[Question] ThePhish Several Questions #22

Open
asterictnl-lvdw opened this issue Jul 22, 2022 · 6 comments
Labels
question Further information is requested

Comments

@asterictnl-lvdw

I have some questions about ThePhish:

  • Will ThePhish have their modules updated?
  • Will ThePhish be made compatible with Docker on Windows?
  • Can you pretty please make a video tutorial on how to install and configure ThePhish for a test environment and do a test email?

Thanks in advance.

@asterictnl-lvdw asterictnl-lvdw added the question Further information is requested label Jul 22, 2022
@emalderson
Owner

Hi, let me answer your questions:

  • Yes, probably after the APIs for TheHive 5 are released (I'll just maintain it to fix bugs for now)
  • ThePhish is just a Python web application, the compatibility issue is related to TheHive, Cortex and MISP
  • I don't think there is any necessity for a video tutorial, it's all described step-by-step in the README

@asterictnl-lvdw
Author

Thank you for the answer.

  • I have read that the old API works with TheHive 5 if I must believe the StrangeBee article.
  • Does the Python web app work on Windows itself as well? Then it is just installing some Python libraries, and changing some code in the Docker Compose YAML. I have tested TheHive, Cortex and MISP standalone and they seem to work on Windows (at least the latest version does).
  • I will test it out with a very minimal amount of changes to see if the latest versions of Cortex, MISP, TheHive and such could be implemented. I have found some sources with a docker-compose.yml that could be implemented. Aside from that, I might have to change some things in the app.conf files as well due to the migration of some modules and such.

@asterictnl-lvdw
Author

Update (28-07-2022): ThePhish4Win seems to work as all the containers did start up after some tiny changes in the docker-compose.yml file. I will check if I can get the latest versions of TheHive5, Cortex and MISP to work as well.

@asterictnl-lvdw
Author

asterictnl-lvdw commented Jul 28, 2022

Update 28-07-2022:14:45 - I have managed to update all the packages (excluding redis and mysql for now, as they were not required to be updated). I stumbled upon the following error at Cortex. Cortex does open and no errors are displayed:

    [error] o.e.s.a.MultiAuthSrv - Authentication failure
    cortex | org.elastic4play.AuthenticationError: Authentication using API key is not supported
    cortex |     at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:48)
    cortex |     at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:47)
    cortex |     at org.thp.cortex.services.LocalAuthSrv.authenticate(LocalAuthSrv.scala:15)
    cortex |     at org.elastic4play.services.auth.MultiAuthSrv.$anonfun$authenticate$3(MultiAuthSrv.scala:58)
    cortex |     at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:43)
    cortex |     at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:41)
    cortex |     at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
    cortex |     at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
    cortex |     at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
    cortex |     at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:63)

@emalderson maybe you know the solution. It seems like an API-related error. I haven't changed anything in the .conf files.

Thanks in advance.

Update: It seems to exist as well in the V1 of ThePhish (with your current version modules)

@asterictnl-lvdw
Author

asterictnl-lvdw commented Jul 28, 2022

Update 28-07-2022:14:50 -

The following modules have been updated:

  • Cassandra to v4 (latest v4)
  • TheHive4 to TheHive5.0.10-1 (latest version) using a different docker container (still the official one)
  • Elasticsearch to 7.17.5 from docker.elastic.co (latest v7)
  • TheHive: Cortex to 3.1.6-1 (latest)
  • MISP to core-v2.4.159a (latest)

In the application.conf of TheHive I changed the following:

  • the old janusgraph db structure to:

        # JanusGraph
        db.janusgraph {
          storage {
            backend = cql
            hostname = ["cassandra"]
            //# Cassandra authentication (if configured)
            //# username = "thehive"
            //# password = "password"
            cql {
              cluster-name = thp
              keyspace = thehive
              read-consistency-level = ONE
              write-consistency-level = ONE
            }
          }
          index.search {
            backend = elasticsearch
            hostname = ["elasticsearch"]
            index-name = thehive
          }
        }

  • changed the localfs.location to /opt/data
  • changed the play.enabled to scalligraph.modules

The rest I did not update (yet).

Pages seem to open on Docker for Windows, so that is good; I need to test the actual procedure of setting up ThePhish later.

@asterictnl-lvdw
Author

I will test the Windows version out later; if anything is not working I will report it back. I did not have the time to test it yet. If it all works then I will commit it first to my own repo and then, if you would like, I could do a PReq. so you can review it.

~LvdW

Additional question:
I also saw TheHive4py now works with TheHive5, so there will be no more problems with that. Could you confirm that?
