jaegeral / FireMISP

FireEye alert JSON files to MISP Malware Information Sharing Platform (Alpha)
MIT License

Weird Reset #5

Open tcw3bb opened 6 years ago

tcw3bb commented 6 years ago

I'm getting a weird reset from the server when doing a test or accessing the port. It's establishing a connection (see tcpdump below) but it's resetting the connection after the POST. I'm guessing it's something with the HTTP server. Thanks for the help, really want to get this working.

strace:
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
accept4(3, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16], SOCK_CLOEXEC) = 4
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
ioctl(4, FIONBIO, [0]) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16]) = 0
read(4, "POST / HTTP", 11) = 11
ioctl(4, FIONBIO, [0]) = 0
close(4) = 0
clock_gettime(CLOCK_MONOTONIC, {6477550, 132108430}) = 0

pip install -r requirements.txt:
Requirement already satisfied (use --upgrade to upgrade): simplejson>=3.6.5 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): pymisp>=2.4.62 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): httplib2>=0.8 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied (use --upgrade to upgrade): configparser in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied (use --upgrade to upgrade): urllib3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): six in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): python-dateutil in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): jsonschema in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))

tcpdump -Anni lo port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:31.716449 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [S], seq 657993979, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 0,nop,wscale 7], length 0
E..<..@.@..-..J]..J].h..'80..........'......... t.n........
17:29:31.716461 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [S.], seq 1921625788, ack 657993980, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 1618276462,nop,wscale 7], length 0
E..<..@.@.M...J]..J]...hr...'80......'......... t.nt.n....
17:29:31.716469 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [.], ack 1, win 342, options [nop,nop,TS val 1618276462 ecr 1618276462], length 0
E..4..@.@..4..J]..J].h..'80.r......V....... t.nt.n
17:29:31.716672 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [P.], seq 1:203, ack 1, win 342, options [nop,nop,TS val 1618276463 ecr 1618276462], length 202: HTTP: POST / HTTP/1.1
E.....@.@..i..J]..J].h..'80.r......V....... t.o`t.nPOST / HTTP/1.1
Host: 172.31.74.93:8080
Accept: */*
User-Agent: python-requests/2.9.1
Accept-Encoding: gzip, deflate
content-type: application/json
Content-Length: 1595
Connection: keep-alive

17:29:31.716682 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [.], ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0
E..4^.@.@.....J]..J]...hr...'81....^....... t.ot.o
17:29:31.716715 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [R.], seq 1, ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0
E..4^.@.@.....J]..J]...hr...'81....^....... t.ot.o

python3 fmtest.py -f alert-details.json -u 172.31.74.93 -p 8080 "{\"msg\": \"extended\", \"product\": \"Web MPS\", \"version\": \"7.7.0.123456\", \"appliance\": \"fireeye.foo.bar\", \"appliance-id\": \"00:11:11:11:11:11\",\"alert\": [{ \"src\": { \"ip\": \"10.1.2.3\", \"host\": \"internalclient.intra.net\", \"vlan\": \"0\", \"mac\": \"00:24:aa:aa:aa:aa\" }, \"severity\": \"minr\", \"alert-url\": \"https://fireeye.foo.bar/event_stream/events_for_bot?ma_id=12345678\", \"explanation\": { \"malware-detected\": { \"malware\": { \"profile\": \"win7x64-sp1\", \"http-header\": \"POST http://malicious.com\", \"name\": \"Misc.Eicar-Test-File\", \"md5sum\": \"44d88612fea8a8f36de82e1278abb02f\", \"executed-at\": \"2016-01-19T08:30:21Z\", \"application\": \"Windows Explorer\", \"type\": \"exe\", \"original\": \"driver.exe\", \"stype\": \"24\" } }, \"protocol\": \"\", \"analysis\": \"binary\", \"cnc-services\": { \"cnc-service\": [ { \"protocol\": \"tcp\", \"port\": \"4143\", \"channel\": \"\\\\026\\\\003\\\\001\", \"address\": \"198.50.234.211\" }, { \"protocol\": \"tcp\", \"port\": \"9943\", \"channel\": \"\\\\026\\\\003\\\\001\", \"address\": \"80.96.150.201\" }, { \"protocol\": \"tcp\", \"port\": \"4493\", \"channel\": \"\\\\026\\\\003\\\\001\", \"address\": \"1.179.170.7\" } ] }, \"anomaly\": \"98816\" }, \"occurred\": \"2016-01-19 08:30:21+00\", \"id\": \"12345678\", \"action\": \"notified\", \"interface\": { \"mode\": \"tap\" }, \"dst\": { \"ip\": \"10.1.2.4\", \"mac\": \"00:24:bb:bb:bb:bb\" }, \"name\": \"malware-object\"}]}"

COMMUNICATION ERROR : ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
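Added example, not FireMISP code and not part of the issue above. The strace shows the listener reading 11 bytes ("POST / HTTP") and then calling close(4) while the rest of the request is still sitting unread in the socket buffer; on Linux, closing a TCP socket that still has unread receive data makes the kernel send an RST instead of a FIN, which is exactly the "[R.]" segment in the capture and the "Connection reset by peer" the client reports. The script below reproduces that pattern with a deliberately broken handler, then shows a handler that reads the full request (headers plus Content-Length body), parses the JSON and answers cleanly. The sample alert, the port handling and the handler functions are constructed for the demo; nothing here is FireMISP's own listener.

```python
import json
import socket
import threading

# Constructed sample payload, trimmed to the shape of the alert JSON posted in the issue.
SAMPLE_ALERT = {
    "msg": "extended",
    "product": "Web MPS",
    "alert": [{"id": "12345678", "name": "malware-object", "severity": "minr"}],
}


def build_post(body, host="127.0.0.1", port=0):
    """Build the same kind of request python-requests sent in the capture."""
    headers = (
        "POST / HTTP/1.1\r\n"
        "Host: %s:%d\r\n"
        "User-Agent: python-requests/2.9.1\r\n"
        "Content-Type: application/json\r\n"
        "Content-Length: %d\r\n"
        "Connection: keep-alive\r\n\r\n" % (host, port, len(body))
    )
    return headers.encode() + body


def broken_handler(conn):
    """Mirror of the strace: read 11 bytes, then close.  The remaining request
    bytes are still unread, so the kernel answers the close with a TCP RST."""
    conn.recv(11)  # "POST / HTTP"
    conn.close()


def fixed_handler(conn):
    """Read headers up to the blank line, then exactly Content-Length body bytes,
    parse the JSON, send a real HTTP response and close with nothing unread."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:          # peer went away before finishing the headers
            conn.close()
            return
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length:              # body may arrive in later segments
        chunk = conn.recv(4096)
        if not chunk:
            break
        body += chunk
    try:
        alert = json.loads(body[:length].decode())
        status = b"200 OK"
        reply = json.dumps({"received": len(alert.get("alert", []))}).encode()
    except ValueError:
        status = b"400 Bad Request"
        reply = b'{"error": "invalid json"}'
    conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Type: application/json\r\n"
                 + b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(reply)
                 + reply)
    conn.close()


def serve_once(handler):
    """Listen on an ephemeral loopback port, handle one connection in a
    background thread, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def post_alert(port, alert):
    """Send the alert like fmtest.py would and return the status line the
    server answered with, or the client-side error text."""
    body = json.dumps(alert).encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(build_post(body, port=port))
        try:
            data = c.recv(4096)
        except ConnectionResetError as e:
            return "Connection reset by peer (errno %s)" % e.errno
    return data.split(b"\r\n", 1)[0].decode() if data else "closed without response"


if __name__ == "__main__":
    print("broken listener:", post_alert(serve_once(broken_handler), SAMPLE_ALERT))
    print("fixed listener: ", post_alert(serve_once(fixed_handler), SAMPLE_ALERT))
```

Run it and the first line reports the reset while the second reports "HTTP/1.1 200 OK". When debugging a listener that behaves like the one in the strace, the thing to check is that every byte the client sent (headers and the Content-Length body) is consumed before the socket is closed; an RST immediately after the ACK of the request, with no HTTP response in between, is the signature of a close-with-unread-data, not of a network problem.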