vt_check on bro 2.5 not working #12

Open

akefallonitis opened this issue Mar 29, 2017 · 6 comments

Comments

akefallonitis commented Mar 29, 2017

I get this error:

1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 79: no such index (VTCHECK::temp[2])
1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 74: no such index (VTCHECK::temp[2])
1490780707.065084 error in /opt/bro/share/bro/bro-extra/vt_check.bro, line 91: value used but not set (VTCHECK::positives)

After a while the error stops. I get requests to VirusTotal but no results, even with file hashes that I manually check and that are reported.

@akefallonitis (Author)

Update: curl is running and returns JSON, but still the same error.

@binups

binups commented Apr 5, 2017

In Bro 2.5 I am getting the error below while running vt_check.bro:

1491343971.786777 error in ./vt_check.bro, line 93: value used but not set (VTCHECK::positives)

@akefallonitis (Author)

```bro
# Excerpt of the response-parsing section of vt_check.bro with print
# statements added for troubleshooting (the closing braces of the
# enclosing blocks are restored here so the excerpt is complete).
if ( result?$files && bodyfile in result$files )
    {
    # Raw response body returned by the curl request to VirusTotal
    local body = fmt("%s", result$files[bodyfile]);
    local context = "";
    local subcon = "-";
    if ( |body| > 0 )
        {
        local positives: string;
        local total: string;
        # The body is split on commas and each piece inspected by regex
        local elements = split_string(body, /,/);
        local results: vector of string;
        local virustotal_url = fmt(match_sub_url, f$info$sha256);
        for ( e in elements )
            {
            print e;    # troubleshooting: show each comma-separated piece
            local temp: string_vec;
            if ( /"positives":/ in elements[e] )
                {
                temp = split_string(elements[e], /:/);
                # length argument comes from temp[3]; split_string on ':'
                # yields only as many elements as separators plus one
                positives = sub_bytes(temp[1], 1, |temp[3]|);
                print positives;
                }
            else if ( /"total":/ in elements[e] )
                {
                temp = split_string(elements[e], /:/);
                total = sub_bytes(temp[1], 1, |temp[3]|);
                print total;
                }
            else if ( /"result":/ in elements[e] )
                {
                # Skip vendors whose "result" is null
                if ( ! ( / null/ in elements[e] ) )
                    {
                    temp = split_string(elements[e], /"/);
                    print temp[3];
                    results[|results|] = temp[3];
                    }
                }
            }
        }
    }
```
Change this part and check what is printed.

@RealLinkers

The fix doesn't seem to be working: it can't find the function match_sub_url in match_sub_url, and after removing that it gives an error on line 98 about regex parsing.

@sooshie (Owner)

sooshie commented Jan 2, 2018

I'll try and take a look at it. I haven't been doing much Bro stuff lately. If you get it figured out before I do I'll happily take a PR.


jbaggs commented Apr 10, 2018

@RealLinkers: I believe it is not so much a fix as a suggestion to use a print statement for troubleshooting.

As far as the issue goes, it appears it is because VT is returning json in the case of not finding results. The hash is in the "resource" field of the json, so the conditionals at lines 55 and 60 both fall through.

The json from VT also contains a "response_code" field (0 if not found, and 1 if found), so changing line 60 to `if ( |body| > 0 && /\"response_code\": 1/ in body)` will make sure there is a result to work with.

That said, I noticed the tracking of hashes that have previously been checked, and I'm not sure the behavior is what is expected. The script only raises notices the first time a hash is seen, and only if it is in VT at the time it is first spotted. The hash is also added before any of the other code executes, so failure anywhere else in the code will leave the hash unchecked.
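The two points in the comment above (gate on `response_code` before reading `positives`/`total`, and only record a hash as checked once the lookup actually succeeded) as an added Python example. This is not the project's Bro script and not code from any participant in this thread; it parses the body as JSON instead of splitting on commas and colons. The sample bodies are constructed, and the `scans` object with per-vendor `result` entries is an assumption about the response layout beyond the `response_code`, `positives`, `total` and `resource` fields named in the thread.

```python
import json
from typing import Dict, NamedTuple, Optional, Set, Tuple

# Constructed sample bodies (not captured from VirusTotal).
FOUND_BODY = json.dumps({
    "response_code": 1,
    "resource": "a" * 64,
    "positives": 5,
    "total": 60,
    # Assumed layout: vendor -> {"detected": bool, "result": str | null}
    "scans": {
        "VendorA": {"detected": True, "result": "Trojan.Generic"},
        "VendorB": {"detected": False, "result": None},
        "VendorC": {"detected": True, "result": "Win32.Agent"},
    },
})
NOT_FOUND_BODY = json.dumps({
    "response_code": 0,
    "resource": "b" * 64,
    "verbose_msg": "The requested resource is not among the finished scans",
})


class Verdict(NamedTuple):
    positives: int
    total: int
    results: Tuple[str, ...]  # non-null vendor result strings


def parse_vt_body(body: str) -> Optional[Verdict]:
    """Return a Verdict when the body describes a known resource, else None.

    A not-found reply (response_code 0) carries no "positives"/"total",
    which is what leaves those variables unset in the string-splitting
    approach; checking response_code first avoids touching them at all.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None  # malformed/empty body: nothing usable
    if not isinstance(data, dict) or data.get("response_code") != 1:
        return None
    try:
        positives = int(data["positives"])
        total = int(data["total"])
    except (KeyError, TypeError, ValueError):
        return None
    scans: Dict[str, dict] = data.get("scans", {}) or {}
    results = tuple(
        str(entry["result"])
        for entry in scans.values()
        if isinstance(entry, dict) and entry.get("result") is not None
    )
    return Verdict(positives, total, results)


class VtCheckTracker:
    """Track hashes that have been successfully looked up.

    The hash is added to `checked` only after a verdict was parsed, so a
    missing VT entry or a parse failure leaves it eligible for a later
    retry instead of silently marking it as done.
    """

    def __init__(self) -> None:
        self.checked: Set[str] = set()

    def check(self, sha256: str, body: str) -> Optional[Verdict]:
        if sha256 in self.checked:
            return None  # already reported once; do not re-notify
        verdict = parse_vt_body(body)
        if verdict is None:
            return None  # not found / unusable: leave hash unchecked
        self.checked.add(sha256)
        return verdict


if __name__ == "__main__":
    tracker = VtCheckTracker()
    print(tracker.check("a" * 64, FOUND_BODY))
    print(tracker.check("b" * 64, NOT_FOUND_BODY), sorted(tracker.checked))
```

Feeding the not-found body through `parse_vt_body` returns `None` rather than raising, and the tracker leaves that hash out of `checked`, so a later sighting of the same file can be looked up again once VT has a report for it.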
