bro-scripts

vt_check on bro 2.5 not working

Open akefallonitis opened this issue 8 years ago • 6 comments

I get this error:

1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 79: no such index (VTCHECK::temp[2])
1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 74: no such index (VTCHECK::temp[2])
1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 91: value used but not set (VTCHECK::positives)

After a while the error stops. I get requests to VirusTotal but no results, even with file hashes that I manually check and that are reported.

akefallonitis avatar Mar 29 '17 09:03 akefallonitis

Update: curl is running and returns JSON, but still the same error.

akefallonitis avatar Apr 04 '17 15:04 akefallonitis

In Bro 2.5 I am getting the below error while running vt_check.bro:

1491343971.786777 error in ./vt_check.bro, line 93: value used but not set (VTCHECK::positives)

binups avatar Apr 05 '17 18:04 binups

```zeek
if ( result?$files && bodyfile in result$files )
	{
	local body = fmt("%s", result$files[bodyfile]);
	local context = "";
	local subcon = "-";
	if ( |body| > 0 )
		{
		local positives: string;
		local total: string;
		# crude JSON handling: split the reply body on commas and inspect each piece
		local elements = split_string(body, /,/);
		local results: vector of string;
		local virustotal_url = fmt(match_sub_url, f$info$sha256);
		for ( e in elements )
			{
			print e;	# troubleshooting: show each piece as it is processed
			local temp: string_vec;
			if ( /"positives":/ in elements[e] )
				{
				# splitting on ":" gives two pieces, indices 0 and 1
				temp = split_string(elements[e], /:/);
				positives = sub_bytes(temp[1], 1, |temp[3]|);
				print positives;
				}
			else if ( /"total":/ in elements[e] )
				{
				temp = split_string(elements[e], /:/);
				total = sub_bytes(temp[1], 1, |temp[3]|);
				print total;
				}
			else if ( /"result":/ in elements[e] )
				{
				# skip scanners that reported no result
				if ( ! ( / null/ in elements[e] ) )
					{
					temp = split_string(elements[e], /"/);
					print temp[3];
					results[|results|] = temp[3];
					}
				}
			# ... remaining branches and the rest of the handler as in the original script
			}
		}
	}
```

Change this part and check what is printed.

akefallonitis avatar Apr 05 '17 18:04 akefallonitis

The fix doesn't seem to be working: it can't find the function match_sub_url in match_sub_url, and after removing that it gives an error on line 98, about regex parsing.

RealLinkers avatar Dec 05 '17 08:12 RealLinkers

I'll try and take a look at it. I haven't been doing much Bro stuff lately. If you get it figured out before I do I'll happily take a PR.

sooshie avatar Jan 02 '18 04:01 sooshie

@RealLinkers: I believe it is not so much a fix as a suggestion to use a print statement for troubleshooting.

As far as the issue goes, it appears it is because VT is returning json in the case of not finding results. The hash is in the "resource" field of the json, so the conditionals at lines 55 and 60 both fall through.

The json from VT also contains a "response_code" field (0 if not found, and 1 if found), so changing line 60 to: if ( |body| > 0 && /\"response_code\": 1/ in body) will make sure there is a result to work with.

That said, I noticed the tracking of hashes that have previously been checked, and I'm not sure the behavior is what is expected. The script only raises notices the first time a hash is seen, and only if it is in VT at the time it is first spotted. The hash is also added before any of the other code executes, so failure anywhere else in the code will leave the hash unchecked.

jbaggs avatar Apr 10 '18 03:04 jbaggs
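The two points in the comment above (a not-found reply carries response_code 0 and no "positives"/"total" fields, and a hash recorded as checked before the lookup succeeds is never retried) are easier to see side by side. The following is an added Python illustration written for this page; it is not code from the bro-scripts repository and not a Bro script. The sample reply bodies are constructed in the shape of VirusTotal v2 file/report responses (not captured from the API), the hash is a placeholder, and the `HashChecker`, `scripted_lookup` and `run_scenario` names are assumptions made here. It decodes the JSON instead of pattern matching the raw body, so it does not depend on the reply's whitespace, and it contrasts "mark the hash first" with "mark it only after a report was obtained".

```python
import json

# Constructed sample bodies in the shape of VirusTotal v2 file/report replies
# (not captured from the real API). response_code 1 = report exists, 0 = unknown hash.
SAMPLE_SHA256 = "0" * 64  # placeholder hash, not a real sample

REPORT_FOUND = json.dumps({
    "response_code": 1,
    "resource": SAMPLE_SHA256,
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "result": "Trojan.Generic"},
        "VendorB": {"detected": True, "result": "Win32.Agent"},
        "VendorC": {"detected": False, "result": None},
    },
})
REPORT_NOT_FOUND = json.dumps({
    "response_code": 0,
    "resource": SAMPLE_SHA256,
    "verbose_msg": "The requested resource is not among the finished, queued or pending scans",
})


def parse_report(body):
    """Return (positives, total, results) for a found report, or None when VT
    has no report. Checking response_code first avoids reading "positives" and
    "total", which a not-found reply does not contain at all."""
    data = json.loads(body)
    if data.get("response_code") != 1:
        return None
    # keep only scanners that actually named something (null results are skipped)
    results = [scan["result"] for scan in data.get("scans", {}).values()
               if scan.get("result") is not None]
    return data["positives"], data["total"], results


class HashChecker:
    """Tracks which hashes have been checked (hypothetical helper for this example).
    mark_first=True reproduces the ordering described in the thread: the hash is
    recorded before the lookup runs. mark_first=False records it only once a
    report was actually obtained, so failures and not-found replies get retried."""

    def __init__(self, lookup, mark_first):
        self.lookup = lookup          # callable: sha256 -> JSON body (may raise)
        self.mark_first = mark_first
        self.checked = set()
        self.notices = []

    def see_file(self, sha256):
        """Return True when a notice was raised for this sighting."""
        if sha256 in self.checked:
            return False
        if self.mark_first:
            self.checked.add(sha256)
        try:
            report = parse_report(self.lookup(sha256))
        except Exception:
            return False   # transport/parse failure; with mark_first the hash is never retried
        if report is None:
            return False   # unknown to VT right now; with mark_first it is never retried either
        if not self.mark_first:
            self.checked.add(sha256)
        positives, total, results = report
        self.notices.append((sha256, positives, total, results))
        return True


def scripted_lookup(bodies):
    """Build a lookup that hands out the given bodies in order; an Exception
    instance in the list is raised instead of returned (simulates a curl failure)."""
    queue = list(bodies)

    def lookup(_sha256):
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item
    return lookup


def run_scenario(mark_first, bodies):
    """Feed the same hash once per scripted reply and return how many notices fired."""
    checker = HashChecker(scripted_lookup(bodies), mark_first)
    for _ in bodies:
        checker.see_file(SAMPLE_SHA256)
    return len(checker.notices)


if __name__ == "__main__":
    # hash unknown at first sighting, known at the second
    print(run_scenario(True, [REPORT_NOT_FOUND, REPORT_FOUND]))   # 0 notices
    print(run_scenario(False, [REPORT_NOT_FOUND, REPORT_FOUND]))  # 1 notice
    # lookup fails the first time, works the second
    print(run_scenario(True, [RuntimeError("curl failed"), REPORT_FOUND]))   # 0
    print(run_scenario(False, [RuntimeError("curl failed"), REPORT_FOUND]))  # 1
```

With `mark_first=True` the second sighting is skipped regardless of what happened the first time, which is the behaviour the comment above describes; deferring the "checked" mark until a report was parsed keeps a hash eligible for a retry while still raising a single notice per hash once VT knows it.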