IBM Security QRadar SOAR

 View Only
Expand all | Collapse all

Issue with virus total API lookup functionality

  • 1.  Issue with virus total API lookup functionality

    Posted Tue January 03, 2023 04:03 AM
    Hi IBM community,

    I am currently developing a lookup function using multiple tools and my goal is to process the dictionary output return by the API as dictionary. During the API lookup, all the function works fine on the API part with the exception of VirusTotal where I got the following error:

    In the virus total package, the error pointed out to the following:

    Where below are the code for my VirusTotal Function following the workflow example given by adding the application into the AppHost server:


    My confusion with this error is that the activation for it is seemingly random because at times I have manage to call the virus total function despite using the same command. Below are the example of successful activation for the similar query:

    Below are the code for the artifact generation which I wrapped in try-except clause:

    Is there any possible lead on what could possibly lead to this error. Is it on my artifact generation part or the API lookup part or simply some steps that I have missed?


    Regards,

    Luqman

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------


  • 2.  RE: Issue with virus total API lookup functionality

    Posted Wed January 04, 2023 04:10 AM

    Hi Luqman,

    Your workflow code is perfect, it looks like the response result of VirusToatal that you send for scan sometimes cannot be converted into a list format but an integer which results in result['response_code'] cannot be found. Following is the test code to reproduce this issue. You may add another exception to handle this case.

    -> % cat test.py

    RC_NOT_FOUND = 0
    RC_READY = 1
    RC_IN_QUEUE = -2

    results = int(100)

    if results['response_code'] == RC_NOT_FOUND:
    print(results['response_code'])

    -> % python test.py
    Traceback (most recent call last):
    File "test.py", line 8, in <module>
    if results['response_code'] == RC_NOT_FOUND:
    TypeError: 'int' object has no attribute '__getitem__'



    ------------------------------
    Sam Wang
    ------------------------------



  • 3.  RE: Issue with virus total API lookup functionality

    Posted Wed January 04, 2023 04:33 AM
    Hi Sam Wang,

    Thanks for the reply, from what I understand from your reply is that I should wrapped the virus total API lookup in the function part such that it will not trigger the IBM playbook error in the case of the function encountered the specific bug. Also, this might seem like a temporary fix to the bug, is there any way that I could tamper with the virus total code and make a quick lasting fix and use it ( i.e. without publishing it, because it is a minor change)


    Again thanks for the help.

    Best regards,

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 4.  RE: Issue with virus total API lookup functionality

    Posted Wed January 04, 2023 08:42 PM

    Hi Luqman, 

    It's inevitable that playbook would be terminated once function error occurred. It can be addressed only to modify fn_virustotal code. 

    I'm not sure you are linking to Quay.io AppHost or your local AppHost. If you have your local AppHost you are able to modify the code and rebuild app docker image then push to AppHost to reinstall virustotal app. Otherwise, I can escalate this issue to our app dev team to fix it. Could you share what artifacts you encountered this issue while sending for the VT scan? 



    ------------------------------
    Sam Wang
    IBM QRadar SOAR
    ------------------------------



  • 5.  RE: Issue with virus total API lookup functionality

    Posted Wed January 04, 2023 09:28 PM
    Edited by Luqman Nur Wed January 04, 2023 09:31 PM
    Hi Sam Wang,

    Currently I am using the local AppHost. For modifying the current VirusTotal application, can I just change the function locally and use the upgrade function?

    I am not familiar with the modifying existing community app on IBM AppHost, and from some searching it requires new app publication when changes are made.

    In the case for Virus Total function, I am using on two different artifacts type which are the following:
    - URI Path/DNS/URL
    - IP Address

    If it helps, the following image below is the structure of my playbook:

    For the virustotal function on the different nodes, I have used different variables name to indicate their purpose.

    Below are some of the example of failed artifact hits:

    The only pattern I can observe to reproduce this error is to query the same artifact after removing it.

    Best regards,

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 6.  RE: Issue with virus total API lookup functionality

    Posted Thu January 05, 2023 10:04 AM

    Hi Luqman, 

    If you're using the local AppHost, after you changed the function locally, you can build & push a new docker image with the command below:

    -> Copy the dockerfile and entrypoint.sh to the directory (remove the dockerfile's extension name)

    -> commands
    $ python setup.py sdist
    $ docker build . -t  <AppRegistryName>/<Repository>/<packagename:version>     #ex: docker build . -t localhost:5000/ibmresilient/fn_virustotal:1.0.7
    $ docker push <AppRegistry>/<Repository>/<fn_name:1.0.0>                          #ex: docker push localhost:5000/ibmresilient/fn_virustotal:1.0.7


    ​​​​​

    ------------------------------
    Allen Lee
    ------------------------------

    Attachment(s)

    sh
    entrypoint.sh   693 B 1 version
    txt
    dockerfile.txt   2 KB 1 version


  • 7.  RE: Issue with virus total API lookup functionality

    Posted 20 days ago
    Hi Allen Lee,

    Thank you for the guide given. I have made changes to the file and followed the steps that you listed, but unable to run my docker images that I have build due to the following error:
    "no properly formatted SHA256 checksum lines found".

    Seems like I am missing some required configuration, also what you meant by local is that I am running the AppHost on my windows device? . If so, I might be mistaken with my phrasing on the thread above because the AppHost is on separate server environment.

    Best regards,

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 8.  RE: Issue with virus total API lookup functionality

    Posted 14 days ago
    Hi Luqman,

    I was trying to replicate your issue to fix the code but when I run the Example Workflow on the artifacts you've provided, it runs with no issues. Is there any more information you can give? What is the value of the Results dictionary? Can you also paste here the urls you are using for the artifacts so I know I didn't make any typos?

    Thanks.

    ------------------------------
    Christopher Chang
    ------------------------------



  • 9.  RE: Issue with virus total API lookup functionality

    Posted 13 days ago
    Hi Christopher Chang,

    I have noticed that the error is likely to happen when I use the same artifact again, provided that I already delete it beforehand. For the value of the results dictionary, when the error occurred the results does not able to parse because the function error.

    Some example of URL I used in the playbook (Which are mostly random urls):
    https://www.redhat.com/en/topics/devops/what-is-devsecops
    https://www.kaspersky.com/resource-center/definitions/cookies


    I have also use the function to search for IP address, and the error occurred in the same line of the code 118 :
    result['response_code'] == RC_NOT_FOUND:
    which is an error during conversion. My full function is running two playbook which one is an IOC parser from an attachment and the other one is the workflow that you have replied to, so sometimes the error occurred when I continuously trigger the function (virustotal for URL and IP).

    Best regards,


    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 10.  RE: Issue with virus total API lookup functionality

    Posted 12 days ago
    Hi Luqman,

    I tried using your URLs, deleting them and re-adding them, continuously triggering the function, and doing all the previous in Python2.7. Unfortunately, I am unable to replicate the function error you are seeing, I am able to run through the entire function and get a result with your artifacts.

    ------------------------------
    Christopher Chang
    ------------------------------



  • 11.  RE: Issue with virus total API lookup functionality

    Posted 11 days ago
    Hi Christopher Chang,

    Below are the recent testing I have done with the function, 2052 EST
    Method use:
    Submitted the URL for 4 times, deleting and re-adding them

    URL submitted:
    https://www.codecademy.com/

    Error code:

    Playbook flow:



    VirusTotal URL function:

    Virus total addhit function:


    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------