TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Issue exporting observables file to MISP (installed with script) #1873

Open garanews opened 3 years ago

garanews commented 3 years ago

I have 2 MISP (2.4.120) servers installed on 2 different machines (same OS) with 2 different methods (with script and with rpm package). The issue is that exporting a case with an observable file from The Hive to the MISP 2.4.120 installed with the script causes the creation of an event in MISP without the file as an attribute. Exporting any other observable type (domain, ip, etc.) works correctly: the event is created in MISP with the right attributes. Pointing the same The Hive instance to the second MISP with the same version 2.4.120 but installed with the rpm package, the export of a case containing an observable file works as expected.

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo) kernel: 3.10.0-1160.el7.x86_64 TheHive version: 4.0.5-1 (installed with rpm)

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo) kernel: 3.10.0-1160.el7.x86_64 MISP1 installed with script (https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh)

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo) kernel: 3.10.0-1160.el7.x86_64 MISP2 installed with rpm (https://github.com/amuehlem/MISP-RPM)


The Hive logs

2021-03-23 14:47:40,216 [INFO] from org.thp.thehive.connector.misp.services.MispExportSrv in application-akka.actor.default-dispatcher-10 [00000033|] Exporting case 3 to MISP MISP01
2021-03-23 14:47:40,580 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-13 [00000033|] 192.168.20.254 POST /api/connector/misp/export/~122884096/MISP01 took 383ms and returned 204 0 bytes
2021-03-23 14:47:40,620 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-16 [00000034|] 192.168.20.254 POST /api/v1/query?name=get-case-~122884096 took 12ms and returned 200
2021-03-23 14:47:40,767 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-16 [00000032|] 192.168.20.254 GET /api/stream/IdNq44K6UKaj3du7wi9e took 18649ms and returned 200 1335 bytes
2021-03-23 14:47:40,829 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 [00000035|] 192.168.20.254 POST /api/v1/query?name=unread-alert-count took 31ms and returned 200 1 bytes


MISP logs

HTTP method: POST
Target: /events
Request body: {"Event":{"date":"2021-03-23","threat_level_id":"2","info":"Case X","published":false,"analysis":"0","distribution":0,"Attribute":[],"Tag":[{"name":"tlp:amber"}],"extends_uuid":"11"}}
add     Event (12): Case X      attribute_count () => (0), proposal_email_lock () => (0), locked () => (0), sighting_timestamp () => (0), disable_correlation () => (0), date () => (2021-03-23), threat_level_id () => (2), info () => (Case X), analysis () => (0), extends_uuid () => (749f34e2-edfe-4626-941a-9c415425edec), user_id () => (1), org_id () => (1), orgc_id () => (1), uuid () => (98a79a08-0a1d-4b12-b6c7-a35da9547c80)


iglocska commented 3 years ago

After a lengthy debug session, it looks like this is what is happening:

The export of a case containing a sample calls upload_sample on MISP and transmits the b64 encoded sample in a JSON, with a chunked POST query. The chunked requests however don't contain the chunk_size information in the headers, which causes MISPs being served via FastCGI / PHP-FPM to drop the message and the transfer.

MISP instances running mod_php will not be affected. Setting the chunk size headers would make the request compliant with the RFC parsing strategy (https://tools.ietf.org/html/rfc2616#section-19.4.6).
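
To make the missing chunk-size framing concrete, the following is an added example (not TheHive's or MISP's own code): it builds an RFC 2616 chunked body around a base64-encoded sample and parses it back with a strict decoder that, like a FastCGI/PHP-FPM front end, rejects a body that is declared chunked but carries no hex size lines. The JSON field names in the constructed upload body are assumed for illustration, not MISP's exact schema.

```python
import base64
import json

CRLF = b"\r\n"


def encode_chunked(payload: bytes, chunk_size: int = 4096) -> bytes:
    """RFC 2616 3.6.1 chunked transfer-coding: each chunk is prefixed by its
    size in hex plus CRLF; the stream ends with a zero-size chunk."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        out += f"{len(chunk):X}".encode("ascii") + CRLF + chunk + CRLF
    out += b"0" + CRLF + CRLF  # last-chunk, no trailers
    return bytes(out)


def decode_chunked(body: bytes) -> bytes:
    """Strict decoder: every chunk must start with a hex size line and end
    with CRLF. A body declared chunked but without size lines (the situation
    in this issue) raises ValueError instead of being accepted."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk-ext
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk-size line: {body[pos:end]!r}") from None
        pos = end + 2
        if size == 0:
            return bytes(out)  # trailers, if any, are not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def sample_upload_body(filename: str, data: bytes) -> bytes:
    """Constructed JSON carrying a base64-encoded sample, in the spirit of
    the upload_sample request (field names are illustrative, not MISP's)."""
    doc = {"files": [{"filename": filename,
                      "data": base64.b64encode(data).decode("ascii")}]}
    return json.dumps(doc).encode("ascii")
```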

nadouani commented 3 years ago

Sounds like a small change on our side? @To-om

nadouani commented 3 years ago

@garanews don't be lazy and install mod_php :D

I'm joking :)