
[glimps_malware] add glimps malware connector

Open glimps-glv opened this issue 8 months ago • 2 comments

Related issues

  • https://github.com/OpenCTI-Platform/connectors/issues/4126

Checklist

  • [x] I consider the submitted work as finished
  • [x] I have signed my commits using GPG key.
  • [x] I tested the code for its functionality using different use cases
  • [x] I added/updated the relevant documentation (either on GitHub or on Notion)
  • [x] Where necessary I refactored code to improve the overall quality

Further comments

glimps-glv avatar Jun 10 '25 07:06 glimps-glv

Hello,

Thank you for your contribution! It’s a great addition to your ecosystem.

After taking a quick look, I think that the connector code needs to be reworked. In fact, we noticed that it currently uses our GraphQL APIs directly to publish entities (example: https://github.com/OpenCTI-Platform/connectors/pull/4116/files#diff-9912979b0fe2f44cb82ff9150ea1a53facb3b76fb0fd5cab7525b1ae5c3a8784R117)

However, this approach is now deprecated and we encourage building a STIX bundle containing STIX objects and publishing it to the RabbitMQ queue instead (example: https://github.com/OpenCTI-Platform/connectors/blob/master/templates/internal-enrichment/src/internal_enrichment_connector/connector.py#L172)

I believe the most effective way to proceed would be to use our enrichment connector template as a starting point or source of inspiration: https://github.com/OpenCTI-Platform/connectors/tree/master/templates/internal-enrichment

Would this be something you could implement on your side?

cc @helene-nguyen

romain-filigran avatar Jun 13 '25 15:06 romain-filigran
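
The reviewer's point is that a connector should hand OpenCTI a STIX 2.1 bundle rather than calling the GraphQL API object by object. The following is an added, stdlib-only illustration (not code from this PR or from the connectors repository) of what an enrichment step would emit for one analysed file: the triggering File observable with a deterministic id, a Malware object, a relationship between them, and a pre-publish sanity check. The hash and family name are constructed sample values; with pycti the serialized result is what `OpenCTIConnectorHelper.send_stix2_bundle` pushes onto the queue, which this example stops short of calling.

```python
import json
import uuid
from datetime import datetime, timezone

# Namespace defined by the STIX 2.1 spec for deterministic cyber-observable ids.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def _now() -> str:
    # STIX timestamps are UTC, RFC 3339, with a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def file_observable(sha256: str) -> dict:
    """File SCO whose id is UUIDv5 over its id-contributing properties (the
    hashes), so the same sample seen twice yields the same id and the
    platform can deduplicate instead of creating a second observable."""
    contributing = {"hashes": {"SHA-256": sha256}}
    key = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid5(STIX_SCO_NAMESPACE, key)}",
        "hashes": {"SHA-256": sha256},
    }


def malware_object(name: str, is_family: bool = False) -> dict:
    """Malware SDO; SDO ids are random UUIDv4, unlike SCO ids."""
    ts = _now()
    return {
        "type": "malware",
        "spec_version": "2.1",
        "id": f"malware--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "is_family": is_family,
    }


def relationship(source: dict, target: dict, rel_type: str = "related-to") -> dict:
    """Relationship SRO linking two objects that must both be in the bundle."""
    ts = _now()
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "relationship_type": rel_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def build_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle: dict) -> list:
    """Checks worth running before publishing: each id carries its object's
    type prefix, and every relationship reference resolves to an object that
    is actually inside the bundle (a dangling ref cannot be resolved on
    ingestion). Returns a list of error strings, empty when the bundle is fine."""
    errors, ids = [], set()
    for obj in bundle.get("objects", []):
        obj_type, obj_id = obj.get("type"), obj.get("id", "")
        if not obj_type or not obj_id.startswith(f"{obj_type}--"):
            errors.append(f"id {obj_id!r} does not match type {obj_type!r}")
        ids.add(obj_id)
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{obj['id']}: {ref} {obj.get(ref)!r} not in bundle")
    return errors


def enrichment_bundle(sha256: str, malware_name: str) -> dict:
    """What one enrichment run emits: the observable that triggered it, the
    malware family it was attributed to, and the link between the two."""
    sample = file_observable(sha256)
    family = malware_object(malware_name, is_family=True)
    return build_bundle([sample, family, relationship(sample, family)])


if __name__ == "__main__":
    # Constructed sample values, not a real indicator.
    bundle = enrichment_bundle("a" * 64, "ExampleFamily")
    assert validate_bundle(bundle) == []
    # With pycti: helper.send_stix2_bundle(json.dumps(bundle)) publishes this
    # to the connector queue; no direct GraphQL mutation is involved.
    print(json.dumps(bundle, indent=2))
```

The deterministic SCO id is the part that matters for an enrichment connector: the bundle re-references the observable that triggered the enrichment by the same id the platform already holds, so the new relationship attaches to the existing entity rather than to a duplicate.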

yes, I'll do it

glimps-glv avatar Jun 16 '25 05:06 glimps-glv

Hello @romain-filigran

I made the modifications to push elements with a bundle; I'm not sure how I enriched the base STIX entity, though.

I also reworked config loading and other things to comply with your template.

I'll be available if needed

glimps-glv avatar Jun 23 '25 14:06 glimps-glv

Hey @glimps-glv, thanks a lot for your contribution.

I made a few suggestions and a couple of must-changes in order to be able to merge.

Feel free to ping us for any help 🙏

Thanks!

Thanks a lot for your review :pray:

I've made all the changes you requested; it should be okay now. Feel free to ping me directly if needed!

Thanks again :ok_hand:

glimps-glv avatar Jul 07 '25 13:07 glimps-glv

Hey @glimps-glv, thank you for your reactivity.

I forgot one thing about the confidence level: since 6.0, the confidence level configuration now follows the user's confidence level on the platform and needs to be removed from the configuration files such as config.yml.sample and the docker-compose.yml file.

https://github.com/OpenCTI-Platform/connectors/issues/1816

Also, the CI failed. To fix it:

For isort, you might need either to execute it from the root directory or to use pre-commit.

Here is a command for isort directly that should work:

isort --profile black  ./external-import/malwarebazaar --skip .temp_venv --skip build --skip venv

or here is the pre-commit:

# from the root
pre-commit run --files external-import/malwarebazaar/src/main.py
# in external-import/malwarebazaar
pre-commit run --files src/main.py

Let us know if it doesn't work.

Let me know, I'll do another review and then we'll be able to merge! :)

pdamoune avatar Jul 08 '25 06:07 pdamoune

Hey @pdamoune

Should be ok now, I also re-based the branch and updated dependencies.

glimps-glv avatar Jul 08 '25 07:07 glimps-glv

Hey @glimps-glv

Thank you, and sorry I missed the comment about the docker-compose file... Could you just modify this, please?

Hey @pdamoune,

It's changed, thx for the review!

glimps-glv avatar Jul 10 '25 13:07 glimps-glv