OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Errors cause opencti_history index to become very large and crash opencti. #4973

Open Pez721 opened 11 months ago

Pez721 commented 11 months ago

I have deployed Opencti and the Opencti CVE connector (both version 5.9.6). This deployment is in Google Cloud Platform using their Kubernetes engine. OpenCTI started failing today, in the pods I saw the error: {"category":"APP","error":{"context":{},"message":"The content length (1632551421) is bigger than the maximum allowed string (536870888)"

I understand this error is caused by Opencti requesting more data from Kibana than its maximum allowance. The query executed was:

(/opt/opencti/build/node_modules/set-interval-async/dist/set-interval-async-timer.cjs:29:13)"},"level":"error","message":"[SEARCH] Paginate fail","query":{"_source":true,"body":{"query":{"bool":{"must":[{"bool":{"minimum_should_match":1,"should":[{"match_phrase":{"entity_type.keyword":"Work"}},{"match_phrase":{"parent_types.keyword":"Work"}}]}},{"bool":{"minimum_should_match":1,"should":[{"multi_match":{"fields":["event_source_id.keyword"],"query":"aa6288f3-59c8-46bc-ba1b-51a7dfec4ea6"}}]}},{"bool":{"minimum_should_match":1,"should":[{"multi_match":{"fields":["status.keyword"],"query":"complete"}}]}},{"bool":{"minimum_should_match":1,"should":[{"range":{"completed_time":{"lte":"now-7d/d"}}}]}}],"must_not":[]}},"size":5000,"sort":[{"_score":"desc"},{"standard_id.keyword":"asc"}]},"ignore_throttled":false,"index":["opencti_history"],"track_total_hits":true},"timestamp":"2023-11-23T14:12:08.412Z","version":"5.9.6"}

I looked into the query being executed and the data that it was attempting to retrieve from the opencti_history index. When I looked at these documents in Discover I saw that the CVE connector had attempted to modify many vulnerabilities but had encountered the same python exception on each one. Storing these errors caused the document to become extremely large, even viewing 25 of these documents in Kibana caused errors in the GUI. The traceback error was:

Traceback (most recent call last):
  File "/opt/opencti-worker/worker.py", line 224, in data_handler
    self.api.stix2.import_bundle_from_json(
  File "/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2.py", line 209, in import_bundle_from_json
    return self.import_bundle(
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2.py", line 2364, in import_bundle
    self.import_object(item, update, types)
  File "/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2.py", line 748, in import_object
    embedded_relationships = self.extract_embedded_relationships(stix_object, types)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2.py", line 532, in extract_embedded_relationships
    external_reference_id = self.opencti.external_reference.create(
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pycti/entities/opencti_external_reference.py", line 210, in create
    result = self.opencti.query(
             ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py", line 358, in query
    raise ValueError(
ValueError: {'name': 'Variable "$input" got invalid value "" at "input.source_name"; Expected type "source_name_String_NotNull_minLength_2". Must be at least 2 characters in length', 'message': 'Variable "$input" got invalid value "" at "input.source_name"; Expected type "source_name_String_NotNull_minLength_2". Must be at least 2 characters in length'}

I have removed the CVE connector and deleted the documents with errors, now the platform is running again.

Have you encountered this error before and is there a solution to prevent it reoccurring?

Many thanks for your help
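Two defensive checks that follow from the failure described in this issue, written here as an added example (this is not OpenCTI or pycti code, and nothing in it is part of the original report). The first validates external references in a STIX bundle against the `minLength(2)` rule on `source_name` that the worker's `ValueError` quotes, so a bad feed is rejected or repaired before the worker raises once per object and fills `opencti_history`. The second estimates the serialised size of `Work` documents and flags any whose size, multiplied by the page size of 5000 used in the logged query, would exceed the 536870888-byte Node string limit from the error. The sample bundle, the sample history documents and their field names (`errors`, `status`, `entity_type`, `internal_id`) are constructed for illustration; only the two limit values come from the issue.

```python
"""Added example, not OpenCTI/pycti code.

1. find_bad_external_references / strip_bad_external_references:
   pre-import validation of the source_name rule quoted in the worker error.
2. oversized_works: size check for history Work documents against the
   Node maximum string length reported in the platform error.
Sample data below is constructed; field names are assumptions.
"""
import json

NODE_MAX_STRING = 536_870_888   # "maximum allowed string (536870888)" from the log
QUERY_PAGE_SIZE = 5000          # "size":5000 in the logged paginate query
MIN_SOURCE_NAME_LEN = 2         # source_name_String_NotNull_minLength_2


def _source_name_ok(ref: dict) -> bool:
    name = ref.get("source_name")
    return isinstance(name, str) and len(name.strip()) >= MIN_SOURCE_NAME_LEN


def find_bad_external_references(bundle: dict) -> list:
    """Return (object_id, ref_index, source_name) for every external
    reference that would fail the platform's minLength(2) validation."""
    problems = []
    for obj in bundle.get("objects", []):
        for i, ref in enumerate(obj.get("external_references", [])):
            if not _source_name_ok(ref):
                problems.append((obj.get("id"), i, ref.get("source_name")))
    return problems


def strip_bad_external_references(bundle: dict) -> dict:
    """Deep-copy the bundle and drop offending external references so the
    rest of each object can still be imported without raising."""
    cleaned = json.loads(json.dumps(bundle))
    for obj in cleaned.get("objects", []):
        if obj.get("external_references"):
            obj["external_references"] = [
                r for r in obj["external_references"] if _source_name_ok(r)
            ]
    return cleaned


def doc_size_bytes(doc: dict) -> int:
    """Compact-JSON size, a reasonable proxy for the _source size ES returns."""
    return len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def oversized_works(docs: list, page_size: int = QUERY_PAGE_SIZE,
                    budget: int = NODE_MAX_STRING) -> list:
    """Flag Work documents so large that a page of `page_size` similar
    documents would exceed `budget` bytes (the per-document share)."""
    per_doc_budget = budget // page_size  # 107374 bytes with the defaults
    return [
        (d.get("internal_id"), doc_size_bytes(d))
        for d in docs
        if d.get("entity_type") == "Work" and doc_size_bytes(d) > per_doc_budget
    ]


# ---- constructed sample data (not from the issue) ----
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--example-0001",
    "objects": [{
        "type": "vulnerability", "id": "vulnerability--example-0001",
        "name": "CVE-EXAMPLE-0001",
        "external_references": [
            {"source_name": "cve", "external_id": "CVE-EXAMPLE-0001"},
            {"source_name": "", "url": "https://example.invalid/advisory"},
        ],
    }],
}

_FAKE_TRACE = ("Traceback (most recent call last): ... ValueError: Variable "
               "\"$input\" got invalid value \"\" at \"input.source_name\"") * 2

SAMPLE_WORKS = [
    {"internal_id": "work--small", "entity_type": "Work",
     "status": "complete", "errors": []},
    # one Work that accumulated a traceback per failed vulnerability update
    {"internal_id": "work--huge", "entity_type": "Work",
     "status": "complete", "errors": [_FAKE_TRACE] * 1000},
]

if __name__ == "__main__":
    print("bad refs:", find_bad_external_references(SAMPLE_BUNDLE))
    print("oversized:", oversized_works(SAMPLE_WORKS))
```

Run as a pre-flight on a connector's output, the first check turns a per-object worker exception into a single rejected feed; the second can be pointed at a dump of `Work` documents from the history index to catch growth before a paginate call crosses the Node limit.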

nino-filigran commented 11 months ago

If you don't find anybody able to help you here @Pez721 please also try to ask your question on our OpenCTI slack channel.