Worker cannot be run #248

Closed
Prodian0013 opened this issue Feb 5, 2020 · 8 comments

@Prodian0013

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Red Hat Enterprise Linux Server |
| OS version (client) | release 7.7 (Maipo) |
| Cortex version / git hash | 3.0.1 |
| Package Type | Docker |
| Browser type & version | If applicable |

Problem Description

Running analyzer returns the following error message:

{
  "errorMessage": "Worker cannot be run",
  "input": "{\"data\":\"1.1.1.1\",\"dataType\":\"ip\",\"tlp\":2,\"message\":\"\",\"parameters\":{},\"config\":{\"proxy_https\":null,\"cacerts\":null,\"check_tlp\":true,\"max_tlp\":2,\"auto_extract_artifacts\":false,\"jobCache\":10,\"check_pap\":true,\"max_pap\":2,\"jobTimeout\":30,\"service\":\"get\",\"proxy_http\":null,\"polling_interval\":60,\"key\":\"MY_API_KEY\"},\"pap\":2}",
  "success": false
}

Steps to Reproduce

  1. Running any analyzers

Complementary information

(add anything that can help identifying the problem such as log excerpts, screenshots, configuration dumps etc.)

@Prodian0013
Author

Error from logs:

[info] o.t.c.s.JobSrv - Looking for similar job in the last 10 minutes (worker=c908fbc1e5d46104d32b8cbf3a08b2d4, dataType=url, data=Left(1.1.1.1), tlp=2, parameters={})
[info] o.t.c.s.AuditActor - Job KJTxGnAB92tolkDmFVbo has be updated (JsDefined("InProgress"))
[warn] o.t.c.s.JobRunnerSrv - worker c908fbc1e5d46104d32b8cbf3a08b2d4 can't be run with process (doesn't have image)
[info] o.t.c.s.AuditActor - Job KJTxGnAB92tolkDmFVbo has be updated (JsDefined("Failure"))
[info] o.t.c.s.JobSrv - Job KJTxGnAB92tolkDmFVbo has finished with status Failure

@Prodian0013
Author

Figured it out. The sample config provided doesn't work. It has the wrong defaults for the analyzers and responders. After changing from

analyzer {
  urls = [
    "https://dl.bintray.com/thehive-project/cortexneurons/analyzers.json"
    #"/absolute/path/of/analyzers"
  ]
...
responder {
  urls = [
    "https://dl.bintray.com/thehive-project/cortexneurons/reponders.json"
    #"/absolute/path/of/responders"
  ]
...

to

analyzer {
  urls = [
    "/opt/Cortex-Analyzers/analyzers"
  ]
...
responder {
  urls = [
    "/opt/Cortex-Analyzers/responders"
  ]
...

I was able to run the virustotal analyzer without error.

@Xeteskian

Xeteskian commented Mar 30, 2020

I'm getting this exact same issue with the only difference being that I'm running on Ubuntu:
Installation of Cortex was done using the deb method.

cortex/application.log:

2020-03-30 16:59:22,091 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-30 - Looking for similar job in the last 10 minutes (worker=06e11deb8f3b4f606f6fefde391fb4f3, dataType=domain, data=Left(hitnrun.com.my), tlp=2, parameters={})
2020-03-30 16:59:23,481 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-20 - Register new listener for job AXEsYiaJOEOgkQvvH0FS (Actor[akka://application/temp/$b])
2020-03-30 16:59:24,114 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-21 - Job AXEsYiaJOEOgkQvvH0FS has be updated (JsDefined("InProgress"))
2020-03-30 16:59:24,115 [WARN] from org.thp.cortex.services.JobRunnerSrv in application-akka.actor.default-dispatcher-11 - worker 06e11deb8f3b4f606f6fefde391fb4f3 can't be run with process (doesn't have image)
2020-03-30 16:59:25,121 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-11 - Job AXEsYiaJOEOgkQvvH0FS has be updated (JsDefined("Failure"))
2020-03-30 16:59:25,122 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-21 - Job AXEsYiaJOEOgkQvvH0FS has finished with status Failure
2020-03-30 17:00:23,500 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-7 - Unregister listener for job AXEsYiaJOEOgkQvvH0FS (Actor[akka://application/temp/$b])

Cortex Config for Analyzers and Responders is as follows:

## ANALYZERS
#
analyzer {
  # analyzer location
  # url can be point to:
  # - directory where analyzers are installed
  # - json file containing the list of analyzer descriptions
  urls = [
    #"https://dl.bintray.com/thehive-project/cortexneurons/analyzers.json"
    "/opt/Cortex-Analyzers/analyzers"
  ]

  # Sane defaults. Do not change unless you know what you are doing.
  fork-join-executor {
    # Min number of threads available for analysis.
    parallelism-min = 2
    # Parallelism (threads) ... ceil(available processors * factor).
    parallelism-factor = 2.0
    # Max number of threads available for analysis.
    parallelism-max = 4
  }
}

# RESPONDERS
#
responder {
  # responder location (same format as analyzer.urls)
  urls = [
    #"https://dl.bintray.com/thehive-project/cortexneurons/reponders.json"
    "/opt/Cortex-Analyzers/responders"
  ]

  # Sane defaults. Do not change unless you know what you are doing.
  fork-join-executor {
    # Min number of threads available for analysis.
    parallelism-min = 2
    # Parallelism (threads) ... ceil(available processors * factor).
    parallelism-factor = 2.0
    # Max number of threads available for analysis.
    parallelism-max = 4
  }
}

I'm wondering if it's an ACL issue, as /opt/Cortex-Analyzers/ is owned by root:root but Cortex runs as cortex user.
If I su to the cortex user and try to run /opt/Cortex-Analyzers/analyzers/VirusTotal/virustotal.py manually, I get the following result, which I'd expect considering I'm not providing any runtime options:

{"success": false, "input": {}, "errorMessage": "Input file doesnt exist"}

Can anyone advise?

@Xeteskian

I figured it out - I'd enabled a bunch of Analyzers before actually installing and configuring them locally (List was based off the URL in the original config). If I disable the analyser and then re-enable them, then they start working with the local install
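To find which workers need the disable/re-enable step described above, the warning can be pulled out of the Cortex log. This is an added example, not part of the thread or of Cortex; the function name `triage` and the sample lines are constructed, following the two log formats quoted earlier on this page.

```python
import re
from collections import defaultdict

# Patterns match the message text only, so both the short Docker console
# format and the timestamped application.log format are handled.
LOOKUP = re.compile(r"\(worker=(?P<worker>[0-9a-f]+), dataType=(?P<dtype>\w+),")
CANT_RUN = re.compile(
    r"worker (?P<worker>[0-9a-f]+) can't be run with (?P<runner>\w+) "
    r"\((?P<reason>[^)]*)\)"
)

def triage(lines):
    """Return {worker_id: summary} for every worker Cortex refused to run."""
    data_types = defaultdict(set)   # worker -> dataTypes seen in job lookups
    refused = {}
    for line in lines:
        m = LOOKUP.search(line)
        if m:
            data_types[m["worker"]].add(m["dtype"])
            continue
        m = CANT_RUN.search(line)
        if m:
            entry = refused.setdefault(
                m["worker"], {"count": 0, "runners": set(), "reasons": set()}
            )
            entry["count"] += 1
            entry["runners"].add(m["runner"])
            entry["reasons"].add(m["reason"])
    for worker, entry in refused.items():
        entry["data_types"] = data_types.get(worker, set())
    return refused

# Constructed sample input: worker IDs and message texts are taken from the
# excerpts in this thread; timestamps, job IDs and the IP are made up.
SAMPLE_LOG = """\
[info] o.t.c.s.JobSrv - Looking for similar job in the last 10 minutes (worker=c908fbc1e5d46104d32b8cbf3a08b2d4, dataType=ip, data=Left(192.0.2.1), tlp=2, parameters={})
[warn] o.t.c.s.JobRunnerSrv - worker c908fbc1e5d46104d32b8cbf3a08b2d4 can't be run with process (doesn't have image)
2020-03-30 16:59:24,115 [WARN] from org.thp.cortex.services.JobRunnerSrv in application-akka.actor.default-dispatcher-11 - worker 06e11deb8f3b4f606f6fefde391fb4f3 can't be run with process (doesn't have image)
2020-03-30 17:03:10,002 [WARN] from org.thp.cortex.services.JobRunnerSrv in application-akka.actor.default-dispatcher-4 - worker 06e11deb8f3b4f606f6fefde391fb4f3 can't be run with process (doesn't have image)
2020-03-30 17:03:11,040 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-9 - Job EXAMPLEJOBID0001 has finished with status Success
""".splitlines()

if __name__ == "__main__":
    for worker, info in triage(SAMPLE_LOG).items():
        print(worker, info["count"], sorted(info["runners"]), sorted(info["reasons"]))
```

The worker IDs it reports are the ones to disable and re-enable after switching `urls` to the local analyzer directory.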

@jdlgispert

> I figured it out - I'd enabled a bunch of Analyzers before actually installing and configuring them locally (List was based off the URL in the original config). If I disable the analyser and then re-enable them, then they start working with the local install

It worked for me too. Thanks

@tomsfb

tomsfb commented Jul 8, 2021

> > I figured it out - I'd enabled a bunch of Analyzers before actually installing and configuring them locally (List was based off the URL in the original config). If I disable the analyser and then re-enable them, then they start working with the local install
>
> It worked for me too. Thanks

same

@gru3zi

gru3zi commented Nov 4, 2022

I'm following this guide (https://docs.thehive-project.org/cortex/installation-and-configuration/analyzers-responders/) but I'm a little confused, as at the end it says restart cortex? Does that mean restart the docker container? When I restart the container I lose any changes I made. Can someone give me advice?

@Jonesckevin

> I'm following this guide (https://docs.thehive-project.org/cortex/installation-and-configuration/analyzers-responders/) but I'm a little confused, as at the end it says restart cortex? Does that mean restart the docker container? When I restart the container I lose any changes I made. Can someone give me advice?

If you are using docker compose, just do a docker restart cortex instead of shutting it down.
