
[Malpedia] Connector creating external reference


Description

I have a Docker setup that is running the Malpedia connector without any API key. When running the connector to start the import, it will create some malware entities as well as the organisation etc., but errors appear in the logs, then the connector stops until the next run time or until the Docker container is manually restarted.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 20.10/Docker
  2. OpenCTI version: 4.5.3
  3. OpenCTI client: frontend
  4. Other environment details: none

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create malpedia connector in docker
  2. Create user
  3. Add user key to config
  4. Launch

Expected Output

Items to be pulled from the Malpedia API and the information entered into OpenCTI.

Actual Output

```
INFO:root:Listing Malwares with filters [{"key": "aliases", "values": ["Flame"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Tag 'Flame' does not reference malware
INFO:root:Listing Malwares with filters [{"key": "name", "values": ["sKyWIper"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Listing Malwares with filters [{"key": "aliases", "values": ["sKyWIper"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Tag 'sKyWIper' does not reference malware
INFO:root:Listing Malwares with filters [{"key": "name", "values": ["win.flame"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Listing Malwares with filters [{"key": "aliases", "values": ["win.flame"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Tag 'win.flame' does not reference malware
INFO:root:Reading Marking-Definition {marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9}.
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 502
INFO:root:Creating Malware {Flame}.
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 236
ERROR:root:Restricted entity already exists
ERROR:root:error creating malware entity: {'name': 'UnsupportedError', 'message': 'Restricted entity already exists'}
ERROR:root:some error occurred during malware creation
INFO:root:Processing malware family: win.nagini
INFO:root:Processing malware family: win.nagini
INFO:root:Listing Malwares with filters [{"key": "name", "values": ["Nagini"]}].
INFO:root:Listing Malwares with filters [{"key": "aliases", "values": ["Nagini"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Tag 'Nagini' does not reference malware
INFO:root:Listing Malwares with filters [{"key": "name", "values": ["win.nagini"]}].
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 140
INFO:root:Listing Malwares with filters [{"key": "aliases", "values": ["win.nagini"]}].
INFO:root:Tag 'win.nagini' does not reference malware
INFO:root:Reading Marking-Definition {marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9}.
INFO:root:Creating Malware {Nagini}.
INFO:root:Creating External Reference {Malpedia}.
INFO:root:Adding External-Reference {05f3bcfa-7a15-4884-8609-92f9f952ee07} to Stix-Domain-Object {2198398d-ceba-46f0-bb9e-9a012158463a}
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 287
ERROR:root:Cannot add the relation, Stix-Domain-Object cannot be found.
ERROR:root:{'name': 'FunctionalError', 'message': 'Cannot add the relation, Stix-Domain-Object cannot be found.'}
```

Additional information

Malpedia connector config:

```yaml
connector-malpedia:
  image: opencti/connector-malpedia:latest
  environment:
    - OPENCTI_URL=http://xx.xx.xx.xx:8080
    - OPENCTI_TOKEN=1fba4df1-xxxx-3f3520341ac9
    - CONNECTOR_ID=malpedia_connector
    - CONNECTOR_TYPE=EXTERNAL_IMPORT
    - CONNECTOR_NAME=Malpedia
    - CONNECTOR_SCOPE=malpedia
    - CONNECTOR_CONFIDENCE_LEVEL=30 # From 0 (Unknown) to 100 (Fully trusted)
    - CONNECTOR_UPDATE_EXISTING_DATA=false
    - CONNECTOR_LOG_LEVEL=debug
    - MALPEDIA_AUTH_KEY= # Empty key only fetches TLP:WHITE information
    - MALPEDIA_INTERVAL_SEC=86400 # Run once every day
    - MALPEDIA_IMPORT_INTRUSION_SETS=true
    - MALPEDIA_IMPORT_YARA=false
    - MALPEDIA_CREATE_INDICATORS=true
    - MALPEDIA_CREATE_OBSERVABLES=true
  restart: always
```
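The log above shows two distinct failure modes in one run: for `win.flame` the Malware entity itself is rejected ("Restricted entity already exists"), while for `win.nagini` the entity step logs no error but the External-Reference attach then fails because the Stix-Domain-Object id cannot be found. With `CONNECTOR_LOG_LEVEL=debug` these lines are buried among GraphQL request traces, so the following triage script, added here as an example and not part of the connector or the issue, groups the connector's python-logging output by "Processing malware family" header and classifies each family's outcome. `SAMPLE_LOG` is a constructed excerpt: the UUIDs and messages are copied from the issue, and `win.example_ok` is an invented family that completes cleanly. It assumes only the default `LEVEL:logger:message` format that the quoted log uses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the connector output quoted in the issue.
# UUIDs and messages for win.flame / win.nagini come from the issue;
# win.example_ok is an invented family that completes without errors.
SAMPLE_LOG = """\
INFO:root:Processing malware family: win.flame
INFO:root:Creating Malware {Flame}.
DEBUG:urllib3.connectionpool:http://10.50.0.41:8080 "POST /graphql HTTP/1.1" 200 236
ERROR:root:Restricted entity already exists
ERROR:root:error creating malware entity: {'name': 'UnsupportedError', 'message': 'Restricted entity already exists'}
ERROR:root:some error occurred during malware creation
INFO:root:Processing malware family: win.nagini
INFO:root:Processing malware family: win.nagini
INFO:root:Creating Malware {Nagini}.
INFO:root:Creating External Reference {Malpedia}.
INFO:root:Adding External-Reference {05f3bcfa-7a15-4884-8609-92f9f952ee07} to Stix-Domain-Object {2198398d-ceba-46f0-bb9e-9a012158463a}
ERROR:root:Cannot add the relation, Stix-Domain-Object cannot be found.
ERROR:root:{'name': 'FunctionalError', 'message': 'Cannot add the relation, Stix-Domain-Object cannot be found.'}
INFO:root:Processing malware family: win.example_ok
INFO:root:Creating Malware {ExampleOK}.
INFO:root:Creating External Reference {Malpedia}.
INFO:root:Adding External-Reference {00000000-0000-4000-8000-000000000001} to Stix-Domain-Object {00000000-0000-4000-8000-000000000002}
"""

# Default python-logging format used by the connector: LEVEL:logger:message
LINE_RE = re.compile(r"^(?P<level>[A-Z]+):(?P<logger>[\w.]+):(?P<msg>.*)$")
FAMILY_RE = re.compile(r"^Processing malware family: (?P<family>\S+)$")
CREATE_RE = re.compile(r"^Creating Malware \{(?P<name>[^}]+)\}\.$")
ATTACH_RE = re.compile(
    r"^Adding External-Reference \{(?P<ref>[0-9a-f-]+)\} to Stix-Domain-Object \{(?P<obj>[0-9a-f-]+)\}$"
)


def parse_line(line: str):
    """Split one log line into (level, logger, message); None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("level"), m.group("logger"), m.group("msg")


def triage(log_text: str) -> Dict[str, dict]:
    """Group connector output by malware family and classify each family's outcome.

    status values:
      create_failed    - the platform rejected the Malware entity itself
      reference_failed - entity step logged no error, but attaching the
                         External-Reference failed (SDO id not found)
      ok               - no ERROR line before the next family header
    """
    report: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        level, _, msg = parsed
        fam = FAMILY_RE.match(msg)
        if fam:
            # The connector logs the same header twice in the issue; reuse the entry.
            current = report.setdefault(
                fam.group("family"),
                {"entity": None, "object_id": None, "errors": [], "status": "ok"},
            )
            continue
        if current is None:
            continue  # lines before the first family header are out of scope
        m_create = CREATE_RE.match(msg)
        m_attach = ATTACH_RE.match(msg)
        if m_create:
            current["entity"] = m_create.group("name")
        elif m_attach:
            # Keep the SDO id so an operator can check whether it exists in OpenCTI.
            current["object_id"] = m_attach.group("obj")
        elif level == "ERROR":
            current["errors"].append(msg)
            if "creating malware" in msg or "malware creation" in msg:
                current["status"] = "create_failed"
            elif "Stix-Domain-Object cannot be found" in msg and current["status"] == "ok":
                current["status"] = "reference_failed"
    return report


def failed_families(report: Dict[str, dict]) -> List[str]:
    """Families that need attention, in the order they appeared in the log."""
    return [f for f, r in report.items() if r["status"] != "ok"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for family in failed_families(result):
        entry = result[family]
        print(f"{family}: {entry['status']} (entity={entry['entity']}, sdo={entry['object_id']})")
```

Feed it the container's log (for example the output of `docker logs` for the connector container) instead of `SAMPLE_LOG` to get a per-family summary; a `reference_failed` entry with a recorded SDO id is the case from this issue, where the connector went on to attach a reference to an object the platform does not have.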

Top GitHub Comments

SamuelHassine commented, Sep 2, 2021

Hello @rhaist, any news / update on this issue?

rhaist commented, May 31, 2021

Thanks for reporting - I’ll look into this. NOTE: The malpedia team is currently working on a new STIX2 export that might render a lot of the current connector obsolete.
