New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HybridAnalysis analyzer does not properly handle filenames on some cases #323

srilumpa opened this Issue Aug 1, 2018 · 3 comments


None yet
2 participants

srilumpa commented Aug 1, 2018

Request Type


Work Environment

(replace with N/A if not applicable)

Question Answer
OS version (server) Debian
Cortex Analyzer Name HybridAnalysis
Cortex Analyzer Version 1.0
Cortex Version 2.0.4


This is a follow up of TheHive-Project/TheHive#530.

On some cases, the HybridAnalys_GetReport analyzer fails when applied on a filename. I think this happens when the filename contains a ' character.

Steps to Reproduce

  1. submit analysis of a filename containing a "'"

Complementary information

Here is one result of this kind of analysis:

  "errorMessage": "Phrase 'srilumpa's file' should be in double quote.",
  "input": "{\"tlp\":2,\"parameters\":{},\"dataType\":\"filename\",\"config\":{\"check_tlp\":true,\"proxy_https\":null,\"max_tlp\":2,\"auto_extract_artifacts\":false,\"secret\":\"[REDACTED]\",\"proxy_http\":null,\"key\":\"REMOVED\"},\"message\":\"\",\"data\":\"srilumpa's file\"}",
  "success": false

@3c7 3c7 added the bug label Aug 2, 2018


This comment has been minimized.


srilumpa commented Aug 3, 2018

In fact, it seems more generic than that. Example below:

  "errorMessage": "Phrase 'DHL ITALY - Intraship Shipment Notification.bat' should be in double quote.",
  "input": "{\"tlp\":2,\"parameters\":{},\"dataType\":\"filename\",\"config\":{\"check_tlp\":true,\"proxy_https\":null,\"max_tlp\":2,\"auto_extract_artifacts\":false,\"secret\":\"[REDACTED]\",\"proxy_http\":null,\"key\":\"REMOVED\"},\"message\":\"41907\",\"data\":\"DHL ITALY - Intraship Shipment Notification.bat\"}",
  "success": false

This comment has been minimized.


3c7 commented Aug 3, 2018

Will look into it, but right now it's too hot to do anything. :D

3c7 added a commit that referenced this issue Oct 23, 2018


This comment has been minimized.


3c7 commented Oct 23, 2018

Sorry, I forgot about this. :/ Fixed now.

@3c7 3c7 closed this Oct 23, 2018

@3c7 3c7 added this to the 1.14.0 milestone Oct 23, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment