MISP Analysis failes

[crackytsi]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian
OS version (client)	Seven
Cortex Analyzer Name	MISP2_0
Cortex Analyzer Version	latest.
Cortex Version	2.1

Description

MISP Analysis failes via Cortex but works locally:

echo '{"data":"1.2.3.4", "dataType":"ip","config":{"url":"https://fqdn", "key":"mykey", "cert_path":"/usr/local/lib/python3.4/dist-packages/requests/cacert.pem"}}' | python misp.py | json_pp
WARNING [abstract.py:19 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [mispevent.py:26 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [api.py:31 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
{
   "full" : {
      "results" : [
         {
            "result" : [],
            "url" : "https://fqdn",
            "name" : "Unnamed"
         }
      ]
   },
   "success" : true,
   "artifacts" : [
      {
         "type" : "url",
         "value" : "https://fqdn"
      }
   ],
   "summary" : {
      "taxonomies" : [
         {
            "namespace" : "MISP",
            "level" : "info",
            "predicate" : "Search",
            "value" : "0 events"
         }
      ]
   }
}

But using cortex-analysis it failes:

Invalid output
WARNING [abstract.py:19 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [mispevent.py:26 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
WARNING [api.py:31 - <module>() ] You're using python 2, it is strongly recommended to use python >=3.5
Traceback (most recent call last):
  File "MISP/misp.py", line 78, in <module>
    MISPAnalyzer().run()
  File "MISP/misp.py", line 66, in run
    response = self.misp.search_ip(self.get_data())
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 276, in search_ip
    return self.__search(type_attribute=self.__mispiptypes(), value=searchterm)
  File "/opt/Cortex-Analyzers/analyzers/MISP/mispclient.py", line 229, in __search
    name = self.misp_name[idx]
IndexError: list index out of range

[3c7]

Can you confirm you've entered a name for the MISP instance?

[crackytsi]

Thanks @3c7, indeed I forgot to add the Name.
Shouldn't this field here be a required one?

[3c7]

I need to take a look. Are you using more than one MISP server?

[crackytsi]

No, just one

[3c7]

Okay. So please, set a name. In the mean time I'll take a look at the code. Generally, name will be a requirement if you want to name only one server if you have multiple ones, because you need to process a list of names and therefore don't know which of the server is unnamed and which one not.

Maybe I end up enforcing the name param. ;)

[axpatito]

I had this issue too. I think name need to be enforced.

[crackytsi]

certpath should also be enforced as far as I understand the code...

[3c7]

No, certpath is only used, if your MISPs certificate was not signed by a trusted CA. Hope I have time this weekend to look into a few issues.

[syloktools]

I am having the same issue.

[3c7]

@robertnixon2003 How many MISP instances have you added to the analyzers config? Have you entered names for them?

[syloktools]

Just 1. It has a name. I am on the beta DEB repo just FYI.

[syloktools]

Never mind. The name was in the misp base config but it did not propagate down to the actual analyzer config. Works now.

[3c7]

The error occurs, if name is empty, because Cortex passes an empty list instead of None or similar.

[crackytsi]

@3c7 Why don't we set Name as a required field in json definiton? I don't understand that...