
QRDI troubleshooting

Question asked by Matthew Verive on Feb 19, 2020
Latest reply on Mar 27, 2020 by keith Seymour

I'm working on a QRDI to pull the favicon from a detected web page (useful for identifying device types/manufacturers). The logic behind this QRDI is that it'll first look at the default web page (GET /) and see if there's a favicon meta tag. If one is found, then it would do a GET request for that image and return the raw contents of the favicon as the result. If no favicon meta tag is found, then it would do a GET request for /favicon.ico and return the results of that if one is found (after a check to make sure /favicon.ico doesn't result in an HTML page).

 

Here's the QRDI as written:

 

{
  "detection_type": "http dialog",
  "api_version": 1,
  "trigger_type": "service",
  "debug_level": 300,
  "title": "Favicon information",
  "dialog": [
    {
      "transaction": "http get",
      "object": "/",
      "label": "get_base_page"
    },
    {
      "transaction": "process",
      "mode": "regexp",
      "match": "(?i)rel=\".*icon\".* href=\"([^\"]*)\"",
      "extract": [
        { "var": "full_match" },
        { "var": "favicon_found" }
      ],
      "on_found": { "action": "goto", "label": "get_new_favicon" },
      "on_missing": { "action": "goto", "label": "get_ico_direct" },
      "label": "find_favicon"
    },
    {
      "transaction": "http get",
      "object": { "user": "favicon_found" },
      "http_status_map": [
        { "status": [400, 401, 402, 403, 404], "action": "stop" },
        {
          "status": [200, 201, 202, 203, 204, 205, 206],
          "action": { "action": "goto", "label": "end_output" }
        }
      ],
      "label": "get_new_favicon"
    },
    {
      "transaction": "http get",
      "object": "/favicon.ico",
      "http_status_map": [
        { "status": [400, 401, 402, 403, 404], "action": "stop" },
        {
          "status": [200, 201, 202, 203, 204, 205, 206],
          "action": { "action": "goto", "label": "html_check" }
        }
      ],
      "label": "get_ico_direct"
    },
    {
      "transaction": "process",
      "mode": "regexp",
      "match": "(?i)<html",
      "on_found": "stop",
      "on_missing": { "action": "goto", "label": "end_output_ico" },
      "label": "html_check"
    },
    {
      "transaction": "report",
      "result": {
        "concat": [
          { "user": "favicon_found" },
          "contains: ",
          { "system": "body" }
        ]
      },
      "label": "end_output"
    },
    {
      "transaction": "report",
      "result": {
        "concat": [
          "/favicon.ico contains: ",
          { "system": "body" }
        ]
      },
      "label": "end_output_ico"
    }
  ]
}

 

However, when run, I get an output of "/favicon.ico contains:" with nothing after it (IP doesn't show a favicon on the default page, but does have a real /favicon.ico). Any ideas on what might be going wrong?

The log seems to look okay (IP replaced for privacy reasons):

 

Start time: Wed 19 Feb 2020 08:16:26 AM GMT
+0:00:00 Executing custom detection 'Favicon information' for QID 410001
+0:00:00 Processing dialog item 1, transaction type 'http get'
+0:00:00 Timeout: 60 seconds
+0:00:00 Hostname: 'my.ip.address.here'
+0:00:00 Effective URL: 'https://my.ip.address.here:443/'
+0:00:00 Network status: OK
+0:00:00 HTTP status: 302
+0:00:00 Dialog item 1 finished with action 'continue'
+0:00:00 Processing dialog item 2, transaction type 'process'
+0:00:00 Regular expression did not match
+0:00:00 Dialog item 2 finished with action 'goto'
+0:00:00 Processing dialog item 4, transaction type 'http get'
+0:00:00 Timeout: 60 seconds
+0:00:00 Hostname: 'my.ip.address.here'
+0:00:00 Effective URL: 'https://my.ip.address.here:443/favicon.ico'
+0:00:00 Network status: OK
+0:00:00 HTTP status: 200
+0:00:00 Action from http_status_map: 'goto'
+0:00:00 Dialog item 4 finished with action 'goto'
+0:00:00 Processing dialog item 5, transaction type 'process'
+0:00:00 Regular expression did not match
+0:00:00 Dialog item 5 finished with action 'goto'
+0:00:00 Processing dialog item 7, transaction type 'report'
+0:00:00 Dialog item 7 finished with action 'stop'
+0:00:00 Custom detection returned success
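
An added example, not part of the original post and not QRDI syntax: the favicon lookup described above, written in Python so the logic can be tested offline. It finds the icon `<link>` tag regardless of attribute order, identifies the fetched body by magic bytes as well as the `<html` check, and reports a SHA-256 digest rather than raw binary; all function names and sample inputs are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Regex copied from the post, kept for comparison. With Python's re it finds
# nothing in PAGE below, because there href comes before rel.
POSTED_REGEX = r'(?i)rel=".*icon".* href="([^"]*)"'

class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel token ends in 'icon'."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        if a.get("href") and any(t.endswith("icon") for t in rel):
            self.hrefs.append(a["href"])

def find_favicon_href(html):
    """Return the first favicon href in the page, or None."""
    parser = IconLinkParser()
    parser.feed(html)
    return parser.hrefs[0] if parser.hrefs else None

# Leading bytes of common favicon formats.
MAGIC = [(b"\x00\x00\x01\x00", "ico"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"GIF8", "gif"), (b"\xff\xd8\xff", "jpeg")]

def classify_body(body):
    """Name the image type by magic bytes; flag HTML error pages."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "html" if re.search(rb"(?i)<html", body[:2048]) else "unknown"

def describe_favicon(path, body):
    """Text-safe report line (type, size, SHA-256), or None if not an image."""
    kind = classify_body(body)
    if kind in ("html", "unknown"):
        return None
    digest = hashlib.sha256(body).hexdigest()
    return f"{path} type={kind} bytes={len(body)} sha256={digest}"

# Constructed samples (not taken from the scanned host).
PAGE = '<head>\n<link href="/static/fav.png" rel="shortcut icon">\n</head>'
ICO = b"\x00\x00\x01\x00\x01\x00" + b"\x10\x10" + b"\x00" * 14
```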
