topic Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII in General Topics

LogRhythm Threat Intelligence Service crashes MineMeld TAXII

kmerolla — Fri, 18 Nov 2016 21:10:26 GMT

I have a LogRhythm Appliance and the Threat Intelligence service is able to register my TAXII datafeed. However when I try and donwload the feed, the minemeld web server crashes.

The feed also crashes using PostMan ... same thing, rabbitmq crashes and restarts.

127.0.0.1 - - [18/Nov/2016:20:53:55 +0000] "POST /taxii-poll-service HTTP/1.0" 200 582 "-" "-"
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 20 07-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection. blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorit ies': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erla ng/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:amqp:using channel_id: 1
DEBUG:amqp:Channel open
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 20 07-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection. blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorit ies': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erla ng/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:minemeld.comm.amqp:sending {'reply_to': u'amq.gen-CtlcZUWQMrN1HZ6f_6Yfqw', 'params': {}, 'method': 'status', 'id': '23bc7e8a-add1-11e6-a79d-000d3a153a4f'} to mbus:master:rpc
DEBUG:minemeld.comm.amqp:start draining events on connection 0
DEBUG:minemeld.comm.amqp:start draining events on connection None
DEBUG:amqp:Closed channel #1

the STIXX service is configured by a yml file ... the MineMeld section looks like this (IPs removed):

"StixProviders": [
{
"NumofBackDaysData": 7,
"SourceURL": "https://<minemeld server>/taxii-collection-management-service",
"UserName": "",
"Password": "",
"LastFullDownloadOn": null,
"ProviderName": "MineMeld",
"Enabled": true,
"Retired": false,
"StixFeedTypes": [
{
"Name": "blacklist_taxiiDataFeed",
"Enabled": true,
"FeedPollAddress": "https://<minemeld server>/taxii-poll-service"
}
],

Any assistance is greatly appreciated

-Kevin

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

lmori — Fri, 18 Nov 2016 21:25:47 GMT

Hi @kmerolla,

the log you see are normal, by default the minemeld-web service runs with DEBUG log level and those are just DEBUG logs.

Would you mind sharing the output of POSTMAN Discovery and Collection management requests ?

You can share them here, or unicast them to my email lmori@paloaltonetworks.com.

Thanks !

luigi

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

kmerolla — Fri, 18 Nov 2016 22:34:42 GMT

Postman Collection Information Request:

<taxii_11:Collection_Information_Response xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="3446523018790861401" in_response_to="26300">
<taxii_11:Collection collection_name="blacklist_taxiiDataFeed" collection_type="DATA_FEED" available="true">
<taxii_11:Description>blacklist_taxiiDataFeed Data Feed</taxii_11:Description>
<taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
<taxii_11:Polling_Service>
<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
<taxii_11:Address>https://<<host>>/taxii-poll-service</taxii_11:Address>
<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
</taxii_11:Polling_Service>
</taxii_11:Collection>
</taxii_11:Collection_Information_Response>

Postman Poll Request (spins for 5 minutes before crashing)

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

lmori — Sat, 19 Nov 2016 13:29:49 GMT

Hi @kmerolla,

an issue could be the number of indicators stored in the feed. If LogRythm is asking for all of them at once, the resulting response could be too big to be handled. How many indicators do you have in the feed ?

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

chirss — Wed, 12 Apr 2017 17:33:36 GMT

Is this still a concern or has it been addressed?

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

LeeSeeman — Tue, 14 May 2019 15:26:49 GMT

We are also planning to bring Minemeld threat intel into our SIEM LogRhythm. Is anyone doing that is kind enough to share how they set it up and if it is proving valuable?