eml_parser Unexpected Error: list index out of range #352

Closed
ghuser0234 opened this issue Oct 9, 2018 · 10 comments

@ghuser0234

Request Type

Bug

Description

eml_parser Unexpected Error: list index out of range

I'm using eml_parser with TheHive project and all analysis fails with
Unexpected Error: list index out of range
I'm not sure where else to find any other logging or info to troubleshoot this. I think there may be an issue with the different versions EmlParser & eml_parser.

@ninSmith
Contributor

Does it fail with one and only one eml?

@ghuser0234
Author

ghuser0234 commented Oct 10, 2018

I guess I'm not sure what you mean? I've only tried to add one file at a time in .eml format to the analyzer and always get the same results.
I go to Cortex > Analyzers > EMLParser_1_0 > Run > add a file (email in .eml format) > click Start. Here are a couple of the analyzer job reports:

{ "errorMessage": "Unexpected Error: list index out of range", "input": "{\"pap\":2,\"message\":\"\",\"contentType\":\"message/rfc822\",\"filename\":\"testmessage.eml\",\"config\":{\"check_pap\":true,\"proxy_http\":null,\"check_tlp\":false,\"proxy_https\":null,\"auto_extract_artifacts\":true,\"service\":\"\",\"max_pap\":2,\"max_tlp\":3},\"tlp\":2,\"file\":\"/tmp/cortex-job-AWZfFAbpAZOm6PYMY2El-6191139475538346792\",\"parameters\":{},\"dataType\":\"file\"}", "success": false }

{ "errorMessage": "Unexpected Error: list index out of range", "input": "{\"tlp\":2,\"parameters\":{},\"filename\":\"testmessage.eml\",\"message\":\"\",\"config\":{\"service\":\"\",\"proxy_http\":null,\"max_pap\":2,\"max_tlp\":3,\"check_tlp\":false,\"check_pap\":true,\"auto_extract_artifacts\":true,\"proxy_https\":null},\"pap\":2,\"contentType\":\"message/rfc822\",\"dataType\":\"file\",\"file\":\"/tmp/cortex-job-AWZfEnJHAZOm6PYMY2Ek-1356359546964002773\"}", "success": false }

@ninSmith
Contributor

Sorry for the misunderstanding.

Did you try with other eml files or only with testmessage.eml?

@ghuser0234
Author

No worries! I've tried it with probably 10 different messages.

@megan201296
Contributor

@ninSmith I can confirm I am having the same issue with multiple .eml files.

@ninSmith
Contributor

Unfortunately I can't reproduce the bug.
Would one of you be able to share an eml file where the analysis fails?
If so, please forward it to support[@]thehive-project.org and I'll try to debug that.

Thanks,

3c7 added the labels category:bug (Issue is related to a bug), help wanted, scope:analyzer (Issue is analyzer related) on Nov 19, 2018

@arnydo
Contributor

arnydo commented Nov 27, 2018

@ninSmith Same issue here. It is not every eml but several .eml's that have the same structure.
I have sent a copy of one to support[@]thehive-project.org if you can take a peek.

@ninSmith
Contributor

ninSmith commented Nov 28, 2018

I think I've solved the issue, could you try it and confirm: https://github.com/TheHive-Project/Cortex-Analyzers/tree/hotfix/EmlParser/analyzers/EmlParser

I'm scared that the fix works only with the eml you provided me, so feel free to try several samples.

@arnydo
Contributor

arnydo commented Nov 28, 2018

@ninSmith This worked for me. I tried multiple eml files and they seem to run as expected. It does look like the ones with issues had html in the body...

@ninSmith
Contributor

So what I've found is that when parsed, the eml doesn't have any body.
Instead, it has 2 attachments, 1 with the email body as text and one with the email body as html.
I figured that best would be to render the html version (I'm not sure how links are processed in the text version).

Good, then I'll add this for the next release.

ninSmith added this to the 1.14.3 milestone on Nov 28, 2018
ninSmith added a commit that referenced this issue Nov 28, 2018
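
The failure mode described in the last comment (no body, two attachments holding the text and HTML versions), as an added example that is not part of the thread or of the analyzer's code. It uses Python's standard `email` module rather than eml_parser, and the sample message and the functions `split_parts`, `naive_body` and `safe_body` are constructed for illustration.

```python
from email import message_from_bytes, policy

# Constructed sample: both renderings of the body are flagged as attachments,
# so a parser that separates "body" from "attachments" finds no body at all.
SAMPLE_EML = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="body.txt"

Plain body, link: http://example.com/
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="body.html"

<html><body><a href="http://example.com/">HTML body</a></body></html>
--b1--
"""

def split_parts(raw):
    """Return (bodies, attachments), each a list of (content_type, text)."""
    msg = message_from_bytes(raw, policy=policy.default)
    bodies, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and binary attachments
        is_attachment = part.get_content_disposition() == "attachment"
        target = attachments if is_attachment else bodies
        target.append((part.get_content_type(), part.get_content()))
    return bodies, attachments

def naive_body(raw):
    # Hypothetical "before": assumes at least one body part exists.
    return split_parts(raw)[0][0]  # IndexError when bodies is empty

def safe_body(raw):
    # Hypothetical "after": prefer a real body, then fall back to text
    # attachments, choosing HTML over plain text as in the thread.
    bodies, attachments = split_parts(raw)
    for candidates in (bodies, attachments):
        for wanted in ("text/html", "text/plain"):
            for ctype, text in candidates:
                if ctype == wanted:
                    return ctype, text
    return None, ""  # nothing renderable: report it, do not index
```

Calling `naive_body(SAMPLE_EML)` raises the same `list index out of range` error seen in the job reports, while `safe_body(SAMPLE_EML)` returns the HTML attachment.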