Graylog2 / graylog-plugin-threatintel

Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases

OTX Alienvault - block produce stack trace #22

Closed jalogisch closed 7 years ago

jalogisch commented 7 years ago

When you are producing too many queries to the AlienVault API, you will be limited and answers will be delayed. This creates high loads on Graylog and most lookups fail with the following:

2017-01-23T12:10:36.072+01:00 ERROR [OTXIPLookupFunction] Could not lookup OTX threat intelligence for IP [207.46.13.181].
java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: Could not load OTX response.
    at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[graylog.jar:?]
    at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[graylog.jar:?]
    at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[graylog.jar:?]
    at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.lookup(OTXLookupProvider.java:124) ~[graylog-plugin-threatintel-0.9.0.jar:?]
    at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:55) [graylog-plugin-threatintel-0.9.0.jar:?]
    at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:17) [graylog-plugin-threatintel-0.9.0.jar:?]
    at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:59) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:36) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:357) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForPipelines(PipelineInterpreter.java:291) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:248) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:192) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
    at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
    at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
    at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
Caused by: java.util.concurrent.ExecutionException: Could not load OTX response.
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:165) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
    ... 23 more
Caused by: java.net.SocketTimeoutException: timeout
    at okio.Okio$3.newTimeoutException(Okio.java:210) ~[graylog.jar:?]
    at okio.AsyncTimeout.exit(AsyncTimeout.java:288) ~[graylog.jar:?]
    at okio.AsyncTimeout$2.read(AsyncTimeout.java:242) ~[graylog.jar:?]
    at okio.RealBufferedSource.indexOf(RealBufferedSource.java:325) ~[graylog.jar:?]
    at okio.RealBufferedSource.indexOf(RealBufferedSource.java:314) ~[graylog.jar:?]
    at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:210) ~[graylog.jar:?]
    at okhttp3.internal.http.Http1xStream.readResponse(Http1xStream.java:186) ~[graylog.jar:?]
    at okhttp3.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:127) ~[graylog.jar:?]
    at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:53) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170) ~[graylog.jar:?]
    at okhttp3.RealCall.execute(RealCall.java:60) ~[graylog.jar:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:140) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
    ... 23 more
Caused by: java.net.SocketException: Socket closed
    at java.net.SocketInputStream.read(SocketInputStream.java:203) ~[?:1.8.0_111]
    at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_111]
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[?:1.8.0_111]
    at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[?:1.8.0_111]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:1.8.0_111]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) ~[?:1.8.0_111]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_111]
    at okio.Okio$2.read(Okio.java:138) ~[graylog.jar:?]
    at okio.AsyncTimeout$2.read(AsyncTimeout.java:238) ~[graylog.jar:?]
    at okio.RealBufferedSource.indexOf(RealBufferedSource.java:325) ~[graylog.jar:?]
    at okio.RealBufferedSource.indexOf(RealBufferedSource.java:314) ~[graylog.jar:?]
    at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:210) ~[graylog.jar:?]
    at okhttp3.internal.http.Http1xStream.readResponse(Http1xStream.java:186) ~[graylog.jar:?]
    at okhttp3.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:127) ~[graylog.jar:?]
    at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:53) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170) ~[graylog.jar:?]
    at okhttp3.RealCall.execute(RealCall.java:60) ~[graylog.jar:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:140) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
    at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
    ... 23 more
ion-storm commented 7 years ago

I'm affected by this as well.

ion-storm commented 7 years ago

java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: Could not load OTX response.

jalogisch commented 7 years ago

@ion-storm as these limits are given by AlienVault, you might talk to them for a solution. Disabling would be one; getting access without limits and maybe paying for this option at AlienVault might be the other.

The only option for Graylog here is to make a nice warning.