Open garanews opened 3 years ago
After a lengthy debug session, it looks like this is what is happening:
The export of a case containing a sample calls upload_sample on MISP and transmits the b64 encoded sample in a JSON, with a chunked POST query. The chunked requests however don't contain the chunk_size information in the headers, which causes MISPs being served via FastCGI / PHP-FPM to drop the message and the transfer.
MISP instances running mod_php will not be affected. Setting the chunk size headers would make the request compliant with the RFC parsing strategy (https://tools.ietf.org/html/rfc2616#section-19.4.6).
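The chunked framing discussed in the comment above, as an added example that is not part of the original thread and is not TheHive or MISP code: a strict decoder that follows the decoding loop in RFC 2616 section 19.4.6, run over a constructed JSON payload. The function names, the payload fields and the shape of the non-compliant body (sent with no chunk-size lines) are assumptions.

```python
import base64
import json

HEX = b"0123456789abcdefABCDEF"


class ChunkedDecodeError(ValueError):
    """Body does not follow the chunked framing grammar."""


def encode_chunked(body: bytes, chunk_len: int = 16) -> bytes:
    """Frame body as <hex size>CRLF<data>CRLF ... then 0CRLF CRLF."""
    out = bytearray()
    for i in range(0, len(body), chunk_len):
        piece = body[i:i + chunk_len]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out) + b"0\r\n\r\n"


def decode_chunked(raw: bytes) -> bytes:
    """Strictly decode a chunked body; raise if a size line is absent or bad."""
    body, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedDecodeError("no CRLF-terminated chunk-size line")
        size_field = raw[pos:eol].split(b";", 1)[0].strip()  # ignore extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ChunkedDecodeError("chunk size is not hexadecimal")
        size, pos = int(size_field, 16), eol + 2
        if size == 0:  # last-chunk: optional trailers, then a closing CRLF
            if not raw[pos:].endswith(b"\r\n"):
                raise ChunkedDecodeError("missing final CRLF")
            return bytes(body)
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedDecodeError("chunk data truncated or not CRLF-terminated")
        body += raw[pos:pos + size]
        pos += size + 2


# Constructed sample: JSON carrying a base64 file (field names are illustrative,
# not MISP's upload_sample schema).
PAYLOAD = json.dumps({"filename": "sample.bin",
                      "data": base64.b64encode(b"constructed bytes").decode()}).encode()


def check(raw: bytes) -> str:
    """Return 'ok' or the reason a strict parser would drop the body."""
    try:
        decode_chunked(raw)
        return "ok"
    except ChunkedDecodeError as exc:
        return str(exc)
```

`check(encode_chunked(PAYLOAD))` returns `ok`, while `check(PAYLOAD)` reports the missing size line, which is the class of failure a strict receiver turns into a dropped request.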
Sounds like a small change on our side? @To-om
@garanews don't be lazy and install mod_php :D
I'm joking :)
I have 2 MISP (2.4.120) servers installed on 2 different machines (same OS) with 2 different methods (with script and with rpm package). The issue is that exporting a case with an observable file from The Hive to the MISP 2.4.120 installed with script causes the creation of an event in MISP without the file as an attribute. Exporting any other observable type (domain, ip, etc.) works correctly: the event is created in MISP with the right attributes. Pointing the same The Hive instance to the second MISP, with the same version 2.4.120 but installed with rpm package, the export of a case containing an observable file works as expected.
OS: Red Hat Enterprise Linux Server release 7.9 (Maipo)
kernel: 3.10.0-1160.el7.x86_64
TheHive version: 4.0.5-1 (installed with rpm)

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo)
kernel: 3.10.0-1160.el7.x86_64
MISP1 installed with script (https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh)

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo)
kernel: 3.10.0-1160.el7.x86_64
MISP2 installed with rpm (https://github.com/amuehlem/MISP-RPM)
The Hive logs
MISP logs