
[Bug][Help Wanted] - Webhook activation issue #2082

Open
luffynextgen opened this issue Jun 14, 2021 · 5 comments
Labels
bug TheHive4 TheHive4 related issues

Comments

@luffynextgen

luffynextgen commented Jun 14, 2021

Request Type

Bug

Work Environment

Question Answer
OS version (server) CentOS 7
OS version (client) CentOS 7
Virtualized Env. True
vCPU 4 / 8 / 16 / 32
TheHive version 4.1.4-1
Package Type RPM
Database Cassandra

Problem Description

I'm trying to configure the webhooks on TheHive4 by following the documentation here: https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/webhooks/.
But I fail at step 2, 'Activate webhooks'.

Steps to Reproduce

  1. Add the following in application.conf:
notification.webhook.endpoints = [
  {
    name: local
    url: "http://127.0.0.1:5000/"
    version: 0
    wsConfig: {}
    auth: {
      type: "bearer",
      key: "API_KEY"}
    includedTheHiveOrganisations: ["ORG1"]
    excludedTheHiveOrganisations: []
  }
]

Where API_KEY is replaced by the current api key

  2. Use the curl command of that step with an org admin from org1 with the correct rights, replacing the variables with the expected values.
curl -XPUT -u$thehive_user:$thehive_password -H 'Content-type: application/json' $thehive_url/api/config/organisation/notification -d '
{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent"},
      "notifier": { "name": "webhook", "endpoint": "local" }
    }
  ]
}'

outcome:

{"type":"AuthorizationError","message":"You must be in `admin` organisation to change global configuration"}

Complementary information

I tried to create a new org admin and use it for the curl command, but I got the same error.
As login I tried both toto and [email protected]

@luffynextgen luffynextgen added bug TheHive4 TheHive4 related issues labels Jun 14, 2021
@To-om
Contributor

To-om commented Jun 14, 2021

I can't reproduce this behaviour. You probably made a typo in the URL. Please double check.

@luffynextgen
Author

luffynextgen commented Jun 15, 2021

Hello @To-om,

You might have been right, I tried again this morning with a cool head and the command seems to have worked.
The output I got:

{"path":"notification","defaultValue":[],"value":[{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]}

And in application.log:

from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-21 [00000058|] 0:0:0:0:0:0:0:1 PUT /api/config/organisation/notification took 109ms and returned 200 149 bytes

But I still don't get any notification; TheHiveHooks is active and listening on port 5000 as shown in the conf file.

I disabled the auth and set it to type "none" in the conf file; I want to validate the notification first.

I get this error message:
{"type":"scala.MatchError","message":"org.thp.client.NoAuthentication$@616e9be6 (of class org.thp.client.NoAuthentication$)"}

when the auth is set to type "none"

notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://localhost:5000/webhook"
    version: 0
    wsConfig: {}
    auth: { type: "none" }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
]

If you have any idea of what I should do to find the issue, please let me know.

Kind regards,

@luffynextgen
Author

Hello @To-om

I tried to put a different authentication type in the application.conf, even though none is expected by TheHiveHooks.

notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://localhost:5000/webhook"
    version: 0
    wsConfig: {}
    auth: { type: "basic"
            username: ""
            password: ""
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
]

I used the following command:
curl -u$thehive_user:$thehive_password $thehive_url/api/config/notification.webhook.endpoints

And got the following answer:

{
  "path": "notification.webhook.endpoints",
  "description": "webhook configuration list",
  "defaultValue": [
    {
      "name": "local",
      "url": "http://localhost:5000/webhook",
      "version": 0,
      "auth": {
        "type": "basic",
        "username": "",
        "password": ""
      },
      "wsConfig": {
        "timeout": {
          "connection": "2 minutes",
          "idle": "2 minutes",
          "request": "2 minutes"
        },
        "followRedirects": true,
        "useProxyProperties": true,
        "userAgent": null,
        "compressionEnabled": false,
        "ssl": {
          "default": false,
          "protocol": "TLSv1.2",
          "checkRevocation": null,
          "revocationLists": [
            
          ],
          "debug": {
            "all": false,
            "keymanager": false,
            "ssl": false,
            "sslctx": false,
            "trustmanager": false
          },
          "loose": {
            "acceptAnyCertificate": false,
            "allowLegacyHelloMessages": null,
            "allowUnsafeRenegotiation": null,
            "allowWeakCiphers": false,
            "allowWeakProtocols": false,
            "disableHostnameVerification": false,
            "disableSNI": false
          },
          "enabledCipherSuites": [
            
          ],
          "enabledProtocols": [
            "TLSv1.2",
            "TLSv1.1",
            "TLSv1"
          ],
          "hostnameVerifierClass": "com.typesafe.sslconfig.ssl.NoopHostnameVerifier",
          "disabledSignatureAlgorithms": [
            "MD2",
            "MD4",
            "MD5"
          ],
          "disabledKeyAlgorithms": [
            "RSA keySize < 2048",
            "DSA keySize < 2048",
            "EC keySize < 224"
          ],
          "keyManager": {
            "algorithm": "SunX509",
            "stores": [
              
            ],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null,
                "password": null
              }
            }
          },
          "trustManager": {
            "algorithm": "PKIX",
            "stores": [
              
            ],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null
              }
            }
          },
          "sslParameters": {
            "clientAuth": "Default",
            "protocols": [
              
            ]
          }
        },
        "maxConnectionsPerHost": -1,
        "maxConnectionsTotal": -1,
        "maxConnectionLifetime": "Inf",
        "idleConnectionInPoolTimeout": "1 minute",
        "maxNumberOfRedirects": 5,
        "maxRequestRetry": 5,
        "disableUrlEncoding": false,
        "keepAlive": true,
        "useLaxCookieEncoder": false,
        "useCookieStore": false
      },
      "includedTheHiveOrganisations": [
        "*"
      ],
      "excludedTheHiveOrganisations": [
        
      ]
    }
  ],
  "value": [
    {
      "name": "local",
      "url": "http://localhost:5000/webhook",
      "version": 0,
      "auth": {
        "type": "basic",
        "username": "",
        "password": ""
      },
      "wsConfig": {
        "timeout": {
          "connection": "2 minutes",
          "idle": "2 minutes",
          "request": "2 minutes"
        },
        "followRedirects": true,
        "useProxyProperties": true,
        "userAgent": null,
        "compressionEnabled": false,
        "ssl": {
          "default": false,
          "protocol": "TLSv1.2",
          "checkRevocation": null,
          "revocationLists": [
            
          ],
          "debug": {
            "all": false,
            "keymanager": false,
            "ssl": false,
            "sslctx": false,
            "trustmanager": false
          },
          "loose": {
            "acceptAnyCertificate": false,
            "allowLegacyHelloMessages": null,
            "allowUnsafeRenegotiation": null,
            "allowWeakCiphers": false,
            "allowWeakProtocols": false,
            "disableHostnameVerification": false,
            "disableSNI": false
          },
          "enabledCipherSuites": [
            
          ],
          "enabledProtocols": [
            "TLSv1.2",
            "TLSv1.1",
            "TLSv1"
          ],
          "hostnameVerifierClass": "com.typesafe.sslconfig.ssl.NoopHostnameVerifier",
          "disabledSignatureAlgorithms": [
            "MD2",
            "MD4",
            "MD5"
          ],
          "disabledKeyAlgorithms": [
            "RSA keySize < 2048",
            "DSA keySize < 2048",
            "EC keySize < 224"
          ],
          "keyManager": {
            "algorithm": "SunX509",
            "stores": [
              
            ],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null,
                "password": null
              }
            }
          },
          "trustManager": {
            "algorithm": "PKIX",
            "stores": [
              
            ],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null
              }
            }
          },
          "sslParameters": {
            "clientAuth": "Default",
            "protocols": [
              
            ]
          }
        },
        "maxConnectionsPerHost": -1,
        "maxConnectionsTotal": -1,
        "maxConnectionLifetime": "Inf",
        "idleConnectionInPoolTimeout": "1 minute",
        "maxNumberOfRedirects": 5,
        "maxRequestRetry": 5,
        "disableUrlEncoding": false,
        "keepAlive": true,
        "useLaxCookieEncoder": false,
        "useCookieStore": false
      },
      "includedTheHiveOrganisations": [
        "*"
      ],
      "excludedTheHiveOrganisations": [
        
      ]
    }
  ]
}

But I still got no notification on the webhook endpoint.

Kind regards,

@luffynextgen
Author

luffynextgen commented Jun 22, 2021

Dear @To-om,

I have also taken a look at #1386 and #1457.

I have tried to enable the webhook using an org-admin of the org that needs it, and using an org-admin from the admin org, and I get the following output in both cases:
{"path":"notification","defaultValue":[],"value":[{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]}

In my application.conf file I have tried the following configurations:

notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://localhost:5000/webhook"
    version: 0
    wsConfig: {}
    auth: { type: "basic"
            username: ""
            password: ""
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
]

notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://localhost:5000/webhook"
    version: 0
    wsConfig: {}
    auth: { type: "basic"
            username: ""
            password: ""
    }
    includedTheHiveOrganisations: ["org1"]
    excludedTheHiveOrganisations: []
  }
]

notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://localhost:5000/webhook"
    version: 0
    wsConfig: {}
    auth: { type: "basic"
            username: ""
            password: ""
    }
    includedTheHiveOrganisations: []
    excludedTheHiveOrganisations: []
  }
]

None of them showed the expected result, which is sending notifications to my webhook server.

My webhook server is listening:

Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: WARNING: This is a development server. Do not use it in a production deployment.
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: Use a production WSGI server instead.
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: * Debug mode: on
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: * Restarting with stat
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: [2021-06-17 12:16:51,351] INFO in __init__: Started
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: * Debugger is active!
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: * Debugger PIN: 148-567-980
Jun 17 12:16:51 io-ls-csirt3.iter.org python[19126]: [2021-06-17 12:16:51,666] INFO in __init__: Started
Jun 17 12:17:01 io-ls-csirt3.iter.org python[19126]: 127.0.0.1 - - [17/Jun/2021 12:17:01] "POST /webhook HTTP/1.1" 500 -

In thehive logs :

2021-06-22 11:27:39,464 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-19 [|] Receive AuditStreamMessage(~40964264)
2021-06-22 11:27:39,464 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-22 [0000005e|] 10.10.241.247 PATCH /api/case/~40972360 took 806ms and returned 200 1325 bytes
2021-06-22 11:27:39,473 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-19 [|2d5c0aa3] Notification is related to Audit(cea8202b39af0e35:6767b94f:17a33083066:-8000:94,update,true,Some(~40972360),Some(Case),Some({"endDate":1624354058666,"impactStatus":"NotApplicable","summary":"Legit traffic from an IO laptop on google addresses","status":"Resolved","resolutionStatus":"FalsePositive","customFields":{"responseCategories":{"order":0,"string":"Announced Administrative or business task"}}})), Some(org.thp.scalligraph.traversal.TraversalOps$TraversalOpsDefs$$anon$3@63ec95c0), Organisation(Iter,Iter)
2021-06-22 11:27:39,509 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-17 [00000060|] 10.10.241.247 POST /api/v1/query?name=cases took 15ms and returned 200
2021-06-22 11:27:39,515 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-13 [0000005f|] 10.10.241.247 POST /api/v1/query?name=case-count-all took 26ms and returned 200 4 bytes
2021-06-22 11:27:39,544 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-19 [00000062|] 10.10.241.247 GET /api/flow?count=10&rootId=any took 41ms and returned 200 6985 bytes
2021-06-22 11:27:39,621 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-19 [00000061|] 10.10.241.247 POST /api/v1/query?name=cases.count took 126ms and returned 200 2 bytes
2021-06-22 11:27:39,628 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-13 [0000005c|] 10.10.241.247 GET /api/stream/E7hdG6zNILz1B5wZrRaG took 4563ms and returned 200 1877 bytes
2021-06-22 11:27:40,113 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-18 [00000063|] 10.10.241.247 POST /api/v1/query?name=cases took 16ms and returned 200
2021-06-22 11:27:40,130 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-20 [00000064|] 10.10.241.247 POST /api/v1/query?name=cases.count took 31ms and returned 200 2 bytes

But I received zero notification.

I'm running out of ideas. If you have any idea on things I should activate to get more verbosity in the logs, or on the root issue, I'll take any input.

Kind regards,
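
The receiver log above shows the webhook server answering `POST /webhook` with a 500, which hides whether TheHive's delivery itself was fine. The following is an added example, not the reporter's Flask receiver or TheHive project code: a minimal stdlib receiver that validates the bearer key from the first `notification.webhook.endpoints` config in this thread and returns precise 401/400/200 answers instead of crashing. It assumes TheHive sends the configured key as `Authorization: Bearer <key>`; `EXPECTED_KEY` is a placeholder.

```python
"""Minimal TheHive 4 webhook receiver (added example, not the issue's receiver).
Assumption: the endpoint's bearer key arrives as 'Authorization: Bearer <key>'."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder; must equal the 'key' set in notification.webhook.endpoints.
EXPECTED_KEY = "API_KEY"


def handle_webhook(headers, body, expected_key=EXPECTED_KEY):
    """Validate auth and payload; return (http_status, reply_dict).

    A precise 4xx keeps TheHive's delivery log meaningful, whereas the
    500 seen in the issue's receiver log says nothing about the cause."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison so the key cannot be guessed byte by byte.
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_key.encode()):
        return 401, {"error": "invalid or missing bearer token"}
    try:
        event = json.loads(body)
    except (ValueError, TypeError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(event, dict):
        return 400, {"error": "expected a JSON object"}
    # Field names vary by webhook 'version'; report what arrived rather than
    # assuming a schema, so a mismatch is visible in the receiver's own log.
    return 200, {"received_fields": sorted(event)}


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, reply = handle_webhook(self.headers, self.rfile.read(length))
        payload = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Same bind address and port as the endpoint url in the issue's config.
    HTTPServer(("127.0.0.1", 5000), WebhookHandler).serve_forever()
```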

@luffynextgen luffynextgen changed the title [Bug] - Webhook activation issue [Bug][Help Wanted] - Webhook activation issue Jun 23, 2021
@luffynextgen
Author

Dear @To-om

To keep you updated, after reindexing the database it seems to work.
But it seems that notifications regarding a case reopening are emitted.

Kind regards,
