Traceback when running Yeti analyzer in Timesketch #3276

Open
Cap333333 opened this issue Feb 1, 2025 · 2 comments
Cap333333 commented Feb 1, 2025

Describe the bug
I got an error while analyzing a timeline using the Yeti analyzer in Timesketch, both running in Docker. Although they can ping each other, Timesketch shows a connection error when using the Yeti API, despite Yeti receiving authorized requests from Timesketch.

Steps to reproduce
Run example from https://yeti-platform.io/guides/indicators-timesketch/infrastructure-setup/

  1. I am using Docker to manage both Timesketch and Yeti; I ensured both containers are on the same network and can ping each other.
  2. I did configure the YETI API in the timesketch conf:
    # URI root to Yeti's API, e.g. 'https://localhost:8000/api/v2'
    YETI_API_ROOT = 'http://localhost:8000/api/v2'
    
    # API key to authenticate requests
    YETI_API_KEY = 'my_API_key'
  3. I set up the Docker configuration for Yeti, using port 8000 for the Yeti API and port 80 for the frontend.

Connection Errors:
Timesketch is unable to connect to the Yeti API, resulting in connection refused errors as below:
2025-02-01 15:37:05 yetiinvestigations

    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 199, in _new_conn
        sock = connection.create_connection(
      File "/usr/local/lib/python3.10/dist-packages/urllib3/util/connection.py", line 85, in create_connection
        raise err
      File "/usr/local/lib/python3.10/dist-packages/urllib3/util/connection.py", line 73, in create_connection
        sock.connect(sa)
    ConnectionRefusedError: [Errno 111] Connection refused
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 789, in urlopen
        response = self._make_request(
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 495, in _make_request
        conn.request(
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 441, in request
        self.endheaders()
      File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
        self.send(msg)
      File "/usr/lib/python3.10/http/client.py", line 976, in send
        self.connect()
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 279, in connect
        self.sock = self._new_conn()
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 214, in _new_conn
        raise NewConnectionError(
    urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fb0a4b7ee60>: Failed to establish a new connection: [Errno 111] Connection refused
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/requests/adapters.py", line 667, in send
        resp = conn.urlopen(
      File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 843, in urlopen
        retries = retries.increment(
      File "/usr/local/lib/python3.10/dist-packages/urllib3/util/retry.py", line 519, in increment
        raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='localhost', port=8000): Max retries exceeded with url: /api/v2/auth/api-token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb0a4b7ee60>: Failed to establish a new connection: [Errno 111] Connection refused'))
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/interface.py", line 1188, in run_wrapper
        result = self.run()
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/yetiindicators.py", line 479, in run
        entities = self.get_entities(type_selector=self._TYPE_SELECTOR)
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/yetiindicators.py", line 212, in get_entities
        data = self._get_entities_request({"query": query, "count": 0})
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/yetiindicators.py", line 180, in _get_entities_request
        results = self.authenticated_session.post(
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/yetiindicators.py", line 113, in authenticated_session
        self.authenticate_session()
      File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/analyzers/yetiindicators.py", line 119, in authenticate_session
        response = self._yeti_session.post(
      File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 637, in post
        return self.request("POST", url, data=data, json=json, **kwargs)
      File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 589, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 703, in send
        r = adapter.send(request, **kwargs)
      File "/usr/local/lib/python3.10/dist-packages/requests/adapters.py", line 700, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=8000): Max retries exceeded with url: /api/v2/auth/api-token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb0a4b7ee60>: Failed to establish a new connection: [Errno 111] Connection refused'))
    ERROR

Yeti frontend log:

    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 390 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:30 +0000] "POST /api/v2/entities/search HTTP/1.1" 200 25 "http://127.0.0.1/entities" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 27 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 8946 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 27 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 27 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 27 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"
    172.18.0.1 - - [01/Feb/2025:15:33:31 +0000] "POST /api/v2/indicators/search HTTP/1.1" 200 50740 "http://127.0.0.1/indicators" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" "-"

Yeti API log:

    2025-02-01 15:33:31,038 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [["aliases", "list"]], "sorting": [["name", true]], "type": "forensicartifact"} - 172.19.0.8 - 200
    INFO:     172.19.0.8:40792 - "POST /api/v2/indicators/search HTTP/1.0" 200 OK
    2025-02-01 15:33:31,060 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [], "sorting": [["name", true]], "type": "regex"} - 172.19.0.8 - 200
    INFO:     172.19.0.8:40806 - "POST /api/v2/indicators/search HTTP/1.0" 200 OK
    2025-02-01 15:33:31,078 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [["target_systems", "list"]], "sorting": [["name", true]], "type": "query"} - 172.19.0.8 - 200
    INFO:     172.19.0.8:40812 - "POST /api/v2/indicators/search HTTP/1.0" 200 OK
    2025-02-01 15:33:31,093 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [], "sorting": [["name", true]], "type": "yara"} - 172.19.0.8 - 200
    INFO:     172.19.0.8:40828 - "POST /api/v2/indicators/search HTTP/1.0" 200 OK
    2025-02-01 15:33:31,108 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [], "sorting": [["name", true]], "type": "suricata"} - 172.19.0.8 - 200
    INFO:     172.19.0.8:40834 - "POST /api/v2/indicators/search HTTP/1.0" 200 OK
    2025-02-01 15:33:31,127 - yeti.audit.log - INFO - Authorized request - yeti - /api/v2/indicators/search - POST - {"page": 0, "count": 20, "query": {}, "filter_aliases": [], "sorting": [["name", true]], "type": "sigma"} - 172.19.0.8 - 200

Screenshots of timesketch error

Additional context
timesketch version: deploy docker through https://github.com/google/timesketch/blob/master/contrib/deploy_timesketch.sh
yeti version: deploy through https://github.com/yeti-platform/yeti-docker

@Cap333333 Cap333333 added the Bug label Feb 1, 2025
@Cap333333 Cap333333 changed the title YETI analyzer does not work Traceback when running Yeti analyzer in Timesketch Feb 1, 2025
jkppr (Collaborator) commented Feb 6, 2025

@tomchop any idea?

tomchop (Collaborator) commented Feb 7, 2025

Hey @Cap333333, this error probably comes from the fact that you're instructing yeti to connect to localhost but nothing is listening on that port on the docker container. You need to use the hostname that is attributed to the container in the docker network (the same one you used to test for ping connectivity).

e.g. change

    YETI_API_ROOT = 'http://localhost:8000/api/v2'

to

    YETI_API_ROOT = 'http://yeti-frontend:8000/api/v2'
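The root cause tomchop points at (inside a container, `localhost` is the analyzer's own network namespace, so nothing on the Yeti container can ever answer there) is cheap to catch before an analyzer run. The preflight check below is an added example, not Timesketch or Yeti project code; the function names, the throwaway listener and the sample URLs are constructed for this example. It parses a `YETI_API_ROOT`-style URL, flags loopback hosts, and reproduces the "open" versus "[Errno 111] Connection refused" outcomes from the traceback against a local listener, so the reader can see the difference between "the name resolves but nothing listens there" and "the name does not resolve on this network".

```python
"""Preflight check for a YETI_API_ROOT-style setting before an analyzer uses it.

Added example, not Timesketch or Yeti project code. The function names, the
throwaway listener and the sample URLs below are constructed for this example.
"""
import ipaddress
import socket
from urllib.parse import urlparse

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def classify_host(api_root: str) -> dict:
    """Parse api_root and report whether its host is a loopback address.

    Inside a Docker container, 'localhost' or 127.x.x.x is the analyzer's own
    network namespace, so a loopback host can never reach a sibling container.
    """
    parsed = urlparse(api_root)
    host = parsed.hostname  # already lower-cased by urlparse
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    loopback = False
    if host is not None:
        if host in LOOPBACK_NAMES:
            loopback = True
        else:
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = False  # a DNS name, e.g. a Docker service name
    return {"scheme": parsed.scheme, "host": host, "port": port, "loopback": loopback}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> str:
    """Try one TCP connect and classify the outcome.

    'refused' is the [Errno 111] case from the traceback: the host answered,
    but nothing listens on that port in that network namespace.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"  # name does not resolve on this network
    except (socket.timeout, TimeoutError):
        return "timeout"  # filtered, or a host on another network
    except OSError as exc:
        return f"error:{exc.errno}"


def check_api_root(api_root: str, in_container: bool = True) -> list:
    """Return human-readable findings; an empty list means the setting looks sane."""
    info = classify_host(api_root)
    findings = []
    if info["host"] is None:
        findings.append("no host in URL")
        return findings
    if in_container and info["loopback"]:
        findings.append(
            f"loopback host {info['host']!r}: inside a container this is the "
            "analyzer's own container, not Yeti; use the Docker network service name"
        )
    if info["scheme"] != "https":
        findings.append(
            "plain http: the API key travels unencrypted; keep this on an isolated Docker network"
        )
    return findings


def demo_reachability() -> tuple:
    """Constructed demo: a throwaway listener on 127.0.0.1 yields 'open';
    closing it and probing the same port again reproduces 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    for url in ("http://localhost:8000/api/v2", "http://yeti-frontend:8000/api/v2"):
        print(url, check_api_root(url) or ["ok"])
    print("reachability demo (open, then refused):", demo_reachability())
```

Run it inside the Timesketch container (where the analyzer actually executes) rather than on the Docker host: `tcp_reachable("yeti-frontend", 8000)` returning "unresolved" there means the two containers are not on the same Docker network, while "refused" means the name resolves but the Yeti API is not bound on that port, which is a different fix.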
