Threat Intel Plugins Not working


(Nav) #1

Hi,
I have enabled the threatintel plugins, registered at OTX and entered the API key. The Graylog server has access to the internet.

Now, when I run the test lookup against otx domain, I always get the same result.

The other threatintel plugin has an error.

I have used a copy of default trust store cacerts and used graylog jvm settings to point to the copy of the cacerts. I have also manually added the cert to default store, replaced the default store with its working copy however I still have the errors and no change in the outcome when testing.

I am using https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt to test, but so far no results are coming back.
Any idea what might be the issue here?


(Jan Doberstein) #2

The error indicates that your truststore does not have the CA certificates to verify the https connection.

Not sure how you could resolve the issue, but the missing key validation is the route to check.


(Nav) #3

Hi Jan, I have tried replacing the default truststore with the one that I created while enabling https, but no luck.
Is there any config file where I can make a change to ignore the trust?


(Jan Doberstein) #4

It is not recommended to do this - that is the reason we do not propagate this via the documentation.

You can add -Dcom.sun.net.ssl.checkRevocation=false to your GRAYLOG_JAVA_OPTS to disable the certificate verification.


(Nav) #5

There seems to be more than one problem when looking at the error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The alert notification isn't working either, and SMTP is complaining about the same error.

I have given it another shot by importing the https cert into the default store with the following command, but I am still facing the same issue:

keytool -importcert -keystore /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/lib/security/cacerts -storepass changeit -alias graylog.domain.com -file /etc/graylog/server/graylog-cert.pem

My GRAYLOG_SERVER_JAVA_OPTS is configured as per below:

-Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks

What can be done to address this issue? It's driving me nuts.


(Jan Doberstein) #6

You have imported the certificate into the system's keystore, but you use a self-defined keystore in your startup parameters.

Copy over /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/lib/security/cacerts to /etc/graylog/server/keystore.jks and it should work without issue.


(Nav) #7

Thank you very much Jan. I used the following command, after which the error went away.
keytool -importkeystore -srckeystore /cacerts -srcstorepass changeit -destkeystore keystore.jks -deststorepass changeit
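The fix in #6 and #7 works because -Djavax.net.ssl.trustStore replaces the JVM's default cacerts rather than adding to it, so a store that only holds the Graylog certificate trusts no public CA. The script below is an added example (not from the thread or from Graylog) that performs the same merge with a backup and a before/after count so you can confirm the CAs actually landed; the paths and the "changeit" passwords are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: merge the JVM's default CA bundle into
# the store named by -Djavax.net.ssl.trustStore, so Graylog keeps trusting its
# own HTTPS certificate AND the public CAs that OTX, abuse.ch and SMTP need.
# Paths and the "changeit" passwords are assumptions; adjust to your host.

# Count trustedCertEntry lines in a JKS/PKCS12 store (prints 0 if unreadable).
count_trusted() {  # $1 store, $2 store password
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -c 'trustedCertEntry' || true
}

# merge_truststore SRC_CACERTS DEST_STORE [SRC_PW] [DEST_PW]
# Exit status: 0 new CAs imported, 1 nothing new, 2 source unreadable,
# 3 keytool failed (the destination is restored from this run's backup).
merge_truststore() {
    src=$1; dst=$2; src_pw=${3:-changeit}; dst_pw=${4:-changeit}
    if [ ! -r "$src" ]; then
        echo "source truststore not readable: $src" >&2
        return 2
    fi
    before=$(count_trusted "$dst" "$dst_pw")
    # Never edit the live store without a backup: a half-written keystore
    # stops graylog-server from starting at all.
    backup=
    if [ -f "$dst" ]; then backup="$dst.bak"; cp -p "$dst" "$backup"; fi
    # -noprompt overwrites duplicate aliases instead of asking; existing
    # entries (such as the Graylog server key) are left in place.
    if ! keytool -importkeystore -noprompt \
            -srckeystore "$src" -srcstorepass "$src_pw" \
            -destkeystore "$dst" -deststorepass "$dst_pw" >/dev/null 2>&1; then
        echo "keytool -importkeystore failed" >&2
        if [ -n "$backup" ]; then cp -p "$backup" "$dst"; fi
        return 3
    fi
    after=$(count_trusted "$dst" "$dst_pw")
    echo "trusted CA entries in $dst: $before -> $after"
    [ "$after" -gt "$before" ]
}

# Usage on the poster's layout (paths from the thread), then restart Graylog:
#   merge_truststore \
#     /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/lib/security/cacerts \
#     /etc/graylog/server/keystore.jks
```

A count that does not grow after the merge means the CAs were not imported (wrong password or path), which is exactly the state that produced the SunCertPathBuilderException above.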

