Closed kittrCZ closed 8 years ago
hiya,
i want to say this may have been fixed in ~RC16 ?
https://github.com/csirtgadgets/massive-octo-spice/releases/tag/2.00.00-rc.16 https://github.com/csirtgadgets/massive-octo-spice/commit/cd046e87aca88e08b04b22658a092ca77de55330
$ cif -d -q http://www.emorybox.com/ny/all/us/help/ios1548/uix/630bddcbf996914f1b1f9f9947565828
2016-06-27 08:35:08,187 - DEBUG - cifsdk.client[94] - uri: https://localhost/observables
2016-06-27 08:35:08,187 - DEBUG - cifsdk.client[95] - params: {"nolog":null,"observable":"http:\/\/www.emorybox.com\/ny\/all\/us\/help\/ios1548\/uix\/630bddcbf996914f1b1f9f9947565828","limit":500,"gzip":1}
2016-06-27 08:35:08,187 - INFO - cifsdk.client[97] - searching...
2016-06-27 08:35:08,295 - INFO - requests.packages.urllib3.connectionpool[735] - Starting new HTTPS connection (1): localhost
2016-06-27 08:35:09,838 - DEBUG - requests.packages.urllib3.connectionpool[383] - "GET /observables?gzip=1&observable=http%3A%2F%2Fwww.emorybox.com%2Fny%2Fall%2Fus%2Fhelp%2Fios1548%2Fuix%2F630bddcbf996914f1b1f9f9947565828&limit=500 HTTP/1.1" 200 7153
2016-06-27 08:35:09,838 - DEBUG - cifsdk.client[101] - status code: 200
...
2016-06-27 08:35:09,839 - INFO - cifsdk.client[416] - returned: 73 records
+---------+----------+----------------------+----------------------+----------------------------------+-------+----+-----+----------+------------+-------------+---------+-------+-------+-----------------------------+----------------------------------+-----------+
| tlp | group | lasttime | reporttime | observable | otype | cc | asn | asn_desc | confidence | description | tags | rdata | rtype | provider | altid | altid_tlp |
+---------+----------+----------------------+----------------------+----------------------------------+-------+----+-----+----------+------------+-------------+---------+-------+-------+-----------------------------+----------------------------------+-----------+
| limited | everyone | 2016-04-16T00:23:58Z | 2016-04-16T00:23:46Z | http://www.emorybox.com/ny/all.. | url | | | | 65 | | malware | | | malwareurls.joxeankoret.com | http://malwareurls.joxeankoret.. | public |
| limited | everyone | 2016-04-17T00:23:28Z | 2016-04-17T00:23:14Z | http://www.emorybox.com/ny/all.. | url | | | | 65 | | malware | | | malwareurls.joxeankoret.com | http://malwareurls.joxeankoret.. | public |
| limited | everyone | 2016-04-18T00:28:34Z | 2016-04-18T00:28:21Z | http://www.emorybox.com/ny/all.. | url | | | | 65 | | malware | | | malwareurls.joxeankoret.com | http://malwareurls.joxeankoret.. | public |
you can see via the -d flag in the python client how the url is getting encoded "so the server recognizes it", mine is a little diff than yours (and we try to normalize it, lower case it, and .rstrip('/') trailing '/').
let me know if RC16 doesn't solve this for you (assuming you're doing the lower(), strip, escaping properly too).
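Added example (not code from the cif/cifsdk project or from anyone in this thread): a small Python check that applies the normalisation the comment above describes (lower-case, strip, drop a trailing '/') and builds the percent-encoded /observables query, so it can be compared against the client's -d debug output. The normalisation rule and the query parameter order are assumptions taken from the comment and the logged GET line; the embedded log line is copied from the session above.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Request line as printed by `cif -d` in the session above (used here as sample input).
LOGGED_REQUEST = ('"GET /observables?gzip=1&observable=http%3A%2F%2Fwww.emorybox.com'
                  '%2Fny%2Fall%2Fus%2Fhelp%2Fios1548%2Fuix%2F630bddcbf996914f1b1f9f9947565828'
                  '&limit=500 HTTP/1.1" 200 7153')


def normalize_url_observable(observable: str) -> str:
    """Assumed normalisation (from the maintainer's comment): the server matches on the
    exact string, so strip whitespace, lower-case, and remove one or more trailing '/'."""
    return observable.strip().lower().rstrip("/")


def build_search_query(observable: str, limit: int = 500, gzip: int = 1) -> str:
    """Build the GET path the debug log shows: observable percent-encoded
    (':' -> %3A, '/' -> %2F), in the order gzip, observable, limit."""
    params = {"gzip": gzip,
              "observable": normalize_url_observable(observable),
              "limit": limit}
    return "/observables?" + urlencode(params)


def observable_from_request_line(line: str) -> str:
    """Recover the decoded observable from a logged request line so that what was
    actually sent can be compared with what the caller intended."""
    path = line.split('"GET ', 1)[1].split(" HTTP/", 1)[0]
    return parse_qs(urlparse(path).query)["observable"][0]


def sent_matches_intended(intended: str, line: str) -> bool:
    """True when the logged request carries exactly the normalised observable."""
    return observable_from_request_line(line) == normalize_url_observable(intended)


if __name__ == "__main__":
    url = "http://www.emorybox.com/ny/all/us/help/ios1548/uix/630bddcbf996914f1b1f9f9947565828"
    print(build_search_query(url))
    print("matches debug log:", sent_matches_intended(url, LOGGED_REQUEST))
```

If the comparison is False, the mismatch is in the client-side normalisation or escaping, not in the server's stored record.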
Hey @wesyoung, so good news! We updated the CIF to the latest version and following cURL is working:
curl -v -XGET -H "Accept: application/vnd.cif.v2+json" -H "Authorization: Token token=x" "http://localhost:5000/observables?q=http://www.emorybox.com/ny/all/us/help/ios1548/uix/630bddcbf996914f1b1f9f9947565828"
Thank you for your help.
Additionally, I have encountered the following error SSL3_GET_SERVER_CERTIFICATE when using the CIF command line tool:
root@cifserver:/etc/cif# cif --token=X -d -q http://www.emorybox.com/ny/all/us/help/ios1548/uix/630bddcbf996914f1b1f9f9947565828
[2016-06-30T13:44:40,404Z][INFO][main:268]: starting up client...
[2016-06-30T13:44:40,404Z][INFO][main:303]: running search...
[2016-06-30T13:44:40,404Z][DEBUG][CIF::SDK::Client:170]: uri created: https://localhost/observables?observable=http://www.emorybox.com/ny/all/us/help/ios1548/uix/630bddcbf996914f1b1f9f9947565828&limit=50000&gzip=1
[2016-06-30T13:44:40,405Z][DEBUG][CIF::SDK::Client:171]: making request...
[2016-06-30T13:44:40,459Z][INFO][CIF::SDK::Client:175]: status: 599
[2016-06-30T13:44:40,459Z][INFO][CIF::SDK::Client:181]: response size: < 1MB
SSL connection failed for localhost: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
at /usr/local/bin/cif line 321.
I believe that it is just a misconfiguration on my side though...
Thanks for the help!
if it's a local TLS cert, try the --no-verify-ssl flag. that should fix it...
(you're very welcome!, cheers!)
Hi,
I also tried to post a message to the mailing list, but I hope I'll be able to find an answer here faster. I have a problem querying otype URL observables by providing the URL in the search query. I have tried several approaches and nothing seems to work. Could someone please help me/advise me on how to query observables by a provided URL.
I'm sure that observable http://cloud02.conquistasc.com/anexo-0029304902940-1.zip?662239604036014079 exists in the elasticache. Examples I tried:
From Elasticache: