Luca
@lucacyber
curl --location --request POST 'https://MY IP/events/add' --header 'Accept: application/json' --header 'Content-Type: application/json'--header 'Authorization: MY KEY' --data "@filename.json"

I run this and it gives me an SSL error: curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl: (3) Port number ended with 'R'

It is strange, because if I run the command to export: curl --insecure -H "Authorization: APY KEY" -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://ip/events/restSearch -d '{"returnFormat": "stix", "publish_timestamp": "24h"}', it doesn't give me errors
andras
@andras:matrix.circl.lu
[m]
ok, debugging basic curl usage isn't really my thing - but just a hint: have a look at what the --insecure flag (used in the second query) does ;)
Luca
@lucacyber
curl --location --request "POST" https://172.x.x.x/events/add -H "Accept: application/json" -H "Content-Type: application/json"--header --insecure "Authorization: xxxxxx" --data "@2337982.json"
I did this and it gives me this error: {"name":"No valid event data received.","message":"No valid event data received.","url":"\/events\/add"}
Luca
@lucacyber
this is the first part of the file
{"response":[{
"Event": {
"id": "xx",
"orgc_id": "xx",
"org_id": "xx",
"date": "2021-08-04",
"threat_level_id": "2",
"info": "xxxxx",
"published": true,
"uuid": "xxxx",
"attribute_count": "45",
"analysis": "2",
"timestamp": "xx",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "xx",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "295",
"name": "x",
"uuid": "xxx"
},
"Orgc": {
"id": "x",
"name": "x",
"uuid": "x"
},
"Attribute": [
{
Sascha Rommelfangen
@rommelfs
I see two potential problems: (1) you didn’t specify the path (2) check if 2337982.json is valid json
andras
@andras:matrix.circl.lu
[m]
strip this:
{"response":[
it should be {"Event":...
andras
@andras:matrix.circl.lu
[m]
I think that the error messages are pretty clear.
curl -d "@curl101.json" --insecure -H "Authorization: YOUR_API_KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://foo.bar.baz/events/add
Luca
@lucacyber
Yes, now the result is different. If I run ---> curl -d "@filename.json" --insecure -H "Authorization: MY KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://172.29.3.38/events/add
I have ---> {
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": {
"Event": {
"info": [
"valueNotEmpty"
]
}
}
luciano (righel)
@luciano:matrix.circl.lu
[m]

That JSON is invalid; the response key must be removed. The payload should be:

{
   "Event": {
      "id": "xx",
      "orgc_id": "xx",
      ...

or:

{
   "id": "xx",
   "orgc_id": "xx",
    ...

but NOT with response key:

{
   "response":[{ <--- NO
      "Event": {
      ...
Luca
@lucacyber
OK, but why does it work if I import this JSON from the MISP web interface?
andras
@andras:matrix.circl.lu
[m]
Because it’s a different endpoint
Luca
@lucacyber
Yes, okay, now I changed it into {
"Event": {
"id": "xxxxx",
"orgc_id": "xxxxx",
"org_id": "xxxxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "Ixxxxx",
"published": true,
"uuid": "xxxxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "xxxxx",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "xxxxx",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
and it gives me this
{
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
I run this ----> curl -d "@filename.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://MY_IP/events/add
Sascha Rommelfangen
@rommelfs
what have you changed?
Or shall we ask all the questions again?
andras
@andras:matrix.circl.lu
[m]
😭
Luca
@lucacyber
I put {
"Event": {
"id": "xxxxx",
or
{
"id": "xx",
"orgc_id": "xx",
"org_id": "xx", }
but it is the same, I have {
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
Sascha Rommelfangen
@rommelfs
If you allow me to share an approach that helps both sides: create a synthetic example of your working and not-working files. In addition, share the command you use to upload it. Then we can try to reproduce it.
Luca
@lucacyber

1) I run this --> curl -d "@2343038.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://172.x.x.x/events/add

2) This is the JSON file called 2343038.json:

{
"id": "xxxx",
"orgc_id": "xxx",
"org_id": "xxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "xxx",
"published": true,
"uuid": "xxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "1628675907",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1628675971",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Orgc": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Attribute": [
{
"id": "xxx",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "xxx",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628610665",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "xxx",
"ShadowAttribute": []
},
{
"id": "139562452",
"type": "filename",
"category": "Payload delivery",
"to_ids": false,
"uuid": "",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628611134",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "cache.dll",
"ShadowAttribute": []
}

The JSON file is too long, so I took just the first part.
Sascha Rommelfangen
@rommelfs
Ok, now can you create two synthetic examples? Short and anonymous enough to be shared? One that works and one that fails?
Luca
@lucacyber
Do you mean the error that this command gives me?
Can you send me a JSON file to import? I can try to change the file, so if the file is the problem it will be OK and it will work.
Sascha Rommelfangen
@rommelfs
I think that’s exactly what you want to do now. Reducing the complexity of your problem to a bare minimum.
You had a working file and modified something. Since then it doesn’t work.
Luca
@lucacyber
No, the import of the events using curl never worked.
Sascha Rommelfangen
@rommelfs
Then I don’t know what I read earlier today in this channel
Luca
@lucacyber
I'd just like to import a JSON MISP event using curl.
Sascha Rommelfangen
@rommelfs
Please share your full JSON file or create one that you can share.
Luca
@lucacyber
Now it works, maybe it was a syntax error in the JSON file. How can I tell whether curl was executed successfully or not? Because I'd like to run the script with a cron job, so I'd like to know which JSON files are successfully imported and which are not imported into MISP. Thank you.
luciano (righel)
@luciano:matrix.circl.lu
[m]
/var/www/MISP/app/tmp/logs
match-markhattarki
@match-markhattarki

Hello... I just stood up my own MISP instance. I installed it on an Ubuntu system, following the instructions as best as I could. I ran the INSTALL.SH -c, as per the instructions. I am not sure if I need to install modules or other components.

When I try to add a feed, I get a "feed not added" banner at the top. I don't see any errors in the logs. I am guessing that something might not be writable.

PLEASE! Any help or pointers would be greatly appreciated!!!!

Milann SHRESTHA
@milannshrestha
How do I revert to Org Name from Org Logo? I don't see any option.
Luca
@lucacyber
If I use "timestamp" to export events that I have imported in the last 24 hours, is that correct? I want to export just the events that I have imported on my SIEM in the last 24 hours.
This is my curl:
curl --insecure -H "Authorization: KEY " -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://MYIP/events/restSearch -d '{"returnFormat": "stix", "publish_timestamp": "24h"}'