Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Tags gets wrong renamed #1376

Closed
crackytsi opened this issue May 28, 2020 · 6 comments
Closed

[Bug] Tags gets wrong renamed #1376

crackytsi opened this issue May 28, 2020 · 6 comments
Assignees
@To-om
Labels
bug TheHive4 TheHive4 related issues
Milestone
4.0.0

Comments

@crackytsi
Copy link

Bug

Work Environment

Question Answer
OS version (server) Debian
OS version (client) 10
TheHive version / git hash 4 RC3
Package Type DEB

Problem Description

I have a tag like this:Id:7SeUoB3IBABD+tMh2PjVJYg==
Note the ":" and the 2 "=" characters.
If I set this tag manually on a case or if I run the migration script importing a case with this tag, it becomes:
Id.7SeUoB3IBABD+tMh2PjVJYg="="
This is not what is expected.

Please encode / preserve the tag is it is.
@crackytsi crackytsi added TheHive4 TheHive4 related issues bug labels May 28, 2020
@To-om
Copy link
Contributor

To-om commented May 28, 2020

Tags are decomposed into: namespace, predicate and value. This will permit a soft transition to taxonomies.
When a string is provided, TheHive try to find the 3 components with the following format:

([^\".:=]+)[.:]([\".=]+)=\"([^\"]+)\"#(\\p{XDigit}{6})
([^\".:=]+)[.:]([^\".=]+)=\"?([^\"]+)\"?
([^\".:=]+)[.:]([^\".=]+)
([^\".:=]+)=\"([^\"]+)\"
([^\".:=]+)

In your case, Id becomes the namespace, 7SeUoB3IBABD+tMh2PjVJYg the predicate and = the value. Is it an option to enter Id=7SeUoB3IBABD+tMh2PjVJYg== instead ?

@To-om To-om self-assigned this May 28, 2020
@crackytsi
Copy link
Author

Hi,
I don't understand, why this issue didn't exist on TheHive3.
Actually I have a lot of tags that are in the format "XX: asdfadsfads", so this would be a bigger change for me.
I also have no clue how to deal in the migration with this. As it would break a lot of existing things (reports, dashboards etc.)

And would "Id: XXXXX==" work?

@To-om
Copy link
Contributor

To-om commented Jun 8, 2020

I can fix tag parsing for this format. Have you other tag formats that are incorrectly parsed ?

@crackytsi
Copy link
Author

crackytsi commented Jun 8, 2020
edited
Loading

On Case-level all my cases have Tags like "id:XXX".
Some have at the end of XXX can be at the end one or 2 characters with "==" e.g. "Id:.7YTkXEBABCETVxKTcUhwQ=="

I also observed that on Observable level, that all tags are "wrong".
They have "Key: Value"-Format (key-dubblepoint-space-value) and become "Key. Value".
Some have the format "Key: A.B.C.D", they are correct, some have the format "Key: Text_A.B.C.D", they are also correct.

@To-om To-om added this to the 4.0.0-RC4 milestone Jun 13, 2020
To-om added a commit that referenced this issue Jun 13, 2020
@To-om
#1376 Fix tag parsing
8037795
@To-om
Copy link
Contributor

To-om commented Jun 13, 2020

This should cover all your cases (cf. https://github.com/TheHive-Project/TheHive/blob/develop-th4/thehive/test/org/thp/thehive/models/TagTest.scala)

@To-om To-om closed this as completed Jun 13, 2020
@crackytsi
Copy link
Author

@To-om
Unforunately I still have some tags thar are wrong:

Here some examples:
Module:atest_blah_blah ==> Module.atest_blah_blah
caOut:/Success ==> caOut./Success
DevProduct:apache ==> DevProduct.apache
Prot:TCP ==> Prot.TCP
dPort:42147 ==> dPort.42147

To-om added a commit that referenced this issue Jun 15, 2020
@To-om
#1376 Fix tag parsing (key:value)
92b1c98
To-om added a commit that referenced this issue Jul 22, 2020
@To-om
#1376 Update tag format
0a0ad3a
To-om added a commit that referenced this issue Jul 23, 2020
@To-om
#1376 Fix tests
4d87948
To-om added a commit that referenced this issue Jul 24, 2020
@To-om
#1376 Fix tests
574bc53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug TheHive4 TheHive4 related issues
Projects
None yet
Milestone
4.0.0
Development

No branches or pull requests
2 participants
@crackytsi @To-om