topic Re: MineMeld Engine Stuck in Restart Loop in General Topics

MineMeld Engine Stuck in Restart Loop

shanu2405 — Wed, 13 Nov 2019 07:57:54 GMT

Hello,

I face an issue where my MineMeld server keeps on restarting continuously. Initially, it showed an error about low disk space, which got fixed by purging logs, however, the engine keeps restarting. Below is the sample log which I keep seeing repeatedly in engine logs. Attached the complete file. Any help is appreciated. Thanks in advance.

2019-11-13T02:44:00 (37331)launcher.main ERROR: Exception initializing graph
Traceback (most recent call last):
File "/minemeld-ansible/minemeld/engine/core/minemeld/run/launcher.py", line 288, in main
mbusmaster.wait_for_chassis(timeout=10)
File "/minemeld-ansible/minemeld/engine/core/minemeld/mgmtbus.py", line 140, in wait_for_chassis
raise RuntimeError('Timeout waiting for chassis')
RuntimeError: Timeout waiting for chassis
2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: checkpoint_graph called, checking current state
2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: graph status None, checkpoint_graph ignored
2019-11-13T02:44:00 (37636)chassis.stop INFO: chassis stop called
2019-11-13T02:44:00 (37638)chassis.stop INFO: chassis stop called
2019-11-13T02:44:00 (37636)base.stop ERROR: stop on not IDLE or STARTED FT
2019-11-13T02:44:00 (37638)base.stop ERROR: stop on not IDLE or STARTED FT
2019-11-13T02:44:00 (37638)chassis.stop ERROR: Error stopping Test-Vendor-IP
Traceback (most recent call last):
File "/minemeld-ansible/minemeld/engine/core/minemeld/chassis.py", line 210, in stop
ft.stop()
File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/actorbase.py", line 69, in stop
super(ActorBaseFT, self).stop()
File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/base.py", line 763, in stop
raise AssertionError("stop on not IDLE or STARTED FT")

Re: MineMeld Engine Stuck in Restart Loop

lmori — Wed, 13 Nov 2019 14:16:17 GMT

The problem is in the custom prototype of Azure-AD_Test node. infilters should be an array. If you paste the custom prototype conig here I can help.

Re: MineMeld Engine Stuck in Restart Loop

shanu2405 — Wed, 13 Nov 2019 15:54:36 GMT

Thanks Luigi.

That was the issue. Commit fixed it.

Coming to the Custom Prototype: I am trying to split the JSON feed of Azure IPs based on services/region/both.

Here is what I tried which failed. I can’t remember exactly, but I think it was created from aws.AMAZON

minemeldlocal_ms_AzurePublicIP_JSON-AD:

config:

age_out:

default: null

interval: 257

sudden_death: true

attributes:

confidence: 100

share_level: green

type: IPv4

extractor: values[].properties.addressPrefixes[].{indicator:@}

infilters:

actions: accept

conditions: __method == 'withdraw' name_azure == 'AzureActiveDirectory'

prefix: azure

source_name: azure

url: https://www.microsoft.com/en-us/download/details.aspx?id=56519

description: all Azure ranges

development_status: STABLE

indicator_types:

- IPv4

node_type: miner

tags:

- ConfidenceHigh

- ShareLevelGreen

--------------------------------------

I found it worked for region in another post and tried similar conditions to accept indicators. It does work for region+service, but not for services alone.

Here is what I have created

Miner uses prototype: azure.cloudIPsWithServiceTags

Processor uses:

------------

infilters:

- actions:

- accept

conditions:

- __method == 'withdraw'

- actions:

- accept

conditions:

- type == 'IPv4'

- azure_id == 'AzureCloud.uksouth2'

- actions:

- drop

This seems to be working in most of the cases unless I filter services which have their names matching with other IDs (region based) – example:

"id": "AzureActiveDirectory", - 95 indicators

"id": "AzureActiveDirectoryDomainServices", - 73 indicators

When such is the case, it keeps only unique values (22 indicators) and removes both values in case of a duplicate.

I’m not really good with scripting. Is there a way we can make the condition attribute as exact match?

Thanks again for your help.

Re: MineMeld Engine Stuck in Restart Loop

Farouk.Kahoul — Fri, 28 Feb 2020 14:48:18 GMT

did you resolved your problem of filtering by service name?

i have the same problem.

Re: MineMeld Engine Stuck in Restart Loop

lmori — Fri, 06 Mar 2020 10:42:06 GMT

Hi @Farouk.Kahoul,

which MineMeld version are you using? the most recent version (0.9.68) has several improvements in how the Azure feeds are handled and you can adopt a solution similar to the one used for regions also for services.

Luigi

Re: MineMeld Engine Stuck in Restart Loop

Farouk.Kahoul — Fri, 06 Mar 2020 10:49:17 GMT

hi Luigi

thx for your answer.

im using the VERSION: 0.9.66.

i have found a way to filter using the syntax: contains(xxxxx_list, 'yyyyyyy') == true