OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io
6.24k stars 922 forks

Observable of type Domain-Name is not correctly formatted #4297

Open cl-tim opened 1 year ago

cl-tim commented 1 year ago

Description

Invalid Domain Names from external sources are causing workers to stop processing some queues.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 22.04
  2. OpenCTI version: 5.10.1
  3. OpenCTI client: front-end
  4. Other environment details: These bundles are from public external import connectors, so I have no ability to fix the invalid data from the bundles (if it's actually the raw STIX causing this).

Reproducible Steps

N/A - STIX bundle seems to have come from the Google DNS connector, but difficult to tell as it has affected several enrichment connectors.

Expected Output

Engine should skip the invalid record, but it's just attempting to ingest it over and over. I have 250k queued bundles that aren't getting processed now.

Actual Output

N/A

Additional information

Two samples of these errors from the opencti container log:

2023-09-09T10:27:33.760594046Z {"category":"APP","error":{"data":{"category":"business","http_status":400,"observableSyntaxResult":"Valid domain name","reason":"Observable of type Domain-Name is not correctly formatted."},"stacktrace":["FunctionalError: Business validation","at error (/opt/opencti/build/src/config/errors.js:8:10)","at FunctionalError (/opt/opencti/build/src/config/errors.js:87:50)","at addStixCyberObservable (/opt/opencti/build/src/domain/stixCyberObservable.js:214:11)","at Object.resolve [as stixCyberObservableAdd] (/opt/opencti/build/src/resolvers/stixCyberObservable.js:123:51)","at fieldResolver (/opt/opencti/build/src/graphql/authDirective.js:59:24)","at resolveFn (/opt/opencti/build/node_modules/apollo-server-core/src/utils/schemaInstrumentation.ts:106:18)","at executeField (/opt/opencti/build/node_modules/graphql/execution/execute.js:492:20)","at callbackFn (/opt/opencti/build/node_modules/graphql/execution/execute.js:377:22)","at promiseReduce (/opt/opencti/build/node_modules/graphql/jsutils/promiseReduce.js:23:9)","at executeFieldsSerially (/opt/opencti/build/node_modules/graphql/execution/execute.js:373:29)","at executeOperation (/opt/opencti/build/node_modules/graphql/execution/execute.js:347:14)","at execute (/opt/opencti/build/node_modules/graphql/execution/execute.js:136:20)","at execute (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:501:20)","at processGraphQLRequest (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:407:28)"]},"inner_relation_creation":0,"level":"error","message":"API Call","operation":"StixCyberObservableAdd","operation_query":"mutation 
StixCyberObservableAdd($type:String!$stix_id:StixId$x_opencti_score:Int$x_opencti_description:String$createIndicator:Boolean$createdBy:String$objectMarking:[String]$objectLabel:[String]$objectOrganization:[String]$externalReferences:[String]$AutonomousSystem:AutonomousSystemAddInput$Directory:DirectoryAddInput$DomainName:DomainNameAddInput$EmailAddr:EmailAddrAddInput$EmailMessage:EmailMessageAddInput$EmailMimePartType:EmailMimePartTypeAddInput$Artifact:ArtifactAddInput$StixFile:StixFileAddInput$X509Certificate:X509CertificateAddInput$IPv4Addr:IPv4AddrAddInput$IPv6Addr:IPv6AddrAddInput$MacAddr:MacAddrAddInput$Mutex:MutexAddInput$NetworkTraffic:NetworkTrafficAddInput$Process:ProcessAddInput$Software:SoftwareAddInput$Url:UrlAddInput$UserAccount:UserAccountAddInput$WindowsRegistryKey:WindowsRegistryKeyAddInput$WindowsRegistryValueType:WindowsRegistryValueTypeAddInput$CryptographicKey:CryptographicKeyAddInput$CryptocurrencyWallet:CryptocurrencyWalletAddInput$Hostname:HostnameAddInput$Text:TextAddInput$UserAgent:UserAgentAddInput$BankAccount:BankAccountAddInput$PhoneNumber:PhoneNumberAddInput$PaymentCard:PaymentCardAddInput$MediaContent:MediaContentAddInput){stixCyberObservableAdd(type:$type stix_id:$stix_id x_opencti_score:$x_opencti_score x_opencti_description:$x_opencti_description createIndicator:$createIndicator createdBy:$createdBy objectMarking:$objectMarking objectLabel:$objectLabel externalReferences:$externalReferences objectOrganization:$objectOrganization AutonomousSystem:$AutonomousSystem Directory:$Directory DomainName:$DomainName EmailAddr:$EmailAddr EmailMessage:$EmailMessage EmailMimePartType:$EmailMimePartType Artifact:$Artifact StixFile:$StixFile X509Certificate:$X509Certificate IPv4Addr:$IPv4Addr IPv6Addr:$IPv6Addr MacAddr:$MacAddr Mutex:$Mutex NetworkTraffic:$NetworkTraffic Process:$Process Software:$Software Url:$Url UserAccount:$UserAccount WindowsRegistryKey:$WindowsRegistryKey WindowsRegistryValueType:$WindowsRegistryValueType 
CryptographicKey:$CryptographicKey CryptocurrencyWallet:$CryptocurrencyWallet Hostname:$Hostname Text:$Text UserAgent:$UserAgent BankAccount:$BankAccount PhoneNumber:$PhoneNumber PaymentCard:$PaymentCard MediaContent:$MediaContent){id standard_id entity_type parent_types indicators{edges{node{id pattern pattern_type}}}}}","size":267,"time":1,"timestamp":"2023-09-09T10:27:33.760Z","type":"WRITE_ERROR","user":{"group_ids":["7ab351e3-15e5-4cf8-bc6e-8cea07c0c174","7b2aaa03-bef3-4e4b-84c4-a16e07359d5b","5336f103-3afc-4fa2-93b6-3786804b5b25"],"ip":"::ffff:172.18.0.6","organization_ids":[],"socket":"query","user_id":"bc867313-45a9-4ad6-b090-20e59293f2bd"},"variables":{"DomainName":{"value":"adsl."},"createIndicator":false,"createdBy":null,"externalReferences":null,"objectLabel":null,"objectMarking":null,"objectOrganization":null,"stix_id":null,"type":"Domain-Name","update":true,"x_opencti_description":null,"x_opencti_score":null},"version":"5.10.1"}

2023-09-09T10:23:26.645190279Z {"category":"APP","error":{"data":{"category":"business","http_status":400,"observableSyntaxResult":"Valid domain name","reason":"Observable of type Domain-Name is not correctly formatted."},"stacktrace":["FunctionalError: Business validation","at error (/opt/opencti/build/src/config/errors.js:8:10)","at FunctionalError (/opt/opencti/build/src/config/errors.js:87:50)","at addStixCyberObservable (/opt/opencti/build/src/domain/stixCyberObservable.js:214:11)","at Object.resolve [as stixCyberObservableAdd] (/opt/opencti/build/src/resolvers/stixCyberObservable.js:123:51)","at fieldResolver (/opt/opencti/build/src/graphql/authDirective.js:59:24)","at resolveFn (/opt/opencti/build/node_modules/apollo-server-core/src/utils/schemaInstrumentation.ts:106:18)","at executeField (/opt/opencti/build/node_modules/graphql/execution/execute.js:492:20)","at callbackFn (/opt/opencti/build/node_modules/graphql/execution/execute.js:377:22)","at promiseReduce (/opt/opencti/build/node_modules/graphql/jsutils/promiseReduce.js:23:9)","at executeFieldsSerially (/opt/opencti/build/node_modules/graphql/execution/execute.js:373:29)","at executeOperation (/opt/opencti/build/node_modules/graphql/execution/execute.js:347:14)","at execute (/opt/opencti/build/node_modules/graphql/execution/execute.js:136:20)","at execute (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:501:20)","at processGraphQLRequest (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:407:28)"]},"inner_relation_creation":0,"level":"error","message":"API Call","operation":"StixCyberObservableAdd","operation_query":"mutation 
StixCyberObservableAdd($type:String!$stix_id:StixId$x_opencti_score:Int$x_opencti_description:String$createIndicator:Boolean$createdBy:String$objectMarking:[String]$objectLabel:[String]$objectOrganization:[String]$externalReferences:[String]$AutonomousSystem:AutonomousSystemAddInput$Directory:DirectoryAddInput$DomainName:DomainNameAddInput$EmailAddr:EmailAddrAddInput$EmailMessage:EmailMessageAddInput$EmailMimePartType:EmailMimePartTypeAddInput$Artifact:ArtifactAddInput$StixFile:StixFileAddInput$X509Certificate:X509CertificateAddInput$IPv4Addr:IPv4AddrAddInput$IPv6Addr:IPv6AddrAddInput$MacAddr:MacAddrAddInput$Mutex:MutexAddInput$NetworkTraffic:NetworkTrafficAddInput$Process:ProcessAddInput$Software:SoftwareAddInput$Url:UrlAddInput$UserAccount:UserAccountAddInput$WindowsRegistryKey:WindowsRegistryKeyAddInput$WindowsRegistryValueType:WindowsRegistryValueTypeAddInput$CryptographicKey:CryptographicKeyAddInput$CryptocurrencyWallet:CryptocurrencyWalletAddInput$Hostname:HostnameAddInput$Text:TextAddInput$UserAgent:UserAgentAddInput$BankAccount:BankAccountAddInput$PhoneNumber:PhoneNumberAddInput$PaymentCard:PaymentCardAddInput$MediaContent:MediaContentAddInput){stixCyberObservableAdd(type:$type stix_id:$stix_id x_opencti_score:$x_opencti_score x_opencti_description:$x_opencti_description createIndicator:$createIndicator createdBy:$createdBy objectMarking:$objectMarking objectLabel:$objectLabel externalReferences:$externalReferences objectOrganization:$objectOrganization AutonomousSystem:$AutonomousSystem Directory:$Directory DomainName:$DomainName EmailAddr:$EmailAddr EmailMessage:$EmailMessage EmailMimePartType:$EmailMimePartType Artifact:$Artifact StixFile:$StixFile X509Certificate:$X509Certificate IPv4Addr:$IPv4Addr IPv6Addr:$IPv6Addr MacAddr:$MacAddr Mutex:$Mutex NetworkTraffic:$NetworkTraffic Process:$Process Software:$Software Url:$Url UserAccount:$UserAccount WindowsRegistryKey:$WindowsRegistryKey WindowsRegistryValueType:$WindowsRegistryValueType 
CryptographicKey:$CryptographicKey CryptocurrencyWallet:$CryptocurrencyWallet Hostname:$Hostname Text:$Text UserAgent:$UserAgent BankAccount:$BankAccount PhoneNumber:$PhoneNumber PaymentCard:$PaymentCard MediaContent:$MediaContent){id standard_id entity_type parent_types indicators{edges{node{id pattern pattern_type}}}}}","size":267,"time":2,"timestamp":"2023-09-09T10:23:26.644Z","type":"WRITE_ERROR","user":{"group_ids":["7ab351e3-15e5-4cf8-bc6e-8cea07c0c174","7b2aaa03-bef3-4e4b-84c4-a16e07359d5b","5336f103-3afc-4fa2-93b6-3786804b5b25"],"ip":"::ffff:172.18.0.6","organization_ids":[],"socket":"query","user_id":"bc867313-45a9-4ad6-b090-20e59293f2bd"},"variables":{"DomainName":{"value":"dhcp."},"createIndicator":false,"createdBy":null,"externalReferences":null,"objectLabel":null,"objectMarking":null,"objectOrganization":null,"stix_id":null,"type":"Domain-Name","update":true,"x_opencti_description":null,"x_opencti_score":null},"version":"5.10.1"}

Screenshots (optional)

cl-tim commented 1 year ago

I'm also seeing this message in the logs appearing over and over around these "not correctly formatted" errors - not sure if it's related:

2023-09-09T14:53:09.412782579Z (node:7) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 abort listeners added to [EventEmitter]. Use emitter.setMaxListeners() to increase limit

richard-julien commented 1 year ago

Hi @cl-tim, I don't think there is any problem with the platform. It looks like your bundle is full of bad domains. In this case the platform checks and fails, and if your bundle is full of failures it will take time but will finish at some point.

We can see in your logs that it is not a loop but 2 different domains.

{"value":"adsl."}
{"value":"dhcp."}

Now if you are able to get some error logs that loop on the same error, please add the bundle to the ticket so we are able to reproduce.

For the "Possible EventEmitter memory leak detected", it's a warning from the Elasticsearch client, nothing to worry about.
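The exchange above turns on two observable values, "adsl." and "dhcp.", that the platform's business validation rejects as malformed Domain-Name observables. When the bundles come from an external connector the operator cannot change, a pre-filter between the connector output and the import queue is one way to stop such objects from reaching the API at all. The script below is an added example and not part of this thread, of OpenCTI, or of pycti; its domain syntax check is a deliberately conservative approximation (RFC 1035-style labels, at least two labels, alphabetic TLD, trailing dot stripped) and is an assumption, not the platform's own validator. The bundle, its ids, and `example.com` are constructed sample data; only the two bad values are taken from the logs in the issue.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain_name(value: Any) -> bool:
    """Conservative syntax check used only for pre-filtering (an assumption,
    not OpenCTI's own validator): lower-case, trailing dot stripped, at least
    two labels, every label RFC 1035-shaped, alphabetic TLD, total <= 253 chars.
    'adsl.' and 'dhcp.' fail because a single label is left after stripping."""
    if not isinstance(value, str):
        return False
    name = value.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def filter_bundle(bundle: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return a copy of a STIX 2.1 bundle without malformed domain-name observables,
    without relationships that point at them, and with their ids pruned from any
    object_refs, plus the rejected values so they can be logged for review.
    The input bundle is not mutated."""
    rejected: List[str] = []
    dropped_ids = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "domain-name" and not is_valid_domain_name(obj.get("value")):
            rejected.append(str(obj.get("value")))
            dropped_ids.add(obj.get("id"))
    kept: List[Dict[str, Any]] = []
    for obj in bundle.get("objects", []):
        if obj.get("id") in dropped_ids:
            continue
        # A relationship whose endpoint was dropped would itself fail on import.
        if obj.get("type") == "relationship" and (
            obj.get("source_ref") in dropped_ids or obj.get("target_ref") in dropped_ids
        ):
            continue
        if "object_refs" in obj:
            obj = dict(obj, object_refs=[r for r in obj["object_refs"] if r not in dropped_ids])
        kept.append(obj)
    return dict(bundle, objects=kept), rejected


# Constructed sample bundle: the two bad values come from the issue's logs,
# everything else (ids, example.com, the address, the report) is placeholder data.
SAMPLE_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "domain-name", "id": "domain-name--00000000-0000-4000-8000-000000000010", "value": "adsl."},
        {"type": "domain-name", "id": "domain-name--00000000-0000-4000-8000-000000000011", "value": "dhcp."},
        {"type": "domain-name", "id": "domain-name--00000000-0000-4000-8000-000000000012", "value": "example.com"},
        {"type": "ipv4-addr", "id": "ipv4-addr--00000000-0000-4000-8000-000000000020", "value": "192.0.2.1"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000030",
         "relationship_type": "resolves-to",
         "source_ref": "domain-name--00000000-0000-4000-8000-000000000010",
         "target_ref": "ipv4-addr--00000000-0000-4000-8000-000000000020"},
        {"type": "report", "id": "report--00000000-0000-4000-8000-000000000040", "name": "constructed report",
         "object_refs": ["domain-name--00000000-0000-4000-8000-000000000011",
                         "domain-name--00000000-0000-4000-8000-000000000012"]},
    ],
}

if __name__ == "__main__":
    cleaned, rejected = filter_bundle(SAMPLE_BUNDLE)
    print("rejected domain-name values:", rejected)
    print(json.dumps(cleaned, indent=2))
```

Run it on a bundle exported from the connector before pushing it to the platform; the `rejected` list is what to keep in your own logs, since the values that fail upstream validation are exactly the ones worth showing the connector maintainer.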

cl-tim commented 1 year ago

Yeah I'm seeing it looping on the same error. I just picked those two samples to show there was more than one bad domain.

I'll attach the logs when I can export them. Do you need just the opencti container log, or logs from the other containers too?

richard-julien commented 1 year ago

If you can upload a bundle so that I can try to reproduce the loop, thanks.