TheHive-Project / TheHiveDocs

Documentation of TheHive
https://docs.strangebee.com/
GNU Affero General Public License v3.0

TheHive4 mailer responder issue #197

Open viszsec opened 4 years ago

viszsec commented 4 years ago

Hi guys,

I had issues getting the mailer responder to work as intended. The phish feedback v1.0 also does not work as designed. Has anyone had similar issues, gotten it fixed, and would mind sharing the solution? Help is much appreciated! Thanks

kwouffe commented 4 years ago

Hello,

The issue for us, on a modified version of the mailer responder, was due to the way TheHive4 automatically transforms case tags, from mail:recipient@domain.com to mail="recipient@domain.com".

Because of that, the responder was not able to find the mail address.

https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/responders/Mailer/mailer.py

Has to be replaced by:

regards,

Emilien

viszsec commented 4 years ago

Hi Emilien,

With this replacement, mail_tags = [t[5:].strip('"') for t in tags if t.startswith('mail:') or t.startswith('mail=')]

You got it to work on your end?
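Added example, not part of the original thread or of the Cortex-Analyzers code: a stricter take on the tag handling discussed above, accepting both the `mail:addr` and `mail="addr"` forms and validating the value before it is used as a recipient. The function name `extract_mail_recipients`, the address pattern and the sample tags are assumptions made for illustration.

```python
import re

# Accept both tag forms from this thread: the original 'mail:addr' and the
# 'mail="addr"' form that TheHive4 produces after rewriting the tag.
_MAIL_TAG = re.compile(r'^mail[:=]\s*"?([^"]*)"?\s*$')
# Conservative address shape (assumption: plain addr-spec, no display name).
# Whitespace and control characters are rejected, so a tag value cannot
# carry CR/LF and add extra header lines to the outgoing message.
_ADDR = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+')


def extract_mail_recipients(tags):
    """Return unique, validated recipient addresses found in case tags."""
    recipients = []
    for tag in tags:
        if not isinstance(tag, str):
            continue
        m = _MAIL_TAG.match(tag.strip())
        if not m:
            continue
        addr = m.group(1).strip()
        # fullmatch: the whole value must be an address, nothing trailing.
        if _ADDR.fullmatch(addr) and addr not in recipients:
            recipients.append(addr)
    return recipients


# Constructed sample tags (not taken from a real case).
SAMPLE_TAGS = [
    "phishing",
    "mail:alice@example.com",
    'mail="bob@example.com"',
    'mail="alice@example.com"',                       # duplicate, other form
    'mail="eve@example.com\r\nBcc: x@example.org"',   # CR/LF in the value
    "mailbox:not-a-recipient",                        # different tag name
    "mail=",                                          # empty value
]

if __name__ == "__main__":
    print(extract_mail_recipients(SAMPLE_TAGS))
```
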

kwouffe commented 4 years ago

Yes, it worked for us, but as I said, it is a modified version of the responder. Can you put the full error message from Cortex here?

viszsec commented 4 years ago

I modified it as you advised and got this error. In my case I use a Gmail account to send an email to the recipient, which has already been set.

```
Traceback (most recent call last):
  File "/opt/Cortex-Analyzers/responders/Mailer/mailer.py", line 82, in <module>
    Mailer().run()
  File "/opt/Cortex-Analyzers/responders/Mailer/mailer.py", line 61, in run
    s = smtplib.SMTP(self.smtp_host, self.smtp_port)
  File "/usr/lib/python3.8/smtplib.py", line 253, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib/python3.8/smtplib.py", line 341, in connect
    (code, msg) = self.getreply()
  File "/usr/lib/python3.8/smtplib.py", line 398, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed")
smtplib.SMTPServerDisconnected: Connection unexpectedly closed
```

viszsec commented 4 years ago

> Yes, it worked for us, but as I said, it is a modified version of the responder. Can you put the full error message from Cortex here?

Another one; this one is pretty odd. I set up everything in the config as it is supposed to be and got this error:

Missing auth pass