LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

New TA install throws REST error 500 #11

Closed drejoe closed 3 years ago

drejoe commented 3 years ago

Hi, we just installed version 2.0.0 of ta_thehive_cortex. After a Splunk restart the TA logs REST error 500 in splunkd.log. Any idea why? Thanks //T

LetMeR00t commented 3 years ago

Hi @drejoe, could you provide me some logs concerning this error? Do you have some details? What is your OS environment? With which version of Splunk? Did you configure something more, or is it only a new installation? Most of the code was reviewed, so you will need to configure the app as described in the documentation. Thank you

drejoe commented 3 years ago

hello :-)

Sure, just here at Git?

LetMeR00t commented 3 years ago

Yes, just drop any sensitive information that your logs may contain, if any.

drejoe commented 3 years ago

The following 2 events are from splunkd.log:

02-26-2021 10:34:24.161 +0000 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 352, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 386, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/credentials.py", line 290, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/utils.py", line 159, in wrapper\n return func(*args, **kwargs)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: can only concatenate str (not "NoneType") to str\n". See splunkd.log for more details.

02-26-2021 10:34:24.160 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 352, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 386, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/credentials.py", line 290, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/utils.py", line 159, in wrapper\n return func(*args, **kwargs)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: can only concatenate str (not "NoneType") to str\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/pack/splunk/lib/python3.7/site-packages/splunk/admin.py", line 148, in __init__\n hand.execute(info)\n File "/pack/splunk/lib/python3.7/site-packages/splunk/admin.py", line 634, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunk_aoblib/rest_migration.py", line 39, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 124, in wrapper\n raise RestError(500, traceback.format_exc())\nsplunktaucclib.rest_handler.error.RestError: REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 352, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 386, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/credentials.py", line 290, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/utils.py", line 159, in wrapper\n return func(*args, **kwargs)\n File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: can only concatenate str (not "NoneType") to str\n\n

LetMeR00t commented 3 years ago

Hi @drejoe,

Could you follow the documentation and add at least one account (user + password) in the app? https://github.com/LetMeR00t/TA-thehive-cortex#accounts

See if you have the error again when you restart.

LetMeR00t commented 3 years ago

If you have the same error again, it can come from another problem. If you added a new app (not necessarily this one) to your Splunk instance with a default/local passwords.conf file that contains a password imported from the app itself and not added by you through Splunk, it can cause an issue with the usage of Splunk's password storage. More information here:

https://community.splunk.com/t5/All-Apps-and-Add-ons/CrowdStrike-app-fails-Fail-to-decrypt-the-encrypted-credential/m-p/469486

https://www.gnzlabs.io/gnzlabs-blog/splunk-aes-gcm-decryption-failed/
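The traceback drejoe posted dies in solnlib's `_get_all_passwords`, at the loop that glues chunked storage/passwords stanzas back together, because one chunk's clear_password is None instead of a string. The script below is an added example, not code from TA-thehive-cortex, solnlib, Splunk or anyone in this thread: it reproduces that merge on constructed entries shaped like the storage/passwords REST output, shows that the plain merge raises exactly this TypeError, and then does the same merge defensively so that it names the stanza to remove and re-create. The sample realms and usernames are made up, and the assumption that an undecryptable credential arrives with clear_password = None is mine (it is what the TypeError implies, not something the page states).

```python
"""Spot storage/passwords entries that a solnlib-based TA cannot reassemble.

Added diagnostic example; not code from TA-thehive-cortex, solnlib or Splunk.
It mirrors the chunk-merging loop the traceback points at
(solnlib/credentials.py, _get_all_passwords: clear_password += field_clear[index])
but reports the offending stanza instead of raising TypeError.
Assumptions (not stated on the page): entries are dicts shaped like the
storage/passwords REST output (name, realm, username, clear_password), and a
credential Splunk failed to decrypt arrives with clear_password = None.
"""
import re

# solnlib stores a long secret as several stanzas named
#   <realm>:<user>``splunk_cred_sep``<n>:
# and concatenates them in index order when reading them back.
SEP = "``splunk_cred_sep``"
CHUNK_RE = re.compile(r"(.+)" + re.escape(SEP) + r"(\d+)")


def naive_merge(chunks):
    """The merge as the traceback shows it: TypeError when a chunk is None."""
    clear_password = ""
    for index in sorted(chunks):
        clear_password += chunks[index]
    return clear_password


def would_crash(chunks):
    """True when naive_merge() would raise on this chunk set."""
    try:
        naive_merge(chunks)
    except TypeError:
        return True
    return False


def merge_credentials(entries):
    """Group chunked stanzas and merge them defensively.

    Returns (good, broken): good maps stanza name -> clear text; broken lists
    dicts {name, realm, username, chunk, reason} for stanzas the TA would
    either crash on (None chunk) or silently truncate (missing chunk index).
    """
    grouped = {}
    for entry in entries:
        match = CHUNK_RE.match(entry["name"])
        if match:
            name, index = match.group(1) + ":", int(match.group(2))
        else:
            name, index = entry["name"], 1
        slot = grouped.setdefault(name, {
            "realm": entry["realm"],
            "username": entry["username"].split(SEP)[0],
            "chunks": {},
        })
        slot["chunks"][index] = entry.get("clear_password")

    good, broken = {}, []
    for name, slot in sorted(grouped.items()):
        chunks = slot["chunks"]
        problems = [(i, "clear_password is None: Splunk could not decrypt this stanza")
                    for i in sorted(chunks) if not isinstance(chunks[i], str)]
        problems += [(i, "chunk missing: merged secret would be truncated")
                     for i in range(1, max(chunks) + 1) if i not in chunks]
        if problems:
            broken += [{"name": name, "realm": slot["realm"], "username": slot["username"],
                        "chunk": i, "reason": reason} for i, reason in problems]
        else:
            good[name] = naive_merge(chunks)
    return good, broken


# Constructed sample shaped like GET /servicesNS/nobody/<app>/storage/passwords.
SAMPLE_ENTRIES = [
    # a plain, single-stanza credential: fine
    {"name": "thehive:svc_splunk:", "realm": "thehive", "username": "svc_splunk",
     "clear_password": "hive-api-key-ok"},
    # a secret stored as two chunks, both readable: fine
    {"name": "cortex:analyst" + SEP + "1:", "realm": "cortex",
     "username": "analyst" + SEP + "1", "clear_password": "part1-"},
    {"name": "cortex:analyst" + SEP + "2:", "realm": "cortex",
     "username": "analyst" + SEP + "2", "clear_password": "part2"},
    # a passwords.conf shipped inside another app and encrypted with a different
    # splunk.secret: chunk 1 cannot be decrypted, so its clear_password is None
    {"name": "other_app:imported" + SEP + "1:", "realm": "other_app",
     "username": "imported" + SEP + "1", "clear_password": None},
    {"name": "other_app:imported" + SEP + "2:", "realm": "other_app",
     "username": "imported" + SEP + "2", "clear_password": "still-readable"},
]


if __name__ == "__main__":
    good, broken = merge_credentials(SAMPLE_ENTRIES)
    print("usable credentials:", sorted(good))
    for b in broken:
        print("BROKEN {name} (realm={realm}, user={username}) chunk {chunk}: {reason}".format(**b))
```

To use it on a real instance, replace SAMPLE_ENTRIES with the entries returned by the storage/passwords REST endpoint. A reported stanza is the candidate for deletion and re-creation through Splunk, so that it is encrypted with the local instance's splunk.secret rather than the one from the app that shipped it; until that is done, every UCC-based app on the host that lists credentials, this TA included, will hit the same 500.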

drejoe commented 3 years ago

Hi again, you were right - it was a credential that couldn't be decrypted. I fixed the "key" and now I don't have any error 500 issue with TheHive-Cortex anymore :-) Thanks for the fast help. //T