Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug when posting file_data with non-000Z milliseconds #60

Closed
ustayready opened this issue May 16, 2024 · 0 comments
Closed

Bug when posting file_data with non-000Z milliseconds #60

ustayready opened this issue May 16, 2024 · 0 comments

Comments

@ustayready
Copy link

ustayready commented May 16, 2024
edited

What is the installation of Nemesis?

Debian 11, k3s

What is the issue?

Nemesis API endpoint for posting file_data to /api/data using curl or python3 requests requires the timestamp/expiration to have 000Z milliseconds in order to succeed. I've attempted dozens of alternative timestamp formats and none seem to work.

Example Curl Statements:

BAD: Invalid expiration value in metadata field

curl -X POST http://192.168.68.66/api/data -v --user 'nemesis:password' \
   -H "Content-Type: application/json" \
   -d '{
         "metadata": {
           "agent_id": "3249337381",
           "agent_type": "monitor",
           "automated": true,
           "data_type": "file_data",
           "expiration": "2024-06-14T21:43:07.900Z",
           "project": "7249",
           "timestamp": "2024-05-15T21:43:07.400Z",
           "source": "blob://monitor"
         },
         "data": [
           {
             "path": "./test/Certify.exe",
             "size": 583568,
             "object_id": "8c0f2413-12b2-47e5-82fc-0b46e0535c13"
           }
         ]
       }'

BAD: Invalid file_data message

curl -X POST http://192.168.68.66/api/data -v --user 'nemesis:password' \
   -H "Content-Type: application/json" \
   -d '{
         "metadata": {
           "agent_id": "3249337381",
           "agent_type": "monitor",
           "automated": true,
           "data_type": "file_data",
           "expiration": "2024-06-14T21:43:07",
           "project": "7249",
           "timestamp": "2024-05-15T21:43:07",
           "source": "blob://monitor"
         },
         "data": [
           {
             "path": "./test/Certify.exe",
             "size": 583568,
             "object_id": "8c0f2413-12b2-47e5-82fc-0b46e0535c13"
           }
         ]
       }'

GOOD

curl -X POST http://192.168.68.66/api/data -v --user 'nemesis:password' \
   -H "Content-Type: application/json" \
   -d '{
         "metadata": {
           "agent_id": "3249337381",
           "agent_type": "monitor",
           "automated": true,
           "data_type": "file_data",
           "expiration": "2024-06-14T21:43:07.000Z",
           "project": "7249",
           "timestamp": "2024-05-15T21:43:07.000Z",
           "source": "blob://monitor"
         },
         "data": [
           {
             "path": "./test/Certify.exe",
             "size": 583568,
             "object_id": "8c0f2413-12b2-47e5-82fc-0b46e0535c13"
           }
         ]
       }'

Problem Line in Code

It looks like the strptime() is requiring .000Z:

Nemesis/cmd/enrichment/enrichment/tasks/webapi/nemesis_api.py

Line 370 in 84d5986

expiration = datetime.strptime(expiration_string, "%Y-%m-%dT%H:%M:%S.000Z")

Proposed Solution

Consider using the format string "%Y-%m-%dT%H:%M:%S.%fZ" for flexible formatting.

If I get a moment, I will make a PR to fix this. I tested it locally and it works at parsing all the variants.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ustayready