I am trying to create a Python webhook to receive data from my Elastic SIEM (JSON format). When I try it I get the errors below (sorry, it's my first time using Python, so I couldn't work out what the problem is):
* Serving Flask app "webhook3" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: on
* Running on http://10.10.13.135:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 235-675-806
{"body": "test"}
10.13.81.254 - - [11/Dec/2020 16:43:02] "POST /webhook HTTP/1.1" 200 -
10.13.81.254 - - [11/Dec/2020 16:43:21] "POST /webhook HTTP/1.1" 500 -
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2464, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2450, in wsgi_app
response = self.handle_exception(e)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1867, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/thehive/webhook3.py", line 20, in api_webhook_messages
my_info = json.loads(request.data)
File "/usr/local/lib/python3.8/dist-packages/flask/json/__init__.py", line 253, in loads
return _json.loads(s, **kwargs)
File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 535, in loads
return cls(encoding=encoding, **kw).decode(s)
File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 370, in decode
obj, end = self.raw_decode(s)
File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 400, in raw_decode
return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
The webhook configuration:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import json # To read json data
from flask import request # To receive headers
from flask import Flask # To be able to start the application
# The WSGI application object; the views below are registered on it via @app.route.
app = Flask(import_name=__name__)
@app.route('/')
def api_root():
    """Serve a fixed greeting on GET / so a browser hit confirms the service is up."""
    greeting = 'Welcome guys'
    return greeting
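@app.route('/webhook', methods=['POST'])
def api_webhook_messages():
    """Receive a POST from the Elastic watcher and print its body.

    The watcher action in the question posts the fixed body ``test``, which is
    not JSON, so the original ``json.loads(request.data)`` raised
    ``JSONDecodeError`` and Flask answered 500.  A body that is not JSON is now
    printed as raw text instead of failing the request.

    Returns:
        A plain-text acknowledgement (HTTP 200).
    """
    # force=True parses regardless of Content-Type (the original ignored it
    # too); silent=True yields None instead of raising on a non-JSON body.
    my_info = request.get_json(force=True, silent=True)
    if my_info is None:
        # Not JSON: show the raw payload.  This echoes whatever the sender
        # posted into the server log, so keep it for debugging only.
        print(request.get_data(as_text=True))
    else:
        print(json.dumps(my_info))
    # NOTE(review): nothing authenticates the sender; anyone who can reach
    # 10.10.13.135:8080 can post to this route.  Restrict it at the network
    # level or check a shared secret before trusting the payload.
    return 'Connection sucessful'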
if __name__ == '__main__':
    # debug=True enables the Werkzeug reloader and the interactive debugger
    # (the "Debugger PIN" printed at startup).  Because the server is bound to
    # 10.10.13.135 rather than localhost, that debugger is reachable from the
    # network; keep this setting for development only.
    app.run(host='10.10.13.135', port=8080, debug=True)
And here is the watcher that I have configured:
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": "firewall-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1h",
                      "to": "now"
                    }
                  }
                }
              }
            },
            "aggs": {
              "by_source_ip": {
                "terms": {
                  "size": 100,
                  "field": "source.ip"
                },
                "aggs": {
                  "by_destination_ip": {
                    "terms": {
                      "size": 100,
                      "field": "destination.ip"
                    },
                    "aggs": {
                      "by_port_number": {
                        "terms": {
                          "size": 100,
                          "field": "destination.port",
                          "order": {
                            "_count": "asc"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script":
      """
      // Fire the action only when some source IP / destination IP pair was seen
      // on more than 15 distinct destination ports in the last hour.  (The
      // original note said 20 ports while the code tests > 15 -- confirm which
      // threshold is intended.)
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15 )
          {
            return true;
          }
        }
      }
      // NOTE(review): there is no explicit `return false;` after the loops --
      // confirm the watcher treats falling off the end of the script as false.
      """
    },
    "transform":
    {
      "script":
      """
      String[] source= new String[5]; // source IPs of the detected scans
      String[] destination= new String[5]; // destination IPs that were scanned
      int[] nombre_port= new int[5]; // number of ports scanned per (source IP / destination IP) pair
      int n=0;
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15) // keep only the source/destination pairs that met the condition above (same > 15 threshold)
          {
            if (n<5) // never write past the 5 slots allocated above; any further matching pairs are silently dropped
            {
              source[n] = ctx.payload.aggregations.by_source_ip.buckets[i].key;
              destination[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].key;
              nombre_port[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size();
              n++;
            }
          }
        }
      }
      // NOTE(review): the webhook action below sends the fixed body "test", so
      // this result never reaches the Flask handler as written; the action body
      // would have to be templated from ctx.payload for it to be delivered.
      return [source,destination,nombre_port];
      """
    },
    "actions": {
      "my_webhook": {
        "webhook": {
          "method": "POST",
          "host": "10.10.13.135",
          "path": "/webhook",
          "port": 8080,
          "body": "test"
        }
      }
    }
  }
}
Could you please help me solve this error? Thanks :)
Answer
So I just found out that the data sent wasn't in JSON format (the watcher action posts the fixed body `test`, which is not valid JSON, so `json.loads` fails at the very first character), and to print it I used:
def api_webhook_messages():
    """Print the raw POST body without parsing it as JSON.

    As excerpted here, the ``@app.route`` decorator and the ``return`` of the
    question's version are omitted; a Flask view still needs a return value.
    """
    data = request.data  # raw body bytes, whatever the sender's content type
    print(data)
Thanks for your help