11-12-2019 11:57 PM
Hello,
I face an issue where my MineMeld server keeps on restarting continuously. Initially, it showed an error about low disk space, which got fixed by purging logs; however, the engine keeps restarting. Below is the sample log which I keep seeing repeatedly in the engine logs. Attached the complete file. Any help is appreciated. Thanks in advance.
2019-11-13T02:44:00 (37331)launcher.main ERROR: Exception initializing graph
Traceback (most recent call last):
  File "/minemeld-ansible/minemeld/engine/core/minemeld/run/launcher.py", line 288, in main
    mbusmaster.wait_for_chassis(timeout=10)
  File "/minemeld-ansible/minemeld/engine/core/minemeld/mgmtbus.py", line 140, in wait_for_chassis
    raise RuntimeError('Timeout waiting for chassis')
RuntimeError: Timeout waiting for chassis
2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: checkpoint_graph called, checking current state
2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: graph status None, checkpoint_graph ignored
2019-11-13T02:44:00 (37636)chassis.stop INFO: chassis stop called
2019-11-13T02:44:00 (37638)chassis.stop INFO: chassis stop called
2019-11-13T02:44:00 (37636)base.stop ERROR: stop on not IDLE or STARTED FT
2019-11-13T02:44:00 (37638)base.stop ERROR: stop on not IDLE or STARTED FT
2019-11-13T02:44:00 (37638)chassis.stop ERROR: Error stopping Test-Vendor-IP
Traceback (most recent call last):
  File "/minemeld-ansible/minemeld/engine/core/minemeld/chassis.py", line 210, in stop
    ft.stop()
  File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/actorbase.py", line 69, in stop
    super(ActorBaseFT, self).stop()
  File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/base.py", line 763, in stop
    raise AssertionError("stop on not IDLE or STARTED FT")
11-13-2019 06:16 AM
The problem is in the custom prototype of Azure-AD_Test node. infilters should be an array. If you paste the custom prototype config here I can help.
11-13-2019 07:54 AM
Thanks Luigi.
That was the issue. Commit fixed it.
Coming to the Custom Prototype: I am trying to split the JSON feed of Azure IPs based on services/region/both.
Here is what I tried which failed. I can’t remember exactly, but I think it was created from aws.AMAZON
minemeldlocal_ms_AzurePublicIP_JSON-AD:
  class: minemeld.ft.json.SimpleJSON
  config:
    age_out:
      default: null
      interval: 257
      sudden_death: true
    attributes:
      confidence: 100
      share_level: green
      type: IPv4
    extractor: values[].properties.addressPrefixes[].{indicator:@}
    infilters:
      actions: accept
      conditions: __method == 'withdraw' name_azure == 'AzureActiveDirectory'
      name: accept withdraws
    prefix: azure
    source_name: azure
    url: https://www.microsoft.com/en-us/download/details.aspx?id=56519
  description: all Azure ranges
  development_status: STABLE
  indicator_types:
  - IPv4
  node_type: miner
  tags:
  - ConfidenceHigh
  - ShareLevelGreen
--------------------------------------
I found it worked for region in another post and tried similar conditions to accept indicators. It does work for region+service, but not for services alone.
Here is what I have created
Miner uses prototype: azure.cloudIPsWithServiceTags
Processor uses:
------------
infilters:
- actions:
  - accept
  conditions:
  - __method == 'withdraw'
  name: accept withdraws
- actions:
  - accept
  conditions:
  - type == 'IPv4'
  - azure_id == 'AzureCloud.uksouth2'
  name: accept IPv4
- actions:
  - drop
  name: drop all
This seems to be working in most of the cases unless I filter services which have their names matching with other IDs (region based) – example:
"id": "AzureActiveDirectory", - 95 indicators
"id": "AzureActiveDirectoryDomainServices", - 73 indicators
When such is the case, it keeps only unique values (22 indicators) and removes both values in case of a duplicate.
I’m not really good with scripting. Is there a way we can make the condition attribute as exact match?
Thanks again for your help.
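Added example (not part of any post in this thread and not MineMeld project code): a small lint for the shape of infilters, which would flag the first config above before commit, since a non-array infilters is what the reply identified as the cause of the restart loop. The function name lint_infilters, the sample dicts (constructed from the two configs posted above, as they would parse from YAML) and the accept/drop action set (the only actions shown in this thread) are assumptions.

```python
# Added example: lint the parsed `infilters` of a MineMeld node config.
# Shape rules follow the working config posted in this thread; names and
# sample data here are constructed for illustration.

ACTIONS_SEEN_IN_THREAD = {"accept", "drop"}  # assumption: only these appear above


def lint_infilters(config):
    """Return a list of problems found in config['infilters'] (empty = OK)."""
    infilters = config.get("infilters", [])
    if not isinstance(infilters, list):
        # The failure mode from the thread: one mapping instead of a list.
        return ["infilters must be a list of filters, got %s"
                % type(infilters).__name__]
    problems = []
    for i, flt in enumerate(infilters):
        where = "infilters[%d]" % i
        if not isinstance(flt, dict):
            problems.append("%s must be a mapping" % where)
            continue
        actions = flt.get("actions")
        if not isinstance(actions, list) or not actions:
            problems.append("%s.actions must be a non-empty list" % where)
        elif set(actions) - ACTIONS_SEEN_IN_THREAD:
            problems.append("%s.actions has values other than accept/drop" % where)
        conditions = flt.get("conditions", [])
        if not isinstance(conditions, list) or not all(
                isinstance(c, str) for c in conditions):
            problems.append("%s.conditions must be a list of strings" % where)
    return problems


# Constructed: the first (failing) config, parsed.
BROKEN = {"infilters": {
    "actions": "accept",
    "conditions": "__method == 'withdraw' name_azure == 'AzureActiveDirectory'",
    "name": "accept withdraws"}}
# Constructed: the second (working) processor config, parsed.
WORKING = {"infilters": [
    {"actions": ["accept"], "conditions": ["__method == 'withdraw'"],
     "name": "accept withdraws"},
    {"actions": ["accept"], "name": "accept IPv4",
     "conditions": ["type == 'IPv4'", "azure_id == 'AzureCloud.uksouth2'"]},
    {"actions": ["drop"], "name": "drop all"}]}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(label, lint_infilters(cfg) or "OK")
```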
02-28-2020 06:48 AM
Hi,
Did you resolve your problem of filtering by service name?
I have the same problem.
03-06-2020 02:42 AM
Hi @Farouk.Kahoul,
Which MineMeld version are you using? The most recent version (0.9.68) has several improvements in how the Azure feeds are handled, and you can adopt a solution similar to the one used for regions also for services.
Luigi
03-06-2020 02:49 AM
Hi Luigi,
Thanks for your answer.
I'm using version 0.9.66.
I have found a way to filter using the syntax: contains(xxxxx_list, 'yyyyyyy') == true