Cortex 3.0.0 to 3.0.1 Upgrade

By Adrian | January 25, 2020

Cortex 3.0.1, the better logging edition, has now been released. I am quite surprised that the developers were able to get a point upgrade out while they are working on the new major release of TheHive, but I welcome it, as it brings a number of fixes and enhancements which you can read about on the TheHive Project blog.

Some of the bug fixes will make my life easier, as some logging issues have been corrected, which will make testing and developing responders for Cortex less painful.

But the purpose of this blog post is to cover a Cortex 3.0.0 to 3.0.1 upgrade for non-Docker installs. It follows the way I have configured my environment, as documented on my blog, so some steps may differ for you (such as the location of your application.conf file).

Backup

The first step in any upgrade is to get your backups sorted. Create a snapshot of your VM and get a backup copy of your Elasticsearch data.

Once you are SSH'd into your Cortex server, you can obtain a list of your indices with the command below. You will need to know your index name for the backup. In my case, I still have my old cortex_2 index as well as the current cortex_4 index.

This upgrade of Cortex does not create a new index.

curl 'localhost:9200/_cat/indices?v'


health status index    uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   cortex_2 PLcBK-wOTgSjXw6RMGy5XQ   5   1         41            3    410.3kb        410.3kb
yellow open   cortex_4 CQOcr5UdSAexbrRCvEU4ng   5   1       2161            1     29.3mb         29.3mb

Given I already have a previous backup in /opt/backup, I'll delete the files there before I start.

To register a snapshot use this command.

curl -XPUT 'http://localhost:9200/_snapshot/cortex_backup_jan_2020' -d '{
    "type": "fs",
    "settings": {
        "location": "/opt/backup",
        "compress": true
    }
}'

# Output (if successful)
{"acknowledged":true}

And now create a backup by using this command (it uses cortex_4, the index identified earlier; substitute your own index name):

curl -XPUT 'http://localhost:9200/_snapshot/cortex_backup_jan_2020/snapshot_1?wait_for_completion=true&pretty' -d '{
  "indices": "cortex_4"
}'

# Output
{
  "snapshot" : {
    "snapshot" : "snapshot_1",
    "uuid" : "nHigahsTQwuC5rXcO1_1oQ",
    "version_id" : 5061699,
    "version" : "5.6.16",
    "indices" : [
      "cortex_4"
    ],
    "state" : "SUCCESS",
    "start_time" : "2020-01-22T09:35:21.597Z",
    "start_time_in_millis" : 1579685721597,
    "end_time" : "2020-01-22T09:35:23.499Z",
    "end_time_in_millis" : 1579685723499,
    "duration_in_millis" : 1902,
    "failures" : [ ],
    "shards" : {
      "total" : 5,
      "failed" : 0,
      "successful" : 5
    }
  }
}
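To make the backup step something an upgrade script can depend on, here is an added example (my own, not from the post) that wraps the two curl calls above in functions and checks the replies instead of eyeballing them: the repository PUT must be acknowledged, and the snapshot must come back as SUCCESS with zero failed shards, otherwise the script exits non-zero. The repository name, snapshot name, index and backup path default to the values used in this post; the `-H 'Content-Type: application/json'` header is not in the commands above (Elasticsearch 5.6 does not require it) but is needed from Elasticsearch 6 onwards. Field extraction uses sed so that jq is not needed on the server.

```shell
#!/bin/sh
# Added example, not from the original post: register the snapshot repository,
# take the snapshot, and refuse to go on unless Elasticsearch reports the
# snapshot as SUCCESS with zero failed shards. ES_URL, REPO, SNAPSHOT, INDEX and
# BACKUP_DIR default to the values used in the post; override them as needed.
ES_URL="${ES_URL:-http://localhost:9200}"
REPO="${REPO:-cortex_backup_jan_2020}"
SNAPSHOT="${SNAPSHOT:-snapshot_1}"
INDEX="${INDEX:-cortex_4}"
BACKUP_DIR="${BACKUP_DIR:-/opt/backup}"

# Pull one scalar field ("key" : value, quoted or bare) out of a JSON reply.
# Enough for the flat snapshot responses shown above, and it avoids needing jq.
json_field() {
    # $1 = JSON text, $2 = field name
    printf '%s' "$1" | tr '\n' ' ' \
        | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",{}[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# Succeed only when the snapshot reply says SUCCESS and no shard failed.
snapshot_ok() {
    state=$(json_field "$1" state)
    failed=$(json_field "$1" failed)
    [ "$state" = "SUCCESS" ] && [ "$failed" = "0" ]
}

# Succeed only when the repository PUT was acknowledged.
repo_registered() {
    [ "$(json_field "$1" acknowledged)" = "true" ]
}

register_repo() {
    curl -s -XPUT "$ES_URL/_snapshot/$REPO" -H 'Content-Type: application/json' -d "{
        \"type\": \"fs\",
        \"settings\": { \"location\": \"$BACKUP_DIR\", \"compress\": true }
    }"
}

take_snapshot() {
    curl -s -XPUT "$ES_URL/_snapshot/$REPO/$SNAPSHOT?wait_for_completion=true&pretty" \
        -H 'Content-Type: application/json' -d "{ \"indices\": \"$INDEX\" }"
}

# The whole backup step: fail loudly (non-zero exit) if either reply is not
# healthy, so a calling upgrade script never proceeds on a bad backup.
backup_cortex() {
    reply=$(register_repo)
    if ! repo_registered "$reply"; then
        echo "repository registration failed: $reply" >&2
        return 1
    fi
    reply=$(take_snapshot)
    if ! snapshot_ok "$reply"; then
        echo "snapshot is not SUCCESS with 0 failed shards, do not upgrade: $reply" >&2
        return 1
    fi
    echo "snapshot $SNAPSHOT of $INDEX in $REPO completed: SUCCESS, 0 failed shards"
}

# Constructed sample reply in the shape of the snapshot output above, so the
# checks can be exercised without an Elasticsearch node.
SAMPLE_REPLY='{ "snapshot" : { "snapshot" : "snapshot_1", "indices" : [ "cortex_4" ],
  "state" : "SUCCESS", "failures" : [ ], "shards" : { "total" : 5, "failed" : 0, "successful" : 5 } } }'

# Only talk to Elasticsearch when asked (RUN_BACKUP=1); otherwise just run the
# health check over the sample reply.
if [ "${RUN_BACKUP:-0}" = "1" ]; then
    backup_cortex || exit 1
elif snapshot_ok "$SAMPLE_REPLY"; then
    echo "sample reply passes the health check"
fi
```

Run it as `RUN_BACKUP=1 sh backup.sh` on the Cortex host; an exit status other than zero means the snapshot is not one you should upgrade on top of.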

Upgrade Cortex to 3.0.1 via the binaries

Stop cortex service

service cortex stop

Import the PGP key for TheHive Project if you don't already have it (optional, but do it).

sudo wget https://raw.githubusercontent.com/TheHive-Project/cortex/master/PGP-PUBLIC-KEY
gpg --import PGP-PUBLIC-KEY

# Output
gpg: /home/thehive/.gnupg/trustdb.gpg: trustdb created
gpg: key 3D99BB18562CBC1C: public key "TheHive Project (TheHive release key) <support@thehive-project.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Download and Verify Cortex 3.0.1

cd /opt

sudo wget http://dl.bintray.com/thehive-project/binary/cortex-3.0.1-1.zip
sudo wget http://dl.bintray.com/thehive-project/binary/cortex-3.0.1-1.zip.asc

# Verify the signature file against the download to ensure integrity, cause supply chain, that's why
gpg --verify cortex-3.0.1-1.zip.asc cortex-3.0.1-1.zip

# Output
gpg: Signature made Mon 20 Jan 2020 04:05:50 PM UTC
gpg:                using RSA key 3D99BB18562CBC1C
gpg: Good signature from "TheHive Project (TheHive release key) <support@thehive-project.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0CD5 AC59 DE5C 5A8E 0EE1  3849 3D99 BB18 562C BC1C

Extract Cortex files

sudo unzip cortex-3.0.1-1.zip

Now remove the symbolic link cortex and point it at the new cortex-3.0.1-1 directory. Ensure that your cortex user owns the folder.

sudo rm cortex
sudo ln -s cortex-3.0.1-1 cortex

Copy over your existing config file

sudo cp /opt/cortex-3.0.0-1/conf/application.conf /opt/cortex/conf/

Fix ownership

sudo chown -R cortex:cortex /opt/cortex
sudo chown -R cortex:cortex /opt/cortex-3.0.1-1

Restart the Cortex service

sudo service cortex start
sudo service cortex status
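The gpg output above says "Good signature" but also warns that the key is not certified, and a Good signature line on its own only proves the archive was signed by some key you happen to have imported. As an added example (my own, not from the post or from TheHive Project), the script below runs the upgrade steps end to end but gates the unzip on gpg's machine-readable status output reporting a VALIDSIG from the fingerprint printed above, and it stops on any failed step with the old version still in place. Version strings, paths and the Bintray URL are the ones used in this post; the application.conf.dist copy is my addition so that the settings shipped with 3.0.1 are kept for comparison instead of being silently overwritten.

```shell
#!/bin/sh
# Added example, not from the original post: the same binary upgrade as above,
# but the signature check passes only if gpg's machine-readable status reports a
# VALIDSIG from the pinned release key fingerprint (the one printed in the post),
# and any failed step aborts before the running version is replaced.
# Version strings, paths and the download URL are the post's; EXPECTED_FPR is
# the fingerprint the post shows, without spaces.
set -e

NEW_VER="${NEW_VER:-3.0.1-1}"
OLD_VER="${OLD_VER:-3.0.0-1}"
INSTALL_ROOT="${INSTALL_ROOT:-/opt}"
RELEASE_URL="${RELEASE_URL:-http://dl.bintray.com/thehive-project/binary}"
EXPECTED_FPR="0CD5AC59DE5C5A8E0EE138493D99BB18562CBC1C"

# $1 = gpg --status-fd output. VALIDSIG lines carry the signing key fingerprint
# in field 3 and the primary key fingerprint as the last field; accept either.
# "Good signature" alone is not enough: any imported key produces that line.
sig_from_pinned_key() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = archive, $2 = detached signature. --status-fd 1 sends status lines to stdout.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    sig_from_pinned_key "$status"
}

upgrade_cortex() {
    cd "$INSTALL_ROOT"
    sudo service cortex stop
    sudo wget -q "$RELEASE_URL/cortex-$NEW_VER.zip" "$RELEASE_URL/cortex-$NEW_VER.zip.asc"
    if ! verify_release "cortex-$NEW_VER.zip" "cortex-$NEW_VER.zip.asc"; then
        echo "cortex-$NEW_VER.zip is not signed by the pinned release key; aborting" >&2
        sudo rm -f "cortex-$NEW_VER.zip" "cortex-$NEW_VER.zip.asc"
        sudo service cortex start      # leave the old version running
        return 1
    fi
    sudo unzip -q "cortex-$NEW_VER.zip"
    # Keep the config shipped with the new release next to the copied one, so
    # any new settings can be diffed in later instead of being lost.
    sudo cp "cortex-$NEW_VER/conf/application.conf" "cortex-$NEW_VER/conf/application.conf.dist"
    sudo cp "cortex-$OLD_VER/conf/application.conf" "cortex-$NEW_VER/conf/application.conf"
    sudo rm -f cortex
    sudo ln -s "cortex-$NEW_VER" cortex
    sudo chown -R cortex:cortex "cortex-$NEW_VER"
    sudo service cortex start
    sudo service cortex status
}

# Constructed gpg status output (not captured from gpg) shaped like a good
# signature from the release key, to exercise the check without gpg or network.
SAMPLE_STATUS='[GNUPG:] GOODSIG 3D99BB18562CBC1C TheHive Project (TheHive release key) <support@thehive-project.org>
[GNUPG:] VALIDSIG 0CD5AC59DE5C5A8E0EE138493D99BB18562CBC1C 2020-01-20 1579536350 0 4 0 1 8 00 0CD5AC59DE5C5A8E0EE138493D99BB18562CBC1C'

# Only perform the upgrade when asked (RUN_UPGRADE=1); otherwise just show the
# fingerprint check over the constructed sample.
if [ "${RUN_UPGRADE:-0}" = "1" ]; then
    upgrade_cortex
elif sig_from_pinned_key "$SAMPLE_STATUS"; then
    echo "sample status output is from the pinned key"
fi
```

Run it as `RUN_UPGRADE=1 sh upgrade.sh` after the backup has passed. Pinning on the fingerprint means a future key rotation by the project will make the script refuse to install until you deliberately update EXPECTED_FPR, which is the behaviour you want from a supply-chain check.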

Confirm the upgrade

You can confirm the upgrade was successful by logging into either TheHive or Cortex and selecting your profile icon in the top right and selecting “About”.

[Image: cortex-3.0.1]

Now run an analyser against an observable and check the response in both TheHive and Cortex.

I did run into an issue post upgrade where TheHive wasn't able to run any analyzer at all. I would simply see the error "Sorry there are currently no analyzers for the selected observable type(s)".

[Image: no-analyzers]

I was able to work around this issue by renewing the API key in TheHive for the cortex user, making the appropriate key change in the application.conf file and restarting TheHive service.

I tested this out a number of ways, including standing up a new clean instance with Cortex 3.0.0 and upgrading, which had the same result, and then creating a new instance which went straight to Cortex 3.0.1, where I didn't experience that same issue.

Overall, no major issues with this update.