
Hybrid Analysis connector sends too many requests without checking API quota

Open barismutan opened this issue 1 year ago • 0 comments

Description

The current Hybrid Analysis connector implementation sends too many requests to the Hybrid Analysis API, resulting in either 429 Too Many Requests errors or even temporary IP bans from Cloudflare.

Environment

  1. OS (where OpenCTI server runs): Docker installation on Ubuntu 22.04.02 LTS
  2. OpenCTI version: OpenCTI 5.7.6
  3. OpenCTI client: Docker
  4. Other environment details: -

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Connect the Hybrid Analysis connector with auto enrichment enabled.
  2. Connect any other source that generates observables/file artifacts (e.g. CrowdStrike, AlienVault, MalwareBazaar etc.)
  3. Soon we get thousands of error messages, resulting either from 429 Too Many Requests or from a temporary IP ban by Cloudflare.

Expected Output

The expectation is that the connector periodically runs respecting the API key quota limitations.

Actual Output

The connector tries to make as many requests as it possibly can, resulting in 429 Too Many Requests errors or a temporary IP ban by Cloudflare.

Additional information

Please note that the default quota is 200/min and 2000/hour. Also, for submitting files to the sandbox I believe the daily limit is 30.

barismutan · May 26 '23 08:05
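The issue describes a connector that never checks the API quota before sending. The following is an added example written for this page, not code from the OpenCTI connector or from Hybrid Analysis: a sliding-window limiter that enforces the 200/min and 2000/hour quotas quoted in the issue locally, plus a request wrapper that honours `Retry-After` and backs off on an HTTP 429 instead of retrying immediately. The `send` callable, the `FakeClock`, the `"sha256"` payload values and the `simulate_burst` helper are stubs constructed here so the code runs offline; a real connector would plug in its HTTP client and its own quota values.

```python
"""Quota-aware request scheduling for an enrichment connector (editor's example)."""
import time
from collections import deque

# Quotas quoted in the issue: (requests, window in seconds).
HYBRID_ANALYSIS_QUOTAS = ((200, 60), (2000, 3600))


class QuotaLimiter:
    """Sliding-window limiter enforcing several (limit, window) quotas at once.

    `clock` is injectable so tests can advance time without sleeping.
    """

    def __init__(self, quotas=HYBRID_ANALYSIS_QUOTAS, clock=time.monotonic):
        self._quotas = [(limit, window, deque()) for limit, window in quotas]
        self._clock = clock

    def _prune(self, now):
        # Drop timestamps that have left each window.
        for _, window, sent in self._quotas:
            while sent and now - sent[0] >= window:
                sent.popleft()

    def wait_time(self):
        """Seconds until one more request fits inside every window (0.0 if it fits now)."""
        now = self._clock()
        self._prune(now)
        wait = 0.0
        for limit, window, sent in self._quotas:
            if len(sent) >= limit:
                wait = max(wait, sent[0] + window - now)
        return wait

    def record(self):
        """Count one request against every window."""
        now = self._clock()
        for _, _, sent in self._quotas:
            sent.append(now)


def throttled_request(limiter, send, payload, sleep=time.sleep, max_attempts=5):
    """Send `payload` only when the local quota allows it; back off on HTTP 429.

    `send(payload)` is assumed to return (status_code, headers). Returns the
    final status code; 429 after `max_attempts` means the caller should stop.
    """
    for attempt in range(max_attempts):
        delay = limiter.wait_time()
        if delay > 0:
            sleep(delay)  # quota exhausted: wait instead of hammering the API
        limiter.record()
        status, headers = send(payload)
        if status != 429:
            return status
        # Server-side throttling: honour Retry-After, else exponential backoff.
        retry_after = headers.get("Retry-After")
        sleep(float(retry_after) if retry_after else min(60, 2 ** attempt))
    return 429


class FakeClock:
    """Constructed clock so the scheduling can be exercised without real sleeps."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_burst(n_requests, quotas=HYBRID_ANALYSIS_QUOTAS):
    """Push n requests through the limiter against a stub API that always answers 200.

    Returns (seconds elapsed, peak number of requests in any 60 s window).
    """
    clock = FakeClock()
    limiter = QuotaLimiter(quotas, clock=clock)
    timestamps = []

    def send(_payload):
        timestamps.append(clock())
        return 200, {}

    for i in range(n_requests):
        throttled_request(limiter, send, {"sha256": f"constructed-{i}"}, sleep=clock.sleep)
    peak = max(sum(1 for t in timestamps if start <= t < start + 60) for start in timestamps)
    return clock(), peak


if __name__ == "__main__":
    print("400 requests:", simulate_burst(400))    # spread over 60 s, never above 200/min
    print("2200 requests:", simulate_burst(2200))  # hourly cap forces a wait until t=3600
```

With the two quotas from the issue, a burst of 400 enrichments is spread across one minute and a burst of 2200 is paused until the hourly window rolls over, so the connector never exceeds the server's published rate and never triggers the 429 or ban path. The daily sandbox submission limit mentioned in the issue can be modelled the same way by adding a third quota tuple to the `QuotaLimiter`.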