TheHive-Project / Cortex

Cortex: a Powerful Observable Analysis and Active Response Engine
https://thehive-project.org
GNU Affero General Public License v3.0

analyzer 404 errors, worker not found #299

Open smclinden opened 3 years ago

smclinden commented 3 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian 18.04 |
| OS version (client) | |
| Cortex version / git hash | 3.0.1 release |
| Package Type | From source |
| Browser type & version | Any |

Problem Description

Describe the problem/bug as clearly as possible.

Steps to Reproduce

  1. Install Cortex release and add Cortex to TheHive 4 configuration
  2. Install Analyzers with git
  3. Configure analyzers (about 20 are configured with verified UIDs/Keys)
  4. Create case in TheHive, add observables and run Responders

Complementary information

Get repeated errors of the form:


2020-10-02 12:53:48,226 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-32 - GET /api/analyzer/URLhaus_2_0 returned 404 org.elastic4play.NotFoundError: worker URLhaus_2_0 not found
        at org.thp.cortex.services.WorkerSrv.$anonfun$getForOrganization$2(WorkerSrv.scala:83)
        at scala.Option.getOrElse(Option.scala:138)
        at org.thp.cortex.services.WorkerSrv.$anonfun$getForOrganization$1(WorkerSrv.scala:83)
        at scala.util.Success.$anonfun$map$1(Try.scala:255)
        at scala.util.Success.map(Try.scala:213)
        at scala.concurrent.Future.$anonfun$map$1(Future.scala:292)
        at scala.concurrent.impl.Promise.liftedTree1$1(Promise.scala:33)
        at scala.concurrent.impl.Promise.$anonfun$transform$1(Promise.scala:33)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
        at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
        at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
        at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
        at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

spencerprovost commented 3 years ago

Getting the same result.

smclinden commented 3 years ago

Still getting this error. ALL analyzers are failing. I should note that Cortex and TheHive are running on separate systems and using separate instances of Elasticsearch. The Cortex hdfs and Cassandra instances are not available to TheHive (if any of this matters).

The 404 error tells me nothing about what is going on.

2021-05-27 09:47:49,197 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-7 - Authentication failure:
2021-05-27 08:17:21,194 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/FileInfo_8_0 returned 404
2021-05-27 08:17:21,206 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:22,177 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/FalconSandbox_1_0 returned 404
2021-05-27 08:17:22,190 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:23,213 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/HybridAnalysis_GetReport_1_0 returned 404
2021-05-27 08:17:23,224 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-15 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:24,305 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-7 - GET /api/analyzer/Malwares_Scan_1_0 returned 404
2021-05-27 08:17:24,316 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:24,877 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-15 - GET /api/analyzer/Malwares_GetReport_1_0 returned 404
2021-05-27 08:17:24,887 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:25,408 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/MalwareClustering_Search_1_0 returned 404
2021-05-27 08:17:25,418 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/_search returned 404

smclinden commented 3 years ago

More info. The analyzers work fine when run from Cortex, but not when called from TheHive.
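
A triage helper for Cortex log lines in the format quoted in this thread, added here as an example and not part of the issue or of Cortex itself. It counts the 404s per analyzer, separates the `_search` 404s, and collects the timestamps of authentication failures so they can be compared against the failing requests. The function name `triage` and the sample log are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample, reusing the shape of the log lines quoted in this thread.
SAMPLE_LOG = """\
2021-05-27 09:47:49,197 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-7 - Authentication failure:
2021-05-27 08:17:21,194 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/FileInfo_8_0 returned 404
2021-05-27 08:17:21,206 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/_search returned 404
2021-05-27 08:17:22,177 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-9 - GET /api/analyzer/FalconSandbox_1_0 returned 404
2021-05-27 08:17:22,190 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-6 - GET /api/analyzer/_search returned 404
2020-10-02 12:53:48,226 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-32 - GET /api/analyzer/URLhaus_2_0 returned 404 org.elastic4play.NotFoundError: worker URLhaus_2_0 not found
        at org.thp.cortex.services.WorkerSrv.$anonfun$getForOrganization$2(WorkerSrv.scala:83)
"""

# Groups: timestamp, level, logger, message
ENTRY = re.compile(r"^(\S+ \S+) \[(\w+)\] from (\S+) in \S+ - (.*)$")
# Groups: worker kind, worker name (or _search), HTTP status
REQUEST = re.compile(r"^[A-Z]+ /api/(analyzer|responder)/(\S+) returned (\d{3})\b")


def triage(log_text):
    """Summarise worker 404s and authentication failures in a Cortex log."""
    missing = Counter()    # worker name -> number of 404 responses
    search_404 = 0         # 404s on the /_search endpoint
    auth_failures = []     # timestamps of "Authentication failure" entries
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry is None:
            continue       # stack frames and other continuation lines
        timestamp, _level, logger, message = entry.groups()
        if logger.endswith(".Authenticated") and message.startswith("Authentication failure"):
            auth_failures.append(timestamp)
            continue
        request = REQUEST.match(message)
        if request and request.group(3) == "404":
            if request.group(2) == "_search":
                search_404 += 1
            else:
                missing[request.group(2)] += 1
    return {"missing_workers": dict(missing),
            "search_404": search_404,
            "auth_failures": auth_failures}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```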