Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial Velociraptor Responder #803

Merged
merged 2 commits into from Aug 12, 2020
Merged

Initial Velociraptor Responder #803

merged 2 commits into from Aug 12, 2020

Conversation

weslambert
Copy link
Contributor

No description provided.

@weslambert weslambert mentioned this pull request Jun 23, 2020
Closed
@dadokkio
Copy link
Contributor

I'm trying to run the responder but I'm having some issues.
Some of the key of config yaml file your code is trying to access (ca_certificate, client_private_key, client_cert) in my case are nested under Client. I'm actually missing client_private and client_cert cause I'm running it locally I believe.

The error:

Traceback (most recent call last):  File "/opt/Cortex-Analyzers/responders/Velociraptor/velociraptor_flow.py", line 127, in <module>    Velociraptor().run()  File "/opt/Cortex-Analyzers/responders/Velociraptor/velociraptor_flow.py", line 24, in run    root_certificates=self.config["ca_certificate"].encode("utf8"),KeyError: 'ca_certificate'

My actual status:

>>> a = yaml.load(open('/tmp/client.config.yaml').read(), Loader=yaml.FullLoader)
>>> a.keys()
dict_keys(['version', 'Client'])
>>> a['Client'].keys()
dict_keys(['server_urls', 'ca_certificate', 'nonce', 'writeback_darwin', 'writeback_linux', 'writeback_windows', 'max_poll', 'windows_installer', 'darwin_installer', 'version', 'use_self_signed_ssl', 'pinned_server_name', 'max_upload_size', 'local_buffer'])

If it could be useful I'm using version 0.4.6, commit 1edf062

@weslambert
Copy link
Contributor Author

Thanks for testing! Not sure at the moment -- I'll take a look at this and get back with you.

@weslambert
Copy link
Contributor Author

weslambert commented Jul 23, 2020
edited

@dadokkio , Did you make sure to generate the API client config like so?

velociraptor --config server.config.yaml config api_client --name Fred > api_client.yaml

or were you trying to use a normal client config (sounds like it from your mention of the nested Client entries)?

https://www.velocidex.com/docs/user-interface/api/

@dadokkio
Copy link
Contributor

I didn't see that! I was using the basic config generate -i command.
I'm going to do a new test later 😃

@dadokkio
Copy link
Contributor

Ok, after adding also API configuration everything works as expected.
Probably a readme with some indication could be useful.

@dadokkio dadokkio added this to the 2.9.0 milestone Jul 24, 2020
@dadokkio dadokkio added this to In progress in Release 2.9.0 via automation Jul 24, 2020
@dadokkio dadokkio moved this from In progress to Reviewer approved in Release 2.9.0 Jul 24, 2020
@weslambert
Copy link
Contributor Author

Awesome, will get on that as soon as I can!

@weslambert weslambert mentioned this pull request Jul 25, 2020
Open
@To-om To-om force-pushed the develop branch 3 times, most recently from fb8f5aa to 23be632 Compare July 29, 2020 15:56
@jeromeleonard jeromeleonard self-assigned this Aug 12, 2020
jeromeleonard added a commit that referenced this pull request Aug 12, 2020
@jeromeleonard
#803 include documentation
44392c6
@jeromeleonard jeromeleonard merged commit 6c9d3e2 into TheHive-Project:develop Aug 12, 2020
Release 2.9.0 automation moved this from Reviewer approved to Done Aug 12, 2020
@jeromeleonard
Copy link
Contributor

jeromeleonard commented Aug 12, 2020
edited

Thanks @weslambert. FYI I included your PR from CortexDocs in a README.md file to support our new documentation (https://thehive-project.github.io/Cortex-Analyzers/)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeromeleonard jeromeleonard Awaiting requested review from jeromeleonard

@dadokkio dadokkio Awaiting requested review from dadokkio

Assignees

@jeromeleonard jeromeleonard

Labels
category:new-responder
Projects
No open projects
Release 2.9.0
  
Done
Milestone
2.9.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@weslambert @dadokkio @jeromeleonard