ninoseki / mihari

A query aggregator for OSINT based threat hunting

Home Page:https://ninoseki.github.io/mihari/

FOFA rule returns null

V0lundr opened this issue · comments

Hello, I'm testing a FOFA query and it always returns "null" even though the result on FOFA returns hits.

Here is the rule that I'm using:

---
id: 575fdb13-c04f-48d2-80a8-c1587e1456a8
title: FOFA test
description: FOFA test
tags:
- FOFATest
author: FOFATest
created_on: '2023-12-31'
queries:
- analyzer: fofa
  query: ip="137.74.131.20"
emitters:
- emitter: database
- emitter: slack
enrichers:
- enricher: whois
- enricher: mmdb
- enricher: shodan
- enricher: google_public_dns
data_types:
- hash
- ip
- domain
- url
- mail
falsepositives: []

Result:

mihari search -f 575fdb13-c04f-48d2-80a8-c1587e1456a8 -d
null

Any help is appreciated. Thanks :)

I guess you already have 137.74.131.20 under the same rule.
You can check it by mihari artifact list "rule.id:575fdb13-c04f-48d2-80a8-c1587e1456a8 AND data:137.74.131.20".
If the command outputs something, my hypothesis is right.
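The behaviour the maintainer's hypothesis rests on, as an added illustration and not mihari's own code: artifacts are stored per rule, an artifact already recorded under the same rule ID is not emitted again, and a run that yields nothing new produces no alert, which the CLI prints as null. The rule ID and IP are taken from the thread; the in-memory set standing in for the artifacts table and the function names (run_rule, list_artifacts, render) are assumptions made for the example.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """One analyzer hit, with the fields that appear in the search output."""
    data: str
    data_type: str
    source: str
    query: str


# Constructed stand-in for the artifacts table: (rule_id, data) pairs already stored.
# Assumption: the IP from the thread was recorded by an earlier run of the same rule.
KNOWN_ARTIFACTS = {
    ("575fdb13-c04f-48d2-80a8-c1587e1456a8", "137.74.131.20"),
}


def new_artifacts(rule_id, found, known):
    """Keep only hits not already stored under this rule ID (the per-rule dedup)."""
    return [a for a in found if (rule_id, a.data) not in known]


def run_rule(rule_id, found, known):
    """Emulate a search run: store the new hits and return an alert dict,
    or None when every hit was already known under this rule."""
    fresh = new_artifacts(rule_id, found, known)
    if not fresh:
        return None
    known.update((rule_id, a.data) for a in fresh)
    return {
        "ruleId": rule_id,
        "artifacts": [
            {"data": a.data, "dataType": a.data_type,
             "source": a.source, "query": a.query}
            for a in fresh
        ],
    }


def list_artifacts(rule_id, data, known):
    """Emulate `mihari artifact list "rule.id:<id> AND data:<value>"`:
    the stored data values matching both filters, sorted for stable output."""
    return sorted(d for (rid, d) in known if rid == rule_id and d == data)


def render(result):
    """JSON as the CLI would print it; a None result becomes the literal null."""
    return json.dumps(result, indent=2)


if __name__ == "__main__":
    rule = "575fdb13-c04f-48d2-80a8-c1587e1456a8"
    table = set(KNOWN_ARTIFACTS)
    hits = [Artifact("137.74.131.20", "ip", "fofa", 'ip="137.74.131.20"')]
    # Same IP, same rule: nothing new, so the run prints null.
    print(render(run_rule(rule, hits, table)))
    # The artifact list query explains why: the IP is already stored for this rule.
    print(list_artifacts(rule, "137.74.131.20", table))
    # The same hit under a different (hypothetical) rule ID is new and raises an alert.
    print(render(run_rule("00000000-0000-0000-0000-000000000000", hits, table)))
```

The dedup is keyed on the rule ID, not on the data alone, so the same IP under a fresh rule is emitted once and then suppressed on the next run of that rule; that is the check the artifact list command above performs against the real database.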

Thanks for your quick reply. Actually the rule was new, as I was testing FOFA queries for the first time. In any case, the command you suggested produced the following:

mihari artifact list "rule.id:575fdb13-c04f-48d2-80a8-c1587e1456a8 AND data:137.74.131.20"
{
  "total": 0,
  "currentPage": 1,
  "pageSize": 10,
  "results": [

  ]
}

I'm unable to reproduce the issue unfortunately.

$ mihari search 575fdb13-c04f-48d2-80a8-c1587e1456a8
{
  "id": 4,
  "ruleId": "575fdb13-c04f-48d2-80a8-c1587e1456a8",
  "createdAt": "2024-01-03 15:09:41 UTC",
  "artifacts": [
    {
      "id": 4,
      "data": "137.74.131.20",
      "dataType": "ip",
      "source": "fofa",
      "query": "ip=\"137.74.131.20\"",
      "metadata": null,
      "createdAt": "2024-01-03 15:09:41 UTC"
    }
  ],
  "tags": [
    {
      "id": 1,
      "name": "FOFATest"
    }
  ]
}

No worries. I redeployed the system from scratch and tested it. I get the same null value for FOFA.

When I use the same query for censys in the same rule, it works fine. So, there's definitely something wrong with FOFA on my side.

Here is the summary:
FOFA query: server=="web.go" && asn="44477" -> returns null + no results
Censys query: services:(services.http.response.headers.Server:web.go) and (autonomous_system.description="STARK-INDUSTRIES")

Overall rule:

id: 575fdb13-c04f-48d2-80a8-c1587e1456a8
title:  web.go
description: web.go
tags:
- web
author: web
created_on: '2023-12-31'
queries:
- analyzer: fofa
  query: server=="web.go" && asn="44477"
- analyzer: censys
  query: services:(services.http.response.headers.Server:web.go) and (autonomous_system.description="STARK-INDUSTRIES")
emitters:
- emitter: database
- emitter: slack
- emitter: misp
enrichers:
- enricher: whois
- enricher: mmdb
- enricher: shodan
- enricher: google_public_dns
data_types:
- hash
- ip
- domain
- url
- mail
falsepositives: []

If you've exhausted all ideas regarding what the issue might be, please feel free to close the issue. And thanks a lot.