Joe Sandbox Analyzer returning error #156

Closed
Foneman38 opened this issue Dec 15, 2017 · 9 comments
Labels
category:bug Issue is related to a bug scope:analyzer Issue is analyzer related

Comments

@Foneman38

Joe Sandbox Analyzer not working

Request Type

Analyzer

Work Environment

N/A

Description

Joe Sandbox Analyzer not working on Joe Sandbox Complete (On Premise)

Complementary information

  1. I am using the analyzer that was rewritten to support api V2 found here: Joe Sandbox API version 2 support #141

  2. Extracted from my conf file:

```hocon
JoeSandbox {
  url = "https://xxx.xxx.xxx.xxx/joesandbox/index.php/"
  apikey = "my-api-key"
}
```

  3. Results:

```json
{
  "errorMessage": "Unexpected Error: Expecting value: line 1 column 1 (char 0)",
  "input": {
    "dataType": "url",
    "config": {
      "url": "https://xxx.xxx.xxx.xxx/joesandbox/index.php/",
      "apikey": "REMOVED",
      "check_tlp": false,
      "service": "url_analysis"
    },
    "tlp": 1,
    "data": "http://some-url-for-analysis.com/"
  },
  "success": false
}
```

@ant1
Contributor

ant1 commented Dec 15, 2017

Does the analyzer with API v1 only work for you or not?
Is your Joe Sandbox using https not http?
If using https, do you have the CA Root certificate installed for it?

@Foneman38
Author

The analyzer does not work with the v1 only code. The Joe Sandbox API uses https, but I have set requests to verify=false

@saadkadhi
Contributor

@ant1 can you please check and let us know if we can go ahead and close this issue? Thanks mate.

@saadkadhi saadkadhi added category:bug Issue is related to a bug scope:analyzer Issue is analyzer related labels Jan 26, 2018
@ant1
Contributor

ant1 commented Jan 26, 2018

I suggest doing a network capture with SSL disabled or using an SSL interception tool like burp/mitmproxy/sslsplit to debug the issue.

@ant1
Contributor

ant1 commented Feb 21, 2018

Also, make sure you have automatic system selection enabled in the PHP configuration file:

```php
$config['jbx']['autosystem'] = true;
```

@Foneman38
Author

Foneman38 commented Mar 13, 2018

Packet capture shows the first post is checking to see if the Joe server is online. Joe responds with the answer and triggers an unexpected value error.

Here is the Cortex data:

```json
{
  "errorMessage": "Unexpected Error: 'data'",
  "input": {
    "dataType": "url",
    "config": {
      "url": "http://sccfanjoe02.gacfanet.com/joesandbox/index.php/",
      "apikey": "REMOVED",
      "check_tlp": false,
      "service": "url_analysis"
    },
    "tlp": 0,
    "data": "http://198.100.119.11/d1.jpg?rnd=53171"
  },
  "success": false
}
```

Here is the transcript of the packet capture:

```http
POST /joesandbox/index.php/api/v2/server/online HTTP/1.1
Host: JOESANDBOX-HOSTNAME
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 71
Content-Type: application/x-www-form-urlencoded

apikey=KEY REMOVED

HTTP/1.1 200 OK
Date: Tue, 13 Mar 2018 15:26:14 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.23
Set-Cookie: PHPSESSID=n15k7t5rdpbluv1m7eamb6hlf0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 24
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

{"data":{"online":true}}
```

@Foneman38
Author

So after further investigation, it appears that response.status_code returns a string, so the analyzer code should be modified as follows:

```python
# current analyzer code
if response.status_code == 200:
    self.runv2()
else:
    self.runv1()

# proposed change
if response.status_code == '200':
    self.runv2()
else:
    self.runv1()
```

@ant1
Contributor

ant1 commented Mar 13, 2018

According to requests documentation and to my tests, status_code is an int.
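Added example (not code from the Cortex analyzer or Joe Sandbox): it interprets the reply of the `api/v2/server/online` call shown in the capture above, compares `status_code` as the integer that requests returns, and turns the two failures reported in this issue (a non-JSON body, which is what "Expecting value: line 1 column 1 (char 0)" means, and a JSON body without a `data` key, which is the `'data'` KeyError) into readable diagnostics instead of an "Unexpected Error". `FakeResponse` is a constructed stand-in for `requests.Response` so the code runs offline.

```python
import json
from dataclasses import dataclass


@dataclass
class FakeResponse:
    """Constructed stand-in for requests.Response (status_code is an int there too)."""
    status_code: int
    text: str


def check_server_online(response):
    """Interpret the reply of Joe Sandbox's v2 server/online endpoint.

    Returns (online, diagnostic). online is True only for HTTP 200 with a
    body of the form {"data": {"online": true}}; every other case returns
    False plus a message that says what the server actually sent back.
    """
    # requests exposes status_code as an int, so compare with 200, not '200'.
    if response.status_code != 200:
        return False, "HTTP %d from server/online" % response.status_code
    try:
        body = json.loads(response.text)
    except ValueError as exc:
        # json.JSONDecodeError subclasses ValueError; an empty body or an HTML
        # page (login form, proxy error) gives "Expecting value: line 1 column 1".
        snippet = response.text[:60].replace("\n", " ")
        return False, "non-JSON reply (%s); first bytes: %r" % (exc, snippet)
    if not isinstance(body, dict) or "data" not in body:
        # The analyzer indexing body['data'] blindly is what surfaced as "'data'".
        return False, "JSON reply lacks 'data' key: %r" % (body,)
    data = body["data"]
    if not isinstance(data, dict):
        return False, "'data' is not an object: %r" % (data,)
    return bool(data.get("online")), "ok"


def select_api_version(response):
    """Pick the v2 code path only when the v2 online probe really succeeded."""
    online, _ = check_server_online(response)
    return "v2" if online else "v1"
```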

@Foneman38
Author

Thank you for your assistance. Your original suggestion for automatic system selection was the solution:

```php
$config['jbx']['autosystem'] = true;
```

I'm a dumba$$ for not trying it earlier. :(
