Hi Sam Wang,
Currently I am using the local AppHost. For modifying the current VirusTotal application, can I just change the function locally and use the upgrade function?
I am not familiar with modifying an existing community app on IBM AppHost, and from some searching it requires a new app publication when changes are made.
In the case of the Virus Total function, I am using it on two different artifact types, which are the following:
- URI Path/DNS/URL
- IP Address
If it helps, the following image below is the structure of my playbook:
For the virustotal function on the different nodes, I have used different variable names to indicate their purpose.
Below are some examples of failed artifact hits:
The only pattern I can observe to reproduce this error is to query the same artifact after removing it.
Best regards,
------------------------------
Luqman Nur
Techlab
------------------------------
Original Message:
Sent: Wed January 04, 2023 08:41 PM
From: Sam Wang
Subject: Issue with virus total API lookup functionality
Hi Luqman,
It's inevitable that the playbook will be terminated once a function error occurs. It can only be addressed by modifying the fn_virustotal code.
I'm not sure whether you are linking to the Quay.io AppHost or your local AppHost. If you have your local AppHost, you are able to modify the code, rebuild the app Docker image, and then push it to AppHost to reinstall the virustotal app. Otherwise, I can escalate this issue to our app dev team to fix it. Could you share which artifacts you encountered this issue with when sending them for the VT scan?
------------------------------
Sam Wang
IBM QRadar SOAR
Original Message:
Sent: Wed January 04, 2023 04:32 AM
From: Luqman Nur
Subject: Issue with virus total API lookup functionality
Hi Sam Wang,
Thanks for the reply. From what I understand from your reply, I should wrap the Virus Total API lookup in the function part so that it will not trigger the IBM playbook error in case the function encounters the specific bug. Also, this might seem like a temporary fix to the bug; is there any way that I could tamper with the Virus Total code, make a quick lasting fix, and use it (i.e. without publishing it, because it is a minor change)?
Again thanks for the help.
Best regards,
------------------------------
Luqman Nur
Techlab
Original Message:
Sent: Wed January 04, 2023 04:09 AM
From: Sam Wang
Subject: Issue with virus total API lookup functionality
Hi Luqman,
Your workflow code is perfect. It looks like the response result from VirusTotal for what you send for scan sometimes cannot be converted into a list format but is an integer, which means result['response_code'] cannot be found. Following is the test code to reproduce this issue. You may add another exception to handle this case.
-> % cat test.py
RC_NOT_FOUND = 0
RC_READY = 1
RC_IN_QUEUE = -2
results = int(100)
if results['response_code'] == RC_NOT_FOUND:
    print(results['response_code'])
-> % python test.py
Traceback (most recent call last):
  File "test.py", line 8, in <module>
    if results['response_code'] == RC_NOT_FOUND:
TypeError: 'int' object has no attribute '__getitem__'
------------------------------
Sam Wang
Original Message:
Sent: Tue January 03, 2023 04:03 AM
From: Luqman Nur
Subject: Issue with virus total API lookup functionality
Hi IBM community,
I am currently developing a lookup function using multiple tools, and my goal is to process the dictionary output returned by the API as a dictionary. During the API lookup, all the functions work fine on the API part, with the exception of VirusTotal, where I got the following error:
In the Virus Total package, the error pointed to the following:
Below is the code for my VirusTotal function, following the workflow example given by adding the application into the AppHost server:
My confusion with this error is that the activation for it is seemingly random, because at times I have managed to call the Virus Total function despite using the same command. Below is an example of successful activation for a similar query:
Below is the code for the artifact generation, which I wrapped in a try-except clause:
Is there any possible lead on what could cause this error? Is it in my artifact generation part, the API lookup part, or simply some steps that I have missed?
Regards,
Luqman
------------------------------
Luqman Nur
Techlab
------------------------------
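An added example (not part of the thread and not code from the fn_virustotal package) of the extra handling suggested in Sam Wang's reply: check the type of the scan result before indexing it, so an integer response becomes a structured "failed lookup" result instead of a TypeError that terminates the playbook. Only the RC_* constants come from the thread; `normalize_vt_result`, `safe_lookup`, the `fetch` callable and the sample inputs are hypothetical.

```python
from collections.abc import Mapping

# Values taken from the test.py shown in the thread
RC_NOT_FOUND = 0
RC_READY = 1
RC_IN_QUEUE = -2
STATUS_BY_CODE = {RC_NOT_FOUND: "not_found", RC_READY: "ready", RC_IN_QUEUE: "in_queue"}


def normalize_vt_result(raw):
    """Describe a lookup result without ever indexing a non-mapping value."""
    if not isinstance(raw, Mapping):
        # int, None, str, ...: keep short evidence for the analyst instead of raising
        detail = f"{type(raw).__name__}: {raw!r}"[:200]
        return {"ok": False, "status": "unexpected_type", "detail": detail}
    code = raw.get("response_code")
    # bool is a subclass of int, so reject it explicitly
    if isinstance(code, bool) or not isinstance(code, int):
        return {"ok": False, "status": "malformed",
                "detail": "response_code missing or not an int"}
    status = STATUS_BY_CODE.get(code)
    if status is None:
        return {"ok": False, "status": "unknown_code", "detail": f"response_code={code}"}
    return {"ok": True, "status": status, "report": dict(raw)}


def safe_lookup(fetch, value):
    """Call fetch(value) (hypothetical lookup callable) and always return a dict."""
    try:
        raw = fetch(value)
    except Exception as exc:  # broad on purpose: one bad artifact must not stop the run
        return {"ok": False, "status": "lookup_error",
                "detail": f"{type(exc).__name__}: {exc}"[:200]}
    return normalize_vt_result(raw)


# Constructed sample inputs, not real VirusTotal responses
SAMPLES = [
    {"response_code": 1, "positives": 3, "total": 70},
    {"response_code": 0},
    {"response_code": -2},
    100,                 # the integer case reproduced in test.py
    {"positives": 1},    # mapping without response_code
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(safe_lookup(lambda _value, s=sample: s, "constructed-artifact"))
```

The caller can branch on `ok` and `status` and record `detail` on the artifact or in a note, so the cases that trigger the integer response stay visible for later analysis.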