Couldn't refresh adapter <abuse-ch-ransomware-domains>

Graylog Central (peer support)
1

Hello all,

I notice this entry spamming in Graylog’s server.log:

2018-05-02T17:43:04.696-04:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <abuse-ch-ransomware-domains/5ade22e42bf9e61bf8226f84/@4e5fb3b4>
java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_91]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_91]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_91]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_91]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_91]
        at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_91]
        at okhttp3.internal.platform.Platform.connectSocket(Platform.java:125) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:238) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:158) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) ~[graylog.jar:?]
        at okhttp3.RealCall.execute(RealCall.java:77) ~[graylog.jar:?]
        at org.graylog2.lookup.adapters.dsvhttp.HTTPFileRetriever.fetchFileIfNotModified(HTTPFileRetriever.java:58) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.loadData(AbuseChRansomAdapter.java:114) ~[?:?]
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.doRefresh(AbuseChRansomAdapter.java:109) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_91]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_91]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_91]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_91]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

I have seen this similar post on the forums:

But I suspect my situation might be slightly different: We just recently upgraded from Graylog v2.1 to v2.4 and have never used the abuse.ch lookup tables. My graylog_depreceation.log is 0 bytes (this log was mentioned in the other post).

I am very new to Graylog, can anyone provide a bit more information on how I would troubleshoot this?

2

Can you curl/wget on the list manually? If so, it seems you have a good path to the list. If not, maybe a firewall or something is blocking the way.

Abuse.ch URLs:

    DOMAINS("https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt", true),
    URLS("https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt", true),
    IPS("https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt", false);

Also, the docs state that to use Tor

You'll need at least Java 8 (u101) to make this work. The exit node information is hosted on a Tor website that uses Let's Encrypt for SSL and only Java 8 (u101 or newer) supports it.
3

as @billmurrin already wrote - your Graylog is not able to get the updates from the outsite world.

That is not really a problem - as long as you do not want to use the thread intel plugin. Those lookup tables are created because of the present plugin.

Your option is:

  • ignore the message
  • delete the plugin and the lookup tables
  • open graylog to be able to request the information
4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.