dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0

[BUG] Worker can't run MISP Module #221

Open legoguy1000 opened 1 year ago

legoguy1000 commented 1 year ago

Describe the bug

I have DFIR IRIS 2.0.2 set up, but when I have DFIR query MISP to enrich an IOC the worker errors out.

[2023-04-20 18:19:19,592: INFO/MainProcess] Task app.iris_engine.module_handler.module_handler.task_hook_wrapper[626f012e-f428-441e-9e13-2b6d78d460b5] received
[2023-04-20 18:19:19,598: ERROR/ForkPoolWorker-9] encoding without a string argument
Traceback (most recent call last):
  File "/iriswebapp/app/iris_engine/module_handler/module_handler.py", line 435, in task_hook_wrapper
    is_verified = hmac_verify(signature, pdata)
  File "/iriswebapp/app/util.py", line 723, in hmac_verify
    key = bytes(app.config.get("SECRET_KEY"), "utf-8")
TypeError: encoding without a string argument
[2023-04-20 18:19:19,638: ERROR/ForkPoolWorker-9] Task app.iris_engine.module_handler.module_handler.task_hook_wrapper[626f012e-f428-441e-9e13-2b6d78d460b5] raised unexpected: Exception(TypeError('encoding without a string argument'))
Traceback (most recent call last):
  File "/iriswebapp/app/iris_engine/module_handler/module_handler.py", line 435, in task_hook_wrapper
    is_verified = hmac_verify(signature, pdata)
  File "/iriswebapp/app/util.py", line 723, in hmac_verify
    key = bytes(app.config.get("SECRET_KEY"), "utf-8")
TypeError: encoding without a string argument

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/venv/lib/python3.9/site-packages/celery/app/trace.py", line 451, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/iriswebapp/app/iris_engine/tasker/celery.py", line 33, in __call__
    return self.run(*args, **kwargs)
  File "/iriswebapp/app/iris_engine/module_handler/module_handler.py", line 444, in task_hook_wrapper
    raise Exception(e)
Exception: encoding without a string argument

To Reproduce

Steps to reproduce the behavior:

  1. Setup MISP Module and enable
  2. Add IOC (ip-src)
  3. Enrich IOC with MISP Insights

Expected behavior

DFIR queries MISP and adds results to IOC


Additional context

The error indicates that app.config.get("SECRET_KEY") is empty. This only seems to happen when IRIS_WORKER=1 on the worker container. The variable is empty due to https://github.com/dfir-iris/iris-web/blob/v2.0.2/source/app/configuration.py#L278. If I comment out IRIS_WORKER=1, the module works just fine; however, the worker also runs all the Post Init functions that are also run in the main container, https://github.com/dfir-iris/iris-web/blob/v2.0.2/source/app/post_init.py#L82.
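An added example, not part of the thread and not the project's own code: a fail-closed variant of the signature check in the traceback, which resolves the key once and reports a missing key separately from a forged payload. HMAC-SHA256, the function signatures, the exception class and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac


class MissingSecretKey(RuntimeError):
    """Raised when the signing key is absent from the process configuration."""


def load_signing_key(config: dict) -> bytes:
    # Resolve the key up front so a worker started without it fails at once,
    # not on the first task with "encoding without a string argument".
    secret = config.get("SECRET_KEY")
    if not isinstance(secret, str) or not secret:
        raise MissingSecretKey("SECRET_KEY is unset or empty in this process")
    return secret.encode("utf-8")


def hmac_sign(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 is an assumption; the page does not show the algorithm.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, signature: str, data: bytes) -> bool:
    # Compare as bytes in constant time; a non-ASCII signature simply fails.
    expected = hmac_sign(key, data).encode("utf-8")
    return hmac.compare_digest(expected, signature.encode("utf-8"))


def check_task(config: dict, signature: str, data: bytes) -> str:
    # Both outcomes reject the task, but "worker misconfigured" and
    # "payload forged" call for different operator responses.
    try:
        key = load_signing_key(config)
    except MissingSecretKey:
        return "rejected: worker has no signing key"
    if not hmac_verify(key, signature, data):
        return "rejected: bad signature"
    return "accepted"


# Constructed sample values, not taken from the issue.
WEB_CONFIG = {"SECRET_KEY": "constructed-example-key"}
WORKER_CONFIG = {"SECRET_KEY": None}  # assumed non-string value, as in the log
PAYLOAD = b'{"ioc": "198.51.100.7"}'
SIGNATURE = hmac_sign(load_signing_key(WEB_CONFIG), PAYLOAD)

if __name__ == "__main__":
    for cfg, data in ((WEB_CONFIG, PAYLOAD), (WORKER_CONFIG, PAYLOAD),
                      (WEB_CONFIG, PAYLOAD + b" ")):
        print(check_task(cfg, SIGNATURE, data))
```

Calling `load_signing_key` during worker start-up, rather than per task, turns the misconfiguration into a visible start-up failure.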

whikernel commented 1 year ago

Hi @legoguy1000

Thanks for raising that up. IRIS_WORKER was removed from v2.0.0. The migration script upgrade_to_2.0.0.py should have commented this one out if you used it to upgrade. The fact that post init runs again is not an issue per se; it's not overwriting, just filling gaps. However, there seems to be a miss since this IRIS_WORKER env should have been set in the worker instance (but not via the .env).

We'll take a look 👍

legoguy1000 commented 1 year ago

We use Kubernetes, so the upgrade script wasn't used. I did see that, though, and I assumed as much, that it wasn't being used anymore, but it was still in the configuration.md file and I didn't know if the running of the post_init was expected or not. Sounds like it is not a problem, so I'll just make sure the IRIS_WORKER env is completely removed from our deployment and call it a day.

Acsigen commented 1 year ago

We have a similar issue with a fresh deployment using docker-compose. Except we get this kind of error for all modules in version v2.3.0.

This is a sample of the log:

[2023-07-12 16:48:48,153: INFO/MainProcess] Task app.iris_engine.module_handler.module_handler.task_hook_wrapper[f0ff8c9e-f105-4a4d-a974-378e2c1fbca8] received
[2023-07-12 16:48:48,158: ERROR/ForkPoolWorker-8] Class 'builtins.int' is not mapped
Traceback (most recent call last):
  File "/iriswebapp/app/iris_engine/module_handler/module_handler.py", line 455, in task_hook_wrapper
    obj = db.session.merge(dse_data)
  File "<string>", line 2, in merge
  File "/opt/venv/lib/python3.9/site-packages/sqlalchemy/orm/session.py", line 2969, in merge
    object_mapper(instance)  # verify mapped
  File "/opt/venv/lib/python3.9/site-packages/sqlalchemy/orm/base.py", line 296, in object_mapper
    return object_state(instance).mapper
  File "/opt/venv/lib/python3.9/site-packages/sqlalchemy/orm/base.py", line 318, in object_state
    raise exc.UnmappedInstanceError(instance)
sqlalchemy.orm.exc.UnmappedInstanceError: Class 'builtins.int' is not mapped