IBM QRadar


URL error in custom action script

  • 1.  URL error in custom action script

    Posted Sun October 11, 2020 06:45 PM

    I want to integrate QRadar with the VirusTotal base via the API ^.^

    I want to do it using an action script, but I have a little problem.

    So, my idea:

    1. Create a rule to check IPs.
    2. Create a custom action script:
      1. Check the IP via VirusTotal using the API.
      2. Parse the response data.
      3. If the IP is a malware IP, add it to the "malware IPs" reference set.
    3. Add the custom action script to the rule.
    4. That's all :)

    So, my problem:

    The first part of my script is not working:

    My script:

    import requests

    url1 = "https://www.virustotal.com/vtapi/v2/ip-address/report?apikey=XXXXXXXXXXXXXXXXXXX&ip=47.89.192.12"

    r = requests.get(url1)

    print(r.status_code)

    Here "XXXXXXXXXX" is my API key.

    And the response is an error:

    Traceback (most recent call last):
      File "/custom_action_scripts/customaction_201.script", line 3, in <module>
        r = requests.get(url)
      File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
        return request('get', url, **kwargs)
      File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
        response = session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 477, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 589, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
        raise ConnectionError(err, request=request)
    requests.exceptions.ConnectionError: ('Connection aborted.', gaierror(-5, 'No address associated with hostname'))

    I checked, and changed the URL to "https://www.virustotal.com", and received the same error.

    So I think that the problem is with the URL. I am not a programmer, so I can be wrong.

    Can someone give me some advice?

    Thanks all!



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: URL error in custom action script

    Posted Sun October 11, 2020 06:49 PM

    P.S. I am using the Python language.





  • 3.  RE: URL error in custom action script

    Posted Thu October 15, 2020 04:53 AM

    Hi!

    First things first - please use python3 as python2 is now deprecated and out of support.

    I haven't worked with the VirusTotal API, but judging from the errors and the fact that the top URL for VirusTotal also generates the same errors, I would say the problem is on your device. Sockets, proxy, anything that prevents Python from connecting to VT.

    I've checked below and it works, but it's on my personal PC. At work it wouldn't work due to proxies restricting outbound traffic.

    >>> import requests
    >>> r = requests.get('https://www.virustotal.com/gui/').status_code
    >>> r
    200

    Also, what does the status code give you in this situation? It's only going to return the HTTP status code, which doesn't contain any data.





  • 4.  RE: URL error in custom action script

    Posted Thu October 15, 2020 06:34 AM

    There is no problem with the firewall and proxy, I checked it. All traffic is ALLOW.

    I added the certificate - no help.

    I disabled the SSL check, and it works.



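An added example, not part of any post in this thread: a staged check (Python 3.7+) that reports whether a connection from the host running the custom action script fails at DNS resolution (the `gaierror` in the traceback above), at TCP connect, or at TLS certificate verification, with verification left enabled. The names `diagnose` and `failing_resolver` and the injectable `resolve`/`connect` parameters are assumptions made for illustration.

```python
import socket
import ssl


def diagnose(host, port=443, cafile=None, timeout=5,
             resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return (stage, detail) for the first failing stage, or ("ok", TLS version).

    resolve/connect are injectable (an assumption of this example) so the
    logic can be exercised without network access.
    """
    # Stage 1: DNS. gaierror -5 in the traceback above is a failure here,
    # before any TCP connection or certificate check is attempted.
    try:
        resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", "%s (errno %d)" % (exc.strerror, exc.errno))
    # Stage 2: TCP connect; blocked outbound traffic shows up here.
    try:
        sock = connect((host, port), timeout)
    except OSError as exc:
        return ("tcp", str(exc))
    # Stage 3: TLS handshake with verification left on. cafile may point at
    # a site-specific CA bundle instead of the system default store.
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("tls-verify", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls", str(exc))
    finally:
        sock.close()


def failing_resolver(*args, **kwargs):
    # Constructed stub reproducing the error text from the traceback.
    raise socket.gaierror(-5, "No address associated with hostname")


if __name__ == "__main__":
    print(diagnose("www.virustotal.com", resolve=failing_resolver))
```

`requests` accepts the same CA bundle through its `verify` parameter, for example `verify="/path/to/ca.pem"` (placeholder path).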