Thanks gsmith for your help. I understand the error and I assume that the lookup table is not supposed to exist, since it is my understanding that abuse-ch-ransomware-ip no longer works. What I don't know is what is causing it to be called. I've checked the lookup tables, caches, and data adapters, and none refer to abuse-ch…
Here are the caches:
And the content packs:
The Internet Threat Pipeline has two stages. I've determined that if I comment out Stage 1 and allow Stage 0 to run, that causes the message to occur. The Stage 0 rule is:

```
rule "Global/combined threat feed lookup"
when
    has_field("SRC")
then
    // combined lookup: runs every configured threat feed against the SRC address
    let src_addr_intel = threat_intel_lookup_ip(to_string($message.SRC), "SRC");
    set_fields(src_addr_intel);
end
```
So the routine threat_intel_lookup_ip must be calling the abuse_ch_ransomware_ip routine, which I thought was discontinued; see Ransomware.abuse.ch discontinued.
I'll take a look at your other links; maybe there has been a change to the "Global/combined threat feed lookup" rule that I need to implement.
In the meantime, my solution has been to set up a pipeline rule to drop those messages.
Thanks again for taking the time to help.
Rand
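The check a defender would want here, as an added example that is not part of the original post or the Graylog project's own content: instead of the combined `threat_intel_lookup_ip` call, which fans out to every bundled feed, call only the feeds that are still maintained and keep the same `has_field("SRC")` guard. The function names `spamhaus_lookup_ip` and `tor_lookup`, and the `threat_indicated` field on their results, are assumed from the Graylog Threat Intelligence plugin; the output field names are my own choice.

```graylog
rule "Global/threat feed lookup without abuse.ch ransomware feed"
when
    has_field("SRC")
then
    // per-feed lookups (assumed plugin functions) replace the combined
    // threat_intel_lookup_ip so the discontinued abuse.ch ransomware
    // lookup table is never consulted for the SRC address
    let src = to_string($message.SRC);

    let spamhaus = spamhaus_lookup_ip(src);
    let tor      = tor_lookup(src);

    // output field names are chosen here, not dictated by the plugin
    set_field("SRC_spamhaus_threat_indicated", spamhaus.threat_indicated);
    set_field("SRC_tor_threat_indicated", tor.threat_indicated);

    // single summary flag for dashboards and alerts
    set_field("SRC_threat_indicated",
              spamhaus.threat_indicated || tor.threat_indicated);
end
```

Swapping this rule in for the Stage 0 rule isolates whether the error really originates from the combined lookup: if the "lookup table does not exist" message stops while the per-feed enrichment still populates the new fields, the combined function was the caller. Dropping the error messages hides the symptom; removing the call removes the cause and keeps the remaining enrichment intact.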