[Malpedia] Adding variable default_marking, and schedule_unit (#2465)
Megafredo authored Aug 14, 2024
1 parent f014eb4 commit c11e6c6
Showing 6 changed files with 144 additions and 126 deletions.
45 changes: 22 additions & 23 deletions external-import/malpedia/README.md
@@ -26,31 +26,34 @@ We provide an example of [`docker-compose.yml`](docker-compose.yml) file that co

Below are the parameters you'll need to set for OpenCTI:

| Parameter | config.yml | Docker environment variable | Mandatory | Description |
|---------------|------------|-----------------------------|-----------|------------------------------------------------------|
| OpenCTI URL | url | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. |
| OpenCTI Token | token | `OPENCTI_TOKEN` | Yes | The default admin token set in the OpenCTI platform. |
| Parameter `OpenCTI` | config.yml | Docker environment variable | Mandatory | Description |
|---------------------|---------------|-----------------------------|-----------|------------------------------------------------------|
| URL | `url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. |
| Token | `token` | `OPENCTI_TOKEN` | Yes | The default admin token set in the OpenCTI platform. |

Below are the parameters you'll need to set for running the connector properly:

| Parameter | config.yml | Docker environment variable | Default | Mandatory | Description |
|--------------------------------|----------------------|----------------------------------|------------|-----------|----------------------------------------------------------------------------------------|
| Connector ID | id | `CONNECTOR_ID` | / | Yes | A unique `UUIDv4` identifier for this connector instance. |
| Connector Name | name | `CONNECTOR_NAME` | `Malpedia` | Yes | Name of the connector. |
| Connector Scope | scope | `CONNECTOR_SCOPE` | `malpedia` | Yes | Must be `malpedia`, not used in this connector. |
| Connector Log Level | log_level | `CONNECTOR_LOG_LEVEL` | / | Yes | Determines the verbosity of the logs. Options are `debug`, `info`, `warn`, or `error`. |
| Connector Expose Metrics | expose_metrics | `CONNECTOR_EXPOSE_METRICS` | `false` | Yes | If `True` use metrics. |
| Parameter `Connector` | config.yml | Docker environment variable | Default | Mandatory | Description |
|-----------------------|-------------------|-----------------------------|------------|-----------|--------------------------------------------------------------------------------------------------|
| ID | `id` | `CONNECTOR_ID` | / | Yes | A unique `UUIDv4` identifier for this connector instance. |
| Name | `name` | `CONNECTOR_NAME` | `Malpedia` | Yes | Name of the connector. |
| Scope | `scope` | `CONNECTOR_SCOPE` | `malpedia` | Yes | Must be `malpedia`, not used in this connector. |
| Log Level | `log_level` | `CONNECTOR_LOG_LEVEL` | / | Yes | Determines the verbosity of the logs. Options are `debug`, `info`, `warn`, or `error`. |
| Expose Metrics | `expose_metrics` | `CONNECTOR_EXPOSE_METRICS` | `False` | Yes | If `True` use metrics. |
| Duration Period | `duration_period` | `CONNECTOR_DURATION_PERIOD` | / | No | Determines the time interval between each launch of the connector (current use `interval_sec`). |
| Queue Threshold | `queue_threshold` | `CONNECTOR_QUEUE_THRESHOLD` | `500` | No | Used to determine the limit (RabbitMQ) in MB at which the connector must go into buffering mode. |

Below are the parameters you'll need to set for Malpedia connector:

| Parameter | config.yml | Docker environment variable | Default | Mandatory | Description |
|--------------------------------|-----------------------|----------------------------------|---------|-----------|-------------------------------------------------------------------------|
| Malpedia Auth Key | auth_key | `MALPEDIA_AUTH_KEY` | / | Yes | API authentication key |
| Malpedia Interval Sec | internal_sec | `MALPEDIA_INTERVAL_SEC` | `86400` | Yes | Interval in seconds before a new import is considered |
| Malpedia Import Intrusion Sets | import_intrusion_sets | `MALPEDIA_IMPORT_INTRUSION_SETS` | `true` | Yes | Choose if you want to import Intrusion-Sets from Malpedia |
| Malpedia Import Yara | import_yara | `MALPEDIA_IMPORT_YARA` | `true` | Yes | Choose if you want to import Yara rules from Malpedia |
| Malpedia Create Indicators | create_indicators | `MALPEDIA_CREATE_INDICATORS` | `true` | Yes | Choose if you want to create Indicators Sample (File) from Malpedia |
| Malpedia Create Observables | create_observables | `MALPEDIA_CREATE_OBSERVABLES` | `true` | Yes | Choose if you want to create Observables Sample (File) from Malpedia |
| Parameter `Malpedia` | config.yml | Docker environment variable | Default | Mandatory | Description |
|-----------------------|-------------------------|----------------------------------|-------------|-----------|--------------------------------------------------------------------------------------------|
| Auth Key | `auth_key` | `MALPEDIA_AUTH_KEY` | / | Yes | API authentication key |
| Interval Sec | `internal_sec` | `MALPEDIA_INTERVAL_SEC` | `86400` | Yes | Interval in seconds before a new import is considered |
| Import Intrusion Sets | `import_intrusion_sets` | `MALPEDIA_IMPORT_INTRUSION_SETS` | `true` | Yes | Choose if you want to import Intrusion-Sets from Malpedia |
| Import Yara | `import_yara` | `MALPEDIA_IMPORT_YARA` | `true` | Yes | Choose if you want to import Yara rules from Malpedia |
| Create Indicators | `create_indicators` | `MALPEDIA_CREATE_INDICATORS` | `true` | Yes | Choose if you want to create Indicators Sample (File) from Malpedia |
| Create Observables | `create_observables` | `MALPEDIA_CREATE_OBSERVABLES` | `true` | Yes | Choose if you want to create Observables Sample (File) from Malpedia |
| Default Marking | `default_marking` | `MALPEDIA_DEFAULT_MARKING` | `TLP:CLEAR` | No | If not defined in config, an authenticated user will have TLP:AMBER, otherwise TLP:CLEAR |


## Notes
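Review bot: the `config.yml` column of the new `Parameter \`Malpedia\`` table still reads `internal_sec` for the Interval Sec row, which looks like a typo carried over from the old table; the Duration Period row in the `Connector` table calls the same setting `interval_sec`, and only one of the two spellings can match what the connector actually reads, so suggest `| Interval Sec | \`interval_sec\` | \`MALPEDIA_INTERVAL_SEC\` | \`86400\` | Yes | ...`. Two smaller points: the commit title says `schedule_unit` was added, but no row documents it; and the Default Marking row lists `TLP:CLEAR` in the Default column while its description says an authenticated user gets TLP:AMBER, so the default is really conditional on `auth_key` and the row should say so in one place rather than contradict itself. The Expose Metrics default was also changed from `false` to `False` while config.yml.sample in this same commit keeps the YAML literal `false`; keep the lowercase form so the documented default matches the sample.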
@@ -72,7 +75,3 @@ If you are not authenticated, by leaving this variable (auth_key) undefined or o

If you choose to set environment variables such as import_intrusion_sets, import_yara, create_indicators, create_observables to false, the connector will simply skip the bundle creation steps for the selected category.

---
**Caution**

You should only enable update_existing_data for connectors that you consider a knowledge priority for specific entities. Entities created by other connectors might be overwritten.
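Review bot: dropping the Caution block removes the only mention of `update_existing_data`, which is consistent with the key being removed from config.yml.sample in this commit, but the Notes paragraph that stays lists `import_intrusion_sets`, `import_yara`, `create_indicators` and `create_observables` and says nothing about the new `default_marking`; its authentication-dependent fallback (TLP:AMBER with a valid `auth_key`, TLP:CLEAR otherwise) is exactly the behaviour a reader of the `auth_key` note needs, so suggest one sentence here stating it, next to the existing explanation of what happens when `auth_key` is left undefined.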
2 changes: 1 addition & 1 deletion external-import/malpedia/src/config.yml.sample
@@ -7,7 +7,6 @@ connector:
type: 'EXTERNAL_IMPORT'
name: 'Malpedia'
scope: 'malpedia'
update_existing_data: false
log_level: 'info'
expose_metrics: false

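Review bot: removing `update_existing_data: false` from the sample matches the README change, but only three of the six changed files are visible here, so the module that consumed the key is not in view; confirm that `MalpediaConnector` in `malpedia_connector` (the import in main.py) no longer reads `update_existing_data` and that `schedule_unit` from the commit title is the only new connector-level key, otherwise a fresh deployment from this sample will diverge from what the code expects.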
@@ -18,3 +17,4 @@ malpedia:
import_yara: true
create_indicators: true # Required, create indicators for hashes
create_observables: true # Required, create observables for hashes
default_marking: "TLP:CLEAR"
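Review bot: the added `default_marking: "TLP:CLEAR"` is the one key in this block without a trailing comment, while `create_indicators` and `create_observables` carry `# Required, ...`; more importantly, the README marks this parameter as optional with a fallback of TLP:AMBER for an authenticated user, so a sample that pins it to `TLP:CLEAR` will label data pulled with a valid `auth_key` as TLP:CLEAR, a wider sharing level than the fallback would assign. Suggest shipping the line commented out, or as `default_marking: "TLP:CLEAR" # Optional, defaults to TLP:AMBER when auth_key is set, TLP:CLEAR otherwise`, so operators opt into the broader marking deliberately. The `duration_period` documented in the README and the `schedule_unit` named in the commit title are also absent from the sample.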
12 changes: 6 additions & 6 deletions external-import/malpedia/src/main.py
@@ -1,14 +1,14 @@
# -*- coding: utf-8 -*-
"""OpenCTI Malpedia connector main module."""
import time
import sys
import traceback

from malpedia_connector import MalpediaConnector

if __name__ == "__main__":
try:
connector = MalpediaConnector()
connector.start()
except Exception as err:
print(err)
time.sleep(10)
exit(0)
connector.run()
except Exception:
traceback.print_exc()
sys.exit(1)
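Review bot: replacing `print(err)` / `time.sleep(10)` / `exit(0)` with `traceback.print_exc()` / `sys.exit(1)` is the right change: a zero exit code from a crashed connector hides the failure from Docker restart policies and from anyone watching the container state, the full traceback is far more useful than the bare exception string when the cause is a config or OpenCTI connectivity error, and the builtin `exit()` is a site hook that should not be relied on outside the interactive interpreter. Two things to check: `connector.start()` becomes `connector.run()`, so `MalpediaConnector` must expose `run()` (that module is not in this view); and the dropped 10-second sleep was the only throttle on a crash loop, so make sure the restart policy in the shipped docker-compose.yml provides backoff rather than restarting the container as fast as it fails.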