MISP Analysis fails #335

Closed
crackytsi opened this Issue Aug 22, 2018 · 14 comments

@crackytsi
Contributor

crackytsi commented Aug 22, 2018

Request Type

Bug

Work Environment

Question Answer
OS version (server) Debian
OS version (client) Seven
Cortex Analyzer Name MISP2_0
Cortex Analyzer Version latest.
Cortex Version 2.1

Description

MISP Analysis fails via Cortex but works locally:

echo '{"data":"1.2.3.4", "dataType":"ip","config":{"url":"https://fqdn", "key":"mykey", "cert_path":"/usr/local/lib/python3.4/dist-packages/requests/cacert.pem"}}' | python misp.py | json_pp
WARNING [abstract.py:19 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [mispevent.py:26 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [api.py:31 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
{
   "full" : {
      "results" : [
         {
            "result" : [],
            "url" : "https://fqdn",
            "name" : "Unnamed"
         }
      ]
   },
   "success" : true,
   "artifacts" : [
      {
         "type" : "url",
         "value" : "https://fqdn"
      }
   ],
   "summary" : {
      "taxonomies" : [
         {
            "namespace" : "MISP",
            "level" : "info",
            "predicate" : "Search",
            "value" : "0 events"
         }
      ]
   }
}

But using cortex-analysis it fails:

Invalid output
WARNING [abstract.py:19 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [mispevent.py:26 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [api.py:31 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
Traceback (most recent call last):
  File "MISP/misp.py", line 78, in <module>
    MISPAnalyzer().run()
  File "MISP/misp.py", line 66, in run
    response = self.misp.search_ip(self.get_data())
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 276, in search_ip
    return self.__search(type_attribute=self.__mispiptypes(), value=searchterm)
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 229, in __search
    name = self.misp_name[idx]
IndexError: list index out of range

@3c7 3c7 self-assigned this Aug 22, 2018

@3c7 3c7 added the bug label Aug 22, 2018

@3c7

Member

3c7 commented Aug 22, 2018

Can you confirm you've entered a name for the MISP instance?

@crackytsi

Contributor

crackytsi commented Aug 23, 2018

Thanks @3c7, indeed I forgot to add the Name.
Shouldn't this field here be a required one?

@3c7

Member

3c7 commented Aug 23, 2018

I need to take a look. Are you using more than one MISP server?

@crackytsi

Contributor

crackytsi commented Aug 23, 2018

No, just one

@3c7

Member

3c7 commented Aug 23, 2018

Okay. So please, set a name. In the meantime I'll take a look at the code. Generally, name will be a requirement if you want to name only one server if you have multiple ones, because you need to process a list of names and therefore don't know which of the servers is unnamed and which one is not.

Maybe I end up enforcing the name param. ;)

@axpatito

axpatito commented Aug 23, 2018

I had this issue too. I think name needs to be enforced.

@crackytsi

Contributor

crackytsi commented Aug 24, 2018

certpath should also be enforced as far as I understand the code...

@3c7

Member

3c7 commented Aug 24, 2018

No, certpath is only used if your MISP's certificate was not signed by a trusted CA. Hope I have time this weekend to look into a few issues.

@robertnixon2003

Contributor

robertnixon2003 commented Sep 4, 2018

I am having the same issue.

@3c7

Member

3c7 commented Sep 5, 2018

@robertnixon2003 How many MISP instances have you added to the analyzer's config? Have you entered names for them?

@robertnixon2003

Contributor

robertnixon2003 commented Sep 5, 2018

Just 1. It has a name. I am on the beta DEB repo just FYI.

@robertnixon2003

Contributor

robertnixon2003 commented Sep 5, 2018

Never mind. The name was in the misp base config but it did not propagate down to the actual analyzer config. Works now.

@3c7

Member

3c7 commented Sep 12, 2018

The error occurs, if name is empty, because Cortex passes an empty list instead of None or similar.
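To illustrate the root cause described in this thread, here is an added Python example (not the Cortex-Analyzers code): a lookup that mirrors `name = self.misp_name[idx]` and fails on an empty list, next to a hypothetical `normalize_names()` that pads a missing or short name list with "Unnamed" so a single unnamed server no longer raises.

```python
# Added illustration of the IndexError discussed in this issue (not the
# Cortex-Analyzers code). The analyzer indexes a list of names by the
# position of each URL, so an empty "name" list (what Cortex passes when
# the field is left blank) raises IndexError. normalize_names() is a
# hypothetical fix that pads missing names with "Unnamed", matching the
# "Unnamed" seen in the local run earlier in the issue.

def lookup_name_buggy(names, idx):
    """Mirror of `name = self.misp_name[idx]`: raises when names is []."""
    return names[idx]


def triggers_index_error(names, idx):
    """True when the buggy lookup raises, i.e. the reported failure."""
    try:
        lookup_name_buggy(names, idx)
    except IndexError:
        return True
    return False


def normalize_names(name_cfg, urls, default="Unnamed"):
    """Return one display name per configured MISP URL.

    Accepts what a config may hand over: None, a single string, an empty
    list, or a list shorter than the URL list. Missing entries become
    `default`; more names than URLs is treated as a config error.
    """
    if name_cfg is None or name_cfg == "":
        names = []
    elif isinstance(name_cfg, str):
        names = [name_cfg]
    else:
        names = list(name_cfg)
    if len(names) > len(urls):
        raise ValueError("more names than MISP URLs configured")
    # Pad so every URL has a name; a lone unnamed server becomes "Unnamed".
    return names + [default] * (len(urls) - len(names))


def search_results(name_cfg, urls):
    """Build the per-server result skeleton the analyzer output shows."""
    names = normalize_names(name_cfg, urls)
    return [{"name": names[idx], "url": url, "result": []}
            for idx, url in enumerate(urls)]


if __name__ == "__main__":
    urls = ["https://fqdn"]                  # constructed sample config
    print(triggers_index_error([], 0))       # True: the Cortex failure
    print(search_results([], urls))          # name falls back to "Unnamed"
```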

3c7 added a commit that referenced this issue Sep 12, 2018

@3c7 3c7 added this to the 1.13.0 milestone Sep 12, 2018

@3c7 3c7 closed this Sep 12, 2018

@crackytsi

Contributor

crackytsi commented Sep 12, 2018

@3c7 Why don't we set Name as a required field in the json definition? I don't understand that...
