
Comments (6)

akefallonitis commented on July 22, 2024

Update: curl is running and returns json, but still the same error.

from bro-scripts.

binups commented on July 22, 2024

In Bro 2.5 I am getting the below error while running vt_check.bro:

1491343971.786777 error in ./vt_check.bro, line 93: value used but not set (VTCHECK::positives)


akefallonitis commented on July 22, 2024

if ( result?$files && bodyfile in result$files )
    {
    local body = fmt("%s", result$files[bodyfile]);
    local context = "";
    local subcon = "-";
    if ( |body| > 0 )
        {
        local positives: string;
        local total: string;
        local elements = split_string(body, /,/);
        local results: vector of string;
        local virustotal_url = fmt(match_sub_url, f$info$sha256);
        for ( e in elements )
            {
            print e;
            local temp: string_vec;
            if ( /"positives":/ in elements[e] )
                {
                temp = split_string(elements[e], /:/);
                positives = sub_bytes(temp[1], 1, |temp[3]|);
                print positives;
                }
            else if ( /"total":/ in elements[e] )
                {
                temp = split_string(elements[e], /:/);
                total = sub_bytes(temp[1], 1, |temp[3]|);
                print total;
                }
            else if ( /"result":/ in elements[e] )
                {
                if ( ! ( / null/ in elements[e] ) )
                    {
                    temp = split_string(elements[e], /"/);
                    print temp[3];
                    results[|results|] = temp[3];
                    }

Change this part and check what is printed


RealLinkers commented on July 22, 2024

The fix doesn't seem to be working, it can't find the function match_sub_url in match_sub_url and after removing that it gives an error on line 98, about regex parsing.


sooshie commented on July 22, 2024

I'll try and take a look at it. I haven't been doing much Bro stuff lately. If you get it figured out before I do I'll happily take a PR.


jbaggs commented on July 22, 2024

@RealLinkers: I believe it is not so much a fix as a suggestion to use a print statement for troubleshooting.

As far as the issue goes, it appears it is because VT is returning json in the case of not finding results. The hash is in the "resource" field of the json, so the conditionals at lines 55 and 60 both fall through.

The json from VT also contains a "response_code" field (0 if not found, and 1 if found), so changing line 60 to: if ( |body| > 0 && /\"response_code\": 1/ in body) will make sure there is a result to work with.

That said, I noticed the tracking of hashes that have previously been checked, and I'm not sure the behavior is what is expected. The script only raises notices the first time a hash is seen, and only if it is in VT at the time it is first spotted. The hash is also added before any of the other code executes, so failure anywhere else in the code will leave the hash unchecked.

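The two points in the last comment (gate on "response_code" before reading "positives"/"total", and record a hash as checked only after the lookup has been handled), modelled in Python so the logic can be run offline. This is an added example, not code from vt_check.bro or from any commenter; the `lookup` callable, the threshold, the return labels and the sample bodies are assumptions constructed for illustration.

```python
import json

# Constructed sample bodies in the shape the comment describes (not captured VT output).
FOUND = '{"response_code": 1, "resource": "aa11", "positives": 5, "total": 60}'
NOT_FOUND = '{"response_code": 0, "resource": "bb22"}'


def parse_report(body):
    """Return (positives, total) for a found hash, or None when there is no usable report."""
    if not body:
        return None
    try:
        report = json.loads(body)
        if report.get("response_code") != 1:
            return None  # response_code 0: "positives" and "total" are absent
        return int(report["positives"]), int(report["total"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None      # malformed or unexpected body: treat as "no result"


class HashTracker:
    """Marks a hash as checked only after a report was parsed successfully."""

    def __init__(self, lookup, threshold=1):
        self.lookup = lookup        # hypothetical callable: sha256 -> response body
        self.threshold = threshold  # assumed notice threshold
        self.checked = set()
        self.notices = []

    def check(self, sha256):
        if sha256 in self.checked:
            return "cached"
        try:
            result = parse_report(self.lookup(sha256))
        except OSError:
            return "retry"          # lookup failed: hash stays unchecked
        if result is None:
            return "retry"          # not in VT yet: look again next time it is seen
        positives, total = result
        self.checked.add(sha256)    # recorded last, once nothing else can fail
        if positives >= self.threshold:
            self.notices.append((sha256, positives, total))
            return "notice"
        return "clean"
```

A hash that is unknown to VT when first seen is looked up again on its next sighting, so a later detection still raises a notice.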
