
Enrichment connectors called too early for artifacts #2811

Closed

Description

I initially filed this as a bug with the YARA connector (#2700), but then it struck me that the root cause of the issue is that OpenCTI calls the enrichments for artifacts too early, before the file is uploaded.

The YARA connector raises an exception when new samples are uploaded by the MalwareBazaar connector but succeeds when the YARA enrichment is run manually. It looks like the YARA connector attempts to scan an artifact before the MalwareBazaar connector finishes uploading the file.

  warnings.warn(
{"timestamp": "2024-09-23T19:14:36.718425Z", "level": "ERROR", "name": "YARA", "message": "Error in message processing, reporting error to API", "exc_info": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 352, in _data_handler\n    message = self.callback(event_data)\n              ^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/opt/opencti-yara/main.py\", line 107, in _process_message\n    self._scan_artifact(artifact, yara_indicators)\n  File \"/opt/opencti-yara/main.py\", line 63, in _scan_artifact\n    artifact_contents = self._get_artifact_contents(artifact)\n                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/opt/opencti-yara/main.py\", line 27, in _get_artifact_contents\n    file_id = artifact[\"importFiles\"][0][\"id\"]\n              ~~~~~~~~~~~~~~~~~~~~~~~^^^\nIndexError: list index out of range"}

Environment

  1. OS (where OpenCTI server runs): Debian 12
  2. OpenCTI version: 6.3.1
  3. OpenCTI client: Python

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Import some YARA rules (e.g. use the Valhalla connector)
  2. Add the yara connector
  3. Add the malwarebazaar-recent-additions connector
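An added example, not code from the issue or from the YARA connector, of how an enrichment connector can tolerate this race instead of indexing `importFiles[0]` on the first read and dying with the `IndexError` shown above: re-read the artifact with a short backoff until the uploaded file is visible, and fail with a descriptive error otherwise. `fetch_artifact` is a hypothetical callable standing in for the platform read, and `make_fake_fetch` is a constructed stand-in that simulates the upload landing a few reads later.

```python
import time
from typing import Callable, Dict, Tuple


class ArtifactNotReady(Exception):
    """The artifact still has no uploaded file after all attempts."""


def wait_for_import_file(
    fetch_artifact: Callable[[str], dict],
    artifact_id: str,
    attempts: int = 5,
    delay: float = 2.0,
    sleep: Callable[[float], None] = time.sleep,
) -> str:
    """Return the id of the artifact's first importFiles entry once it exists.

    fetch_artifact is assumed (hypothetical) to re-read the artifact from the
    platform and return a dict carrying an 'importFiles' list. Rather than
    indexing importFiles[0] on the first read, the lookup is retried with a
    linear backoff so an upload still in progress does not crash the worker.
    """
    for attempt in range(1, attempts + 1):
        artifact = fetch_artifact(artifact_id)
        files = artifact.get("importFiles") or []
        if files:
            return files[0]["id"]
        if attempt < attempts:
            sleep(delay * attempt)
    raise ArtifactNotReady(
        f"artifact {artifact_id} has no importFiles after {attempts} attempts; upload may still be in progress"
    )


def make_fake_fetch(ready_after: int) -> Tuple[Callable[[str], dict], Dict[str, int]]:
    """Constructed stand-in for the platform: importFiles stays empty until the
    ready_after-th read, simulating enrichment firing before the upload finishes."""
    calls = {"n": 0}

    def fetch(artifact_id: str) -> dict:
        calls["n"] += 1
        files = [] if calls["n"] < ready_after else [{"id": "import/global/demo.bin"}]
        return {"id": artifact_id, "importFiles": files}

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_fetch(ready_after=3)
    print(wait_for_import_file(fetch, "artifact--demo", sleep=lambda _: None), calls["n"])
```

With a real client the remaining caveat is the total wait: cap `attempts` and `delay` so a permanently empty artifact is reported as an error rather than blocking the connector's queue.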

Metadata

Labels: bug (use for describing something not working as expected), filigran team (use to identify PR from the Filigran team), solved (use to identify issue that has been solved; must be linked to the solving PR)