TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

[Bug] Requirements don't get installed for new responder #1259

Closed Kusko25 closed 3 months ago

Kusko25 commented 5 months ago

I am trying to write a new Responder following the instructions here (http://docs.thehive-project.org/cortex/api/how-to-create-a-responder/) but if I try to run it I get:

    Traceback (most recent call last):
      File "/opt/Custom-Analyzers/responders/Nailer/nailer.py", line 6, in <module>
        from cortexutils.responder import Responder
    ModuleNotFoundError: No module named 'cortexutils'

To Reproduce

Cortex is running in a Docker container with the Responder directory mounted to a Windows filesystem. This is what my filetree looks like:

└── NOKI_Cortex_Responder
    ├── noki_responder.json
    ├── requirements.txt
    ├── responder.py

And the contents of noki_responder.json:

  {
    "name" : "NOKI Reporter",
    "version" : "1.0",
    "author" : "Fraunhofer",
    "url": "TODO",
    "license": "TODO",
    "description": "Prepares a NOKI report and shares it via MISP",
    "dataTypeList": ["thehive:case"],
    "command": "NOKI_Cortex_Responder/responder.py",
    "baseConfig": "noki_responder",
    "config": {
      "misp-url": "http://localhost:8082",
      "misp-key": "LEbYEjTaco9247MpziThmiVc7yJATnOgDdRaneDF"
    },
    "configurationItems": [
      {
        "name": "misp-url",
        "description": "The URL of the MISP instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "misp-key",
        "description": "MISP API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "timeformat",
        "description": "The format of the time in the report (timestamp, iso or as taken by the python strftime function)",
        "type": "string",
        "multi": false,
        "required": true
      }
    ]
  }

I'd expect Cortex to install the requirements from the file and run the Responder (probably still with errors, but at least get past the import statements).

Work environment

nadouani commented 3 months ago

Hi @Kusko25:

Cortex doesn't install the dependencies; you need to install them.

Kusko25 commented 3 months ago

Thanks for the reply. I was trying to run the responder as a process and kind of assumed Cortex would install the requirements at some point when you add the new responder, but did then discover that, as you pointed out, it does not. That of course means that in a Docker version of Cortex, running as a script is almost impossible because it doesn't even ship with pip.

But I have since built the responder as an image and that works fine, so I'll close this issue.

Again, thanks for the reply, had honestly forgotten about it.
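
A preflight check for the situation in this thread, as an added example that is not part of the original discussion or of the Cortex project's code: since Cortex does not install a responder's requirements.txt, this lists the packages from that file that the interpreter cannot find. It assumes the layout shown in the issue (requirements.txt inside the responder directory); the function names and the sample requirement lines are constructed for illustration.

```python
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Distribution name at the start of a requirement line, before extras,
# version specifiers or environment markers.
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def parse_requirements(text):
    """Return the distribution names listed in requirements.txt content."""
    names = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        # Skip blanks, comment lines and pip options such as -r / -e / --hash.
        if not line or line.startswith(("#", "-")):
            continue
        match = _NAME.match(line)
        if match:
            names.append(match.group(0))
    return names


def _installed(name):
    """True if the interpreter running this script can find the distribution."""
    try:
        metadata.version(name)
        return True
    except metadata.PackageNotFoundError:
        return False


def missing_requirements(responder_dir, is_installed=_installed):
    """Names in <responder_dir>/requirements.txt that are absent (no version check)."""
    req = Path(responder_dir) / "requirements.txt"
    if not req.is_file():
        return []
    names = parse_requirements(req.read_text(encoding="utf-8"))
    return [n for n in names if not is_installed(n)]


if __name__ == "__main__":
    # Constructed sample: a responder directory with a two-line requirements.txt.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "requirements.txt").write_text("cortexutils\nrequests>=2.0  # constructed\n")
        print("missing:", missing_requirements(d))
```

Run it with the same interpreter, or inside the same container, that Cortex uses to launch the responder, since that is the environment whose installed packages matter.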