Closed (MichaelDwucet closed this issue 5 years ago)
Additional information from MISP debugging and apache2 logs:
Server A is only doing a single HTTP GET request after pushing the "sync push" button, while another regular MISP instance without proxy usage is doing an HTTP GET request followed by two HTTP POST requests. As an HTTP POST "curl" request is working on Server A, it currently does not look like a proxy / firewall issue. Do you have any ideas which settings could cause this behaviour?
Request of internal Server A on target MISP Server B:
"GET /servers/getVersion HTTP/1.1" 200 6064 "-" "CakePHP"
Requests from a comparable MISP instance without proxy on target MISP Server B:
"GET /servers/getVersion HTTP/1.1" 200 6049 "-" "CakePHP"
"POST /events/filterEventIdsForPush HTTP/1.1" 200 6023 "-" "CakePHP"
"POST /events/index HTTP/1.1" 200 2943617 "-" "CakePHP"
Comparison "curl" API request from Server A on MISP Server B:
"POST /events HTTP/1.1" 200 22793 "-" "curl/7.47.0"
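The access-log comparison above is the only place where the silent push failure is visible: a healthy push shows up on the receiving server as a GET to /servers/getVersion followed by POSTs to /events/filterEventIdsForPush and /events/index, while the broken one stops after the GET. The following script is an added example, not code from the issue or from the MISP project; it parses Apache combined-format access-log lines (a constructed sample embedded below, with made-up IPs and timestamps), groups the CakePHP user-agent requests per client, and flags every push attempt that did not get past the version check. The time window and the assumption that a new getVersion GET starts a new attempt are choices made here, not MISP behaviour documented on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache combined-format access-log lines as seen on the
# receiving MISP server (Server B). Client 10.0.1.5 completes the push sequence;
# client 192.168.7.20 only ever reaches the version check (the Server A symptom)
# and later sends a plain curl POST, which is not part of a MISP push.
SAMPLE_LOG = """\
10.0.1.5 - - [12/Nov/2016:10:00:01 +0000] "GET /servers/getVersion HTTP/1.1" 200 6049 "-" "CakePHP"
10.0.1.5 - - [12/Nov/2016:10:00:02 +0000] "POST /events/filterEventIdsForPush HTTP/1.1" 200 6023 "-" "CakePHP"
10.0.1.5 - - [12/Nov/2016:10:00:04 +0000] "POST /events/index HTTP/1.1" 200 2943617 "-" "CakePHP"
192.168.7.20 - - [12/Nov/2016:10:05:10 +0000] "GET /servers/getVersion HTTP/1.1" 200 6064 "-" "CakePHP"
192.168.7.20 - - [12/Nov/2016:10:06:15 +0000] "GET /servers/getVersion HTTP/1.1" 200 6064 "-" "CakePHP"
192.168.7.20 - - [12/Nov/2016:10:07:00 +0000] "POST /events HTTP/1.1" 200 22793 "-" "curl/7.47.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Request sequence a MISP push leaves on the receiving side, taken from the
# issue's own log excerpt. Order matters: each step must follow the previous one.
PUSH_SEQUENCE = [
    ("GET", "/servers/getVersion"),
    ("POST", "/events/filterEventIdsForPush"),
    ("POST", "/events/index"),
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_push_attempts(lines, window=timedelta(seconds=120)):
    """Reconstruct push attempts per client IP.

    Every getVersion GET from a CakePHP user-agent is treated as the start of an
    attempt (assumption made here). Subsequent requests from the same client
    within `window` are matched against PUSH_SEQUENCE in order; a new getVersion
    GET ends the current attempt. Each attempt is reported with the steps that
    were actually observed and whether the full sequence completed.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"].startswith("CakePHP"):   # only MISP-to-MISP traffic
            by_ip[rec["ip"]].append(rec)

    attempts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            if (start["method"], start["path"]) != PUSH_SEQUENCE[0]:
                continue
            steps = [PUSH_SEQUENCE[0]]
            expected = 1
            for nxt in recs[i + 1:]:
                key = (nxt["method"], nxt["path"])
                if nxt["ts"] - start["ts"] > window or key == PUSH_SEQUENCE[0]:
                    break  # window exhausted, or the next attempt has begun
                if expected < len(PUSH_SEQUENCE) and key == PUSH_SEQUENCE[expected] and nxt["status"] == 200:
                    steps.append(key)
                    expected += 1
            attempts.append({
                "ip": ip,
                "started": start["ts"],
                "steps": steps,
                "complete": expected == len(PUSH_SEQUENCE),
            })
    return attempts


def incomplete_pushes(lines):
    """Convenience wrapper: (ip, start time, last step reached) for every failed attempt."""
    return [(a["ip"], a["started"].isoformat(), a["steps"][-1][1])
            for a in find_push_attempts(lines) if not a["complete"]]


if __name__ == "__main__":
    for ip, started, last in incomplete_pushes(SAMPLE_LOG.splitlines()):
        print(f"{ip} started a push at {started} but stopped after {last}")
```

Run it against the real access log on the receiving server (`find_push_attempts(open("/var/log/apache2/access.log").readlines())`) after pressing "Push All" on the sending side; an attempt that stops at /servers/getVersion while the sending instance reports events as pushed points at the proxy or TLS path between the two instances rather than at the sync user or its permissions, which is the diagnosis the thread eventually reached.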
That sounds really odd. What versions are the MISPs involved?
We updated all involved MISPs last week to the latest head 2.4.53. With that version we did our first tests with pushing from the internal network to the external. Never tested that before, because it was working with our test setup in our lab.
Our proxy server seemed to have an issue with our SSL configuration (DH parameters) of Server B. However the issue is now resolved. Thanks a lot!
Thanks for the heads-up, let's keep this issue open though since the response / logging of failed events isn't great if it told you that they were transferred.
Hi folks, any updates on that, because we are facing exactly the same problem?
@MichaelDwucet I suppose we can close the issue? Let us know (and reopen the issue) if you still have the issue. I'll close the issue in the meantime. Thanks a lot.
Work environment
We have some problems with a MISP server in a protected internal network that we cannot get to push out MISP events to another MISP server in a DMZ. We are still searching for the reason. At the moment, it could be a bug in our MISP installation or maybe some strange error with the firewall between the networks, but we found that the MISP logs are not very helpful for finding the reason why MISP is not pushing out the events.
Server A: Internal network.
Server B: DMZ network, our Proxy MISP server.
Between the two networks is a very restrictive firewall. Only connections initiated from A to B are allowed on a strict IP / Port basis.
Server B has a Sync-User. The authkey of this Sync-user is used in Server A in the config for connected server B. The config of Server B in Server A looks like:
The connection test between the two instances seems to work (view from Server A).
Expected behavior
Server A has 7 new events. When I press "Push All" I would expect that the events will be synced. Server A shows me that it synced the 7 events. (In the picture I pressed the push button 2 times, one minute apart.)
One "error" that already appears is that the second push also seems to have pushed 7 events, even though no new events were added on Server A between the 2 pushes.
Actual behavior
When I look at Server B, it shows me that there is communication from Server A. (In the picture is the 2nd push; the time difference is because one server uses UTC, the other CET.)
But there are no events added on server B. I also checked directly in the database. No events got added.
Also, there is nothing in the logs regarding the push, not in the error.log, the resque... logs or the other logs in /var/www/misp/app/tmp/logs.
If there are no events added on Server B, I would expect MISP to throw some error messages, either on Server A or Server B. So we just have Server A telling us it has "7 events pushed or updated", even if that is not true.
It just happens between these two servers. Pushing from a Server C in the same DMZ to Server B is working normally. We are still searching for the error, but it would be very helpful if somebody could give us a hint where we could look for the source of this problem.
For the future, it would be helpful if there were some sort of acknowledgment from the MISP server that receives pushed events back to the pushing server, acknowledging the successful addition of the events.
Just two more points: 1) Using CURL on the command line of server A to create an event on server B is working perfectly. 2) TCPDump on Server B shows https packets between the 2 servers during the push. As the packets are encrypted, we have not investigated them further.