0

I am trying to create a python webhook to receive data from my ELastic SIEM (JSON format), when I try it I am getting this errors: (sorry It's my first time using python, so couldn't know what's the problem)

 * Serving Flask app "webhook3" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://10.10.13.135:8080/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 235-675-806
{"body": "test"}
10.13.81.254 - - [11/Dec/2020 16:43:02] "POST /webhook HTTP/1.1" 200 -
10.13.81.254 - - [11/Dec/2020 16:43:21] "POST /webhook HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2450, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1867, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/thehive/webhook3.py", line 20, in api_webhook_messages
    my_info = json.loads(request.data)
  File "/usr/local/lib/python3.8/dist-packages/flask/json/__init__.py", line 253, in loads
    return _json.loads(s, **kwargs)
  File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 535, in loads
    return cls(encoding=encoding, **kw).decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

The webhook configuration:

#!/usr/bin/env python
# -*- coding: utf-8 -*-



from flask import json        # To read json data 
from flask import request     # To receive headers
from flask import Flask       # To be able to start the application 

app = Flask(__name__)


@app.route('/')
def api_root():
    return 'Welcome guys'

@app.route('/webhook', methods=['POST'])
def api_webhook_messages():
    my_info = json.loads(request.data)
    print(json.dumps(my_info))
    return 'Connection sucessful'


if __name__=='__main__':
    app.run(port=8080, host='10.10.13.135',debug=True)

And here is the watcher that I have configured:


POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": "firewall-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1h",
                      "to": "now"
                    }
                  }
                }
              }
            },
            "aggs": {
              "by_source_ip": {
                "terms": {
                  "size": 100,
                  "field": "source.ip"
                },
                "aggs": {
                  "by_destination_ip": {
                    "terms": {
                      "size": 100,
                      "field": "destination.ip"
                    },
                    "aggs": {
                      "by_port_number": {
                        "terms": {
                          "size": 100,
                          "field": "destination.port",
                          "order": {
                            "_count": "asc"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script":
      """

      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15 ) // l'action ne sera exécuté seulement s'il y a un scan de 20 port par @IP source / @IP destination
          {
            return true;
          }
        }
      }

        """
    },
    "transform":
    {
      "script":
      """

     String[] source= new String[5]; // Un vercteur qui contient les addresse IP source des scan
     String[] destination= new String[5]; // Un vercteur qui contient les adresse IP destination qui ont été scanné
     int[] nombre_port= new int[5]; // Un vecteur qui contient le nombre de ports scanné pour  (IP source / IP destination)
     int n=0;
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15) // Pour entregistrer seulement les addresse IP source/destinations qui ont déclenché l'alarme
          {
            if (n<5) // Pour s'assurer qu'on dépasse pas 5 cases qu'on a alloué
            {
            source[n] = ctx.payload.aggregations.by_source_ip.buckets[i].key;
            destination[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].key;
            nombre_port[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size();
            n++;
            }
          }
        }
      }
      return [source,destination,nombre_port];
      """
    },
    "actions": {
     "my_webhook": {
       "webhook": {
         "method": "POST",
         "host": "10.10.13.135",
         "path": "/webhook",
         "port": 8080,
         "body": "test"
       }
     }
    }
  }
}

Could you please help me to solve this error ! Thanks :)

Improve this question
2
  • The data you are sending is probably not JSON, but you haven't supplied enough information to reproduce any meaningful problem. Commented Dec 11, 2020 at 17:52
  • Thanks for your answer @Ken, I have updated my post and added the configuration of the watcher I am using Commented Dec 14, 2020 at 8:01

1 Answer 1

Reset to default
1

So I just found out that the data send wasn't in a json format and to print I used:

def api_webhook_messages(): data = request.data print(data)

Thanks for your help

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.