This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GoQR.me QR Code Reader misbehaving

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GoQR.me QR Code Reader misbehaving

mattem
L1 Bithead

‎03-25-2024 07:19 PM

I have an XSOAR 8.5 instance with a playbook which makes use of the GoQR.me QR Code Reader integration.

It had been working nicely in the playbook for months, but has begun to misbehave.

 

In the playbook, images are extracted from a phishing email and stored in XSOAR, and the IDs of the images are fed through

!goqr-read-qr-code-from-file entry_id= with either a single value (rarely) or in most cases an array of EntryIDs as "Entry_ID= [/"first_id",/"second_id"....]
 
This had been working for a few months, but starting late last week it began to return errors as follows, after 120 seconds:
Reason
Error from QR Code Reader - goqr.me is : Script failed to run: Error: [Traceback (most recent call last): File "<string>", line 76, in <module> File "<string>", line 63, in main File "<string>", line 21, in read_qr_code File "<string>", line 93, in getFilePath File "<string>", line 289, in __do ValueError: timeout while waiting for answer: request 968af3ca-046f-48c3-82df-4e3a10613969. Wait time:2m0s (1515) ] (2604) (2603)
 
If I run !goqr-read-qr-code-from-file with a single EntryID, I get a sensible response.
If I submit two IDs, I get the script error above.
 
Is anyone else having this issue, and can anyone shed any light on what's going wrong?

0 Likes Likes
3 REPLIES 3

mattem
L1 Bithead

‎04-02-2024 04:41 PM

I have an update on this.

After reconfiguring the integration to run on an engine, and setting up tcpdump to monitor all connections to the four publicly listed IP addresses of api.qrserver.com, I can see traffic between the engine and the API server if I submit a single Entry_ID

 

If I submit more than one Entry_ID, the engine server doesn't even try to connect to the API server.

 

So something in the Integration has broken such that it does not attempt to contact the API server in the event that more than one Entry_ID is supplied. But this worked perfectly earlier in the year.

0 Likes Likes

oromeromoya
L1 Bithead
In response to mattem

‎04-09-2024 02:30 PM

Hi @Mattern

Thanks for reaching out to us about this topic. Can you please answer the following questions?

- Have you recently applied an update/fix to your XSOAR environment?

- Which is the current version of XSOAR and GoQR.me QR Code Reader integration? (can you please refer us to the version/scenario where the integration ran as expected?)

- If you submit more than one Entry_ID and it stops working as expected, it is probable that the automation code will require some update to process other IDs again. As a workaround (if any update was installed for the integration), you should try rolling back to the version that was working previously.

 

mattem
L1 Bithead
In response to oromeromoya

‎05-09-2024 05:25 PM

Hi @oromeromoya,

Thanks for replying.

We have applied patches to the environment, but none that patched the goQR.me content pack.
While I can't see any indications in the error thrown by the script that forms part of the QR code integration that indicate we're running into a rate limiting problem, there does seem to be an issue with the number of items we're submitting to the goQR API.

 

Executing a QR code read for a dozen or so Entry_IDs generally works. I haven't established a magic number of Entry_IDs which causes the call to consistently fail with a large number of indicators.

In concert with Customer Success, we're looking to alter our playbook to reduce the number of items we submit in a single call, and we're also going to try out the XSOAR-native QR code reader to see if it better handles what we're trying to do.

 

I'll post back here once we've made some configuration and engineering changes to report progress.

0 Likes Likes
  • 710 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks