IBM Security QRadar SOAR

  • 1.  Integration webserver issue when enabling SSL

    Posted Wed May 15, 2019 09:21 AM
    Hello,

    We have developed an additional webhook on our Integration server for creating incidents in Resilient. The sending side sends a JSON request body of around 40kb in size, because it also contains the base64 encoded version of a file that is attached to the incident. This file is also processed by the Integration server to fill in some incident details, so sending it directly to the appliance is not an option.

    This request body is sent from a Windows server using Powershell's Invoke-RestMethod.

    Everything was working fine until we enabled SSL on the inbound webserver of the integration server. However, the issue does not lie in SSL certificate validation.

    We are able to send smaller JSON bodies to the webhook just fine, but whenever we send a larger one, we get the following error in /var/log/messages of the Integration server:

    <error[web] (<ssl.SSLSocket object at 0x7f7651964de8>, SSLWantReadError(2, u'The operation did not complete (read) (_ssl.c:1822)') )>


    Initially we blamed Powershell, but also when using curl on the Windows server, we see the same buggy behavior. However, we can POST the exact same request body just fine from a Linux server. I currently think this issue is related to some sort of difference in send and receive buffer sizes between Linux and Windows, and specifically only when using SSL.

    Is this some kind of known issue with Resilient?  Or perhaps an issue on OS level?

    Thanks!

    ------------------------------
    Jerome Kleinen
    ------------------------------


  • 2.  RE: Integration webserver issue when enabling SSL

    Posted Mon May 20, 2019 04:05 AM
    Hi Jerome, 
    Thank you for visiting the community and raising this with us. 

    Could you provide us with some more information on your additional webhook? You mention that it uses Powershell's Invoke-RestMethod to send the payload; does this mean it is a Powershell script that receives it, or could it be a Python webservice?
    And if it is Python, would you be able to clarify if it's just Python or if it is a framework on top of Python such as Django or Flask?

    This is an interesting use case so anything you could give us such as sample code would be a big help in figuring this out.

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 3.  RE: Integration webserver issue when enabling SSL

    Posted Mon May 20, 2019 11:48 AM
    Hi Ryan,

    Perhaps my initial post wasn't clear.

    We created a Python webhook which uses exposeWeb decorators to add additional endpoints to the resilient circuits integration server webserver component.

    This webhook is intended for receiving data from a Windows server host. The call on the Windows end is done by Powershell's Invoke-RestMethod, however we had the exact same result using cURL on Windows. It works fine when using cURL from a Linux server.

    I can write some Powershell tomorrow and let you know at what body size the request starts to fail. My guess is this will line up perfectly with whatever read buffer size is configured on the resilient circuits webserver component, specifically when SSL is enabled.


    ------------------------------
    Jerome Kleinen
    ------------------------------
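
The size test proposed in the last post could look like the following. This is an added example, not code from the thread or from IBM: it bisects between a body size that succeeds and the roughly 40 kB size reported to fail, to find where POSTs to the SSL-enabled webhook start failing. The URL and the JSON field names (`name`, `file`) are hypothetical placeholders, and the bisection assumes the failure depends only on body size.

```powershell
# Added example. $Uri and the JSON field names are placeholders, not taken from the thread.
# Point it at a test endpoint: every successful POST reaches the webhook handler.
$Uri  = 'https://integration.example.internal/webhook'
$Low  = 1KB     # raw payload size assumed to succeed (small bodies work per the thread)
$High = 40KB    # raw payload size in the range reported to fail

function Test-BodySize {
    param([int]$Bytes)
    # Random bytes, base64-encoded, stand in for the attached file in the real payload.
    $raw = New-Object byte[] $Bytes
    (New-Object System.Random).NextBytes($raw)
    $body = @{ name = "size-probe-$Bytes"; file = [Convert]::ToBase64String($raw) } | ConvertTo-Json
    $jsonBytes = [Text.Encoding]::UTF8.GetByteCount($body)
    try {
        Invoke-RestMethod -Uri $Uri -Method Post -Body $body `
            -ContentType 'application/json' -TimeoutSec 30 | Out-Null
        return [pscustomobject]@{ Ok = $true; JsonBytes = $jsonBytes; Error = $null }
    } catch {
        return [pscustomobject]@{ Ok = $false; JsonBytes = $jsonBytes; Error = $_.Exception.Message }
    }
}

# Confirm both bounds behave as assumed before bisecting.
if (-not (Test-BodySize $Low).Ok) { throw "Lower bound of $Low bytes already fails" }
if ((Test-BodySize $High).Ok)     { throw "Upper bound of $High bytes succeeds; raise it" }

# Narrow the gap until the pass/fail boundary is known to within 64 raw bytes.
while (($High - $Low) -gt 64) {
    $mid    = [int](($Low + $High) / 2)
    $result = Test-BodySize $mid
    $status = if ($result.Ok) { 'OK' } else { 'FAIL' }
    '{0,7} raw / {1,7} JSON bytes -> {2} {3}' -f $mid, $result.JsonBytes, $status, $result.Error
    if ($result.Ok) { $Low = $mid } else { $High = $mid }
}
"Largest passing raw size: $Low bytes; smallest failing raw size: $High bytes"
```

The JSON byte count printed for each probe is the request body size to compare against buffer sizes on the receiving side; timestamps of failed probes can be matched to the SSLWantReadError entries in /var/log/messages.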