
[Bug] A custom responder return with an empty error

Open · dragsu opened this issue 2 years ago · 1 comment

Describe the bug

I have written a bare minimal responder that just returns a success message for a request from TheHive. However, I get the status failure without much information.

#!/usr/bin/env python3

from cortexutils.responder import Responder

class SampleService(Responder):
    def __init__(self):
        Responder.__init__(self)

    def run(self):
        Responder.run(self)
        # Responder.report() writes the result as the job output report
        self.report({'message': "success"})

    def operations(self, raw):
        # Operations TheHive should apply after a successful run
        return [self.build_operation("AddTagToCase", tag="sampleId:id-1")]

if __name__ == "__main__":
    SampleService().run()

When I run the responder from TheHive, I get the below output in the application logs with a warning saying [warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file.

[info] o.t.c.s.DockerJobRunnerSrv - Execute container bf99c645848c9ca0f9f00d573b7f1b8d21220f272f9003b4fb44b8c87c0370b9
  timeout: 30 minutes
  image  : cortex-neurons/sample_service:0.2
  volume : /tmp/cortex-jobs/cortex-job-Fk2v5ocBSFpERmG9YbQq-7518629213985387577:/job
[info] c.s.d.c.DefaultDockerClient - Starting container with Id: bf99c645848c9ca0f9f00d573b7f1b8d21220f272f9003b4fb44b8c87c0370b9
[info] o.t.c.s.AccessLogFilter - 192.168.65.205 GET /api/alert took 17ms and returned 200 2 bytes
[warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file.
[info] o.t.c.s.JobSrv - Job Fk2v5ocBSFpERmG9YbQq has finished with status Failure
[info] o.t.c.s.AuditActor - Job Fk2v5ocBSFpERmG9YbQq has be updated (JsDefined("Failure"))

In the Cortex UI I can see the observable information as input, and the output (Report) only contains:

{
  "errorMessage": "",
  "input": null,
  "success": false
}

Work environment

  • Cortex version: thehiveproject/cortex:3.1.7-withdeps
  • TheHive version: strangebee/thehive:5.1
  • Elasticsearch version: docker.elastic.co/elasticsearch/elasticsearch:7.17.9
  • Cassandra version: cassandra:4

Additional information

  • I have setup services based on information provided at https://docs.strangebee.com/thehive/setup/installation/docker/#using-your-own-configuration-file
  • I can successfully run MISP Analyser without any issues and get the correct output in TheHive
  • I have been pulling my hair for hours

dragsu, May 04 '23 12:05

I found a fix for this. I was following https://thehive-project.github.io/Cortex-Analyzers/dev_guides/dockerize-your-custom-analyzers-responders/ and when you build the docker image the ENTRYPOINT command is set as ENTRYPOINT \$command. This is only passing the file path, not prefixed with the python command.

I had to modify the build_image() as follows.

build_image() {
    JSON=$1
    # Unquoted heredoc: \$ keeps the Dockerfile's own variable references intact
    cat << EOF > /tmp/default_dockerfile
FROM python:3
WORKDIR /worker
ARG workername
ARG command
# changed: keep the build-arg in an ENV so it is still visible at container run time
ENV env_arg=\$command
COPY . \$workername
RUN test ! -e \$workername/requirements.txt || pip install --no-cache-dir -r \$workername/requirements.txt
# changed: run the worker through python instead of exec'ing the bare file path
ENTRYPOINT python \$(echo \$env_arg)
EOF

    DEFAULT_DOCKERFILE=/tmp/default_dockerfile
    TAG=`cat ${JSON} | jq -r '( "'"$DOCKER_REPOSITORY"'" + "/" + (.name | ascii_downcase) + ":" + (.version))'`
    WORKER_NAME=`cat ${JSON} | jq -r '(.version)'`
    COMMAND=`cat ${JSON} | jq -r '(.command)'`
    DIRNAME=`dirname ${JSON}`
    WORKER_NAME=`basename ${DIRNAME}`
    if test -f ${DIRNAME}/Dockerfile
    then
        docker build -t ${TAG} `dirname ${JSON}`
    else
        docker build --build-arg workername=${WORKER_NAME} --build-arg command=${COMMAND} -f ${DEFAULT_DOCKERFILE} -t ${TAG} `dirname ${JSON}`
    fi
}

dragsu, May 05 '23 05:05
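The fix above can be reproduced without docker or cortexutils. Docker's shell-form ENTRYPOINT runs its string through `sh -c`, so a bare path to a `.py` file is exec'd directly and fails unless the file carries an executable bit, whereas `python <path>` runs regardless; either way, if the worker never writes its output file, Cortex reports exactly the "The worker didn't generate output file" warning from the logs. The script below is an added example, not code from the issue or from the Cortex-Analyzers project: it uses a constructed stand-in worker that follows the job-directory protocol cortexutils is assumed to use (input read from `<job>/input/input.json`, report written to `<job>/output/output.json`, job directory passed as `argv[1]`), launches it under both ENTRYPOINT forms, and reports whether an output file appeared. `sys.executable` stands in for the `python` prefix; the input JSON and the report layout are constructed samples.

```python
"""Added example (not from the issue or the Cortex-Analyzers project):
why `ENTRYPOINT $command` leaves no output file while `ENTRYPOINT python $command` does.
"""
import json
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the responder in the issue. It has the shebang but,
# like a file copied into an image without chmod, it gets no executable bit.
# Assumption: same file protocol as cortexutils (argv[1] = job dir,
# input at <job>/input/input.json, report at <job>/output/output.json).
WORKER_SOURCE = textwrap.dedent('''\
    #!/usr/bin/env python3
    import json, os, sys

    job_dir = sys.argv[1]
    with open(os.path.join(job_dir, "input", "input.json")) as f:
        data = json.load(f)
    os.makedirs(os.path.join(job_dir, "output"), exist_ok=True)
    with open(os.path.join(job_dir, "output", "output.json"), "w") as f:
        json.dump({"success": True,
                   "full": {"message": "success"},
                   "operations": [{"type": "AddTagToCase",
                                   "tag": "sampleId:" + str(data.get("data"))}]}, f)
    ''')


def make_job_dir(root):
    """Create <root>/job holding a constructed input.json like the one Cortex hands to a worker."""
    job = os.path.join(root, "job")
    os.makedirs(os.path.join(job, "input"))
    with open(os.path.join(job, "input", "input.json"), "w") as f:
        json.dump({"dataType": "thehive:case", "data": "id-1"}, f)
    return job


def run_worker(entrypoint, job_dir):
    """Mimic docker's shell-form ENTRYPOINT: sh -c "<entrypoint> <job_dir>".

    Returns (exit_code, report); report is None when no output.json was written,
    which is the condition DockerJobRunnerSrv warns about.
    """
    proc = subprocess.run(["sh", "-c", f"{entrypoint} {job_dir}"],
                          capture_output=True, text=True)
    out = os.path.join(job_dir, "output", "output.json")
    if not os.path.exists(out):
        return proc.returncode, None
    with open(out) as f:
        return proc.returncode, json.load(f)


def compare_entrypoints():
    """Run the same worker under both ENTRYPOINT forms and summarise what Cortex would see."""
    with tempfile.TemporaryDirectory() as root:
        worker = os.path.join(root, "sample_service.py")
        with open(worker, "w") as f:
            f.write(WORKER_SOURCE)  # default file mode: readable, not executable
        forms = {
            "bare_path": worker,                         # ENTRYPOINT $command
            "python_prefix": f"{sys.executable} {worker}",  # ENTRYPOINT python $command
        }
        results = {}
        for label, entry in forms.items():
            job = make_job_dir(os.path.join(root, label))
            rc, report = run_worker(entry, job)
            results[label] = {
                "exit_code": rc,
                "output_written": report is not None,
                "success": bool(report and report.get("success")),
            }
        return results


if __name__ == "__main__":
    print(json.dumps(compare_entrypoints(), indent=2))
```

Running it prints one entry per ENTRYPOINT form: the bare path exits non-zero from `sh` and leaves `output_written` false, which is the empty `errorMessage` / `success: false` report seen in the Cortex UI, while the `python`-prefixed form writes the report with `success: true`.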