Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error generating alerts on Iris | 'NoneType' object has no attribute 'removesuffix' #1457

Closed
rober-fuji opened this issue May 31, 2024 · 7 comments · Fixed by #1533
Closed

Error generating alerts on Iris | 'NoneType' object has no attribute 'removesuffix' #1457

rober-fuji opened this issue May 31, 2024 · 7 comments · Fixed by #1533
Labels
bug Something isn't working

Comments

@rober-fuji
Copy link

Good morning,

An attempt has been made to run elastalert on Docker, version 2.2, with the following file:

es_host: ***************
es_port: *******
alert:
- debug
description: Test Rule
filter:
- query_string:
    query: (data.office365.Workload:AzureActiveDirectory AND data.office365.Operation:UserLoginFailed AND data.offic>
index: *******
name: Test Alert
priority: 3
realert:
  minutes: 0
type: any
alert:
- "iris"
 
iris_host: ***************
iris_api_token: *********************************************
iris_customer_id: 2
iris_description: 'Test alert from ElastAlert2'
iris_alert_note: 'Alert triggered by opened session'
iris_alert_tags: 'test, login, ssh'
#iris_alert_context:
#  username: data.office365.UserId
#  ip: data.office365.ClientIP
iris_iocs:
 
  - ioc_value: data.office365.ClientIP
    ioc_description: source ip address
    ioc_tlp_id: 1
    ioc_type_id: 79
    ioc_tags: ip-src

The first alert pops up in Iris, including its IoCs and everything is correct, but when the second alert pops up, it appears without IoCs and the following exception pops up

elastalert_error - {'message': "Uncaught exception running rule Test Alert: 'NoneType' object has no attribute 'remov                                                                                                                        esuffix'", 'traceback': ['Traceback (most recent call last):', '  File "/usr/local/lib/python3.12/site-packages/elast                                                                                                                        alert/elastalert.py", line 1324, in alert', '    return self.send_alert(matches, rule, alert_time=alert_time, retried                                                                                                                        =retried)', '           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/                                                                                                                        lib/python3.12/site-packages/elastalert/elastalert.py", line 1409, in send_alert', '    alert.alert(matches)', '  Fil                                                                                                                        e "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 138, in alert', '    alert_data = self.                                                                                                                        make_alert(matches)', '                 ^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/e                                                                                                                        lastalert/alerters/iris.py", line 96, in make_alert', '    iocs = self.make_iocs_records(matches)', '           ^^^^^                                                                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 67,                                                                                                                         in make_iocs_records', "    record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])", '                                                                                                                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert                                                                                                                        /util.py", line 165, in lookup_es_key', '    value_dict, value_key = _find_es_dict_by_key(lookup_dict, term)', '                                                                                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/ela                                                                                                                        stalert/util.py", line 88, in _find_es_dict_by_key', '    term = term.removesuffix(string_multi_field_name)', '                                                                                                                                   ^^^^^^^^^^^^^^^^^', "AttributeError: 'NoneType' object has no attribute 'removesuffix'"], 'data': {'rule': 'Test                                                                                                                         Alert'}}
 
elastalert_error - {'message': "Uncaught exception running rule Test Alert: 'NoneType' object has no attribute 'remov                                                                                                                        esuffix'", 'traceback': ['Traceback (most recent call last):', '  File "/usr/local/lib/python3.12/site-packages/elast                                                                                                                        alert/elastalert.py", line 1324, in alert', '    return self.send_alert(matches, rule, alert_time=alert_time, retried                                                                                                                        =retried)', '           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/                                                                                                                        lib/python3.12/site-packages/elastalert/elastalert.py", line 1409, in send_alert', '    alert.alert(matches)', '  Fil                                                                                                                        e "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 138, in alert', '    alert_data = self.                                                                                                                        make_alert(matches)', '                 ^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/e                                                                                                                        lastalert/alerters/iris.py", line 96, in make_alert', '    iocs = self.make_iocs_records(matches)', '           ^^^^^                                                                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 67,                                                                                                                         in make_iocs_records', "    record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])", '                                                                                                                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert                                                                                                                        /util.py", line 165, in lookup_es_key', '    value_dict, value_key = _find_es_dict_by_key(lookup_dict, term)', '                                                                                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/ela                                                                                                                        stalert/util.py", line 88, in _find_es_dict_by_key', '    term = term.removesuffix(string_multi_field_name)', '                                                                                                                                   ^^^^^^^^^^^^^^^^^', "AttributeError: 'NoneType' object has no attribute 'removesuffix'"], 'data': {'rule': 'Test                                                                                                                         Alert'}}
 
elastalert_error - {'message': "Uncaught exception running rule Test Alert: 'NoneType' object has no attribute 'remov                                                                                                                        esuffix'", 'traceback': ['Traceback (most recent call last):', '  File "/usr/local/lib/python3.12/site-packages/elast                                                                                                                        alert/elastalert.py", line 1324, in alert', '    return self.send_alert(matches, rule, alert_time=alert_time, retried                                                                                                                        =retried)', '           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/                                                                                                                        lib/python3.12/site-packages/elastalert/elastalert.py", line 1409, in send_alert', '    alert.alert(matches)', '  Fil                                                                                                                        e "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 138, in alert', '    alert_data = self.                                                                                                                        make_alert(matches)', '                 ^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/e                                                                                                                        lastalert/alerters/iris.py", line 96, in make_alert', '    iocs = self.make_iocs_records(matches)', '           ^^^^^                                                                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert/alerters/iris.py", line 67,                                                                                                                         in make_iocs_records', "    record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])", '                                                                                                                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/elastalert                                                                                                                        /util.py", line 165, in lookup_es_key', '    value_dict, value_key = _find_es_dict_by_key(lookup_dict, term)', '                                                                                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^', '  File "/usr/local/lib/python3.12/site-packages/ela                                                                                                                        stalert/util.py", line 88, in _find_es_dict_by_key', '    term = term.removesuffix(string_multi_field_name)', '                                                                                                                                   ^^^^^^^^^^^^^^^^^', "AttributeError: 'NoneType' object has no attribute 'removesuffix'"], 'data': {'rule': 'Test                                                                                                                         Alert'}}

In this example there is only one match and no error occurs, the alert is generated correctly.

es_host: *********************************************
es_port: *********************************************
alert:
- debug
description: Test Rule 2
filter:
- query_string:
    query: (data.type:utm AND data.subtype:ips AND data.severity:medium)
index: *********************************************
name: Test Alert
priority: 3
realert:
  minutes: 0
type: any
alert:
- "iris"
 
iris_host: *********************************************
iris_api_token: *********************************************
iris_customer_id: 2
iris_description: 'Test alert from ElastAlert2'
iris_alert_note: 'Alert triggered by opened session'
iris_alert_tags: 'test, login, ssh'
iris_iocs:
 
  - ioc_value: data.srcip
    ioc_description: source ip address
    ioc_tlp_id: 1
    ioc_type_id: 79
    ioc_tags: ip-src

In this example there is more than one hit and the same error is generated.

es_host: *********************************************
es_port: *********************************************
alert:
- debug
description: Test Rule 3
filter:
- query_string:
    query: (data.type:utm AND data.subtype:ips AND data.severity:critical)
index: *********************************************
name: Test Alert
priority: 3
realert:
  minutes: 0
type: any
alert:
- "iris"
 
iris_host: *********************************************
iris_api_token: *********************************************
iris_customer_id: 2
iris_description: 'Test alert from ElastAlert2'
iris_alert_note: 'Alert triggered by opened session'
iris_alert_tags: 'test, login, ssh'
iris_iocs:
 
  - ioc_value: data.srcip
    ioc_description: source ip address
    ioc_tlp_id: 1
    ioc_type_id: 79
    ioc_tags: ip-src

This happens when the following command is used:
elastalert-test-alert name-of-file.yaml --alert
@jertel
Copy link
Owner

jertel commented May 31, 2024

Thanks for reporting this @rober-fuji. I reviewed the IRIS alerter and see a problem.

@malinkinsa, in the IRIS PR you submitted last year, there's a bug where the IOC fetcher loop is overwriting the rule configuration, causing subsequent alerts to throw errors and fail to alert. Specifically, this line:

elastalert2/elastalert/alerters/iris.py

Line 67 in 23aab84

record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])

is fetching a value from the matched document, and then storing that looked up value over the top of the original lookup key.

Given this config:

iris_iocs:
  - ioc_value: data.srcip
     ...

If that fetched value wasn't found in the document then a None is returned, and now the rule configuration looks like this:

iris_iocs:
  - ioc_value: 
    ...

Notice how ioc_value no longer has a lookup key. Now all subsequent IRIS alerts will fail since ElastAlert 2 currently does not allow None (aka null) lookup terms.

I think the code should be using a deep clone of the IOC object and modifying/appending that, rather than using the original rule config.

CC: @gregorywychowaniec-zt, since you recently made a change in this area and may have some input or time to help prepare a fix.

@malinkinsa
Copy link
Contributor

Unfortunately, I haven't watched it yet. I'll try to look closer to the middle of the month :(

@jertel
Copy link
Owner

jertel commented Jul 3, 2024

Unfortunately, I haven't watched it yet. I'll try to look closer to the middle of the month :(

Any update on this?

@malinkinsa
Copy link
Contributor

Unfortunately, I still haven't had the time to address this issue. :(

@gregorywychowaniec-zt
Copy link
Contributor

Same for me, I'm not on this topic at the moment. I will reopen this topic on my side in a few weeks, so if it was not fixed at that time, I will keep an eye on it.

@nsano-rururu nsano-rururu added the bug Something isn't working label Jul 24, 2024
@gregorywychowaniec-zt
Copy link
Contributor

Hello, I will restart IRIS project soon so I will look for this issue in the next few weeks

bvirgilioamnh added a commit to bvirgilioamnh/elastalert2 that referenced this issue Sep 16, 2024
@bvirgilioamnh
Updated iris.py to fix issue jertel#1457
52a305e 
Copying the record data into a new private variable resolves the issue.
@jertel jertel linked a pull request Sep 18, 2024 that will close this issue
Bugfix/1457 fixing iris ioc NoneType #1533
Merged
6 tasks
@jertel
Copy link
Owner

jertel commented Sep 18, 2024

Thanks you @bvirgilioamnh for taking the time to fix this issue, and for the several other IRIS alerter improvements. Your efforts are appreciated!

@jertel jertel closed this as completed Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bugfix/1457 fixing iris ioc NoneType bvirgilioamnh/elastalert2
5 participants
@malinkinsa @jertel @nsano-rururu @gregorywychowaniec-zt @rober-fuji