Closed packet-rat closed 6 months ago
Hi @packet-rat -
Does this happen consistently?
I'm attempting to recreate this, but my long running test hasn't run into it yet. (Fired it off last night hoping it was bad data that I needed to check for, but this is just a guess based upon where the failure occurred.)
I'll run it again...
Weird:
2023-02-27 16:18:41,743] CRITICAL config authentication Invalid API credentials provided
python3 misp_import.py --fullmonty -d -v -p -nb
[2023-02-27 16:18:41,738] INFO misp_tools MISP Import for CrowdStrike Threat Intelligence v0.6.8
[2023-02-27 16:18:41,738] INFO config CHECK CONFIG
[2023-02-27 16:18:41,739] DEBUG config client_id value redacted, check config file
[2023-02-27 16:18:41,739] DEBUG config client_secret value redacted, check config file
[2023-02-27 16:18:41,739] DEBUG config crowdstrike_url US1
[2023-02-27 16:18:41,740] DEBUG config api_request_max 5000
[2023-02-27 16:18:41,740] DEBUG config api_enable_ssl True
[2023-02-27 16:18:41,740] DEBUG config reports_timestamp_filename lastReportsUpdate.dat
[2023-02-27 16:18:41,740] DEBUG config indicators_timestamp_filename lastIndicatorsUpdate.dat
[2023-02-27 16:18:41,740] DEBUG config actors_timestamp_filename lastActorsUpdate.dat
[2023-02-27 16:18:41,740] DEBUG config init_reports_days_before 365
[2023-02-27 16:18:41,740] DEBUG config init_indicators_minutes_before 20220
[2023-02-27 16:18:41,740] DEBUG config init_actors_days_before 365
[2023-02-27 16:18:41,740] DEBUG config reports_unique_tag CrowdStrike: REPORT
[2023-02-27 16:18:41,740] DEBUG config indicators_unique_tag CrowdStrike: INDICATOR
[2023-02-27 16:18:41,740] DEBUG config actors_unique_tag CrowdStrike: ADVERSARY
[2023-02-27 16:18:41,740] DEBUG config reports_tags att:source="Crowdstrike.Report"
[2023-02-27 16:18:41,740] DEBUG config indicators_tags att:source="Crowdstrike.Indicators"
[2023-02-27 16:18:41,740] DEBUG config actors_tags att:source="Crowdstrike.Actors"
[2023-02-27 16:18:41,740] DEBUG config unknown_mapping CrowdStrike:indicator:galaxy: UNATTRIBUTED
[2023-02-27 16:18:41,740] DEBUG config unattributed_title Unattributed indicators:
[2023-02-27 16:18:41,740] DEBUG config indicator_type_title Indicator Type:
[2023-02-27 16:18:41,740] DEBUG config malware_family_title Malware Family:
[2023-02-27 16:18:41,740] DEBUG config log_duplicates_as_sightings True
[2023-02-27 16:18:41,740] DEBUG config misp_url https://3samisp
[2023-02-27 16:18:41,740] DEBUG config misp_auth_key value redacted, check config file
[2023-02-27 16:18:41,740] DEBUG config crowdstrike_org_uuid ca4f4b5d-db04-4a5e-a6de-e60636dc01be
[2023-02-27 16:18:41,740] DEBUG config misp_enable_ssl False
[2023-02-27 16:18:41,740] WARNING config misp_enable_ssl SSL is disabled for MISP API requests
[2023-02-27 16:18:41,740] DEBUG config ind_attribute_batch_size 2500
[2023-02-27 16:18:41,740] DEBUG config event_save_memory_refresh_interval 180
[2023-02-27 16:18:41,740] DEBUG config max_threads 16
[2023-02-27 16:18:41,740] DEBUG config miss_track_file no_galaxy_mapping.log
[2023-02-27 16:18:41,740] DEBUG config galaxies_map_file galaxy.ini
[2023-02-27 16:18:41,740] DEBUG config tag_unknown_galaxy_maps True
[2023-02-27 16:18:41,740] DEBUG config taxonomic_kill-chain True
[2023-02-27 16:18:41,741] DEBUG config taxonomic_information-security-data-source True
[2023-02-27 16:18:41,741] DEBUG config taxonomic_type True
[2023-02-27 16:18:41,741] DEBUG config taxonomic_iep False
[2023-02-27 16:18:41,741] DEBUG config taxonomic_iep2 True
[2023-02-27 16:18:41,741] DEBUG config taxonomic_iep2_version False
[2023-02-27 16:18:41,741] DEBUG config taxonomic_tlp True
[2023-02-27 16:18:41,741] DEBUG config taxonomic_workflow True
[2023-02-27 16:18:41,743] CRITICAL config authentication Invalid API credentials provided
[2023-02-27 16:18:41,743] INFO config 1 configuration error found (1 warning)
[2023-02-27 16:18:41,743] INFO misp_tools FINISHED Invalid configuration specified, unable to continue.
Patrick Maroney Principal - Cybersecurity Chief Security Office AT&T Services, Inc. 200 S Laurel Ave, Middletown, NJ 07748
It looks like it can't see your configuration file.
The lab server cannot reach your API. A better connectivity test to discriminate between connection vs. credentialing could prevent wild-goose chases.
Note that the original issue remains (presumably since we can't retest until our lab access is fixed).
OverflowError: string longer than 2147483647 bytes
Deleted .dat files:
Ran just indicators:
python3 misp_import.py -d -p -v -i
(venv) [rx118r@md2nj01di:~/src/crowdstrike/MISP-tools-main]$ python3 misp_import.py -d -p -v -r
[2023-03-06 16:07:18,048] DEBUG config client_id value redacted, check config file
[2023-03-06 16:07:18,048] DEBUG config client_secret value redacted, check config file
[2023-03-06 16:07:18,048] DEBUG config crowdstrike_url US1
[2023-03-06 16:07:18,048] DEBUG config api_request_max 5000
[2023-03-06 16:07:18,048] DEBUG config api_enable_ssl True
[2023-03-06 16:07:18,048] DEBUG config reports_timestamp_filename lastReportsUpdate.dat
[2023-03-06 16:07:18,048] DEBUG config indicators_timestamp_filename lastIndicatorsUpdate.dat
[2023-03-06 16:07:18,048] DEBUG config actors_timestamp_filename lastActorsUpdate.dat
[2023-03-06 16:07:18,048] DEBUG config init_reports_days_before 365
[2023-03-06 16:07:18,048] DEBUG config init_indicators_minutes_before 20220
[2023-03-06 16:07:18,048] DEBUG config init_actors_days_before 365
[2023-03-06 16:07:18,048] DEBUG config reports_unique_tag CrowdStrike: REPORT
[2023-03-06 16:07:18,048] DEBUG config indicators_unique_tag CrowdStrike: INDICATOR
[2023-03-06 16:07:18,048] DEBUG config actors_unique_tag CrowdStrike: ADVERSARY
[2023-03-06 16:07:18,048] DEBUG config reports_tags att:source="Crowdstrike.Report"
[2023-03-06 16:07:18,048] DEBUG config indicators_tags att:source="Crowdstrike.Indicators"
[2023-03-06 16:07:18,048] DEBUG config actors_tags att:source="Crowdstrike.Actors"
[2023-03-06 16:07:18,048] DEBUG config unknown_mapping CrowdStrike:indicator:galaxy: UNATTRIBUTED
[2023-03-06 16:07:18,048] DEBUG config unattributed_title Unattributed indicators:
[2023-03-06 16:07:18,048] DEBUG config indicator_type_title Indicator Type:
[2023-03-06 16:07:18,048] DEBUG config malware_family_title Malware Family:
[2023-03-06 16:07:18,048] DEBUG config log_duplicates_as_sightings True
[2023-03-06 16:07:18,048] DEBUG config misp_url https://3samisp
[2023-03-06 16:07:18,048] DEBUG config misp_auth_key value redacted, check config file
[2023-03-06 16:07:18,048] DEBUG config crowdstrike_org_uuid ca4f4b5d-db04-4a5e-a6de-e60636dc01be
[2023-03-06 16:07:18,048] DEBUG config misp_enable_ssl False
[2023-03-06 16:07:18,048] WARNING config misp_enable_ssl SSL is disabled for MISP API requests
[2023-03-06 16:07:18,048] DEBUG config ind_attribute_batch_size 2500
[2023-03-06 16:07:18,048] DEBUG config event_save_memory_refresh_interval 180
[2023-03-06 16:07:18,048] DEBUG config max_threads 16
[2023-03-06 16:07:18,049] DEBUG config miss_track_file no_galaxy_mapping.log
[2023-03-06 16:07:18,049] DEBUG config galaxies_map_file galaxy.ini
[2023-03-06 16:07:18,049] DEBUG config tag_unknown_galaxy_maps True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_kill-chain True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_information-security-data-source True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_type True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_iep False
[2023-03-06 16:07:18,049] DEBUG config taxonomic_iep2 True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_iep2_version False
[2023-03-06 16:07:18,049] DEBUG config taxonomic_tlp True
[2023-03-06 16:07:18,049] DEBUG config taxonomic_workflow True
[2023-03-06 16:07:18,556] INFO config No configuration errors found (1 warning)
[2023-03-06 16:07:20,107] INFO processor/main Starting import of CrowdStrike Threat Intelligence reports as events (past 365 days).
[2023-03-06 16:07:20,107] INFO processor/main Retrieving all available report types.
[2023-03-06 16:07:24,130] INFO processor/main Retrieved 45 total reports from the Crowdstrike Intel API.
[2023-03-06 16:07:24,130] INFO processor/main Found 2340 pre-existing CrowdStrike reports within the MISP instance.
[2023-03-06 16:07:29,129] INFO processor/main Retrieved extended report details for 39 reports.
[2023-03-06 16:07:32,486] INFO processor/main 371 related indicators found.
[2023-03-06 16:07:32,489] DEBUG processor/thread_1 Retrieved 11 indicators detailed within report CSA-230312
[2023-03-06 16:07:32,527] DEBUG processor/thread_8 Retrieved 7 indicators detailed within report CSA-230293
[2023-03-06 16:07:32,565] DEBUG processor/thread_12 Retrieved 30 indicators detailed within report CSA-230314
[2023-03-06 16:07:32,600] DEBUG processor/thread_14 Retrieved 33 indicators detailed within report CSA-230297
[2023-03-06 16:07:32,812] DEBUG processor/thread_5 CSIT-23059 Emerging Trends in Uzbekistan Hacktivism report created.
[2023-03-06 16:07:32,813] DEBUG processor/thread_5 Retrieved 42 indicators detailed within report CSA-230328
[2023-03-06 16:07:32,816] DEBUG processor/thread_4 CSIT-23070 Operational Profile of Anti-Iranian Government Hacktivist Group Black Reward report created.
[2023-03-06 16:07:32,849] DEBUG processor/thread_6 CSIT-23072 ATM Attacks Fluctuate and Resurge After COVID-19 Lockdowns End report created.
[2023-03-06 16:07:32,858] DEBUG processor/thread_11 CSA-230323 Oracle Web Logic Vulnerability (CVE-2023-21839) Exploit Proof-of-Concept Released, Automated Exploitation Attempts Likely report created.
[2023-03-06 16:07:32,861] DEBUG processor/thread_13 CSA-230325 CCP Releases “Global Security Initiative” Paper Outlining Chinese Alternative to U.S.-Led Global Security Architecture report created.
[2023-03-06 16:07:32,864] DEBUG processor/thread_9 CSA-230321 Iran Expands Military Electronics Proliferation, Broadens Alternative Technology Supply Chain report created.
[2023-03-06 16:07:32,869] DEBUG processor/thread_1 CSA-230312 Watermeloader Rust Loader Protected with Modified Exocet Crypter; Distribution Overlap with CARBON SPIDER report created.
[2023-03-06 16:07:32,876] DEBUG processor/thread_8 CSA-230293 InnateSpark Continues to Deliver AvantGarde in February 2023 After Brief Hiatus; Likely Targeting Apple Devices report created.
[2023-03-06 16:07:32,880] DEBUG processor/thread_9 Retrieved 3 indicators detailed within report CSA-230322
[2023-03-06 16:07:32,980] DEBUG processor/thread_3 Retrieved 15 indicators detailed within report CSA-230310
[2023-03-06 16:07:33,046] DEBUG processor/thread_9 CSA-230322 Opportunistic eCrime Actor Exploits ManageEngine and KACE, Deploys ScreenConnect report created.
[2023-03-06 16:07:33,055] DEBUG processor/thread_14 CSA-230297 China-Nexus Adversary Targets Telecommunication Entities with Reptile Rootkit and SideWalk Malware report created.
[2023-03-06 16:07:33,177] DEBUG processor/thread_12 CSA-230314 Industry Reporting Details ForgedCombine Activity Targeting Telecommunications Entities in the Middle East and Likely Afghanistan report created.
[2023-03-06 16:07:33,178] DEBUG processor/thread_12 Retrieved 9 indicators detailed within report CSA-230329
[2023-03-06 16:07:33,195] DEBUG processor/thread_14 CSA-230335 Iran Emphasizes Online Media Messaging Control to Strengthen Cognitive Warfare report created.
[2023-03-06 16:07:33,195] DEBUG processor/thread_14 Retrieved 15 indicators detailed within report CSA-230317
[2023-03-06 16:07:33,215] DEBUG processor/thread_5 CSA-230328 Shindig Updates its Loader report created.
[2023-03-06 16:07:33,284] DEBUG processor/thread_3 CSA-230310 RECESS SPIDER Leverages Compromised VPN Credentials for Initial Access report created.
[2023-03-06 16:07:33,401] DEBUG processor/thread_6 Retrieved 10 indicators detailed within report CSA-230316
[2023-03-06 16:07:33,465] DEBUG processor/thread_12 CSA-230329 Fsociety Updates Tooling, Including New Obfuscation Process to Hide Malicious Infrastructure report created.
[2023-03-06 16:07:33,500] DEBUG processor/thread_14 CSA-230317 Mallox Ransomware Activity Identified; the Group Recently Began Recruiting Pentesters via an Underground Forum report created.
[2023-03-06 16:07:33,591] DEBUG processor/thread_12 CSA-230331 Chinese and Russian Propagandists Exploit Ohio Train Derailment report created.
SNIP
[2023-03-06 21:33:50,399] INFO processor/thread_3 Updated Indicator Type: SHA256 hashes with 824 new indicators after 151.64 seconds.
[2023-03-06 21:33:56,574] INFO processor/thread_2 Updated Indicator Type: SHA1 hashes with 810 new indicators after 157.84 seconds.
[2023-03-06 21:34:06,270] INFO processor/thread_0 Updated Indicator Type: MD5 hashes with 811 new indicators after 167.55 seconds.
[2023-03-06 21:34:36,704] INFO processor/thread_15 Updated Malware Family: Sodinokibi with 337 new indicators after 176.87 seconds.
Traceback (most recent call last):
File "misp_import.py", line 377, in <module>
main()
File "misp_import.py", line 356, in main
importer.import_from_crowdstrike(int(settings["CrowdStrike"]["init_reports_days_before"]),
File "/home/rx118r/src/crowdstrike/MISP-tools-main/cs_misp_import/importer.py", line 314, in import_from_crowdstrike
self.indicators_importer.process_indicators(indicators_minutes_before)
File "/home/rx118r/src/crowdstrike/MISP-tools-main/cs_misp_import/indicators.py", line 195, in process_indicators
self.push_indicators(indicators_page)
File "/home/rx118r/src/crowdstrike/MISP-tools-main/cs_misp_import/indicators.py", line 387, in push_indicators
for cleaned in self.clean_laundry(len(batch), all_successes, f_failures, m_failures):
File "/home/rx118r/src/crowdstrike/MISP-tools-main/cs_misp_import/indicators.py", line 363, in clean_laundry
saved.append(fut.result())
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/_base.py", line 437, in result
return self.__get_result()
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/_base.py", line 389, in __get_result
raise self._exception
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "/home/rx118r/src/crowdstrike/MISP-tools-main/cs_misp_import/indicators.py", line 247, in event_thread
self.misp.update_event(evt)
File "/data/misp/venv/lib64/python3.8/site-packages/pymisp/api.py", line 417, in update_event
r = self._prepare_request('POST', f'events/edit/{eid}' + ('/metadata:1' if metadata else ''), data=event)
File "/data/misp/venv/lib64/python3.8/site-packages/pymisp/api.py", line 3705, in _prepare_request
return self.__session.send(prepped, timeout=self.timeout, **settings)
File "/data/misp/venv/lib64/python3.8/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/data/misp/venv/lib64/python3.8/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/data/misp/venv/lib64/python3.8/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/data/misp/venv/lib64/python3.8/site-packages/urllib3/connectionpool.py", line 398, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/data/misp/venv/lib64/python3.8/site-packages/urllib3/connection.py", line 239, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/http/client.py", line 1256, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/http/client.py", line 1302, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/http/client.py", line 1251, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/http/client.py", line 1050, in _send_output
self.send(chunk)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/http/client.py", line 972, in send
self.sock.sendall(data)
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/ssl.py", line 1204, in sendall
v = self.send(byte_view[count:])
File "/opt/rh/rh-python38/root/usr/lib64/python3.8/ssl.py", line 1173, in send
return self._sslobj.write(data)
OverflowError: string longer than 2147483647 bytes
(venv) [rx118r@md2nj01di:~/src/crowdstrike/MISP-tools-main]$
I see quite a few hits on that error (relating to trying to load a chunk-o-stuff over 2 GB).
For example:
Do you want me to do a complete wipe and try from scratch again?
Change my settings?
init_reports_days_before = 365
init_indicators_minutes_before = 20220
init_actors_days_before = 365
Try dropping init_indicators_minutes_before down to 300.
If that doesn't get you past the error, then try clearing. (I also am finding hits related to overall update size. We may need to consider chunking indicator events that exceed a certain attribute count.)
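As an added illustration of the chunking idea raised above (example code, not part of MISP-tools or pymisp): the traceback dies inside ssl.write() because one event update body exceeds 2147483647 bytes, so the batching below bounds each request by both an attribute count and a serialised byte budget, and rejects an oversized single attribute before a request is built. The count reuses the ind_attribute_batch_size value from the config dump; the 64 MiB byte budget, the function names and the sample attributes are assumptions chosen for the example.

```python
"""Size-bounded batching of MISP attributes (added example, not project code)."""
import json
from typing import Iterable, Iterator

# Hard ceiling that ssl.write() refuses: the limit named in the traceback.
SSL_WRITE_LIMIT = 2_147_483_647

# Illustrative budgets. The count mirrors ind_attribute_batch_size from the
# config dump; the byte budget is an assumption, kept far below the limit.
MAX_ATTRIBUTES_PER_REQUEST = 2500
MAX_BYTES_PER_REQUEST = 64 * 1024 * 1024


def encoded_size(obj) -> int:
    """Bytes of the compact JSON encoding that would go on the wire."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def batch_attributes(attributes: Iterable[dict],
                     max_count: int = MAX_ATTRIBUTES_PER_REQUEST,
                     max_bytes: int = MAX_BYTES_PER_REQUEST) -> Iterator[list]:
    """Yield attribute lists that each satisfy both the count and byte budget.

    Each attribute is charged its JSON size plus one byte for the joining
    comma, so the estimate errs slightly high and never low. An attribute
    that alone exceeds max_bytes is rejected up front instead of producing a
    request that can never be sent.
    """
    batch, batch_bytes = [], 0
    for attr in attributes:
        size = encoded_size(attr) + 1  # +1 for the comma joining list items
        if size > max_bytes:
            raise ValueError(
                f"attribute {attr.get('value', '?')!r} is {size} bytes, "
                f"over the {max_bytes}-byte request budget")
        if batch and (len(batch) >= max_count or batch_bytes + size > max_bytes):
            yield batch
            batch, batch_bytes = [], 0
        batch.append(attr)
        batch_bytes += size
    if batch:
        yield batch


def check_sendable(body: bytes, limit: int = SSL_WRITE_LIMIT) -> int:
    """Fail fast with a readable message where the socket layer would overflow."""
    if len(body) > limit:
        raise ValueError(f"request body is {len(body)} bytes; "
                         f"ssl.write() refuses anything over {limit}")
    return len(body)


def plan_event_updates(event_uuid: str, attributes: Iterable[dict],
                       **limits) -> list:
    """Build one request body per batch for a single event.

    Each body carries only its batch's attributes rather than the whole
    event; which pymisp call sends it (and how the server merges it) is
    left to the caller and is outside this example.
    """
    bodies = []
    for batch in batch_attributes(attributes, **limits):
        body = json.dumps({"Event": {"uuid": event_uuid, "Attribute": batch}},
                          separators=(",", ":")).encode("utf-8")
        check_sendable(body)
        bodies.append(body)
    return bodies


if __name__ == "__main__":
    # Constructed sample: seven sha256 attributes with dummy hex values.
    sample = [{"type": "sha256", "category": "Payload delivery",
               "value": f"{i:064x}"} for i in range(7)]
    plans = plan_event_updates("00000000-0000-0000-0000-000000000000",
                               sample, max_count=3)
    print(f"{len(sample)} attributes -> {len(plans)} update requests")
```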
Please note that the indicator runs are typically taking in excess of 5 hours to complete/fail.
Out of curiosity: why do you appear to pull all of the Attributes from all sources?
[2023-03-07 16:11:46,497] INFO processor/thread_9 Retrieved 7 coin_address indicators from MISP.
[2023-03-07 16:11:46,651] INFO processor/thread_3 Retrieved 1,740 hash_imphash indicators from MISP.
[2023-03-07 16:11:46,658] INFO processor/thread_13 Retrieved 50 device_name indicators from MISP.
[2023-03-07 16:11:46,894] INFO processor/thread_7 Retrieved 3,922 mutex_name indicators from MISP.
[2023-03-07 16:11:46,908] INFO processor/thread_8 Retrieved 302 bitcoin_address indicators from MISP.
[2023-03-07 16:11:47,264] INFO processor/thread_12 Retrieved 495 registry indicators from MISP.
[2023-03-07 16:11:48,801] INFO processor/thread_9 Retrieved 171 campaign_id indicators from MISP.
[2023-03-07 16:11:48,816] INFO processor/thread_3 Retrieved 29 service_name indicators from MISP.
[2023-03-07 16:11:49,486] INFO processor/thread_7 Retrieved 446 port indicators from MISP.
[2023-03-07 16:12:09,651] INFO processor/thread_13 Retrieved 90,329 user_agent indicators from MISP.
[2023-03-07 16:12:23,738] INFO processor/thread_4 Retrieved 199,917 file_name indicators from MISP.
[2023-03-07 16:12:27,594] INFO processor/thread_5 Retrieved 199,917 file_path indicators from MISP.
[2023-03-07 16:12:31,243] INFO processor/thread_10 Retrieved 21,408 email_address indicators from MISP.
[2023-03-07 16:12:49,347] INFO processor/thread_2 Retrieved 512,139 hash_sha1 indicators from MISP.
[2023-03-07 16:13:39,268] INFO processor/thread_11 Retrieved 547,578 email_subject indicators from MISP.
[2023-03-07 16:14:19,051] INFO processor/thread_14 Retrieved 1,588,537 domain indicators from MISP.
[2023-03-07 16:16:44,599] INFO processor/thread_1 Retrieved 2,112,980 hash_sha256 indicators from MISP.
[2023-03-07 16:17:50,401] INFO processor/thread_0 Retrieved 2,737,593 hash_md5 indicators from MISP.
[2023-03-07 16:20:39,068] INFO processor/thread_15 Retrieved 4,214,016 ip_address indicators from MISP.
[2023-03-07 16:42:20,474] INFO processor/thread_6 Retrieved 14,758,445 url indicators from MISP.
[2023-03-07 16:42:35,343] INFO processor/main Found 0 pre-existing indicators within CrowdStrike reports.
[2023-03-07 16:42:48,466] INFO processor/main Starting import of CrowdStrike indicators into MISP.
[2023-03-07 16:43:07,859] INFO processor/main Retrieved 5,000 of 38,205 remaining indicators.
[2023-03-07 16:43:07,859] DEBUG processor/main Configuration states we should process batches of 2,500 indicators.
Out of curiosity: why do you appear to pull all of the Attributes from all sources?
Dupe checking. This has changed over the past few versions, at some point this will get revisited. (Reports and Adversaries will probably still populate this way.)
So what do you do (or not do) if one of your competitors/alternate sources has stated that an IOC is bad?
230225-2300
python3 misp_import.py --fullmonty -d -v -p -nb