LogRhythm Threat Intelligence Service crashes MineMeld TAXII

L0 Member

I have a LogRhythm Appliance and the Threat Intelligence service is able to register my TAXII datafeed. However, when I try to download the feed, the minemeld web server crashes.

The feed also crashes using Postman ... same thing, rabbitmq crashes and restarts.

127.0.0.1 - - [18/Nov/2016:20:53:55 +0000] "POST /taxii-poll-service HTTP/1.0" 200 582 "-" "-"
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:amqp:using channel_id: 1
DEBUG:amqp:Channel open
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:minemeld.comm.amqp:sending {'reply_to': u'amq.gen-CtlcZUWQMrN1HZ6f_6Yfqw', 'params': {}, 'method': 'status', 'id': '23bc7e8a-add1-11e6-a79d-000d3a153a4f'} to mbus:master:rpc
DEBUG:minemeld.comm.amqp:start draining events on connection 0
DEBUG:minemeld.comm.amqp:start draining events on connection None
DEBUG:amqp:Closed channel #1

The STIX service is configured by a yml file ... the MineMeld section looks like this (IPs removed):

"StixProviders": [
  {
    "NumofBackDaysData": 7,
    "SourceURL": "https://<minemeld server>/taxii-collection-management-service",
    "UserName": "",
    "Password": "",
    "LastFullDownloadOn": null,
    "ProviderName": "MineMeld",
    "Enabled": true,
    "Retired": false,
    "StixFeedTypes": [
      {
        "Name": "blacklist_taxiiDataFeed",
        "Enabled": true,
        "FeedPollAddress": "https://<minemeld server>/taxii-poll-service"
      }
    ]
  }
],

Any assistance is greatly appreciated.

-Kevin

L7 Applicator

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

Hi @kmerolla,

The logs you see are normal: by default the minemeld-web service runs with DEBUG log level, and those are just DEBUG logs.

Would you mind sharing the output of the Postman Discovery and Collection Management requests?

You can share them here, or unicast them to my email lmori@paloaltonetworks.com.

Thanks!

luigi

L0 Member

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

Postman Collection Information Request:

<taxii_11:Collection_Information_Response xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="3446523018790861401" in_response_to="26300">
  <taxii_11:Collection collection_name="blacklist_taxiiDataFeed" collection_type="DATA_FEED" available="true">
    <taxii_11:Description>blacklist_taxiiDataFeed Data Feed</taxii_11:Description>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://<<host>>/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>

Postman Poll Request (spins for 5 minutes before crashing)

L7 Applicator

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

Hi @kmerolla,

An issue could be the number of indicators stored in the feed. If LogRhythm is asking for all of them at once, the resulting response could be too big to be handled. How many indicators do you have in the feed?
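An added example (not code from the thread, MineMeld or LogRhythm) of the window-bounded polling this reply points at: it parses the Collection_Information_Response posted above to find the poll address, then emits TAXII 1.1 Poll_Requests that each cover one slice of the last 7 days (the NumofBackDaysData value in the config), so the poll service never has to return the whole feed in a single response. The host name and message ids are placeholders.

```python
import datetime as dt
import xml.etree.ElementTree as ET

TAXII_11 = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_11}
ET.register_namespace("taxii_11", TAXII_11)  # keep the thread's prefix in serialized output

# Constructed copy of the Collection_Information_Response posted above (host is a placeholder).
COLLECTION_INFO = """<taxii_11:Collection_Information_Response xmlns:taxii_11="%s" message_id="1" in_response_to="26300">
 <taxii_11:Collection collection_name="blacklist_taxiiDataFeed" collection_type="DATA_FEED" available="true">
  <taxii_11:Polling_Service>
   <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
   <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
  </taxii_11:Polling_Service>
 </taxii_11:Collection>
</taxii_11:Collection_Information_Response>""" % TAXII_11


def poll_targets(xml_text):
    """Return [(collection_name, poll_address)] for each collection marked available."""
    out = []
    for coll in ET.fromstring(xml_text).findall("taxii_11:Collection", NS):
        addr = coll.find("taxii_11:Polling_Service/taxii_11:Address", NS)
        if coll.get("available") == "true" and addr is not None and addr.text:
            out.append((coll.get("collection_name"), addr.text.strip()))
    return out


def poll_request(collection, begin, end, message_id="1"):
    """Build a TAXII 1.1 Poll_Request for content in (begin, end]; both are UTC-aware datetimes."""
    req = ET.Element("{%s}Poll_Request" % TAXII_11,
                     message_id=message_id, collection_name=collection)
    ET.SubElement(req, "{%s}Exclusive_Begin_Timestamp" % TAXII_11).text = begin.isoformat()
    ET.SubElement(req, "{%s}Inclusive_End_Timestamp" % TAXII_11).text = end.isoformat()
    ET.SubElement(req, "{%s}Poll_Parameters" % TAXII_11, allow_asynch="false")
    return ET.tostring(req, encoding="unicode")


def windowed_requests(collection, days_back, slice_hours, now=None):
    """Cover the last `days_back` days with `slice_hours`-wide Poll_Requests, oldest first."""
    now = now or dt.datetime.now(dt.timezone.utc)
    start, reqs = now - dt.timedelta(days=days_back), []
    while start < now:
        end = min(start + dt.timedelta(hours=slice_hours), now)
        reqs.append(poll_request(collection, start, end, message_id=str(len(reqs) + 1)))
        start = end
    return reqs
```

Each request body is POSTed to the address returned by `poll_targets`; if one slice still times out, shrink `slice_hours` rather than widening the window.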

L3 Networker

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

Is this still a concern or has it been addressed?

L1 Bithead

Re: LogRhythm Threat Intelligence Service crashes MineMeld TAXII

We are also planning to bring MineMeld threat intel into our SIEM, LogRhythm. Is anyone doing that kind enough to share how they set it up and whether it is proving valuable?
