
Hybrid Analysis analyzer successful even if rate limit reached #215

Closed
srilumpa opened this issue Mar 30, 2018 · 5 comments
Labels: category:bug (Issue is related to a bug), scope:analyzer (Issue is analyzer related)

Comments

@srilumpa
Contributor

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Debian |
| Cortex Analyzer Name | HybridAnalysis |
| Cortex Analyzer Version | 1.0 |
| Cortex Version | 1.1.4-1 |

Description

If the rate limit is reached when querying the Hybrid Analysis service, the analyzer returns a successful state instead of an error, unlike the VirusTotal analyzer for example.

I know that with Cortex 2, rate limits can be handled in the configuration, but the analyzer should still alert for this kind of problem instead of letting the fact that the query failed go by silently.

Steps to Reproduce


  1. Reach your query limit for the Hybrid Analysis service
  2. Submit a new job with the analyzer
  3. See the job set as successful even if the result states the rate limit was reached

Possible Solutions

Apply a logic similar to the VirusTotal analyzer and trigger an error if the rate limit is reached.

Complementary information

Current report when the rate limiter is triggered:

{
  "artifacts": [],
  "full": {
    "results": {
      "response_code": -1,
      "response": {
        "error": "Exceeded maximum API requests per minute (5). Please try again later or contact support for other options."
      }
    }
  },
  "summary": {},
  "success": true
}

Expected report when rate limiter is triggered

{
  "errorMessage": "Exceeded maximum API requests per minute (5). Please try again later or contact support for other options.",
  "input": {
    "dataType": "hash",
    "config": {
      "max_tlp": 3,
      "check_tlp": true,
      "service": "get",
      "key": "REMOVED"
    },
    "tlp": 2,
    "data": "[redacted]"
  },
  "success": false
}
@saadkadhi
Contributor

@srilumpa please confirm that you are not analyzing the same observable with the same TLP within cache.job period (10 mins).

@nadouani nadouani added scope:cortex category:bug Issue is related to a bug and removed scope:cortex labels Apr 3, 2018
@nadouani
Contributor

nadouani commented Apr 3, 2018

@saadkadhi This is an issue on the Analyzer side that doesn't handle the "Hybrid Analysis" rate limit reached error. It's not related to the rate limiting configured on Cortex.

@3c7 3c7 added the scope:analyzer Issue is analyzer related label Apr 3, 2018
@srilumpa
Contributor Author

srilumpa commented Apr 3, 2018

Yes, we are not using Cortex2 for now (we are currently planning the migration to it)

@nadouani
Contributor

nadouani commented Apr 3, 2018

Well, I've just taken a look at the analyzer and found this:

if "error" in r.json().get('response') == "Exceeded maximum API requests per minute(5). Please try again later."

It looks like the rate limit text has been changed by HybridAnalysis, so the Analyzer is no longer handling the error correctly. This is bad :)

@3c7 3c7 self-assigned this Apr 3, 2018
@3c7
Contributor

3c7 commented Apr 3, 2018

Check for that specific error fits now for both error message variations.
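The two halves of this thread (the "success: true" report in the issue body, and the exact-string check nadouani quotes from the analyzer) can be shown side by side with a small Python example. This is added illustration code, not the Cortex-Analyzers project's code: the sample payloads are constructed from the two error messages quoted above, the function names are hypothetical, and the report shape only mirrors the two JSON documents in the issue. The structural check keys off the `response_code` and the `error` key rather than the wording, so it accepts both message variants; the `fragile_is_rate_limited` function reproduces the quoted line as written, which in Python is a chained comparison (`("error" in resp) and (resp == "...")`) and therefore cannot match a dict-shaped response at all.

```python
import json

# Constructed sample data (not captured from the live service): the two
# rate-limit messages quoted in the issue, plus a normal-looking result.
OLD_RATE_LIMIT_MSG = "Exceeded maximum API requests per minute(5). Please try again later."
NEW_RATE_LIMIT_MSG = ("Exceeded maximum API requests per minute (5). Please try again later "
                      "or contact support for other options.")

SAMPLE_RATE_LIMITED_OLD = {"response_code": -1, "response": {"error": OLD_RATE_LIMIT_MSG}}
SAMPLE_RATE_LIMITED_NEW = {"response_code": -1, "response": {"error": NEW_RATE_LIMIT_MSG}}
SAMPLE_OK = {"response_code": 0, "response": [{"sha256": "0" * 64, "verdict": "no specific threat"}]}

# Hypothetical analyzer input document, shaped like the "input" object in the issue.
SAMPLE_INPUT = {"dataType": "hash", "tlp": 2, "data": "[redacted]",
                "config": {"max_tlp": 3, "check_tlp": True, "service": "get", "key": "REMOVED"}}


def fragile_is_rate_limited(payload):
    """The check as quoted in the thread: an exact-string comparison.

    Written this way it is a chained comparison, i.e.
    ("error" in resp) and (resp == OLD_RATE_LIMIT_MSG); a dict is never equal
    to a string, so this returns False even for the old message.
    """
    resp = payload.get("response")
    return "error" in resp == OLD_RATE_LIMIT_MSG


def service_error_message(payload):
    """Return the service's error text if the query failed, otherwise None.

    Decides on structure (negative response_code, or an 'error' key in the
    response object) instead of on the exact wording, so a reworded message
    like the one that broke the analyzer is still treated as a failure.
    """
    resp = payload.get("response")
    if isinstance(resp, dict) and "error" in resp:
        return str(resp["error"])
    try:
        code = int(payload.get("response_code", 0))
    except (TypeError, ValueError):
        code = 0
    if code < 0:
        return "Hybrid Analysis returned response_code %d without details" % code
    return None


def build_report(payload, input_doc):
    """Build a Cortex-style job report from a Hybrid Analysis payload.

    On failure this is the shape of the "expected report" in the issue
    (success:false plus errorMessage); on success it is the normal report with
    the raw results under full.results.
    """
    message = service_error_message(payload)
    if message is not None:
        return {"errorMessage": message, "input": input_doc, "success": False}
    return {"artifacts": [], "full": {"results": payload}, "summary": {}, "success": True}


if __name__ == "__main__":
    for name, payload in (("old message", SAMPLE_RATE_LIMITED_OLD),
                          ("new message", SAMPLE_RATE_LIMITED_NEW),
                          ("normal result", SAMPLE_OK)):
        print("== %s ==" % name)
        print("fragile check matched:", fragile_is_rate_limited(payload))
        print(json.dumps(build_report(payload, SAMPLE_INPUT), indent=2))
```

The point of the structural check is that a job consuming the report (or a Cortex-side rate limiter, once migrated to Cortex 2) only sees `success: false` if the analyzer itself refuses to mark a failed query as successful; matching on the provider's human-readable text is what silently turned a quota error into a "successful" empty result.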

4 participants