fixes #1758 - greynoise labs analyzer #2210
Conversation
|
JSON output: I have not included the whole response JSON as it was too large |
moonpatel
changed the title
| @@ -0,0 +1,33 @@ | |||
| # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl | |||
There was a problem hiding this comment.
this file is not required cause this analyzer requires additional configuration
| "topc2s": { | ||
| "query_string": "query TopC2s { topC2s { queryInfo \ | ||
| { resultsAvailable resultsLimit } c2s { source_ip c2_ips \ | ||
| c2_domains payload hits pervasiveness } } } " | ||
| }, | ||
| } | ||
|
|
There was a problem hiding this comment.
I think the analyzer is cool. The only problem regarding this analyzer is this type of query that does not support IP addresses anymore.
For this cases, we usually make the analyzer work in a different way. We maintain a local cache of the data extracted from the Greynoise endpoint (a file in the system) and we open it once the analyzer is triggered.
Thanks to the update method, it is possible to define how to update this file and when.
Please check other analyzers like Tor, Maxmind, Feodo Tracker, etc that do something very similar to what I mentioned
There was a problem hiding this comment.
Hey @mlodic , I have added the update method for this class and some modifications in run method. Here is the new output format after changing the run method.
{
"noiserank": {
"data": {
"noiseRank": {
"queryInfo": { "resultsAvailable": 1, "resultsLimit": 1 },
"ips": [
{
"ip": "20.235.249.22",
"noise_score": 12,
"sensor_pervasiveness": "very low",
"country_pervasiveness": "low",
"payload_diversity": "very low",
"port_diversity": "very low",
"request_rate": "low"
}
]
}
}
},
"topknocks": {
"errors": [
{
"message": "20.235.249.22 was not found in KnockKnock",
"path": ["topKnocks"]
}
],
"data": null
},
"topc2s": { "found": true }
}
|
Hey @mlodic I have made the required changes, can you review them? |
| "health_check_schedule": None, | ||
| "update_schedule": { | ||
| "minute": "0", | ||
| "hour": "*", |
There was a problem hiding this comment.
their docs says:
topC2s
Description
Return the top 1% of C2s ranked by pervasiveness GreyNoise has observed over the previous 24 hours. This data may be up to 4.5 hours old.
so we can reduce the number of update to once every 6 hours I'd say
| def _monkeypatch(cls): | ||
| patches = [ | ||
| if_mock_connections( | ||
| patch("requests.post", return_value=MockUpResponse({}, 200)) |
There was a problem hiding this comment.
can you please write examples of outputs here in the tests? like the ones that you shared with me
In this way tests would run with a real output and we could also save an example of their reports here.
Please do a mock for every requests you do (2). See feodo tracker as an example
There was a problem hiding this comment.
Like one request whose ip is in noiseRank and one which is not in noiseRank, right? @mlodic
There was a problem hiding this comment.
basically here the tests will cycle through the list of mocks that you write and use one of them every time the analyzer would try to do a http request of the chosen method.
So basically one mock for each request that you make, so one for each endpoint in greynoise
| } | ||
|
|
||
| try: | ||
| logger.info("Fetching data from greynoise API.....") |
There was a problem hiding this comment.
please log the observable name too here otherwise static logs like this are useless considering that the base class already generates some generic logs like this
| if not os.path.exists(db_location): | ||
| return False | ||
|
|
||
| logger.info("Data fetched from greynoise API.....") |
| "base_path": "api_app.analyzers_manager.observable_analyzers", | ||
| }, | ||
| "name": "Greynoise_Labs", | ||
| "description": "scan an IP against the Greynoise Labs API (requires authentication token obtained from cookies on greynoise website)", |
There was a problem hiding this comment.
please add markdown with link to the service here so it will be displayed in the gui
… response in greynoise analyzer
|
Hey @mlodic, I made the required changes can you review them? |
|
Done @mlodic ! |
| @@ -104,7 +112,9 @@ def _update_db(cls, auth_token: str): | |||
| } | |||
|
|
|||
| try: | |||
| logger.info("Fetching data from greynoise API (Greynoise_Labs).....") | |||
| logger.info( | |||
| f"Fetching data from greynoise API ({cls._get_observable_name()})....." | |||
There was a problem hiding this comment.
it's enough to use self.observable_name cause it is inherited from the base class :P
There was a problem hiding this comment.
but _update_db is class method and it cannot access observabl_name. I have already trie it but does not work. @mlodic
There was a problem hiding this comment.
ah you are right, my bad. there is no need of anything else in the log so, you can revert to the previous message
There was a problem hiding this comment.
hardcoded? @mlodic
…est mock response in greynoise analyzer" This reverts commit 90a4c22.
|
Done @mlodic ! |
|
you reverted too many things :P |
|
Done @mlodic. I reverted to a different commit by mistake. |
|
Are there any more changes required? @mlodic |
|
you could fix the tests :) |
|
I guess the error occurs when |
|
|
||
| @classmethod | ||
| def update(cls): | ||
| auth_token = cls._get_auth_token() |
There was a problem hiding this comment.
I think this is where the error occurs during testing.. But how to get the auth_token during testing? Like which file should I look for?
There was a problem hiding this comment.
first we would need a new test for the update like we have for Feodo Tracker for instance : https://github.com/intelowlproject/IntelOwl/pull/2126/files
then, do not trigger Exception here:
if not os.path.isfile(value["db_location"]) and not self.update():
raise AnalyzerRunException(f"Failed extraction from {key} db")
in this way not only the test would work but the analyzer should not fail if 1 query out of 3 fails.
Please just write an error log but do not trigger the AnalyzerRunException that makes all the analyzer to fail
|
Now all the test cases are passing @mlodic . |
|
last error remains |
api_app/analyzers_manager/migrations/0071_analyzer_config_greynoise_labs.py
Outdated
Show resolved
Hide resolved
|
I tried logging the details of the response received when
I tried sending the request using greynoise labs playground - https://api.labs.greynoise.io/1/docs/ with this header: So I think the problem is that the |
|
the CI runs with To debug the problem better please use |
|
Now there is a different error! @mlodic |
|
Pull from develop, there have been migrations :) |
|
Idk why a new PR is necessary but ok :P |
Closes #1758 . If your PR is made by a single commit, please add that clause in the commit too. This is all required to automate the closure of related issues.)
Description
Please include a summary of the change and link to the related issue.
Type of change
Please delete options that are not relevant.
Checklist
develop_monkeypatch()was used in its class to apply the necessary decorators.dumpplugincommand and added it in the project as a data migration. ("How to share a plugin with the community")test_files.zipand you added the default tests for that mimetype in test_classes.py.FREE_TO_USE_ANALYZERSplaybook by following this guide.Black,Flake,Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.testsfolder). All the tests (new and old ones) gave 0 errors.Important Rules