graylog2 / graylog-plugin-threatintel

Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases

License: Other

Java 83.87% JavaScript 16.10% Groovy 0.03%
graylog threat otx whois-information abuse graylog-plugin threatintel threat-score threat-analysis spamhaus

graylog-plugin-threatintel's Introduction

Threat Intelligence Plugin for Graylog

NOTE: This plugin has been merged into the server now. Please do not open PRs/issues here!


Required Graylog version: 2.4.0

This plugin uses external sources to enrich your data: indicators taken from your logs (IP addresses, domain names) are sent to third-party services such as OTX and the WHOIS registries, and feed lists are downloaded over the network. Read the documentation before you run this in production.

This plugin adds Processing Pipeline functions to enrich log messages with threat intelligence data.

Supported data feeds

  • AlienVault OTX (IP addresses and domain names, requires an API key)
  • Tor exit node list
  • Spamhaus DROP/EDROP netblocks
  • abuse.ch Ransomware Tracker (IP addresses and domain names)
  • WHOIS (registered owner and country code, ARIN first with redirects to the other registries)

Example

let src_addr_intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(src_addr_intel);

Please read the usage instructions below for more information and specific guides.

Installation

Since Graylog 2.4.0 the plugin ships with the Graylog server installation package as a default plugin, so nothing needs to be installed.

To install a downloaded release manually, place the .jar file in your Graylog plugin directory. By default the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be changed in your graylog.conf file.

Restart graylog-server and you are done.

Usage

Example Processing Pipeline rules follow:

Global/combined threat feed lookup

This is the recommended way to use this plugin. The threat_intel_lookup_* functions run an indicator such as an IP address or a domain name against all enabled threat intel sources and return a combined result. OTX is the exception: it is queried only through the dedicated otx_lookup_* functions described below.

let src_addr_intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(src_addr_intel);

let dns_question_intel = threat_intel_lookup_domain(to_string($message.dns_question), "dns_question");
set_fields(dns_question_intel);

This adds the fields src_addr_threat_indicated:true|false and dns_question_threat_indicated:true|false to the processed message. For every source that matched, it also adds a per-source field named after the same prefix, for example src_addr_threat_indicated_abusech_ransomware:true (abuse.ch Ransomware Tracker OSINT), so you can tell which feed produced the hit.

Add a second pipeline stage, running after the lookup stage so that the fields already exist, that adds threat_indicated:true if either of the fields set above is true. A single query then finds every message with any kind of threat match. The field names in the condition must match the prefixes you passed to the lookup functions:

rule "inflate threat intel results"
when
  // to_bool() yields false for messages where the lookup never ran
  to_bool($message.src_addr_threat_indicated) || to_bool($message.dns_question_threat_indicated)
then
  set_field("threat_indicated", true);
end

WHOIS lookups

You can look up WHOIS information about IP addresses. The method will return the registered owner and country code. The lookup results are heavily cached and invalidated after 12 hours or when the graylog-server process restarts.

let whois_intel = whois_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(whois_intel);

Note: The plugin uses the ARIN WHOIS servers for the first lookup because they have the best redirects to other registries when they are not responsible for the block of the requested IP address. Graylog follows the redirect to the other registries (RIPE NCC, AFRINIC, APNIC or LACNIC). Future versions will support initial lookups in other registries, but for now you might experience longer latencies if your Graylog cluster is not located in North America.

OTX

OTX lookups query the AlienVault OTX API and are not part of the combined lookup. Enable OTX and configure an API key under System -> Configurations first; otherwise the functions log that OTX is not enabled and skip the lookup.

let intel = otx_lookup_ip(to_string($message.src_addr));
// let intel = otx_lookup_domain(to_string($message.dns_question))

set_field("threat_indicated", intel.otx_threat_indicated);
set_field("threat_ids", intel.otx_threat_ids);
set_field("threat_names", intel.otx_threat_names);

Tor exit nodes

You'll need at least Java 8u101 for this feed. The exit node list is served from a Tor Project website that uses a Let's Encrypt TLS certificate, and the JRE's bundled truststore only contains the root certificate that Let's Encrypt chains to from 8u101 onwards; on older JREs the download fails during the TLS handshake.

  let intel = tor_lookup(to_string($message.src_addr));
  set_field("src_addr_is_tor_exit_node", intel.threat_indicated);

Spamhaus DROP/EDROP

  let intel = spamhaus_lookup_ip(to_string($message.src_addr));
  set_field("threat_indicated", intel.threat_indicated);

Abuse.ch Ransomware tracker

  let intel = abusech_ransom_lookup_domain(to_string($message.dns_domain));
  // let intel = abusech_ransom_lookup_ip(to_string($message.src_addr));
  set_field("request_domain_is_ransomware", intel.threat_indicated);

Note that you can combine these and change field names as you wish.

Performance considerations

  • All lookups automatically skip IPv4 addresses from the private networks defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so internal traffic costs nothing. Other non-routable ranges, for example loopback (127.0.0.0/8), link-local (169.254.0.0/16) and IPv6 addresses, are not on that list; filter them in your rule if they appear in your logs.
    • The plugin also ships the function in_private_net(ip_address) : Boolean for manual checks of the same kind.
  • You can vastly improve performance by connecting pipelines that make use of the threat intelligence rules only to streams that contain data you want to run the lookups on.
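The combined lookup, the second "inflate" stage and the RFC 1918 skip above are easiest to reason about as one small pipeline. The following Python model is an added example written for this page, not the plugin's own code: it reproduces the field shape the README describes (`<prefix>_threat_indicated` always present, `<prefix>_threat_indicated_<source>: true` only for sources that matched) over constructed sample feeds. The feed names `spamhaus_drop` and `abusech_ransomware`, the TEST-NET netblocks and the sample messages are assumptions for illustration and not real feed data.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample feeds for this example (RFC 5737 TEST-NET ranges, not real
# Spamhaus or abuse.ch data). The real plugin refreshes these from the upstream lists.
SAMPLE_SPAMHAUS_DROP = ["192.0.2.0/24", "198.51.100.0/24"]
SAMPLE_ABUSECH_RANSOMWARE_IPS = ["203.0.113.7"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_net(ip: str) -> bool:
    """Model of the plugin's in_private_net(): true only for RFC 1918 IPv4 space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def netblock_feed(cidrs: Iterable[str]) -> Callable[[Addr], bool]:
    """Matcher for feeds that publish netblocks (Spamhaus DROP/EDROP style)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda addr: any(addr in net for net in nets)


def address_feed(ips: Iterable[str]) -> Callable[[Addr], bool]:
    """Matcher for feeds that publish single addresses (abuse.ch style)."""
    addrs = {ipaddress.ip_address(i) for i in ips}
    return lambda addr: addr in addrs


# Source names are assumed for illustration; the README only shows the suffix
# "abusech_ransomware" for the per-source field.
FEEDS: Dict[str, Callable[[Addr], bool]] = {
    "spamhaus_drop": netblock_feed(SAMPLE_SPAMHAUS_DROP),
    "abusech_ransomware": address_feed(SAMPLE_ABUSECH_RANSOMWARE_IPS),
}


def threat_intel_lookup_ip(value: str, prefix: str, feeds=FEEDS) -> dict:
    """Model of the combined lookup: always emits <prefix>_threat_indicated and
    adds <prefix>_threat_indicated_<source>: true for every feed that matched."""
    fields = {f"{prefix}_threat_indicated": False}
    if in_private_net(value):           # private addresses are never looked up
        return fields
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:                  # garbage in the field: report no match
        return fields
    for source, matches in feeds.items():
        if matches(addr):
            fields[f"{prefix}_threat_indicated_{source}"] = True
            fields[f"{prefix}_threat_indicated"] = True
    return fields


def enrich(message: dict) -> dict:
    """Stage 1: the lookup rule, with has_field() semantics for each address field."""
    out = dict(message)
    for field in ("src_addr", "dst_addr"):
        if field in out:
            out.update(threat_intel_lookup_ip(str(out[field]), field))
    return out


def inflate(message: dict) -> dict:
    """Stage 2: set threat_indicated:true when any <prefix>_threat_indicated is true."""
    out = dict(message)
    if any(k.endswith("_threat_indicated") and v is True for k, v in out.items()):
        out["threat_indicated"] = True
    return out


def process(message: dict) -> dict:
    return inflate(enrich(message))


if __name__ == "__main__":
    # Constructed sample messages, one hit per feed plus an unparsable address
    for msg in ({"src_addr": "198.51.100.23", "dst_addr": "10.0.0.5"},
                {"src_addr": "192.168.1.10", "dst_addr": "203.0.113.7"},
                {"src_addr": "192.0.2.300"}):
        print(process(msg))
```

Running `process()` over the three constructed messages shows why the second stage is worth having: the first message is flagged by Spamhaus on src_addr while its private dst_addr is skipped, the second is flagged by abuse.ch on dst_addr, and the third gets `src_addr_threat_indicated:false` without any `threat_indicated` field at all, so a search for `threat_indicated:true` returns exactly the first two.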

graylog-plugin-threatintel's People

Contributors

bernd, danotorrey, dennisoelkers, dependabot-preview[bot], dependabot[bot], edmundoa, gally47, garybot2, jalogisch, janheise, joschi, kmerz, kroepke, kyleknighted, linuspahl, mpfz0r, patrickmann, pbr0ck3r, thll, waab76


graylog-plugin-threatintel's Issues

Legacy functions do not work out of the box after upgrade to 2.4

I am using pipeline rules from before the migration to lookup tables:

rule "Threat Intelligence lookups"
when
  has_field("src_addr") && has_field("dst_addr")
then
  set_fields(threat_intel_lookup_ip(to_string($message.src_addr), "src_addr"));
  set_fields(threat_intel_lookup_ip(to_string($message.dst_addr), "dst_addr"));
end

This leads to all lookups failing and these error messages:

2017-09-27T13:58:45.692-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:45.692-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:45.693-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:45.693-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:45.693-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:45.693-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:46.712-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:47.688-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:47.688-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:47.688-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:47.688-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:47.688-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:47.689-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:48.695-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:49.689-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:49.689-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:49.690-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:49.690-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:49.690-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:49.690-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:50.691-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:51.693-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-ip> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <spamhaus-drop> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <alienvault-otx-ip> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <whois> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <tor-exit-node-list> does not exist
2017-09-27T13:58:52.697-05:00 WARN  [LookupTableService] Lookup table <abuse-ch-ransomware-domains> does not exist

I do see them in lut_tables though:

...
{
        "_id" : ObjectId("59cbf313da4e6a5f9cd778f0"),
        "title" : "Spamhaus DROP",
        "description" : "This is the lookup table for Spamhaus' DROP (Don't Route Or Peer) list, containing netblocks which are \"hijacked\" or leased by professional spam or cyber-crime operations. For more information see https://www.spamhaus.org/drop. This lookup table is used internally by Graylog's Threat Intel Plugin. Do not delete it manually.",
        "name" : "spamhaus-drop",
        "cache" : ObjectId("59cbf313da4e6a5f9cd778e7"),
        "data_adapter" : ObjectId("59cbf313da4e6a5f9cd778ed"),
        "content_pack" : "59cbf312da4e6a5f9cd778e0",
        "default_single_value" : "",
        "default_single_value_type" : "NULL",
        "default_multi_value" : "",
        "default_multi_value_type" : "NULL"
}
{
        "_id" : ObjectId("59cbf313da4e6a5f9cd778f1"),
        "title" : "abuse.ch Ransomware Domains",
        "description" : "This is the lookup table for the abuse.ch ransomware Domain Tracker, listing infrastructure by domain names which are used for ransomware. For more information see https://ransomwaretracker.abuse.ch. This lookup table is used internally by Graylog's Threat Intel Plugin. Do not delete it manually.",
        "name" : "abuse-ch-ransomware-domains",
        "cache" : ObjectId("59cbf313da4e6a5f9cd778e2"),
        "data_adapter" : ObjectId("59cbf313da4e6a5f9cd778ec"),
        "content_pack" : "59cbf312da4e6a5f9cd778e0",
        "default_single_value" : "",
        "default_single_value_type" : "NULL",
        "default_multi_value" : "",
        "default_multi_value_type" : "NULL"
}
{
        "_id" : ObjectId("59cbf313da4e6a5f9cd778f2"),
        "title" : "abuse.ch Ransomware IP",
        "description" : "This is the lookup table for the abuse.ch ransomware IP Tracker, listing infrastructure by IP which is used for ransomware. For more information see https://ransomwaretracker.abuse.ch. This lookup table is used internally by Graylog's Threat Intel Plugin. Do not delete it manually.",
        "name" : "abuse-ch-ransomware-ip",
        "cache" : ObjectId("59cbf313da4e6a5f9cd778e2"),
        "data_adapter" : ObjectId("59cbf313da4e6a5f9cd778e9"),
        "content_pack" : "59cbf312da4e6a5f9cd778e0",
        "default_single_value" : "",
        "default_single_value_type" : "NULL",
        "default_multi_value" : "",
        "default_multi_value_type" : "NULL"
}
{
        "_id" : ObjectId("59cbf313da4e6a5f9cd778f3"),
        "title" : "Tor Exit Node List",
        "description" : "This is the lookup table for the TOR (The Onion Router) Exit Node List, listing Exit Nodes of the TOR Network . This lookup table is used internally by Graylog's Threat Intel Plugin. Do not delete it manually.",
        "name" : "tor-exit-node-list",
        "cache" : ObjectId("59cbf313da4e6a5f9cd778e4"),
        "data_adapter" : ObjectId("59cbf313da4e6a5f9cd778ea"),
        "content_pack" : "59cbf312da4e6a5f9cd778e0",
        "default_single_value" : "",
        "default_single_value_type" : "NULL",
        "default_multi_value" : "",
        "default_multi_value_type" : "NULL"
}
...

Refresh OTX cache

Cached OTX entries seem to be forever stuck (even when removed from my OTX feed, it's still using a rule that's constantly banging away with false positives on a rule that flagged 8.8.8.8 as malicious).

Enable/disable, seemingly no matter what I do I can't seem to get that rule out of the OTX cache. Using Graylog 2.2.3 on Ubuntu 16.04 Xenial.

WebUI for configuring not available in 0.10.0

I downloaded graylog-plugin-threatintel-0.10.0.jar and placed in plugins folder.
Plugin works (eg. threat_intel_lookup_ip) but I can see errors:

[LocalCopyListProvider] Abuse.ch Ransomware tracker threat intel lookup requested but not enabled in configuration. Please enable it first in the web interface at System -> Configurations.

though there is no ThreatIntelligence configuration in System -> Configurations...

Graylog 2.3.0+81f8228

more verbose whois error messages

It would be nice if WHOIS error messages were a little more verbose, giving us a better idea of what happened that caused the error.

Unknown function error

While creating a rule using threat intel it is showing error unknown function. I am using graylog server version 2.2.3-1

Pipeline Rules not loading

When using threatintel plugin with graylog 2.2.2, the new pipeline functions are not recognized by the Pipeline editor.

ipv6 whois creates stack trace in ipv4 env.

I notice that IPv6 WHOIS lookups are not working, at least when the Graylog server is running in an IPv4-only environment.

2017-01-23T12:07:47.327+01:00 ERROR [WhoisLookupIpFunction] Could not run WHOIS lookup for IP [2a01:4f8:210:322b:d32::82] with prefix [clientip].
java.lang.IllegalArgumentException: Could not parse [2a01:4f8:210:322b:d32::82]

Same as #20, this spams the logfile with stack traces for every unsuccessful lookup.

Better IPv6 support

  • Support IPv6 for all existing lookup sources
  • Avoid throwing huge exceptions in methods that only support IPv4 because a user might throw garbage in there.

New function: whois()

  • Implement for ARIN origin lookups
  • Implement with configurable origin lookups through other registries
  • Test with IPv6
  • Collect metrics
  • Cache
  • Support prefix and setFields() syntax
  • Increase default cache time
  • Write an empty or error result, too
  • Explain/document selective WHOIS
  • Document usage
  • Document ARIN-first lookups

Add more Lookup providers and file hashes

Please add the following IOCs and lookups; I'd like to use Sysmon hash checks as well:

  • IPv4
  • MD5
  • SHA1
  • SHA256
  • CVE
  • FQDN (EFQDN is for Internet FQDN, IFQDN is for internal domains)

  • ThreatMiner for IPv4, FQDN, MD5, SHA1 and SHA2 lookups.
  • Alienvault OTX for IPv4, MD5, SHA1 and SHA2 lookups.
  • IBM X-Force Exchange for IPv4, EFQDN lookups.
  • VirusTotal for MD5, SHA1, SHA2 and FQDN lookups.
  • Cymon.io for IPv4 lookups.
  • CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups.
  • PassiveTotal for FQDN Whois lookups.
  • MISP for MD5 and SHA2 (if you want more, submit an issue in this github).
  • Censys.io for IPv4 lookups.
  • Shodan for IPv4 lookups.

Unable to change Threat Intelligence configuration

When trying to change the configuration on the System -> Configurations page, the following exception is thrown:

2017-09-26 15:39:05,896 ERROR: org.graylog2.rest.resources.system.ClusterConfigResource - Couldn't parse cluster configuration "org.graylog.plugins.threatintel.ThreatIntelPluginConfiguration".
com.fasterxml.jackson.databind.JsonMappingException: Can not construct instance of org.graylog.plugins.threatintel.ThreatIntelPluginConfiguration, problem: Null otxApiKey
 at [Source: org.glassfish.jersey.message.internal.EntityInputStream@3018e231; line: 1, column: 95]
	[...]
Caused by: java.lang.NullPointerException: Null otxApiKey
	at org.graylog.plugins.threatintel.AutoValue_ThreatIntelPluginConfiguration$Builder.otxApiKey(AutoValue_ThreatIntelPluginConfiguration.java:119) ~[classes/:?]
	at org.graylog.plugins.threatintel.ThreatIntelPluginConfiguration.create(ThreatIntelPluginConfiguration.java:41) ~[classes/:?]
	[...]

Enabling the plugin

Hi! Many thanks for this plugin! I'm sure it brings log management to a new level.
But I can't figure out how to turn it on.
server.log:
[OTXLookupProvider] OTX domain lookup requested but OTX is not enabled in configuration. Please enable it first.
The relevant options are not available in the WUI under System/Configurations -> Configurations.
Thanks!

feature: lookup against elasticsearch index

This might be a generic pipeline function, but it's very useful specifically for threatintel
Looking up against a dedicated index of IOCs and adding a field that would generate an alert

Field syntax for Ransomware Domain Lookups

Fantastic update!

Quick question: when performing the new 'all threat' checks for IP addresses everything is good. However, I'm not sure of the syntax/format for checking DNS/URL fields. We're using Palo's, so the field is their URI, which will be in the format:

www.domain.com/uri

whereas the Ransomware Domain entries are in the format www.domain.com (no trailing /) and URI's are in the format http://www.domain.com/uri (so added http://)

Should I be using pipelines to transform this into two new fields, one formatted for DNS entries and another for URI's, or would you expect the plugin to do this automatically?
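The two shapes described in this issue (a bare hostname for the domain tracker, an http://-prefixed URL for the URL tracker) can be derived from the firewall's `www.domain.com/uri` value before the lookup runs. The following Python is an added example for this page, not the plugin's code or a maintainer's answer: it normalises such a field into both forms and then checks the hostname against a constructed, fictitious ransomware domain set. The field names `dns_domain` and `url`, the `.test` hostnames and the decision to drop userinfo from the URL form are assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed sample in the tracker's domain format (bare hostnames, no scheme,
# no trailing slash). These are reserved .test names, not real tracker data.
SAMPLE_RANSOMWARE_DOMAINS = {"www.example-bad.test", "c2.example-worse.test"}


def split_url_field(value: str) -> dict:
    """Turn a Palo Alto style URL field such as 'www.domain.com/uri' into the two
    shapes the trackers use: a bare lowercase hostname and a scheme-prefixed URL.
    A value that already carries a scheme keeps it; otherwise http:// is assumed."""
    value = value.strip()
    # Give urlsplit a scheme, otherwise 'host/path' parses as a relative path.
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port
    except ValueError:          # e.g. a non-numeric port: treat as no port
        port = None
    netloc = host if port is None else f"{host}:{port}"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {"dns_domain": host, "url": f"{parts.scheme}://{netloc}{path}"}


def lookup_domain(value: str, domains=SAMPLE_RANSOMWARE_DOMAINS) -> dict:
    """Model of running abusech_ransom_lookup_domain() on the normalised hostname."""
    fields = split_url_field(value)
    fields["request_domain_is_ransomware"] = fields["dns_domain"] in domains
    return fields


if __name__ == "__main__":
    for raw in ("www.example-bad.test/uri", "https://C2.Example-Worse.test:8443/a?b=1",
                "www.example-good.test"):
        print(raw, "->", lookup_domain(raw))
```

In a pipeline rule the equivalent is a stage that writes the normalised hostname into its own field (for example with a regex over the URI field) and a later stage that runs the domain lookup on that field, which is the "two new fields" approach the issue asks about.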

OTX Processing Stopped

Hi,

Plugin really good, but have hit an issue with OTX processing. After running fine for about 12 hours it suddenly stopped - error logged as below.

I suspect (seeing as the Tor and Spamhaus functions were/are fine, and we still had an issue after restarting graylog) that there is a rate limit applied by Alienvault which we tripped by looking up all inbound IP addresses on our firewall :)

We built up a backlog of 4M messages, but as soon as I disabled OTX processing in my pipeline it started working. Will investigate more today, but as a FYI.

2016-11-02T07:26:54.440Z ERROR [OTXIPLookupFunction] Could not lookup OTX threat intelligence for IP [198.20.70.114].
java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: Could not load OTX response.
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:455) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[graylog.jar:?]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$LoadingValueReference.waitForValue(LocalCache.java:3573) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.waitForLoadingValue(LocalCache.java:2306) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2195) ~[graylog.jar:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.lookup(OTXLookupProvider.java:101) ~[graylog-plugin-threatintel-0.7.0.jar:?]
at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:55) [graylog-plugin-threatintel-0.7.0.jar:?]
at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:17) [graylog-plugin-threatintel-0.7.0.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:59) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:36) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:357) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForPipelines(PipelineInterpreter.java:291) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:248) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:192) [graylog-plugin-pipeline-processor-1.1.1.jar:?]
at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]
Caused by: java.util.concurrent.ExecutionException: Could not load OTX response.
at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:142) ~[?:?]
at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:49) ~[?:?]
at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:46) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
... 21 more

Spamhaus EDROP data adapter issue

There seems to be an issue with the Spamhaus EDROP data adapter. The following log snippet shows three things:

  • Timeout while getting the list
  • NullPointerException
  • Message about a connection leak

Not sure if these are all related to the timeout, but I guess this should be looked at.

2017-09-29 08:58:37,777 ERROR: org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter - Unable to retrieve Spamhaus (E)DROP list <https://www.spamhaus.org/drop/edrop.txt>: 
java.net.SocketTimeoutException: timeout
        at okio.Okio$4.newTimeoutException(Okio.java:230) ~[graylog.jar:?]
        at okio.AsyncTimeout.exit(AsyncTimeout.java:285) ~[graylog.jar:?]
        at okio.AsyncTimeout$2.read(AsyncTimeout.java:241) ~[graylog.jar:?]
        at okio.RealBufferedSource.indexOf(RealBufferedSource.java:345) ~[graylog.jar:?]
        at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:217) ~[graylog.jar:?]
        at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:211) ~[graylog.jar:?]
        at okhttp3.internal.http1.Http1Codec.readResponseHeaders(Http1Codec.java:187) ~[graylog.jar:?]
        at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:88) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) ~[graylog.jar:?]
        at okhttp3.RealCall.execute(RealCall.java:77) ~[graylog.jar:?]
        at org.graylog2.lookup.adapters.dsvhttp.HTTPFileRetriever.fetchFileIfNotModified(HTTPFileRetriever.java:58) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.fetchSubnetsFromEDROPLists(SpamhausEDROPDataAdapter.java:89) ~[?:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doRefresh(SpamhausEDROPDataAdapter.java:71) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.net.SocketException: Socket closed
        at java.net.SocketInputStream.read(SocketInputStream.java:204) ~[?:1.8.0_131]
        at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_131]
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[?:1.8.0_131]
        at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[?:1.8.0_131]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:1.8.0_131]
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) ~[?:1.8.0_131]
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_131]
        at okio.Okio$2.read(Okio.java:139) ~[graylog.jar:?]
        at okio.AsyncTimeout$2.read(AsyncTimeout.java:237) ~[graylog.jar:?]
        ... 31 more
2017-09-29 08:58:37,791 ERROR: org.graylog2.plugin.lookup.LookupDataAdapter - Couldn't refresh data adapter <spamhaus-drop/59ca241e0efe211981ef85bf/@53deaa46>
java.lang.NullPointerException: null value in entry: https://www.spamhaus.org/drop/drop.txt=null
        at com.google.common.collect.CollectPreconditions.checkEntryNotNull(CollectPreconditions.java:34) ~[graylog.jar:?]
        at com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:80) ~[graylog.jar:?]
        at com.google.common.collect.RegularImmutableMap.fromEntries(RegularImmutableMap.java:54) ~[graylog.jar:?]
        at com.google.common.collect.ImmutableMap.copyOf(ImmutableMap.java:430) ~[graylog.jar:?]
        at com.google.common.collect.ImmutableMap.copyOf(ImmutableMap.java:403) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doRefresh(SpamhausEDROPDataAdapter.java:82) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
2017-09-29 09:04:27,673 ERROR: org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter - Unable to retrieve Spamhaus (E)DROP list <https://www.spamhaus.org/drop/edrop.txt>: 
java.io.IOException: Request failed: Bad Gateway
        at org.graylog2.lookup.adapters.dsvhttp.HTTPFileRetriever.fetchFileIfNotModified(HTTPFileRetriever.java:72) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.fetchSubnetsFromEDROPLists(SpamhausEDROPDataAdapter.java:89) ~[?:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doRefresh(SpamhausEDROPDataAdapter.java:71) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
2017-09-29 09:04:27,674 ERROR: org.graylog2.plugin.lookup.LookupDataAdapter - Couldn't refresh data adapter <spamhaus-drop/59ca241e0efe211981ef85bf/@53deaa46>
java.lang.NullPointerException: null value in entry: https://www.spamhaus.org/drop/drop.txt=null
        at com.google.common.collect.CollectPreconditions.checkEntryNotNull(CollectPreconditions.java:34) ~[graylog.jar:?]
        at com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:80) ~[graylog.jar:?]
        at com.google.common.collect.RegularImmutableMap.fromEntries(RegularImmutableMap.java:54) ~[graylog.jar:?]
        at com.google.common.collect.ImmutableMap.copyOf(ImmutableMap.java:430) ~[graylog.jar:?]
        at com.google.common.collect.ImmutableMap.copyOf(ImmutableMap.java:403) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doRefresh(SpamhausEDROPDataAdapter.java:82) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_131]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
2017-09-29 09:06:26,341 WARN : okhttp3.OkHttpClient - A connection to https://www.spamhaus.org/ was leaked. Did you forget to close a response body? To see where this was allocated, set the OkHttpClient logger level to FINE: Logger.getLogger(OkHttpClient.class.getName()).setLevel(Level.FINE);

check lookup before processing (better error handling)

If you have a pipeline that extracts data (like DNS log files) where you extract non-IP data.

The error handling should be improved to get only one line and not the following:

2017-01-02T20:55:06.289+01:00 ERROR [GlobalIpLookupFunction] Could not run global lookup for IP [NODATA-IPv6] with prefix [query_answer].
java.lang.RuntimeException: Could not fetch intel from [org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider] as part of global lookup.
	at org.graylog.plugins.threatintel.providers.global.GlobalLookupProvider.lookup(GlobalLookupProvider.java:87) ~[graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.global.GlobalLookupProvider.lookupIp(GlobalLookupProvider.java:62) ~[graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.global.ip.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:53) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.global.ip.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:16) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:59) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:36) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:357) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForPipelines(PipelineInterpreter.java:291) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:248) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:192) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
Caused by: java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Could not parse [NODATA-IPv6]
	at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[graylog.jar:?]
	at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[graylog.jar:?]
	at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[graylog.jar:?]
	at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider.lookup(LocalCopyListProvider.java:141) ~[?:?]
	at org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider.lookup(SpamhausIpLookupProvider.java:22) ~[?:?]
	at org.graylog.plugins.threatintel.providers.global.GlobalLookupProvider.lookup(GlobalLookupProvider.java:85) ~[?:?]
	... 18 more
Caused by: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Could not parse [NODATA-IPv6]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider$5.load(LocalCopyListProvider.java:90) ~[?:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider$5.load(LocalCopyListProvider.java:83) ~[?:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider.lookup(LocalCopyListProvider.java:141) ~[?:?]
	at org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider.lookup(SpamhausIpLookupProvider.java:22) ~[?:?]
	at org.graylog.plugins.threatintel.providers.global.GlobalLookupProvider.lookup(GlobalLookupProvider.java:85) ~[?:?]
	... 18 more
Caused by: java.lang.IllegalArgumentException: Could not parse [NODATA-IPv6]
	at org.apache.commons.net.util.SubnetUtils.toInteger(SubnetUtils.java:287) ~[?:?]
	at org.apache.commons.net.util.SubnetUtils.access$400(SubnetUtils.java:27) ~[?:?]
	at org.apache.commons.net.util.SubnetUtils$SubnetInfo.isInRange(SubnetUtils.java:125) ~[?:?]
	at org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider.fetchIntel(SpamhausIpLookupProvider.java:66) ~[?:?]
	at org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider.fetchIntel(SpamhausIpLookupProvider.java:22) ~[?:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider$5.load(LocalCopyListProvider.java:88) ~[?:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider$5.load(LocalCopyListProvider.java:83) ~[?:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider.lookup(LocalCopyListProvider.java:141) ~[?:?]
	at org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider.lookup(SpamhausIpLookupProvider.java:22) ~[?:?]
	at org.graylog.plugins.threatintel.providers.global.GlobalLookupProvider.lookup(GlobalLookupProvider.java:85) ~[?:?]
	... 18 more

Depending on the skill of the Graylog user, it might not be obvious what the initial problem is!

AS lookups

Query and enrich the AS number and abuse contact for an IPv4 or IPv6 address.

No alerts being generated

We were using the TIP plugin successfully on Graylog 2.1, but had to disable it when we upgraded to 2.2.

With the release of the updated plugin we have re-enabled it, but appear to have an issue with it working properly. My pipeline processor (carried over from the old version) is as below:

rule "Outbound TIP IP Threat Check"
when
to_string($message.DestinationZone) == "Internet" && (to_string($message.SourceZone) == "Internal")
then
let DestinationIP_intel = threat_intel_lookup_ip(to_string($message.DestinationIP), "TIP_IP_Dst");
set_fields(DestinationIP_intel);
end

This appears to be triggering properly, as logs matching the criteria have a new field "TIP_IP_Dst_threat_indicated" inserted, but the issue is that this is always set to "false" (tested by manually web browsing to IP addresses that are in the ransomware IP and Spamhaus lists, which are still being logged with a "false" value). Logs indicate that the source data lookups are generally fine (there are occasional errors, but >99% are fine):

2017-03-10T10:49:16.554Z INFO [SpamhausIpLookupProvider] Refreshing internal table of Spamhaus drop list IPs.
2017-03-10T10:51:03.811Z INFO [TorExitNodeLookupProvider] Refreshing internal table of known Tor exit nodes.
2017-03-10T10:53:37.093Z INFO [AbuseChRansomLookupProvider] Refreshing internal table of Abuse.ch Ransomware tracker data.

I have not seen anything that indicates I need to change the pipeline code, but have I missed something?

Thanks!

Threat Intel plugin creates and starts data adapters without asking

The Threat Intelligence plugin creates a battery of data adapters which access remote servers, which might not be possible or might not be wanted at all.

public static ThreatIntelPluginConfiguration defaults() {
    return builder()
            .otxEnabled(false)
            .torEnabled(true)
            .spamhausEnabled(true)
            .abusechRansomEnabled(true)
            .build();
}

final URL contentPackURL = V20170815111700_CreateThreatIntelLookupTables.class.getResource("V20170815111700_CreateThreatIntelLookupTables-content_pack.json");
final ConfigurationBundle configurationBundle = this.objectMapper.readValue(contentPackURL, ConfigurationBundle.class);
final ConfigurationBundle savedBundle = this.bundleService.insert(configurationBundle);
this.bundleService.applyConfigurationBundle(savedBundle, this.userService.getAdminUser());
clusterConfigService.write(MigrationCompleted.create(savedBundle.getId()));

https://github.com/Graylog2/graylog-plugin-threatintel/blob/e0e4444bff479922f5f87252e89d511231c28dbe/src/main/resources/org/graylog/plugins/threatintel/migrations/V20170815111700_CreateThreatIntelLookupTables-content_pack.json

2017-09-26 15:58:24,702 INFO : org.graylog2.lookup.LookupTableService - Data Adapter abuse-ch-ransomware-ip/59ca5ca848e7b9aa8938da44 [@2722d5d6] STARTING
2017-09-26 15:58:24,706 INFO : org.graylog2.lookup.LookupTableService - Data Adapter otx-ip/59ca5ca848e7b9aa8938da46 [@57abeafd] STARTING
2017-09-26 15:58:24,709 INFO : org.graylog2.lookup.LookupTableService - Data Adapter spamhaus-drop/59ca5ca848e7b9aa8938da43 [@561b68a1] STARTING
2017-09-26 15:58:24,709 INFO : org.graylog2.lookup.LookupTableService - Data Adapter whois/59ca5ca948e7b9aa8938da48 [@674672ac] STARTING
2017-09-26 15:58:24,710 INFO : org.graylog2.lookup.LookupTableService - Data Adapter whois/59ca5ca948e7b9aa8938da48 [@674672ac] RUNNING
2017-09-26 15:58:24,710 INFO : org.graylog2.lookup.LookupDataAdapterRefreshService - Adding job for <whois/59ca5ca948e7b9aa8938da48/@674672ac> [interval=3600000ms]
2017-09-26 15:58:24,710 INFO : org.graylog2.lookup.LookupTableService - Data Adapter tor-exit-node/59ca5ca948e7b9aa8938da47 [@33e5eb4e] STARTING
2017-09-26 15:58:24,713 INFO : org.graylog2.lookup.LookupTableService - Data Adapter abuse-ch-ransomware-domains/59ca5ca848e7b9aa8938da45 [@7c1224ac] STARTING
2017-09-26 15:58:24,730 INFO : org.graylog2.lookup.LookupTableService - Cache tor-exit-node-list-cache/59ca5ca848e7b9aa8938da3f [@2b8843ed] STARTING
2017-09-26 15:58:24,732 INFO : org.graylog2.lookup.LookupTableService - Cache otx-ip-cache/59ca5ca848e7b9aa8938da40 [@47ea444] STARTING
2017-09-26 15:58:24,732 INFO : org.graylog2.lookup.LookupTableService - Cache tor-exit-node-list-cache/59ca5ca848e7b9aa8938da3f [@2b8843ed] RUNNING
2017-09-26 15:58:24,733 INFO : org.graylog2.lookup.LookupTableService - Cache otx-ip-cache/59ca5ca848e7b9aa8938da40 [@47ea444] RUNNING
2017-09-26 15:58:24,734 INFO : org.graylog2.lookup.LookupTableService - Cache abuse-ch-ransomware-cache/59ca5ca848e7b9aa8938da3d [@5756c78d] STARTING
2017-09-26 15:58:24,735 INFO : org.graylog2.lookup.LookupTableService - Cache abuse-ch-ransomware-cache/59ca5ca848e7b9aa8938da3d [@5756c78d] RUNNING
2017-09-26 15:58:24,735 INFO : org.graylog2.lookup.LookupTableService - Data Adapter otx-ip/59ca5ca848e7b9aa8938da46 [@57abeafd] RUNNING
2017-09-26 15:58:24,736 INFO : org.graylog2.lookup.LookupTableService - Cache whois-cache/59ca5ca848e7b9aa8938da3e [@5ae4fa4f] STARTING
2017-09-26 15:58:24,737 INFO : org.graylog2.lookup.LookupTableService - Cache whois-cache/59ca5ca848e7b9aa8938da3e [@5ae4fa4f] RUNNING
2017-09-26 15:58:24,737 INFO : org.graylog2.lookup.LookupTableService - Cache spamhaus-e-drop-cache/59ca5ca848e7b9aa8938da42 [@657571e9] STARTING
2017-09-26 15:58:24,738 INFO : org.graylog2.lookup.LookupTableService - Cache spamhaus-e-drop-cache/59ca5ca848e7b9aa8938da42 [@657571e9] RUNNING

Errors on my development machine after a fresh installation with no manual interaction:

2017-09-26 15:58:24,844 ERROR: org.graylog2.plugin.lookup.LookupDataAdapter - Couldn't start data adapter <abuse-ch-ransomware-domains/59ca5ca848e7b9aa8938da45/@7c1224ac>
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_144]
	[...]
	at org.graylog2.lookup.adapters.dsvhttp.HTTPFileRetriever.fetchFileIfNotModified(HTTPFileRetriever.java:58) ~[classes/:?]
	at org.graylog2.lookup.adapters.DSVHTTPDataAdapter.doStart(DSVHTTPDataAdapter.java:95) ~[classes/:?]
	at org.graylog2.plugin.lookup.LookupDataAdapter.startUp(LookupDataAdapter.java:59) [classes/:?]
	at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [guava-23.0.jar:?]
	at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [guava-23.0.jar:?]
2017-09-26 15:58:24,845 ERROR: org.graylog2.plugin.lookup.LookupDataAdapter - Couldn't start data adapter <tor-exit-node/59ca5ca948e7b9aa8938da47/@33e5eb4e>
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
[...]

UI Reloads every 10-20 seconds after upgrade to Graylog 2.1.3

Using 0.9 version of the Threat Intel plugin causes the UI to reload every 10-20 seconds.

Issue #23 notes the problem, but is closed.
Issue #3448 on the Graylog2 Git notes the issue, but the user who reported it was running old Graylog2 plugins from the source TGZ.

I've got a similar issue with .deb-installed Graylog2 from the repos, with two separate servers, following an install/upgrade to Graylog 2.1.3.

If I remove the Threat Intel plugin (v0.9) and reboot, the issue goes away.

Threat Intel 0.10 RPM error in CentOS 7

When installing graylog-threatintel plugin using the RPM from releases page, I get the following error in CentOS 7:

Transaction check error:
package graylog-plugin-threatintel-0.10.0-1.noarch is intended for a different operating system

make use of lookup tables in 2.3

With the newly available lookup tables and caches, the implementation should be way more efficient, and it should be possible with that to strip down this plugin.

Abuse.ch Ransomware lookup can block processing

A timeout in the table refresh can apparently hold up processing, even though this should be completely async.

2016-12-07T16:23:13.997-06:00 ERROR [LocalCopyListProvider] Could not refresh [Abuse.ch Ransomware tracker] source table.
java.util.concurrent.ExecutionException: Could not refresh local source table.
	at org.graylog.plugins.threatintel.providers.abusech.AbuseChRansomLookupProvider.refreshTable(AbuseChRansomLookupProvider.java:113) ~[graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.LocalCopyListProvider.initialize(LocalCopyListProvider.java:114) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.abusech.domain.AbuseChRansomDomainLookupFunction.<init>(AbuseChRansomDomainLookupFunction.java:31) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.abusech.domain.AbuseChRansomDomainLookupFunction$$FastClassByGuice$$b2698faf.newInstance(<generated>) [graylog-plugin-threatintel-0.9.0.jar:?]
	at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89) [graylog.jar:?]
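Three of the issues above describe the same class of failure from different angles: the Spamhaus adapter storing a null entry after a failed download and then hitting a NullPointerException on the next refresh, the "check lookup before processing" report where a non-IP value such as NODATA-IPv6 produces a full stack trace per message, and this Abuse.ch report where a refresh timeout holds up message processing. One pattern handles all three: validate the indicator before the lookup, parse the feed into an immutable snapshot, and never let a failed or hanging refresh replace that snapshot. The Python below is an example added here to illustrate that pattern; it is not code from the plugin or from any of the issue authors. The DROP-format sample text is constructed for the example, and the names BlocklistTable, parse_drop_list, failing_fetch, hanging_fetch and the threat_indicated result key are this example's own (the last one only echoes the plugin's *_threat_indicated field name seen in the reports above).

```python
"""Added example, not plugin code: a local-copy IP blocklist table whose
lookups never block on refresh and whose refresh never stores a null."""
import ipaddress
import threading
from typing import Callable, Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the layout of a Spamhaus DROP file (not real list data):
# ';' starts a comment, data lines are "<CIDR> ; <SBL reference>".
SAMPLE_DROP_TXT = """; Spamhaus DROP List - constructed sample for this example
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-a-network ; SBL000003
2001:db8::/32 ; SBL000004
"""


def parse_drop_list(text: str) -> List[Network]:
    """Parse DROP-format text; comments, blank lines and malformed entries are
    skipped so one bad line cannot fail the whole refresh."""
    networks: List[Network] = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()        # strip the "; SBLnnn" comment
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue                                # malformed line: ignore it
    return networks


class BlocklistTable:
    """Local copy of a feed. Lookups read an immutable snapshot and never wait
    for a refresh; a failed or hanging refresh keeps the previous snapshot."""

    def __init__(self, fetch: Callable[[], str]):
        self.fetch = fetch                          # returns the feed body as text
        self._networks: Tuple[Network, ...] = ()    # snapshot, swapped atomically
        self.last_error: Optional[str] = None

    def refresh(self, timeout: float) -> bool:
        """Fetch and parse in a worker thread, bounded by `timeout` seconds.
        Returns True if the snapshot was replaced. On timeout or any fetch/parse
        error the old snapshot stays in place and None is never stored, so
        later lookups have nothing to trip over."""
        outcome: Dict[str, object] = {}

        def worker() -> None:
            try:
                outcome["networks"] = tuple(parse_drop_list(self.fetch()))
            except Exception as exc:                # e.g. "Request failed: Bad Gateway"
                outcome["error"] = exc

        t = threading.Thread(target=worker, daemon=True)
        t.start()
        t.join(timeout)
        if t.is_alive():
            self.last_error = f"refresh timed out after {timeout}s; keeping old table"
            return False
        if "error" in outcome:
            self.last_error = f"refresh failed: {outcome['error']}; keeping old table"
            return False
        self._networks = outcome["networks"]  # type: ignore[assignment]
        self.last_error = None
        return True

    def lookup(self, indicator: str) -> Dict[str, object]:
        """Check one indicator. A value that is not an IP address (e.g. the
        "NODATA-IPv6" placeholder from DNS logs) is reported in the result
        instead of raising, so nothing is logged per message."""
        try:
            addr = ipaddress.ip_address(indicator.strip())
        except ValueError:
            return {"threat_indicated": False, "skipped": "not an IP address"}
        for net in self._networks:
            if addr.version == net.version and addr in net:
                return {"threat_indicated": True, "matched": str(net)}
        return {"threat_indicated": False}


def failing_fetch() -> str:
    """Stands in for an HTTP download that returns an error."""
    raise IOError("Request failed: Bad Gateway")


def hanging_fetch() -> str:
    """Stands in for a download that does not finish within the refresh timeout."""
    threading.Event().wait(5)
    return SAMPLE_DROP_TXT


if __name__ == "__main__":
    table = BlocklistTable(lambda: SAMPLE_DROP_TXT)
    print("refresh ok:", table.refresh(timeout=5.0))
    for ioc in ("192.0.2.77", "198.51.100.200", "2001:db8::1", "NODATA-IPv6"):
        print(ioc, "->", table.lookup(ioc))
    table.fetch = failing_fetch
    print("refresh ok:", table.refresh(timeout=5.0), "|", table.last_error)
    print("still served from old snapshot:", table.lookup("192.0.2.77"))
```

The refresh runs the download in its own thread and only waits up to the timeout, so a stalled upstream costs the refresh job nothing more than a logged one-liner in last_error, while the message path keeps matching against the last good snapshot. The same "validate, then look up" shape can be put in front of the pipeline rule itself, so that fields carrying placeholders rather than addresses never reach the lookup function.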

New function: identify_ip()

  • Dropbox
  • Box
  • Google Drive
  • AWS
  • Azure
  • Google Cloud
  • GoDaddy
  • Rackspace
  • ServerBeach
  • Hetzner
  • HostGator
  • DreamHost
  • BlueHost
  • NameCheap

General findings:

  • Read from ARIN, RIPE, ...

Is the Tor portion functional?

Is the Tor portion functional?

I'm seeing these in the logs.

2016-11-13 09:21:01,528 INFO : org.graylog.plugins.threatintel.providers.spamhaus.SpamhausIpLookupProvider - Refreshing internal table of Spamhaus drop list IPs.
2016-11-13 09:25:40,442 INFO : org.graylog.plugins.threatintel.providers.tor.TorExitNodeLookupProvider - Refreshing internal table of known Tor exit nodes.
2016-11-13 09:25:40,732 ERROR: org.graylog.plugins.threatintel.providers.tor.TorExitNodeLookupProvider - Could not refresh list of Tor exit nodes.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_65]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_65]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[?:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_65]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_65]
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:241) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:198) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:193) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:129) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:98) ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170) ~[graylog.jar:?]
        at okhttp3.RealCall.execute(RealCall.java:60) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.providers.tor.TorExitNodeLookupProvider.refreshTable(TorExitNodeLookupProvider.java:141) ~[graylog-plugin-threatintel-0.7.0.jar:?]
        at org.graylog.plugins.threatintel.providers.tor.TorExitNodeLookupProvider$1.run(TorExitNodeLookupProvider.java:59) [graylog-plugin-threatintel-0.7.0.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_65]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_65]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_65]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_65]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_65]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_65]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_65]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:1.8.0_65]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_65]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[?:1.8.0_65]
        ... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[?:1.8.0_65]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[?:1.8.0_65]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_65]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:1.8.0_65]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_65]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[?:1.8.0_65]
        ... 36 more

Where is the configuration for Tor (other than enabled True | False)?
Where is it getting the list from?

Thanks

Lookups failing

Hi,

Thanks for the feedback to my questions. I am re-opening issue #26 as requested, as we are still having the problem. To try and narrow down any possible causes in my setup I have tried to simplify:

  • Re-downloaded the JAR file and copied into the /plugin directory, and restarted the service (on all 3 nodes in our cluster).

  • Confirmed in the logs that the source data lookups are (appear to be) working

2017-03-27T17:05:55.494+01:00 INFO [AbuseChRansomLookupProvider] Refreshing internal table of Abuse.ch Ransomware tracker data.

  • Created a new rule and a new pipeline, and attached it to the 'All Messages' stream. The rule is:

rule "TIP Egress IP Lookup"
when
to_string($message.DestinationZone) == "Internet"
then
let DstIP_intel = threat_intel_lookup_ip(to_string($message.DestinationIP), "TIP_IP_Dst");
set_fields(DstIP_intel);
end

  • Manually browsed to 100.2.4.245 - the first malicious IP in the Ransomware IP blocklist.
  • Confirmed that a new attribute "TIP_IP_Dst_threat_indicated" is created for the logged entry in GL, but that the value is set to "false".

We are, however, seeing the following errors being logged, which I have not seen before:

2017-03-27T16:50:33.656+01:00 WARN [DeadEventLoggingListener] Received unhandled event of type <org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.State> from event bus <AsyncEventBus{graylog-eventbus}>

Many Thanks

OTX Alienvault - block produce stack trace

When you are producing too many queries to the AlienVault OTX API, you will be rate-limited and answers will be delayed. This creates high load on Graylog, and most lookups fail with the following:

2017-01-23T12:10:36.072+01:00 ERROR [OTXIPLookupFunction] Could not lookup OTX threat intelligence for IP [207.46.13.181].
java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: Could not load OTX response.
	at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[graylog.jar:?]
	at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[graylog.jar:?]
	at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[graylog.jar:?]
	at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.lookup(OTXLookupProvider.java:124) ~[graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:55) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupFunction.evaluate(OTXIPLookupFunction.java:17) [graylog-plugin-threatintel-0.9.0.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:59) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:36) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:357) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForPipelines(PipelineInterpreter.java:291) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:248) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:192) [graylog-plugin-pipeline-processor-1.1.2.jar:?]
	at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
Caused by: java.util.concurrent.ExecutionException: Could not load OTX response.
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:165) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
	... 23 more
Caused by: java.net.SocketTimeoutException: timeout
	at okio.Okio$3.newTimeoutException(Okio.java:210) ~[graylog.jar:?]
	at okio.AsyncTimeout.exit(AsyncTimeout.java:288) ~[graylog.jar:?]
	at okio.AsyncTimeout$2.read(AsyncTimeout.java:242) ~[graylog.jar:?]
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:325) ~[graylog.jar:?]
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:314) ~[graylog.jar:?]
	at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:210) ~[graylog.jar:?]
	at okhttp3.internal.http.Http1xStream.readResponse(Http1xStream.java:186) ~[graylog.jar:?]
	at okhttp3.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:127) ~[graylog.jar:?]
	at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:53) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170) ~[graylog.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:60) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:140) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
	... 23 more
Caused by: java.net.SocketException: Socket closed
	at java.net.SocketInputStream.read(SocketInputStream.java:203) ~[?:1.8.0_111]
	at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_111]
	at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[?:1.8.0_111]
	at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[?:1.8.0_111]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:1.8.0_111]
	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) ~[?:1.8.0_111]
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_111]
	at okio.Okio$2.read(Okio.java:138) ~[graylog.jar:?]
	at okio.AsyncTimeout$2.read(AsyncTimeout.java:238) ~[graylog.jar:?]
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:325) ~[graylog.jar:?]
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:314) ~[graylog.jar:?]
	at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:210) ~[graylog.jar:?]
	at okhttp3.internal.http.Http1xStream.readResponse(Http1xStream.java:186) ~[graylog.jar:?]
	at okhttp3.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:127) ~[graylog.jar:?]
	at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.java:53) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:45) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170) ~[graylog.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:60) ~[graylog.jar:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider.callOTX(OTXLookupProvider.java:140) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.ip.OTXIPLookupProvider.loadIntel(OTXIPLookupProvider.java:73) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:50) ~[?:?]
	at org.graylog.plugins.threatintel.providers.otx.OTXLookupProvider$1.load(OTXLookupProvider.java:47) ~[?:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[graylog.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[graylog.jar:?]
	... 23 more

IP whois Lookup Rule Source Not Working

let whois_intel = whois_lookup_ip(to_string($message.DstIP), "DstIP")
set_fields(whois_intel);

When using these two lines in my rule source it throws up an error on the second line which is:
github error

These two lines of rule source were copied from the plugin's GitHub page, so in theory they should work.

Feature Request: Scheduled Lookups

Ability to schedule a task (daily/weekly etc.) to parse historical logs for TIP hits against old data, i.e. for evidence of exposure to IoCs before they were available in a TIP lookup.

Feature Request - Custom lookup source

Ability to define a custom URL(s) to get IOCs from (IP, URL, Hash etc.).

Ideally with some form of syntax definition (e.g. ignore '#', comma delimited field1 = IOC, field2 = description), but at its most simple just a list of IOCs to perform lookups against.

Many Thanks
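The two feature requests above (a scheduled sweep of historical logs, and a custom comma-delimited IoC feed) describe one workflow: fetch a simple indicator list, then run old records against it. The following is an added example in Python, not code from the graylog-plugin-threatintel project. It parses a feed in the format sketched in the request ('#' comment lines ignored, field1 = IoC, field2 = description), classifies each indicator, and sweeps a batch of historical log records, adding `<field>_threat_indicated` flags in the style of the plugin's own output field naming. The feed contents, log records, and the `_threat_description` / `_threat_type` field names are constructed assumptions for this example.

```python
"""Retrospective IoC sweep against a custom comma-delimited indicator feed.

Added example; not part of graylog-plugin-threatintel. Feed lines, log
records and the *_threat_description / *_threat_type field names are
constructed for illustration.
"""
import csv
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample feed: '#' lines are comments, field1 = IoC, field2 = description.
FEED = """\
# custom IoC feed, fetched daily (constructed sample)
# format: indicator,description
203.0.113.45,ransomware C2 (TEST-NET-3 documentation address)
198.51.100.7,scanner
evil.example.net,phishing landing page
d41d8cd98f00b204e9800998ecf8427e,md5 placeholder (hash of empty input)
not a valid line
"""

_HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")
_DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}")


def classify(ioc: str) -> Optional[str]:
    """Return 'ip', 'hash' or 'domain' for a normalised indicator, or None if unrecognised."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if _HASH_RE.fullmatch(ioc):
        return "hash"
    if _DOMAIN_RE.fullmatch(ioc):
        return "domain"
    return None


def parse_feed(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the feed into {indicator: {"type": ..., "description": ...}}.

    Blank lines and '#' comments are skipped, as are lines whose first field
    is not a recognisable indicator, so one malformed line cannot poison the table.
    """
    indicators: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = next(csv.reader([line]))  # honours quoted descriptions containing commas
        ioc = parts[0].strip().lower() if parts else ""
        kind = classify(ioc)
        if kind is None:
            continue
        description = parts[1].strip() if len(parts) > 1 else ""
        indicators[ioc] = {"type": kind, "description": description}
    return indicators


def lookup(indicators: Dict[str, Dict[str, str]], value: str, prefix: str) -> Dict[str, object]:
    """Mimic the plugin's result shape: <prefix>_threat_indicated plus detail fields on a hit."""
    hit = indicators.get(value.strip().lower())
    fields: Dict[str, object] = {f"{prefix}_threat_indicated": hit is not None}
    if hit is not None:
        fields[f"{prefix}_threat_description"] = hit["description"]  # assumed field name
        fields[f"{prefix}_threat_type"] = hit["type"]                 # assumed field name
    return fields


def sweep(indicators: Dict[str, Dict[str, str]], records: Iterable[Dict[str, str]],
          fields: Iterable[str] = ("src_addr", "dst_addr", "dns_question")) -> List[Dict[str, object]]:
    """Run historical records against the feed; return only the enriched records that hit."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        enriched: Dict[str, object] = dict(rec)
        matched = False
        for field in fields:
            value = rec.get(field)
            if not value:
                continue
            result = lookup(indicators, value, field)
            enriched.update(result)
            matched = matched or bool(result[f"{field}_threat_indicated"])
        if matched:
            hits.append(enriched)
    return hits


# Constructed historical records, the kind a scheduled job would page through.
LOGS = [
    {"timestamp": "2017-03-01T09:12:03Z", "src_addr": "10.0.0.12", "dst_addr": "203.0.113.45", "dns_question": ""},
    {"timestamp": "2017-03-02T10:00:00Z", "src_addr": "10.0.0.13", "dst_addr": "93.184.216.34", "dns_question": "evil.example.net"},
    {"timestamp": "2017-03-03T11:30:00Z", "src_addr": "10.0.0.14", "dst_addr": "93.184.216.34", "dns_question": "www.example.com"},
]

if __name__ == "__main__":
    for hit in sweep(parse_feed(FEED), LOGS):
        print(hit["timestamp"], {k: v for k, v in hit.items() if k.endswith("_threat_indicated") and v})
```

Lower-casing and classifying each indicator before it enters the table is what keeps a feed of mixed IPs, domains and hashes safe to match against arbitrary message fields; a line that cannot be classified is dropped rather than matched literally.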

Lookup data providers too chatty

Currently the new lookup providers log at INFO level when they update their backing data, but DEBUG should be enough for these regular messages.

Configuration \ Enable Plugin

Firstly - thanks for ongoing development, always feel awkward raising issues in 'free' software...! I think this will be a fantastic plugin when out of pre-release and will be the point at which Graylog really takes off.

I have updated to the latest code (0.5.0) but am still unable to work out how to enable - internal logs are showing that all three source types need to be enabled i.e. "Tor exit node lookup requested but not enabled in configuration. Please enable it first." - I do note that the spamhaus pipeline function is now available though, which it wasn't before.

I also assume the OTX checks need an API key, so it needs to be set somewhere?

What would also be fantastic would be a generic module - we're moving away from pulling from native sources and using aggregations, so (keeping it open source) are using MineMeld as the mechanism to collect, collate and publish IOCs via internal webpages - mindmeld.

If this does become supported it would also be good to know if there were/are any limits on the number of records etc. to keep it running smoothly.

v0.9.0 not comp with Graylog 2.1.3 and 2.2

After the Bugfix Release of Graylog 2.1.3 the Plugin in Version 0.9.0 breaks the setup.

As I have a frontend NGINX I notice the following 401 line:

1.1.1.82 - 3c8e2671-df60-463c-843a-bf1762c54677 [27/Jan/2017:11:15:21 +0100] "POST /api/cluster/metrics/multiple HTTP/2.0" 200 1484 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"
1.1.1.82 - - [27/Jan/2017:11:15:22 +0100] "GET /api/system/cluster/node HTTP/2.0" 401 170 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"
1.1.1.82 - 3c8e2671-df60-463c-843a-bf1762c54677 [27/Jan/2017:11:15:23 +0100] "GET /api/system/cluster/nodes HTTP/2.0" 200 1191 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"

The request to /api/system/cluster/node is made without authentication if the plugin is active and this forces a full reload.

After removing the Plugin everything is working without any issues.
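The diagnosis above rests on reading the NGINX access log: the one 401 is the request whose session field is "-" (no session id), while the neighbouring requests carry the session id and succeed. The following is an added example in Python, not code from the graylog-plugin-threatintel project, that parses combined-format access log lines and reports API requests made without a session that were rejected, so the pattern can be spotted across a whole log rather than by eye. The three sample lines are the ones from the report; the `find_unauthenticated_api_calls` function and its result shape are this example's own.

```python
"""Flag unauthenticated API requests in an NGINX combined access log.

Added example; not part of graylog-plugin-threatintel. The log lines are
the three from the issue report above; the detection function is this
example's own.
"""
import re
from typing import Dict, Iterable, List

# NGINX combined log format: ip - user [time] "method path proto" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
1.1.1.82 - 3c8e2671-df60-463c-843a-bf1762c54677 [27/Jan/2017:11:15:21 +0100] "POST /api/cluster/metrics/multiple HTTP/2.0" 200 1484 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"
1.1.1.82 - - [27/Jan/2017:11:15:22 +0100] "GET /api/system/cluster/node HTTP/2.0" 401 170 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"
1.1.1.82 - 3c8e2671-df60-463c-843a-bf1762c54677 [27/Jan/2017:11:15:23 +0100] "GET /api/system/cluster/nodes HTTP/2.0" 200 1191 "https://x.jalogis.ch/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into a dict; raise ValueError if it does not match."""
    match = _LOG_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    return match.groupdict()


def find_unauthenticated_api_calls(lines: Iterable[str], api_prefix: str = "/api/") -> List[Dict[str, str]]:
    """Return API requests that carried no session ('-' in the user field) and were rejected.

    A 401 on its own is noise (an expired session looks the same); a 401 on a
    request that never carried a session while adjacent requests from the same
    client did is the client-side bug the report describes.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["user"] == "-" and entry["path"].startswith(api_prefix) and entry["status"] in ("401", "403"):
            findings.append({
                "client": entry["ip"],
                "time": entry["time"],
                "method": entry["method"],
                "path": entry["path"],
                "status": entry["status"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_api_calls(SAMPLE_LOG.splitlines()):
        print(f"{finding['time']} {finding['client']} {finding['method']} {finding['path']} -> {finding['status']}")
```

Matching on the empty session field rather than only on the status code is what separates a client that forgot to send credentials (the case here) from a client whose session simply expired.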
