
MISP Connector ignores MISP_INTERVAL value

Open blockanz opened this issue 11 months ago • 3 comments

Description

I have set the MISP_INTERVAL value to 240 (4 hours), however the connector continues to run hourly regardless of the value set here.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 24.04
  2. OpenCTI version: 6.5.8
  3. OpenCTI client: Frontend
  4. Other environment details: Docker instance

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Update the value for MISP_INTERVAL in .yml file to be greater than 1 hour
  2. Stop and then start Docker instances
  3. Monitor for 1 hour and notice new connection and download every hour

Expected Output

The connector interprets the value of minutes in the MISP_INTERVAL setting and does not run again until this time period has elapsed.

Actual Output

Connector seems to run each hour regardless of the MISP_INTERVAL value.

Additional information

Screenshots (optional)

blockanz avatar Mar 19 '25 20:03 blockanz

Here are screenshots of my configuration and examples of the connector ignoring the settings.

Image

```yaml
connector-misp:
  image: opencti/connector-misp:6.5.10
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_MISP_TOKEN}
    - CONNECTOR_ID=${CONNECTOR_MISP_ID}
    - CONNECTOR_TYPE=EXTERNAL_IMPORT
    - CONNECTOR_NAME=MISP
    - CONNECTOR_SCOPE=misp
    - CONNECTOR_CONFIDENCE_LEVEL=25
    - CONNECTOR_UPDATE_EXISTING_DATA=true
    - CONNECTOR_LOG_LEVEL=debug
    - CONNECTOR_QUEUE_THRESHOLD=1000
    - CONNECTOR_DURATION_PERIOD=PT2H
    - MISP_URL=https://10.214.5.30
    - MISP_KEY=${CONNECTOR_MISP_API}
    - MISP_SSL_VERIFY=false
    - MISP_DATETIME_ATTRIBUTE=timestamp
    - MISP_CREATE_REPORTS=true
    - MISP_CREATE_OBSERVABLES=true
    - MISP_CREATE_OBJECT_OBSERVABLES=true
    - MISP_CREATE_TAGS_AS_LABELS=true
    - MISP_IMPORT_WITH_ATTACHMENTS=true
    - MISP_CREATE_INDICATORS=true
    - MISP_REPORT_CLASS=MISP Event
    - MISP_IMPORT_FROM_DATE=2025-03-03
    - MISP_IMPORT_TAGS=osint:source-type="block-or-filter-list",circl:incident-classification="phishing",type:OSINT
    - MISP_INTERVAL=240
  restart: always
  depends_on:
    - opencti
```

blockanz avatar Mar 30 '25 21:03 blockanz

I'm still seeing this behavior in 6.6.4. Is there any update on this?

blockanz avatar Apr 13 '25 23:04 blockanz

Hi @blockanz, thank you for sharing your issue.

I'm taking the subject from today, don't hesitate to ask me anything from now on.

I ran the connector with different intervals and I couldn't reproduce your issue. So far, with the information you gave me, the only thing I can see would be if you have 2 instances of the connector running at the same time. The 2 runs you shared are not exactly an hour apart, we can see the second run started 54 minutes after, which made me think of that.

  • MISP run @ 2025-03-30T20:31:56.640090+00:00
  • MISP run @ 2025-03-30T21:26:00.132055+00:00

Also, in the description, you're speaking about the configuration being made in the config.yml, but then, you shared the docker configuration. Maybe you have 1 instance in the docker and another one in dev?

Could you check my guess?

Also, if it's not because of this, would you mind coming back with more info? I would need the logs of the connector (what you can share, if possible for more than 4 hours)

pdamoune avatar May 22 '25 08:05 pdamoune

@blockanz Little ping on this :)

helene-nguyen avatar Jul 01 '25 07:07 helene-nguyen