Initial Velociraptor Responder #803

Merged
merged 2 commits into from
Aug 12, 2020
Conversation

weslambert
Contributor

No description provided.

@dadokkio
Contributor

I'm trying to run the responder but I'm having some issues.
Some of the keys of the config YAML file your code is trying to access (ca_certificate, client_private_key, client_cert) are, in my case, nested under Client. I'm actually missing client_private and client_cert because I'm running it locally, I believe.

The error:

Traceback (most recent call last):
  File "/opt/Cortex-Analyzers/responders/Velociraptor/velociraptor_flow.py", line 127, in <module>
    Velociraptor().run()
  File "/opt/Cortex-Analyzers/responders/Velociraptor/velociraptor_flow.py", line 24, in run
    root_certificates=self.config["ca_certificate"].encode("utf8"),
KeyError: 'ca_certificate'

My actual status:

>>> a = yaml.load(open('/tmp/client.config.yaml').read(), Loader=yaml.FullLoader)
>>> a.keys()
dict_keys(['version', 'Client'])
>>> a['Client'].keys()
dict_keys(['server_urls', 'ca_certificate', 'nonce', 'writeback_darwin', 'writeback_linux', 'writeback_windows', 'max_poll', 'windows_installer', 'darwin_installer', 'version', 'use_self_signed_ssl', 'pinned_server_name', 'max_upload_size', 'local_buffer'])

If it could be useful: I'm using version 0.4.6, commit 1edf062.

@weslambert
Contributor Author

Thanks for testing! Not sure at the moment -- I'll take a look at this and get back with you.

@weslambert
Contributor Author

weslambert commented Jul 23, 2020

@dadokkio , Did you make sure to generate the API client config like so?

velociraptor --config server.config.yaml config api_client --name Fred > api_client.yaml

or were you trying to use a normal client config (it sounds like it from your mention of the nested Client entries)?

https://www.velocidex.com/docs/user-interface/api/

@dadokkio
Contributor

I didn't see that! I was using the basic config generate -i command.
I'm going to do a new test later 😃

@dadokkio
Contributor

Ok, after adding the API configuration as well, everything works as expected.
A README with some guidance would probably be useful.

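The thread's root cause is a config of the wrong shape: the responder reads ca_certificate, client_cert and client_private_key from the top level of an API client config (produced by `velociraptor ... config api_client`), while a normal client config (produced by `config generate -i`) nests its keys under Client and carries no client key pair, so the first lookup dies with a bare KeyError. The check below is an added example written for this page, not code from the PR or from the Velociraptor or Cortex projects; it classifies a parsed config, returns a message that names the fix instead of a KeyError, and hands back the PEM blobs as bytes the way the responder's `.encode("utf8")` does. The two sample mappings are constructed (certificate bodies are placeholders), and the api_connection_string key in the API client sample is an assumption about Velociraptor's `config api_client` output, not something the thread mentions.

```python
"""Shape check for the config handed to the Velociraptor responder (added example)."""

# Keys the responder reads from the top level of an API client config
# (these three are the ones named in the PR thread).
REQUIRED_KEYS = ("ca_certificate", "client_cert", "client_private_key")

FIX_HINT = ("generate an API client config with: velociraptor --config "
            "server.config.yaml config api_client --name <name> > api_client.yaml")


class ConfigError(ValueError):
    """The supplied mapping is not a usable API client config."""


def classify_config(cfg):
    """Return 'api_client', 'client' or 'unknown' for a parsed YAML mapping."""
    if not isinstance(cfg, dict):
        return "unknown"
    if all(k in cfg for k in REQUIRED_KEYS):
        return "api_client"
    # A normal client config nests everything under `Client` and has no
    # client_cert / client_private_key at all.
    if isinstance(cfg.get("Client"), dict):
        return "client"
    return "unknown"


def explain(cfg):
    """Return None if cfg is usable, otherwise a human-readable reason."""
    kind = classify_config(cfg)
    if kind == "client":
        return ("this is a Velociraptor client config (keys nested under "
                "'Client'), not an API client config; " + FIX_HINT)
    if kind == "unknown":
        if not isinstance(cfg, dict):
            return "config did not parse to a mapping; " + FIX_HINT
        missing = [k for k in REQUIRED_KEYS if k not in cfg]
        return "missing %s (found: %s); %s" % (
            ", ".join(missing), ", ".join(sorted(cfg)), FIX_HINT)
    # Right keys present: make sure they hold PEM text, not e.g. a file path.
    for k in REQUIRED_KEYS:
        if not isinstance(cfg[k], str) or "-----BEGIN" not in cfg[k]:
            return "key %r does not hold a PEM block" % k
    return None


def tls_material(cfg):
    """Return the PEM blobs as bytes (gRPC credentials want bytes), or raise."""
    reason = explain(cfg)
    if reason is not None:
        raise ConfigError(reason)
    return {k: cfg[k].encode("utf8") for k in REQUIRED_KEYS}


def load_config(path):
    """Parse a YAML file; PyYAML is assumed to be available where the responder runs."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed sample: the shape `config generate -i` produces (what dadokkio had).
CLIENT_CONFIG = {
    "version": {"name": "velociraptor", "version": "0.4.6"},
    "Client": {
        "server_urls": ["https://localhost:8000/"],
        "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "nonce": "constructed-nonce",
    },
}

# Constructed sample: the shape `config api_client` produces.  The
# api_connection_string key is an assumption about Velociraptor's output.
API_CLIENT_CONFIG = {
    "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "client_cert": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "client_private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "api_connection_string": "localhost:8001",
}


if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else CLIENT_CONFIG
    print(explain(cfg) or "OK: API client config with " + ", ".join(REQUIRED_KEYS))
```

Run it with a path to a real config to see which shape you have; without arguments it reports on the constructed client config and prints the `config api_client` hint, which is the message a user in dadokkio's position would want in place of the KeyError.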
@dadokkio dadokkio added this to the 2.9.0 milestone Jul 24, 2020
@weslambert
Contributor Author

Awesome, will get on that as soon as I can!

@To-om To-om force-pushed the develop branch 3 times, most recently from fb8f5aa to 23be632 on July 29, 2020 15:56
@jeromeleonard jeromeleonard self-assigned this Aug 12, 2020
jeromeleonard added a commit that referenced this pull request Aug 12, 2020
@jeromeleonard jeromeleonard merged commit 6c9d3e2 into TheHive-Project:develop Aug 12, 2020
@jeromeleonard
Contributor

jeromeleonard commented Aug 12, 2020

Thanks @weslambert. FYI I included your PR from CortexDocs in a README.md file to support our new documentation (https://thehive-project.github.io/Cortex-Analyzers/)

3 participants