swimlane / pyattck

A Python package to interact with the Mitre ATT&CK Framework


ValueError: too many values to unpack (expected 2)

juancar1979 opened this issue · comments

Describe the bug
The problem is with the Industroyer malware. It seems that the data_source used to get the info from it is not well formed. When doing a split it gives more than two values (two are expected).
attack-datasources/network_traffic.yml at main - mitre-attack/attack-datasources

It has happened since the last pyattck update.

[Screenshots attached to the issue: bug1, bug0_1, bug0_2]

To Reproduce
Steps to reproduce the behavior:

"for technique in malware.techniques:" with malware "Industroyer"


Expected behavior
NA

Screenshots
Added in explanation

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: NA
  • Version: NA


@juancar1979 I am unable to reproduce this - can you provide the code you used to reproduce this?

I tried

from pyattck import Attck

attack = Attck()

for malware in attack.enterprise.malwares:
    if malware.name == 'Industroyer':
        for tech in malware.techniques:
            print(tech.data_sources)
  

from pyattck import Attck

attack = Attck()
malware_name = "Industroyer"
for malware in attack.ics.malwares:
    print(malware.name)
    if malware.name == malware_name:
        techMatrixICS = {}
        # the ValueError is raised while iterating malware.techniques
        for technique in malware.techniques:
            tacticas = {}
            mitigations = {}

It's the ICS matrix :)
@MSAdministrator


This code reproduces the stacktrace listed in this ticket using pyattck 5.4.0:

from pyattck import Attck
attck = Attck()
print(attck.ics.techniques)

The code on line 94 of pyattck/ics/attckobject.py assumes that the data item only contains 1 colon:

data_source, data_component = item.split(':')

However, I'm seeing this present in an "item" variable:

Network Traffic: Network Traffic Flow [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic: Network Connection Creation

So either the data for this item needs to be correct, or the line of code needs to be updated to only split on the first colon:

data_source, data_component = item.split(':', 1)
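To make the failure mode concrete, here is an added example (not pyattck's own code, and not part of this thread) that feeds constructed "Data Source: Data Component" strings, including the malformed one quoted above, through three parsers: the original two-way split that raises ValueError, the first-colon split proposed in the comment, and a more tolerant parser that also discards the concatenated URL and second pair so the malformed entry still yields a clean source/component pair. The sample strings and the function names are this example's own assumptions.

```python
from typing import List, Tuple

# Constructed sample items. The third string reproduces the malformed entry quoted in
# this issue: a URL and a second "Source: Component" pair concatenated onto the first.
SAMPLE_ITEMS = [
    "Network Traffic: Network Traffic Flow",
    "Process: Process Creation",
    "Network Traffic: Network Traffic Flow [https://github.com/mitre-attack/"
    "attack-datasources/blob/main/contribution-ics/network_traffic.yml "
    "Network Traffic: Network Connection Creation",
]


def split_naive(item: str) -> Tuple[str, str]:
    """Same shape as the line quoted from pyattck/ics/attckobject.py: any extra colon
    (here the one in 'https:' and the second 'Network Traffic:') breaks the 2-way unpack."""
    data_source, data_component = item.split(":")
    return data_source.strip(), data_component.strip()


def split_first_colon(item: str) -> Tuple[str, str]:
    """The one-line fix proposed in the thread: split on the first colon only.
    No exception, but the component keeps the trailing URL junk for the malformed item."""
    data_source, data_component = item.split(":", 1)
    return data_source.strip(), data_component.strip()


def parse_data_source(item: str) -> Tuple[str, str]:
    """Tolerant parser (assumption: items look like 'Source: Component', possibly followed
    by bracketed links or extra text). Keeps only the first pair and truncates the
    component at the first '[' or embedded URL."""
    data_source, sep, rest = item.partition(":")
    if not sep:
        raise ValueError(f"no ':' in data source item: {item!r}")
    for marker in (" [", "[", " http"):
        idx = rest.find(marker)
        if idx != -1:
            rest = rest[:idx]
    return data_source.strip(), rest.strip()


def naive_raises(item: str) -> bool:
    """True when the original split would have crashed on this item."""
    try:
        split_naive(item)
    except ValueError:
        return True
    return False


def parse_all(items: List[str]) -> List[Tuple[str, str]]:
    return [parse_data_source(i) for i in items]


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"naive raises: {naive_raises(item)!s:5}  first-colon: {split_first_colon(item)}")
        print(f"  tolerant: {parse_data_source(item)}")
```

The first-colon split is enough to stop the crash; the tolerant parser is what you want if the upstream YAML is not corrected, since the data component is otherwise polluted with the URL and a second component name.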