Using synchronization groups, publish (might) fail

[LilaLipetti]

Work environment

Questions	Answers
Type of issue	Bug or Question, let see
OS version (server)	MISP_v2.4.87@b341dc4843291dbe37c0da98ad8b4a83520dadf4.ova
OS version (client)	Ubuntu 16.04 LTS.
PHP version	5.4, 5.5, 5.6, 7.0, 7.1...
MISP version / git hash	MISP_v2.4.87@b341dc4843291dbe37c0da98ad8b4a83520dadf4.ova
Browser	firefox 58.01 64bit

Expected behavior

When event is published, it should be pushed according to push/pull rules to other servers.

Actual behavior

When the event is created and published, in some cases the event is not pushed correctly to the receiving servers. The first "publish" will always fail.

In the receiving server logs: Action "add", "Event could not be saved due to failed sharing group capture". Although when the failing server will initialize "pull" the event is received and created correctly.

Steps to reproduce the behavior

• 2 servers
• each server has site admin organisation A, B
• each server has 1 additional organisation A1, B1
• pull/push rules A1<->B1 created by site admin
• create a sync group with organisation admin A1 with local organisations (A,A1) and remote organisations B1
• don't add servers, use "Enable roaming mode"

Logs, screenshots, configuration dump, ...

The sync group

The event

The log on publisher

The log on receiver

[LilaLipetti]

But.. the event can be synced (pulled) correctly :

[LilaLipetti]

I think because of the documentation https://www.circl.lu/doc/misp/sharing/, I think that the server sync is always defined like "copy from xxx to xxxx"

[iglocska]

Indeed, looking at the documentation, it is clearly incorrect. Thanks for the heads-up!

On Sun, Feb 18, 2018 at 10:05 AM, PasiHyytiainen notifications@github.com wrote:

I think because of the documentation https://www.circl.lu/doc/misp/ sharing/, I think that the server sync is always defined like "copy from xxx to xxxx"

[image: image] https://user-images.githubusercontent.com/10400146/36350152-908a48a8-149b-11e8-9560-42541ffe65b2.png

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MISP/MISP/issues/2949#issuecomment-366501974, or mute the thread https://github.com/notifications/unsubscribe-auth/ADf6wHmnOXQV3foo8dXJ2Wf-f2Zd5bWBks5tV-fLgaJpZM4SJTTz .

[iglocska]

Clarified here: https://github.com/MISP/misp-book/commit/91f37934f68a00fcbd07ce6d9afda8e1482c219e

[LilaLipetti]

Reconfigured everything so that the sync is defined to host organisation of the remote instance and sync user is defined in the host organisation on the remote instance.

The sharing groups will give additional level of complexity. So far while testing sharing groups, based on https://www.circl.lu/doc/misp/using-the-system/#create-and-manage-sharing-groups

The problem is that given example sharing group configuration only works

• when the servers are correctly defined, "roaming mode" can't be used
• the host organisation used for sync needs to be included in the sharing group configuration as well

So to get sharing groups working,

• can't use "roaming mode" Or the initial push will fail to "Event could not be saved due to failed sharing group capture"."

It's getting problematic as if I want that the users who create and handle events are users of my "public" organisations and access to the host organisations is limited to only users who are maintaining the server. So if the sync is defined in the host org level, those organisations needs to be included in the sync groups as well.