Comments (13)
Would love to read an Answer for this one ! Very exciting!
from thephish.
Hi all, sorry for the delay in the response. The problem experienced by Davdavidid may be due to a configuration problem. I know well that the installation and configuration procedure is fairly tedious, but maybe you have skipped some step anywhere in the guide or something like that. The fact that Cortex is not recognized is a problem related to the KEY that you set in the configuration file for sure.
from thephish.
Hello again and thanks for your answer. On Friday we set up 2 systems using Ubuntu, configured them on the CLI and they went up and running instantly :) Both used the docker method but different hardware, 1 HyperV, 1 ESXI.
Today though, when we wanted to do further tests, both systems were unable to operate because the disk space ran full (129GB and 120GB).
They were running over the weekend but didn't get any emails besides some test emails on Friday. Do you know where this might be coming from? There is no harm since I have a snapshot, but I'm worried it'll happen again.
I would also like your help on a topic regarding the analysis. Is it possible to add the IP of the initial sender as an observable (from the SMTP header)? If not, do you maybe know of an analyzer that will do that?
The things I tried sadly didn't work, and a malicious phishing mail I tested was marked as SAFE. When I manually checked that IP, the services marked it as a spam IP though.
I also have problems adjusting the URLs in the "index.html". I tried changing the href links to the machine's IP address, but when opening the site the links still point to the old addresses.
href=http://thehive:9000/ -> href="http://192.168.188.62:9000"
Is there another location besides the "configuration.json" and "index.html" that I need to adjust?
Thanks for your help in advance!
from thephish.
Hi, the problem of the disk running full is strange. I do know that every analyzed email may occupy more space than one would expect, due to the fact that an entire case is created for each email, but if you just analyzed a couple of emails your disk shouldn't be full. The only thing I can think of now as the root of the problem is that you may have enabled the fetching functionality in your MISP instance, so all the information contained in the various feeds you enable is also ingested and stored on your machine.
Regarding the second problem, what do you mean by "the IP of the sender"? Every IP in the header should be captured by the regular expression engine running in the backend, so if the IP is in the header, it will appear among the observables as well. Are you sure that the IP you are looking for is actually present in the email, or do you just know the IP via other means? I'm asking this question because often the outgoing SMTP servers or the client application don't include the information about the effective sender IP for privacy or security reasons.
Regarding the last problem, the files you have mentioned are the only locations where the URL is written.
from thephish.
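Since the backend's regex picks every IP out of the headers, a defender can pre-check an .eml for the originating hop before feeding it to ThePhish. The following is an added Python example, not code from the ThePhish project; it walks the Received chain of a constructed sample message and assumes that hops in RFC 1918 and loopback ranges are the analyst's own infrastructure rather than the sender.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not a real email); addresses are from documentation ranges.
# Each relay prepends a Received header, so the last one is the earliest hop.
SAMPLE_EML = b"""Received: from mx.internal.example (10.0.0.5)
 by phish.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
 by mx.internal.example; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by relay.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: sender@example.net
To: soc@phish.example
Subject: constructed test message

hello
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 and loopback: our own hops, never the sender's address (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_ips(raw_eml):
    """Unique IPv4 addresses in the Received chain, in top-down header order."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):
        for token in IPV4_RE.findall(str(header)):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # the regex also matches e.g. 999.1.1.1
                continue
            if str(ip) not in found:
                found.append(str(ip))
    return found


def originating_ip(raw_eml):
    """Earliest non-internal hop: the best candidate for the sender's IP."""
    for addr in reversed(received_ips(raw_eml)):
        if not is_internal(ipaddress.ip_address(addr)):
            return addr
    return None  # no Received header, or every hop was internal
```

If `originating_ip` returns None for a forwarded or client-submitted message, the sender IP was never in the headers, which is exactly the case described above.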
You're totally right regarding the header. It got cut off by the software when attaching as an .eml. After a manual test everything worked out perfectly!
Regarding the disk space, we just made a clean docker installation as per the guide and both had the same issue after letting the machine run over the weekend. After rolling back I constantly check the resources and haven't seen any high demand yet, but I'll report back if I catch anything. If you have any other tips for me on what to check, that would be awesome.
About the URL, I'm unsure if I'm making a major mistake here, but when I use the index.html to open ThePhish everything is fine. When I'm browsing there via IP, the links are still the default ones.
from thephish.
Hello again,
I let ThePhish run overnight and the size grew to 39GB. Before I left it yesterday it was at ~250MB.
Do you have any idea how to get to the bottom of this problem?
I also did some more testing and found out that as soon as an email has a DKIM-Signature, it will not get fetched by ThePhish (it gives an error when trying to list). After editing those 2 emails and removing the signature, they could get processed.
Do you think there is a possibility to fetch emails with a signature?
from thephish.
Hello, sorry for the delay in the response. Regarding the space problem, I have never experienced this problem. I think it may be a MISP problem, since it fetches several feeds. For the DKIM problem, I have never experienced it either. I should test this behavior, but it is strange that a DKIM signature prevents the email from being processed, since it is not directly checked by ThePhish.
from thephish.
Hello again. I couldn't get the space problem under control. If I can assist you with the search, I'd be happy to.
Regarding the DKIM-signature, I found the workaround of forwarding the email from the Phish inbox to itself, which removed the signature and solved the problem.
from thephish.
Hi, how many emails have you fed to ThePhish? From what I see in your screenshots, it seems like there is a problem related to the size of the logs and correlations that MISP produces. If this is just how MISP works, I don't think you can do anything but disable MISP if you want to test it on a machine with limited storage.
from thephish.
I probably fed 20 emails or something like that. The size of the VM also doesn't really change in that timeframe. It writes those logs over time (without getting emails) until the point that it's not operational anymore. I get that MISP needs a lot of storage to run, but there seems to be a problem with it disabling the system. The system has 200GB storage right now, but I'll try to extend that even more and reduce feeds.
from thephish.
I fed hundreds of emails to the tool and never had this problem on different VMs with 50GB storage at max. Have you checked that you have just enabled the feeds and not fetched them in their entirety in the MISP instance?
from thephish.
I don't understand exactly what you mean by enabling fetching, but I stuck to the guide and enabled the MISP feeds like this:
Enable MISP feeds:
Sync Actions -> List Feeds -> Load default feed metadata -> All feeds
Select the feeds to enable (filtered for "misp" and enabled them)
Click on "Enable selected"
The "Fetch and store" button seems to be enabled, but I don't think I changed anything there.
from thephish.
That's weird. I just found an issue for MISP that mentions the same problem that you have, and it seems the issuer solved their problem. Right now I can't test that in my environment, both because I don't have time and because I can't reproduce it, but this may help you: MISP/MISP#2800
from thephish.