[Bug] Mailer Responder is checking for recipient tags starting with "mail:"

Open jan4401 opened this issue 5 years ago • 3 comments

Describe the bug

The Mailer Responder checks the tags list for the recipient mail address. In line 43 it checks for tags starting with "mail:", but with TheHive 4.0 the tags are using equal signs and not colons: "mail=". When using colons instead of equal signs in TheHive 4.0, it's automatically converted into an equal sign.

To Reproduce

Steps to reproduce the behavior:

  1. Configure Mailer 1.0 Responder
  2. Create Case
  3. Create Tag: "mail:[email protected]"
  4. Start Responder Mailer for this case.
  5. Check Result of Responder for Error Message: recipient address not found in tags

Expected behavior

Normally the email tag should be detected by the responder python script.

Complementary information

Before clicking on the green hook: [image]
After clicking: [image]

Work environment

  • Cortex version: 3.0.1-1
  • TheHive version: 4.0.0-1
  • Cortex Analyzer/Responder name: Mailer
  • Cortex Analyzer/Responder version: 1.0

Possible solutions

Change Line 43 from

t.startswith("mail:")

to

t.startswith("mail=")

Additional context

Could not test with TheHive 3.x.

jan4401 Sep 08 '20 12:09

See pull request https://github.com/TheHive-Project/Cortex-Analyzers/pull/848

jan4401 Sep 08 '20 12:09

Any solutions to this so far?

viszsec Oct 21 '20 06:10

The pull proposed by @jan4401 is working. At the moment it has just been merged into develop, but you can test it.

dadokkio Oct 21 '20 06:10
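A separator-tolerant version of the tag check discussed in this issue, as an added example that is not the Mailer responder's code or the merged pull request. It accepts both "mail:" and "mail=" and, as an assumption beyond the issue, rejects tag values that are not a single plain address; `recipient_from_tags`, `PREFIXES` and `ADDRESS_RE` are hypothetical names and the sample tags are constructed.

```python
import re

# Both separators named in the issue: "mail:" (what line 43 checks for) and
# "mail=" (what TheHive 4.0 stores after converting the colon).
PREFIXES = ("mail:", "mail=")

# Deliberately narrow address pattern (assumption, not the project's rule):
# one local part, one "@", a dotted domain, no whitespace or separators.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def recipient_from_tags(tags):
    """Return the first usable recipient address found in the tags, else None.

    None corresponds to the "recipient address not found in tags" error
    described in the issue.
    """
    for tag in tags:
        if not isinstance(tag, str):
            continue
        candidate = tag.strip()
        lowered = candidate.lower()
        prefix = next((p for p in PREFIXES if lowered.startswith(p)), None)
        if prefix is None:
            continue
        value = candidate[len(prefix):].strip()
        # A tag is analyst-controlled text that ends up in a mail header:
        # refuse embedded CR/LF/NUL so it cannot add extra headers.
        if any(ch in value for ch in "\r\n\0"):
            continue
        # fullmatch, not match: the whole value must be the address.
        if ADDRESS_RE.fullmatch(value):
            return value
    return None


if __name__ == "__main__":
    # Constructed sample tag lists, one per separator style.
    for sample in (["src:phish", "mail:soc@example.org"],
                   ["src=phish", "mail=soc@example.org"],
                   ["src=phish"]):
        print(sample, "->", recipient_from_tags(sample))
```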