MISP_2_0 analyzer throws error when executed on an IP observable inside Cortex docker image #149

Open
ParanoidRat opened this issue Oct 16, 2018 · 5 comments

@ParanoidRat

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | n/a |
| OS version (client) | n/a |
| Cortex version / git hash | thehiveproject/cortex:2.1.2-1 |
| Package Type | Docker (Swarm) |

Problem Description

Not sure if it is caused by the Cortex docker image or the analyzer's code, but when the latest MISP_2_0 analyzer is run on an IP, Cortex chokes with the following traceback:

Invalid output
WARNING [__init__.py:49 - <module>() ] Unable to load pymisp properly: No module named enum
Traceback (most recent call last):
  File "MISP/misp.py", line 80, in <module>
    MISPAnalyzer().run()
  File "MISP/misp.py", line 29, in __init__
    proxies={'http': self.http_proxy, 'https': self.https_proxy})
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 59, in __init__
    self.misp_connections.append(pymisp.PyMISP(url=server,
AttributeError: 'module' object has no attribute 'PyMISP'

Steps to Reproduce

  1. Deploy Cortex as a docker container or Swarm service
  2. Supply latest analyzers as a docker volume
  3. Use MISP_2_0 analyzer on an IP observable

Possible Solutions

Perhaps a dependency issue in Cortex docker image for PyMISP? The only place it imports from enum import Enum is here

@3c7

3c7 commented Oct 17, 2018

There are somehow python module dependencies missing. We'll take a look at that.

@3c7

3c7 commented Oct 17, 2018

Found it. Somehow python2 is used for that and because of that the enum module cannot be found.

@3c7

3c7 commented Oct 17, 2018

Cortex-Analyzers 1.14.0 enforces the use of python3 for the misp analyzer

@gnosticdevice

I seem to be experiencing the same error with Cortex-Analyzers 1.14.0

@infosec-intern

I'm having the same issue still as well. I was able to get it working by deleting the symlink from python->python2 and replacing it with python->python3. It's a pretty dirty fix though
