-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PyMISP argument to ignore dup indicators during ingestion with MISP server-side support #5257
Comments
I upvote, and would not raise an error when adding a tag that is already present, or saving an event where nothing changed. |
A few ideas:
|
If the attribute is not added because already existing, the timestamp
should not be updated.
I'm curious to know the use case where it would be needed.
|
A PyMISP client ingests hourly into fixed events from a premium feed provider. These events can contain 500k+ attributes. Experience shows that having the client retrieve the full event with attributes in order to discover dups takes too much time. Therefore, the app calls We want the attribute timestamp revised as this indicates the indicator is active at that time. For example, if the downstream data consumer needs a list of active indicators in the last 30 days, then the timestamp revision offers accurate results. |
Our
HOWEVER, we get tons (could 1000s) of inserts in the What about adding two options to
Thanks for your consideration as this is acausing operational issues in our Production MISP instance. |
Or another thought, offer a similar method as the Default Feed |
Okay, I add it in the feature requests queue. It will be implemented as soon as possible, depending on the urgent/paid features requests we receive. |
Recap: Feature Request to add an argument, perhaps called |
Extending PyMISP is the easy part. The server requires an extension, better make sure there's an issue open in MISP for that. On the server I think this function needs to be extended to accept a new parameter to allow/ignore duplicate attributes: Line 4162 in 476e6ab
I believe the attribute save command indicates error on dupe: Line 4216 in 476e6ab
Maybe it's possible to look at the error here and skip over duplicates, but I don't know how, so I am not ready to propose a code patch here. |
I discovered issues with the server side MISPObject deduplication within an Event and have a proposed fix. Please see |
Hi @Rafiot -- HNY!! Hope you are well... I have tested successfully a simple patch to Would appreciate someone with greater expertise reviewing this patch proposal to ensure it's works in all cases. Thanks!!
|
If this seems acceptable, based on the revision being considered in #6838 I'd suggest adding the same logic to not log a duplicate object if
Thanks. |
Status? |
@iglocska -- Hey Andras, were you able to close all the loose ends in the object dedup; if not, what remains? |
Hi... was this completed? |
Revisiting... We still see lots of the |
Hi @iglocska ... We still see these in 2.4.164 (we check after each MISP release =8^). Should we just forget about this being changed? Thx... |
Issue persists in 2.4.165. |
@iglocska I thought maybe you'd get to this one. Perhaps if you're not going to work it, you can close this ticket as "wontdo"? Thx. |
This persists in 2.4.169. Gonna do anything with this one :) ? ... If not close, and I'll stop checking. Thanks! |
@righel can you have a look? |
It makes sense to me. We can simply stop the logging if the flag is present (sorry @github-germ - completely missed this one before). |
Thanks @iglocska --no worries, it's not critical but would be nice to have. |
Hello @github-germ |
@righel Excellent! I will have time to build and test this next week, and will report back. THANKS. |
@righel What MISP branch should I build my docker image with, and which PyMISP for client? Hope to get to this within the next week. Thanks again. |
You can apply this patch to MISP: MISP branch: https://github.com/righel/MISP/tree/ignore-dup-attrs |
@righel Thanks for your patience. IT WORKS!! Can this be merged in and available in 2.4.170? |
Yes it will be released in 2.4.170 which will be released tomorrow. |
@righel I am revisiting this now that 2.4.170 is installed here in the context of my client PyMISP apps. Indeed using
Questions:
|
Hello
|
@righel Really appreciate your swift replies: thanks!!
|
|
@righel ... Many Thanks!!! I think I now understand how we can take advantage of this feature in our code in a future release. I'll close this ticket, and only if I have more questions come back with a new issue. |
2.4.114
In order to increase performance in a
ExpandedPyMISP
client that is processing a large feed ingestion particularly into existing events that are large, it is more efficient to not first retrieve the entire event into the app to look for dups. Rather simple add the attribute, and deal with the error if it occurs.I refactored two major feed ingestion clients with this approach and the processing time went for hours to minutes; so I was quite happy to deal with the error return. However, now the
logs
table is growing rather quickly.This method does trigger an error return to the
ExpandedPyMISP
client, and also the insertion of a row into the databaselogs
table -- example below.Might it make sense to not trigger an error in this case, possibly adding an optional boolean argument to
pymisp.add_attribute
requesting the error but defaulted toFalse
.The text was updated successfully, but these errors were encountered: