Hello,
we are running filebeat 8.8.1 and use the threatintel module to ingest data from MISP into Elasticsearch.
While it is running well most of the time, some MISP events (probably those with many attributes) will result in an endless loop of the filebeat module. The filebeat instance creates a huge number (possibly infinite) of entries in Elasticsearch. The behaviour is the same if a file output is used in filebeat.
We narrowed down the cause by modifying threatintel/misp/config/config.yml to

```yaml
response.split:
  target: body.response
  # split:
  #   target: body.Event.Attribute
  #   ignore_empty_value: true
  #   keep_parent: true
  #   split:
  #     target: body.Event.Object
  #     keep_parent: true
  #     split:
  #       target: body.Event.Object.Attribute
  #       keep_parent: true
response.request_body_on_pagination: true
response.pagination:
  - set:
      target: body.page
      value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
      fail_on_template_error: true
cursor:
  timestamp:
    value: '[[.last_event.Event.timestamp]]'
```
If we modify the file like this, the ingest terminates. As soon as we include the Attribute split (without Object or Object.Attribute) the threatintel module will run forever.
I have saved the .ndjson from the terminating run, which might help to reproduce the issue.
The problematic MISP event has 27759 attributes and 3863 objects.
Best regards,
hti
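One way to confirm the loop from the saved .ndjson file output is to count how often the same event/attribute pair is written. The script below is an added example, not part of the original post and not code from the filebeat threatintel module. It assumes the split with `keep_parent` leaves each line with an `Event` object carrying the attribute under `Event.Attribute`, and that the body may be either decoded into top-level fields or carried as a JSON string in `message` (the httpjson default); the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample of four file-output lines. Two shapes are mixed on purpose:
# the raw httpjson form (body as a JSON string in "message") and a decoded form.
# The field layout (Event.id, Event.Attribute.uuid) is an assumption about how
# the keep_parent split lays out a MISP event; adjust key_paths if yours differs.
_EVT = {"id": "42", "timestamp": "1700000000"}
SAMPLE_NDJSON = "\n".join([
    json.dumps({"message": json.dumps({"Event": {**_EVT, "Attribute": {"uuid": "a1", "value": "198.51.100.7"}}})}),
    json.dumps({"Event": {**_EVT, "Attribute": {"uuid": "a2", "value": "example.invalid"}}}),
    json.dumps({"message": json.dumps({"Event": {**_EVT, "Attribute": {"uuid": "a1", "value": "198.51.100.7"}}})}),
    json.dumps({"Event": {"id": "43", "timestamp": "1700000100", "Attribute": {"uuid": "b1", "value": "x"}}}),
])


def get_path(doc, path):
    """Walk a dotted path such as 'Event.Attribute.uuid'; returns None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def unwrap(doc):
    """If the body is still a JSON string in 'message', decode it (httpjson default)."""
    msg = doc.get("message")
    if isinstance(msg, str):
        try:
            return json.loads(msg)
        except ValueError:
            return doc
    return doc


def count_repeats(ndjson_text, key_paths=("Event.id", "Event.Attribute.uuid")):
    """Summarise how many times each (event id, attribute uuid) pair was written.

    A healthy run writes every attribute once; a looping run shows the same
    keys repeated, so repeated / distinct grows with the run length.
    """
    counter = Counter()
    total = 0
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        doc = unwrap(json.loads(line))
        counter[tuple(get_path(doc, p) for p in key_paths)] += 1
        total += 1
    repeated = {k: n for k, n in counter.items() if n > 1}
    return {"total_lines": total, "distinct_keys": len(counter), "repeated": repeated}


def looks_like_loop(summary, max_ratio=1.0):
    """True when more lines were written than there are distinct keys."""
    if summary["distinct_keys"] == 0:
        return False
    return summary["total_lines"] / summary["distinct_keys"] > max_ratio


if __name__ == "__main__":
    s = count_repeats(SAMPLE_NDJSON)
    print(s)                      # 4 lines, 3 distinct keys, ('42','a1') written twice
    print(looks_like_loop(s))     # True
```

Run it against the real file with `count_repeats(open("filebeat.ndjson").read())`; for the event with 27759 attributes a terminating run should report at most that many distinct keys and no repeats, while the looping run shows the same attribute uuids repeated many times.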