MISP-Warninglists Analyzer Outdated #569

Closed
bowserkn opened this issue Dec 10, 2019 · 6 comments

Comments

@bowserkn

bowserkn commented Dec 10, 2019

MISP-Warninglists shows as outdated... I think maybe I just did not set it up properly, or are the lists just permanently outdated?

I followed the "Requirements" listed at https://github.com/TheHive-Project/CortexDocs/blob/master/analyzer_requirements.md#misp-warninglists (see below):
"
This analyzer needs you to download the MISP WarningLists first to a directory. Use git for that purpose:

$ mkdir /path/to/misp-warninglists/repository
$ cd /path/to/misp-warninglists/repository
$ git clone https://github.com/MISP/misp-warninglists
"

In the Cortex Web UI, I set the "warninglists" path in "Analyzers" AND "Analyzers Config" to "/opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists/lists"

I also changed the following line in "analyzers/MISPWarningLists/mispwarninglist.py" from self.path = self.get_param('config.path', 'misp-warninglists') to self.path = self.get_param('config.path', '/opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists/lists')

This is my Cortex job report:

{
  "summary": {
    "taxonomies": [
      {
        "predicate": "Warninglists",
        "namespace": "MISP",
        "value": "No hits",
        "level": "info"
      },
      {
        "predicate": "Warninglists",
        "namespace": "MISP",
        "value": "Outdated",
        "level": "info"
      }
    ]
  },
  "full": {
    "is_uptodate": false,
    "results": []
  },
  "success": true,
  "artifacts": [],
  "operations": []
}

x@x:/opt/Cortex-Analyzers/analyzers/MISPWarningLists$ sudo git pull
Already up to date.

x@x:/opt/Cortex-Analyzers/analyzers/MISPWarningLists$ cd misp-warninglists

x@x:/opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists$ sudo git pull
Already up to date.

I also made sure to restart thehive, cortex, nginx, as well as refresh the Analyzers in my organization.

If someone could provide the complete documentation needed to get the lists up to date that would be super helpful.

@bowserkn bowserkn changed the title MISP-Warninglists Analyzer Setup Help MISP-Warninglists Analyzer Outdated Dec 10, 2019
@garanews
Contributor

garanews commented Jan 24, 2020

Hello,
can you verify that the file /opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists/.git/refs/heads/master contains the same sha value as the one at https://api.github.com/repos/misp/misp-warninglists/branches/master?

@quesako-dev

quesako-dev commented Jan 31, 2020

Hi ! Same issue here with identical actions.
I followed the requirements and checked /opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists/.git/refs/heads/master but the sha value is identical. All services have been restarted.


@LaZyDK
Contributor

LaZyDK commented Mar 17, 2020

Hi

I have the same issues as well.

I also get "is_uptodate: false" at every lookup.
Along with that, nothing actually matches the warninglists. Ever.

I have narrowed it down a bit. It seems like all reads from disk are not returning anything. Unless I do it in python manually - then everything works as intended.

I suspect that we need some chmod / chown stuff to get this working.

@dadokkio
Contributor

Hello,
some quick updates/comments regarding this issue:

1- looking at the code:
files = glob("{}/lists/*/*.json".format(self.path))
the analyzer appends /lists/ to the configured path so you need to specify the path in this way
/opt/Cortex-Analyzers/analyzers/MISPWarningLists/misp-warninglists

2- permissions: for a similar analyzer I had to set 644 on all subfolders recursively. I think it is something you can check easily

3- for this analyzer there is an old pull request [#538] to fix some errors on Extractor keys that will be merged in the next release

4- If you'll be able to run the analyzer I'm very curious if you can provide the elapsed time to perform an analysis. We are working on improving the speed of this analyzer so initial feedback could be useful.
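A runnable illustration of the two checks discussed in this thread (the lists/ glob from point 1, which explains why the configured path must be the repository root, and the master-ref comparison garanews asked about), added here as example code rather than taken from the analyzer; the sample repository, list and sha are constructed stand-ins:

```python
import ipaddress
import json
import os
import tempfile
from glob import glob

def load_warninglists(path):
    # Same glob the analyzer uses: <path>/lists/<name>/*.json, so 'path'
    # must be the repository root, not its lists/ subfolder.
    lists = []
    for json_file in glob("{}/lists/*/*.json".format(path)):
        with open(json_file) as fh:
            lists.append(json.load(fh))
    return lists

def _covers(kind, entry, observable):
    # One warninglist entry vs. one observable, by list type.
    if kind == "cidr":
        try:
            return ipaddress.ip_address(observable) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return entry == observable  # "string" and any other type: exact match

def match(observable, warninglists):
    # Names of the lists that contain the observable (empty list == "No hits").
    return [wl["name"] for wl in warninglists
            if any(_covers(wl.get("type", "string"), e, observable) for e in wl["list"])]

def is_uptodate(path, remote_sha):
    # The "Outdated" taxonomy means the local master ref differs from the
    # sha that the GitHub branches API reports for misp-warninglists.
    with open(os.path.join(path, ".git", "refs", "heads", "master")) as fh:
        return fh.read().strip() == remote_sha

SAMPLE_SHA = "0" * 40  # constructed placeholder, not a real commit

def make_sample_repo():
    # Constructed stand-in for a misp-warninglists checkout with one cidr list.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lists", "public-dns"))
    os.makedirs(os.path.join(root, ".git", "refs", "heads"))
    with open(os.path.join(root, "lists", "public-dns", "list.json"), "w") as fh:
        json.dump({"name": "public-dns", "type": "cidr", "list": ["8.8.8.0/24"]}, fh)
    with open(os.path.join(root, ".git", "refs", "heads", "master"), "w") as fh:
        fh.write(SAMPLE_SHA + "\n")
    return root
```

Pointing load_warninglists at the lists/ subfolder, as the first post did, returns no lists at all, which is why every lookup came back "No hits".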

@LaZyDK
Contributor

LaZyDK commented Mar 18, 2020

  1. Got that. :)

  2. I just tried with "sudo chmod -R 655 misp-warninglists/" and "sudo chown -R root:cortex misp-warninglists/".

  3. Applied.

  4. It actually seemed to be working. Unfortunately it took more than 30 minutes, so the Cortex job timed out.

@dadokkio
Contributor

Good, at least up to 4, even if in our case it took several hours.
I'll close this issue and regarding analyzer speed we are trying a database backend so soon you'll find an update on that.
