csirtgadgets / massive-octo-spice

DEPRECATED - USE v3 (bearded-avenger)
https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki
GNU Lesser General Public License v3.0

cif-worker: Not a SCALAR reference at ...Net/Abuse/Utils.pm #401

giovino closed 8 years ago

giovino commented 8 years ago
massive-octo-spice$ bash src/bin/version.sh -p
2.00.00-rc.13-1-g898e538

Seen this error ~219 times between 2016-04-24T07:22:03 - 2016-04-25T04:23:33.

$ tail /var/log/cif-worker.log

...
[2016-04-25T04:30:32,048Z][26954][ERROR]: Not a SCALAR reference at /usr/local/share/perl/5.18.2/Net/Abuse/Utils.pm line 159.
[2016-04-25T04:30:32,048Z][26954][ERROR]: $VAR1 = '{
   "portlist" : null,
   "@version" : 2,
   "tags" : [
      "suspicious",
      "rdata"
   ],
   "@timestamp" : "2016-04-25T13:25:36.620Z",
   "protocol" : -1,
   "firsttime" : "2016-04-25T13:25:36Z",
   "otype" : "fqdn",
   "id" : "ed5a037cb0b112764eb945de3441498622767d6cdf2341af5ba75b531ebad89a",
   "rtype" : "NS",
   "tlp" : "green",
   "altid" : "http://www.spamhaus.org/query/dbl?domain=kdrccwnansnan.com",
   "related" : "2224ec4f282e973bab3acc781970a438de05339e11f42ac9e1cfa8488e3f17c9",
   "altid_tlp" : "green",
   "lang" : "EN",
   "rdata" : "kdrccwnansnan.com",
   "group" : [
      "everyone"
   ],
   "provider" : "spamhaus.org",
   "reporttime" : "2016-04-25T13:25:36Z",
   "lasttime" : "2016-04-25T13:25:36Z",
   "observable" : "dns2.registrar-servers.com",
   "application" : "dns",
   "confidence" : 35
}
';
wesyoung commented 8 years ago

do you know what ver of Net::Abuse::Utils you have installed?

giovino commented 8 years ago
$ cpan -D Net::Abuse::Utils

CPAN: Storable loaded ok (v2.41)
Reading '/home/xxx/.cpan/Metadata'
  Database was generated on Mon, 25 Apr 2016 17:17:02 GMT
Net::Abuse::Utils
-------------------------------------------------------------------------
    CPAN: Module::CoreList loaded ok (v3.03)
(no description)
    M/MI/MIKEGRB/Net-Abuse-Utils-0.24.tar.gz
    /usr/local/share/perl/5.18.2/Net/Abuse/Utils.pm
    Installed: 0.24
    CPAN:      0.24  up to date
    Michael Greb (MIKEGRB)
    michael@thegrebs.com
wesyoung commented 8 years ago
bender:~ wes$ tc 216.87.155.0
AS      | IP               | AS Name
36619   | 216.87.155.0     | CGTLD - VeriSign Global Registry Services, US
36624   | 216.87.155.0     | GGTLD - VeriSign Global Registry Services, US
36625   | 216.87.155.0     | KGTLD - VeriSign Global Registry Services, US
36628   | 216.87.155.0     | LGTLD - VeriSign Global Registry Services, US
36632   | 216.87.155.0     | XGTLD - VeriSign Global Registry Services, US

think this is an upstream mis-handling, closing and moving upstream.

giovino commented 8 years ago

re-opening for visibility.

villain commented 8 years ago

any idea when this one is expected to be fixed?

wesyoung commented 8 years ago

https://github.com/mikegrb/Net-Abuse-Utils/pull/24

wesyoung commented 8 years ago

see if @mikegrb can cut a release sometime soon...

coonsmatthew commented 8 years ago

I'm guessing this also affects observables submitted via the Chrome CIF plugin? I've noticed that some observables I try to enter are not getting into the database and I noticed this error in the cif-worker log.

wesyoung commented 8 years ago

it's possible. do you have some examples we can test and verify? i may need to fork that repo and point the installer at a local version.

on your local instance, try something like:

$ sudo cpanm https://github.com/csirtgadgets/Net-Abuse-Utils/archive/master.tar.gz

and lmk if that solves it? (make sure to re-load all cif-services stuff, or boot the box, whichever's easier)