
Improve error msg when VT Get Report does not have an entry for #248

Closed
mnmnc opened this Issue May 17, 2018 · 7 comments

mnmnc commented May 17, 2018

Request Type

Bug

Work Environment

Question                 | Answer
OS version (server)      | RedHat
Cortex Analyzer Name     | VirusTotal
Cortex Analyzer Version  | 3.0
Cortex Version           | 2.0.4

Description

IP added as observable. Type: ip
Added as 1.1.1.1, presented in UI as 1[.]1[.]1[.]1
I think the VT analyser is taking the literal 1[.]1[.]1[.]1 instead of 1.1.1.1, which causes an error (I've changed the IP) displayed in the UI as:

Report for VirusTotal_GetReport_3_0 analysis of Thu, May 17th, 2018 14:27 +02:00 Show Raw Report
1[.]1[.]1[.]1
Missing IP address

Steps to Reproduce

  1. add IP as observable to case
  2. start VirusTotal_GetReport analyser from observable details page
  3. get error

Possible Solutions

given_ip.replace('[', '').replace(']', '')

or something better ;)

saadkadhi (Contributor) commented May 17, 2018

@mnmnc the problem might be on your side. I've just tested with 1.1.1.1 added as an observable and VT GetReport works like a charm. Also tried directly from Cortex 2.0.4 and everything works perfectly. Make sure you have no extra chars/space at the beginning/end of the IP addr.

[Three screenshots attached, taken 2018-05-17 at 09:58:59, 10:00:39 and 10:00:49, showing the observable and the VT GetReport result]

Internally, the IP is stored as-is. It is displayed fanged and when you attempt to export it without unfanging it first, you'll get it obviously fanged.

@saadkadhi saadkadhi closed this May 17, 2018

mnmnc commented May 17, 2018

Ok. I will check everything on my side.
Here it looks like this at present:

[Screenshot attached]

mnmnc commented May 17, 2018

Ok. I've tested on a bunch of IP addresses.
So apparently "Missing IP address" is the response in case VirusTotal does not have this IP in its database. Which in my opinion is a pretty misleading response.
If this can be clarified on an analyzer level ("VT does not have information about this IP") that would be great.
Currently it looks like a user fault of not providing an IP address.

saadkadhi (Contributor) commented May 17, 2018

Thanks for testing further. Obviously it has 1.1.1.1 in its database that's why I could not reproduce the problem on my end per your initial issue description ;-).

We'll look into how we can catch the error and display a less cryptic message.

@saadkadhi saadkadhi reopened this May 17, 2018

@saadkadhi saadkadhi changed the title from VirusTotal anylyser can't handle IP address written in TheHive format 1[.]1[.]1[.]1 to Improve error msg when VT Get Report does not have an entry for May 17, 2018

@jeromeleonard jeromeleonard self-assigned this Oct 19, 2018

@jeromeleonard jeromeleonard added this to the 1.14.0 milestone Oct 19, 2018

jeromeleonard (Contributor) commented Oct 21, 2018

Hi,

In fact, this is the message that is returned by the VirusTotal API when the IP is not in the database.
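The two points raised in this thread, refanging an observable before it is sent to an API (saadkadhi's comment on fanged display) and turning VirusTotal's "Missing IP address" into a message that says what actually happened (mnmnc's and jeromeleonard's comments), as an added example. This is not the analyzer's own code and not the fix in the referenced commit. It assumes the VirusTotal v2 ip-address/report response shape (`response_code` 0 with a `verbose_msg` when the IP is unknown, 1 when found) and a Cortex-style `{"success": ..., "errorMessage": ...}` result dict; the sample responses are constructed.

```python
"""Refang an observable and translate a VirusTotal v2 IP report into a
clear analyzer result. Added example; not code from Cortex-Analyzers."""
import ipaddress
import re

# Constructed sample responses in the shape of the VirusTotal v2
# ip-address/report endpoint (assumption: field names follow the public v2
# API; the "Missing IP address" text is the message quoted in this issue).
VT_NOT_FOUND = {"response_code": 0, "verbose_msg": "Missing IP address"}
VT_FOUND = {
    "response_code": 1,
    "verbose_msg": "IP address in dataset",
    "detected_urls": [
        {"url": "http://1.1.1.1/bad", "positives": 3, "total": 60},
        {"url": "http://1.1.1.1/ok", "positives": 0, "total": 60},
    ],
    "resolutions": [
        {"hostname": "one.one.one.one", "last_resolved": "2018-05-01 00:00:00"}
    ],
}


def refang(observable: str) -> str:
    """Undo the defanging TheHive shows in its UI (1[.]1[.]1[.]1, hxxp://)
    and strip stray whitespace, so the value is what the API should receive."""
    value = observable.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)   # 1[.]1 -> 1.1
    value = re.sub(r"\[:\]", ":", value)                    # http[:]// -> http://
    value = re.sub(r"hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value


def summarize(report: dict) -> dict:
    """Count the parts of a found report that an analyst looks at first."""
    urls = report.get("detected_urls", [])
    return {
        "detected_urls": sum(1 for u in urls if u.get("positives", 0) > 0),
        "resolutions": len(report.get("resolutions", [])),
    }


def interpret_ip_report(observable: str, report: dict) -> dict:
    """Return a result dict shaped like a Cortex analyzer output
    ({"success": ..., "errorMessage": ...}; that shape is an assumption here).

    Distinguishes three cases the raw VT message blurs together:
    bad input, IP not in VT's dataset, and a real hit."""
    ip = refang(observable)
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        # Genuine user error: the observable is not an IP even after refanging.
        return {"success": False,
                "errorMessage": f"{observable!r} is not a valid IP address"}

    code = report.get("response_code")
    if code == 0:
        # VT answers "Missing IP address" here. It means VT has no entry,
        # not that the request lacked an IP, so say so and keep VT's text.
        return {"success": False,
                "errorMessage": (f"VirusTotal has no record for {ip} "
                                 f"(VirusTotal said: {report.get('verbose_msg')!r})")}
    if code == 1:
        return {"success": True, "ip": ip,
                "summary": summarize(report), "full": report}
    return {"success": False,
            "errorMessage": (f"Unexpected VirusTotal response_code {code!r}: "
                             f"{report.get('verbose_msg')!r}")}


if __name__ == "__main__":
    cases = (("1[.]1[.]1[.]1", VT_NOT_FOUND),
             ("1[.]1[.]1[.]1", VT_FOUND),
             ("1[.]1[.]1", VT_FOUND))
    for obs, rep in cases:
        print(obs, "->", interpret_ip_report(obs, rep))
```

Validating the refanged value locally before looking at `response_code` is what separates "you gave me something that is not an IP" from "VirusTotal has never seen this IP"; the original VT text is kept inside the message so the raw reply is still recoverable from the analyzer output.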

3c7 (Member) commented Oct 21, 2018

We're going to change that VirusTotal error message.

@3c7 3c7 self-assigned this Oct 21, 2018

3c7 (Member) commented Oct 21, 2018

Fixed with 8392531.

@3c7 3c7 closed this Oct 21, 2018
