
Onyphe_Ports_1_0 return bad data in JSON object #169

Closed
l3m0ntr33 opened this issue Jan 12, 2018 · 6 comments
Labels: category:bug (Issue is related to a bug), scope:analyzer (Issue is analyzer related)

Comments

@l3m0ntr33

Onyphe_Ports_1_0 tested on ip 8.8.8.8 with Cortex

Request Type

Bug

Work Environment


| Question | Answer |
|---|---|
| Cortex Analyzer Name | Onyphe |
| Cortex Analyzer Version | 1.0 |
| Cortex Version | 1.1.4 |

Description

There seems to be a bug when building the returned JSON from Onyphe.

JSON returned:

```
{
  "artifacts": [
    {
      "data": "0.009",      --> not a domain
      "attributes": {
        "dataType": "domain"
      }
    },
    {
      "data": "x.x.x.x",    --> my public ip used to request Onyphe
      "attributes": {
        "dataType": "ip"
      }
    },
```

and, multiple times, the same object below:

```
    {
      "data": "8.8.8.8",
      "attributes": {
        "dataType": "ip"
      }
    },
```

The result should be instead the list of ports.

However the "full" report JSON object is correct with list of ports and all details.

Steps to Reproduce


  1. Ask using Cortex Web interface to start a job on Onyphe_Ports on ip 8.8.8.8
@3c7
Contributor

3c7 commented Jan 12, 2018

Hey @l3m0ntr33, thanks for reporting the issue. Right now the analyzer base class extracts all artifacts from analyzer reports using a RegEx search over the raw response the analyzer provides. This is the reason why your request - 8.8.8.8 - and 0.009 are mentioned in the artifacts part of the Cortex-response.

At the moment, the artifacts-section is not evaluated by TheHive. While sorting out the request itself is not a big deal, I'm not sure how to deal with the domain part. Having a list of all tlds seems to be the only solution to that. Will think about it.

@3c7 3c7 self-assigned this Jan 12, 2018
@3c7 3c7 added the category:bug Issue is related to a bug label Jan 12, 2018
@l3m0ntr33
Author

Thanks for your reply.
I did not test it with TheHive but from MISP. Using the MISP Cortex Plugin it's a problem because it uses the artifacts section :( so it could be good to consider the artifacts section as the reference, in my opinion.

@3c7
Contributor

3c7 commented Jan 13, 2018

Ah okay. Sorry, I did not think about that use case. I will definitely implement filtering out the input (8.8.8.8) and work something out to get a correct list of allowed tlds.

@l3m0ntr33
Author

l3m0ntr33 commented Jan 13, 2018

I agree with you. Maybe there could be two updates in cortexutils, one on the extractor and one on the base analyzer class.

For the extractor, as you said, we need to improve the regex rules and check that an observable has not already been added to the artifacts object.

For the base analyzer class in cortexutils, maybe modify this function:

```python
def report(self, full_report, ensure_ascii=False):
```

to that:

```python
def report(self, full_report, artifacts=[], ensure_ascii=False):
```

Then test whether an artifacts object was passed when the function is called and, if so, override it before `json.dump`:

```python
if artifacts:                        # new line of code
    report['artifacts'] = artifacts  # new line of code
json.dump(...
```

I'm not sure if it's the best option but it's what I did in my analyzer to overwrite the base class function and it works. It permits me to define the artifacts object from my analyzer.

3c7 added a commit to 3c7/Cortex-Analyzers that referenced this issue Jan 13, 2018
@3c7
Contributor

3c7 commented Jan 13, 2018

Hey @l3m0ntr33, can you try https://github.com/3c7/Cortex-Analyzers/tree/fixes/169? That's not perfect though, but it would first cover the needs until I'm able to correctly detect domains.

3c7 added a commit to 3c7/Cortex-Analyzers that referenced this issue Jan 14, 2018
@saadkadhi saadkadhi added the scope:analyzer Issue is analyzer related label Jan 26, 2018
3c7 added a commit that referenced this issue Feb 28, 2018
* Quickfix for #169: filter input from artifacts, only allow letters for tld part of domains

* Forgot to clean-up. :)

* Quickfix for #169: added same regex change for fqdn detection

* Bump version
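The quickfix described in the commit messages above (filter the analyzer's own input out of the artifacts, allow only letters in the TLD part of a domain) together with the `artifacts` override that l3m0ntr33 proposed earlier, as an added example. This is not cortexutils' or the Cortex-Analyzers project's own code: the function names, the domain regex, the sample Onyphe-like response and the `port` dataType used in the override are constructed for illustration. The point it makes is the one in the thread: naive regex extraction over a raw response mis-types numbers such as `0.009` as domains, echoes the queried observable back as a finding and emits duplicates, so a consumer that trusts the artifacts section (as the MISP plugin does) gets wrong observables.

```python
import ipaddress
import re

# Hypothetical domain detector (not cortexutils' own regex): every label is
# alphanumeric/hyphen and the final label (the TLD) is letters only, so a
# decimal such as "0.009" can no longer match as a domain.
DOMAIN_RE = re.compile(
    r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.IGNORECASE
)

# Constructed Onyphe-like response; the field names are made up for this example.
# It contains the three problem cases from the issue: a timing value ("0.009"),
# the requester's own public IP, and the queried IP repeated in every result.
SAMPLE_RAW = {
    'status': 'ok',
    'took': '0.009',
    'myip': '203.0.113.7',
    'results': [
        {'ip': '8.8.8.8', 'port': 53, 'domain': 'resolver.example.net'},
        {'ip': '8.8.8.8', 'port': 443, 'domain': 'resolver.example.net'},
    ],
}


def classify(value):
    """Return 'ip', 'domain' or None for one string value."""
    try:
        ipaddress.ip_address(value)
        return 'ip'
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return 'domain'
    return None


def iter_strings(obj):
    """Depth-first walk yielding every string leaf of a JSON-like structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def extract_artifacts(raw, analyzer_input):
    """Extract ip/domain artifacts from raw, skipping the analyzer input and duplicates."""
    seen = set()
    artifacts = []
    for s in iter_strings(raw):
        dtype = classify(s)
        if dtype is None or s == analyzer_input:
            continue  # not an observable, or just the value we asked about
        key = (dtype, s)
        if key in seen:
            continue  # same observable already emitted
        seen.add(key)
        artifacts.append({'data': s, 'attributes': {'dataType': dtype}})
    return artifacts


def ports_artifacts(full_report):
    """Analyzer-specific artifacts: one entry per distinct port in the results.
    The 'port' dataType is an assumed value for illustration."""
    ports = sorted({r['port'] for r in full_report.get('results', []) if 'port' in r})
    return [{'data': str(p), 'attributes': {'dataType': 'port'}} for p in ports]


def build_report(full_report, analyzer_input, artifacts=None):
    """Assemble a Cortex-style output; an explicit artifacts list overrides extraction."""
    if artifacts is None:
        artifacts = extract_artifacts(full_report, analyzer_input)
    return {'success': True, 'full': full_report, 'artifacts': artifacts}


if __name__ == '__main__':
    import json
    # Generic extraction with the fixes applied: no "0.009", no 8.8.8.8, no duplicates.
    print(json.dumps(build_report(SAMPLE_RAW, '8.8.8.8')['artifacts'], indent=2))
    # Analyzer-chosen artifacts, which is what the reporter wanted for Onyphe_Ports.
    print(json.dumps(build_report(SAMPLE_RAW, '8.8.8.8', ports_artifacts(SAMPLE_RAW))['artifacts'], indent=2))
```

With the generic extractor the requester's own public IP still surfaces as an artifact, because nothing in the raw response marks it as metadata rather than a finding; that is why letting the analyzer pass its own `artifacts` list, as proposed in the thread, is the more reliable path for a consumer such as MISP.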
@3c7
Contributor

3c7 commented Feb 28, 2018

Merged #184, automatic extraction needs improvement, though.

@3c7 3c7 closed this as completed Feb 28, 2018