Hi all,
Here is my Graylog environment on host A:
```
hi graylog-4.3-repository 1-6 all Package to install Gray
hi graylog-integrations-plugins 4.3.8-1 all Graylog Integrations pl
hi graylog-server 4.3.8-1 all Graylog server
hi mongodb-database-tools 100.10.0 amd64 mongodb-database-tools
hi mongodb-org 4.4.17 amd64 MongoDB open source doc
hi mongodb-org-database-tools-extra 4.4.29 amd64 Extra MongoDB database
hi mongodb-org-mongos 4.4.17 amd64 MongoDB sharded cluster
hi mongodb-org-server 4.4.17 amd64 MongoDB database server
hi mongodb-org-shell 4.4.17 amd64 MongoDB shell client
hi mongodb-org-tools 4.4.17 amd64 MongoDB tools
```
Here is my MISP environment on host B:
MISP 2.5.6
On host A, I am able to get the result from the CLI:
> curl -X GET "https://172.18.3.102/attributes/restSearch/value:t21j21t" -H "Accept: application/json" -H "Authorization: auth_key" -H "Content-Type: application/json"
> {"response": {"Attribute": [{"id":"124758","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"malware-sample","to_ids":true,"uuid":"57f64b6a-8400-44c2-806c-4008950d210f","timestamp":"1475758954","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|1e188d977397f791ccd12f0b04288d22","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}},{"id":"124759","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename|sha1","to_ids":true,"uuid":"57f64b6a-f900-4bbb-b845-4008950d210f","timestamp":"1475758954","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|f3aa004fa60d74e4fb7759a244cf12867ee79ef1","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}},{"id":"124760","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename|sha256","to_ids":true,"uuid":"57f64b6b-120c-4e6f-ba28-4008950d210f","timestamp":"1475758955","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|60be5a920d81590595f532983f6f45a04ce42e3ceec6f7e7b07f0c4b189d5505","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}}]}}
The problem occurs when I test the lookup from the web interface:
## MISP <small>(HTTP JSONPath)</small>
Description
*No description.*
#### Configuration
Lookup URL
https://172.18.3.102/attributes/restSearch/value:${key}
Single value JSONPath
`$.response.Attribute.[0].category`
Multi value JSONPath
`$.response.Attribute.[0]`
HTTP User-Agent
Graylog Lookup - https://www.graylog.org/
HTTP Headers
|Name|Value|
| --- | --- |
|Accept|application/json|
|Authorization|auth_key|
|Content-Type|application/json|
Test Lookup:
t21j21t
Lookup result
```
{
  "single_value": null,
  "multi_value": null,
  "string_list_value": null,
  "has_error": true,
  "ttl": 5000
}
```
These are the error logs in /var/log/graylog-server/server.log:
```
ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <t21j21t>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
Thank you.