File submission to FireEye MAS results in ERR_CODE_RUNTIME_EXCEPTION in Security Analytics

Article ID: 168203

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

When files are submitted to FireEye MAS 7.x through Data Enrichment, they do not create an analysis task.
Instead, the /var/log/messages log shows an entry like this:

Nov 6 06:09:55 hostname Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File hostname_2014-11-06T08.45.00-0500_10.0.0.1-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist

Cause

This can be caused by insufficient privileges of the user specified for MAS submission.

Resolution

Make sure the MAS user is an admin user, not an analyst.

To verify the problem, you can use the attached Python script.
Connect to the Security Analytics appliance via SSH.

1. Back up the existing fireeye.py script file:
cp /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak
2. Replace the fireeye.py file in /usr/lib64/python3.3/site-packages/derp/providers with the attached version of the file.
3. Restart derpd:
service derpd restart
4. Request a FireEye analysis.
5. /var/log/messages will show the permission error if you search for the submitted filename.
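
The log search in the last step, as an added example (not part of the original article or of the attached script): shell functions that list the artifact filenames rejected with ERR_CODE_RUNTIME_EXCEPTION and pull every Data-Enrichment line for one filename. The function names and all sample lines except the first are constructed; the match pattern is taken from the single log line quoted in this article.

```shell
#!/bin/sh
# Added example: review Data-Enrichment submission failures in a syslog file.
# Function names are hypothetical; the pattern follows the log line in the article.

# Print the unique artifact filenames that failed to submit.
# $1: log file (on the appliance: /var/log/messages)
failed_artifacts() {
    sed -n 's/.* Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File \(.*\) does not exist.*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# Print every Data-Enrichment line that mentions one artifact filename.
# $1: log file, $2: filename. grep -F treats the dots in the name literally,
# so "a.exe" does not also match "aXexe".
artifact_lines() {
    grep -F -- "$2" "$1" | grep -F 'Data-Enrichment:'
}

# Sample input for offline testing. The first line is the one quoted in the
# article; every other line is constructed for this example.
make_sample_log() {
    cat <<'EOF'
Nov 6 06:09:55 hostname Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File hostname_2014-11-06T08.45.00-0500_10.0.0.1-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist
Nov 6 06:10:01 hostname crond[1234]: (root) CMD (constructed unrelated line)
Nov 6 06:11:12 hostname Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File constructed_sample_2.exe does not exist
Nov 6 06:12:40 hostname Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File constructed_sample_2.exe does not exist
Nov 6 06:13:05 hostname Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File constructed_sample_2Xexe does not exist
EOF
}

# With a log path as the first argument, list the failed artifacts in that file.
if [ -n "${1:-}" ]; then
    failed_artifacts "$1"
fi
```

Run it with /var/log/messages as the argument after step 4, then pass a reported filename to artifact_lines to see every Data-Enrichment entry for that submission.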