This repository has been archived by the owner on Mar 17, 2022. It is now read-only.

Problem downloading file content in alerts when content pulled from cloudphish cache #110

Open
seanmcfeely opened this issue Aug 7, 2020 · 3 comments
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@seanmcfeely
Contributor

seanmcfeely commented Aug 7, 2020

For example, if this content was pulled from the cloudphish cache and added to the alert:

image

We can no longer download/view/access any content for any files nested any further in the analysis tree.

Everything only says "whitelist" or "un-whitelist" like so:

image
image

Even the cloudphish content itself is not available in the GUI:
image

All files a level up from any Cloudphish Analysis: ALERT, in the analysis tree, can still be accessed normally.

I'm not sure when this change/break happened in the code base because we did a major update. I can confirm it's as far back as cad3a01 but still an issue for us at 86a1aff.

@seanmcfeely seanmcfeely added the invalid This doesn't seem right label Aug 7, 2020
@seanmcfeely
Contributor Author

seanmcfeely commented Aug 7, 2020

I just realized that it's not limited to file content, but it appears to be all analysis results:

For example, clicking on this:

image

Throws an internal server error:

[2020-08-07 18:28:02,315] [app] [app.py:1891] [MainThread] [5395] [ERROR] - Exception on /analysis [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.6/dist-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.6/dist-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/dist-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.6/dist-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.6/dist-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python3.6/dist-packages/flask_login/utils.py", line 261, in decorated_view
    return func(*args, **kwargs)
  File "/opt/ace/app/analysis/views.py", line 3467, in index
    remediation_history=remediation_history)
  File "/usr/local/lib/python3.6/dist-packages/flask/templating.py", line 140, in render_template
    ctx.app,
  File "/usr/local/lib/python3.6/dist-packages/flask/templating.py", line 120, in _render
    rv = template.render(context)
  File "/usr/local/lib/python3.6/dist-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/local/lib/python3.6/dist-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/local/lib/python3.6/dist-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/opt/ace/app/templates/analysis/index.html", line 1, in top-level template code
    {% extends "base.html" %}
  File "/opt/ace/app/templates/base.html", line 1, in top-level template code
    {% extends "core.html" %}
  File "/opt/ace/app/templates/core.html", line 1, in top-level template code
    {% block doc -%}
  File "/opt/ace/app/templates/core.html", line 4, in block "doc"
    {%- block html %}
  File "/opt/ace/app/templates/core.html", line 24, in block "html"
    {% block body -%}
  File "/opt/ace/app/templates/base.html", line 115, in block "body"
    {% block content %}
  File "/opt/ace/app/templates/base.html", line 124, in block "content"
    {% block page_content %}{% endblock %}
  File "/opt/ace/app/templates/analysis/index.html", line 80, in block "page_content"
    {% include analysis.jinja_template_path %}
  File "/opt/ace/app/templates/analysis/yara_analysis_v3_4.html", line 1, in top-level template code
    {% for yara_result in analysis.details %}
TypeError: 'NoneType' object is not iterable

However, most analysis just returns nothing, like this:

image

result:

image

@seanmcfeely seanmcfeely added the bug Something isn't working label Aug 7, 2020
@unixfreak0037 unixfreak0037 self-assigned this Aug 12, 2020
@unixfreak0037
Collaborator

It sounds like the cloudphish analysis was not successfully downloaded. I'll work with you to review the logs to figure out what is going on here. Specifically I think we'll want to look at the API logs to see if there was an exception thrown when the data was attempted to be downloaded.

@seanmcfeely
Contributor Author

seanmcfeely commented Sep 17, 2020

We are seeing this less and less. I've noticed that it's only happening when the detection in the cloudphish analysis is no longer valid (been turned off or removed).

I haven't seen any errors when looking through the API logs around the new alerts that come in with these old cloudphish content detections.

I have a fresh example of this I am setting aside.
