I can see that the plugin itself is working, and I'm able to curl using the following command on the integration server, yet from the actual main Resilient server I get a connection refused. So this may be some configuration issue with the iptables, or the simple fact that resilient is listening on port 9000 to the local host rather than the actual server, such as what's listed below; notice how all of the services except for abuseipdb specify the main Resilient server. I believe a possible fix would be to specify the host/IP under the [webserver] option in the app.config, yet I'm not sure what the parameters are.
Ran on Resilient Integration Server
$ dzdo lsof -i -P -n | grep resilient
resilient 3624 root 5u IPv4 60958080 0t0 UDP *:55540
resilient 3624 root 6u IPv4 60958082 0t0 TCP 192.168.122.28:52136->10.0.12.132:443 (CLOSE_WAIT)
resilient 3624 root 9u IPv4 60957009 0t0 TCP 127.0.0.1:9000 (LISTEN)
resilient 3624 root 12u IPv4 60958085 0t0 TCP 192.168.122.28:42382->10.0.12.132:65001 (ESTABLISHED)
resilient 3624 root 13u IPv4 60958106 0t0 TCP 192.168.122.28:52140->10.0.12.132:443 (CLOSE_WAIT)
$ curl -v -k --header "Content-Type: application/json" --data-binary '{"type":"net.ip","value":"8.8.8.8"}' 'http://127.0.0.1:9000/cts/abuseipdb_threat_feed'
* Trying 127.0.0.1:9000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> POST /cts/abuseipdb_threat_feed HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/7.65.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 35
>
* upload completely sent off: 35 out of 35 bytes
Ran on Main Resilient Server
$ curl -v -k --header "Content-Type: application/json" --data-binary '{"type":"net.ip","value":"8.8.8.8"}' 'http://192.168.122.28:9000/cts/abuseipdb_threat_feed'
* About to connect() to 192.168.122.28 port 9000 (#0)
* Trying 192.168.122.28...
* Connection refused
* Failed connect to 192.168.122.28:9000; Connection refused
* Closing connection 0
curl: (7) Failed connect to 192.168.122.28:9000; Connection refused
------------------------------
Matthew Figueroa
------------------------------
Original Message:
Sent: Fri July 17, 2020 10:55 AM
From: John Quirke
Subject: Abuse IPDB ThreatService
I have this working in my lab but I use port 9001.
I think I had a problem using 9000 as this port was being used by Resilient.
Note in app.config these settings should match your port that you are using
[webserver]
# Port for the web server. Default is 9000.
port=9001
My command to configure was
sudo resutil threatserviceedit -name abuseipdb -resturl http://<integrationserverip>:9001/cts/abuseipdb_threat_feed
When testing ensure resilient-circuits is running and the Threat Source 'abuseipdb' is enabled on the Resilient UI (Administrator Settings)
sudo resutil threatservicetest -name abuseipdb
------------------------------
John Quirke
Original Message:
Sent: Thu July 16, 2020 06:48 PM
From: Matthew Figueroa
Subject: Abuse IPDB ThreatService
This command was run on the integration server
$ dzdo lsof -i -P -n | grep 9000
resilient 3993 root 9u IPv4 60704739 0t0 TCP 127.0.0.1:9000 (LISTEN)
$ dzdo lsof -i -P -n | grep resilient
resilient 3993 root 5u IPv4 60705379 0t0 UDP *:33182
resilient 3993 root 6u IPv4 60705381 0t0 TCP 192.168.122.28:42310->10.0.12.132:443 (CLOSE_WAIT)
resilient 3993 root 9u IPv4 60704739 0t0 TCP 127.0.0.1:9000 (LISTEN)
resilient 3993 root 12u IPv4 60704740 0t0 TCP 192.168.122.28:60788->10.0.12.132:65001 (ESTABLISHED)
resilient 3993 root 13u IPv4 60771843 0t0 TCP 192.168.122.28:44442->10.0.12.132:443 (CLOSE_WAIT)
My Integration Server and Resilient Server are on different subnets yet there's routing between the two and all of the other modules work just fine.
------------------------------
Matthew Figueroa
Original Message:
Sent: Thu July 16, 2020 06:06 PM
From: Chance Casey
Subject: Abuse IPDB ThreatService
Please copy/paste the entire command you used here, so we can see if anything is wrong.
------------------------------
Chance Casey
Original Message:
Sent: Thu July 16, 2020 04:15 PM
From: Matthew Figueroa
Subject: Abuse IPDB ThreatService
I am getting the exact same error, and after checking the iptables and which ports are listening, it seems that the resilient service on the server I have resilient-circuits on is listening on port 9000, yet only locally; meanwhile my integration server and Resilient server are separate.
------------------------------
Matthew Figueroa
Original Message:
Sent: Wed July 15, 2020 03:39 AM
From: Adam
Subject: Abuse IPDB ThreatService
wget says no route to host but port 9000 is listening and nothing is between them.
------------------------------
Adam
Original Message:
Sent: Tue July 14, 2020 11:16 AM
From: Chance Casey
Subject: Abuse IPDB ThreatService
Exactly. You need the http://
------------------------------
Chance Casey
Original Message:
Sent: Tue July 14, 2020 09:17 AM
From: Ben Lurie
Subject: Abuse IPDB ThreatService
I think the command is missing the http:// at the beginning of the URL.
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Tue July 14, 2020 08:07 AM
From: Adam
Subject: Abuse IPDB ThreatService
I uploaded the screenshot.
Adam
------------------------------
Adam
Original Message:
Sent: Tue July 14, 2020 08:03 AM
From: Ben Lurie
Subject: Abuse IPDB ThreatService
It would be helpful to see a screenshot of the command and error message together. I'm not sure I understand how '0:' got into the URL?
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Tue July 14, 2020 07:56 AM
From: Adam
Subject: Abuse IPDB ThreatService
Thank you but it raises another error message now:
An error occurred while running the command line utility: Illegal character in scheme name at index 0: 172.20.22.10:9000/cts/abuseipdb_threat_feed
Illegal character in scheme name at index 0: 172.20.22.10:9000/cts/abuseipdb_threat_feed
Adam
------------------------------
Adam
Original Message:
Sent: Thu July 09, 2020 05:56 PM
From: Chance Casey
Subject: Abuse IPDB ThreatService
Sorry if this is a duplicate. Use this (note you may need to change IP address):
sudo resutil threatserviceedit -name "AbuseIPDB" -resturl http://127.0.0.1:9000/cts/abuseipdb_threat_feed
------------------------------
Chance Casey
Original Message:
Sent: Tue July 07, 2020 07:44 AM
From: Adam
Subject: Abuse IPDB ThreatService
Hi,
After I installed the service on the Integration Server and Resilient I got an error when I try to connect to it.
Failed to connect to AbuseIPDB
Maybe I did not set up the URL right:
sudo resutil threatserviceedit -name "AbuseIPDB" -resturl <resilient_circuits_url>/cts/abuseipdb_threat_feed
What is the right URL for <resilient_circuits_url>? Is it the IP of the Int. Srv. or host name or something else?
Thank you.
Regards,
Adam
------------------------------
Adam
------------------------------
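Added example, not part of the thread or of the Resilient tooling: a small Python check covering the two failures discussed above, a -resturl value with no http:// scheme and a web server bound only to 127.0.0.1. The function names and result labels are hypothetical, and the lsof sample is constructed from the lines posted in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the lsof lines posted in the thread.
LSOF = """\
resilient 3624 root 5u IPv4 60958080 0t0 UDP *:55540
resilient 3624 root 9u IPv4 60957009 0t0 TCP 127.0.0.1:9000 (LISTEN)
resilient 3624 root 12u IPv4 60958085 0t0 TCP 192.168.122.28:42382->10.0.12.132:65001 (ESTABLISHED)
"""

def listeners(lsof_text):
    """Map each listening TCP port to the local addresses it is bound to."""
    found = {}
    for line in lsof_text.splitlines():
        m = re.search(r"\bTCP (\S+):(\d+) \(LISTEN\)", line)
        if m:
            found.setdefault(int(m.group(2)), []).append(m.group(1).strip("[]"))
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:            # not an IP literal
        return addr == "localhost"

def check_resturl(resturl, lsof_text):
    """Classify a -resturl value as seen from a remote Resilient server."""
    if not re.match(r"https?://", resturl, re.I):
        return "bad-url"          # no scheme: the 'Illegal character in scheme name' case
    parts = urlsplit(resturl)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if is_loopback(parts.hostname):
        return "loopback-url"     # resolves to the caller itself, not the integration server
    binds = listeners(lsof_text).get(port, [])
    if not binds:
        return "no-listener"
    if any(b in ("*", "0.0.0.0", "::", parts.hostname) for b in binds):
        return "reachable"        # socket level only; host firewalls are not checked
    return "loopback-only" if all(map(is_loopback, binds)) else "other-address"

if __name__ == "__main__":
    for url in ("172.20.22.10:9000/cts/abuseipdb_threat_feed",
                "http://127.0.0.1:9000/cts/abuseipdb_threat_feed",
                "http://192.168.122.28:9000/cts/abuseipdb_threat_feed"):
        print(f"{check_resturl(url, LSOF):14} {url}")
```

A "reachable" result means the port is exposed beyond loopback; since the URLs in this thread are plain http, restrict that port in the host firewall to the Resilient server's address.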