remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Upgrade to version 3.1.1 broke reports and preventing ingestion of IOCs #146

Closed nicksoysa closed 4 years ago

nicksoysa commented 4 years ago

Hi Remi,

First of all, let me say thank you for the great work you're doing with this app.

I've been using the app for a couple of months now to pull IOCs from multiple MISP instances and it's worked without fail.

Following an update to version 3.1.1 last Thursday, however, the reports I used to ingest IOCs into Splunk have failed. A colleague identified the Commit ID: f3c6e01fe5f8439adb83ea356ec5ab409b3ec027 that seems to have broken the reports.

I will try reverting to an older version to see if it fixes the issue.

Appreciate if you could look into why that particular commit could've broken the reports.

Kind regards,

Nick

remg427 commented 4 years ago

Hi Nick,

Could you set logging to debug and report error you get? Also is it with custom commands or alert actions?

-- Sent with K-9 Mail.

nicksoysa commented 4 years ago

Hi Remi,

The only commands I'm using are mispgetioc, where, collect and addinfo. The searches worked without any issue for months.

This is the major debug 'error' that can be seen:

Level=Error, Pid=79653, File=mispgetioc.py, Line=546, logging level is set to DEBUG

nicksoysa commented 4 years ago

Hi Remi,

Another observation from a colleague.

"misp_common.py, line 114: has `if proxy['proxy_username'] is not ''`. That errors if the user doesn't input a proxy username; however, some proxies like ours don't need one, so it causes issues. Need some sort of error checking there."

nicksoysa commented 4 years ago

I reverted the app to version 3.1.7, but I'm still running into the same issue.

nicksoysa commented 4 years ago

Hi Remi,

Looks like MISP42Splunk doesn't support proxy configurations that do not require a user name and password. Would you be able to mod it to allow configs without credentials?

Also, since the update I noticed the field misp_event_info is absent when running the mispgetioc command, even when the add_description parameter is used.

I found the misp_event_info field quite useful to have to get context around an IOC. Is there a reason that field has been removed?

Thanks.

Nick

remg427 commented 4 years ago

Hi, I am going to look at all these points this weekend. Regarding misp_get_info: now if you use add_description you have the field misp_description.

Remi

-- Sent with K-9 Mail.

nicksoysa commented 4 years ago

Hi Remi,

Thanks. I did end up using the Apireport command instead and am still able to get the misp event info through it.


remg427 commented 4 years ago

please test 3.1.13 (master) or 3.2.0

nicksoysa commented 4 years ago

Hi Remi, will give it a go, thanks.


nicksoysa commented 4 years ago

Hi Remi,

A colleague tested out version 3.1.13 in a local instance and there seems to be a line of code that might still be breaking proxy authentication.

He suggests the following change to line 160 in misp_common.py: `if 'proxy_username' in proxy and proxy['proxy_username'] not in [None, '']:`

Thanks for looking into this.

Regards,

Nick
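The two proxy observations in this thread (the `is not ''` comparison at misp_common.py line 114, and the suggested `'proxy_username' in proxy and proxy['proxy_username'] not in [None, '']` guard) describe the same defect: credentials are only optional if the code tolerates both a missing key and an empty value. The following is an added example, not code from misp42splunk, showing a proxy-configuration builder that handles that edge case. The settings keys (`proxy_url`, `proxy_port`, `proxy_username`, `proxy_password`) and the function name are assumptions for illustration, not the app's own names.

```python
"""Added example (not misp42splunk code): build a requests-style proxies dict
from app settings, treating a missing or empty proxy username as "no auth".
Key names below are assumed for illustration."""
from urllib.parse import quote


def has_proxy_credentials(proxy):
    """The guard the thread converges on, as its own function.

    `proxy['proxy_username'] is not ''` is wrong on two counts: a missing key
    raises KeyError, and `is not` tests identity rather than equality (Python
    3.8+ emits a SyntaxWarning for it). `dict.get` plus a value check covers
    both the absent-key and the empty-string cases.
    """
    return proxy.get('proxy_username') not in (None, '')


def build_proxies(proxy):
    """Return a dict usable as requests' `proxies=` argument, or None when no
    proxy is configured. Credentials are embedded only when a username exists.
    """
    if not proxy or not proxy.get('proxy_url'):
        return None

    url = proxy['proxy_url']
    if '://' not in url:
        url = 'http://' + url  # assume plain HTTP proxy when no scheme given
    scheme, host = url.split('://', 1)

    port = proxy.get('proxy_port')
    netloc = host if port in (None, '') else '{}:{}'.format(host, port)

    if has_proxy_credentials(proxy):
        # Percent-encode so '@' or ':' inside a password cannot break the URL.
        user = quote(proxy['proxy_username'], safe='')
        pwd = quote(proxy.get('proxy_password') or '', safe='')
        netloc = '{}:{}@{}'.format(user, pwd, netloc)

    full = '{}://{}'.format(scheme, netloc)
    return {'http': full, 'https': full}


if __name__ == '__main__':
    # Constructed sample settings: an unauthenticated corporate proxy (the
    # case that broke in the thread) and an authenticated one.
    no_auth = {'proxy_url': 'proxy.example.local', 'proxy_port': 3128}
    empty_user = dict(no_auth, proxy_username='', proxy_password='')
    with_auth = dict(no_auth, proxy_username='svc-misp', proxy_password='p@ss')
    for cfg in (no_auth, empty_user, with_auth, {}):
        print(build_proxies(cfg))
```

The point of routing every credential decision through `has_proxy_credentials` is that the absent-key and empty-string cases are handled in exactly one place, so a later refactor cannot reintroduce the `KeyError` on proxies that need no login.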

nicksoysa commented 4 years ago

Hi Remi,

Just one more thing. I also noticed the last version of the app also appeared to drop the field misp_event_info. Could you please consider adding that back as an output field?

I rely on it to get context when importing IOCs into Splunk.

Thanks.

Kind regards,

Nick

remg427 commented 4 years ago

This is implemented


remg427 commented 4 years ago

Param add_description returns misp_description. The rationale was to let people build as they want; there is an open question for objects and multivalued fields.


nicksoysa commented 4 years ago

Hi, I'm a bit confused. Is this change implemented? He suggests the following change to line 160 in misp_common.py: `if 'proxy_username' in proxy and proxy['proxy_username'] not in [None, '']:`

remg427 commented 4 years ago

Fully addressed in 3.2.0 on GitHub. -- Sent with K-9 Mail.

nicksoysa commented 4 years ago

Thank you. Will try it out.


nicksoysa commented 4 years ago

Hi Remi,

Version 3.2 has fixed all the issues we encountered. Thank you.

Nick