GoQR.me QR Code Reader misbehaving

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GoQR.me QR Code Reader misbehaving

L1 Bithead

I have an XSOAR 8.5 instance with a playbook which makes use of the GoQR.me QR Code Reader integration.

It had been working nicely in the playbook for months, but has begun to misbehave.

 

In the playbook, images are extracted from a phishing email and stored in XSOAR, and the IDs of the images are fed through

 
Reason
Error from QR Code Reader - goqr.me is : Script failed to run: Error: [Traceback (most recent call last): File "<string>", line 76, in <module> File "<string>", line 63, in main File "<string>", line 21, in read_qr_code File "<string>", line 93, in getFilePath File "<string>", line 289, in __do ValueError: timeout while waiting for answer: request 968af3ca-046f-48c3-82df-4e3a10613969. Wait time:2m0s (1515) ] (2604) (2603)
 
If I run ! with a single EntryID, I get a sensible response.
If I submit two IDs, I get the script error above.
 
Is anyone else having this issue, and can anyone shed any light on what's going wrong?

4 REPLIES 4

L1 Bithead

I have an update on this.

After reconfiguring the integration to run on an engine, and setting up tcpdump to monitor all connections to the four publicly listed IP addresses of api.qrserver.com, I can see traffic between the engine and the API server if I submit a single Entry_ID

 

If I submit more than one Entry_ID, the engine server doesn't even try to connect to the API server.

 

So something in the Integration has broken such that it does not attempt to contact the API server in the event that more than one Entry_ID is supplied. But this worked perfectly earlier in the year.

Hi @Mattern

Thanks for reaching out to us about this topic. Can you please answer the following questions?

- Have you recently applied an update/fix to your XSOAR environment?

- Which is the current version of XSOAR and GoQR.me QR Code Reader integration? (can you please refer us to the version/scenario where the integration ran as expected?)

- If you submit more than one Entry_ID and it stops working as expected, it is probable that the automation code will require some update to process other IDs again. As a workaround (if any update was installed for the integration), you should try rolling back to the version that was working previously.

 

Hi @oromeromoya,

Thanks for replying.

We have applied patches to the environment, but none that patched the goQR.me content pack.
While I can't see any indications in the error thrown by the script that forms part of the QR code integration that indicate we're running into a rate limiting problem, there does seem to be an issue with the number of items we're submitting to the goQR API.

 

Executing a QR code read for a dozen or so Entry_IDs generally works. I haven't established a magic number of Entry_IDs which causes the call to consistently fail with a large number of indicators.

In concert with Customer Success, we're looking to alter our playbook to reduce the number of items we submit in a single call, and we're also going to try out the XSOAR-native QR code reader to see if it better handles what we're trying to do.

 

I'll post back here once we've made some configuration and engineering changes to report progress.

L1 Bithead

Working with Customer Success and an XSOAR Engineer we've made a large number of changes to the over-elaborate Phishing playbook which has reduced the number of assets we have to pass to the goQR.me integration. We also opted to start using CV for QR code reading, with the rationale being that we couldn't control access to or performance of an external API, but we can sure use a lot of CPU time in docker containers running CV to do scanning within XSOAR. CPU time costs us nothing, and as yet our platform's not busy enough to need to offload the processing to an external provider.

 

  • 1640 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!