search

MISP / misp-modules

Modules for expansion services, enrichment, import and export in MISP and other tools.
http://misp.github.io/misp-modules
GNU Affero General Public License v3.0
344 stars 233 forks source link

MISP Module Server Fails to Handle Events Larger Than 100MB #662

Closed rvaccarisec closed 4 months ago

rvaccarisec commented 4 months ago

In this issue, we address the MISP module server’s inability to effectively handle events exceeding 100MB in size. The root cause lies in a limitation within the HTTPServerobject from the Tornado Python framework. Specifically, the max_buffer_sizeparameter defaults to 100MB, which restricts the server’s ability to process large events efficiently.

Steps to Reproduce:

  1. Create a MISP event with a size greater than 100MB.
  2. Develop an action Python module.
  3. Set up a workflow for the publish trigger.
  4. Insert the action module into the workflow.
  5. Publish the event.

Expected Result: The Python action module should execute successfully, processing the event regardless of its size.

Actual Result: Due to the default max_buffer_size limitation, the Python action module fails to execute when handling events larger than 100MB.

Proposed Solution: To address this issue, modify the misp_modules/__init__.py file at line 301 within the MISP module server codebase. Replace the existing line:

application.listen(args.port, address=args.listen)

server = tornado.httpserver.HTTPServer(application, max_buffer_size=1073741824)  # 1GB
server.listen(port)

This change increases the buffer size limit to 1GB, allowing the MISP module server to handle larger events effectively.

adulau commented 4 months ago

Good finding and thanks for the detailed report. It's fixed.