Cortex-Analyzer - MISP-plugin without proxy support/recognition #209

Closed
SimonSays4223 opened this issue Mar 21, 2018 · 3 comments

SimonSays4223 commented Mar 21, 2018

Cortex-Analyzer - MISP-plugin without proxy support/recognition

Request Type

Bug / Analyzer

Work Environment

behind proxy with basic auth

| Question | Answer |
|---|---|
| OS version (server) | CentOS |
| OS version (client) | CentOS |
| Cortex Analyzer Name | MISP |
| Cortex Analyzer Version | 2.0 |
| Cortex Version | latest |
| Browser type & version | not important |

Description

The MISP Analyzer in its current version does not support requests via a proxy, even if the proxy variable in the application.conf is set globally.

Steps to Reproduce

1. Configure a global proxy in the Cortex application.conf:

```
config {
  global {
    proxy {
      http="http://myuser:mypass@myproxy:port/"
      https="https://myuser:mypass@myproxy:port/"
    }
  }
[...]

}
```

2. Configure the MISP credentials according to the documentation (url, key, name).
3. Run the MISP plugin via the web GUI.
4. Result: failed because of the proxy.

Possible Solutions

1. Change misp.py and add the following at line 16:

```python
[...]
try:
    # Read the proxy settings from the analyzer configuration
    proxies = {
        'http': self.getParam('config.proxy.http'),
        'https': self.getParam('config.proxy.https'),
    }
    self.misp = MISPClient(url=self.getParam('config.url', None, 'No MISP url given.'),
                           key=self.getParam('config.key', None, 'No MISP api key given.'),
                           ssl=self.getParam('config.certpath', True),
                           name=name,
                           proxies=proxies)
[...]
```

2. Change the mispclient.py constructor at line 35:

```python
[...]
# Docstring addition:
#     :param proxies: proxy config
def __init__(self, url, key, ssl=True, name='Unnamed', proxies=''):
[...]
```

At line 59:

```python
self.misp_connections.append(pymisp.PyMISP(url=server,
                                           key=key[idx],
                                           ssl=verify,
                                           proxies=proxies))
[...]
```

At line 69:

```python
self.misp_connections.append(pymisp.PyMISP(url=url,
                                           key=key,
                                           ssl=verify,
                                           proxies=proxies))
[...]
```

Complementary information

I'm no Python programmer; there might be other (better) solutions to implement this, and exception handling is missing as well.

3c7 self-assigned this Mar 21, 2018
3c7 added the category:bug (Issue is related to a bug) label Mar 21, 2018

3c7 commented Mar 21, 2018

Need to check this.

PyMISP is based on requests which allows setting the proxies using the environment variables HTTP_PROXY and HTTPS_PROXY - they are set by the Analyzer base class, so I'm wondering where the proxy addresses are lost on the way.
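
Added example, not part of the thread and not Cortex or PyMISP code: a standard-library triage helper for the question raised in the comment above, reporting whether a target URL would get its proxy from explicit analyzer configuration, from the HTTP_PROXY/HTTPS_PROXY environment, or not at all, with credentials redacted for logging. `resolve_proxy`, `redact`, `SAMPLE_ENV` and all hostnames are hypothetical, and the environment lookup is a simplified model of an HTTP client, not the logic of requests itself.

```python
from urllib.parse import urlsplit, urlunsplit
from urllib.request import proxy_bypass_environment


def redact(proxy_url):
    """Replace user:password in a proxy URL with *** so it is safe to log."""
    parts = urlsplit(proxy_url)
    _creds, at, host = parts.netloc.rpartition('@')
    if not at:
        return proxy_url
    return urlunsplit(parts._replace(netloc='***@' + host))


def resolve_proxy(target_url, explicit=None, environ=None):
    """Return (source, redacted_proxy) for target_url (hypothetical helper).

    explicit: dict such as {'http': ..., 'https': ...} from analyzer config
    environ:  mapping of environment variables (os.environ in production)
    """
    explicit = explicit or {}
    environ = environ or {}
    target = urlsplit(target_url)
    # An explicitly configured proxy wins over the environment.
    if explicit.get(target.scheme):
        return 'explicit', redact(explicit[target.scheme])
    # Simplified environment lookup: lowercase name first, then uppercase.
    var = target.scheme + '_proxy'
    proxy = environ.get(var) or environ.get(var.upper())
    if not proxy:
        return 'none', None
    # A NO_PROXY match means the request goes out directly.
    no_proxy = environ.get('no_proxy') or environ.get('NO_PROXY')
    if no_proxy and proxy_bypass_environment(target.netloc, {'no': no_proxy}):
        return 'bypassed', None
    return 'environment', redact(proxy)


# Constructed sample values, not taken from the issue.
SAMPLE_ENV = {
    'HTTP_PROXY': 'http://myuser:mypass@proxy.example:3128/',
    'HTTPS_PROXY': 'http://myuser:mypass@proxy.example:3128/',
    'NO_PROXY': '.internal.example',
}

if __name__ == '__main__':
    for url in ('https://misp.example.org/', 'https://misp.internal.example/'):
        print(url, resolve_proxy(url, environ=SAMPLE_ENV))
```

Running it inside the analyzer's process environment, with `os.environ` passed as `environ`, shows which of the two paths actually supplies the proxy for the configured MISP URL.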


SimonSays4223 commented Mar 21, 2018

It's a bit strange, because it works out with the global config for other plugins (GoogleSafeBrowsing) etc.


3c7 commented Mar 21, 2018

Confirmed. Have a fix for that, but need to check if other analyzers need a hotfix and merge it afterwards.

3c7 closed this as completed in 008b271 Mar 21, 2018