LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Issue with passwords #50

Closed srek3502 closed 1 year ago

srek3502 commented 1 year ago

Request Type

Bug

Work Environment

Question                    Answer
OS version (server)         Splunk Cloud
TheHive version / git hash  Hive Version 4
Add-on version              2.3.1

Problem Description

External search command 'thehivecreate' returned error code 1

Steps to Reproduce

  1. Installed the TheHive-Cortex Add-on
  2. Configured the Add-on with API key information
  3. Integrated Splunk Alert with the Hive custom alert action, but it did not create any Cases or Alert.

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

    05-02-2023 11:57:14.969 INFO ServerConfig [464391 phase_1] - Will add app jailing prefix /opt/splunk/bin/nsjail-wrapper for TA-thehive-cortex
    05-02-2023 11:57:15.396 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': Traceback (most recent call last):
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py", line 25, in <module>
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': (thehive, configuration, defaults, logger) = initialize_thehive_instance(keywords, settings ,logger_name="thehive_create_cases")
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 23, in initialize_thehive_instance
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': return create_thehive_instance(instance_id, settings, logger)
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 31, in create_thehive_instance
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': configuration = Settings(spl, settings, logger)
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 125, in __init__
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': password = self.getAccountPassword(account)
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 150, in getAccountPassword
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': password = str(json.loads(s["clear_password"])["password"])
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/__init__.py", line 348, in loads
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': return _default_decoder.decode(s)
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/decoder.py", line 337, in decode
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/decoder.py", line 353, in raw_decode
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': obj, end = self.scan_once(s, idx)
    05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': json.decoder.JSONDecodeError: Expecting ',' delimiter: line 1 column 256 (char 255)
    05-02-2023 11:57:15.423 ERROR script [464391 phase_1] - SearchMessage orig_component=script sid=1683028634.142701 message_key=EXTERN:SCRIPT_NONZERO_RETURN_%s%d_%s message=External search command 'thehivecreate' returned error code 1.

LetMeR00t commented 1 year ago

Hello @srek3502, thank you for your submission. It seems to be linked to a recent fix provided in the 'develop' branch. If you want, you can directly update this line in your own app code by this new one: https://github.com/LetMeR00t/TA-thehive-cortex/blob/662b56035f32c5069a42bf7b8ac00effe17a1f3d/TA-thehive-cortex/bin/thehive.py#L28

Let me know if it solves your issue or not.

See https://github.com/LetMeR00t/TA-thehive-cortex/compare/main...develop for the complete changes to be pushed as soon as possible on Splunkbase

srek3502 commented 1 year ago

Hi,

I have checked the thehive.py script and it appears that the same line is already updated in the code. I am using the add-on version 2.3.1. Are you referring to this change on the latest 3.x version? Please advise.

    # Initialize settings
    token = settings["sessionKey"] if "sessionKey" in settings else settings["session_key"]
    spl = client.connect(app="TA-thehive-cortex",owner="nobody",token=token)

LetMeR00t commented 1 year ago

Hi, the issue might be elsewhere actually. Could you check this answer and see if the fix is helping you? https://github.com/LetMeR00t/TA-thehive-cortex/issues/48#issuecomment-1532468713

Thank you

srek3502 commented 1 year ago

Hi,

This fix applies for the 3.x version, correct? Does it also apply to 2.3.1? Because I see that the changes are mentioned specifically for 3.x.

If you could provide me the specific changes to be completed for 2.3.1 it would be good. I do have TheHive version 4 and I think it doesn't support the latest version of the add-on, correct?

Thanks,

LetMeR00t commented 1 year ago

Hello @srek3502, the part you see regarding the credential app check on the if could be done on your version without any major impact. If it's complicated for you I can work on a fix in a different branch, but it might take time.

srek3502 commented 1 year ago

Hi,

I have modified the common.py to include the "credential app check". Does it make sense?

BEFORE:

    proxy_clear_password = None
    for credential in self.client.storage_passwords:
        username = credential.content.get('username')
        if 'proxy' in username:
            clear_credentials = credential.content.get('clear_password')
            if 'proxy_password' in clear_credentials:
                proxy_creds = json.loads(clear_credentials)
                proxy_clear_password = str(proxy_creds['proxy_password'])

AFTER:

    proxy_clear_password = None
    for credential in self.client.storage_passwords:
        if credential.access["app"] == "TA-thehive-cortex":      # <=== (Added Line here)
            username = credential.content.get('username')
        if 'proxy' in username:
            clear_credentials = credential.content.get('clear_password')
            if 'proxy_password' in clear_credentials:
                proxy_creds = json.loads(clear_credentials)
                proxy_clear_password = str(proxy_creds['proxy_password'])

LetMeR00t commented 1 year ago

No, the added if should be for all the stuff behind, including the if behind.

Here it's for the proxy password, but it should be done for the password too.

srek3502 commented 1 year ago

Like this ?

    proxy_clear_password = None
    for credential in self.client.storage_passwords:
        if credential.access["app"] == "TA-thehive-cortex":
            username = credential.content.get('username')
            if 'proxy' in username:
                clear_credentials = credential.content.get('clear_password')
                if 'proxy_password' in clear_credentials:
                    proxy_creds = json.loads(clear_credentials)
                    proxy_clear_password = str(proxy_creds['proxy_password'])

Can you please also point out the appropriate block for "password" as well?

LetMeR00t commented 1 year ago

Hello, Sorry for the late answer, so here we are: https://github.com/LetMeR00t/TA-thehive-cortex/blob/9363b2a1e6f91ad9675fc276d0082bee95d560a9/TA-thehive-cortex/bin/common.py#L145

You should use this instead:

    def getAccountPassword(self, account):
        """ Get storage passwords for the account password """
        password = None
        for s in self.client.storage_passwords:
            if account in s['username'] and s.access["app"] == "TA-thehive-cortex" and "password" in s['clear_password']:
                password = str(json.loads(s["clear_password"])["password"])
        return password

I didn't test it but it should work. Let me know if you have any issue.
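
To show why the `s.access["app"]` check matters, here is an added, self-contained example (not the add-on's code and not from either participant) that mocks the Splunk SDK `storage_passwords` collection with a constructed `FakeStoragePassword` class and runs the unfiltered lookup seen in the traceback next to the filtered version above; `FakeStoragePassword`, the sample entries and the function names are assumptions of mine.

```python
import json
from dataclasses import dataclass


@dataclass
class FakeStoragePassword:
    """Constructed stand-in for one splunklib storage_passwords entry: the
    add-on reads s['username'], s['clear_password'] and s.access['app']."""
    username: str
    clear_password: str
    app: str

    def __getitem__(self, key):
        return {"username": self.username, "clear_password": self.clear_password}[key]

    @property
    def access(self):
        return {"app": self.app}


def get_account_password_unfiltered(storage_passwords, account):
    """Lookup as in the traceback: every credential whose username contains
    the account name is json.loads()'d, whichever app stored it."""
    password = None
    for s in storage_passwords:
        if account in s["username"]:
            password = str(json.loads(s["clear_password"])["password"])
    return password


def get_account_password_filtered(storage_passwords, account):
    """Lookup with the fix from this thread: only the add-on's own entries,
    and only payloads mentioning a password field, reach json.loads()."""
    password = None
    for s in storage_passwords:
        if (account in s["username"]
                and s.access["app"] == "TA-thehive-cortex"
                and "password" in s["clear_password"]):
            password = str(json.loads(s["clear_password"])["password"])
    return password


# Constructed sample: the add-on's JSON credential next to another app's plain-string one.
SAMPLE_STORAGE = [
    FakeStoragePassword("thehive_prod", '{"password": "s3cret-api-key"}', "TA-thehive-cortex"),
    FakeStoragePassword("thehive_prod_legacy", "not-json-at-all", "some_other_app"),
]


def lookup_outcome(lookup, storage_passwords, account):
    """Return the password, or 'JSON error' when the lookup crashes on the foreign entry."""
    try:
        return lookup(storage_passwords, account)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return "JSON error"
```

The unfiltered lookup reaches the unrelated app's entry because its username merely contains the account name, and fails exactly where the search.log traceback does; the filtered one returns the add-on's own value.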

srek3502 commented 1 year ago

Hi,

I have modified the add-on with the above mentioned line of code and tried to upload the app in Splunk Cloud, but I am getting the error.

This app is available for installation directly from Splunkbase. To install this app, use the App Browser page in Splunk Web

Thanks,

LetMeR00t commented 1 year ago

Hi, it means that you must install it from Splunkbase, so I need to provide a fix and wait for the cloud vet to let you be able to install it. Honestly it can take up to 2 weeks to have the Splunk vet, so are you sure not to go on TheHive5 soon? I'm not against providing you a fix but you know the delay :)

LetMeR00t commented 1 year ago

Hi, the new version 2.3.2 is available on Splunkbase and provides a fix for this issue. You'll have to wait a little more until Splunk is giving the Cloud Vet. Thank you.