name parameter for the MISP analyzer does behave as expected #94

Closed
srilumpa opened this issue Sep 13, 2017 · 3 comments
@srilumpa
Contributor

Request Type

(select Bug, Analyzer or Feature and remove this line)
Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian |
| Cortex Analyzer Name | MISP_2_0 |
| Cortex Analyzer Version | 1.6.3 |
| Cortex Version | 1.1.3 |

Description

  1. When no name parameter is set in the Cortex configuration file, the MISP analyzer throws an error
  2. When a name is set up as a string and not a list, only the first character is used as the name of the MISP instance

Steps to Reproduce

  • name is undefined
    1. do not set up `MISP.name` in the application.conf file
    2. Start a job
    3. The following output is displayed
```
Traceback (most recent call last):
  File \"./misp.py\", line 62, in <module>
    MISPAnalyzer().run()
  File \"./misp.py\", line 51, in run
    response = self.misp.search_ip(self.getData())
  File \"/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py\", line 246, in search_ip
    return self.__search(type_attribute=self.__mispiptypes(), value=searchterm)
  File \"/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py\", line 204, in __search
    'name': self.misp_name[idx],
TypeError: 'NoneType' object has no attribute '__getitem__'
```
  • name is defined as a string
    1. set up MISP.name as the string "MISP instance"
    2. Start a job
    3. The job completes successfully but the name of the instance in the report (json path: full.results[].name) is M

Possible Solutions

The default value in the MISPClient constructor doesn't seem to be used properly when not set in the configuration. I think it might come from the fact that None is passed to the constructor so the variable is defined (even if it is defined to None) and the default value is then ignored.
When the name parameter is set, there is no check whether it is a string or a list (like the other variables) and, at line 204, it is assumed that the variable is a list, and then only the first character is extracted from the string to be used as the name of the MISP instance.
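
The two failure modes described in this report, reproduced in minimal form next to one way of normalizing the setting. This is an added example, not code from the issue or from Cortex-Analyzers: the class names, `normalize_names`, the "Unnamed" default and the example URL are assumptions. It targets Python 3, where the `None` case raises the same `TypeError` with the message "'NoneType' object is not subscriptable".

```python
# Added illustration; every name below is hypothetical, not the analyzer's code.

class BuggyClient:
    """Default applies only when the argument is omitted, not when None is passed."""
    def __init__(self, url, name="Unnamed"):
        self.url = url if isinstance(url, list) else [url]
        self.name = name  # None or a bare string is stored unchanged

    def instance_name(self, idx):
        # None -> TypeError; "MISP instance" -> "M" (string indexing)
        return self.name[idx]


def normalize_names(name, count, default="Unnamed"):
    """Return exactly `count` names for None, a single string, or a list."""
    if name is None:
        names = []
    elif isinstance(name, str):
        names = [name]
    else:
        names = list(name)
    # Pad so that every configured URL has a label (assumed default label).
    names += ["{} {}".format(default, i + 1) for i in range(len(names), count)]
    return names[:count]


class FixedClient:
    def __init__(self, url, name=None):
        self.url = url if isinstance(url, list) else [url]
        self.name = normalize_names(name, len(self.url))

    def instance_name(self, idx):
        return self.name[idx]


def demo():
    url = "https://misp.example"  # constructed sample value
    results = {}
    try:
        BuggyClient(url, name=None).instance_name(0)
    except TypeError as exc:
        results["buggy_none"] = type(exc).__name__
    results["buggy_str"] = BuggyClient(url, name="MISP instance").instance_name(0)
    results["fixed_none"] = FixedClient(url).instance_name(0)
    results["fixed_str"] = FixedClient(url, name="MISP instance").instance_name(0)
    return results


if __name__ == "__main__":
    print(demo())
```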

@saadkadhi added the category:bug label Sep 13, 2017
@saadkadhi
Contributor

@3c7 Can you look at this one please with @jeromeleonard? Thanks.

@3c7
Contributor

3c7 commented Sep 13, 2017 via email

3c7 added a commit to 3c7/Cortex-Analyzers that referenced this issue Sep 13, 2017
@garanews
Contributor

I tried the fix and it is working:
image
