gcrahay / otx_misp

Imports Alienvault OTX pulses to a MISP instance

None is not of type u'string' #12

Closed BurntToast-DFIR closed 7 years ago

BurntToast-DFIR commented 7 years ago

I am getting the above error whenever I run otx-misp. I also get it if I invoke the module directly from Python using Python 3 or Python 2.

Versions

Traceback or error

jbeley commented 7 years ago

I found that this error was related to events starting with the HTML entity """. I ran a simple MySQL query against my dataset: UPDATE events SET info = replace(info, '"', ''); After that, the "--dedup-titles" option began to work again.

SparkyNZL commented 7 years ago

I just tried what you recommended. It did find 158 entries, but this still gives the following error when run with --dedupe-titles: None is not of type 'string'

jbeley commented 7 years ago

Are there any other entries that start with other non-ASCII characters? Check your OTX feed to see if there are.

On Thu, Jun 1, 2017 at 8:47 PM SparkyNZL notifications@github.com wrote:

> I just tried what you recommended. It did find 158 entries, but this still gives the following error when run with --dedupe-titles: None is not of type 'string'

SparkyNZL commented 7 years ago

Should I check the feed or my MISP database? I did find some starting with # and ( and have removed them, but got the same error. Then I removed all of the following and it seems to have fixed it :) | [ { } ]

Cheers

SparkyNZL commented 7 years ago

So I think the biggest issue is that when you use the -a flag it adds AlienVault| I think the "|" is playing with the dedup :(

On Fri, Jun 2, 2017 at 1:13 PM, Jeff Beley notifications@github.com wrote:

> Are there any other entries that start with other non-ASCII characters? Check your OTX feed to see if there are.

SparkyNZL commented 7 years ago

So I have turned Debug on in the DeDupe function.

This is the output, but it looks like it's more an issue with the tag, not the title?


    {
        "version": "2.4.74",
        "perm_sync": true
    }
    {
        "url": "/tags/attachTagToObject",
        "message": "Cannot attach tag, Event already has the tag attached.",
        "errors": [
            "Cannot attach tag, Event already has the tag attached."
        ],
        "name": "Cannot attach tag, Event already has the tag attached."
    }
    {
        "url": "/tags/attachTagToObject",
        "message": "Cannot attach tag, Event already has the tag attached.",
        "errors": [
            "Cannot attach tag, Event already has the tag attached."
        ],
        "name": "Cannot attach tag, Event already has the tag attached."
    }
    None is not of type u'string'


SparkyNZL commented 7 years ago

The error that occurs prior to this is as follows --- The below error is fixed when using Python 3.5, but whenever it encounters a duplicate it is erroring with the above error. If I delete the duplicate it works fine until it hits another duplicate.


The basestring type cannot be instantiated


SparkyNZL commented 7 years ago

From what I can tell the --dedup function of this is broken; as soon as it detects a duplicate it stops with the above (with debug turned on). Is there any chance this can be fixed? Or am I doing something wrong?

SparkyNZL commented 7 years ago

So there seems to be an issue with the misp.add_blar.blar causing the "None is not of type u'string'". The use of misp.new.blar.blar works fine and doesn't cause the error; it only causes an error if there is already an event (duplicate) in the database. I can't tell if this is caused by the fact that MISP has had a number of changes recently or not.

SparkyNZL commented 7 years ago

Hi, I would really like to fix this error. Can you please point me in the right direction? There seems to be an issue with the misp.add_* commands: whenever it tries to do this it causes this "None is not of type "String"" error. I'm not sure if it's with otx-misp or with the API.

Cheers

SparkyNZL commented 7 years ago

I have finally fixed this issue.

The latest version of MISP now returns a Sharing Group. This is currently set to None, which is what is causing the error.

I have done a farmer's fix, but it works well. What this does is delete the "SharingGroup" from the list which is compiled.

If you add the following at the shown location it should now work:

        # Search MISP for the title
        result = misp.search_index(eventinfo=event_name)
        if 'message' in result:
            if result['message'] == "No matches.":
                event = misp.new_event(distribution, threat_level, analysis, event_name, date=event_date,
                                       published=publish)
        else:
            for evt in result['response']:
                # If it exists, set 'event' to the event
                if evt['info'] == event_name:
                    # Drop the SharingGroup key (None in recent MISP) before reusing the event;
                    # pop() with a default avoids a KeyError when the key is absent
                    evt.pop('SharingGroup', None)
                    event = {'Event': evt}
                    break
            if event == '':
                # Event not found, even though search results were returned
                # Build new event
                event = misp.new_event(distribution, threat_level, analysis, event_name, date=event_date,
                                       published=publish)
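
A non-mutating variant of the lookup in the snippet above, as an added example that is not part of the original comment or of otx_misp. It generalizes the fix to drop every None-valued key rather than only SharingGroup, on the assumption that None-valued fields are what fail validation; the function names and sample data are constructed, and the result shape follows the snippet above.

```python
# Constructed samples shaped like the search_index result the snippet reads:
# a 'response' list of event dicts, or a 'message' when nothing matches.
SAMPLE_RESULT = {
    "response": [
        {"id": "41", "info": "AlienVault | Other pulse", "SharingGroup": None},
        {"id": "42", "info": "AlienVault | Sample pulse", "SharingGroup": None,
         "Org": {"name": "ORGNAME", "uuid": None}},
    ]
}
NO_MATCH = {"message": "No matches."}


def strip_none(value):
    """Return a copy of value with every None-valued dict key removed."""
    if isinstance(value, dict):
        return {k: strip_none(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_none(v) for v in value]
    return value


def find_existing_event(result, event_name):
    """Return {'Event': ...} for an exact title match, else None.

    None tells the caller to create a new event, covering both the
    "No matches." message and results that contain no exact title match.
    """
    if result.get("message") == "No matches.":
        return None
    for evt in result.get("response", []):
        if evt.get("info") == event_name:
            # Clean a copy so the search result itself is left untouched
            return {"Event": strip_none(evt)}
    return None


if __name__ == "__main__":
    print(find_existing_event(SAMPLE_RESULT, "AlienVault | Sample pulse"))
    print(find_existing_event(NO_MATCH, "AlienVault | Sample pulse"))
```
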