[Bug] Custom responder not working after upgrade to cortex 3

[anscz]

Describe the bug
After upgrade theHive, Cortex and elasticsearch to:
Cortex:
Cortex3.0.0-1
Elastic4Play1.11.5
Play2.6.23
Elastic4s6.5.1
ElasticSearch client6.5.2
theHive
TheHive3.4.0-1
Elastic4Play1.11.5
Play2.6.23
Elastic4s6.5.1
ElasticSearch6.5.2

I'm using custom responder to reply on reported phishing emails by phish button. This responder is based on official Mailer responder, modifications are just way how email is handled (adding custom body, taking email from tag, different body for different resolution, etc..).
After upgrade all the time I'm recieving error:
"errorMessage": "Cannot run program \"/opt/cortex/Cortex-Analyzers/responders/phishingResponder/phishingResponder.py SPAM\" (in directory \"/opt/cortex/Cortex-Analyzers/responders\"): error=2, No such file or directory",

path doublechecked, as well I run script localy from console on cortex server under cortex user permissions without any issue.

any suggestion would be more than wellcome.

[3c7]

Have you followed https://github.com/TheHive-Project/CortexDocs/blob/master/migration_guide.md for the update and also updated your cortexutils?

[anscz]

I hope so, elastic configuration updated, Cortexutils updated, responder.path changed to responder.urls, I'm using process based responder so there should be no need for any other change.
May be just a question those *.json catalog files are mentioned just for docker based responders or as well for process based?
Thanks
BTW: all updated analyzers work like a charm.

[ptobis]

Have you tried to follow this comment: TheHive-Project/Cortex#182 (comment)

[anscz]

Hi, yes following were tested: - disable / enable - disable / delete folder with responder / rescan responders from GUI / copy folder back / rescan / enable - disable / stop service / delete folder with responder / start service / rescan responders from GUI / stop service / copy folder back / start service / rescan / enable - disable / stop service / delete folder with responder / start service / rescan responders from GUI / stop service / manualy delete config stored in elastic / copy folder back / start service / rescan / enable - sure set rights on script file to 777 ( I know :) )but it was just debug. Current rights on whole folder are for user cortex group cortex rw for user+group, other has 0. Executable/scripts has +x

[ptobis]

Maybe the problem is that Cortex is looking for a script file "phishingResponder.py SPAM" instead of "phishingResponder.py". Are you sure the "command" parameter in a JSON file contains the script name without any additional text?

[anscz]

it contains that "tag" because I have 4 different .json configuration to distinguish between response template I want to use. Script itself without parameter doesn't work there need to be one of VALID | PHISHING | SPAM | REMOVED . Each of them has defined in scrtipt different email body.
Is tehere any change in terms how command parameter is parsed in cortex 2.x and 3.x ? because for cortex 2.x that works fine. If you want you can check script and config here https://github.com/anscz/phishingResponder still some to do needs to be done, like move body template to cortex config to simplify changes in text, etc...

BTW I tried both absolut and relative path in command parameter...

[3c7]

That seems to be the issue at all. You can pass the needed keyword via config like

{
  "name": "reply as SPAM",
  "version": "1.0",
  "author": "Stepan Huzlik",
  "url": "https://github.com/anscz/phishingResponder",
  "license": "AGPL-V3",
  "description": "Send an email response",
  "dataTypeList": ["thehive:case"],
  "command": "phishingResponder/phishingResponder.py SPAM",
  "baseConfig": "phishingResponder",
  "config": {
    "mailType": "spam"
  },
  "configurationItems": [
    {
      "name": "from",
      "description": "email address from which the mail is send",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "smtp_host",
      "description": "SMTP server used to send mail",
      "type": "string",
      "multi": false,
      "required": true,
      "defaultValue": "localhost"
    },
    {
      "name": "smtp_port",
      "description": "SMTP server port",
      "type": "number",
      "multi": false,
      "required": true,
      "defaultValue": "25"
    }
  ]
}

and you should be able to check the parameter in your script like self.get_param('config.mailType', None, 'Mail type not given!')

[anscz]

OK i tried to hardcode type directly to .py script to get rid of parameter in command and it's working thanks a lot for hint, but anyway this should be somehow mentioned in migration documentation because for cortex 2.x that way works fine...
Now I need to change config and script to handover type same way as port, ip, etc...
Thanks once again

[anscz]

I did all modifications you can review it in my repo, now it's possible to change body from Cortex GUI and pass Case title to the body text by $title.
It would be super nice to have posibility click on responder and after that on popup window select email type, but I didn't find way how to do that on current theHive.
Thanks once again & BR