Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ BUG ] Successful RTR connections when they fail #187

Closed
kevin-cooper-1 opened this issue Jul 20, 2024 · 3 comments · Fixed by #205
Closed

[ BUG ] Successful RTR connections when they fail #187

kevin-cooper-1 opened this issue Jul 20, 2024 · 3 comments · Fixed by #205
Assignees
@ChristopherHammond13
Labels
bug 🐛 Something isn't working

Comments

@kevin-cooper-1
Copy link

Bug Report Template

Describe the bug

I believe there is an issue in lines 181-186 of batch_session.py. Currently, the code just appends all the hosts that return from the worker thread when attempting a RTR connection. However, in the logs provided below, RTR connections fail when the host isn't online. Since the connections succeed and connection details aren't return, it isn't possible to verify whether follow up commands are actually capable of being run.

To Reproduce

Attempt to initiate an RTR connection to an endpoint that the web UI claims is "offline"

from caracara import Client
import logging

logger = logging.getLogger(__name__)
logging.basicConfig(level=logging.DEBUG)

client = Client(
    client_id = os.getenv("FALCON_CLIENT_ID"),
    client_secret = os.getenv("FALCON_CLIENT_SECRET"),
)
filters = client.FalconFilter()
filters.create_new_filter("OS", "Mac")
device_ids = client.hosts.get_device_ids(filters=filters)
batch_session = client.rtr.batch_session()
batch_session.connect(device_ids=device_ids, queueing=False)
for device_id, device_result in batch_session.run_generic_command('COMMAND', timeout=10).items():
    ...
batch_session.disconnect()

Logs

INFO:caracara.modules.rtr.batch_session:Establishing an RTR batch session with 3 systems
DEBUG:caracara.modules.rtr.batch_session:['X', 'Y', 'Z']
INFO:caracara.modules.rtr.batch_session:Divided up devices into 1 batches
INFO:caracara.modules.rtr.batch_session:ThreadPoolExecutor-4_0 | Batch worker started with a list of 3 devices
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.us-2.crowdstrike.com:443
DEBUG:urllib3.connectionpool:https://api.us-2.crowdstrike.com:443 "POST /real-time-response/combined/batch-init-session/v1?timeout=30&timeout_duration=30s HTTP/11" 404 463
INFO:caracara.modules.rtr.batch_session:ThreadPoolExecutor-4_0 | Connected to 3 systems
DEBUG:caracara.modules.rtr.batch_session:ThreadPoolExecutor-4_0 | {'meta': {'query_time': 29.500542149, 'powered_by': 'empower-api', 'trace_id': 'A'}, 'batch_id': '', 'resources': {'Z': {'session_id': '', 'complete': False, 'stdout': '', 'stderr': '', 'aid': 'Z', 'errors': [{'code': 50401, 'message': 'Exceeded maximum connect timeout: 29.50s'}], 'query_time': 0, 'offline_queued': False}, 'Y': {'session_id': '', 'complete': False, 'stdout': '', 'stderr': '', 'aid': 'Y', 'errors': [{'code': 40401, 'message': 'Could not establish sensor comms'}], 'query_time': 0, 'offline_queued': False}, 'X': {'session_id': '', 'complete': False, 'stdout': '', 'stderr': '', 'aid': 'X', 'errors': [{'code': 40401, 'message': 'Could not establish sensor comms'}], 'query_time': 0, 'offline_queued': False}}, 'errors': [{'code': 404, 'message': 'no successful hosts initialized on RTR'}]}
INFO:caracara.modules.rtr.batch_session:Completed a batch of RTR connections
INFO:caracara.modules.rtr.batch_session:Connected to 3 devices
DEBUG:caracara.modules.rtr.batch_session:[<caracara.modules.rtr.batch_session.InnerRTRBatchSession object at 0x0000>]
DEBUG:caracara.modules.rtr.batch_session:RTR session  has 599s remaining
INFO:caracara.modules.rtr.batch_session:Executing a command via RTR: COMMAND

Expected behavior

The RTR api should indicate/return the endpoints that were successfully connected to. Currently it claims that all three completed successfully, so attempts to execute RTR scripts/commands fail without any visible reason (when debug logging isn't on).

Environment

Operating System Version

Windows 11
Version 23H2 (OS Build 22631.3880)

Python Version

Python 3.10.6

Poetry Version

N/A

Python Package Versions

caracara==0.7.0
caracara-filters==0.2.0
crowdstrike-falconpy==1.4.4
falcon-toolkit==3.4.2

Additional context
@kevin-cooper-1 kevin-cooper-1 added the bug 🐛 Something isn't working label Jul 20, 2024
@ChristopherHammond13 ChristopherHammond13 self-assigned this Aug 2, 2024
@ChristopherHammond13
Copy link
Member

Very interesting! We will look more into this when I am back from PTO.

Thank you so much for raising this bug report, and I really appreciate all the detail you have included to help us figure this one out!

@ChristopherHammond13
Copy link
Member

I may have a neat fix for this. Going to test it internally, then get a PR up and merged in if the fix succeeds. Thank you again for your detailed bug report!

@kevin-cooper-1
Copy link
Author

Thank you!

ChristopherHammond13 added a commit that referenced this issue Sep 11, 2024
@ChristopherHammond13
Resolves #187 and some other general RTR snags. Also bumps dependencies.
22a7c7c
Merged
6 tasks
ChristopherHammond13 added a commit that referenced this issue Oct 16, 2024
@ChristopherHammond13
Resolves #187 and some other general RTR snags. Also bumps dependencies.
cb037ee
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ChristopherHammond13 ChristopherHammond13

Labels
bug 🐛 Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

RTR Robustness Updates CrowdStrike/caracara
2 participants
@ChristopherHammond13 @kevin-cooper-1