LDAP3 Module not found on cortex analyser #883

Closed
imad-testing opened this issue Oct 16, 2020 · 20 comments
Labels
category:bug Issue is related to a bug

Comments

@imad-testing

Hello, I'm trying to develop an analyser that gets the SID from a user in a specific Active Directory and returns user info. I installed the ldap3 module but it always gives me an error. Please can someone help?

image

image

image

@imad-testing imad-testing added the category:bug Issue is related to a bug label Oct 16, 2020
@dadokkio
Contributor

Can you check if ldap3 is properly installed?
A simple `pip3 list | grep ldap` should return something similar:

```
$ pip3 list | grep ldap
ldap3                  2.8
```

A classic error is to install it with pip (python2) instead of pip3 (python3), or to pick the wrong ldap lib.

@imad-testing
Author

imad-testing commented Oct 16, 2020

First I installed it with pip2 but it didn't work, then I installed it with pip3 and got the same issue. Any recommendations?
image

@garanews
Contributor

If you are running Cortex in docker, you should install libs inside the Cortex docker image.

@imad-testing
Author

Alright, I installed it inside docker with "pip install ldap3" but then it showed me a lot of errors. I tried the Python code in Spyder, and it runs without errors. What is the problem here?

image

@dadokkio
Contributor

I think it is related to the selected attributes. Can you try using only `attributes=['sAMAccountName']`, paying attention to capital letters?

@imad-testing
Author

image

I tried this but still errors ...

@dadokkio
Contributor

OK, then I'd suggest using `attributes = ldap3.ALL_ATTRIBUTES` to extract all the attributes, and fixing that later when you see what is present in your LDAP server.

@imad-testing
Author

I'm sorry for all my questions. Thank you anyway for your help. It also showed some errors.

image

image

@dadokkio
Contributor

OK, you can add:

```python
import ldap3
```

or add ALL_ATTRIBUTES in

```python
from ldap3 import Server, Connection, ALL, ALL_ATTRIBUTES
```

and change `ldap3.ALL_ATTRIBUTES` to just `ALL_ATTRIBUTES`.

@imad-testing
Author

It showed me the same error as before.
image
image

@imad-testing
Author

I tried it with `import ldap3`. It showed me that Server is not defined. But it should be, because I imported the whole module.
image

@dadokkio
Contributor

In this case you had to add the import to the existing one

@imad-testing
Author

> In this case you had to add the import to the existing one

Sorry but I didn't get your point

@dadokkio
Contributor

Keep them both:

```python
import ldap3

from ldap3 import Server, Connection, ALL
```

@imad-testing
Author

I did that but also the same problem

@dadokkio
Contributor

I wrote a test analyzer based on your code and it's working fine.
The strategy of downloading all the users/groups and then checking the SID isn't efficient if the number of them is huge (like in my case).
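An alternative to downloading every user and group, shown here as an added example that is not part of the thread or of the Cortex-Analyzers code: validate the SID observable and build a server-side filter that matches only that `objectSid`. The function names and the sample SID are assumptions made for the illustration.

```python
import re
import struct

# "S-1-<authority>-<sub-authority>...": revision 1, 1 to 15 sub-authorities.
SID_RE = re.compile(r"S-1-([0-9]{1,15})((?:-[0-9]{1,10}){1,15})")


def sid_to_bytes(sid: str) -> bytes:
    """Validate a string SID and encode it in the binary objectSid layout."""
    m = SID_RE.fullmatch(sid.strip())
    if not m:
        # Rejects anything carrying filter metacharacters such as ( ) * \
        raise ValueError("not a well-formed SID")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if authority >= 2**48 or any(s >= 2**32 for s in subs):
        raise ValueError("SID component out of range")
    # Revision byte, sub-authority count, 48-bit big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer.
    header = struct.pack(">BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_filter(sid: str) -> str:
    """Build an LDAP filter for one objectSid, every byte escaped as \\xx (RFC 4515)."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"(objectSid={escaped})"


if __name__ == "__main__":
    # Constructed sample: the well-known SID of the built-in Administrators group.
    print(sid_filter("S-1-5-32-544"))
    # With ldap3, search_base being a placeholder for the configured domain:
    #   conn.search(search_base, sid_filter(sid), attributes=ALL_ATTRIBUTES)
```

Because the observable is parsed into integers and re-encoded byte by byte, nothing from the input string reaches the filter unescaped.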

@imad-testing
Author

Thank you! It is working also with me

@imad-testing
Author

I also have a question. I am writing another script that lets me enable/disable users. When I test it from analysers it works, but when I test it from responders it does not appear in analysers when I choose the datatype = sid. What could be the problem?

json file:

```json
{
  "name": "Active Directory Enable Disable",
  "version": "1.0",
  "author": "Imad Boustany",
  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
  "license": "AGPL-v3",
  "description": "Enable/Disable Users in active directory",
  "baseConfig": "Active_Directory_Enable_Disable",
  "dataTypeList": ["sid"],
  "command": "Active_Directory_Enable_Disable/Active_Directory_Enable_Disable.py",
  "configurationItems": [
    {
      "name": "domain",
      "description": "root domain dc=hello,dc=com",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "Administrator",
      "description": "Please enter a user with administrative priviledges CN=Administrator,DC=hello,DC=com",
      "type": "string",
      "multi": false,
      "required": true,
      "defaultValue": "CN=Administrator "
    },
    {
      "name": "User",
      "description": "Please enter the User to Enable/Disable CN=User,DC=hello,DC=com",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "Enable_Disable",
      "description": "Type E to Enable and D to Disable",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "password",
      "description": "password",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "ip",
      "description": "ip address of the domain controller",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}
```

image

@dadokkio
Contributor

Responders are located in a different position than analyzers.
You can find them in the observable detail: the ⚙️ under the Actions folder on the right.
image

Or in case/observable list: on the top action the ⚙️ Responders link
image

@imad-testing
Author

Thank you for your help
