Hi PJ,
One thing to bear in mind here as regards the "
Error Running Script: either the script was running longer than the timeout period of 5 seconds or the script length was more than 50000 lines" message - the 50k lines are not necessarily
unique lines, so for example any lines executed as part of a
for loop would all count towards that maximum number. Beware of iterations over very large collections and things like that.
-P.
------------------------------
PAUL CURRAN
------------------------------
Original Message:
Sent: Thu May 09, 2019 11:01 AM
From: PATRICK MCKENNA
Subject: Script limitation issue
Hi Adina,
I ran your script and did not encounter any problems.
Could you please send me an example of the email message that is confounding the script?
-P.J.
------------------------------
Patrick (PJ) McKenna
Resilient Development
Original Message:
Sent: Mon May 06, 2019 04:49 PM
From: Adina Bodkins
Subject: Script limitation issue
Hi Patrick,
Sorry for the delayed response. Please find our modified script attached. We still are getting the line error when trying to use the email_subject regex line.
Thank you!
------------------------------
Adina Bodkins
Original Message:
Sent: Tue April 30, 2019 09:10 AM
From: PATRICK MCKENNA
Subject: Script limitation issue
Dear Adina,
I might suggest using
email_subject = re.sub(r"re\:\s+|fw\:\s+|fwd\:\s+", "", emailmessage.subject, flags=re.IGNORECASE)
because without using flags= you don't get the case insensitivity you evidently want. Secondly there is usually some whitespace after re:, fw:, or fwd: and I addressed this in the regular expression too.
Regarding the overrunning the 5000 line maximum, it would help to see your script in its entirety.
-P.J.
------------------------------
Patrick (PJ) McKenna
Resilient Development
Original Message:
Sent: Mon April 29, 2019 11:49 AM
From: Adina Bodkins
Subject: Script limitation issue
Hi PJ,
I received the same error for a different use case. I am trying to remove all the "re:", "fw:", or "fwd:" from the email subject. I had the following line of code in there:
email_subject = re.sub(r"re\:|fw\:|fwd\:", "", emailmessage.subject, re.IGNORECASE)
newIncidentTitle = u"\"{0}\"".format(email_subject)
I did have additional regex parsing going to decode URLs that was working fine and not returning any errors until I added this. Then I received the error: "Error Running Script: either the script was running longer than the timeout period of 5 seconds or the script length was more than 50000 lines"
Any tips or ideas how to resolve it?
Thanks!
------------------------------
Adina
Original Message:
Sent: Thu April 25, 2019 12:10 PM
From: PATRICK MCKENNA
Subject: Script limitation issue
Dear Alex,
Great news!
-P.J.
------------------------------
Patrick (PJ) McKenna
Resilient Development
Original Message:
Sent: Thu April 25, 2019 11:17 AM
From: Alexander Saulenko
Subject: Script limitation issue
Thank you, Patrick, for your reply. The script working like a charm!
BR,
Alex
------------------------------
Alexander Saulenko
Original Message:
Sent: Thu April 25, 2019 06:35 AM
From: PATRICK MCKENNA
Subject: Script limitation issue
Hello,
Please find attached a script that addresses the problem you are having, while following closely the instructions you posted about how you went about adapting the default script to your needs.
I ran this script against an email with the following body:
someone@somewhere.com
another.name@somewhereelse.org
Pah
NoDomain@
@invalid.name.org
user.name@sub.domain.com
This lead to an incident being created with "String"-type artifacts:
Please note that the entirety of the string passed in to the first parameter of processor.processArtifactCategory() is used as the capturing group for the regex and so it is not necessary to enclose the string in "(...)". Please also note that ^ and $ should also be avoided.
Yours,
PJ McKenna
------------------------------
Patrick (PJ) McKenna
Resilient Development
Original Message:
Sent: Thu April 25, 2019 03:04 AM
From: Alexander Saulenko
Subject: Script limitation issue
Hi Team,
I have a request to modify a default email parsing script to extract email addresses.
To achieve this I modified the default email parsing script to this way:
1. I have defined static method:
def makeEmailPattern():
return "(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)"
and added the following string at the bottom of the script to capture emails from a message body:
processor.processArtifactCategory(processor.makeEmailPattern(), "String", "Email address in a message body")
When I run the script I got the following error message:
"Error Running Script: either the script was running longer than the timeout period of 5 seconds or the script length was more than 50000 lines"
First of all, I thought that the root cause of the issue is on the regexp side. But if I comment any other processor string for extracting (for example IPV6), then the script works. I also tried to simplify the regex to something more simple (like "^.+@[^\.].*\.[a-z]{2,}$" ) In this case script works but we can not extract email with multiple dots in side. (like user.name@sub.domain.com).
So, if you have any ideas about how to extract all pre-built artefacts types + complex emails type - I would be much appreciated for any recommendations.
BR,
Alexander Saulenko
------------------------------
Alexander Saulenko
------------------------------