LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[Feature Request] Client Certificate Compatibility #15

Closed tblatrille closed 3 years ago

tblatrille commented 3 years ago

Request Type

Feature Request

Problem Description

The latest version of TA-thehive-cortex does not allow providing a client certificate, as past versions (e.g. TA-thehive) did. The "self-signed certificate of a custom certificate authority" option is not enough for many cases.

Steps to Reproduce

Trying to connect to a TheHive instance which requires a client certificate gives, on the Splunk side: Error: Error: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

Server Side: "POST /api/case/_search?range=all HTTP/1.1" 444 0 "-" "python-requests/2.22.0" "-"

This happens because a proper client certificate cannot be provided.

Possible Solutions

A feature that allows providing a client certificate to the app requests to TheHive.

LetMeR00t commented 3 years ago

Hi @tblatrille, could you clarify your request, as I don’t understand what the issue is... Is it concerning the fact that you have a TheHive instance with a certificate signed by an official CA that is not recognized by this app? Thank you

tblatrille commented 3 years ago

Hey @LetMeR00t thanks for your fast reply!

Sorry if my explanation was not entirely clear, I am still quite new to this.

The issue I am facing is that in prior apps such as TA-thehive we were able to provide a client certificate, as in the picture.

[image]

Reading the documentation of this repo I see that:

Certificate Verification: Indicate if the certificate verification is required. If you use an HTTPS connection with a self-signed certificate of a custom certificate authority, you must add your trusted certificate to the "certifi" library. To do so, append your certificate under "$APP_FOLDER$/bin/ta_thehive_cortex/aob_py3/certifi/cacert.pem" (or aobpy2 if you use Python 2.7). Default to True

This type of certificate does not seem to work as it used to with the old app ( https://github.com/remg427/TA-thehive ), which breaks our integration between Splunk and TheHive.

That is why I put it as a feature request, do you think it applies?

Thanks a lot.

LetMeR00t commented 3 years ago

Hi @tblatrille, if I understand correctly what you are asking, you want the ability to connect to an instance using a client certificate (using a proxy, as it’s not handled directly by TheHive) and not a password/API key, isn’t it? (Explained here: https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/certauth.md) Indeed the documentation mentions an HTTPS certificate, but it’s only there to secure the transactions between the app and the instances, not to use it as an authentication method. Thank you

tblatrille commented 3 years ago

Yes, indeed we want the ability to connect using a client certificate. Would be very useful.

Thanks a lot

LetMeR00t commented 3 years ago

I understand what you need. I will work on this and provide you a solution.

LetMeR00t commented 3 years ago

Hi @tblatrille,

I'm currently integrating this feature in this TA. I requested an upgrade to the TheHive4py Github to support this (https://github.com/TheHive-Project/TheHive4py/pull/215).

Thank you for your understanding

LetMeR00t commented 3 years ago

Hi @tblatrille, the latest version of this TA in the "dev" branch is up to date with a proposal for the usage of a client certificate. I've tested it on my side and it's working. It's not documented yet, but if you want to test it, install the app from the dev branch and, when you add your new instance, you will have a "client certificate" input to fill with the name of a PEM file located under the "local" folder of the TA (put the PEM in the "local" folder and just indicate the name of the file in the input). It also contains an unstable version of proxy usage, so I hope for you that you are not using one :) Let me know if you need help.
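The dev-branch design above takes a bare PEM file name and looks it up under the TA's "local" folder. Below is an added example of how a practitioner might wire that configuration into the keyword arguments that the requests library takes for client-certificate (mTLS) authentication. It is not the TA's own code: the configuration keys (client_certificate, certificate_verification, ca_bundle), the helper names and the rule that the input must be a bare file name are assumptions made here, and the PEM content in demo() is a constructed placeholder, not a real key pair.

```python
"""Added example (not TA-thehive-cortex code): turn an instance configuration
that names a PEM file under the TA's local folder into requests' cert/verify
keyword arguments, refusing inputs that would read a file outside that folder.

Assumptions (not from the issue thread): the configuration keys, the helper
names, and the rule that the value is a bare *.pem file name, not a path.
"""
import os
import re
import tempfile

# Bare file name only: letters, digits, dot, dash, underscore, ending in .pem
_PEM_NAME = re.compile(r"^[A-Za-z0-9._-]+\.pem$")


def resolve_client_cert(local_dir, name):
    """Map the configured file name to a path directly under local_dir.

    Directory separators and ".." are rejected by the pattern, and the
    realpath check also refuses a symlink that escapes the folder, so a
    configuration value cannot point the TA at an arbitrary file on the
    search head (another app's passwords.conf, a system private key).
    """
    if not _PEM_NAME.match(name):
        raise ValueError("client certificate must be a bare *.pem file name")
    path = os.path.join(local_dir, name)
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(local_dir):
        raise ValueError("client certificate must live directly under the local folder")
    with open(path, "rb") as fh:          # raises FileNotFoundError if absent
        data = fh.read()
    # With a single path, requests expects one PEM holding both the
    # certificate and its (unencrypted) private key; check both are present.
    if b"-----BEGIN CERTIFICATE-----" not in data:
        raise ValueError("PEM does not contain a certificate block")
    if b"PRIVATE KEY-----" not in data:
        raise ValueError("PEM does not contain a private key block")
    return path


def build_tls_kwargs(config, local_dir):
    """Return {"cert": ..., "verify": ...} suitable for requests.Session.get()."""
    kwargs = {}
    name = config.get("client_certificate")
    if name:
        kwargs["cert"] = resolve_client_cert(local_dir, name)
    verify = bool(config.get("certificate_verification", True))
    ca_bundle = config.get("ca_bundle")    # optional path to a custom CA file
    kwargs["verify"] = ca_bundle if (verify and ca_bundle) else verify
    return kwargs


def demo():
    """Constructed demo: a placeholder PEM in a temporary 'local' folder,
    one accepted configuration and several rejected file names."""
    results = {}
    with tempfile.TemporaryDirectory() as local_dir:
        placeholder_pem = (
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
            b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
        )
        with open(os.path.join(local_dir, "thehive-client.pem"), "wb") as fh:
            fh.write(placeholder_pem)
        config = {"client_certificate": "thehive-client.pem",
                  "certificate_verification": True}
        kw = build_tls_kwargs(config, local_dir)
        results["cert_ok"] = kw["cert"].endswith("thehive-client.pem") and kw["verify"] is True
        for bad in ("../passwords.conf", "/etc/ssl/private/key.pem", "missing.pem", "cert.txt"):
            try:
                resolve_client_cert(local_dir, bad)
                results[bad] = "accepted"
            except (ValueError, FileNotFoundError):
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The returned dictionary is meant to be spread into the call, e.g. `session.get(url, **build_tls_kwargs(config, local_dir))`; requests also accepts a `(cert_path, key_path)` tuple for `cert` if the certificate and key are kept in separate files.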

tblatrille commented 3 years ago

Hey @LetMeR00t, thanks for the new update! We are trying to use it right now but unfortunately, after completing all the inputs, it does not seem to add the instance. [image] Could that mean that the file was not found in the path, or a similar issue?

We are not very sure why this would happen, but anyway we will restart Splunk in a couple of hours and see if it might be related to that.

Thanks a lot!

LetMeR00t commented 3 years ago

Hi @tblatrille, it's my fault, I forgot to change some values in this dashboard. I've just pushed a new version with a fix on the dev branch, could you test it please? Thank you

tblatrille commented 3 years ago

The instance gets added correctly, and in the Nginx access logs of TheHive we see that requests get status code 200, which is great progress! But when trying to use the app to retrieve cases I can see an error code. I am not sure whether this is related to our instance of TheHive or to the TA-thehive app, but we will keep looking into it. [image]

LetMeR00t commented 3 years ago

Hi, could you enable the debug mode in the app and see what the issue is? To do so, you can open the search and check the search.log file to see the output. If you need help with this file, don’t hesitate to forward it to letmer00t@gmail.com (do not paste it here unless you remove all sensitive information)

tblatrille commented 3 years ago

Hi @LetMeR00t,

Looking at the logs we realized that some queries work completely fine while others give errors. The difference we discovered was in the custom fields and their values. With cases that had in their custom fields something like: {'timeWeReceived': {'date': XXX, 'order': 5}, 'timeIssue': {'date': XXX, 'order': 3}} the query would finish completely fine.

While with cases that had in their custom fields something like: {'timeWeReceived': {'date': XXX, 'order': 5}, 'timeIssue': {'date': None, 'order': 3}} the query would give an error of this type:

ERROR ScriptRunner - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py XXX': File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py", line 110, in <module>

ERROR ScriptRunner - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py XXX': event["thehive_case_customFields"][cf][cftype] = time.strftime("%c %z",time.gmtime(int(event["thehive_case_customFields"][cf][cftype])/1000))

ERROR ScriptRunner - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py XXX': TypeError: int() argument must be a string, a bytes-like object or a number, not 'NoneType'

ERROR script - XXXXXX External search command 'thehivecases' returned error

This seems to be related to the fact that one of these dates is None and int() won't work on it.

Best regards,

Tomas
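The traceback above shows thehive_search_cases.py calling int() on a custom-field date that TheHive returned as None, so one empty date field aborted the whole search. The following is an added example, not the TA's own code or its eventual fix, of converting custom-field 'date' values (epoch milliseconds) while tolerating None, missing keys, non-numeric values and out-of-range timestamps. The field names and sample values are constructed for illustration; the default output format mirrors the "%c %z" pattern seen in the traceback.

```python
"""Added example (not TA-thehive-cortex code): format TheHive custom-field
dates without failing the search when a date field is empty (None).

Custom fields arrive as {name: {'<type>': value, 'order': n}}; for 'date'
fields the value is epoch milliseconds, or None when never filled in.
Sample events below are constructed, not real TheHive data.
"""
import time


def format_custom_field_dates(custom_fields, fmt="%c %z"):
    """Return a copy of custom_fields with every numeric 'date' rendered as a
    UTC string. None, strings and unexpected shapes are passed through
    untouched instead of raising, so one odd case cannot abort the command."""
    out = {}
    for name, field in custom_fields.items():
        if not isinstance(field, dict):
            out[name] = field                  # unexpected shape: keep as-is
            continue
        field = dict(field)                    # do not mutate the caller's event
        raw = field.get("date")
        # bool is an int subclass in Python; exclude it explicitly
        if isinstance(raw, bool) or not isinstance(raw, (int, float)):
            out[name] = field                  # None or non-numeric: leave alone
            continue
        try:
            field["date"] = time.strftime(fmt, time.gmtime(raw / 1000))
        except (OverflowError, OSError, ValueError):
            pass                               # absurd timestamp: keep raw value
        out[name] = field
    return out


def enrich_events(events, fmt="%c %z"):
    """Apply the conversion to the thehive_case_customFields key of each event,
    mirroring the key name used by the search command in the traceback."""
    enriched = []
    for event in events:
        event = dict(event)
        cfs = event.get("thehive_case_customFields")
        if isinstance(cfs, dict):
            event["thehive_case_customFields"] = format_custom_field_dates(cfs, fmt)
        enriched.append(event)
    return enriched


# Constructed sample: one fully populated case, one with an empty date field
SAMPLE_EVENTS = [
    {"thehive_case_id": "case-1",
     "thehive_case_customFields": {
         "timeWeReceived": {"date": 1600000000000, "order": 5},
         "timeIssue": {"date": 1600003600000, "order": 3}}},
    {"thehive_case_id": "case-2",
     "thehive_case_customFields": {
         "timeWeReceived": {"date": 1600000000000, "order": 5},
         "timeIssue": {"date": None, "order": 3},
         "severityNote": {"string": "manual review", "order": 1}}},
]


if __name__ == "__main__":
    for ev in enrich_events(SAMPLE_EVENTS):
        print(ev["thehive_case_id"], ev["thehive_case_customFields"])
```

Passing an explicit fmt such as "%Y-%m-%dT%H:%M:%SZ" gives locale-independent output, which is easier to parse downstream in Splunk than the "%c %z" form.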

LetMeR00t commented 3 years ago

You’re completely right. I will take a look at this part of the code to see how we can handle that. I assume that the main purpose of this issue is now solved with the provided fix ?

LetMeR00t commented 3 years ago

Hi, FYI, I successfully reproduced this error on my side. I will work on this this morning.

LetMeR00t commented 3 years ago

Hi again, I pushed a fix on the dev branch. Could you confirm that this is a good solution for you and this issue could be closed ? Thank you

tblatrille commented 3 years ago

Hi @LetMeR00t, Working well right now. Yes, this issue should be closed!

Thanks a lot,

Tomas

LetMeR00t commented 3 years ago

The complete fix will be available in the next version, which will be officially released soon :) Thank you