAttributes = None,
       maxAge = None,
       excludedOrganisations = Nil,
       whitelistOrganisations = Nil,