malformed query sent to solr

[jjguy]

from /var/log/cb/solr/debug.log:

36555   params={facet.range={!ex%3Dhost_count}host_count&facet.range={!ex%3Dalliance_score_virustotal}alliance_score_virustotal&facet.range={!ex%3Dserver_added_timestamp}server_added_timestamp&facet.range={!ex%3Ddigsig_sign_time}digsig_sign_time&facet.field={!ex%3Ddigsig_result}digsig_result&facet.field={!ex%3Ddigsig_publisher_facet}digsig_publisher_facet&facet.field={!ex%3Dcompany_name_facet}company_name_facet&facet.field={!ex%3Dfile_version_facet}file_version_facet&facet.field={!ex%3Dproduct_name_facet}product_name_facet&facet.field={!ex%3Dobserved_filename_facet}observed_filename_facet&facet.field={!ex%3Dgroup}group&facet.field={!ex%3Dhostname}hostname&start=0&f.alliance_score_virustotal.facet.range.start=0&sort=server_added_timestamp+asc&rows=10&q=server_added_timestamp:[2016-08-11T03:02:25Z+TO+*]+%26%26+!(md5:ALLIANCE_SCORE_YARA+||+digsig_result:Alliance_Score_Yara+||+digsig_publisher:alliance_score_yara+||+digsig_prog_name:alliance_score_yara+||+digsig_issuer:alliance_score_yara+||+digsig_subject:alliance_score_yara+||+observed_filename:alliance_score_yara+||+internal_name:alliance_score_yara+||+original_filename:alliance_score_yara+||+company_name:alliance_score_yara+||+product_name:alliance_score_yara+||+file_desc:alliance_score_yara+||+product_desc:alliance_score_yara+||+product_version:alliance_score_yara+||+file_version:alliance_score_yara+||+legal_trademark:alliance_score_yara+||+legal_copyright:alliance_score_yara+||+comments:alliance_score_yara+||+special_build:alliance_score_yara+||+private_build:alliance_score_yara+||+hostname:alliance_score_yara+||+group:alliance_score_yara)&facet.limit=200&f.alliance_score_virustotal.facet.range.gap=1&facet.fuzzy=true&f.server_added_timestamp.facet.range.gap=%2B1DAY&f.digsig_sign_time.facet.range.end=NOW&f.host_count.facet.range.start=0&f.host_count.facet.range.end=675&facet.threads=1&facet.mincount=1&f.digsig_sign_time.facet.range.gap=%2B1MONTH&f.server_added_timestamp.facet.range.end=NOW&wt=json&facet=true&f.host_count.facet.range.gap=14&f.alliance_score_virustotal.facet.range.end=47&f.server_added_timestamp.facet.range.start=NOW/DAY-30DAYS&f.digsig_sign_time.facet.range.start=NOW/MONTH-60MONTHS}

alliance_score_yara is expanded across all default fields in the cbmodules core. that indicates a syntax error in the query where alliance_score_yara was treated as a value vs. a field to search.

[jjguy]

yara connector logs:

2016-08-11 03:04:32,254: logging: INFO: synchronizing feed: yara
2016-08-11 03:04:37,067: werkzeug: INFO: 127.0.0.1 - - [11/Aug/2016 03:04:37] "GET /feed.json?start_time=1470323774&server_token=xxx HTTP/1.1" 200 -
2016-08-11 03:04:47,567: logging: INFO: synchronizing feed: yara
2016-08-11 03:04:52,172: werkzeug: INFO: 127.0.0.1 - - [11/Aug/2016 03:04:52] "GET /feed.json?start_time=1470323774&server_token=xxx HTTP/1.1" 200 -
2016-08-11 03:05:02,795: logging: INFO: synchronizing feed: yara
2016-08-11 03:05:07,645: werkzeug: INFO: 127.0.0.1 - - [11/Aug/2016 03:05:07] "GET /feed.json?start_time=1470323774&server_token=xxx HTTP/1.1" 200 -
2016-08-11 03:11:09,436: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:12:39,623: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:14:10,239: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:15:40,373: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:16:30,193: requests.packages.urllib3: INFO: Resetting dropped connection: xxx.my.carbonblack.io
2016-08-11 03:17:10,427: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:17:30,398: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 1200.000000 seconds and retrying.
2016-08-11 03:37:32,979: requests.packages.urllib3: INFO: Resetting dropped connection: xxx.my.carbonblack.io
2016-08-11 03:44:10,620: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:46:38,080: werkzeug: INFO: 127.0.0.1 - - [11/Aug/2016 03:46:38] "GET /feed.json?start_time=1470323774&server_token=xxx HTTP/1.1" 200 -
2016-08-11 03:46:58,031: cbint.utils.detonation: ERROR: Error during binary enumeration: 504 Server Error: Gateway Time-out. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:56:02,810: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.
2016-08-11 03:57:39,981: cbint.utils.detonation: ERROR: Error during binary enumeration: 500 Server Error: INTERNAL SERVER ERROR. Sleeping for 30.000000 seconds and retrying.

[jjguy]

config:

[bridge]

;
; core configuration options
;

;
; listener_port
; port to listen for incoming feed requests
;
listener_port=7000

;
; listener_address
; ipv4 address to listen; defaults to 127.0.0.1
; 0.0.0.0 binds to all interfaces
;
listener_address=127.0.0.1

;
; yara_rule_directory
; directory where yara rules live.
;
yara_rule_directory=/usr/share/cb/integrations/yara/example_rules

;
; Carbon Black Enterprise Server options
;

;
; Carbon Black Enterprise Server URL
;
carbonblack_server_url=https://xxx.my.carbonblack.io

;
; Carbon Black Enterprise Server API Token
;
carbonblack_server_token=xxx

;
; Carbon Black Enterprise Server SSL Verfication
;
carbonblack_server_sslverify=1

;
; debugging options
;

; debug
; enables various debug output
;
debug=1