remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

HTTP errors - [MC503] DEBUG urlib3 POST request failed error=Expecting value: line 1 column 2 (char 1) url=xxxx #232

Open hkelley opened 1 year ago

hkelley commented 1 year ago

We recently started receiving errors like the following. I believe this started when we updated to misp42splunk 4.2.2.

| mispcollect misp_instance=MISP_xxxx eventid=9999

[MC503] DEBUG urlib3 POST request failed error=Expecting value: line 1 column 2 (char 1) url=https://xxx.com/attributes/restSearch

We don't see any errors in _internal or cim_modactions, and the errors seem very Python-ish.

This seems to be an error even before the HTTP request, https://github.com/remg427/misp42splunk/blob/fc97aedcc4bfc29a00685c1a0110dadeccee99fd/package/bin/misp_common.py#L285

Is anyone else seeing this? Tips?

hkelley commented 1 year ago

I think the issue is that the app update wiped out our API key. Resetting it in the app configuration seemed to fix it.

headers['Authorization'] = config['misp_key']

J1mb0S1ic3 commented 1 year ago

Hi, I'm getting the exact same issue. However... Ours is on Splunk Cloud (this app is said to be compatible with SC, I don't think it is).

We installed the base version of the app from the store (earlier than v4, I think?), configured it, and it didn't work, so we upgraded to 4.2.2.

The upgrade broke the app. We had to get Splunk Cloud support to add the capability required for passwords for us, and to delete the app and re-install, then upgrade, effectively giving us a clean slate.

The app now works on the front-end. But when we perform mispcollect, an error identical to what you are seeing appears. mispgetioc just doesn't give anything in return, not even an error. We also have zero logs to go by; for some reason, in this version, logging is not working.

We have re-added the instance, updated the API key, disabled certificate validation, tried everything, none of it works.

Can anyone here confirm that the previous version 4.2.0 actually does work and is worth installing on Splunk Cloud? We are running out of options, I am not sure that this app is compatible either, it has come to the attention of Splunk Support too.

hkelley commented 1 year ago

We had been using the previous version on Splunk cloud. The new version works like the previous version now that we have updated the API key.

I don't recall having the issues you mention when we set it up initially.

J1mb0S1ic3 commented 1 year ago

Another note: I just ran the upgrade readiness app and it states that this app is not compatible with Python 3.

J1mb0S1ic3 commented 1 year ago

I think we have a bad instance of MISP perhaps. Maybe I will spin up my Ubuntu instance at home and zone cloud it in to that for testing; I will get back to you all with results.

remg427 commented 1 year ago

Hi, sorry to read you are having issues with MISP42 v4.2.2. This app is compatible with version 3 and passed all AppInspect checks with Splunk version 9.0.0. I started getting reports of errors about the request lib not working well; that's why 4.2.0 switched to urllib3, and it works on my side (Splunk Enterprise). I don't have SC. This app needs the capability list_storage_passwords to use it.

For logging, I have tried to replace logs in system files (not working that well) with a graceful message on the GUI.

If you receive feedback from Splunk support, please pass it on here to help improve the app.

hkelley commented 1 year ago

At the risk of stating the obvious, I'd start with a very simple side-by-side troubleshooting with a command like this from the Splunk search:

| mispcollect misp_instance=<MISP_CONFIG>  eventid="9999"     endpoint="events"

And then the equivalent from your REST client of choice:

https://www.misp-project.org/openapi/#tag/Events/operation/searchEvents

It can be a bit tricky (at least for me) remembering which messages go to _internal and which ones go to cim_modactions. I think the catch block in this particular section of code is actually written to the Splunk UI, not to an index.
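The side-by-side check suggested above, as an added example that is not part of misp42splunk: a small Python script that POSTs to /events/restSearch with urllib3 (the library the 4.2.x app uses) and inspects the HTTP status and Content-Type before JSON-decoding, so a rejected auth key (typically an HTML 403 page) is reported as such instead of surfacing as "Expecting value: line 1 column …". The helper names and the sample bodies in the comments are assumptions.

```python
import json


# Hypothetical helper, not part of misp42splunk: classify a restSearch reply
# before JSON-decoding it. A non-JSON body (e.g. an HTML error page returned
# for a rejected Authorization key) yields a clear reason rather than the bare
# json.loads() message "Expecting value: line 1 column ...".
def diagnose_response(status, content_type, body):
    """Return ('ok', parsed_json) or ('error', human-readable reason)."""
    text = body.decode("utf-8", errors="replace")
    if status in (401, 403):
        return "error", (f"HTTP {status}: MISP rejected the Authorization key "
                         "(check the key value and its permissions)")
    if status != 200:
        return "error", f"HTTP {status}: {text[:200]}"
    if "json" not in (content_type or "").lower():
        return "error", f"HTTP 200 but Content-Type is {content_type!r}, not JSON: {text[:200]}"
    try:
        return "ok", json.loads(text)
    except json.JSONDecodeError as exc:
        return "error", f"Body is not valid JSON ({exc}): {text[:200]}"


def restsearch(base_url, misp_key, eventid, limit=1000, verify_tls=True):
    """POST /events/restSearch the way the app does (urllib3, key in Authorization header)."""
    import urllib3  # imported here so diagnose_response() stays usable without urllib3 installed
    http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED" if verify_tls else "CERT_NONE")
    payload = {"eventid": str(eventid), "returnFormat": "json", "page": 1, "limit": limit}
    headers = {"Authorization": misp_key,
               "Accept": "application/json",
               "Content-Type": "application/json"}
    resp = http.request("POST", base_url.rstrip("/") + "/events/restSearch",
                        body=json.dumps(payload).encode(), headers=headers, timeout=30.0)
    return diagnose_response(resp.status, resp.headers.get("Content-Type"), resp.data)


if __name__ == "__main__":
    import sys  # usage: python misp_check.py https://misp.example.org <AUTH_KEY> 9999
    state, detail = restsearch(sys.argv[1], sys.argv[2], sys.argv[3])
    if state == "ok":
        print("ok:", len(detail.get("response", [])), "event(s) returned")
    else:
        print("error:", detail)
```

Compare the printed reason with the Splunk-side [MC503] message for the same eventid; a 401/403 here means the key itself is the problem, not the app.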

J1mb0S1ic3 commented 1 year ago

OK, AppInspect must not be the same as the Python upgrade readiness app in SC.

J1mb0S1ic3 commented 1 year ago

@hkelley, for your MISP config in Splunk Cloud: did you configure it with a pem/crt, do you use a proxy, do you use a client cert?

Our MISP instance is behind cloudflare and has TLS with a good cert on the front-end, usual port 443...

hkelley commented 1 year ago

@J1mb0S1ic3 , we don't use a client cert, just an auth key.


remg427 commented 1 year ago

Hello, while investigating another issue, I got that error when there was a problem with the API key: an incorrect one, or one without the proper rights.

Next version fixes the logging issue to return the error message from the request.

J1mb0S1ic3 commented 1 year ago

Hi, I think that is correct, and if you use an assigned API token rather than the global one, this error happens, it seems... We also had some issues with Cloudflare that we resolved, which led us to discovering this.

merteminoglu commented 1 year ago

Hi, I was having the same error and interestingly, using AuthKey under "List Users" tab instead of "List Auth Keys" solved the issue. Or that's what we think anyway. Hope that helps. PS: We are using Splunk Cloud.

0x636b commented 6 months ago

Same error here. Tested from a VM to our external reachable MISP and to an only internally reachable MISP. The same error message for both configs. Auth key is correct, renewed several times.

Testing a "GetEvent" via curl from the same Splunk VM (to make sure MISP is reachable and the VM is able to talk outwards) is successful.

Anyone up with a solution yet?

0x636b commented 6 months ago

Looks like I found the reason why it didn't work without understanding why: The Auth-Keys created in user context are NOT working when using MISP42, you'll get HTTP 403 when using them. The initially generated Auth-Key for your user is the ONLY one that works.

In MISP the auth key management changed from "basic" to "advanced" some versions ago (optional). When using "advanced" you cannot see the initial auth key for every user and are only "limited" to creating several ones for every user. But these generated ones will not work... I cannot explain nor understand why, since there is no hint in the documentation that they are different from the initial one.

AmitKulkarni9 commented 2 months ago

The initially generated Auth-Key for your user is also not working. Anyone got it working?

remg427 commented 2 months ago

Hello, sorry for the delay, but I have misp42 working perfectly for 4 instances. Next week I could generate a key again and publish a step by step.

AmitKulkarni9 commented 2 months ago

Hi @remg427, any updates on this?

RobIv commented 1 month ago

I have this problem too when I set the limit number to 0 or a value greater than 280000; using lower values works fine. Additionally, I don't get events using logical "last" or "date" values. I mean, I have events updated this same day, or events updated in the last 30 days, but I only get events if I set "last" or "date" to 30000d. A little weird, I can't understand the reason.

Chawicha commented 1 month ago

SOLVED: Configuration on the MISP server changed to allow only TLS1.3, so it was refusing connections from Splunk, which was using TLS1.2. As it was after the upgrade, we thought it would be something related to the app.

QUESTION: For us, it was working fine with the previous version, but suddenly we started receiving some errors that, according to GitHub, were resolved in the latest version. So, we updated the app from version 4.2.2 to 4.3.2, and now we are getting TLS errors when running queries. We have verified the app configuration and there are no certificates, proxies, or other settings configured. Just the instance, URL, and key.

The add-on is installed on a Heavy Forwarder that forwards fetched events to Splunk Cloud.

Error: [MC503] DEBUG urlib3 POST request failed error=[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1106) url=https://X.X.X.X/events/restSearch body={'eventid': '9999', 'returnFormat': 'json', 'withAttachments': False, 'deleted': False, 'includeEventUuid': True, 'page': 1, 'limit': 1000}

Any tip is welcome
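To tell a TLS policy mismatch like the one above apart from an app or auth-key problem, an added example (not part of misp42splunk) that handshakes with the MISP host using exactly one TLS version at a time from the Splunk host's Python, and maps the OpenSSL alert text to a cause. The function names are assumptions; run it with the MISP hostname as the argument.

```python
import socket
import ssl


# Hypothetical helper, not part of misp42splunk: map an OpenSSL error string
# (as seen in the [MC503] message) to the likely cause.
def classify_ssl_error(message):
    msg = message.upper()
    if "PROTOCOL_VERSION" in msg:
        return "TLS version mismatch: the server refused the TLS version this client offered"
    if "CERTIFICATE_VERIFY_FAILED" in msg:
        return "certificate validation failed: untrusted CA or hostname mismatch"
    if "HANDSHAKE_FAILURE" in msg:
        return "handshake failure: no common cipher suite or TLS version"
    return "TLS error: " + message


# Hypothetical helper: attempt one handshake pinned to a single TLS version.
# Returns (True, negotiated_version) or (False, reason).
def probe_tls_version(host, port, version, timeout=10.0):
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, classify_ssl_error(str(exc))
    except OSError as exc:
        return False, f"connect failed: {exc}"


if __name__ == "__main__":
    import sys  # usage: python tls_probe.py misp.example.org [443]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(version.name, probe_tls_version(host, port, version))
```

If TLSv1_2 fails with the version-mismatch reason while TLSv1_3 succeeds, the fix is on the server's TLS policy or the forwarder's Python/OpenSSL, not in the app configuration.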