LogRhythm Threat Intelligence Service crashes MineMeld TAXII


LogRhythm Threat Intelligence Service crashes MineMeld TAXII

L0 Member

I have a LogRhythm Appliance and the Threat Intelligence service is able to register my TAXII datafeed. However, when I try to download the feed, the minemeld web server crashes.

The feed also crashes using PostMan ... same thing, rabbitmq crashes and restarts.

127.0.0.1 - - [18/Nov/2016:20:53:55 +0000] "POST /taxii-poll-service HTTP/1.0" 200 582 "-" "-"
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:amqp:using channel_id: 1
DEBUG:amqp:Channel open
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:minemeld.comm.amqp:sending {'reply_to': u'amq.gen-CtlcZUWQMrN1HZ6f_6Yfqw', 'params': {}, 'method': 'status', 'id': '23bc7e8a-add1-11e6-a79d-000d3a153a4f'} to mbus:master:rpc
DEBUG:minemeld.comm.amqp:start draining events on connection 0
DEBUG:minemeld.comm.amqp:start draining events on connection None
DEBUG:amqp:Closed channel #1

the STIXX service is configured by a yml file ... the MineMeld section looks like this (IPs removed):


"StixProviders": [
    {
        "NumofBackDaysData": 7,
        "SourceURL": "https://<minemeld server>/taxii-collection-management-service",
        "UserName": "",
        "Password": "",
        "LastFullDownloadOn": null,
        "ProviderName": "MineMeld",
        "Enabled": true,
        "Retired": false,
        "StixFeedTypes": [
            {
                "Name": "blacklist_taxiiDataFeed",
                "Enabled": true,
                "FeedPollAddress": "https://<minemeld server>/taxii-poll-service"
            }
        ]
    }
]


Any assistance is greatly appreciated.

-Kevin

5 REPLIES

L7 Applicator

Hi @kmerolla,

The logs you see are normal; by default the minemeld-web service runs at DEBUG log level and those are just DEBUG logs.

Would you mind sharing the output of the POSTMAN Discovery and Collection Management requests?

You can share them here, or unicast them to my email lmori@paloaltonetworks.com.

Thanks!

luigi

Postman Collection Information Request:

<taxii_11:Collection_Information_Response xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="3446523018790861401" in_response_to="26300">
<taxii_11:Collection collection_name="blacklist_taxiiDataFeed" collection_type="DATA_FEED" available="true">
<taxii_11:Description>blacklist_taxiiDataFeed Data Feed</taxii_11:Description>
<taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
<taxii_11:Polling_Service>
<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
<taxii_11:Address>https://<<host>>/taxii-poll-service</taxii_11:Address>
<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
</taxii_11:Polling_Service>
</taxii_11:Collection>
</taxii_11:Collection_Information_Response>


Postman Poll Request (spins for 5 minutes before crashing)


Hi @kmerolla,

An issue could be the number of indicators stored in the feed. If LogRhythm is asking for all of them at once, the resulting response could be too big to be handled. How many indicators do you have in the feed?
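As an added example (not LogRhythm, MineMeld or Postman code), here is a small Python TAXII 1.1 poll client that asks for one bounded time window, the equivalent of the NumofBackDaysData setting, and reports whether the server split a large result into parts (more="true"). The poll URL is assumed to be the /taxii-poll-service endpoint from the thread, and the sample response is constructed, not captured from a real server.

```python
import uuid
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TAXII_11 = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"

def _q(name):
    return "{%s}%s" % (TAXII_11, name)

def default_window(back_days):
    """[now - back_days, now] in UTC, like NumofBackDaysData in the LogRhythm config."""
    end = datetime.now(timezone.utc).replace(microsecond=0)
    return end - timedelta(days=back_days), end

def build_poll_request(collection, begin, end):
    """Poll_Request bounded to one window, so each poll asks for a slice of the feed
    rather than every indicator MineMeld has stored (the oversized-response case)."""
    root = ET.Element(_q("Poll_Request"), {"message_id": str(uuid.uuid4().int >> 96),
                                           "collection_name": collection})
    ET.SubElement(root, _q("Exclusive_Begin_Timestamp")).text = begin.isoformat()
    ET.SubElement(root, _q("Inclusive_End_Timestamp")).text = end.isoformat()
    params = ET.SubElement(root, _q("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, _q("Response_Type")).text = "FULL"
    return ET.tostring(root, encoding="unicode")

def summarize_poll_response(xml_text):
    """Count Content_Blocks; more="true" means further parts exist under result_id."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Poll_Response"):
        raise ValueError("unexpected TAXII message: %s" % root.tag)
    return {"blocks": len(root.findall(_q("Content_Block"))),
            "more": root.get("more", "false").lower() == "true",
            "result_id": root.get("result_id")}

def poll(url, collection, back_days, timeout=120):
    # POST one windowed request with the TAXII 1.1 HTTP binding headers (assumed URL).
    body = build_poll_request(collection, *default_window(back_days)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_poll_response(resp.read().decode())

SAMPLE_RESPONSE = """<!-- constructed sample, not a real MineMeld capture -->
<taxii_11:Poll_Response xmlns:taxii_11="%s" message_id="1" in_response_to="2"
 collection_name="blacklist_taxiiDataFeed" more="true" result_id="r1">
 <taxii_11:Content_Block><taxii_11:Content>stix-package-1</taxii_11:Content></taxii_11:Content_Block>
 <taxii_11:Content_Block><taxii_11:Content>stix-package-2</taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>""" % TAXII_11
```

Calling poll("https://<minemeld server>/taxii-poll-service", "blacklist_taxiiDataFeed", 1) with a one-day window is a quick way to check whether the crash depends on response size before pulling the full seven days.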

Is this still a concern or has it been addressed?

We are also planning to bring MineMeld threat intel into our LogRhythm SIEM. Is anyone doing that kind enough to share how they set it up and whether it is proving valuable?

CISSP, CCSP, CISA, CISM