Support: Server with several ORGS in permitted does not sync

[jfgobin]

Support Questions

I configured a server to pull events. The pull rules excluded the tag tlp:red and had a few ORGs in the permitted org field. The sync went fine and the events were downloaded.

I added several ORGs to the permitted organizations (more than 10) and after that the sync never brought any events: there was no failure but no event was brought either. The worker logs showed the upstream server' HTTP code as 305 (not modified). After a few days, I confirmed on the upstream servers that new events had been created which should have been pulled.

I deleted the server and recreated it with the same rule, no effect. I deleted all the events using the API, no effect.

Removing all the ORGs from the rule but one made the sync pull events once more.

Is there a limit on the number of orgs one can put in a pull rule?

MISP version

2.4.165

Operating System

Ubuntu

Operating System version

20.04

PHP version

7.4

Browser

Edge

Browser version

107.0.1418.56

Relevant log output

No response

Extra attachments

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[jfgobin]

I forgot to write: after that, when I tried to delete all the events using misp-purge, only 7 events out of 600+ were found for deletion. I deleted all the others using the API (/events/index, retrieved the event number, /events/delete/) and purged the blocklist.

By the looks of it, it seems the database of events/attributes/elements got corrupted or damaged somehow.