
[Bug] Short templates not used and/or not imported ? #1269

Open
julienloizelet opened this issue Jul 24, 2024 · 0 comments

Describe the bug

Some analyzers come with a short.html template. But I can't use it.
As I'm a new user, I wonder if it's my fault or if it's a bug.

  • When I import a zip file containing long.html and short.html, only 1 model is imported (the long one).

  • On a fresh installation of an Analyzer that should have a long and a short template, I can see only the long one in the list of Analyzer templates.

  • When I inspect the HTML source code of the short report, it does not look like the short.html file (it probably looks like the built-in template for the short report).

To Reproduce
Steps to reproduce the "short template not used" behavior:

  1. Enable IP-API_1_0 analyzer (or any other analyzer that provides a short.html template)
  2. Run the Analyzer against the 1.2.3.4 IP
  3. Inspect the result of the short report: we can't see a span with the class="label" whereas we do see such a class in the short.html


Steps to reproduce the "short template not imported" behavior:

  1. Enable IP-API_1_0 analyzer (or any other analyzer that provides a short.html template)

  2. Import a zip that contains the short and long reports:
    IP-API_1_0.zip

  3. There is a success message saying that 1 model has been imported (and we can see that this is the long one)


Expected behavior

The short.html template should be used for the short report, as mentioned in the documentation.

We should be able to import it with the "upload zip" feature.

Complementary information
N/A

Work environment

I'm using the following docker-compose.yml file:

docker-compose.yml

```yaml
services:
  thehive:
    image: strangebee/thehive:5.2
    depends_on:
      - cassandra
      - elasticsearch
      - minio
      - cortex
    ports:
      - "9000:9000"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
      - HIVE_SECRET="${HIVE_SECRET}"
      - CORTEX_KEY="${CORTEX_KEY}"
    command:
      - --secret
      - "${HIVE_SECRET}"
      - "--cql-hostnames"
      - "cassandra"
      - "--index-backend"
      - "elasticsearch"
      - "--es-hostnames"
      - "elasticsearch"
      - "--s3-endpoint"
      - "http://minio:9000"
      - "--s3-access-key"
      - "minioadmin"
      - "--s3-secret-key"
      - "minioadmin"
      - "--s3-bucket"
      - "thehive"
      - "--s3-use-path-access-style"
      - "--cortex-hostnames"
      - "cortex"
      - "--cortex-keys"
      # put the Cortex API key here once Cortex is bootstrapped
      - "${CORTEX_KEY}"
    restart: on-failure

  cassandra:
    image: 'cassandra:4'
    ports:
      - "9042:9042"
    environment:
      - MAX_HEAP_SIZE=1024M
      - HEAP_NEWSIZE=1024M
      - CASSANDRA_CLUSTER_NAME=TheHive
    volumes:
      - cassandradata:/var/lib/cassandra
    restart: on-failure

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.12
    ports:
      - "9200:9200"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
    volumes:
      - elasticsearchdata:/usr/share/elasticsearch/data
    restart: on-failure

  minio:
    image: quay.io/minio/minio
    mem_limit: 512m
    command: ["minio", "server", "/data", "--console-address", ":9090"]
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "9090:9090"
    volumes:
      - "miniodata:/data"

  cortex:
    image: thehiveproject/cortex:3.1.7
    depends_on:
      - elasticsearch
    environment:
      - job_directory=/tmp/cortex-jobs
      - HIVE_SECRET="${HIVE_SECRET}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /tmp/cortex-jobs:/tmp/cortex-jobs
    ports:
      - "9001:9001"
    restart: on-failure
    command:
      - --secret
      - "${HIVE_SECRET}"

  kibana:
    image: docker.elastic.co/kibana/kibana:7.17.12
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    depends_on:
      - elasticsearch

volumes:
  miniodata:
  cassandradata:
  elasticsearchdata:
```


  • Cortex version: Cortex container from Docker file: thehiveproject/cortex:3.1.7
  • Cortex Analyzer/Responder name: Any analyzers with short and long template
  • Cortex Analyzer/Responder version: Any analyzers version with short and long template

Possible solutions

N/A

Additional context

Looking in Elasticsearch (with Kibana), I can't see anything related to short templates: the documents with _label=AnalyzerTemplate are only long ones.

Thanks!
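As an added example (not part of this report or of Cortex's own code), a small Python check that inventories which template kinds an upload zip actually contains and flags analyzers that ship a long.html without a short.html, so the "1 model imported" message can be compared against what was really packaged. It assumes an `<analyzer>/long.html` and `<analyzer>/short.html` layout inside the archive and uses a constructed sample zip.

```python
import io
import re
import zipfile
from collections import defaultdict

# Constructed sample archive (not the real IP-API_1_0.zip): two analyzers,
# one of which lacks a short template. The <analyzer>/<kind>.html layout
# is an assumption about how template zips are organised.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IP-API_1_0/long.html",
                    "<div class='panel'><p>{{content.country}}</p></div>")
        zf.writestr("IP-API_1_0/short.html",
                    '<span class="label" ng-repeat="t in content.taxonomies">x</span>')
        zf.writestr("Other_2_0/long.html", "<div>only a long template</div>")
    return buf.getvalue()

def inventory(zip_bytes: bytes) -> dict:
    """Map analyzer folder name -> set of template kinds ('long'/'short') present."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.strip("/").split("/")
            if len(parts) < 2:
                continue  # not under an analyzer folder; ignore
            analyzer, filename = parts[-2], parts[-1]
            if filename in ("long.html", "short.html"):
                found[analyzer].add(filename[:-len(".html")])
    return dict(found)

def missing_short(zip_bytes: bytes) -> list:
    """Analyzers packaged with a long template but no short one."""
    inv = inventory(zip_bytes)
    return sorted(a for a, kinds in inv.items()
                  if "long" in kinds and "short" not in kinds)

# The reporter used a <span class="label"> as the tell-tale that the custom
# short template (rather than the built-in one) was rendered.
LABEL_SPAN = re.compile(r'<span[^>]*\bclass="label[^"]*"', re.IGNORECASE)

def short_uses_label_span(zip_bytes: bytes, analyzer: str) -> bool:
    """True if the analyzer's packaged short.html carries the label span marker."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(f"{analyzer}/short.html"):
                return bool(LABEL_SPAN.search(zf.read(name).decode("utf-8")))
    return False
```

Running `inventory()` on the zip you are about to upload, and comparing it with the count in the import success message, tells you whether the short template was dropped by the importer or was never in the archive.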
