[Bug] MaxMind_GeoIP_3_0 #564

KRUXLEX · 2019-12-04T10:42:18Z

Describe the bug
MaxMind_GeoIP_3_0 analyzer don't work. When you try analize a some IP you receive error
"errorMessage": "Invalid IP address",

To Reproduce
Standard run analyzer by hive or create a job on cortex.

Expected behavior
Working

Complementary information

{
  "errorMessage": "Invalid IP address",
  "input": "{\"pap\":2,\"tlp\":2,\"parameters\":{},\"dataType\":\"ip\",\"data\":\"8.8.8.8\",\"message\":\"\",\"config\":{\"check_pap\":true,\"check_tlp\":true,\"proxy_https\":\"http://our.proxy.com:8080\",\"proxy_http\":\"http://our.proxy.com:8080\",\"max_tlp\":2,\"auto_extract_artifacts\":true,\"cacerts\":null,\"jobTimeout\":30,\"proxy\":{\"http\":\"http://our.proxy.com:8080\",\"https\":\"http://our.proxy.com:8080\"},\"jobCache\":10,\"max_pap\":2}}",
  "success": false
}

Work environment

Client OS: Debian9
Server OS: CentOS7
Browse type and version:
Cortex version:
Cortex Analyzer/Responder name:MaxMind_GeoIP_3_0
Cortex Analyzer/Responder version:3.0

Possible solutions
Don't know

Additional context
nOpe

The text was updated successfully, but these errors were encountered:

emp4556 · 2020-01-08T14:28:59Z

Hello, i have the same bug. Did you find a solution ?

nadouani · 2020-01-08T14:33:22Z

Can you please give more context about Cortex version, if you use dockerize analyzers etc...

garanews · 2020-01-20T13:57:14Z

The problem seems to be related with name/names fields for country, continent and city dicts because they can contain non utf 8 chars (like russian, french, chinese translations).
Simply switching from python2 to python3, it resolve the issue, change the first row in geo.py :

#!/usr/bin/env python3

Output returned correctly:

{
  "city": {
    "confidence": null,
    "geoname_id": 5380748,
    "name": "Palo Alto",
    "names": "{'de': 'Palo Alto', 'en': 'Palo Alto', 'es': 'Palo Alto', 'fr': 'Palo Alto', 'ja': 'パロアルト', 'pt-BR': 'Palo Alto', 'ru': 'Пало Альто'}"
  }

A workaround for python2 can be something like this:

    def dump_city(self, city):
        return {
            'confidence': city.confidence,
            'geoname_id': city.geoname_id,
            'name': str(city.name),
            'names': str(city.names)
        }

in this way, when non utf8 comes, it will shown as this:

  "city": {
    "geoname_id": 5380748,
    "confidence": null,
    "name": "Palo Alto",
    "names": "{u'ru': u'\\u041f\\u0430\\u043b\\u043e \\u0410\\u043b\\u044c\\u0442\\u043e', u'fr': u'Palo Alto', u'en': u'Palo Alto', u'de': u'Palo Alto', u'pt-BR': u'Palo Alto', u'ja': u'\\u30d1\\u30ed\\u30a2\\u30eb\\u30c8', u'es': u'Palo Alto'}"
  },

We would support python3 only in official analyzer 😸

KRUXLEX · 2020-01-23T08:08:20Z

Can you please give more context about Cortex version, if you use dockerize analyzers etc...

This is a python3 issue. I check upper workaround. It's work's but I need official fix.

jeromeleonard · 2020-02-10T15:33:18Z

Should be fixed with 2.4.0, shebang has been updated with python3. Closing the issue.

KRUXLEX added the category:bug Issue is related to a bug label Dec 4, 2019

jeromeleonard closed this as completed Feb 10, 2020

dadokkio mentioned this issue Apr 22, 2020

[Bug] MaxMind #752

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] MaxMind_GeoIP_3_0 #564

[Bug] MaxMind_GeoIP_3_0 #564

KRUXLEX commented Dec 4, 2019

emp4556 commented Jan 8, 2020

nadouani commented Jan 8, 2020

garanews commented Jan 20, 2020

KRUXLEX commented Jan 23, 2020

jeromeleonard commented Feb 10, 2020

[Bug] MaxMind_GeoIP_3_0 #564

[Bug] MaxMind_GeoIP_3_0 #564

Comments

KRUXLEX commented Dec 4, 2019

emp4556 commented Jan 8, 2020

nadouani commented Jan 8, 2020

garanews commented Jan 20, 2020

KRUXLEX commented Jan 23, 2020

jeromeleonard commented Feb 10, 2020