basic_detection_callback_example.py doesn't return any event #17

Open
marineriva opened this issue Feb 12, 2020 · 7 comments

@marineriva

Hello,
I'm writing again because I would like to use the /sample/basic/basic_detection_callback_example.py script and receive all detection events (from /mcafee/event/tie/file/detection).
My goal is to catch every event and its hash and send to another reputation server, if reputation is unknown.
But I can't catch any event.
I'm using TIE 3.0.0.480 and DXL 6.0.0.197.
Client Certificates are working (I can set reputation or send messages over DXL) and I think restrictions over DXL Topic Authorization are good.

Has anyone already had the same issue? Do you know what I can do?

Thank you for your help

@hbazan
Contributor

hbazan commented Feb 12, 2020

Detection events depend on the client (ENS+ATP/VSE+TIEm) sending metadata after blocking/cleaning a file. Do you have an endpoint? Which products+versions do you have?
Also, if you want to test events you can subscribe to /mcafee/event/tie/file/repchange/broadcast and you will be able to catch reputation changes. This is the event TIE Server generates when any reputation changes, and it is bound to be received by clients to update their local cache and reevaluate the info.

@marineriva
Author

image
You will find on the screenshot the products and versions used by my endpoint (I use this one for my tests, but there are other endpoints).
OK, I will test this topic, thanks.

@marineriva
Author

Hi,
I tried the /mcafee/event/tie/file/repchange/broadcast subscription and it's working well.

@marineriva
Author

I made the update to 10.7.1 and it still doesn't work.

@hbazan
Contributor

hbazan commented Feb 18, 2020

Hi @marineriva
This event depends on the endpoint reporting the detection to the server, and it is now working. This is an endpoint issue.
You can work around the problem by listening to repchange and then checking if any of the trust levels changed to 1, 15 or 30, meaning it became malicious.
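
The workaround described in the comment above, as an added example that is not part of the original thread or the project's own code: a filter that takes one reputation-change event and reports each provider whose trust level changed to 1, 15 or 30. The dictionary layout (`hashes`, `oldReputations` and `newReputations` keyed by provider ID, each entry carrying `trustLevel`) and the sample event are assumptions constructed for illustration.

```python
# Added example: flag repchange events where a trust level changed to a
# malicious value. Assumption: the event is a dict shaped like the
# constructed SAMPLE_EVENT below; adapt the key names to the payload your
# repchange callback actually receives.

MALICIOUS_LEVELS = {1, 15, 30}  # the values named in the thread


def _levels(reputations):
    """Map provider ID -> integer trust level for one side of the event."""
    out = {}
    for provider_id, rep in (reputations or {}).items():
        level = rep.get("trustLevel") if isinstance(rep, dict) else None
        if isinstance(level, int):
            out[provider_id] = level
    return out


def became_malicious(event):
    """Return (provider_id, old_level, new_level) for every provider whose
    trust level changed to one of MALICIOUS_LEVELS in this event.
    old_level is None when the provider had no previous entry."""
    old = _levels(event.get("oldReputations"))
    new = _levels(event.get("newReputations"))
    hits = []
    for provider_id, new_level in new.items():
        old_level = old.get(provider_id)
        # Skip entries that are repeated unchanged in the event.
        if new_level in MALICIOUS_LEVELS and new_level != old_level:
            hits.append((provider_id, old_level, new_level))
    return hits


# Constructed sample event (not captured from a real fabric).
SAMPLE_EVENT = {
    "hashes": {"md5": "<constructed-md5-placeholder>"},
    "oldReputations": {1: {"trustLevel": 50}, 3: {"trustLevel": 70}},
    "newReputations": {1: {"trustLevel": 50}, 3: {"trustLevel": 15}},
}

if __name__ == "__main__":
    for provider_id, old_level, new_level in became_malicious(SAMPLE_EVENT):
        print("provider %s: %s -> %s for %s"
              % (provider_id, old_level, new_level, SAMPLE_EVENT["hashes"]))
```
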

@marineriva
Author

Hi @hbazan
I also tried the repchange topic and everything works, except the detection. I wonder if it could be an authorization issue? Because repchange is in the same topic group.
In fact, I can listen and send payloads on every topic, even specified topics, like firstinstance or whatever, but the only topic which never displays anything is /mcafee/event/tie/file/detection. Could it be blocked somehow?

I've installed the ENS 10.7 February update, everything is working well, ATP is sending events to TIE.

@hbazan
Contributor

hbazan commented Apr 6, 2020

Hi @marineriva, if I'm not mistaken, your company filed an SR on this. There is a problem with ENS/ATP not sending required information for the detection event.
