
API: Resource not found by Assets controller #47

Closed
jschipp-r7 opened this issue Nov 4, 2017 · 4 comments

@jschipp-r7

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian stretch/sid |
| OS version (client) | MacOS |
| Cortex version / git hash | cortex 1.1.4-1 |
| Package Type | Binary, thehive 2.13.2-1 |

Problem Description

I installed TheHive and can't get the Cortex API to give me anything other than

A client error occurred on GET /api/analyzer : Resource not found by Assets controller

Accessing Cortex and TheHive through the WUI works just fine but not through API calls.

Curl request:

$ curl -v http://cortex-1-1.company.com:9000/api/analyzer
*   Trying 10.4.24.12...
* TCP_NODELAY set
* Connected to cortex-1-1.company.com (10.4.24.12) port 9000 (#0)
> GET /api/analyzer HTTP/1.1
> Host: cortex-1-1.company.com:9000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Set-Cookie: XSRF-TOKEN=e72aad4a879067855b4debd3cd2d2b2ff4c2cfa3-1509762781220-fcb9c302f8723d6ff4ac6b00; Path=/
< Date: Sat, 04 Nov 2017 02:33:01 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 86
<
* Connection #0 to host cortex-1-1.company.com left intact
A client error occurred on GET /api/analyzer : Resource not found by Assets controller

Library request:

>>> from cortex4py.api import CortexApi
>>> api = CortexApi('http://cortex-1-1.company.com:9000', cert=False)
>>> api.get_analyzers()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/cortex4py/api.py", line 75, in get_analyzers
    self.__handle_error(e)
  File "/usr/local/lib/python3.6/site-packages/cortex4py/api.py", line 51, in __handle_error
    raise_from(CortexException("Unexpected exception"), exception)
  File "/usr/local/lib/python3.6/site-packages/future/utils/__init__.py", line 398, in raise_from
    exec(execstr, myglobals, mylocals)
  File "<string>", line 1, in <module>
cortex4py.api.CortexException: Unexpected exception
Unexpected exception

Steps to Reproduce

  1. Make any API call

Possible Solutions

I don't know. I can't find anything in the logs to help point to an issue.

Complementary information

I tailed these log files and then made the API requests (curl, cortex4py).

thehive@cortex-1-1:~$ tail -f /var/log/cortex/application.log /var/log/elasticsearch/hive*.log /var/log/thehive/application.log
==> /var/log/cortex/application.log <==
2017-11-01 00:10:02,290 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer DomainTools_WhoisLookup_IP 2.0 (DomainTools_WhoisLookup_IP_2_0)
2017-11-01 00:10:02,291 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer DomainTools_ReverseNameServer 2.0 (DomainTools_ReverseNameServer_2_0)
2017-11-01 00:10:02,296 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer DomainTools_ReverseIP 2.0 (DomainTools_ReverseIP_2_0)
2017-11-01 00:10:02,300 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer DomainTools_ReverseWhois 2.0 (DomainTools_ReverseWhois_2_0)
2017-11-01 00:10:02,303 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer MISP 2.0 (MISP_2_0)
2017-11-01 00:10:02,305 [INFO] from services.ExternalAnalyzerSrv in application-akka.actor.default-dispatcher-200 - Register analyzer CERTatPassiveDNS 2.0 (CERTatPassiveDNS_2_0)
2017-11-01 00:21:59,290 [INFO] from services.ExternalAnalyzerSrv in application-analyzer-216 - Execute sh -c "./WOT_lookup.py"  in WOT
2017-11-01 00:21:59,298 [INFO] from services.ExternalAnalyzerSrv in application-analyzer-215 - Execute sh -c "./passivetotal_analyzer.py"  in PassiveTotal
2017-11-01 00:21:59,302 [INFO] from services.ExternalAnalyzerSrv in application-analyzer-217 - Execute sh -c "./hippo.py"  in Hippocampe
2017-11-01 00:21:59,314 [INFO] from services.ExternalAnalyzerSrv in application-analyzer-218 - Execute sh -c "./safebrowsing_analyzer.py"  in GoogleSafebrowsing

==> /var/log/elasticsearch/hive-2017-09-27.log <==
[2017-09-27T06:06:21,193][INFO ][o.e.n.Node               ] [Mu2gqAX] starting ...
[2017-09-27T06:06:23,040][INFO ][o.e.t.TransportService   ] [Mu2gqAX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2017-09-27T06:06:26,537][INFO ][o.e.c.s.ClusterService   ] [Mu2gqAX] new_master {Mu2gqAX}{Mu2gqAXqQz23sDcdhTBChw}{0AMSnT2YRIy82MvbxWVWiA}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-09-27T06:06:26,655][INFO ][o.e.h.n.Netty4HttpServerTransport] [Mu2gqAX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2017-09-27T06:06:26,655][INFO ][o.e.n.Node               ] [Mu2gqAX] started
[2017-09-27T06:06:26,694][INFO ][o.e.g.GatewayService     ] [Mu2gqAX] recovered [0] indices into cluster_state
[2017-09-27T06:06:47,812][INFO ][o.e.n.Node               ] [Mu2gqAX] stopping ...
[2017-09-27T06:06:47,950][INFO ][o.e.n.Node               ] [Mu2gqAX] stopped
[2017-09-27T06:06:47,950][INFO ][o.e.n.Node               ] [Mu2gqAX] closing ...
[2017-09-27T06:06:48,000][INFO ][o.e.n.Node               ] [Mu2gqAX] closed

==> /var/log/elasticsearch/hive-2017-10-24.log <==
[2017-10-24T14:53:17,177][INFO ][o.e.n.Node               ] [Mu2gqAX] starting ...
[2017-10-24T14:53:17,403][INFO ][o.e.t.TransportService   ] [Mu2gqAX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2017-10-24T14:53:20,494][INFO ][o.e.c.s.ClusterService   ] [Mu2gqAX] new_master {Mu2gqAX}{Mu2gqAXqQz23sDcdhTBChw}{OdYfKRLoTsubjaTXvWQUEw}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-10-24T14:53:20,516][INFO ][o.e.h.n.Netty4HttpServerTransport] [Mu2gqAX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2017-10-24T14:53:20,516][INFO ][o.e.n.Node               ] [Mu2gqAX] started
[2017-10-24T14:53:20,527][INFO ][o.e.g.GatewayService     ] [Mu2gqAX] recovered [0] indices into cluster_state
[2017-10-24T14:54:28,661][INFO ][o.e.n.Node               ] [Mu2gqAX] stopping ...
[2017-10-24T14:54:28,734][INFO ][o.e.n.Node               ] [Mu2gqAX] stopped
[2017-10-24T14:54:28,734][INFO ][o.e.n.Node               ] [Mu2gqAX] closing ...
[2017-10-24T14:54:28,789][INFO ][o.e.n.Node               ] [Mu2gqAX] closed

==> /var/log/elasticsearch/hive-2017-10-26.log <==
[2017-10-26T15:19:23,592][INFO ][o.e.n.Node               ] [Mu2gqAX] starting ...
[2017-10-26T15:19:24,108][INFO ][o.e.t.TransportService   ] [Mu2gqAX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2017-10-26T15:19:27,232][INFO ][o.e.c.s.ClusterService   ] [Mu2gqAX] new_master {Mu2gqAX}{Mu2gqAXqQz23sDcdhTBChw}{AmjP6OeeSnqyHpWGT7-emQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-10-26T15:19:27,315][INFO ][o.e.g.GatewayService     ] [Mu2gqAX] recovered [0] indices into cluster_state
[2017-10-26T15:19:27,329][INFO ][o.e.h.n.Netty4HttpServerTransport] [Mu2gqAX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2017-10-26T15:19:27,329][INFO ][o.e.n.Node               ] [Mu2gqAX] started
[2017-10-26T15:21:13,944][INFO ][o.e.n.Node               ] [Mu2gqAX] stopping ...
[2017-10-26T15:21:14,063][INFO ][o.e.n.Node               ] [Mu2gqAX] stopped
[2017-10-26T15:21:14,063][INFO ][o.e.n.Node               ] [Mu2gqAX] closing ...
[2017-10-26T15:21:14,104][INFO ][o.e.n.Node               ] [Mu2gqAX] closed

==> /var/log/elasticsearch/hive_deprecation.log <==
[2017-10-26T15:16:00,891][WARN ][o.e.d.e.NodeEnvironment  ] ES has detected the [path.data] folder using the cluster name as a folder [/var/lib/elasticsearch], Elasticsearch 6.0 will not allow the cluster name as a folder within the data path
[2017-10-26T15:16:03,511][WARN ][o.e.d.c.s.Settings       ] [script.inline] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2017-10-26T15:19:10,728][WARN ][o.e.d.e.NodeEnvironment  ] ES has detected the [path.data] folder using the cluster name as a folder [/var/lib/elasticsearch], Elasticsearch 6.0 will not allow the cluster name as a folder within the data path
[2017-10-26T15:19:16,387][WARN ][o.e.d.c.s.Settings       ] [script.inline] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2017-10-30T21:51:07,057][WARN ][o.e.d.e.NodeEnvironment  ] ES has detected the [path.data] folder using the cluster name as a folder [/var/lib/elasticsearch], Elasticsearch 6.0 will not allow the cluster name as a folder within the data path
[2017-10-30T21:51:13,085][WARN ][o.e.d.c.s.Settings       ] [script.inline] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2017-10-30T21:58:29,717][WARN ][o.e.d.e.NodeEnvironment  ] ES has detected the [path.data] folder using the cluster name as a folder [/var/lib/elasticsearch], Elasticsearch 6.0 will not allow the cluster name as a folder within the data path
[2017-10-30T21:58:38,293][WARN ][o.e.d.c.s.Settings       ] [script.inline] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2017-10-30T22:27:24,122][WARN ][o.e.d.e.NodeEnvironment  ] ES has detected the [path.data] folder using the cluster name as a folder [/var/lib/elasticsearch], Elasticsearch 6.0 will not allow the cluster name as a folder within the data path
[2017-10-30T22:27:30,237][WARN ][o.e.d.c.s.Settings       ] [script.inline] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.

==> /var/log/elasticsearch/hive_index_indexing_slowlog.log <==

==> /var/log/elasticsearch/hive_index_search_slowlog.log <==

==> /var/log/elasticsearch/hive.log <==
[2017-10-30T22:27:29,207][INFO ][o.e.p.PluginsService     ] [Mu2gqAX] no plugins loaded
[2017-10-30T22:27:37,468][INFO ][o.e.d.DiscoveryModule    ] [Mu2gqAX] using discovery type [zen]
[2017-10-30T22:27:39,227][INFO ][o.e.n.Node               ] initialized
[2017-10-30T22:27:39,228][INFO ][o.e.n.Node               ] [Mu2gqAX] starting ...
[2017-10-30T22:27:39,877][INFO ][o.e.t.TransportService   ] [Mu2gqAX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2017-10-30T22:27:43,069][INFO ][o.e.c.s.ClusterService   ] [Mu2gqAX] new_master {Mu2gqAX}{Mu2gqAXqQz23sDcdhTBChw}{nEUlWNRUS1Suvo8R4uZ3Ig}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-10-30T22:27:43,153][INFO ][o.e.h.n.Netty4HttpServerTransport] [Mu2gqAX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2017-10-30T22:27:43,154][INFO ][o.e.n.Node               ] [Mu2gqAX] started
[2017-10-30T22:27:43,864][INFO ][o.e.g.GatewayService     ] [Mu2gqAX] recovered [1] indices into cluster_state
[2017-10-30T22:27:44,973][INFO ][o.e.c.r.a.AllocationService] [Mu2gqAX] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[the_hive_11][2]] ...]).

==> /var/log/thehive/application.log <==
2017-11-04 03:30:47,587 [INFO] from org.elasticsearch.plugins.PluginsService in main - loaded plugin [org.elasticsearch.percolator.PercolatorPlugin]
2017-11-04 03:30:47,588 [INFO] from org.elasticsearch.plugins.PluginsService in main - loaded plugin [org.elasticsearch.script.mustache.MustachePlugin]
2017-11-04 03:30:47,588 [INFO] from org.elasticsearch.plugins.PluginsService in main - loaded plugin [org.elasticsearch.transport.Netty3Plugin]
2017-11-04 03:30:47,588 [INFO] from org.elasticsearch.plugins.PluginsService in main - loaded plugin [org.elasticsearch.transport.Netty4Plugin]
2017-11-04 03:30:49,813 [INFO] from io.netty.util.internal.PlatformDependent in main - Your platform does not provide complete low-level API for accessing direct buffers reliably. Unless explicitly requested, heap buffer will always be preferred to avoid potential system instability.
2017-11-04 03:30:51,561 [INFO] from connectors.cortex.services.CortexClient in main - new Cortex(LOCAL CORTEX, http://localhost:9999, ) Basic Auth enabled: false
2017-11-04 03:30:51,591 [INFO] from connectors.cortex.services.CortexSrv in main - Search for unfinished job ...
2017-11-04 03:30:51,970 [INFO] from connectors.cortex.services.CortexSrv in application-akka.actor.default-dispatcher-3 - 0 jobs found
2017-11-04 03:30:53,246 [INFO] from play.api.Play in main - Application started (Prod)
2017-11-04 03:30:53,934 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
@saadkadhi (Contributor) commented Nov 4, 2017

@jschipp-r7 from your logs, TheHive and Cortex seem to be installed on the same host. However, TheHive listens on port 9000. Thus you cannot expect TheHive to act like Cortex. If you make Cortex API calls to TheHive it will fail. Please make sure Cortex listens on a different port than TheHive and adjust your requests accordingly.

Here is the expected output on a test box I am running with Cortex on port 9999:

❯ curl -v http://thehive:9999/api/analyzer
*   Trying 172.16.99.133...
* TCP_NODELAY set
* Connected to thehive (172.16.99.133) port 9999 (#0)
> GET /api/analyzer HTTP/1.1
> Host: thehive:9999
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Length: 13588
< Content-Type: application/json
< Date: Sat, 04 Nov 2017 16:02:54 GMT
< 
[{"name":"Fortiguard_URLCategory","version":"2.0","description":"Check the Fortiguard category of a URL or a domain","dataTypeList":["domain","url"],"author":"Eric Capuano","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"Fortiguard_URLCategory_2_0"},{"name":"JoeSandbox_File_Analysis_Inet","version":"2.0","description":"Joe Sandbox file analysis with Internet access","dataTypeList":["file"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"JoeSandbox_File_Analysis_Inet_2_0"},{"name":"JoeSandbox_Url_Analysis","version":"2.0","description":"Joe Sandbox URL analysis","dataTypeList":["url"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"JoeSandbox_Url_Analysis_2_0"},{"name":"JoeSandbox_File_Analysis_Noinet","version":"2.0","description":"Joe Sandbox file analysis without Internet access","dataTypeList":["file"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"JoeSandbox_File_Analysis_Noinet_2_0"},{"name":"FireHOLBlocklists","version":"2.0","description":"Check IP addresses against the FireHOL blocklists","dataTypeList":["ip"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"FireHOLBlocklists_2_0"},{"name":"CuckooSandbox_Url_Analysis","version":"1.0","description":"Cuckoo Sandbox URL analysis","dataTypeList":["url"],"author":"Andrea Garavaglia, LDO-CERT","url":"https://github.com/garanews/Cortex-Analyzers","license":"AGPL-V3","id":"CuckooSandbox_Url_Analysis_1_0"},{"name":"CuckooSandbox_File_Analysis_Inet","version":"1.0","description":"Cuckoo Sandbox file analysis with Internet access","dataTypeList":["file"],"author":"Andrea Garavaglia, LDO-CERT","url":"https://github.com/garanews/Cortex-Analyzers","license":"AGPL-V3","id":"CuckooSandbox_File_Analysis_Inet_1_0"},{"name":"Nessus","version":"2.0","description":"Scan hosts 
using Tenable's Nessus scanner","dataTypeList":["ip","fqdn"],"author":"Guillaume Rousse","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"Nessus_2_0"},{"name":"Virusshare","version":"2.0","description":"Search for MD5 hashes in Virusshare.com hash list","dataTypeList":["hash","file"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"Virusshare_2_0"},{"name":"VMRay","version":"2.0","description":"VMRay Sandbox file analysis","dataTypeList":["hash","file"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"VMRay_2_0"},{"name":"Abuse_Finder","version":"2.0","description":"Find abuse contacts associated with domain names, URLs, IPs and email addresses","dataTypeList":["ip","domain","url","mail"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"Abuse_Finder_2_0"},{"name":"Msg_Parser","version":"2.0","description":"Parse Outlook MSG files and extract the main artifacts","dataTypeList":["file"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"Msg_Parser_2_0"},{"name":"PassiveTotal_Ssl_Certificate_History","version":"2.0","description":"PassiveTotal Ssl Certificate History Lookup","dataTypeList":["hash","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Ssl_Certificate_History_2_0"},{"name":"PassiveTotal_Passive_Dns","version":"2.0","description":"PassiveTotal Passive DNS Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Passive_Dns_2_0"},{"name":"PassiveTotal_Malware","version":"2.0","description":"PassiveTotal Malware 
Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Malware_2_0"},{"name":"PassiveTotal_Osint","version":"2.0","description":"PassiveTotal Osint Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Osint_2_0"},{"name":"PassiveTotal_Unique_Resolutions","version":"2.0","description":"PassiveTotal Unique Resolutions Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Unique_Resolutions_2_0"},{"name":"PassiveTotal_Whois_Details","version":"2.0","description":"PassiveTotal Whois Details Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Whois_Details_2_0"},{"name":"PassiveTotal_Enrichment","version":"2.0","description":"PassiveTotal Enrichment Lookup","dataTypeList":["domain","fqdn","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Enrichment_2_0"},{"name":"PassiveTotal_Ssl_Certificate_Details","version":"2.0","description":"PassiveTotal Ssl Certificate Details Lookup","dataTypeList":["hash","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PassiveTotal_Ssl_Certificate_Details_2_0"},{"name":"CIRCLPassiveSSL","version":"2.0","description":"Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash","dataTypeList":["ip","certificate_hash","hash"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"CIRCLPassiveSSL_2_0"},{"name":"HippoMore","version":"2.0","description":"Get the Hippocampe detailed report for an IP address, a domain or a 
URL","dataTypeList":["ip","domain","fqdn","url"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"HippoMore_2_0"},{"name":"Hipposcore","version":"2.0","description":"Get the Hippocampe Score report associated with an IP address, a domain or a URL","dataTypeList":["ip","domain","fqdn","url"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"Hipposcore_2_0"},{"name":"CIRCLPassiveDNS","version":"2.0","description":"Check CIRCL's Passive DNS for a given domain or URL","dataTypeList":["domain","url"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"CIRCLPassiveDNS_2_0"},{"name":"Yara","version":"2.0","description":"Check files against YARA rules","dataTypeList":["file"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"Yara_2_0"},{"name":"MaxMind_GeoIP","version":"3.0","description":"Geolocate an IP Address via MaxMind","dataTypeList":["ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"MaxMind_GeoIP_3_0"},{"name":"File_Info","version":"2.0","description":"Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files and much more","dataTypeList":["file"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"File_Info_2_0"},{"name":"WOT_Lookup","version":"1.0","description":"Check a Domain against Web of Trust (WOT) a website reputation service","dataTypeList":["domain","fqdn"],"author":"Andrea Garavaglia - LDO-CERT","url":"https://github.com/garanews/Cortex-Analyzers","license":"AGPL-V3","id":"WOT_Lookup_1_0"},{"name":"PhishingInitiative_Lookup","version":"2.0","description":"Check a URL against Phishing Initiative to determine if it's a verified 
phishing site","dataTypeList":["url"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PhishingInitiative_Lookup_2_0"},{"name":"GoogleSafebrowsing","version":"2.0","description":"Check URLs and domain names against Google Safebrowsing","dataTypeList":["url","domain"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"GoogleSafebrowsing_2_0"},{"name":"OTXQuery","version":"2.0","description":"Query AlienVault OTX for IPs, domains, URLs, or file hashes","dataTypeList":["url","domain","file","hash","ip"],"author":"Eric Capuano","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"OTXQuery_2_0"},{"name":"VirusTotal_Scan","version":"3.0","description":"Scan a file or URL using VirusTotal","dataTypeList":["file","url"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"VirusTotal_Scan_3_0"},{"name":"VirusTotal_GetReport","version":"3.0","description":"Get the latest VirusTotal report for a file, hash, domain or an IP address","dataTypeList":["file","hash","domain","ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"VirusTotal_GetReport_3_0"},{"name":"PhishTank_CheckURL","version":"2.0","description":"Check a URL against PhishTank to determine if it's a verified phishing site","dataTypeList":["url"],"author":"Eric Capuano","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"PhishTank_CheckURL_2_0"},{"name":"DNSDB_DomainName","version":"2.0","description":"Provide history records for a domain using DNSDB Passive DNS service","dataTypeList":["domain"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DNSDB_DomainName_2_0"},{"name":"DNSDB_NameHistory","version":"2.0","description":"Provide history records for a fully-qualified domain name using DNSDB Passive 
DNS","dataTypeList":["fqdn"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DNSDB_NameHistory_2_0"},{"name":"DNSDB_IPHistory","version":"2.0","description":"Provide history records for an IP address using DNSDB Passive DNS service","dataTypeList":["ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DNSDB_IPHistory_2_0"},{"name":"Yeti","version":"1.0","description":"Fetch observable details from a Yeti","dataTypeList":["domain","fqdn","ip","url","hash"],"author":"CERT-BDF","url":"https://github.com/CERT/cortex-analyzers","license":"AGPL-V3","id":"Yeti_1_0"},{"name":"DomainTools_WhoisHistory","version":"2.0","description":"Get a list of historic Whois records associated with a domain name through DomainTools Whois History service","dataTypeList":["domain"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_WhoisHistory_2_0"},{"name":"DomainTools_WhoisLookup","version":"2.0","description":"Get the ownership record for a domain with basic registration details using DomainTools Whois Lookup service","dataTypeList":["domain"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_WhoisLookup_2_0"},{"name":"DomainTools_WhoisLookup_IP","version":"2.0","description":"Get the ownership record for an IP address with basic registration details using DomainTools Whois Lookup IP service","dataTypeList":["ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_WhoisLookup_IP_2_0"},{"name":"DomainTools_ReverseNameServer","version":"2.0","description":"Use DomainTools Reverse Name Server service to get a list of domain names that share the same primary or secondary name 
server","dataTypeList":["domain"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_ReverseNameServer_2_0"},{"name":"DomainTools_ReverseIP","version":"2.0","description":"Use DomainTools Reverse IP service to provide a list of domain names sharing the same IP address","dataTypeList":["ip"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_ReverseIP_2_0"},{"name":"DomainTools_ReverseWhois","version":"2.0","description":"Get a list of domain names which share the same registrant information through Domaintools Reverse Whois service","dataTypeList":["mail","ip","domain","other"],"author":"CERT-BDF","url":"https://github.com/CERT-BDF/Cortex-Analyzers","license":"AGPL-V3","id":"DomainTools_ReverseWhois_2_0"},{"name":"MISP","version":"2.0","description":"Query multiple MISP instances for events containing an observable.","dataTypeList":["domain","ip","url","fqdn","uri_path","user-agent","hash","email","mail","mail_subject","registry","regexp","other","filename"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"MISP_2_0"},{"name":"CERTatPassiveDNS","version":"2.0","description":"Checks CERT.at Passive DNS for a given domain, API Key via cert.at.","dataTypeList":["domain","fqdn"],"author":"Nils Kuhnert, CERT-Bund","url":"https://github.com/BSI-CERT-Bund/cortex-analyzers","license":"AGPL-V3","id":"CERTatPassiveDNS_2_0"}]
* Connection #0 to host thehive left intact

@saadkadhi (Contributor)

I also see in TheHive logs:

from connectors.cortex.services.CortexClient in main - new Cortex(LOCAL CORTEX, http://localhost:9999, ) Basic Auth enabled: false

Cortex seems to be listening on port 9999 and not 9000, hence curl fails.
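As an added example (not code from this thread or from the TheHive/Cortex projects), the following Python snippet automates the two checks saadkadhi made above: it pulls the Cortex URL that TheHive logs at startup and the port TheHive itself binds, and it recognises the Play framework's "Resource not found by Assets controller" 404 as the sign that a Play application answered the request but had no route for that path, which is what you see when a Cortex call lands on TheHive. The embedded log lines are constructed after the ones quoted in this issue, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the TheHive startup log quoted in this issue:
# the connector line names the Cortex URL TheHive was configured with, and the
# server line names the port TheHive itself binds.
THEHIVE_LOG = """\
2017-11-04 03:30:51,561 [INFO] from connectors.cortex.services.CortexClient in main - new Cortex(LOCAL CORTEX, http://localhost:9999, ) Basic Auth enabled: false
2017-11-04 03:30:53,934 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
"""

CORTEX_LINE = re.compile(r"new Cortex\((?P<name>[^,]+),\s*(?P<url>https?://[^,\s)]+)")
LISTEN_LINE = re.compile(r"Listening for HTTP on /(?P<addr>[0-9a-fA-F:.]+):(?P<port>\d+)")
PLAY_ROUTE_MISSING = "Resource not found by Assets controller"


def configured_cortex(log_text):
    """Map connector name -> Cortex URL for every Cortex instance TheHive logged."""
    return {m.group("name").strip(): m.group("url") for m in CORTEX_LINE.finditer(log_text)}


def thehive_listen_port(log_text):
    """Port TheHive's Play/Akka HTTP server bound, or None if it was not logged."""
    m = LISTEN_LINE.search(log_text)
    return int(m.group("port")) if m else None


def classify_response(status, body):
    """Play answers unmatched paths through its Assets controller with this 404 text;
    it means *some* Play application answered, not that the service is down."""
    if status == 404 and PLAY_ROUTE_MISSING in body:
        return "play-route-missing"
    return "ok" if status == 200 else "other"


def _port_of(parsed):
    return parsed.port or (443 if parsed.scheme == "https" else 80)


def diagnose(requested_url, status, body, log_text):
    """Return findings explaining a failed Cortex API call; empty when nothing looks wrong."""
    req = urlparse(requested_url)
    req_port = _port_of(req)
    findings = []
    if classify_response(status, body) == "play-route-missing" and thehive_listen_port(log_text) == req_port:
        findings.append(
            f"port {req_port} is served by TheHive, not Cortex: TheHive answered but has no route for {req.path}"
        )
    for name, url in configured_cortex(log_text).items():
        cfg_port = _port_of(urlparse(url))
        if cfg_port != req_port:
            findings.append(f"TheHive connector '{name}' expects Cortex at {url}; retry on port {cfg_port}")
    return findings


if __name__ == "__main__":
    body = "A client error occurred on GET /api/analyzer : Resource not found by Assets controller"
    for finding in diagnose("http://cortex-1-1.company.com:9000/api/analyzer", 404, body, THEHIVE_LOG):
        print(finding)
```

On a real host, pass the contents of /var/log/thehive/application.log as `log_text` together with the URL, status and body of the failing request; the two findings for the request in this issue are that port 9000 belongs to TheHive and that the connector expects Cortex on port 9999.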

@jschipp-r7 (Author)

@saadkadhi Oh, silly me. Got it, sorry for the bug report and thanks for your swift help!

alisp7 commented Jun 1, 2021

Hi Dear @saadkadhi
I installed TheHive and Cortex on the same host and they talk to each other:
thehive : http://x.x.x.x:9000
cortex : http://x.x.x.x:9001
[screenshot: Capture5]

but when I go to the Observables tab of the Alert section and select Run analyzer, this message appears:
[screenshot: image]
[screenshot: Capture6]

and also when I execute /api/connector/cortex/analyzer to list all analyzers I get this error:
[screenshot: Capture8]

this is the log of my thehive/application.log:
[screenshot: Capture9]

this is the log of my cortex/application.log:
[screenshot: Capture10]
