tylabs / dovehawk

Dovehawk is a Zeek module that automatically imports MISP indicators and reports Sightings
MIT License

Issue pulling indicators from MISP #1

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hey, awesome package, I was keen to try it out so I built 2 new VMs, one with bro 2.5.4 and latest MISP with a dummy dataset. First issue is I couldn't install dovehawk via bro-pkg; the package doesn't exist on the CLI or web interface to bro packages.

Once I downloaded it and installed manually I could get it to invoke fine and I was able to define my MISP API key and IP address. Then if I run bro on a pcap file or on a network interface I receive the below error:

```
bro -C -i ens33 /usr/local/bro/share/bro/site/packages/dovehawk/
listening on ens33

Downloading Signatures
2018/08/29 03:40:20 [1.00.002] Local Directory: /usr/local/bro/share/bro/site/packages/dovehawk/./scripts
MISP Server: https://192.168.247.130/
Downloading Indicators...
Downloading Signatures...
1535539221.640420 error: curl --header "Authorization: APIKEY" -s -g -o "/tmp/bro-activehttp-C0OBIAJA1Me_body" -D "/tmp/bro-activehttp-C0OBIAJA1Me_headers" -X "GET" -m 60 "https://192.168.247.130/attributes/bro/download/all" && touch /tmp/bro-activehttp-C0OBIAJA1Me_body |/Input::READER_RAW: Child process exited with non-zero return code 60
1535539221.640420 error: curl --header "Authorization: APIKEY" -s -g -o "/tmp/bro-activehttp-hqdYPmgmf7i_body" -D "/tmp/bro-activehttp-hqdYPmgmf7i_headers" -X "GET" -m 60 "https://192.168.247.130/attributes/text/download/bro" && touch /tmp/bro-activehttp-hqdYPmgmf7i_body |/Input::READER_RAW: Child process exited with non-zero return code 60
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-C0OBIAJA1Me_body
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: Init failed
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: terminating thread
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-hqdYPmgmf7i_body
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: Init failed
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: terminating thread
```

If I curl my URL with the correct authorization API key I can download all the bro signatures I need, so the data is definitely coming down from MISP. The command I tested the API with was a little different:

```
curl -k --header "Authorization: APIKEY" https://192.168.247.130/attributes/bro/download/all >> /tmp/bro-test.intel
```

That command downloads everything I need into the bro-test.intel file. I'm skipping the SSL check and the -s -g -o options and not building a tmp dir etc.

I can just wait until the bro-pkg version is put back up and test again, or I'm happy to debug this if you want to know any more info?

Thanks again!

tylabs commented 6 years ago

Hello, thanks for trying out Dovehawk! I think the issue is the SSL certificate isn't passing validation.

There are a couple of places in scripts/dovehawk.bro where you can add the -k:

```
--header \"Authorization: %s\"
```

change to:

```
-k --header \"Authorization: %s\"
```

Let me know if that works and I can probably add a config option for that situation. For bro-pkg, I submitted a pull request to have it added, hopefully soon.

tylabs commented 6 years ago

Closing issue as using a non-HTTPS URL or a valid SSL cert would prevent this error.