MISP Integration Error: While running custom-misp -> integrations. Output: IndexError: list index out of range


Palak Chopra

Sep 30, 2024, 2:47:04 PM
to Wazuh | Mailing List
I'm trying to integrate MISP to check for malicious domains in email.
I've used this script: custom-misp
And added postfix as one of the groups to run this integration script.
However, when a postfix alert is generated, I receive this error in ossec.logs:
2024/09/30 18:34:38 wazuh-integratord: ERROR: Exit status was: 1
2024/09/30 18:34:39 wazuh-integratord: ERROR: Unable to run integration for custom-misp -> integrations
2024/09/30 18:34:39 wazuh-integratord: ERROR: While running custom-misp -> integrations. Output: IndexError: list index out of range
 
This is triggered by the line: 
alert_file = open(sys.argv[1])

Postfix rules:
<group name="postfix,">
    <!-- Rule to capture the first log entry with a specific queue ID -->
    <rule id="100001" level="12">
        <decoded_as>postfix</decoded_as>
        <description>Initial Postfix log entry with q ID</description>
        <group>postfix,</group>
        <!--match>q_id=.*</match-->
        <!--field name="q_id">^(.+)$</field--> <!-- Match queue_id -->
        <!--options>no_full_log</options-->
        <!-- Save this field to use in correlation -->
    </rule>

    <!-- Rule to capture subsequent log entries with the same queue ID -->
    <rule id="100002" level="12">
        <decoded_as>postfix</decoded_as>
        <if_matched_sid>100001</if_matched_sid>
        <description>Subsequent Postfix log entries for the same queue ID</description>
        <group>postfix,</group>
        <!--match>q_id=.*</match-->
        <!--field name="q_id">^(.+)$</field-->
        <same_id/>
        <!--options>no_full_log</options-->
    </rule>

</group>

Federico Ramos

Sep 30, 2024, 5:15:59 PM
to Wazuh | Mailing List
Hi,

It seems that the script isn't receiving its first CLI argument when executed. Can you show us the configuration section where you configured this integration? Also, which documentation/step did you follow to integrate this script?

Also, here is a small guide on how to integrate custom scripts: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/. Maybe this can help you with the setup.
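As an added illustration of the failure discussed in this thread (this is example code, not the custom-misp script from the original post and not Wazuh's own code): wazuh-integratord runs a custom integration script as `<script> <alert_file> <api_key> <hook_url>`, so `sys.argv[1]` is the path to a JSON file holding one alert, and it is only populated when the `<integration>` block in ossec.conf names the script, its group (here postfix) and `<alert_format>json</alert_format>`. The example below reads the alert the same way but checks the argument count first, so a missing alert file produces a descriptive error rather than a bare `IndexError`, and then pulls out the fields a domain lookup would need. The sample alert, the agent name and the function names are constructed for the example.

```python
"""Added example: defensive alert-file handling for a Wazuh custom integration.

Not the custom-misp script from the thread and not Wazuh code. The integrator
passes the alert file path as the first CLI argument; if it is absent,
`sys.argv[1]` raises IndexError, which is what the thread's ossec.log shows.
"""
import json
import os
import sys
import tempfile


def load_alert(argv):
    """Return the alert dict from the JSON file named by argv[1].

    Raises ValueError with a descriptive message instead of letting an
    IndexError escape when integratord did not pass an alert file.
    """
    if len(argv) < 2:
        raise ValueError(
            "no alert file argument: integratord should call this script as "
            "<script> <alert_file> <api_key> <hook_url>; check the "
            "<integration> block in ossec.conf (name, group, alert_format json)"
        )
    with open(argv[1], encoding="utf-8") as fh:
        return json.load(fh)


def extract_postfix_fields(alert):
    """Pull the pieces a domain-reputation lookup needs from a postfix alert."""
    rule = alert.get("rule", {})
    return {
        "rule_id": rule.get("id"),
        "groups": rule.get("groups", []),
        "agent": alert.get("agent", {}).get("name"),
        "full_log": alert.get("full_log", ""),
    }


# Constructed sample alert: the shape mirrors a Wazuh JSON alert, the values
# (agent name, host, log line) are invented for this example.
SAMPLE_ALERT = {
    "rule": {"id": "100001", "level": 12, "groups": ["postfix"]},
    "agent": {"name": "mailhost-01"},
    "full_log": "Sep 30 18:34:38 mailhost postfix/smtpd[1234]: "
                "connect from example.invalid",
}


def write_sample_alert():
    """Write SAMPLE_ALERT to a temp file and return its path (keeps the run offline)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_ALERT, fh)
    return path


def run(argv):
    """Entry point mirroring a custom integration's main().

    Returns the extracted fields, or a dict with an "error" key describing
    why the alert could not be read (a real script would log it and exit 1,
    which is the "Exit status was: 1" line integratord then reports).
    """
    try:
        alert = load_alert(argv)
    except ValueError as exc:
        return {"error": str(exc)}
    return extract_postfix_fields(alert)


if __name__ == "__main__":
    # Run with no arguments to see the descriptive error; with a path to see
    # the extracted fields (e.g. python3 example.py "$(python3 -c 'import example; print(example.write_sample_alert())')").
    print(run(sys.argv))
```

Running the script by hand with no arguments reproduces the condition integratord hit, but now the output names the missing argument and the ossec.conf section to check, which is the first thing to verify before looking at the script body itself.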
