
Cortex Responder - Invalid Output #331

Closed
jordisk opened this issue Aug 7, 2018 · 10 comments
category:bug Issue is related to a bug

Comments

@jordisk

jordisk commented Aug 7, 2018

Cortex Responder - Invalid Output

I'm trying to write a simple responder using the latest version of Cortex (2.1.0-RC1). Based on the Mailer responder, I wrote the following code:

#!/usr/bin/env python3
# encoding: utf-8

from cortexutils.responder import Responder


class Sigmaexport(Responder):
    def __init__(self):
        Responder.__init__(self)
        # My code: read the TheHive endpoint and API key from the responder config
        self.thehive_apiurl = self.get_param(
            'config.thehive_apiurl', None, 'Missing api URL')
        self.thehive_apikey = self.get_param(
            'config.thehive_apikey', None, 'Missing api key')

    def run(self):
        # Responder.run(self)
        # Case fields arrive under "data"; get_param errors out if they are missing
        title = self.get_param('data.title', None, 'title is missing')
        description = self.get_param('data.description', None, 'description is missing')
        if self.data_type == 'thehive:case':
            # report() prints the JSON result to stdout, which is what Cortex parses
            self.report({'message': 'messageOK'})
        else:
            self.error('Invalid dataType')

    def operations(self, raw):
        # Operations Cortex asks TheHive to apply once the responder succeeds
        return [self.build_operation('AddTagToCase', tag='responderOK')]


if __name__ == '__main__':
    Sigmaexport().run()

And the JSON file has the following content:

{
  "name": "SigmaExport",
  "version": "0.1",
  "author": "jordisk",
  "url": "https://github.com/Jordisk",
  "license": "AGPL-V3",
  "description": "Export Observables in SIGMA Rule format",
  "dataTypeList": ["thehive:case", "thehive:alert"],
  "command": "SigmaExport/sigmaexport.py",
  "baseConfig": "SigmaExport",
  "configurationItems": [
    {
      "name": "thehive_apiurl",
      "description": "URL of your The Hive instance (including port)",
      "type": "string",
      "multi": false,
      "required": true,
      "defaultValue": "http://localhost:9000/api"
    },
    {
      "name": "thehive_apikey",
      "description": "API Key to get observables from a case",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}

The new responder is detected by Cortex and I've set up the URL and API key, but when running the responder on a case in TheHive, it fails.

Here is the info from the Cortex job:

Input

{
  "customFields": {},
  "pap": 2,
  "metrics": {},
  "createdBy": "jvazquez",
  "flag": false,
  "caseId": 4,
  "status": "Open",
  "createdAt": 1533630826133,
  "owner": "jvazquez",
  "severity": 2,
  "title": "ips",
  "tlp": 2,
  "startDate": 1533630780000,
  "description": "case for testing",
  "updatedBy": "jvazquez",
  "updatedAt": 1533655233899,
  "_type": "case",
  "_routing": "AWUThUdGDIAO2ONGHUtQ",
  "_parent": null,
  "_id": "AWUThUdGDIAO2ONGHUtQ",
  "_version": 3,
  "id": "AWUThUdGDIAO2ONGHUtQ"
}

Report

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

Any idea regarding where might be the problem?

I've tried with cortexutils 1.2.4 and 1.3.0 without any success.

@jordisk jordisk changed the title Cortex Respoonder - Invalid Input Cortex Respoonder - Invalid Output Aug 8, 2018
@jordisk jordisk changed the title Cortex Respoonder - Invalid Output Cortex Responder - Invalid Output Aug 8, 2018
@crackytsi
Contributor

Does the Python script have the executable flag set?

@3c7
Contributor

3c7 commented Aug 15, 2018 via email

@jordisk
Author

jordisk commented Aug 16, 2018

Yes, the script has the executable flag set. I updated the initial post with the full code (just added the first two lines):

#!/usr/bin/env python3
# encoding: utf-8

Also, I've tested with python3 and python (2) and I got the same error.

@3c7
Contributor

3c7 commented Aug 17, 2018

Is there any responder related output in the cortex log?

@jordisk
Author

jordisk commented Aug 17, 2018

There are only a few related lines, and all of them are INFO:

2018-08-16 21:08:36,677 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-2 - Job cache is disabled
2018-08-16 21:08:37,028 [INFO] from org.thp.cortex.services.JobSrv in application-responder-47 - Execute SigmaExport/sigmaexport.py in /opt/Cortex-Analyzers/responders
2018-08-16 21:08:37,750 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-11 - Register new listener for job AWVEkZbQOTnr0bTni0mv (Actor[akka://application/temp/$a])
2018-08-16 21:08:38,028 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-29 - Job AWVEkZbQOTnr0bTni0mv has finished with status Failure
2018-08-16 21:08:38,029 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-11 - Job AWVEkZbQOTnr0bTni0mv has be updated (JsDefined("Failure"))
2018-08-16 21:09:37,771 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-2 - Unregister listener for job AWVEkZbQOTnr0bTni0mv (Actor[akka://application/temp/$a])

@saadkadhi
Contributor

@To-om can you please help @jordisk? Thanks!

@saadkadhi saadkadhi added the category:bug Issue is related to a bug label Aug 21, 2018
@crackytsi
Contributor

@jordisk, is the owner set to cortex:cortex?

@jordisk
Author

jordisk commented Aug 21, 2018

Hi @crackytsi, yes, it was owned by root. I have to say I'm using the training VM. I've changed the owner of the responder to cortex:cortex and am still getting the same error.
After changing permissions to 777 I'm getting a new error:

Invalid output
Traceback (most recent call last):
  File "SigmaExport/sigmaexport.py", line 4, in <module>
    from cortexutils.responder import Responder
ImportError: No module named 'cortexutils.responder'

After removing and reinstalling cortexutils, it finally works.

Many thanks for your help!

@ErnHem

ErnHem commented Aug 21, 2018

Hi All,
I had the same problem. After launching the responder I received "Invalid Output", but after I changed the rights of the responder's folder everything works. Thanks.

@arnydo
Contributor

arnydo commented Nov 27, 2018

@crackytsi this is one of those that just makes you want to punch yourself in the nose. I don't know how much time I spent trying to figure out why the output was invalid... it wasn't... it just wasn't there because the program never had permission to run! lol, thanks for the tip.
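As an added example that is not part of the original issue nor of the Cortex or cortexutils code: a dry-run harness that launches a responder the way Cortex does (job JSON on stdin, one JSON document expected on stdout) and reports the actual cause when stdout is not JSON, which is all the UI's "Invalid output" means. It reproduces the three states from this thread: a working responder, one without the executable bit (the original failure in the first post), and one whose import fails (the traceback that only appeared after the mode was fixed). The function names, the trimmed job input, the three sample scripts and the module name `no_such_module_xyz` are my constructions, and the report shape is my reading of cortexutils 1.x, so check it against the version you run.

```python
#!/usr/bin/env python3
"""Dry-run a Cortex responder the way Cortex launches it and explain *why* the
output is invalid, instead of the bare "Invalid output" seen in the thread.
Added example, not Cortex's or cortexutils' own code; assumptions (mine):
Cortex 2.x / cortexutils 1.x feed the job input as JSON on stdin and parse
stdout as one JSON document, and {"success","full","operations"} is the report
shape cortexutils' Responder.report() emits. Helper names and input are constructed."""
import json
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

# Constructed job input, trimmed from the case JSON posted in the issue.
SAMPLE_JOB_INPUT = {
    "dataType": "thehive:case",
    "data": {"caseId": 4, "title": "ips", "description": "case for testing"},
    "config": {"thehive_apiurl": "http://localhost:9000/api", "thehive_apikey": "dummy"},
}

# Minimal responder with no cortexutils dependency (constructed for the demo).
GOOD_RESPONDER = """#!/usr/bin/env python3
import json, sys
job = json.load(sys.stdin)
if job.get("dataType") != "thehive:case":
    print(json.dumps({"success": False, "errorMessage": "Invalid dataType"}))
    sys.exit(1)
print(json.dumps({"success": True, "full": {"message": "messageOK"},
                  "operations": [{"type": "AddTagToCase", "tag": "responderOK"}]}))
"""
# Same script, but importing a module that is not installed (the ImportError case).
BROKEN_IMPORT_RESPONDER = ("#!/usr/bin/env python3\nimport no_such_module_xyz\n"
                           + GOOD_RESPONDER.split("\n", 1)[1])


def preflight(script: Path) -> list:
    """Static checks. Returns the reasons the script cannot even start (empty = fine)."""
    problems = []
    if not script.is_file():
        return ["%s: no such file" % script]
    if not os.access(script, os.X_OK):
        mode = stat.filemode(script.stat().st_mode)
        problems.append("not executable for this user (mode %s): chmod +x and check owner" % mode)
    with script.open("rb") as fh:
        first = fh.readline()
    words = first[2:].split() if first.startswith(b"#!") else []
    if not words:
        problems.append("no shebang line: execve() will fail with ENOEXEC")
    else:
        # "#!/usr/bin/env python3" -> look up python3 on PATH; "#!/usr/bin/python3" -> stat it
        target = (words[1] if len(words) > 1 and words[0].endswith(b"/env") else words[0]).decode()
        found = os.path.exists(target) if "/" in target else shutil.which(target)
        if not found:
            problems.append("shebang interpreter %r not found" % target)
    return problems


def run_like_cortex(script: Path, job_input: dict, timeout: int = 30) -> dict:
    """Run the script as Cortex does; return its report, or a Cortex-style failure plus a diagnosis."""
    def fail(diagnosis):
        return {"success": False, "errorMessage": "Invalid output\n",
                "input": None, "diagnosis": diagnosis}
    try:
        proc = subprocess.run([str(script)], input=json.dumps(job_input).encode(),
                              capture_output=True, timeout=timeout, cwd=str(script.parent))
    except PermissionError as exc:          # no x bit for this user, or wrong owner/group
        return fail("exec failed: %s (fix mode/owner)" % exc.strerror)
    except OSError as exc:                  # e.g. ENOEXEC from a bad or missing shebang
        return fail("exec failed: %s" % exc)
    try:
        report = json.loads(proc.stdout.decode())
    except ValueError:                      # empty or non-JSON stdout: this is "Invalid output"
        stderr = proc.stderr.decode(errors="replace").strip()
        return fail("stdout is not JSON (exit %d); stderr: %s"
                    % (proc.returncode, stderr or "<empty>"))
    report["diagnosis"] = "ok"
    return report


def demo(tmpdir: str = None) -> dict:
    """Write three copies of the minimal responder and dry-run each: 'ok' (mode 755),
    'noexec' (mode 644, the thread's starting state) and 'badimport' (755, missing module)."""
    base = Path(tmpdir or tempfile.mkdtemp(prefix="cortex-dryrun-"))
    cases = {"ok": (GOOD_RESPONDER, 0o755),
             "noexec": (GOOD_RESPONDER, 0o644),
             "badimport": (BROKEN_IMPORT_RESPONDER, 0o755)}
    results = {}
    for name, (source, mode) in cases.items():
        path = base / (name + ".py")
        path.write_text(source)
        path.chmod(mode)
        results[name] = {"preflight": preflight(path),
                         "report": run_like_cortex(path, SAMPLE_JOB_INPUT)}
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result, indent=2))
```

To use it against a real responder, run it as the account Cortex runs under (for example `sudo -u cortex python3 dryrun.py`), since both `os.access()` and the exec are evaluated for the invoking user; a script that is 755 but owned by root in a 700 directory passes as root and still fails as `cortex`. Point `run_like_cortex()` at the real script with the job input you copied from the Cortex job page, and the `diagnosis` field tells you whether the process never started, died before printing (the traceback goes to stderr, which Cortex does not show), or printed something that is not JSON.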
