Proofpoint analyzer fails Unexpected Error: Unicode-objects must be encoded before hashing #162
Comments
Issues related to analyzers should be created in the https://github.com/TheHive-Project/Cortex-Analyzers repo.
Hello @blainedw, could you provide an example URL to reproduce the issue?
I switched the script to Python3 which fixed this issue. But now I get TLP is higher than allowed.
Dave
…----------------------------------------------------------------------
This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or act in reliance on it or its attachments. If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.
@blainedw the analyzers and responders enforce the TLP and the PAP. So if you have submitted an observable with a TLP greater than the max one accepted by the analyzer, you'll get that error. This is a safeguard against OPSEC mishaps and mistakes made by analysts who would end up leaking data to an external service if the data should have stayed private in the first place.
I turned off TLP and PAP checking and then put both to WHITE, but neither worked. I just read about a bug in how this works.
Dave
TLP and PAP are not related to the origin of the analyzer issue. Please provide an example to reproduce the problem, otherwise it's hard to understand what happens :)
Log into Cortex
Configure Proofpoint analyzer to ignore TLP/PAP
Run Proofpoint analyzer
Enter URL http://zupaservices.info
Analyzer returns failure TLP higher than allowed
Dave
@blainedw could you please copy and paste here the complete report output you can find in Cortex when you click on the "View" button in Jobs history when the analyzer fails? Thanks in advance,
```json
{
  "errorMessage": "TLP is higher than allowed.",
  "input": "{\"data\":\"http://zupaservices.info\",\"pap\":2,\"message\":\"\",\"tlp\":2,\"parameters\":{},\"dataType\":\"url\",\"config\":{\"proxy_http\":null,\"max_tlp\":1,\"verifyssl\":true,\"check_pap\":true,\"secret\":\"3b8ebc6d52966d7a183433341a89734ffad63c20f5b8ef3d4dce4d999f6fe7e5\",\"check_tlp\":true,\"auto_extract_artifacts\":true,\"max_pap\":2,\"url\":\"https://tap-api-v2.proofpoint.com\",\"apikey\":\"REMOVED\",\"proxy_https\":null,\"service\":\"query\"}}",
  "success": false
}
```
Dave
thx. From what is reported, PAP and TLP checks are enabled and set to AMBER. Regards,
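For readers following this thread, here is an added example (not code from Cortex, cortexutils or the Proofpoint analyzer) that re-implements the TLP/PAP safeguard from the maintainer's explanation and runs it against the job input pasted above. With check_tlp true, max_tlp 1 (GREEN) and the observable submitted at tlp 2 (AMBER), the check refuses the job with exactly the message in the report; the PAP check passes because pap 2 does not exceed max_pap 2. The hashing helper shows the Python 3 cause of the error in the issue title: hashlib only accepts bytes. Assumptions: the function names are mine, the "secret" value is redacted, and hashing the URL with SHA-256 merely stands in for whatever the real analyzer hashes.

```python
import hashlib
import json

# Job input copied from the Cortex job report in this thread (the apikey was
# already redacted there; the "secret" value is redacted here as well).
JOB_INPUT = json.loads(
    '{"data":"http://zupaservices.info","pap":2,"message":"","tlp":2,'
    '"parameters":{},"dataType":"url","config":{"proxy_http":null,"max_tlp":1,'
    '"verifyssl":true,"check_pap":true,"secret":"REDACTED","check_tlp":true,'
    '"auto_extract_artifacts":true,"max_pap":2,'
    '"url":"https://tap-api-v2.proofpoint.com","apikey":"REMOVED",'
    '"proxy_https":null,"service":"query"}}'
)

# Cortex TLP/PAP levels: 0 WHITE, 1 GREEN, 2 AMBER, 3 RED (higher = more restricted).
LEVELS = {0: "WHITE", 1: "GREEN", 2: "AMBER", 3: "RED"}


def check_sharing_policy(job):
    """Return the list of policy violations for this job (empty if allowed).

    Mirrors the safeguard described in the thread: when check_tlp (check_pap)
    is enabled, an observable whose TLP (PAP) exceeds the analyzer's max_tlp
    (max_pap) is refused before any data leaves for the external service.
    Illustrative re-implementation, not cortexutils itself.
    """
    cfg = job.get("config", {})
    violations = []
    if cfg.get("check_tlp", False) and job.get("tlp", 2) > cfg.get("max_tlp", 2):
        violations.append("TLP is higher than allowed.")
    if cfg.get("check_pap", False) and job.get("pap", 2) > cfg.get("max_pap", 2):
        violations.append("PAP is higher than allowed.")
    return violations


def explain_policy(job):
    """Human-readable view of the comparison, handy in a troubleshooting log line."""
    cfg = job["config"]
    return (
        f"tlp={LEVELS[job['tlp']]} vs max_tlp={LEVELS[cfg['max_tlp']]} "
        f"(check_tlp={cfg['check_tlp']}); "
        f"pap={LEVELS[job['pap']]} vs max_pap={LEVELS[cfg['max_pap']]} "
        f"(check_pap={cfg['check_pap']})"
    )


def observable_digest(data):
    """SHA-256 of the observable as a hex string (hashing step is an assumption).

    hashlib in Python 3 only accepts bytes: hashlib.sha256(<str>) raises
    TypeError ("Unicode-objects must be encoded before hashing" on older
    interpreters, "Strings must be encoded before hashing" on newer ones).
    Encoding explicitly is the fix for the first error reported in this issue.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def unencoded_hash_fails(data):
    """True if hashing the raw str is rejected, which is always the case on Python 3."""
    try:
        hashlib.sha256(data)
    except TypeError:
        return True
    return False


def run(job):
    """Minimal analyzer flow: enforce the sharing policy first, only then touch the data."""
    violations = check_sharing_policy(job)
    if violations:
        return {"success": False, "errorMessage": violations[0]}
    return {"success": True, "full": {"sha256": observable_digest(job["data"])}}


if __name__ == "__main__":
    print(explain_policy(JOB_INPUT))
    print(json.dumps(run(JOB_INPUT), indent=2))
```

Running it against the pasted job prints the GREEN-versus-AMBER comparison and the same failing report as above; raising max_tlp to 2 or setting check_tlp to false in the analyzer configuration lets the job through, which is what the "ignore TLP/PAP" step in the reproduction is meant to achieve.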
As it is currently configured:
(screenshot of the Proofpoint analyzer configuration; image not reproduced)
Dave
Request Type
Bug / Feature Request
Work Environment
RHEL7
Cortex 2.1.3-1
Elastic4Play 1.7.2
Play 2.6.20
Elastic4s 5.6.6
ElasticSearch client 5.6.9
ElasticSearch cluster 5.6.14
IE 11
Problem Description
Proofpoint analyzer fails with Unexpected Error: Unicode-objects must be encoded before hashing.
Steps to Reproduce
Provide url to Proofpoint analyzer and run.