I'm getting a weird reset from the server when doing a test or accessing the port. It's establishing a connection (see tcpdump below) but it's resetting the connection after the POST. I'm guessing it's something with the HTTP server. Thanks for the help, I really want to get this working.
strace
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
accept4(3, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16], SOCK_CLOEXEC) = 4
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
ioctl(4, FIONBIO, [0]) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16]) = 0
read(4, "POST / HTTP", 11) = 11
ioctl(4, FIONBIO, [0]) = 0
close(4) = 0
clock_gettime(CLOCK_MONOTONIC, {6477550, 132108430}) = 0
Requirement already satisfied (use --upgrade to upgrade): simplejson>=3.6.5 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): pymisp>=2.4.62 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): httplib2>=0.8 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied (use --upgrade to upgrade): configparser in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied (use --upgrade to upgrade): urllib3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): six in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): python-dateutil in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): jsonschema in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
tcpdump -Anni lo port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:31.716449 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [S], seq 657993979, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 0,nop,wscale 7], length 0
17:29:31.716461 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [S.], seq 1921625788, ack 657993980, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 1618276462,nop,wscale 7], length 0
17:29:31.716469 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [.], ack 1, win 342, options [nop,nop,TS val 1618276462 ecr 1618276462], length 0
17:29:31.716672 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [P.], seq 1:203, ack 1, win 342, options [nop,nop,TS val 1618276463 ecr 1618276462], length 202: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Host: 172.31.74.93:8080
Accept: */*
User-Agent: python-requests/2.9.1
Accept-Encoding: gzip, deflate
content-type: application/json
Content-Length: 1595
Connection: keep-alive

17:29:31.716682 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [.], ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0
17:29:31.716715 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [R.], seq 1, ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0

python3 fmtest.py -f alert-details.json -u 172.31.74.93 -p 8080
"{"msg": "extended", "product": "Web MPS", "version": "7.7.0.123456", "appliance": "fireeye.foo.bar", "appliance-id": "00:11:11:11:11:11","alert": [{ "src": { "ip": "10.1.2.3", "host": "internalclient.intra.net", "vlan": "0", "mac": "00:24:aa:aa:aa:aa" }, "severity": "minr", "alert-url": "https://fireeye.foo.bar/event_stream/events_for_bot?ma_id=12345678", "explanation": { "malware-detected": { "malware": { "profile": "win7x64-sp1", "http-header": "POST http://malicious.com", "name": "Misc.Eicar-Test-File", "md5sum": "44d88612fea8a8f36de82e1278abb02f", "executed-at": "2016-01-19T08:30:21Z", "application": "Windows Explorer", "type": "exe", "original": "driver.exe", "stype": "24" } }, "protocol": "", "analysis": "binary", "cnc-services": { "cnc-service": [ { "protocol": "tcp", "port": "4143", "channel": "\\\\026\\\\003\\\\001", "address": "198.50.234.211" }, { "protocol": "tcp", "port": "9943", "channel": "\\\\026\\\\003\\\\001", "address": "80.96.150.201" }, { "protocol": "tcp", "port": "4493", "channel": "\\\\026\\\\003\\\\001", "address": "1.179.170.7" } ] }, "anomaly": "98816" }, "occurred": "2016-01-19 08:30:21+00", "id": "12345678", "action": "notified", "interface": { "mode": "tap" }, "dst": { "ip": "10.1.2.4", "mac": "00:24:bb:bb:bb:bb" }, "name": "malware-object"}]}"
COMMUNICATION ERROR : ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
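The strace and the capture together tell the story: the listener reads exactly 11 bytes ("POST / HTTP"), never consumes the rest of the 202-byte segment, and calls close(). On Linux, close() on a TCP socket that still has unread bytes in its receive queue makes the kernel answer with RST instead of FIN, which is the [R.] packet in the capture and the ConnectionResetError(104) that fmtest.py reports. The script below is an added example, not code from this issue or from the fmtest.py project: it reproduces that truncated-read behaviour against a loopback server and, beside it, a server that frames the request properly (header block, then Content-Length bytes of body). The request headers are copied from the capture, the JSON body is a shortened constructed stand-in (so Content-Length is recomputed), and 127.0.0.1 with an ephemeral port is assumed for the demo.

```python
"""Correct HTTP/1.1 request framing vs. the 11-byte read seen in the strace.
Added example; not part of the issue or the fmtest.py project."""
import socket
import threading

# Constructed request: headers as captured above, body shortened (the real post
# carried Content-Length: 1595), so Content-Length is computed from this body.
BODY = b'{"msg": "extended", "product": "Web MPS", "alert": [{"name": "malware-object"}]}'
REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 172.31.74.93:8080\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: python-requests/2.9.1\r\n"
    b"content-type: application/json\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n" + BODY
)


def parse_request(buf: bytes):
    """Frame one request from a byte buffer.

    Returns (complete, request_line, headers, body, body_bytes_missing);
    body_bytes_missing is None while the header block itself is incomplete.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return False, None, {}, b"", None
    lines = buf[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    length = int(headers.get("content-length", "0"))
    body = buf[end + 4:end + 4 + length]
    missing = length - len(body)
    return missing == 0, lines[0], headers, body, missing


def read_request(conn: socket.socket):
    """Keep calling recv() until parse_request reports a complete request."""
    buf = b""
    while True:
        complete, line, headers, body, _ = parse_request(buf)
        if complete:
            return line, headers, body
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the request was complete")
        buf += chunk


def start_server(read_full: bool) -> int:
    """One-shot loopback server on an ephemeral port (assumed for the demo).

    read_full=False mimics the strace: read 11 bytes, then close(). Closing with
    unread bytes still queued makes the kernel send RST rather than FIN.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            if read_full:
                _, _, body = read_request(conn)  # consume headers and all of the body
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
            else:
                conn.recv(11)  # read(4, "POST / HTTP", 11) = 11, then close(4)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def post(port: int) -> str:
    """Send REQUEST the way python-requests would and report what the client sees."""
    client = socket.create_connection(("127.0.0.1", port))
    try:
        client.sendall(REQUEST)
        try:
            data = client.recv(4096)
        except ConnectionResetError:  # errno 104, the error fmtest.py printed
            return "reset"
        return data.split(b"\r\n", 1)[0].decode() if data else "eof"
    finally:
        client.close()


def demo(read_full: bool) -> str:
    return post(start_server(read_full))


if __name__ == "__main__":
    print("server reads 11 bytes then close():", demo(read_full=False))
    print("server frames the whole request:  ", demo(read_full=True))
```

The point for whoever maintains the listener on port 8080: a request handler has to read until the header block ends and then Content-Length more bytes before it closes or replies; a fixed-size read followed by close() produces exactly the [R.] seen in the capture, regardless of what the client sent.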