OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Network Object is deduplicating #8033

Open sudesh0sudesh opened 1 month ago

sudesh0sudesh commented 1 month ago

Description

I was testing a new feed and creating network objects. When a new network object is created or pushed for the same port with a new destination IP, it is not creating a new network object; instead, it is replacing the existing network object's destination IP address. This behavior is not ideal or expected.

Environment

OpenCTI version: 6.2.11

Screenshot 2024-08-14 at 11 31 51


sudesh0sudesh commented 1 month ago

Screenshot 2024-08-14 at 13 59 41

sudesh0sudesh commented 1 month ago

I think deduplication or replacement should be performed if at least two common parameters match, and not solely on the port number in the network object. On the other hand, maybe a custom observable for port is not a bad idea.

nino-filigran commented 1 month ago

@sudesh0sudesh I would need slightly more information to help out. Could you provide me with reproduction steps (which type of feed are you trying to ingest, its link if possible, if it's ingested through a CSV the mapping of the corresponding CSV...) since reading your ticket and trying to reproduce manually was not successful on my side.

sudesh0sudesh commented 4 weeks ago

So, I have basically tried creating a connector and feeding it through the connector API. The feed is just a network feed. For example, in a network on port 80, multiple devices might start communicating. Here, when a new network object is created with a different IP and the same port, instead of creating a new network object, it simply replaces the IP in the network object.

richard-julien commented 3 weeks ago

Can you check if the source is not sending the same stix id? We will need to have the 2 stix bundles responsible for this situation to try to reproduce. Thanks

sudesh0sudesh commented 3 weeks ago

I am sure that it is not sending the same STIX IDs for network objects because I pushed thousands of them on various ports and it happened to all of them. All of them were created using the stix2 library.

richard-julien commented 3 weeks ago

Hi @sudesh0sudesh. Can you please give us an example of 2 STIX bundles that produce this problem? Thanks

sudesh0sudesh commented 3 weeks ago

I don't think I have one @richard-julien, I have modified that connector to do a different set of actions. If you need one I can try to reproduce the same. I have tried to ingest data that has port information, so I converted it into network objects.

nino-filigran commented 5 days ago

@sudesh0sudesh yes, we would need a precise example of when this happens to be able to reproduce. Even if it's two examples crafted by hand, that would help us.
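A hand-crafted pair of STIX 2.1 bundles of the kind the maintainers ask for, as an added example that is not part of this issue thread and not code from the OpenCTI project or the stix2 library. It builds two bundles in which the same client talks to two different servers on port 80, derives deterministic SCO ids the way STIX 2.1 specifies (UUIDv5 over the id-contributing properties, with a simplified canonical-JSON step), and then compares two constructed dedup keys: `port_only_key`, modelling the behaviour the reporter observed, and `composite_key`, in the spirit of the reporter's proposal. Both key functions, the sample addresses and the `build_repro_bundles` helper are illustrative assumptions, not OpenCTI's actual deduplication logic.

```python
import json
import uuid

# STIX 2.1 namespace used for deterministic SCO identifiers (OASIS spec value).
STIX21_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Id-contributing properties per SCO type (STIX 2.1 spec); only the two
# object types this thread is about are listed.
ID_CONTRIBUTING = {
    "ipv4-addr": ("value",),
    "network-traffic": ("start", "end", "src_ref", "dst_ref",
                        "src_port", "dst_port", "protocols", "extensions"),
}


def deterministic_id(obj_type, props):
    # UUIDv5 over the canonical JSON of the id-contributing properties that are
    # present. Sorted keys and compact separators approximate the JSON
    # Canonicalization Scheme (RFC 8785) that real STIX tooling uses.
    contributing = {k: props[k] for k in ID_CONTRIBUTING[obj_type] if k in props}
    name = json.dumps(contributing, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return f"{obj_type}--{uuid.uuid5(STIX21_NAMESPACE, name)}"


def ipv4_addr(value):
    props = {"type": "ipv4-addr", "spec_version": "2.1", "value": value}
    props["id"] = deterministic_id("ipv4-addr", props)
    return props


def network_traffic(src, dst, dst_port, protocols=("tcp",)):
    props = {
        "type": "network-traffic", "spec_version": "2.1",
        "src_ref": src["id"], "dst_ref": dst["id"],
        "dst_port": dst_port, "protocols": list(protocols),
    }
    props["id"] = deterministic_id("network-traffic", props)
    return props


def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects)}


def build_repro_bundles():
    # Constructed sample data (hypothetical): one client, two servers, port 80.
    client = ipv4_addr("10.0.0.5")
    server_a = ipv4_addr("192.0.2.10")
    server_b = ipv4_addr("192.0.2.20")
    first = bundle(client, server_a, network_traffic(client, server_a, 80))
    second = bundle(client, server_b, network_traffic(client, server_b, 80))
    return first, second


def port_only_key(nt):
    # Hypothetical dedup key: only the destination port is considered, which
    # is the behaviour the reporter describes (second object overwrites first).
    return (nt["dst_port"],)


def composite_key(nt):
    # Hypothetical dedup key: endpoints, port and protocols together, so a
    # new destination on the same port yields a distinct object.
    return (nt["src_ref"], nt["dst_ref"], nt["dst_port"], tuple(nt["protocols"]))


def collides(key_fn, first, second):
    # True when the two bundles' network-traffic objects would be merged
    # under the given dedup key.
    nt1 = next(o for o in first["objects"] if o["type"] == "network-traffic")
    nt2 = next(o for o in second["objects"] if o["type"] == "network-traffic")
    return key_fn(nt1) == key_fn(nt2)


if __name__ == "__main__":
    first, second = build_repro_bundles()
    print(json.dumps(first, indent=2))
    print(json.dumps(second, indent=2))
    print("port-only key collides:", collides(port_only_key, first, second))
    print("composite key collides:", collides(composite_key, first, second))
```

Running the script prints the two bundles ready to paste into a report; the two `network-traffic` objects carry different `id` values because `dst_ref` is id-contributing, so a consumer that merges them on port alone is ignoring the spec-level identity, whereas the composite key keeps them apart.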