Bug: Observable without data breaks display of observables #1080

Closed
ITServ-DE opened this issue Jul 26, 2019 · 4 comments
ITServ-DE commented Jul 26, 2019

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Windows 7 |
| TheHive version / git hash | 3.4.0-RC2 |
| Package Type | DEB |

Problem Description

Originally found by @presianbg in Issue 1079 (#1079).

When importing a case from an alert containing observables that have a type but no value, none of the observables in the imported case can be displayed.

Steps to Reproduce

  1. Run this thehive4py script. It creates an alert with some observables, where the last one does not contain any data (`AlertArtifact(dataType='domain', data=None)`):

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from __future__ import print_function
from __future__ import unicode_literals

import json
import sys
import uuid

import requests
from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact

api = TheHiveApi('http://127.0.0.1:9000', '2OHHc7SWlpvOsA8jSzY5pQzYDpmg8N3y')

artifacts = [
    AlertArtifact(dataType='ip', data='8.8.8.8'),
    AlertArtifact(dataType='ip', data='10.20.30.40'),
    AlertArtifact(dataType='domain', data='google.com'),
    AlertArtifact(dataType='url', data='http://www.example.com/site'),
    AlertArtifact(dataType='domain', data=None)       # <-------------!!!!!! observable with a type but no value
]

# Prepare the sample Alert
sourceRef = str(uuid.uuid4())[0:6]
alert = Alert(title='Alert with Observable without data',
              tlp=3,
              tags=['siem=' + sourceRef],
              description='UserAdd executed',
              type='external',
              source='DataFeed',
              sourceRef="1111" + sourceRef,
              artifacts=artifacts)

# Create the Alert
print('Create Alert')
print('-----------------------------')
alert_id = None
response = api.create_alert(alert)
if response.status_code == 201:
    print(json.dumps(response.json(), indent=4, sort_keys=True))
    print('')
    alert_id = response.json()['id']
else:
    print('ko: {}/{}'.format(response.status_code, response.text))
    sys.exit(1)   # creation failed, so exit non-zero


# Get all the details of the created alert
print('Get created alert {}'.format(alert_id))
print('-----------------------------')
response = api.get_alert(alert_id)
if response.status_code == requests.codes.ok:
    print(json.dumps(response.json(), indent=4, sort_keys=True))
    print('')
else:
    print('ko: {}/{}'.format(response.status_code, response.text))
```

The alert is stored without any error message, and the retrieval shows all observables, including the one without a value:

```
Get created alert 536b41c5e48d9963de605a05135da8d0
-------------------------
[...]
        {
            "data": null,
            "dataType": "domain",
            "message": null,
            "tags": [],
            "tlp": 2
        }
[...]
```

  2. Import the alert. While previewing the alert for import, all observables - including the one without data - are shown:
    [screenshot: EmptyObservable]

  3. Display the observables of the newly created case. They are correctly counted, but not displayed:
    [screenshot: EmptyObservable2]

Possible Solutions

I think it does not make sense to have observables of any type but without a value. However, some feeds might deliver such.

Two possible solutions:

  • TheHive could deny the creation of such an observable, or deny the creation of the entire alert
  • TheHive could accept observables without a value (as it does now), but then must display them.
@ITServ-DE ITServ-DE changed the title Observable without data breaks display of observables Bug: Observable without data breaks display of observables Jul 26, 2019
@ITServ-DE (Author)

Additional info:
When the observable is created with an empty string as data (`AlertArtifact(dataType='domain', data='')`) instead of None, all works well and all observables are shown:

[screenshot: EmptyObservable]

So the real problem is the None data.
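The report proposes two ways to deal with valueless observables (refuse them, or accept and render them), and the follow-up notes that only `None` data triggers the display failure. The following is an added example, not code from the issue or from TheHive/thehive4py: a client-side guard that a feed integration can run over alert artifacts before calling `create_alert`, implementing the "deny" option as a whole-alert rejection and, as an alternative policy, silently dropping the valueless observables. It models artifacts as the dicts TheHive returns in the `get_alert` output (keys `dataType`, `data`, `message`, `tags`, `tlp`), the shape taken from the JSON excerpt above; the function names, the policy names and the choice to treat whitespace-only strings as missing are this example's own assumptions.

```python
# Added example (not the issue author's script and not TheHive/thehive4py code):
# a pre-submission guard for alert artifacts. Artifact shape is the dict form
# shown in the issue's get_alert output; function and policy names are assumed.
from typing import Dict, List, Tuple

Artifact = Dict[str, object]


def has_value(artifact: Artifact) -> bool:
    """True when the observable carries a usable value.

    None and whitespace-only strings count as missing. The follow-up in the
    issue notes that an empty string at least renders, but an observable with
    no value is still useless for matching or enrichment, so it is flagged too.
    """
    data = artifact.get("data")
    if data is None:
        return False
    if isinstance(data, str) and data.strip() == "":
        return False
    return True


def find_empty_artifacts(artifacts: List[Artifact]) -> List[Tuple[int, str]]:
    """Return (index, dataType) for every artifact without a value."""
    return [
        (i, str(a.get("dataType")))
        for i, a in enumerate(artifacts)
        if not has_value(a)
    ]


def guard_artifacts(artifacts: List[Artifact], policy: str = "reject") -> List[Artifact]:
    """Apply one of the two policies discussed in the report.

    policy="reject": refuse the whole alert (raise ValueError) if any
                     observable lacks a value, so nothing valueless reaches
                     the case that is later imported from it.
    policy="drop":   keep the alert but leave the valueless observables out.
    """
    empty = find_empty_artifacts(artifacts)
    if not empty:
        return list(artifacts)
    if policy == "reject":
        detail = ", ".join("#{} ({})".format(i, dt) for i, dt in empty)
        raise ValueError(
            "alert has {} observable(s) without data: {}".format(len(empty), detail)
        )
    if policy == "drop":
        skip = {i for i, _ in empty}
        return [a for i, a in enumerate(artifacts) if i not in skip]
    raise ValueError("unknown policy {!r}".format(policy))


# Constructed sample mirroring the reproduction script in the issue:
# four valid observables and one "domain" observable with data=None.
SAMPLE_ARTIFACTS: List[Artifact] = [
    {"dataType": "ip", "data": "8.8.8.8", "message": None, "tags": [], "tlp": 2},
    {"dataType": "ip", "data": "10.20.30.40", "message": None, "tags": [], "tlp": 2},
    {"dataType": "domain", "data": "google.com", "message": None, "tags": [], "tlp": 2},
    {"dataType": "url", "data": "http://www.example.com/site", "message": None, "tags": [], "tlp": 2},
    {"dataType": "domain", "data": None, "message": None, "tags": [], "tlp": 2},
]


if __name__ == "__main__":
    print("empty observables:", find_empty_artifacts(SAMPLE_ARTIFACTS))
    kept = guard_artifacts(SAMPLE_ARTIFACTS, policy="drop")
    print("kept after drop:", len(kept))
    try:
        guard_artifacts(SAMPLE_ARTIFACTS, policy="reject")
    except ValueError as err:
        print("rejected:", err)
```

In a feed integration the guard runs on the artifact dicts before they are turned into `AlertArtifact` objects, so a feed that emits a typed observable with no value either fails loudly (and can be fixed at the source) or is trimmed, instead of producing a case whose observable list cannot be displayed.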

@saadkadhi (Contributor)

Thanks @github-pba. This is clearly how we love receiving bug reports. We'll hopefully fix it sooner than later.

@To-om / @nadouani can you please look at this one and see if we could include it in RC3?

@ITServ-DE (Author)

You're welcome. You developers do such an awesome job, you deserve good reproducible issue reports. I currently have some time I can invest in supporting other users, so you can do more programming stuff - where I would miserably fail :-)

secdav3 commented Nov 12, 2019

Are there any updates on this? I just ran into this exact issue today. I'm running a fairly new install of 3.3.0-1.

@To-om To-om added this to the 3.4.1 milestone Apr 1, 2020
To-om added a commit that referenced this issue Apr 14, 2020
@To-om To-om closed this as completed Apr 14, 2020