FOFA rule returns null
V0lundr opened this issue
Hello, I'm testing a FOFA query and it always returns "null" even though the result on FOFA returns hits.
Here is the rule that I'm using:
---
id: 575fdb13-c04f-48d2-80a8-c1587e1456a8
title: FOFA test
description: FOFA test
tags:
- FOFATest
author: FOFATest
created_on: '2023-12-31'
queries:
- analyzer: fofa
  query: ip="137.74.131.20"
emitters:
- emitter: database
- emitter: slack
enrichers:
- enricher: whois
- enricher: mmdb
- enricher: shodan
- enricher: google_public_dns
data_types:
- hash
- ip
- domain
- url
- mail
falsepositives: []
Result:
mihari search -f 575fdb13-c04f-48d2-80a8-c1587e1456a8 -d
null
Any help is appreciated. Thanks :)
I guess you already have 137.74.131.20 under the same rule.
You can check it by mihari artifact list "rule.id:575fdb13-c04f-48d2-80a8-c1587e1456a8 AND data:137.74.131.20".
If the command outputs something, my hypothesis is right.
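As an added example (not part of this thread and not mihari's own code), here is a small Ruby model of the behaviour the reply above describes: an artifact that is already stored under the same rule is not reported again, so a search whose every hit is already known prints null. The in-memory artifact store, the analyzer hit and the function names (artifact_list, search, diagnose) are constructed for illustration; only the rule id and IP come from the thread. The diagnose helper separates the two reasons a run can print null, which is the distinction the artifact list check is meant to make.

```ruby
require "json"

RULE_ID = "575fdb13-c04f-48d2-80a8-c1587e1456a8"

# One row of the (hypothetical) artifacts table.
Artifact = Struct.new(:rule_id, :data, :data_type, :source, keyword_init: true)

# Constructed stand-in for a database that already holds the artifact
# from the thread under the same rule.
def seeded_db
  [Artifact.new(rule_id: RULE_ID, data: "137.74.131.20", data_type: "ip", source: "fofa")]
end

# Model of `mihari artifact list "rule.id:<id> AND data:<value>"`:
# returns the same shape the CLI printed in the thread (total + results).
def artifact_list(db, rule_id:, data:)
  hits = db.select { |a| a.rule_id == rule_id && a.data == data }
  { "total" => hits.size, "results" => hits.map(&:to_h) }
end

# Model of one search run: analyzer hits minus artifacts already stored
# under the same rule. Returns nil (the CLI's "null") when nothing new remains.
def search(db, rule_id, analyzer_hits)
  known = db.select { |a| a.rule_id == rule_id }.map(&:data)
  fresh = analyzer_hits.reject { |a| known.include?(a.data) }
  return nil if fresh.empty?
  { "ruleId" => rule_id, "artifacts" => fresh.map(&:to_h) }
end

# Tells the two causes of "null" apart: the analyzer found nothing at all,
# or it found only artifacts that were already stored under this rule.
def diagnose(db, rule_id, analyzer_hits)
  return :analyzer_returned_nothing if analyzer_hits.empty?
  known = db.select { |a| a.rule_id == rule_id }.map(&:data)
  return :all_hits_already_known if analyzer_hits.all? { |a| known.include?(a.data) }
  :new_artifacts
end

if __FILE__ == $PROGRAM_NAME
  hit = Artifact.new(rule_id: RULE_ID, data: "137.74.131.20", data_type: "ip", source: "fofa")
  puts JSON.pretty_generate(search([], RULE_ID, [hit]))   # first run: one new artifact
  puts search(seeded_db, RULE_ID, [hit]).inspect          # second run: nil, printed as null by the CLI
  puts diagnose(seeded_db, RULE_ID, [hit])                # all_hits_already_known
  puts diagnose([], RULE_ID, [])                          # analyzer_returned_nothing
end
```

Run it as a script: the first search returns an alert with one artifact, the second (against the seeded store) returns nil. When artifact_list reports a total of 0 while the search still prints null, the model reports analyzer_returned_nothing rather than all_hits_already_known, which is the situation the reporter ends up in later in the thread.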
Thanks for your quick reply. Actually the rule was new, as I was testing FOFA queries for the first time. In any case, the command you suggested produced the following:
mihari artifact list "rule.id:575fdb13-c04f-48d2-80a8-c1587e1456a8 AND data:137.74.131.20"
{
"total": 0,
"currentPage": 1,
"pageSize": 10,
"results": [
]
}
I'm unable to reproduce the issue unfortunately.
$ mihari search 575fdb13-c04f-48d2-80a8-c1587e1456a8
{
"id": 4,
"ruleId": "575fdb13-c04f-48d2-80a8-c1587e1456a8",
"createdAt": "2024-01-03 15:09:41 UTC",
"artifacts": [
{
"id": 4,
"data": "137.74.131.20",
"dataType": "ip",
"source": "fofa",
"query": "ip=\"137.74.131.20\"",
"metadata": null,
"createdAt": "2024-01-03 15:09:41 UTC"
}
],
"tags": [
{
"id": 1,
"name": "FOFATest"
}
]
}
No worries. I redeployed the system from scratch and tested it. I get the same null value for FOFA.
When I use the same query for censys in the same rule, it works fine. So, there's definitely something wrong with FOFA on my side.
Here is the summary:
FOFA query: server=="web.go" && asn="44477" -> returns null + no results
Censys query: services:(services.http.response.headers.Server:web.go) and (autonomous_system.description="STARK-INDUSTRIES")
Overall rule:
id: 575fdb13-c04f-48d2-80a8-c1587e1456a8
title: web.go
description: web.go
tags:
- web
author: web
created_on: '2023-12-31'
queries:
- analyzer: fofa
  query: server=="web.go" && asn="44477"
- analyzer: censys
  query: services:(services.http.response.headers.Server:web.go) and (autonomous_system.description="STARK-INDUSTRIES")
emitters:
- emitter: database
- emitter: slack
- emitter: misp
enrichers:
- enricher: whois
- enricher: mmdb
- enricher: shodan
- enricher: google_public_dns
data_types:
- hash
- ip
- domain
- url
- mail
falsepositives: []
If you've exhausted all ideas regarding what the issue might be, please feel free to close the issue. And thanks a lot.