VT quota management #287
This normally has the same behavior as the HA module; it first checks the remaining quota: RedELK/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/ioc_vt.py Lines 27 to 63 in 5f50fc6

Then it checks each hash one by one until the quota is reached; the remainder should be done on the next run when the quota is available again: RedELK/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/ioc_vt.py Lines 91 to 100 in 5f50fc6

It's normally not an "all or nothing", it should be a smart queue 😄
I'm getting Virus Total quota issues although it seems that I still have space left in my quota. Output from daemon.log reads:

My hypothesis is that although the quota says 240 left for now, the actual list of items to check exceeds 240. I checked this manually for one call and indeed it wanted to check 386 hashes in one go. VT will see the too-big result come in and therefore nothing will be checked. This is an endless loop, as the number of to-be-checked items will only grow.

It would be ideal if the alarm_filehash module would actually parse the output of VT's report on available quota, and tune the number of hashes to be checked accordingly.
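
The queueing behaviour discussed in this thread, as an added example that is not RedELK's own code and not part of either post: check only as many hashes as the reported quota allows and carry the rest over to the next run. The function names, the `hourly`/`daily` quota keys and the fake lookup are assumptions, and the hashes are constructed; no VirusTotal API call is made.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple


class QuotaExhausted(Exception):
    """Raised by the lookup callable when the service refuses a request."""


def check_within_quota(
    pending: Iterable[str],
    remaining: Dict[str, int],
    lookup: Callable[[str], dict],
) -> Tuple[Dict[str, dict], List[str]]:
    """Look up as many hashes as the quota allows; return (results, deferred)."""
    # Normalise and de-duplicate, keeping order, so a repeated hash costs one call.
    queue = list(dict.fromkeys(h.strip().lower() for h in pending))
    # The tightest quota window (hypothetical key names) bounds this run.
    budget = max(0, min(remaining.values(), default=0))
    results: Dict[str, dict] = {}
    for i, file_hash in enumerate(queue):
        if i >= budget:
            return results, queue[i:]
        try:
            results[file_hash] = lookup(file_hash)
        except QuotaExhausted:
            # Reported quota was stale: stop and keep this hash for the next run.
            return results, queue[i:]
    return results, []


def sample_hashes(count: int) -> List[str]:
    """Constructed SHA-256 strings standing in for the hashes waiting to be checked."""
    return [hashlib.sha256(f"sample-{n}".encode()).hexdigest() for n in range(count)]


def make_lookup(server_limit: int) -> Callable[[str], dict]:
    """Fake lookup (no network) that refuses calls after server_limit requests."""
    calls = {"n": 0}

    def lookup(file_hash: str) -> dict:
        if calls["n"] >= server_limit:
            raise QuotaExhausted(file_hash)
        calls["n"] += 1
        return {"hash": file_hash, "checked": True}

    return lookup


if __name__ == "__main__":
    done, later = check_within_quota(
        sample_hashes(386), {"hourly": 240, "daily": 500}, make_lookup(1000))
    print(len(done), "checked,", len(later), "deferred to the next run")
```

With the 386 pending hashes and 240 remaining quota from the report above, the first run checks 240 and defers 146, so the backlog shrinks on each run instead of growing.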