[Bug] Observables not present in some events imported from MISP #1819

Closed
Tyrell20 opened this issue Mar 5, 2021 · 1 comment
Labels: bug, scope:misp, TheHive4


Tyrell20 commented Mar 5, 2021

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | RedHat 7.9 |
| TheHive version / git hash | Version: 4.0.5-1 |
| Package Type | RPM |

Problem Description

For some MISP events, TheHive fails to import the related observables.

Steps to Reproduce

  1. Publish an event on MISP that contains a "malware-sample" object but without reference to the attachment file;
  2. Wait for MISP sync on TheHive;
  3. The alert is imported and visible on TheHive but it does not contain any observable, even if present on MISP.

Possible Solutions

The problem seems to occur only when the MISP event that TheHive tries to import contains a "malware-sample" without the related attachment file.
TheHive goes into error, without continuing to import the other observables.
As a possible solution, TheHive could try to retrieve the "malware-sample" and the related attachment and, if it fails, it could proceed to import the other observables.

Complementary information

On application.log, I have the following errors regarding the ID of the event for which TheHive fails to import observables:

2021-03-05 16:08:49,325 [WARN] from play.api.libs.ws.ahc.StandaloneAhcWSClient$ in application-akka.actor.default-dispatcher-12 - blockingToByteString is a $
2021-03-05 16:08:49,347 [ERROR] from org.thp.thehive.connector.misp.services.QueueIterator in application-akka.actor.default-dispatcher-4 - Stream fails
org.thp.client.ApplicationError: ApplicationError(404):
{
  "name" : "File '/var/www/MISP/app/files/33805/10034471' does not exists.",
  "message" : "File '/var/www/MISP/app/files/33805/10034471' does not exists.",
  "url" : "/attributes/download/10034471"
}
        at org.thp.client.ApplicationError$.apply(BaseClient.scala:14)
        at org.thp.misp.client.MispClient.$anonfun$downloadAttachment$1(MispClient.scala:231)
        at scala.concurrent.impl.Promise.liftedTree1$1(Promise.scala:33)
        at scala.concurrent.impl.Promise.$anonfun$transform$1(Promise.scala:33)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at org.thp.scalligraph.ContextPropagatingDisptacher$$anon$1.$anonfun$execute$2(ContextPropagatingDisptacher.scala:56)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at org.thp.scalligraph.DiagnosticContext$.$anonfun$withDiagnosticContext$2(ContextPropagatingDisptacher.scala:91)
        at org.thp.scalligraph.DiagnosticContext$.saveDiagnosticContext(ContextPropagatingDisptacher.scala:106)
        at org.thp.scalligraph.DiagnosticContext$.withDiagnosticContext(ContextPropagatingDisptacher.scala:89)
        at org.thp.scalligraph.DiagnosticContext$$anon$2.withContext(ContextPropagatingDisptacher.scala:74)
        at org.thp.scalligraph.ContextPropagatingDisptacher$$anon$1.$anonfun$execute$1(ContextPropagatingDisptacher.scala:56)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:48)
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
        at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
        at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
        at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
        at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
2021-03-05 16:08:49,348 [INFO] from org.thp.thehive.connector.misp.services.MispImportSrv in application-akka.actor.default-dispatcher-4 - Removing old obse$
2021-03-05 16:08:49,348 [WARN] from play.api.libs.ws.ahc.StandaloneAhcWSClient$ in application-akka.actor.default-dispatcher-12 - blockingToByteString is a $
2021-03-05 16:08:49,522 [WARN] from play.api.libs.ws.ahc.StandaloneAhcWSClient$ in application-akka.actor.default-dispatcher-10 - blockingToByteString is a $
2021-03-05 16:08:49,522 [WARN] from play.api.libs.ws.ahc.StandaloneAhcWSClient$ in application-akka.actor.default-dispatcher-31 - blockingToByteString is a $
2021-03-05 16:08:49,524 [ERROR] from org.thp.thehive.connector.misp.services.QueueIterator in application-akka.actor.default-dispatcher-4 - Stream fails

Instead, when the imported MISP event does not contain any malware-sample object, it is imported correctly with all observables, and there are no errors in the log.
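
A triage helper for the log pattern reported above, as an added example that is not part of the original issue or of TheHive's code: it scans application.log text for `QueueIterator` "Stream fails" errors caused by a 404 on `/attributes/download/<id>` and lists the MISP events whose sample files need fixing. The function names are hypothetical, the second error in the sample is constructed, and reading the path as `files/<event id>/<attribute id>` is an assumption drawn from the logged path and URL.

```python
import re

# Sample input: first error copied from the issue's log, second one constructed.
SAMPLE_LOG = """\
2021-03-05 16:08:49,347 [ERROR] from org.thp.thehive.connector.misp.services.QueueIterator in application-akka.actor.default-dispatcher-4 - Stream fails
org.thp.client.ApplicationError: ApplicationError(404):
{
  "name" : "File '/var/www/MISP/app/files/33805/10034471' does not exists.",
  "message" : "File '/var/www/MISP/app/files/33805/10034471' does not exists.",
  "url" : "/attributes/download/10034471"
}
        at org.thp.misp.client.MispClient.$anonfun$downloadAttachment$1(MispClient.scala:231)
2021-03-05 16:09:10,101 [ERROR] from org.thp.thehive.connector.misp.services.QueueIterator in application-akka.actor.default-dispatcher-7 - Stream fails
org.thp.client.ApplicationError: ApplicationError(404):
{
  "message" : "File '/var/www/MISP/app/files/40001/555' does not exists.",
  "url" : "/attributes/download/555"
}
2021-03-05 16:09:10,300 [ERROR] from org.thp.thehive.connector.misp.services.QueueIterator in application-akka.actor.default-dispatcher-7 - Stream fails
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(\w+)\] from (\S+)")
MISSING = re.compile(r'''"message" : "File '(\S*/files/(\d+)/(\d+))' does not exists\."''')
URL = re.compile(r'"url" : "/attributes/download/(\d+)"')

def find_missing_attachments(log_text):
    """Return one dict per import failure caused by a missing MISP attachment."""
    findings, failed_at, current = [], None, None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # a new timestamped entry ends any multi-line error body
            ts, level, logger = entry.groups()
            is_fail = (level == "ERROR" and logger.endswith("QueueIterator")
                       and "Stream fails" in line)
            failed_at, current = (ts if is_fail else None), None
        elif failed_at and "ApplicationError(404)" in line:
            current = {"timestamp": failed_at}
        elif current is not None:
            missing, url = MISSING.search(line), URL.search(line)
            if missing:
                current.update(path=missing.group(1), event_id=missing.group(2),
                               attribute_id=missing.group(3))
            elif url and current.get("attribute_id") == url.group(1):
                findings.append(current)  # path and download URL agree on the ID
                current = None
    return findings

def affected_events(findings):
    """Group attribute IDs by MISP event ID (IDs assumed from the file path)."""
    events = {}
    for f in findings:
        events.setdefault(f["event_id"], []).append(f["attribute_id"])
    return events
```

A "Stream fails" entry with no error body, like the last one in the sample, is ignored because nothing ties it to a specific attachment.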

Tyrell20 added the TheHive4 and bug labels Mar 5, 2021
nadouani added this to the 4.1.0 milestone Mar 6, 2021

nadouani commented Mar 6, 2021

@To-om Added in 4.1 milestone for investigation
