Worker error when importing Network-Traffic object with nested properties #6056
Comments
Hi @AlexSanchezN and thanks for the details! After some investigations, I narrowed down the issue to a simple repro case:
The error prevents the modification from being published in the stream (as you can see if you do this operation with a However, the data is still ingested correctly. The only side effect I see would be that if the event is not published, the platform cannot trigger automatic enrichments or any scripted process relying on the event stream. Could you confirm this on your side? Do you get the right data object ingested, with the src relationship? I'll try to fix this asap.
Hi @labo-flg, thanks for your help. Our real problem is from the Worker as once we receive the store update event error, nothing else in the bundle is ingested/created. Great work! Thanks again!
…6056) Co-authored-by: Souad Hadjiat <souad.hadjiat@filigran.io> Co-authored-by: Julien Richard <julien.richard@filigran.io>
We receive the error below when importing a Network-Traffic object via Worker from a stix bundle:
{'name': 'DATABASE_ERROR', 'message': 'Error in store update event'}
In the Worker logs we find the following error message:
ERROR:worker:{'name': 'DATABASE_ERROR', 'message': 'Error in store update event'}
Traceback (most recent call last):
  File "/opt/opencti/./worker/worker.py", line 263, in data_handler
    self.api.stix2.import_bundle_from_json(
  File "/usr/local/lib/python3.10/dist-packages/pycti/utils/opencti_stix2.py", line 215, in import_bundle_from_json
    return self.import_bundle(
  File "/usr/local/lib/python3.10/dist-packages/pycti/utils/opencti_stix2.py", line 2421, in import_bundle
    self.import_observable(item, update, types)
  File "/usr/local/lib/python3.10/dist-packages/pycti/utils/opencti_stix2.py", line 1066, in import_observable
    self.opencti.stix_nested_ref_relationship.create(
  File "/usr/local/lib/python3.10/dist-packages/pycti/entities/opencti_stix_nested_ref_relationship.py", line 266, in create
    result = self.opencti.query(
  File "/usr/local/lib/python3.10/dist-packages/pycti/api/opencti_api_client.py", line 348, in query
    raise ValueError(
ValueError: {'name': 'DATABASE_ERROR', 'message': 'Error in store update event'}
No associated error is found in the Platform logs
After some testing with the code that generates the bundles, we find:
The problem is related to the network-traffic object.
It only appears if we add src_ref, start or end properties. (we do not add dst_ref, haven’t checked the case).
If we create the object without those properties, it is created correctly.
If we only add start and end properties, the object is created correctly.
If we only add src_ref, most objects are created correctly, but the error still appears (let’s say 20% of the time).
If we add src_ref, start and end, ALL network-traffic object creation fails.
Environment
Ubuntu 22.04 baremetal installation. All platform components in different VMs.
Current platform version 5.12.32
Reproducible Steps
Difficult to reproduce, as the same bundle that gives the error when importing via Worker does not give an error when imported via WorkBench.
Expected Output
A nice network-traffic object with associated src_ref, start and end time.
Actual Output
The errors above
Additional information
There are similar reports in Filigran's Slack, posted after ours:
https://filigran-community.slack.com/archives/C06CF1N302W/p1708432322249959
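
Added example, not part of the original issue or the OpenCTI code base: a small generator for the four property combinations the report lists (no extra properties, start/end only, src_ref only, all three), so each can be imported separately to isolate the failing case. The IP address, timestamps, file names and helper names are constructed for illustration; object IDs are random UUIDs rather than the spec's deterministic ones.

```python
import json
import uuid
from itertools import product

SRC_IP = "198.51.100.7"             # constructed sample value (TEST-NET-2)
START = "2024-02-20T10:00:00.000Z"  # constructed sample timestamps
END = "2024-02-20T10:05:00.000Z"


def make_bundle(with_src_ref, with_times):
    """Build one STIX 2.1 bundle holding a single network-traffic object."""
    ip = {"type": "ipv4-addr", "spec_version": "2.1",
          "id": f"ipv4-addr--{uuid.uuid4()}", "value": SRC_IP}
    nt = {"type": "network-traffic", "spec_version": "2.1",
          "id": f"network-traffic--{uuid.uuid4()}", "protocols": ["tcp"]}
    objects = [nt]
    if with_src_ref:
        nt["src_ref"] = ip["id"]
        objects.insert(0, ip)  # ship the referenced observable in the same bundle
    if with_times:
        nt["start"], nt["end"] = START, END
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def build_variants():
    """One bundle per combination from the report, keyed (src_ref, start/end)."""
    return {(src, times): make_bundle(src, times)
            for src, times in product((False, True), repeat=2)}


def dangling_refs(bundle):
    """Return (object id, property, target) for refs that do not resolve in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, value in obj.items():
            targets = [value] if key.endswith("_ref") else value if key.endswith("_refs") else []
            missing += [(obj["id"], key, t) for t in targets if t not in ids]
    return missing


if __name__ == "__main__":
    # Write one file per variant; each can then go through the Worker import path.
    for (src, times), bundle in build_variants().items():
        name = f"nt_src{int(src)}_times{int(times)}.json"
        with open(name, "w") as fh:
            json.dump(bundle, fh, indent=2)
        print(name, "dangling refs:", dangling_refs(bundle))
```

An empty `dangling_refs` result rules out a missing `src_ref` target in the bundle itself as the cause before the Worker is involved.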