Open BannersSecret opened 3 years ago
Hello, I've just tested the application and everything was fine. One of the issues could be the MISP URL; can you please double-check that you set it properly? For example, this was my application configuration:
Hi dadokkio,
Thanks for coming back to me. My config screen layout looks a little different to yours, however the settings appear to be correct. I can successfully use the MISP analyzer to query IP addresses and domains, but hashes fail with the error above.
I originally raised this on the MISP Git, and their response was as follows:
"For me it looks like a bug in the Cortex script, because it queries the /events/restSearch endpoint, but the query looks like it should go to /attributes/restSearch. So I would recommend that you open an issue in the https://github.com/TheHive-Project/Cortex-Analyzers repo."
By the way, here's a screenshot of my MISP analyzer config screen, in case I am using the wrong version, etc.
I'm not able to reproduce the issue. I tried both md5 and sha1 without any issue. Regarding the event/attribute search, I think the search is OK: you want to count the number of events with particular attributes.
Strange. As an example, I have tried the following hash: fd77b5dd0ca45d110a897d650e9fb146d4b4aae5
By searching directly in MISP, I only get two events.
Interestingly, I get the same error on my test environment too.
Is there anything in the error which you can use to point me in the right direction?
Describe the bug
When I execute an analyzer job to search MISP for file hashes, I get the following error:
When submitting the hash, I receive the following error:
Request headers:
{'User-Agent': 'PyMISP 2.4.134 - Python 3.6', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Cookie': 'MISP-ba7f1640-8e16-48b3-8761-e21906a9d5a5=7mjnurnjj6nv6frhe2nvkh1q6b', 'Content-Length': '661', 'Authorization': '[REDACTED]', 'content-type': 'application/json'}
Request body:
{"returnFormat": "json", "value": "fd77b5dd0ca45d110a897d650e9fb146d4b4aae5", "type": ["md5", "sha1", "sha256", "ssdeep", "sha224", "sha384", "sha512", "sha512/224", "sha512/256", "tlsh", "authentihash", "filename|md5", "filename|sha1", "filename|sha256", "filename|ssdeep", "filename|sha224", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|tlsh", "filename|authentihash"], "withAttachments": 0, "metadata": 0, "enforceWarninglist": 0, "includeEventUuid": 0, "includeEventTags": 0, "sgReferenceOnly": 0, "includeContext": 0, "headerless": 0, "includeSightings": 0, "includeDecayScore": 0, "includeCorrelations": 0}
Response (if any):
{"name":"An Internal Error Has Occurred.","message":"An Internal Error Has Occurred.","url":"/events/restSearch"}
Traceback (most recent call last):
  File "/opt/Cortex-Analyzers/analyzers/MISP/misp.py", line 80, in <module>
    MISPAnalyzer().run()
  File "/opt/Cortex-Analyzers/analyzers/MISP/misp.py", line 60, in run
    response = self.misp.search_hash(self.get_data())
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 252, in search_hash
    return self.__search(type_attribute=self.misphashtypes(), value=searchterm)
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 225, in search
    misp_response = connection.search(type_attribute=type_attribute, value=value)
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 2050, in search
    normalized_response = self._check_json_response(response)
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 2943, in _check_json_response
    r = self._check_response(response, expect_json=True)
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 2952, in _check_response
    raise MISPServerError(f'Error code 500:\n{response.text}')
pymisp.exceptions.MISPServerError: Error code 500:
{"name":"An Internal Error Has Occurred.","message":"An Internal Error Has Occurred.","url":"/events/restSearch"}
Weirdly, I am able to successfully submit IPs and domains for analysis against MISP.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Submit file hash for analysis via the MISP Cortex analyzer and receive results.
Work environment