search

tylabs / dovehawk

Dovehawk is a Zeek module that automatically imports MISP indicators and reports Sightings
MIT License
122 stars 24 forks source link

Error with Zeek 4.0.5 LTS #9

Open clopmz opened 2 years ago

clopmz commented 2 years ago

Good morning,

After updating my zeek nodes from 4.0.4 to 4.0.5, I am receiving the following errors when I try to retrieve events from my internal MISP instance:

{"ts":"2022-01-31T08:51:05.607207Z","level":"Reporter::ERROR","message":"curl --header \"Authorization: \"HZt3bmlDstJZq7Wuy0NUARfGLCKAjFF8zogCA9oa\"\" -s -g -o \"\"/tmp/zeek-activehttp-FNJSb0Kya4_body\"\" -D \"\"/tmp/zeek-activehttp-FNJSb0Kya4_headers\"\" -X \"\"GET\"\" -m 60 -k \"\"https://iceland.lab.uxdom.org/attributes/bro/download/all\"\" && touch \"/tmp/zeek-activehttp-FNJSb0Kya4_body\" |/Input::READER_RAW: Child process exited with non-zero return code 28","location":""} {"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: Init: cannot open /tmp/zeek-activehttp-FNJSb0Kya4_body","location":""} {"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: Init failed","location":""} {"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: terminating thread","location":""}

Auth key is valid for sure (retrieving events using curl works without problems).

Any idea?