Replies: 10 comments 3 replies
-
How did you install IntelMQ and which operating system do you use? Can you please open the developer tools (Ctrl+Shift+I), switch to the network tab, load the page triggering the error and paste the response of the request?
-
I am using Ubuntu.
-
Thanks for sharing your observation. If it happens again, the information I mentioned above would be helpful. cc @waldbauer-certat because of Docker
-
Sure, I will.
-
Request URL: http://127.0.0.1:1337/intelmq/v1/api/login
Again I got the same error.
-
That's the request from the browser, not the response from the server. Did the webserver logs show anything in the error log?
-
Thanks for your support. I found the issue; it was with my Docker. I have another point of confusion.
-
I am looking for Indicators of Compromise (IOC). Does IntelMQ provide the IOC in the events file? I have configured all that already, but I am looking forward to seeing IOC.

On Tue, Sep 13, 2022 at 1:03 PM Sebastian ***@***.***> wrote:

I am getting the events file, but in the events file the IOC are missing. Where can I find the IOC?

What do you miss?

The file output bot writes all events that it receives to the file. You configure IntelMQ, i.e. which feeds you want to process, yourself. At https://intelmq.readthedocs.io/en/latest/user/feeds.html you can find a big list of possible feeds which you can add to IntelMQ and connect to your file output bot instance.
-
I have already configured the feeds, and I am getting data from a lot of different feeds. But I am getting only the event information, like this:

{
  "classification.taxonomy": "malicious-code",
  "classification.type": "c2-server",
  "feed.accuracy": 100.0,
  "feed.name": "Feodo Tracker Browse",
  "feed.provider": "Abuse.ch",
  "feed.url": "https://feodotracker.abuse.ch/browse",
  "malware.name": "qakbot",
  "source.allocated": "2009-05-06T00:00:00+00:00",
  "source.as_name": "WINDSTREAM, US",
  "source.asn": 7029,
  "source.geolocation.cc": "US",
  "source.ip": "173.189.167.21",
  "source.network": "173.189.164.0/22",
  "source.registry": "ARIN",
  "status": "Online",
  "time.observation": "2022-09-09T12:42:05+00:00",
  "time.source": "2022-09-08T12:43:34+00:00"
}

This is one of the events I got from the feed. I am looking forward to seeing the Indicators of Compromise (IOC), but I am unable to figure out where I can find them.

On Tue, Sep 13, 2022 at 1:15 PM Sebastian ***@***.***> wrote:

*What* Indicators are you looking for? There are many data feeds, see the link that I posted above, all providing different data (= Indicators of Compromise).

What are you trying to achieve in the bigger picture?
-
Thank you for your reply. I was not very familiar with feeds. My confusion got cleared.

On Tue, Sep 13, 2022 at 1:23 PM Sebastian ***@***.***> wrote:

The event you posted says:

The device with the IP address 173.189.167.21 is hosting a C2 server of the malware qakbot.

If this is not what you are looking for, what is it?
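The point of the exchange above is that the event fields themselves are the IOC. As an added example (not IntelMQ's own code), the snippet below reads a file output bot's JSON-lines file, pulls the indicator fields out of each event together with the context an analyst needs, and checks constructed connection records against them. The sample events are built from the event quoted in the thread plus one made-up "Offline" event; the connection records are constructed too.

```python
import json

# Constructed sample file, one JSON event per line as the file output bot writes them.
# Line 1 is the event quoted in the thread (some fields dropped); line 2 is made up.
EVENTS_JSONL = """\
{"classification.type": "c2-server", "feed.name": "Feodo Tracker Browse", "malware.name": "qakbot", "source.ip": "173.189.167.21", "source.network": "173.189.164.0/22", "status": "Online", "time.source": "2022-09-08T12:43:34+00:00"}
{"classification.type": "c2-server", "feed.name": "Feodo Tracker Browse", "malware.name": "emotet", "source.ip": "198.51.100.7", "source.network": "198.51.100.0/24", "status": "Offline", "time.source": "2022-09-08T12:43:34+00:00"}
"""

# Harmonization fields whose value is the indicator itself. source.network is left out
# on purpose: it is the BGP prefix containing the IP, not a malicious range.
INDICATOR_FIELDS = ("source.ip", "source.fqdn", "source.url")


def extract_iocs(jsonl, only_online=True):
    """Map each indicator value to the context an analyst needs to act on it."""
    iocs = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Feodo Tracker marks C2s that are no longer reachable as "Offline"; skip by default.
        if only_online and event.get("status") == "Offline":
            continue
        for field in INDICATOR_FIELDS:
            if field in event:
                iocs[event[field]] = {
                    "field": field,
                    "type": event.get("classification.type"),
                    "malware": event.get("malware.name"),
                    "feed": event.get("feed.name"),
                    "seen": event.get("time.source"),
                }
    return iocs


def match_connections(iocs, connections):
    """Return the connection records whose destination is a known indicator."""
    return [{**c, **iocs[c["dst"]]} for c in connections if c["dst"] in iocs]


# Constructed firewall/proxy connection records (RFC 5737 addresses except the hit).
CONNECTIONS = [
    {"src": "10.0.0.12", "dst": "173.189.167.21", "dport": 443},
    {"src": "10.0.0.13", "dst": "203.0.113.5", "dport": 443},
    {"src": "10.0.0.14", "dst": "198.51.100.7", "dport": 443},
]

if __name__ == "__main__":
    for hit in match_connections(extract_iocs(EVENTS_JSONL), CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} matches {hit['malware']} {hit['type']} from {hit['feed']} (seen {hit['seen']})")
```

Pass `only_online=False` to keep historical indicators for retrospective log searches; for blocking, stick to the online ones.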
-
When I start the collectors, it works fine for some time, but after a while it keeps on loading. When I tried to log out and log in again, it showed this error.