LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

Source Ref Too Long -> Unexpected error: BadRequest #70

Closed kwizzz closed 8 months ago

kwizzz commented 10 months ago

When I switch from ES Mode to Alert Mode, some additional string is added to sourceRef:

```python
sourceRef = "SPLUNK_JOB:" + helper.sid + newSource
sourceRef = "SPLUNK_JOB:" + helper.sid + alert_reference_time
```

(see code starting at https://github.com/LetMeR00t/TA-thehive-cortex/blob/597445b60ba2372f97c4076f3c8e24a8590f530f/TA-thehive-cortex/bin/ta_thehive_cortex/modalert_thehive_common.py#L166C10-L166C10)

This regularly results in an Unexpected error: BadRequest, as the string length is greater than 128

```text
...
(!isEmpty(SPLUNK_JOB:<too long string>) && (!143 < 0) && (!143 > 128))
...
```

(143 is the string length of SPLUNK_JOB:<too long string>)

Especially newSource can be a string of arbitrary length, but most of the time alert_reference_time causes the length > 128 characters error.
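One way to keep the sourceRef inside TheHive's 128-character limit while staying deterministic, as an added example that is not the add-on's own code: the `PREFIX`, `MAX_SOURCE_REF_LEN` constant, the function names and the digest-based shortening are assumptions for this illustration.

```python
import hashlib

# TheHive rejects sourceRef values longer than this (the 128 in the
# BadRequest message above); assumed as a constant for this example.
MAX_SOURCE_REF_LEN = 128
PREFIX = "SPLUNK_JOB:"


def source_ref_is_valid(ref: str) -> bool:
    """Mirror the server-side check quoted in the error message:
    the value must be non-empty and at most 128 characters."""
    return bool(ref) and 0 < len(ref) <= MAX_SOURCE_REF_LEN


def build_source_ref(sid: str, suffix: str,
                     max_len: int = MAX_SOURCE_REF_LEN) -> str:
    """Build the alert sourceRef and keep it within TheHive's limit.

    Short references are returned unchanged (the same value the add-on
    builds today). When the full value would exceed max_len, the tail is
    replaced by a fixed-length digest of the full value, so the result
    stays deterministic and still distinguishes different (sid, suffix)
    pairs even when the suffix has arbitrary length.
    """
    full = f"{PREFIX}{sid}{suffix}"
    if len(full) <= max_len:
        return full
    # 16 hex characters of SHA-256 are enough to tell references apart in
    # practice while leaving a readable head of the original value.
    digest = hashlib.sha256(full.encode("utf-8")).hexdigest()[:16]
    head_len = max_len - len(digest) - 1  # one char for the "-" separator
    return f"{full[:head_len]}-{digest}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Splunk instance.
    sid = "scheduler__admin__search__RMD5abc_at_1700000000_123"
    print(build_source_ref(sid, "2024-01-01T00:00:00.000+0000"))
    print(build_source_ref(sid, "x" * 200))
```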

LetMeR00t commented 10 months ago

Hi, thank you for your submission. I’ll take a look to find a more suitable solution for the next release.

LetMeR00t commented 8 months ago

Hi,

A new version (v3.1) is available and fixes your issue.

Thank you