Backup connector Error every 10sec when using AlienVault Feed

[PeeBee66]

Description

Consistent restarting of the backup connector when using AlienVault

Backup connector https://github.com/OpenCTI-Platform/connectors/tree/master/stream/backup-files

INFO Backup processed event 1701520853906-0 in 20231202T124100Z / relationship--fc89d0ab-3968-4f05-8437-641af617d002 | timestamp=2023-12-17T21:40:39.642305Z name=pycti.connector Traceback (most recent call last): File "/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py", line 530, in run self.callback(msg) File "/opt/opencti-connector-backup-files/backup-files.py", line 75, in _process_message data = json.loads(msg.data) ^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/json/init.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/json/decoder.py", line 353, in raw_decode obj, end = self.scan_once(s, idx) ^^^^^^^^^^^^^^^^^^^^^^ json.decoder.JSONDecodeError: Unterminated string starting at: line 1 column 841 (char 840) Terminated

Environment

1. OS - Ubuntu
2. OpenCTI version: 5.12.9
3. OpenCTI client: frontend
4. Other environment details: The server only runs the alien vault feed, I have rebuilt it and the same issue is still occurring

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Install docker, docker compose,
2. load up docker compose file
3. wait a bit for the files to start coming in and backing up

Expected Output

I expect the backup feed to keep backing up with out restarting every 10 sec.

i have a number of other opencti instances and feeds backing up and not one other seems to have this issue

Actual Output

The backup connector restarts every 10 sec and shows this error

AV-connectoer log.txt

Additional information

`###------------------- AV CONNECTOR 1 of 2 PORT 4000-----------------------### version: '3' services:

------------------- REDIS SEARCH -----------------------

redis: image: redis:7.2.3 ports:

• "6379:6379" privileged: true command: --port 6379 restart: always volumes:

• redisdata:/data

  ------------------- ELASTIC SEARCH -----------------------

  elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:8.11.3 volumes:

• esdata:/usr/share/elasticsearch/data environment:

  Comment-out the line below for a cluster of multiple nodes

• discovery.type=single-node

  Uncomment the line below below for a cluster of multiple nodes

  - cluster.name=docker-cluster

• xpack.ml.enabled=false
• xpack.security.enabled=false
• "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
• http.port=9200 ports:

• "9200:9200" restart: always ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536

  ------------------- MINIO -----------------------

  minio: image: minio/minio:RELEASE.2023-11-15T20-43-25Z volumes:

• s3data:/data ports:
• "9000:9000"

• "9001:9001" environment: MINIO_ROOT_USER: ${MINIO_ROOT_USER} MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}

  command: server --address ":9000" --console-address ":9001" /data healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] interval: 30s timeout: 20s retries: 3 restart: always

  ------------------- RABITMQ -----------------------

  rabbitmq: image: rabbitmq:3.12-management privileged: true environment:

• RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
• RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
• RABBITMQ_NODENAME=rabbit01@localhost
• RABBITMQ_NODE_PORT=5672
• RABBITMQ_SERVER_START_ARGS=-rabbitmq_management listener [{port,15672}] ports:
• "5672:5672"
• "15672:15672" volumes:

• amqpdata:/var/lib/rabbitmq restart: always

  ------------------- OPENCTI -----------------------

  opencti: image: opencti/platform:${OPENCTI_VERSION} environment:

• NODE_OPTIONS=--max-old-space-size=8096
• APP__PORT=4000
• APP__BASE_URL=${OPENCTI_BASE_URL}
• APPADMINEMAIL=${OPENCTI_ADMIN_EMAIL}
• APPADMINPASSWORD=${OPENCTI_ADMIN_PASSWORD}
• APPADMINTOKEN=${OPENCTI_ADMIN_TOKEN}
• APP__APP_LOGS__LOGS_LEVEL=info
• REDIS__HOSTNAME=redis
• REDIS__PORT=6379
• ELASTICSEARCH__URL=http://elasticsearch:9200
• MINIO__ENDPOINT=minio
• MINIO__PORT=9000
• MINIO__USE_SSL=false
• MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
• MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
• RABBITMQ__HOSTNAME=rabbitmq
• RABBITMQ__PORT=5672
• RABBITMQ__PORT_MANAGEMENT=15672
• RABBITMQ__MANAGEMENT_SSL=false
• RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
• RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
• SMTP__HOSTNAME=${SMTP_HOSTNAME}
• SMTP__PORT=25
• PROVIDERSLOCALSTRATEGY=LocalStrategy ports:
• "4000:4000" depends_on:
• redis
• elasticsearch
• minio
• rabbitmq restart: always

------------------- Worker -----------------------

worker: image: opencti/worker:${OPENCTI_VERSION} environment:

• OPENCTI_URL=http://opencti:4000
• OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
• WORKER_LOG_LEVEL=info depends_on:
• opencti deploy: mode: replicated replicas: 3 restart: always

------------------- AV BACKUP -----------------------

c.av-backup-files: image: opencti/connector-backup-files:${OPENCTI_VERSION}

privileged: true

environment:      
  - OPENCTI_URL=http://opencti:4000
  - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
  - CONNECTOR_ID=${CONNECTOR_BACKUP_ID}
  - CONNECTOR_TYPE=STREAM
  - CONNECTOR_LIVE_STREAM_ID=live # ID of the live stream created in the OpenCTI UI
  - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
  - CONNECTOR_NAME=BackupFiles
  - CONNECTOR_SCOPE=backup
  - CONNECTOR_LOG_LEVEL=info
  - BACKUP_PROTOCOL=local # Protocol for file copy (only `local` is supported for now).
  - BACKUP_PATH=/home/opencti_admin/1.Feeds/${CONNECTOR_FEED} # Path to be used to copy the data, can be relative or absolute.
restart: always
volumes:
  - /home/opencti_admin/1.Feeds/${CONNECTOR_FEED}:/home/opencti_admin/1.Feeds/${CONNECTOR_FEED}
depends_on:
  - opencti

------------------- AV FEED -----------------------

connector-alienvault: image: opencti/connector-alienvault:${OPENCTI_VERSION} environment:

• OPENCTI_URL=http://opencti:4000
• OPENCTI_TOKEN=${CONNECTOR_AV_USER}
• CONNECTOR_ID=${CONNECTOR_AV_ID}
• CONNECTOR_TYPE=EXTERNAL_IMPORT
• CONNECTOR_NAME=AlienVault
• CONNECTOR_SCOPE=alienvault
• CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
• CONNECTOR_UPDATE_EXISTING_DATA=false
• CONNECTOR_LOG_LEVEL=info
• ALIENVAULT_BASE_URL=https://otx.alienvault.com
• ALIENVAULT_API_KEY=xxxxxxxxxxxxx
• ALIENVAULT_TLP=White
• ALIENVAULT_CREATE_OBSERVABLES=true
• ALIENVAULT_CREATE_INDICATORS=true
• ALIENVAULT_PULSE_START_TIMESTAMP=2020-05-01T00:00:00 # BEWARE! Could be a lot of pulses!
• ALIENVAULT_REPORT_TYPE=threat-report
• ALIENVAULT_REPORT_STATUS=New
• ALIENVAULT_GUESS_MALWARE=false # Use tags to guess malware.
• ALIENVAULT_GUESS_CVE=false # Use tags to guess CVE.
• ALIENVAULT_EXCLUDED_PULSE_INDICATOR_TYPES=FileHash-MD5,FileHash-SHA1 # Excluded Pulse indicator types.
• ALIENVAULT_ENABLE_RELATIONSHIPS=true # Enable/Disable relationship creation between SDOs.
• ALIENVAULT_ENABLE_ATTACK_PATTERNS_INDICATES=false # Enable/Disable "indicates" relationships between indicators and attack patterns
• ALIENVAULT_INTERVAL_SEC=1800 restart: always depends_on:
• opencti volumes: esdata: s3data: redisdata: amqpdata:`

Screenshots (optional)

[nino-filigran]

@axelfahy I think you were the one who created the conenctor. Would you mind having a look?

[axelfahy]

@nino-filigran, sorry, but I have never used this connector.

[nino-filigran]

my bad then! I did look in the wrong place. @daemitus / @Arcelone / @rlynch-ironnet / @maertv I see that you all have done some PRs in the past with this connector. Would any of you mind having a look at this?