endless loop of cortex analyser call

[crackytsi]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian 8
Cortex version / git hash	1.1.3-1
Package Type	Binary

Problem Description

Cortex Analysis of geoip_country leads to an endless Loop.
Excerpt:

Jun 30 13:59:37 server cortex[29365]: at [Source: 2017-06-30 13:57:12,616 - geoip_country - DEBUG - 62.210.15.114
Jun 30 13:59:37 server cortex[29365]: {"error": "GeoIP resolving error"}
Jun 30 13:59:37 server cortex[29365]: ; line: 1, column: 6]
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1586)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:521)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:450)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportMissingRootWS(ParserMinimalBase.java:466)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._verifyRootSpace(ReaderBasedJsonParser.java:1598)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._parsePosNumber(ReaderBasedJsonParser.java:1248)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:705)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3847)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:3765)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2050)
Jun 30 13:59:37 server cortex[29365]: [#033[37minfo#033[0m] application - GET /api/job/aOXIJkMHdn51RHsP/waitreport?atMost=1%20minute returned 500
Jun 30 13:59:37 server cortex[29365]: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('-' (code 45)): Expected space separating root-level values
Jun 30 13:59:37 server cortex[29365]: at [Source: 2017-06-30 13:57:12,616 - geoip_country - DEBUG - 62.210.15.114
Jun 30 13:59:37 server cortex[29365]: {"error": "GeoIP resolving error"}
Jun 30 13:59:37 server cortex[29365]: ; line: 1, column: 6]
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1586)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:521)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:450)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.base.ParserMinimalBase._reportMissingRootWS(ParserMinimalBase.java:466)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._verifyRootSpace(ReaderBasedJsonParser.java:1598)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._parsePosNumber(ReaderBasedJsonParser.java:1248)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:705)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3847)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:3765)
Jun 30 13:59:37 server cortex[29365]: at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2050)
Jun 30 13:59:37 server cortex[29850]: [#033[37minfo#033[0m] a.e.s.Slf4jLogger - Slf4jLogger started
Jun 30 13:59:37 server cortex[29850]: [#033[37minfo#033[0m] s.MispSrv - MISP modules is enabled, loader is /opt/cortex/contrib/misp-modules-loader.py
Jun 30 13:59:37 server cortex[29850]: [#033[37minfo#033[0m] play.api.Play - Application started (Prod)
Jun 30 13:59:37 server cortex[29850]: [#033[37minfo#033[0m] p.c.s.NettyServer - Listening for HTTP on /0:0:0:0:0:0:0:0:9001
Jun 30 13:59:38 server cortex[29850]: [#033[37minfo#033[0m] application - GET /api/job/aOXIJkMHdn51RHsP/waitreport?atMost=1%20minute returned 404

[nadouani]

Do you mean MaxMind analyzer when you talk about geoip_country?

[crackytsi]

The geoip_country module is included by MISP. Never the less this endless Loop should not occur...

[nadouani]

Do you see the job listed in Cortex's UI?

[crackytsi]

Yes, it Shows:

"Unexpected character ('-' (code 45)): Expected space separating root-level values\n at [Source: 2017-06-30 14:10:01,944 - geoip_country - DEBUG - 62.210.15.114\n{"error": "GeoIP resolving error"}\n; line: 1, column: 6]"

[nadouani]

Since I see GET /api/job/aOXIJkMHdn51RHsP/waitreport?atMost=1%20minute returned 404 on the logs, that means that the job that TheHive asks for, doesn't exist.

[crackytsi]

But this Returns 500:
#33[37minfo#033[0m] application - GET /api/job/PIdxu7FJqeyKg77j/waitreport?atMost=1%20minute returned 500

[crackytsi]

Actually if the Loop starts, the only Thing I can do is restart Cortex to get Job abbort....

[nadouani]

I think this is no longer valid with Cortex 2. Please reopen if you encounter the issue again.