MITRE "will produce only internal modification" error

Open Tonnulus opened this issue 2 years ago • 3 comments

Description

Mitre connector errors

{'name': 'UnsupportedError', 'message': '[OPENCTI] Upsert will produce only internal modification'}

Environment

  1. OS (where OpenCTI server runs): Debian 4.19
  2. OpenCTI version: 5.3.7
  3. OpenCTI Mitre connector: 5.3.7
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Clean MITRE connector
  2. Restart MITRE
  3. On the UI go to DATA -> Connectors -> MITRE -> COMPLETED WORKS -> errors

Expected Output

Full import without error

Actual Output

106 error messages:

{'name': 'UnsupportedError', 'message': '[OPENCTI] Upsert will produce only internal modification'}

Source example:

{"type": "bundle", "id": "bundle--8376c00f-48c6-4fc0-949f-06e8edd7c0a6", "spec_version": "2.1", "x_opencti_seq": 6, "objects": [{"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["PS1", "PS1 "], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--13183cdf-280b-46be-913a-5c6df47831e7", "type": "malware", "created": "2021-05-24T14:55:59.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0613", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0613"}, {"source_name": "BlackBerry CostaRicto November 2020", "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced", "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."}], "modified": "2021-10-15T12:58:20.120Z", "name": "PS1", "description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "confidence": 3, "nb_deps": 6}]}

or

{"type": "bundle", "id": "bundle--17f97d69-4677-4371-9fd4-a18ae702576f", "spec_version": "2.1", "x_opencti_seq": 18, "objects": [{"object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "relationship", "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", "created": "2022-04-15T22:05:32.209Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-15T22:05:32.209Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "confidence": 3, "nb_deps": 18}]}

Additional information

Current MITRE connector configuration:

  connector-mitre:
    image: opencti/connector-mitre:5.3.7
    environment:
      OPENCTI_URL: http://opencti.:8080/opencti
      OPENCTI_TOKEN: ${OPENCTI_C_MITRE_TOKEN}
      CONNECTOR_ID: ${OPENCTI_C_MITRE_ID}
      CONNECTOR_TYPE: EXTERNAL_IMPORT
      CONNECTOR_NAME: MITRE ATT&CK
      CONNECTOR_SCOPE: marking-definition,identity,attack-pattern,course-of-action,intrusion-set,campaign,malware,tool,report,external-reference-as-report
      CONNECTOR_CONFIDENCE_LEVEL: 3
      CONNECTOR_UPDATE_EXISTING_DATA: "true"
      CONNECTOR_RUN_AND_TERMINATE: "false"
      CONNECTOR_LOG_LEVEL: info
      MITRE_ENTERPRISE_FILE_URL: https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
      MITRE_PRE_ATTACK_FILE_URL: https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json
      MITRE_MOBILE_ATTACK_FILE_URL: https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json
      MITRE_ICS_ATTACK_FILE_URL: https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json
      MITRE_CAPEC_FILE_URL: https://raw.githubusercontent.com/mitre/cti/master/capec/2.1/stix-capec.json
      MITRE_INTERVAL: 7 # Days

Other connectors installed:

  • mitre
  • cybercrimetracker
  • virustotal
  • export-file-csv
  • cryptolaemus
  • export-file-stix
  • cve
  • malpedia
  • hygiene
  • import-file-stix
  • ipinfo
  • import-document
  • opencti
  • urlhaus

Tonnulus, Jul 20 '22 15:07

Thank you in advance for all the work you have done

Tonnulus, Jul 20 '22 15:07

Any chance you still have the log files of this? Unfortunately we do not display all information in the UI.

richard-julien, Aug 05 '22 14:08

I retried today. I have the same number of errors.

Logs from the connector:

INFO:root:Connector will run!
INFO:root:Initiate work for 5671d70f-e8f9-4a50-b262-01c6e27bac8a
INFO:root:Update action expectations opencti-work--261087a8-144d-4db1-81df-61d8566bc1b9 - 17134
INFO:root:Update action expectations opencti-work--261087a8-144d-4db1-81df-61d8566bc1b9 - 268
INFO:root:Update action expectations opencti-work--261087a8-144d-4db1-81df-61d8566bc1b9 - 1357
INFO:root:Update action expectations opencti-work--261087a8-144d-4db1-81df-61d8566bc1b9 - 954
ERROR:root:Error while sending bundle: maximum recursion depth exceeded while calling a Python object
INFO:root:Connector successfully run, storing last_run as 1659963393
INFO:root:Reporting work update_received opencti-work--261087a8-144d-4db1-81df-61d8566bc1b9

Logs from opencti: toto.log

Tonnulus, Aug 08 '22 13:08