Closed aliman53 closed 9 months ago
Hi @aliman53. Do you know which IOCs cause the errors? I can then look into it. Is it caused by data coming from any of the OSINT feeds in MISP?
Hi @cudeso, not sure which IOCs are causing the errors, sorry. My MISP environment has a handful of feeds enabled; it seems the OSINT feeds are okay, I'm mostly noticing the missing IOCs from a paid threat intel feed. I can confirm the issues are not coming from the paid provider and that the IOCs used to come in normally.
The paid feeds are quite large, so that may be causing the issue? But what's strange is they used to come into Sentinel fine and just randomly stopped coming in recently. (I have checked that the feeds have IDS ticked and the MISP filters match what needs to be ingested.)
I'm a bit stuck on how to troubleshoot this or figure out what may be causing it; my only guess is the error I shared above.
print(misp_event.id)
on line 97, just after the misp_event = RequestObject_Event(event["Event"], logger). If you run the script, it should print out the event IDs; the last one is the event where it gets stuck.
Hi @cudeso thanks for the troubleshooting help.
I got the latest commit and added the new print line:
I am now getting this error when running script.py?
Fat fingers :(... You can either get the latest commit, or remove the second : from line 137.
Hi @cudeso thanks for the fix. When running the script I just get the same following error:
2024-01-23 20:35:35,232 - misp2sentinel - ERROR - Error received from the MISP server Error code 500: {"name":"An Internal Error Has Occurred.","message":"An Internal Error Has Occurred.","url":"\/events\/restSearch"}
No event ids printed and script does not continue to run.
That's a 500 error code from the MISP server. Can you check if there's anything in the MISP logs in MISP/app/tmp/logs?
Hi @cudeso
I checked MISP/app/tmp/logs, but there were so many old logs it was hard to trace back to this error, so I cleared the logs in MISP/app/tmp/logs and then ran script.py to generate the error again: 2024-01-23 20:35:35,232 - misp2sentinel - ERROR - Error received from the MISP server Error code 500: {"name":"An Internal Error Has Occurred.","message":"An Internal Error Has Occurred.","url":"/events/restSearch"}
After receiving the known error, I went back to check if any error logs got generated in MISP/app/tmp/logs but there was nothing:
@aliman53 I changed the code to also display the error line when it fails.
Could you also check that the values in misp_event_filters are correct?
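One way to act on that last suggestion, as an added troubleshooting helper that is not part of misp2sentinel or MISP: send the misp_event_filters to /events/restSearch as a whole and then one key at a time, so a filter value that makes MISP answer HTTP 500 can be isolated before the sync script runs. The MISP URL and API key are placeholders, and fake_misp is a constructed stand-in whose failure rule is invented for the offline demo, not real MISP behaviour.

```python
import json
import urllib.error
import urllib.request


def misp_post(url: str, key: str):
    """Build a poster for a real MISP instance (url and key are placeholders)."""
    def post(body: dict):
        req = urllib.request.Request(
            f"{url}/events/restSearch",
            data=json.dumps(body).encode(),
            headers={"Authorization": key, "Accept": "application/json",
                     "Content-Type": "application/json"},
            method="POST")
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:   # 500 arrives here, not as a return
            return err.code, err.read().decode()
    return post


def isolate_failing_filters(filters: dict, post) -> list:
    """Return the filter keys that trigger a 500 when sent on their own.

    post(body) must return (http_status, response_text). An empty list while
    the full set still fails means the *combination* of filters is the problem."""
    status, _ = post({"limit": 1, **filters})
    if status != 500:
        return []                      # MISP accepts the full filter set
    return [key for key, value in filters.items()
            if post({"limit": 1, key: value})[0] == 500]


# Constructed stand-in for MISP: rejects a publish_timestamp that is not a
# relative value such as "14d". This rule is invented for the demo only.
def fake_misp(body: dict):
    ts = body.get("publish_timestamp")
    if ts is not None and not str(ts).endswith(("d", "h", "m")):
        return 500, json.dumps({"name": "An Internal Error Has Occurred.",
                                "url": "/events/restSearch"})
    return 200, json.dumps({"response": []})


# Constructed filter set with one deliberately bad value
EXAMPLE_FILTERS = {"published": 1, "to_ids": 1, "publish_timestamp": "2024-01-23"}

if __name__ == "__main__":
    print(isolate_failing_filters(EXAMPLE_FILTERS, fake_misp))   # ['publish_timestamp']
    # Real server: isolate_failing_filters(filters, misp_post("https://misp.example", "PLACEHOLDER_KEY"))
```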
Closing pending feedback
Hi Cudeso,
I've been noticing certain MISP feeds and IOCs have not been going into Sentinel. Upon looking at the error logs I saw these errors:
I am not sure what could be causing these errors or what they could mean exactly, and if they are the reason why a handful of IOCs are not pushing into Sentinel?
For context, these are error logs from a cronjob set up to push IOCs into Sentinel from MISP daily.