ninoseki
commented
7 months ago json.query submit_ioc indicates that you don't quote submit_ioc.
You have to double or single quote it.
Closed r0ny123 closed 7 months ago
ninoseki
commented
7 months ago json.query submit_ioc indicates that you don't quote submit_ioc.
You have to double or single quote it.
r0ny123
commented
7 months ago @ninoseki Sorry, I pasted the wrong logs before, I tried with both double or single quotes, but the error exists for both cases.
/var/lib/gems/3.0.0/gems/rack-3.0.8/lib/rack/auth/digest.rb:8: warning: Rack::Auth::Digest is deprecated and will be removed in Rack 3.1
2024-04-06 07:50:04.179412 I [2189:8000] Mihari -- Emission by Mihari::Emitters::Database is succeeded
2024-04-06 07:50:04.179815 I [2189:8000] Mihari -- Emission by Mihari::Emitters::Webhook is failed: 809: unexpected token at 'json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map(&:data)
'Now I think your setup is wrong or broken.
You said you are using Mihari v7.5.0. But Mihari v7.5.0 is shipped with Rack v3.0.10. (https://github.com/ninoseki/mihari/blob/master/mihari.gemspec#L100)
So there is no way to have /var/lib/gems/3.0.0/gems/rack-3.0.8.
r0ny123
commented
7 months ago Okay, I fixed the issue with the latest version not pulling the latest Rack. Now, I'm not seeing the warnings I mentioned before, but the IoCs are still not being pushed to ThreatFox. I checked the generated alerts, and they are not listed on the ThreatFox website.
I tried to run mihari using --debug mode but it's not generating debug logs.
ninoseki
commented
7 months ago You set ip:port as an IOC type but you sent ip IOCs. So ThreatFox denies your submission I guess.
You have to provide proper data. This may help you to customize the Jbuilder template for that.
r0ny123
commented
7 months ago You set
ip:portas an IOC type but you sentipIOCs. So ThreatFox denies your submission I guess.
Ah, now I understand. Thanks for the heads-up and help! @ninoseki
r0ny123
commented
7 months ago Can you provide me with an example?
Ok I did something like this this one for associating IPs with only those ports for which they have been matched (not worked)
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
artifact.metadata['matched_services'].map do |service|
"#{artifact.data}:#{service['port']}"
end
}.flattenand this one for all the ports associated with IPs (this worked!)
json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
artifact.ports.map do |port|
"#{artifact.data}:#{port.number}"
end
}.flattenand this is for fixed port: (not worked)
json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
"#{artifact.data}:443"
}Can you guide? Thanks
Describe the bug
I have a rule for hunting Bokbot back connect C2 servers and a JBuilder query named "bokbot_backconnect.json.jbuilder."
The format is same as described in the mihari documentation here.
But when I run
mihari search bokbot_backconnect.ymlthe database emission succeeds but fails to submit to threatfox.Steps to reproduce
mihari search bokbot_backconnect.ymlwith JBuilder file in the same directoryExpected behavior
It should submit the IoCs to ThreatFox.
Actual-behavior
Screenshots
Add screenshots to help explain your problem.
System Information:
Additional context
Also, note the warning in Actual-behavior section i.e.
var/lib/gems/3.0.0/gems/rack-3.0.8/lib/rack/auth/digest.rb:8: warning: Rack::Auth::Digest is deprecated and will be removed in Rack 3.1