cybgit
@cybgit
Presume the above is for @lucatrabalza :)
andras
@andras:matrix.circl.lu
[m]
content type and accept should both be application/json
otherwise your parameters are ignored
cybgit
@cybgit
yeah as you are sending json data in the -d
Also, probably worth obfuscating your API token when posting or at least delete that one :)
andras
@andras:matrix.circl.lu
[m]
yeah probably a good oment to invalidate that key :)
moment* even
Luca
@lucacyber
@lucatrabalza
i try this:
cat 2337982.json | curl --insecure -H "Authorization: xxxxxxx" -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://xxxxx/events/add
and give me this error:
{"name":"No valid event data received.","message":"No valid event data received.","url":"\/events\/add\/"}
andras
@andras:matrix.circl.lu
[m]
--data "@/foo/bar/baz.json"
Luca
@lucacyber
curl --location --request POST 'https://MY IP/events/add' --header 'Accept: application/json' --header 'Content-Type: application/json'--header 'Authorization: MY KEY' --data "@filename.json"

i run this and give me a ssl error: curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl: (3) Port number ended with 'R'

is strange cause if i run the command to export: curl --insecure -H "Authorization: APY KEY" -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://ip/events/restSearch -d '{"returnFormat": "stix", "publish_timestamp": "24h"}', don't give me errors
andras
@andras:matrix.circl.lu
[m]
ok, debugging basic curl usage isn't really my thing - but just a hint: have a look at what the --insecure flag (used in the second query) does ;)
Luca
@lucacyber
curl --location --request "POST" https://172.x.x.x/events/add -H "Accept: application/json" -H "Content-Type: application/json"--header --insecure "Authorization: xxxxxx" --data "@2337982.json"
i did this and give me this error: {"name":"No valid event data received.","message":"No valid event data received.","url":"\/events\/add"}
Luca
@lucacyber
this is the first part of the file
{"response":[{
"Event": {
"id": "xx",
"orgc_id": "xx",
"org_id": "xx",
"date": "2021-08-04",
"threat_level_id": "2",
"info": "xxxxx",
"published": true,
"uuid": "xxxx",
"attribute_count": "45",
"analysis": "2",
"timestamp": "xx",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "xx",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "295",
"name": "x",
"uuid": "xxx"
},
"Orgc": {
"id": "x",
"name": "x",
"uuid": "x"
},
"Attribute": [
{
Sascha Rommelfangen
@rommelfs
I see two potential problems: (1) you didn’t specify the path (2) check if 2337982.json is valid json
andras
@andras:matrix.circl.lu
[m]
strip this:
{"response":[
it should be {"Event":...
andras
@andras:matrix.circl.lu
[m]
I think that the error messages are pretty clear.
curl -d "@curl101.json" --insecure -H "Authorization: YOUR_API_KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://foo.bar.baz/events/add
Luca
@lucacyber
yes now the result is different, if i run---> curl -d "@filename.json" --insecure -H "Authorization: MY KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://172.29.3.38/events/add
i have ---> {
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": {
"Event": {
"info": [
"valueNotEmpty"
]
}
}
luciano (righel)
@luciano:matrix.circl.lu
[m]

that JSON is invalid, the response key must be removed. the payload should be:

{
   "Event": {
      "id": "xx",
      "orgc_id": "xx",
      ...

or:

{
   "id": "xx",
   "orgc_id": "xx",
    ...

but NOT with response key:

{
   "response":[{ <--- NO
      "Event": {
      ...
Luca
@lucacyber
ok, but why if import this json from the MISP web interface works?
andras
@andras:matrix.circl.lu
[m]
Because it’s a different endpoint
Luca
@lucacyber
yes okay now i change into {
"Event": {
"id": "xxxxx",
"orgc_id": "xxxxx",
"org_id": "xxxxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "Ixxxxx",
"published": true,
"uuid": "xxxxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "xxxxx",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "xxxxx",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
and give me this
{
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
i run this----> curl -d "@filename.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://MY_IP/events/add
Sascha Rommelfangen
@rommelfs
what have you changed?
Or shall we ask all the questions again?
andras
@andras:matrix.circl.lu
[m]
😭
Luca
@lucacyber
i put {
"Event": {
"id": "xxxxx",
or
{
"id": "xx",
"orgc_id": "xx",
"org_id": "xx", }
but is the same i have {
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
Sascha Rommelfangen
@rommelfs
If you allow to share an approach that helps both sides: create a synthetic example of your working and not-working files. In addition share the command you use to upload it. Then we can try to reproduce it.
Luca
@lucacyber

1) i run this --> curl -d "@2343038.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://172.x.x.x/events/add

2) this is the json file called 2343038.json:

{
"id": "xxxx",
"orgc_id": "xxx",
"org_id": "xxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "xxx",
"published": true,
"uuid": "xxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "1628675907",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1628675971",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Orgc": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Attribute": [
{
"id": "xxx",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "xxx",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628610665",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "xxx",
"ShadowAttribute": []
},
{
"id": "139562452",
"type": "filename",
"category": "Payload delivery",
"to_ids": false,
"uuid": "",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628611134",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "cache.dll",
"ShadowAttribute": []
}

the json file is too long i take just the first part.
Sascha Rommelfangen
@rommelfs
Ok, now can you create two synthetic examples? Short and anonymous enough to be shared? One that works and one that fails?
Luca
@lucacyber
do you mean error that this command give me ?
can you send me a json file to import, i can try so change the file, so if is the file the problem it will be ok and will be work
Sascha Rommelfangen
@rommelfs
I think that’s exactly what you want to do now. Reducing the complexity of your problem to a bare minimum.
You had a working file and modified something. Since then it doesn’t work.
Luca
@lucacyber
no never work the import of the events using curl
Sascha Rommelfangen
@rommelfs
Then I don’t know what I read earlier today in this channel