11-18-2016 01:04 PM - edited 11-18-2016 01:10 PM
I have a LogRhythm Appliance and the Threat Intelligence service is able to register my TAXII datafeed. However, when I try and download the feed, the minemeld web server crashes.
The feed also crashes using PostMan ... same thing, rabbitmq crashes and restarts.
127.0.0.1 - - [18/Nov/2016:20:53:55 +0000] "POST /taxii-poll-service HTTP/1.0" 200 582 "-" "-"
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:amqp:using channel_id: 1
DEBUG:amqp:Channel open
DEBUG:amqp:Start from server, version: 0.9, properties: {u'information': u'Licensed under the MPL. See http://www.rabbitmq.com/', u'product': u'RabbitMQ', u'copyright': u'Copyright (C) 2007-2013 GoPivotal, Inc.', u'capabilities': {u'exchange_exchange_bindings': True, u'connection.blocked': True, u'authentication_failure_close': True, u'basic.nack': True, u'consumer_priorities': True, u'consumer_cancel_notify': True, u'publisher_confirms': True}, u'platform': u'Erlang/OTP', u'version': u'3.2.4'}, mechanisms: [u'AMQPLAIN', u'PLAIN'], locales: [u'en_US']
DEBUG:amqp:Open OK!
DEBUG:minemeld.comm.amqp:sending {'reply_to': u'amq.gen-CtlcZUWQMrN1HZ6f_6Yfqw', 'params': {}, 'method': 'status', 'id': '23bc7e8a-add1-11e6-a79d-000d3a153a4f'} to mbus:master:rpc
DEBUG:minemeld.comm.amqp:start draining events on connection 0
DEBUG:minemeld.comm.amqp:start draining events on connection None
DEBUG:amqp:Closed channel #1
the STIXX service is configured by a yml file ... the MineMeld section looks like this (IPs removed):
"StixProviders": [
  {
    "NumofBackDaysData": 7,
    "SourceURL": "https://<minemeld server>/taxii-collection-management-service",
    "UserName": "",
    "Password": "",
    "LastFullDownloadOn": null,
    "ProviderName": "MineMeld",
    "Enabled": true,
    "Retired": false,
    "StixFeedTypes": [
      {
        "Name": "blacklist_taxiiDataFeed",
        "Enabled": true,
        "FeedPollAddress": "https://<minemeld server>/taxii-poll-service"
      }
    ]
  }
]
Any assistance is greatly appreciated
-Kevin
11-18-2016 01:24 PM - edited 11-18-2016 01:25 PM
Hi @kmerolla,
the logs you see are normal; by default the minemeld-web service runs with DEBUG log level and those are just DEBUG logs.
Would you mind sharing the output of the POSTMAN Discovery and Collection Management requests?
You can share them here, or unicast them to my email lmori@paloaltonetworks.com.
Thanks!
luigi
11-18-2016 02:34 PM
Postman Collection Information Request:
<taxii_11:Collection_Information_Response xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="3446523018790861401" in_response_to="26300">
  <taxii_11:Collection collection_name="blacklist_taxiiDataFeed" collection_type="DATA_FEED" available="true">
    <taxii_11:Description>blacklist_taxiiDataFeed Data Feed</taxii_11:Description>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://<<host>>/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>
Postman Poll Request (spins for 5 minutes before crashing)
11-19-2016 05:29 AM
Hi @kmerolla,
an issue could be the number of indicators stored in the feed. If LogRhythm is asking for all of them at once, the resulting response could be too big to be handled. How many indicators do you have in the feed?
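The point Luigi raises, that a poll asking for the entire feed at once can produce a response too large for either side to handle, is easiest to see from the client's side. The script below is an added example, not LogRhythm's or MineMeld's code: it parses a Collection_Information_Response like the one posted above to discover the advertised poll address, cross-checks it against the StixProviders block from the first post, and builds a TAXII 1.1 Poll_Request bounded by Exclusive_Begin_Timestamp / Inclusive_End_Timestamp to the NumofBackDaysData window instead of the whole feed. The host minemeld.example, the message ids, and the closed-up JSON are constructed placeholders; the element names and HTTP headers are those of the TAXII 1.1 XML and HTTP bindings.

```python
"""Added example: discover a TAXII 1.1 collection's poll address and build a
time-windowed Poll_Request so the client asks for N days, not the whole feed."""
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TAXII_11 = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_11}
ET.register_namespace("taxii_11", TAXII_11)

# Constructed sample modelled on the Collection_Information_Response in the
# thread; "minemeld.example" is a placeholder host.
SAMPLE_COLLECTION_INFO = """<taxii_11:Collection_Information_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="3446523018790861401" in_response_to="26300">
  <taxii_11:Collection collection_name="blacklist_taxiiDataFeed"
      collection_type="DATA_FEED" available="true">
    <taxii_11:Description>blacklist_taxiiDataFeed Data Feed</taxii_11:Description>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>"""

# Constructed sample of the LogRhythm provider block, closed into full JSON.
SAMPLE_PROVIDER_CONFIG = """{"StixProviders": [{
  "NumofBackDaysData": 7,
  "SourceURL": "https://minemeld.example/taxii-collection-management-service",
  "ProviderName": "MineMeld", "Enabled": true, "Retired": false,
  "StixFeedTypes": [{"Name": "blacklist_taxiiDataFeed", "Enabled": true,
                     "FeedPollAddress": "https://minemeld.example/taxii-poll-service"}]
}]}"""

# Standard TAXII 1.1 HTTP headers for an XML message over the HTTP 1.0 binding.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def parse_collection_info(xml_text):
    """Map collection_name -> {type, available, poll_address}; reject any
    message that is not a Collection_Information_Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Collection_Information_Response" % TAXII_11:
        raise ValueError("expected a TAXII 1.1 Collection_Information_Response")
    collections = {}
    for coll in root.findall("taxii_11:Collection", NS):
        addr = coll.find("taxii_11:Polling_Service/taxii_11:Address", NS)
        collections[coll.get("collection_name")] = {
            "type": coll.get("collection_type"),
            "available": coll.get("available") == "true",
            "poll_address": addr.text.strip() if addr is not None and addr.text else None,
        }
    return collections


def build_poll_request(collection_name, back_days, now=None, message_id=None):
    """Serialise a Poll_Request for the window (now - back_days, now]; the two
    timestamp elements are what keep the response bounded."""
    now = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    begin = now - timedelta(days=back_days)
    req = ET.Element("{%s}Poll_Request" % TAXII_11, {
        "message_id": message_id or str(uuid.uuid4().int >> 64),
        "collection_name": collection_name,
    })
    ET.SubElement(req, "{%s}Exclusive_Begin_Timestamp" % TAXII_11).text = begin.isoformat()
    ET.SubElement(req, "{%s}Inclusive_End_Timestamp" % TAXII_11).text = now.isoformat()
    params = ET.SubElement(req, "{%s}Poll_Parameters" % TAXII_11, {"allow_asynch": "false"})
    ET.SubElement(params, "{%s}Response_Type" % TAXII_11).text = "FULL"
    return ET.tostring(req, encoding="unicode")


def plan_polls(config_json, collection_info_xml, now=None):
    """Cross-check each enabled feed in the provider config against the
    discovered collections; return (feed_name, poll_address, request_xml)."""
    config = json.loads(config_json)
    collections = parse_collection_info(collection_info_xml)
    plans = []
    for provider in config["StixProviders"]:
        if not provider.get("Enabled") or provider.get("Retired"):
            continue
        back_days = int(provider.get("NumofBackDaysData", 1))
        for feed in provider["StixFeedTypes"]:
            coll = collections.get(feed["Name"])
            if not feed.get("Enabled") or coll is None or not coll["available"]:
                continue  # unknown or unavailable collection: nothing to poll
            # Prefer the address the server advertised over the configured one.
            address = coll["poll_address"] or feed["FeedPollAddress"]
            plans.append((feed["Name"], address, build_poll_request(feed["Name"], back_days, now)))
    return plans


if __name__ == "__main__":
    for name, address, body in plan_polls(SAMPLE_PROVIDER_CONFIG, SAMPLE_COLLECTION_INFO):
        print("POST", address, "collection", name, "headers", TAXII_HEADERS)
        print(body)
```

The request body printed at the end is what the client would POST to the poll address with `TAXII_HEADERS`; with the window in place, the size of the Poll_Response scales with the indicators added in the last seven days rather than with the whole feed, which is the variable Luigi asks about.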
04-12-2017 10:33 AM
Is this still a concern or has it been addressed?
05-14-2019 08:26 AM
We are also planning to bring Minemeld threat intel into our SIEM LogRhythm. Is anyone doing that is kind enough to share how they set it up and if it is proving valuable?