Description
Describe the bug
The MISP_2_1 analyzer (using the ghcr.io/thehive-project/misp:2 Docker image, which internally uses Python 3.13.3 and PyMISP 2.5.10) consistently fails when run.
The job report in the Cortex UI shows "input": null and a FutureWarning related to pymisp usage:
/usr/local/lib/python3.13/site-packages/pymisp/__init__.py:67: FutureWarning: This class is deprecated, use PyMISP instead...
The backend Cortex logs (docker logs final_cortex.local_1) indicate that "[warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file."
This occurs even when correctly selecting the Data Type (e.g., "ip") and providing valid input (e.g., "8.8.8.8") in the UI.
The Docker host machine running the Cortex container is also using Python 3.13.x.
To Reproduce
Steps to reproduce the behavior:
- Ensure Cortex and its dependencies (including the
ghcr.io/thehive-project/misp:2analyzer image) are running in a Docker environment. - Navigate to the "Analyzers" page in the Cortex UI.
- Select the
MISP_2_1analyzer. - Click the "Run analysis" button (play icon).
- In the "Run analysis" dialog:
a. Set TLP (e.g., AMBER).
b. Set PAP (e.g., AMBER).
c. Select Data Type:ip.
d. Enter Data:8.8.8.8. - Click "Start".
- Observe the job in "Jobs History" shows "Failure".
- View the job report, which shows
"input": nulland theFutureWarning.
Expected behavior
The MISP_2_1 analyzer should:
- Successfully receive the input observable (e.g.,
8.8.8.8). - Query the configured MISP instance.
- Generate an output report file.
- Show a "Success" status in the Cortex "Jobs History" with a meaningful report (e.g., "No results found" or details of MISP events if the IP is present).
Complementary information
- UI Job Report Screenshot (showing
input: nullandFutureWarning): [Link to your screenshot if you can upload it somewhere, or describe it as previously provided] You can describe: "As seen in previous screenshots, the job report JSON contains\"input\": nulland theFutureWarning..." - Relevant Docker logs from
final_cortex.local_1:[info] o.t.c.s.JobSrv - Looking for similar job in the last 10 minutes (worker=a9f0dc192a18876bb0abe99677334132, dataType=ip, data=Left(8.8.8.8), tlp=2, parameters={}) ... [info] o.t.c.s.DockerJobRunnerSrv - Execute container f8e0f858533fcf96dd64d375b4ae28e80ace0bd3882cf2f542b0eaae43ac7c73 timeout: 30 minutes image : ghcr.io/thehive-project/misp:2 volume : /tmp/cortex-jobs/cortex-job-s9c37JYBBAXVpzhgnmTo-11309280436449689568:/job ... [warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file. [info] o.t.c.s.JobSrv - Job s9c37JYBBAXVpzhgnmTo has finished with status Failure - Python and PyMISP versions inside
ghcr.io/thehive-project/misp:2Docker image: (If you managed to get these, add them here. E.g., "Python version inside image: 3.x.x", "PyMISP version inside image: y.y.y") This is very valuable if you can get it.
Work environment
- Client OS: [Your OS, e.g., Ubuntu 22.04, Windows 10, macOS Sonoma]
- Server OS: [OS running Docker, e.g., Ubuntu 22.04 - likely same as your client for
soc-Veriton-S2690G-D22E2] - Browser type and version: [Your Browser, e.g., Chrome 120.0.x.x, Firefox 119.x]
- Cortex version:
3.1.8-1(from UI screenshot) - Cortex Analyzer/Responder name:
MISP - Cortex Analyzer/Responder version:
2.1(from UI list of analyzers) - Additional Environment Details:
- Cortex Docker Image:
thehiveproject/cortex:latest(Container namefinal_cortex.local_1) - MISP Analyzer Docker Image:
ghcr.io/thehive-project/misp:2 - Python version on the Docker host machine: [Be specific, e.g., Python 3.13.0, 3.13.1]
- Cortex Docker Image:
- Python and PyMISP versions inside
ghcr.io/thehive-project/misp:2Docker image:- Python version inside image:
3.13.3 - PyMISP version inside image:
2.5.10
- Python version inside image: