cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo Package - MISP error with stack #1291

Open SparkyNZL opened 7 years ago

SparkyNZL commented 7 years ago

Hey guys, just been looking through the errors from last night, and noticed a fairly regular occurrence of the following. Some entries are going into MISP and others are not; below are the ones which are not :(

Cheers

2017-02-18 17:16:29,705 [cuckoo.core.plugins] ERROR: Failed to run the reporting module: MISP
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 504, in process
    current.run(self.results)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/reporting/misp.py", line 124, in run
    self.domain_ipaddr(results, event)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/reporting/misp.py", line 82, in domain_ipaddr
    self.misp.add_ipdst(event, sorted(list(ipaddrs)))
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 482, in add_ipdst
    return self._send_attributes(event, attributes, proposal)
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 369, in _send_attributes
    response = self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate))
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 277, in update_event
    return self._check_response(response)
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 175, in _check_response
    response.raise_for_status()
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 851, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 500 Server Error: Internal Server Error

doomedraven commented 7 years ago

This looks like a server side error, not a plugin one, check misp logs

jbremer commented 7 years ago

I was going to say the same as @doomedraven, I think the library we include is outdated now.

jbremer commented 7 years ago

Which version of MISP are you running?

SparkyNZL commented 7 years ago

@jbremer - I'm running 2.4.65, and I think I know what is causing the "Too many files open" issue. I'll run a couple more tests, but I think it might be linked to MISP. I'll run another 5K samples tonight and see if it dies; the funny thing was it's only just started occurring, and matched up to when I added MISP into the fold.

SparkyNZL commented 7 years ago

@doomedraven, yeah I thought the same, but the server side seems to be working fine...

doomedraven commented 7 years ago

hm interesting, as it returns 500 that is strange, and there are no threads in the misp module so it shouldn't open many fds, let us know what is wrong

SparkyNZL commented 7 years ago

Question, and this might be a little off topic, but does anyone know what's happened to malwr.com? The site's monkeys have been very busy for at least a month :(

SparkyNZL commented 7 years ago

OK so I have hunted down this issue, and it's a user issue! Because of the sizes of some of the IOCs which are sent over to MISP you MUST make sure you set the upload limits higher than the defaults. This corrected the issue; the other funny thing is that I haven't had the "Too many files open" issue since, not sure if that's just a coincidence or not.

Hope my screw ups help others not make the same mistakes

jbremer commented 7 years ago

I'm going to reopen the issue because I think we should limit the amount of IOCs per call on the Cuckoo side. And also the too many files error should be unrelated because I had that issue as well and I don't have MISP enabled :)
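The per-call limit proposed above, as an added example written for this page and not code from Cuckoo or pyMISP: `FakeMispClient` is a constructed stand-in for pyMISP's `add_ipdst` that rejects any single update whose JSON body exceeds a fixed size (mimicking a server whose upload limit is too low and answers with a 500), and `report_ipdst_batched` splits the address list into bounded batches so that one oversized request fails on its own instead of dropping every IOC for the event. The event id, batch size and sample addresses are all constructed for the example.

```python
# Added example (not Cuckoo's or pyMISP's code): send IOCs to a MISP event in
# bounded batches so one oversized update cannot fail the whole report.
import json


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


class FakeMispClient:
    """Constructed stand-in for pymisp.PyMISP (assumption, not the real API).

    Any update whose serialised body is larger than `max_body_bytes` raises,
    which is what a server with a too-small upload limit looks like from the
    client: a bare HTTP 500 with no useful detail.
    """

    def __init__(self, max_body_bytes):
        self.max_body_bytes = max_body_bytes
        self.calls = []  # batches that were accepted, in order

    def add_ipdst(self, event, ipaddrs):
        body = json.dumps({"Event": {
            "id": event["Event"]["id"],
            "Attribute": [{"type": "ip-dst", "value": ip} for ip in ipaddrs],
        }})
        if len(body) > self.max_body_bytes:
            raise RuntimeError("500 Server Error: Internal Server Error")
        self.calls.append(list(ipaddrs))
        return {"accepted": len(ipaddrs)}


def report_ipdst_batched(misp, event, ipaddrs, batch_size=50):
    """Push destination IPs in batches of `batch_size`.

    Returns (number_sent, failed_batches) where failed_batches is a list of
    (batch, error_text) pairs, so the caller can log exactly which IOCs were
    not recorded instead of losing the whole event update.
    """
    sent = 0
    failed = []
    for batch in chunked(sorted(set(ipaddrs)), batch_size):
        try:
            misp.add_ipdst(event, batch)
            sent += len(batch)
        except Exception as exc:  # one failing batch must not stop the rest
            failed.append((batch, str(exc)))
    return sent, failed


# Constructed sample data: a MISP event stub and 200 distinct destination IPs.
SAMPLE_EVENT = {"Event": {"id": "1"}}
SAMPLE_IPS = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(200)]

if __name__ == "__main__":
    client = FakeMispClient(max_body_bytes=1500)
    sent, failed = report_ipdst_batched(client, SAMPLE_EVENT, SAMPLE_IPS, batch_size=20)
    print("sent=%d batches=%d failed=%d" % (sent, len(client.calls), len(failed)))
```

With the 1500-byte cap, sending all 200 addresses in one call fails outright, while batches of 20 go through in ten accepted requests. The batch size is the knob to tune against the server's real limit; keeping the failure per batch also gives the reporting log a concrete list of what was dropped, which is what the bare 500 in the traceback above never provided.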

SparkyNZL commented 7 years ago

sweet as :) Question, I was going through the conf files, and I noticed that there is a MISP section in reporting.conf and also one in processing.conf; this doesn't seem right? I'm not sure how it's ended up in both conf files. Oh, this is in the packaged version of cuckoo.

doomedraven commented 7 years ago

there you have the answer ;) https://github.com/cuckoosandbox/cuckoo/pull/1012

SparkyNZL commented 7 years ago

Cheers @doomedraven