PyMISP
                                
                            
                            
                            
                        The response is not in JSON
Hi Team Pymisp,
I'm trying to send events to Azure Sentinel but receive the error Unknown error: the response is not in JSON.
Config.py content excluding graph_auth
targetProduct = 'Azure Sentinel'
misp_event_filters = []
action = 'alert'
passiveOnly = False
days_to_expire = 30
misp_key = 'XXXXXXXXXXXXXX'
misp_domain = 'XXXXXXXXXXXXXXXXX'
misp_verifycert = False
Error Log
(mispToSentinel) XXX@XXX:~/mispToSentinel/security-api-solutions/Samples/MISP$ sudo python3 script.py
fetching & parsing data from misp...
Unknown error: the response is not in JSON.
Something is broken server-side, please send us everything that follows (careful with the auth key):
Request headers:
{'User-Agent': 'PyMISP 2.4.144 - Python 3.6', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Cookie': 'MISP-2906f9eb-3ab4-4838-8a5b-6c42305b4b8c=r4vcgpirqpcbve8onbfhoroi6n', 'Content-Length': '265', 'Authorization': '', 'content-type': 'application/json'}
Request body:
{"returnFormat": "json", "withAttachments": 0, "metadata": 0, "enforceWarninglist": 0, "includeEventUuid": 0, "includeEventTags": 0, "sgReferenceOnly": 0, "includeContext": 0, "headerless": 0, "includeSightings": 0, "includeDecayScore": 0, "includeCorrelations": 0}
Response (if any):
Traceback (most recent call last):
  File "script.py", line 100, in <module>
    main()
  File "script.py", line 69, in main
    events = _get_events()
  File "script.py", line 16, in _get_events
    return [event['Event'] for event in misp.search(controller='events', return_format='json')]
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 2473, in search
    normalized_response = self._check_json_response(response)
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 3400, in _check_json_response
    r = self._check_response(response, expect_json=True)
  File "/usr/local/lib/python3.6/dist-packages/pymisp/api.py", line 3417, in _check_response
    raise MISPServerError(f'Error code 500:\n{response.text}')
pymisp.exceptions.MISPServerError: Error code 500:
Can you help?
Yes: you need to add some limits to your query. As it is, it will return the complete database, which will either time out or run out of memory.
If you really want to get the complete database, you need to use page and limit and iterate.
Hi @Rafiot, how can I write that? Could you please help?
In theory, it just means adding limit=100, page=1 (and incrementing the page) to the search call, but it depends on what you're doing. Can you please share the call that is failing?
When I run the command (python3 script.py) to send TI feeds from MISP to Sentinel, I get the same error that @MasterControl00 mentioned.
Please help
(mispToSentinel) XXX@XXX:~/mispToSentinel/security-api-solutions/Samples/MISP$ sudo python3 script.py
fetching & parsing data from misp...
Unknown error: the response is not in JSON.
Something is broken server-side, please send us everything that follows (careful with the auth key):
Request headers:
{'User-Agent': 'PyMISP 2.4.144 - Python 3.6', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Cookie': 'MISP-2906f9eb-3ab4-4838-8a5b-6c42305b4b8c=r4vcgpirqpcbve8onbfhoroi6n', 'Content-Length': '265', 'Authorization': '', 'content-type': 'application/json'}
Request body:
{"returnFormat": "json", "withAttachments": 0, "metadata": 0, "enforceWarninglist": 0, "includeEventUuid": 0, "includeEventTags": 0, "sgReferenceOnly": 0, "includeContext": 0, "headerless": 0, "includeSightings": 0, "includeDecayScore": 0, "includeCorrelations": 0}
Response (if any):
Traceback (most recent call last):
File "script.py", line 100, in 
Let me know what query can help.
OK, so you're trying to get all the events from the MISP instance. That's probably a bad idea, but if you want to do that, your call should look like this:
misp.search(controller='events', return_format='json', limit=10, page=1)
Which will give you 10 events, and the 1st page. Then, you can increment the page number to get the other events.
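The page-by-page iteration described above, written out as an added example; it is not part of the original thread or of PyMISP itself. The names `iter_misp_events`, `FakeMISP`, `page_size` and `max_pages` are assumptions made for illustration, and `FakeMISP` is a constructed stand-in so the loop runs offline; with a real client, pass the `PyMISP` object instead.

```python
from typing import Any, Iterator


def iter_misp_events(misp: Any, page_size: int = 100, max_pages: int = 1000,
                     **filters: Any) -> Iterator[dict]:
    """Yield events page by page instead of pulling the whole database at once."""
    if page_size < 1:
        raise ValueError("page_size must be >= 1")
    for page in range(1, max_pages + 1):
        batch = misp.search(controller='events', return_format='json',
                            limit=page_size, page=page, **filters)
        # Assumption: a successful JSON search returns a list of {'Event': ...}
        # items, so a dict here is treated as an error response, not as data.
        if isinstance(batch, dict):
            raise RuntimeError(f"MISP search failed on page {page}: {batch}")
        if not batch:
            return  # empty page: every event has been read
        for item in batch:
            yield item['Event']
    raise RuntimeError("max_pages reached; narrow the query with filters")


class FakeMISP:
    """Constructed stand-in for a PyMISP client (hypothetical, offline only)."""
    def __init__(self, n_events: int) -> None:
        self._events = [{'Event': {'id': str(i), 'info': f'constructed event {i}'}}
                        for i in range(1, n_events + 1)]
        self.calls = []  # records (limit, page) for each request made

    def search(self, controller, return_format, limit, page, **filters):
        self.calls.append((limit, page))
        start = (page - 1) * limit
        return self._events[start:start + limit]


if __name__ == "__main__":
    fake = FakeMISP(25)
    for event in iter_misp_events(fake, page_size=10):
        print(event['id'], event['info'])
    print("requests made:", fake.calls)
```

The `max_pages` guard bounds the number of requests, so a query that is still too broad fails with a clear error instead of running indefinitely against the server.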
@arunsingh0
Were you able to resolve the above error? I have the same problem. Can you share the solution?