[Bug][EMLParser] incomplete headers #976

Closed
nicodeff opened this issue Apr 12, 2021 · 7 comments

@nicodeff

Hello,

For a few eml, the analyzer EMLParser displays incomplete headers.
The headers are cut off in the "DKIM-Signature" part.

Last line of the headers part in the analyzer:
image

Headers:
image

Work environment

  • Client OS: Windows
  • Server OS: CentOS
  • Browser type and version: Chrome 89
  • Cortex version: 3.1.1-1
  • Cortex Analyzer/Responder name: EMLParser
  • Cortex Analyzer/Responder version: Last Version

Regards,

@nicodeff
Author

Hello, I have additional information.

For all eml with partial information, the displayed headers stop at the field "h=" in "DKIM-Signature".

Regards,

@nicodeff
Author

Hello,

Do you have information about this bug?

Thanks,

Regards,

@ch0wm3in
Contributor

This pull request fixes it #962
For some reason at some point someone introduced a 'content-type:' split into the EMLParser analyser on the header extractions even though it only extracts the headers and nothing else. At the very least, even though it's unnecessary, it should be an .rindex to get the last index of 'content-type:'

I made the pull request a while ago, but no one wants to merge it :(
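Added illustration, not code from the analyzer or from the pull request: it reproduces the truncation reported above, where a cut at the first 'content-type:' lands inside the DKIM-Signature `h=` tag, and compares the `.rindex` variant with a standard-library parse that stops at the blank line ending the header block. The function names and the sample message are constructed for this example, and it assumes the split runs over the raw message text.

```python
from email import policy
from email.parser import HeaderParser

# Constructed sample message (not taken from the issue). The DKIM h= tag lists
# the names of the signed headers, so "content-type:" occurs inside a value.
SAMPLE_EML = (
    "Received: from mail.example.org by mx.example.net; Mon, 12 Apr 2021 10:00:00 +0000\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
    "\th=from:to:subject:content-type:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: test\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "body mentioning content-type: here\r\n"
)

def headers_first_split(raw):
    """Hypothetical: cut at the FIRST 'content-type:' (the reported symptom)."""
    return raw[: raw.lower().index("content-type:")]

def headers_last_split(raw):
    """Hypothetical: cut at the LAST 'content-type:' (the .rindex variant)."""
    return raw[: raw.lower().rindex("content-type:")]

def headers_rfc5322(raw):
    """Parse only the header block, which ends at the first empty line."""
    msg = HeaderParser(policy=policy.default).parsestr(raw, headersonly=True)
    return [(name, str(value)) for name, value in msg.items()]

if __name__ == "__main__":
    print(repr(headers_first_split(SAMPLE_EML)[-30:]))  # ends inside h=
    print(repr(headers_last_split(SAMPLE_EML)[-30:]))   # ends inside the body
    for name, value in headers_rfc5322(SAMPLE_EML):
        print(f"{name}: {value}")
```

With this sample the first-occurrence cut drops From, To and Subject from the analyst's view, and the last-occurrence cut depends on whether the body happens to contain the same string.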

@jeromeleonard
Contributor

A new version of the analyzer is coming. It has been almost completely rewritten and should fix this issue.

@nicodeff
Author

nicodeff commented Aug 4, 2021

Hello,

Sorry for this late response.
Thanks @jeromeleonard for this information. I am waiting impatiently for the new version of this analyzer. 🙏

Regards,

@nicodeff
Author

nicodeff commented Aug 16, 2021

Hello @jeromeleonard.

I just tried to update all Cortex analyzers and responders via this method:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

After reloading EmlParser 2.0 in Cortex, I have this error message:
image

Do you have any idea how to resolve this problem?

The python package eml_parser is already at the latest version.

Thanks,

Regards,

Nicolas

@nicodeff
Author

Hello,

On this git it is indicated to update Python.
GOVCERT-LU/eml_parser#53

So I switched to version 3.9.6 and my problem has been solved.
Thank you so much,

By the way, this new version of the EmlParser analyzer is great 😃
Thanks @jeromeleonard

Regards,

Nicolas
