Open lmahoney1 opened 3 years ago
Also, I tried spinning this up in apphost after adding all of the required apphost files, but I wasn't able to communicate with it. Maybe I was doing it wrong?
I uncommented the `EXPOSE 9000` line in the Dockerfile I used to generate my docker image. The problem was communicating with the pod/container the app runs on from outside the apphost server. I tried sending requests to both the app host server's IP as well as the container ID (retrieved from `sudo kubectl describe pod <rc-cts-urlscanio pod ID>`).
Custom Threat Feeds cannot be deployed inside a container. This is because containers don't have fixed IP Addresses which the webhook requires when registering it with Resilient.
That's too bad but it makes sense. The following line in the Dockerfile gave me hope:

```dockerfile
# uncomment to expose port only if a custom threat feed
#EXPOSE 9000
```
Description
Our analysts mentioned that they had not seen a hit from the urlscan.io CTS in a while. We deployed rc-cts-urlscanio from the community.
It appears that the check the CTS does to determine if the results are malicious or not no longer works (around line 136). Maybe urlscan.io changed their API response?
We used the following URL https://urlscan.io/result/38135c02-509d-471f-91a7-0466060c3474/ for testing. We found that the urlscan.io GUI marked the URL as 'potentially malicious', however when submitting it to a running CTS we got an empty hit.
The following code sample may explain better:
In the example above I'm only checking one of the two (at the time of writing this) analyses available for the URL. This is just for the example; I verified that both of the analyses have the same issue.
Describe How to Reproduce
Submit a 'potentially malicious' URL to the rc-cts-urlscanio CTS.
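As an added example (not code from rc-cts-urlscanio or from this issue), the kind of tolerant verdict check a threat-feed integration wants when the upstream schema may have drifted: it reads the `verdicts` block of a urlscan.io result document (field names assumed from urlscan.io's public result API), folds every analysis held for a URL into one answer, and counts documents it cannot interpret instead of silently reporting no hit. The sample documents are constructed.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample documents shaped like urlscan.io result JSON (field names
# assumed from its public result API; only the verdict-related parts are shown).
SAMPLE_FLAGGED = json.dumps({
    "verdicts": {
        "overall": {"score": 70, "malicious": True, "tags": ["phishing"]},
        "urlscan": {"score": 70, "malicious": True},
        "engines": {"score": 0, "malicious": False},
        "community": {"score": 0, "malicious": False},
    },
})
SAMPLE_CLEAN = json.dumps({
    "verdicts": {"overall": {"score": 0, "malicious": False, "tags": []}},
})
# No verdict block at all: the kind of schema drift the issue suspects. A check
# that reads one fixed field would quietly report 'no hit' for this document.
SAMPLE_DRIFTED = json.dumps({"stats": {}, "page": {}})
VERDICT_SOURCES = ("overall", "urlscan", "engines", "community")

def verdict_from_result(raw: str) -> Optional[Dict[str, Any]]:
    """Return {'malicious', 'score', 'tags'} for one result document, or None
    when no recognisable verdict is present (caller should log, not assume clean)."""
    verdicts = json.loads(raw).get("verdicts") or {}
    found = None
    for source in VERDICT_SOURCES:
        block = verdicts.get(source)
        if not isinstance(block, dict) or not isinstance(block.get("malicious"), bool):
            continue
        if found is None:
            found = {"malicious": False, "score": 0, "tags": []}
        found["malicious"] = found["malicious"] or block["malicious"]
        found["score"] = max(found["score"], int(block.get("score") or 0))
        found["tags"] = sorted(set(found["tags"]) | set(block.get("tags") or []))
    return found

def summarise_analyses(raws: List[str]) -> Dict[str, Any]:
    """Fold every analysis urlscan.io holds for a URL into one answer: a hit if
    any analysis flags it, plus a count of documents that could not be read."""
    summary: Dict[str, Any] = {"malicious": False, "score": 0, "tags": [], "unparsed": 0}
    for raw in raws:
        v = verdict_from_result(raw)
        if v is None:
            summary["unparsed"] += 1
            continue
        summary["malicious"] = summary["malicious"] or v["malicious"]
        summary["score"] = max(summary["score"], v["score"])
        summary["tags"] = sorted(set(summary["tags"]) | set(v["tags"]))
    return summary
```

A non-zero `unparsed` count is the signal to surface in logs: it distinguishes "the URL is clean" from "the response no longer looks like what the integration expects".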