Reputation: 1
SophosLabs Intelix API - Static File Analysis - always response BAD REQUEST
I try to use Static or Dynamic File Analysis APIs (https://api.labs.sophos.com/doc/analysis/file/static), but always get a response: BAD REQUEST
Here are my examples of request and exception:
$headers
Name Value
---- -----
Authorization <Auth token>
Content-Type multipart/form-data
$formData
Name Value
---- -----
file C:\Temp\mexnixzv.gsk\outlook.exe
name file
filename outlook.exe
report_format json
$uri
https://de.api.labs.sophos.com/analysis/file/static/v1/
Invoke-WebRequest -URI $uri -Method POST -Headers $headers -Form $formData -UseDefaultCredentials
$_.Exception
Response : StatusCode: 400, ReasonPhrase: 'BAD REQUEST', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Connection: keep-alive
Date: Wed, 25 Sep 2024 07:16:05 GMT
Access-Control-Allow-Headers: Authorization, X-Correlation-ID, *
Server: Sophos Intelix
Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Request-ID: db629807-65b5-4937-940e-0e62bd548320
X-Rate-Limit-Value: 30
X-Rate-Limit-Period: 60
X-Rate-Limit-Requests-Left: 29
X-Rate-Limit-End: 0.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
X-Cache: Error from cloudfront
Via: 1.1 cf058b286fa80390c08073fa68269f12.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: TXL50-P1
X-Amz-Cf-Id: 5vr6sgHb7DeHswIg9F9WAqwzhSesGbw8CvudJEqP7husRI2gKUKVIg==
Content-Type: application/json
Content-Length: 120
}
HttpRequestError : Unknown
StatusCode : BadRequest
TargetSite : Void ThrowTerminatingError(System.Management.Automation.ErrorRecord)
Message : Response status code does not indicate success: 400 (BAD REQUEST).
Data : {}
InnerException :
HelpLink :
Source : System.Management.Automation
HResult : -2146233088
StackTrace : at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
I have tried different file formats (excel, csv, jpg), different sizes (several MB and a few bytes) and different methods (PowerShell, curl, directly on the website https://api.labs.sophos.com/doc/analysis/file/static). The response is always the same: 400, BAD REQUEST What am I doing wrong or is something broken on the API side?
Upvotes: 0
Views: 49
Answers (2)
Reputation: 1
Thank you for your answer here. Unfortunately, that didn't solve my problem, but it pointed me in the right direction. For whatever reason, the data sent using your script has different sha256 values on both sides. But I found a good example in the Microsoft documentation: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4#example-5-submit-a-multipart-form-data-file
And here is the code that works for me:
param(
[Parameter(Mandatory=$true)]
[string]$filePath,
[Parameter(Mandatory=$true)]
[string]$sessionToken
)
$fieldName = 'file'
$contentType = 'application/octet-stream'
$headers = @{
Authorization = $sessionToken
"Content-Type" = "multipart/form-data"
}
$FileStream = [System.IO.FileStream]::new($filePath, [System.IO.FileMode]::Open)
$FileHeader = [System.Net.Http.Headers.ContentDispositionHeaderValue]::new('form-data')
$FileHeader.Name = $fieldName
$FileHeader.FileName = Split-Path -leaf $filePath
$FileContent = [System.Net.Http.StreamContent]::new($FileStream)
$FileContent.Headers.ContentDisposition = $FileHeader
$FileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse($contentType)
$MultipartContent = [System.Net.Http.MultipartFormDataContent]::new()
$MultipartContent.Add($FileContent)
try {
# send request
$response = Invoke-WebRequest -URI $uri -Method POST -Headers $headers -Body $MultipartContent
} catch {
$statusCode = [int]$_.Exception.Response.StatusCode
}
Upvotes: 0
Reputation: 11
I'm afraid your request is malformed. I would do the submission workflow like this:
param(
[Parameter(Position=0, Mandatory=$true)]
[string]$filePath,
[Parameter(Position=1, Mandatory=$true)]
[string]$clientId,
[Parameter(Position=2, Mandatory=$true)]
[string]$clientSecret,
[Parameter(Position=3)]
[string]$authEndPoint = 'https://api.labs.sophos.com/oauth2/token',
[Parameter(Position=4)]
[string]$submissionEndPoint = 'https://de.api.labs.sophos.com/analysis/file/static/v1/'
)
$ErrorActionPreference = 'Stop'
$resp = Invoke-RestMethod `
-Uri $authEndPoint `
-Method Post `
-Headers @{
'Content-Type'='application/x-www-form-urlencoded';
'Authorization'="Basic $([Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($clientId + ':' + $clientSecret)))"
} `
-Body 'grant_type=client_credentials'
$boundary = [Guid]::NewGuid().ToString()
$resp = Invoke-RestMethod `
-Uri $submissionEndPoint `
-Method Post `
-Headers @{
'Content-Type'="multipart/form-data; boundary=$boundary";
'Authorization'=$resp.access_token
} `
-Body @"
--$boundary
Content-Disposition: form-data; name="file"; filename="$([IO.Path]::GetFileName($filePath))"
Content-Type: application/octet-stream
$([IO.File]::ReadAllBytes($filePath))
--$boundary--
"@
Write-Host $resp
Upvotes: 1
Related Questions
- Sophos Intelix File Hash Lookup for unknown file hash always returns reputation score 30
- Interpreting sophos static file analysis score
- How long does Static / Dynamic analysis take in Intelix?
- Unable to submit for static analysis
- Uploading big samples for analysis giving unexpected response
- What do reputationScore values mean in SophosLabs File Malware Cloud Lookup API