[BUG] Mihari ThreatFox webhook is not working about mihari HOT 7 CLOSED

json.query submit_ioc indicates that you don't quote submit_ioc.
You have to double or single quote it.

from mihari.

@ninoseki Sorry, I pasted the wrong logs before, I tried with both double or single quotes, but the error exists for both cases.

/var/lib/gems/3.0.0/gems/rack-3.0.8/lib/rack/auth/digest.rb:8: warning: Rack::Auth::Digest is deprecated and will be removed in Rack 3.1
2024-04-06 07:50:04.179412 I [2189:8000] Mihari -- Emission by Mihari::Emitters::Database is succeeded
2024-04-06 07:50:04.179815 I [2189:8000] Mihari -- Emission by Mihari::Emitters::Webhook is failed: 809: unexpected token at 'json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map(&:data)
'

from mihari.

Now I think your setup is wrong or broken.
You said you are using Mihari v7.5.0. But Mihari v7.5.0 is shipped with Rack v3.0.10. (https://github.com/ninoseki/mihari/blob/master/mihari.gemspec#L100)
So there is no way to have /var/lib/gems/3.0.0/gems/rack-3.0.8.

from mihari.

Okay, I fixed the issue with the latest version not pulling the latest Rack. Now, I'm not seeing the warnings I mentioned before, but the IoCs are still not being pushed to ThreatFox. I checked the generated alerts, and they are not listed on the ThreatFox website.
I tried to run mihari using --debug mode but it's not generating debug logs.

from mihari.

You set ip:port as an IOC type but you sent ip IOCs. So ThreatFox denies your submission I guess.
You have to provide proper data. This may help you to customize the Jbuilder template for that.

from mihari.

You set ip:port as an IOC type but you sent ip IOCs. So ThreatFox denies your submission I guess.

Ah, now I understand. Thanks for the heads-up and help! @ninoseki

from mihari.

Can you provide me with an example?

Ok I did something like this
this one for associating IPs with only those ports for which they have been matched (not worked)

json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
  artifact.metadata['matched_services'].map do |service|
    "#{artifact.data}:#{service['port']}"
  end
}.flatten

and this one for all the ports associated with IPs (this worked!)

json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
  artifact.ports.map do |port|
    "#{artifact.data}:#{port.number}"
  end
}.flatten

and this is for fixed port: (not worked)

json.query "submit_ioc"
json.threat_type "botnet_cc"
json.ioc_type "ip:port"
json.malware "win.icedid"
json.confidence_level 60
json.anonymous 0
json.iocs artifacts.map { |artifact|
  "#{artifact.data}:443"
}

Can you guide? Thanks

from mihari.