TheHive4py
[BUG] strange behavior with no_proxy settings
Request Type
no_proxy setting to use api in thehive responder from cortex docker [e.g. virustotal downloader] works only if it is the only proxy setting. If you add it to the http/https settings, it doesn't work.
Work Environment
Question | Answer |
---|---|
OS version (server) | cortex docker 3.1.0-1 |
OS version (client) | thehive docker 4.0.1-1 |
TheHive4py version / git hash | 1.7.2 |
Steps to Reproduce
>>> from thehive4py.api import TheHiveApi
>>> import requests
>>> proxies = {}
>>> case_id = "~40993000"
>>>
>>> api = TheHiveApi('http://172.23.92.31:9000', 'thehivekey', proxies=proxies)
>>> obs = api.get_case_observables(case_id=case_id, query={"dataType": "file"})
>>> obs.text
'<HEAD><TITLE>Parent proxy is not responding</TITLE></HEAD>\n<BODY BGCOLOR="white" FGCOLOR="black"><H1>Parent proxy is not responding</H1><HR>\n<FONT FACE="Helvetica,Arial"><B>\nDescription: Parent proxy is not responding</B></FONT>\n<HR>\n<!-- default "Parent proxy is not responding" response (502) -->\n</BODY>\n \x00'
>>>
>>> proxies = {'https': 'http://proxy.it', 'http': 'http://proxy.it', 'no_proxy': '172.23.92.31'}
>>> api = TheHiveApi('http://172.23.92.31:9000', 'thehivekey', proxies=proxies)
>>> obs = api.get_case_observables(case_id=case_id, query={"dataType": "file"})
>>> obs.text
'<HEAD><TITLE>Parent proxy is not responding</TITLE></HEAD>\n<BODY BGCOLOR="white" FGCOLOR="black"><H1>Parent proxy is not responding</H1><HR>\n<FONT FACE="Helvetica,Arial"><B>\nDescription: Parent proxy is not responding</B></FONT>\n<HR>\n<!-- default "Parent proxy is not responding" response (502) -->\n</BODY>\n \x00'
>>>
>>> api = TheHiveApi('http://172.23.92.31:9000', 'thehivekey', proxies={'no_proxy': '172.23.92.31'})
>>> obs = api.get_case_observables(case_id=case_id, query={"dataType": "file"})
>>> obs.text
'[{"_id":"~122900520","id":"~122900520","createdBy":"thehive01@admin","createdAt":1605716013172,"_type":"case_artifact","dataType":"file","startDate":1605716013172,"attachment":{"name":"pafish.exe","hashes":["2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5","124f46228d1e220d88ae5e9a24d6e713039a64f9","9159edb64c4a21d8888d088bf2db23f3"],"size":76800,"contentType":"application/x-ms-dos-executable","id":"2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5"},"tlp":2,"tags":["dd"],"ioc":false,"sighted":false,"message":"","reports":{},"stats":{},"ignoreSimilarity":false},{"_id":"~163901464","id":"~163901464","createdBy":"thehive01@admin","createdAt":1605784038075,"_type":"case_artifact","dataType":"file","startDate":1605784038075,"attachment":{"name":"154df0e5a18c811df58c1fab786001c5aa9d3a80640793578759a15a34597acb.exe","hashes":["154df0e5a18c811df58c1fab786001c5aa9d3a80640793578759a15a34597acb","49f11fad9a2522f198fa4cbe2df89171781177d3","77df4a375a27bfecc3c44317eff75bdc"],"size":35840,"contentType":"application/x-dosexec","id":"154df0e5a18c811df58c1fab786001c5aa9d3a80640793578759a15a34597acb"},"tlp":2,"tags":["src=\\"VirusTotal\\"","application/x-msdownload","exe","parent=\\"154df0e5a18c811df58c1fab786001c5aa9d3a80640793578759a15a34597acb\\""],"ioc":true,"sighted":false,"message":"","reports":{},"stats":{}}]'
>>>
Not sure if it is only my configuration; at the moment I'm using different proxy settings for external tools and the internal API.
I'm discovering the no_proxy option, I need to check what it means
In my case, I have everything on Docker, so I reach TheHive with my workstation IP, but if I don't set no_proxy, it tries to connect to TheHive using the proxy, considering that an external IP. I also tried to set no_proxy as a system env, with no luck. For example, this happens when I try to run the VirusTotal responder and the script tries to upload the file observable using the API. Instead of the file, I get a 200 message with my proxy error.
I tried the three use cases described above, and wasn't able to reproduce :(
I think no_proxy is a system-level variable, not really handled by requests directly. Maybe you can supply the proxies variable only to the calls that you want proxied.
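One way to apply the suggestion in the last comment, written as an added example that is not part of the thread or of TheHive4py: choose the `proxies` dict per target URL, so the internal TheHive address gets only the `no_proxy` entry (the form shown working above) and everything else keeps the http/https proxy. The helper names `host_bypasses_proxy` and `proxies_for` and the `external.example` URL are assumptions; only the standard library is used.

```python
import ipaddress
from urllib.parse import urlsplit

# Proxy settings as posted in the issue (second reproduction case).
PROXIES = {"https": "http://proxy.it", "http": "http://proxy.it",
           "no_proxy": "172.23.92.31"}


def host_bypasses_proxy(url, no_proxy):
    """True if the URL's host matches an entry of a comma-separated no_proxy string."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # host is a name, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if host_ip is not None:
            try:
                # strict=False accepts a single address or a CIDR such as 172.23.0.0/16
                if host_ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a host name; it cannot match an IP literal
        else:
            suffix = entry.lstrip(".")
            if host == suffix or host.endswith("." + suffix):
                return True
    return False


def proxies_for(url, proxies):
    """Return the proxies dict to pass for this URL (hypothetical helper).

    Bypassed hosts get only the 'no_proxy' entry, the form the issue shows
    working; all other hosts get the settings unchanged.
    """
    no_proxy = proxies.get("no_proxy", "")
    if no_proxy and host_bypasses_proxy(url, no_proxy):
        return {"no_proxy": no_proxy}
    return dict(proxies)

# Usage with the call from the issue:
#   url = "http://172.23.92.31:9000"
#   api = TheHiveApi(url, "thehivekey", proxies=proxies_for(url, PROXIES))
```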