yelp / osxcollector_output_filters Goto Github PK

I am getting the below error while trying to run on a mac. All steps prior have been completed, only received an error while trying to run the app. Please assist. Thank you.

Zachs-iMac:bundle zachary$ env PORT=3000 PATH_TO_SCRIPTS=/Users/zachary/Desktop/OSXSTRATA/osxstrata-master/scripts MONGO_CONNECT=mongodb://localhost:3001/ ROOT_URL=http://localhost MONGO_URL=mongodb://localhost:3001/meteor node main.js
[+]STARTING UP

/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/node_modules/fibers/future.js:278
throw(ex);
^
MongoError: driver is incompatible with this server version
at Object.Future.wait (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/node_modules/fibers/future.js:398:15)
at [object Object].MongoConnection._ensureIndex (packages/mongo/mongo_driver.js:790:1)
at [object Object].Mongo.Collection._ensureIndex (packages/mongo/collection.js:635:1)
at server/startup.js:29:1
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/boot.js:249:5
- - - - -
at Object.toError (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/utils.js:114:11)
at __executeInsertCommand (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:1926:27)
at Db._executeInsertCommand (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:2028:5)
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:1348:12
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:1442:20
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:1196:16
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/db.js:1905:9
at Server.Base._callHandler (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/connection/base.js:453:41)
at /Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/connection/server.js:488:18
at [object Object].MongoReply.parseBody (/Users/zachary/Desktop/OSXSTRATA/bundle/programs/server/npm/npm-mongo/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)

Adding u before every string with .format() method should fix the problem.

They should be formatted as list elements, using <li> HTML tag.

If we could utilize Alexa's free API for querying domain rankings as an output filter, we can better identify domains worth of further investigation due to being globally rare. This would be utilized by invoking the soon-to-be created Alexa API module in Yelp's threat-intel package as its own output filter.

I'm a developer interested in security and ran osxcollector on my machine. I don't have access to the OpenDNS API. I got in touch with OpenDNS sales and asked about getting a demo, but never heard back from them. Not surprised because there's no opportunity for them to make a sale.

Any suggestions?

Migrated from Yelp/osxcollector#84

Looking up all of the URLs in the OSXCollector output might cause some sensitive data to be send to VirusTotal.

Let's follow what we are doing with the domains in LookupDomainsFilter and not look up the reports for the whitelisted stuff.

I have discovered that in one of the checks for no_virustotal and no_opendns flags in the Analyze Filter they are used for the wrong if statements: no_virustotal flag is used in the if condition where no_opendns flag should be and vice versa.

SummaryFilter takes an argument called summary_output_file which is expected to be a filename. However, there should be an option to pass an already opened output stream. In this case calling open should be optional and determined by the type of summary_output_file parameter.

Migrated from Yelp/osxcollector#85

Currently find_domains filter tries to extract domain names from any value.

adblock_custom contains a lot of domains (not to mention that they are stored in just one big string) that are on the AdBlock's blacklist. It does not make sense to extract any domain names from this field as it could contain a lot of malware websites that user actually not visited.

This field is in osxcollector_section chrome and osxcollector_subsection local_storage. osxcollector_table_name is ItemTable

I have tried to analyze specificMalware and grepped for {{installmac}}.
It was found in that item and when I looked at how many domains were extracted from this single value (which apparently is the whole local storage of Chrome web browser) it was big:

$ cat foo.json | grep installmac | jq '.osxcollector_domains' | wc -l
     990

find_domains.py crashes with ValueError: Invalid IPv6 URL:

File "osxcollector/output_filters/base_filters/output_filter.py", line 140, in run_filter_main
    _run_filter(output_filter, input_stream=fp_in)
  File "osxcollector/output_filters/base_filters/output_filter.py", line 109, in _run_filter
    blob = output_filter.filter_line(blob)
  File "osxcollector/output_filters/base_filters/chain.py", line 48, in filter_line
    return self._on_filter_line(blob, self._head_of_chain)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/find_domains.py", line 33, in filter_line
    self._look_for_domains(blob)
  File "osxcollector/output_filters/find_domains.py", line 63, in _look_for_domains
    self._look_for_domains(elem, key)
  File "osxcollector/output_filters/find_domains.py", line 56, in _look_for_domains
    domain = self._url_to_domain(maybe_url)
  File "osxcollector/output_filters/find_domains.py", line 79, in _url_to_domain
    split_url = urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 214, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

@megancarney identified that this is caused by a URL similar to "https://example.com/#/discover?_g=()&_a=(columns:!(_source),index:%5Blogstash-%5DYYYY.MM,interval:auto,query:(query_string:(analyze_wildcard:!t,query:'*')),sort:!('@timestamp',desc)), basically sort of URLs that Kibana dashboard produces.

The problem has to do with this recent change, whereby python assumes that source distribution README files are either in the format README or README.txt. In OSXCollector Output Filter's case, the name is README.md hence the error. The fix is to specify a custom MANIFEST.in file for what files to include besides the defaults (i.e. all Python source files and C modules). An alternative is also to just rename README.md (as well as LICENSE.md since that is not being included either) with the .txt extension.

Migrated from Yelp/osxcollector#54

Hi all, I acknowledge I'm newbie to this tool ... greatly appreciate, if someone can help w/ these errors I'm seeing

(venv_osxcollector) MAC:osxcollector_output_filters root# python -m osxcollector.output_filters.analyze -i osxcollect.json

Exception ignored in: <function ApiCache.del at 0x10c5b0378>
Traceback (most recent call last):
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/api_cache.py", line 31, in del
self.close()
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/api_cache.py", line 39, in close
self._write_cache_to_file()
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/api_cache.py", line 45, in _write_cache_to_file
fp.write(simplejson.dumps(self._cache))
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/simplejson/init.py", line 380, in dumps
return _default_encoder.encode(obj)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/simplejson/encoder.py", line 291, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/simplejson/encoder.py", line 373, in iterencode
return _iterencode(o, 0)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/simplejson/encoder.py", line 268, in default
raise TypeError(repr(o) + " is not JSON serializable")
TypeError: <Response [200]> is not JSON serializable
WARNING:root:Expected response in JSON format from https://www.virustotal.com/vtapi/v2/file/report?resource=053227691fb6878beddedc926b96050158a12e27267306b41937df3f6ea014a555ce214c1dc8a2e9c0191981e072ceaf089df868%2C0ad78fddac5cbe9c179fb37b0ef66a9d3b534b142c91beea42be23d5af66b002%2C0aed73a822a58249a2371b6db07d28098412166ec7082b5b21f595a99c2b715d&apikey=162e05666zzz869e06a6c70f193a0661e7afe589c9c925 but the actual response text is:
WARNING:root:Expected response in JSON format from https://www.virustotal.com/vtapi/v2/file/report?resource=fde662ff8a320e078cd73c7f27a4c1aefe54e85782fd89e9a980bc42472f863e76bc1158ec40fedc3fb6061efead2c%2Cff78892d8c6bb179f85233a80d95fde5b970534285c6d1becb10267b18413d33&apikey=162e05666zzz869e06a6c70f193a0661e7afe589c9c925 but the actual response text is:
WARNING:root:Request to https://investigate.api.opendns.com/recommendations/name/amazonaws.com.json caused a 403 response status code.
[ERROR] InvalidRequestError Access forbidden
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 454, in wrapper
result = fn(*args, **kwargs)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/opendns.py", line 149, in _multi_get
responses = self._requests.multi_get(urls, query_params)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 217, in multi_get
data=None, to_json=to_json,
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 436, in _multi_request
responses = self._wait_for_response(prepared_requests)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 341, in _wait_for_response
self._availability_limiter.map_with_retries(requests, responses_for_requests)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 140, in map_with_retries
raise InvalidRequestError('Access forbidden')
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
"main", mod_spec)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/analyze.py", line 221, in
main()
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/analyze.py", line 217, in main
run_filter_main(AnalyzeFilter)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/output_filter.py", line 154, in run_filter_main
_run_filter(output_filter, input_stream=fp_in, output_stream=fp_out)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/output_filter.py", line 120, in _run_filter
final_blobs = output_filter.end_of_lines()
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/chain.py", line 72, in end_of_lines
return self._on_end_of_lines(self._head_of_chain)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/chain.py", line 91, in _on_end_of_lines
final_lines = self._on_end_of_lines(link._next_link)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/chain.py", line 91, in _on_end_of_lines
final_lines = self._on_end_of_lines(link._next_link)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/chain.py", line 91, in _on_end_of_lines
final_lines = self._on_end_of_lines(link._next_link)
[Previous line repeated 4 more times]
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/base_filters/chain.py", line 86, in _on_end_of_lines
for blob in link.end_of_lines():
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/opendns/related_domains.py", line 107, in end_of_lines
domains_to_related = self._perform_lookup_for_all_domains(self._domains_to_lookup, self._ips_to_lookup)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/opendns/related_domains.py", line 169, in _perform_lookup_for_all_domains
related_domains = self._perform_lookup_for_single_domain(domain_or_ip, is_domain, self._generation_count)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/opendns/related_domains.py", line 198, in _perform_lookup_for_single_domain
generation_results = self._find_related_domains(generation_results, None)
File "/Users/user.1/Downloads/osxcollector_output_filters/osxcollector/output_filters/opendns/related_domains.py", line 218, in _find_related_domains
cooccurrence_info = self._investigate.cooccurrences(domains)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/opendns.py", line 227, in cooccurrences
return self._multi_get(api_name, fmt_url_path, domains)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 464, in wrapper
raise e
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 454, in wrapper
result = fn(*args, **kwargs)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/opendns.py", line 149, in _multi_get
responses = self._requests.multi_get(urls, query_params)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 217, in multi_get
data=None, to_json=to_json,
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 436, in _multi_request
responses = self._wait_for_response(prepared_requests)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 341, in _wait_for_response
self._availability_limiter.map_with_retries(requests, responses_for_requests)
File "/Users/user.1/Downloads/osxcollector_output_filters/venv_osxcollector/lib/python3.7/site-packages/threat_intel/util/http.py", line 140, in map_with_retries
raise InvalidRequestError('Access forbidden')
threat_intel.exceptions.InvalidRequestError: Access forbidden

Following the instructions in Packaging Python Projects documentation let's add the long_description field to setup.py that will link the GitHub README.

running py 3.7

Any help on missing alexa module ? Thanks!

When None is returned as a result of a call to the Threat Intel Investigate API security domain information endpoint (InvestigateAPI.security) for a particular domain, the LookupDomainsFilter will fail when processing IoCs, becaue it expects there a dictionary.

A simple fix is to check for None in LookupDomainsFilter._is_security_info_suspicious method.

_VeryReadableOutputFilter.filter_line() returns None which means that the AnalyzeFilter cannot arbitrarily write to another output stream the results of the analysis using output_stream parameter in OutputFilter._run_filter() method.
Instead of returning None the method should simply return the blob it was invoked with.

After running the filter for checking hashes against VT, I am getting the following error:

WARNING:urllib3.connectionpool:Connection pool is full, discarding connection: www.virustotal.com
WARNING:root:Expected response in JSON format from https://www.virustotal.com/vtapi/v2/file/report?apikey=5c3a90ef42aa6.............

Thanks.

TOC at the the top of the analysis summary in HTML format should also include how many entries are in each section.

Also, sections should use ordered list (<ol>) HTML tag rather than unordered list (<ul>).

After pushing cd9e4c1 it seems that running the Analyze Filter with the default parameters first writes the Very Readable Output and then the OSXCollector output augmented with the results analysis (which is also written to analysis_<OSXCOLLECTOR_OUTPUT_FILENAME>.out) to the standard output.

The augmented output should not be written by default to the standard output.

This maybe solved by passing the output file name or opened output stream.

Migrated from Yelp/osxcollector#118

Currently there is a black list for file hashes and domains and a whitelist for domains, but not for file hashes.
The whitelist for the file hashes should ignore things like the legitimate OS X binaries and plists, e.g. listed here.

Currently OSXCollector summarizes analysis results by threat intel sections. It would be useful to also have the option of displaying summary data listed not by these threat indicator sections individually, but by the IoCs themselves (i.e. with each also having a list of threat intel that identified them as worthy of further investigation).

Migrated from Yelp/osxcollector#83

As the resource parameter in {{url/report}} VirusTotal method is send over HTTP GET it encodes the parameters in a URL query.

This could cause for some of the requests an erroneous situation where the resource parameter could not fit into the URL.

There is a debug output in {{osxcollector/output_filters/util/http.py}} that prints the URL for each request.
For the failed requests the URL seems to not contain any query parameters:

[ERROR] url[https://www.virustotal.com/vtapi/v2/url/report] status_code[<UNKNOWN>]
https://www.virustotal.com/vtapi/v2/url/report
[ERROR] url[https://www.virustotal.com/vtapi/v2/url/report] status_code[<UNKNOWN>]
https://www.virustotal.com/vtapi/v2/url/report
[ERROR] url[https://www.virustotal.com/vtapi/v2/url/report] status_code[<UNKNOWN>]
https://www.virustotal.com/vtapi/v2/url/report

So it rather looks like some limitation in the Requests package than some shortcoming of VirusTotal API.

Follow up from #42.

Domains on the domain blacklist that include special unicode characters, e.g. Bücher.tld, are causing UnicodeDecodeError:

/osxcollector_output_filters/osxcollector/output_filters/util/blacklist.pyc in _convert_to_matching_term(self, blacklisted_value)
     93                 logging.warning(
     94                     u'Blacklisted value "{0}" cannot be resolved as a domain name'
---> 95                     .format(blacklisted_value))
     96                 return None
     97

UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 1: ordinal not in range(128)

I'm getting an error running the basic osxcollector_output_filers:

Traceback (most recent call last):
  File "/usr/local/Cellar/python3/3.6.2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/local/Cellar/python3/3.6.2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/Users/scott/osxcollector_output_filters/osxcollector/output_filters/analyze.py", line 33, in <module>
    from osxcollector.output_filters.find_domains import FindDomainsFilter
  File "/Users/scott/osxcollector_output_filters/osxcollector/output_filters/find_domains.py", line 8, in <module>
    from urllib import unquote_plus
ImportError: cannot import name 'unquote_plus'

I don't really have time to track it down, but thought it should at least be captured.

Here is an example how to do it from the PaaSTA GitHub repo.

Migrated from Yelp/osxcollector#97

I have got the ValueError: Invalid IPv6 URL when running the analyze filter for a certain file path:

$ cat ../INCIDENT-28-2015_07_27-10_56_02.json | python -m osxcollector.output_filters.analyze -f '/Users/jdoe/Downloads/some_malware_file'
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/Users/jsendor/Documents/osxcollector/osxcollector/output_filters/analyze.py", line 453, in <module>
    main()
  File "/Users/jsendor/Documents/osxcollector/osxcollector/output_filters/analyze.py", line 449, in main
    run_filter_main(AnalyzeFilter)
  File "osxcollector/output_filters/base_filters/output_filter.py", line 142, in run_filter_main
    _run_filter(output_filter)
  File "osxcollector/output_filters/base_filters/output_filter.py", line 109, in _run_filter
    blob = output_filter.filter_line(blob)
  File "osxcollector/output_filters/base_filters/chain.py", line 48, in filter_line
    return self._on_filter_line(blob, self._head_of_chain)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/base_filters/chain.py", line 61, in _on_filter_line
    return self._on_filter_line(link.filter_line(blob), link._next_link)
  File "osxcollector/output_filters/find_domains.py", line 33, in filter_line
    self._look_for_domains(blob)
  File "osxcollector/output_filters/find_domains.py", line 63, in _look_for_domains
    self._look_for_domains(elem, key)
  File "osxcollector/output_filters/find_domains.py", line 56, in _look_for_domains
    domain = self._url_to_domain(maybe_url)
  File "osxcollector/output_filters/find_domains.py", line 79, in _url_to_domain
    split_url = urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 213, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

I am quite sure the problem is with some URL in the OSXCollector output file.

It seems that the error is caused by a URL with trailing ] character, as in:

https://example.com]

Such error should just ignore a faulty line and log a warning message, rather than crash the filter.

Very Readable Output is a summary of all the findings from the run of the Analyze Filter.

There should be an option to have the summary in an HTML format as well, which could be later enhanced with clickable links to VirusTotal and OpenDNS Investigate results, etc.

It seems after fixing #28 a new UTF error is being raised:

File "/usr/local/lib/python2.7/dist-packages/osxcollector/output_filters/summary_filters/html.py", line 332, in _print_val
self._write(u'<span class=\"val\">{0}</span>'.format(val))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 5: ordinal not in range(128)

I've been trying without success to run the AnalyzeAll filter against a JSON formatted output file generated with osxcollector.py despite being able to run make test and getting "congratulations for both 27 and 36" . I get an error saying that /tmp/domain_whitelist.txt doesn't exist. If I manually create that file, and run python -m osxcollector.output_filters.find_domains -i macbook.json | \ jq 'select(has("osxcollector_domains"))' i get " ImportError: No module named six"

if i run "python3 -m osxcollector.output_filters.find_domains -i macbook.json | \ jq 'select(has("osxcollector_domains"))' i get " ImportError: No module named six"

then i get

"Exception ignored in: <_io.TextIOWrapper name='' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe"

python version 2.7.16
python3 version 3.6.7