Improve ransomware.live connector #2746
- Properly handle empty sector values
- Do not create threat actor objects by default
  - They were wasteful duplicates of Intrusion Sets and not threat actors in terms of STIX
- Fix typos
- Fix README tables
How do I properly test this connector on my development system? This PR should work, but I'm keeping the PR in draft status until I can properly test it.

```
{"timestamp": "2024-10-01T23:54:16.228980Z", "level": "ERROR", "name": "pika.adapters.utils.connection_workflow", "message": "AMQP connection workflow failed: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - gaierror(11001, 'getaddrinfo failed'); first exception - None.", "taskName": null}
{"timestamp": "2024-10-01T23:54:16.228980Z", "level": "ERROR", "name": "pika.adapters.utils.connection_workflow", "message": "AMQPConnectionWorkflow - reporting failure: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - gaierror(11001, 'getaddrinfo failed'); first exception - None", "taskName": null}
{"timestamp": "2024-10-01T23:54:16.228980Z", "level": "ERROR", "name": "pika.adapters.blocking_connection", "message": "Connection workflow failed: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - gaierror(11001, 'getaddrinfo failed'); first exception - None", "taskName": null}
```
I was able to test it by creating a local docker image, but that's not ideal if I want to walk through the Python code in a debugger.

Now I'm getting an exception that states "File data is not a valid bundle"

```
{"timestamp": "2024-10-02T00:30:20.182278Z", "level": "ERROR", "name": "ransomware.live", "message": "Error sending STIX2 bundle to OpenCTI", "exc_info": "Traceback (most recent call last):\n File \"/opt/connector/lib/ransomConn.py\", line 960, in run\n self.helper.send_stix2_bundle(\n File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 1699, in send_stix2_bundle\n ) = stix2_splitter.split_bundle_with_expectations(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2_splitter.py\", line 215, in split_bundle_with_expectations\n raise Exception(\"File data is not a valid bundle\")\nException: File data is not a valid bundle"}
```

Any suggestions for tracking down where my PR went wrong?
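An added debugging aid for the "File data is not a valid bundle" error above, not code from this PR, the connector or pycti: a structural pre-check to run on the serialized bundle before it is handed to `send_stix2_bundle`. What pycti itself checks is not shown on the page; `preflight`, `SAMPLE` and the identifiers in it are constructed for illustration, and the dangling-reference warning covers the case where an object type (here a threat actor) is no longer emitted but a relationship still points at it.

```python
import json
import re

# STIX identifier shape: <object-type>--<UUID>
ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def preflight(bundle_json):
    """Return (errors, warnings) for a serialized STIX 2.1 bundle."""
    try:
        bundle = json.loads(bundle_json)
    except (TypeError, ValueError) as exc:  # e.g. a dict or str(dict) was passed
        return [f"not JSON: {exc}"], []
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        return ["top level is not an object with type 'bundle'"], []
    objects = bundle.get("objects")
    if not isinstance(objects, list):
        return ["'objects' is missing or not a list"], []
    errors, warnings, known = [], [], set()
    for i, obj in enumerate(objects):
        if not isinstance(obj, dict):
            errors.append(f"objects[{i}] is not a JSON object")
            continue
        match = ID_RE.match(str(obj.get("id")))
        if match is None or match.group(1) != obj.get("type"):
            errors.append(f"objects[{i}]: id {obj.get('id')!r} does not match type {obj.get('type')!r}")
        else:
            known.add(obj["id"])
    for i, obj in enumerate(objects):
        if not isinstance(obj, dict):
            continue
        for key, value in obj.items():
            if not key.endswith(("_ref", "_refs")):
                continue
            for ref in value if isinstance(value, list) else [value]:
                # References may legitimately point outside the bundle: warn only.
                if isinstance(ref, str) and ref not in known:
                    warnings.append(f"objects[{i}].{key} -> {ref} is not in the bundle")
    return errors, warnings

# Constructed sample: a relationship still targets a threat actor that is not emitted.
_IS = "intrusion-set--22222222-2222-4222-8222-222222222222"
_TA = "threat-actor--44444444-4444-4444-8444-444444444444"
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    {"type": "intrusion-set", "id": _IS, "name": "examplegroup"},
    {"type": "relationship", "id": "relationship--33333333-3333-4333-8333-333333333333",
     "relationship_type": "attributed-to", "source_ref": _IS, "target_ref": _TA}]})

if __name__ == "__main__":
    print(preflight(SAMPLE))
```
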
All issues have been fixed.
Hi @seanthegeek, thank you for submitting a PR and improvements!

I managed to resolve conflicts locally by keeping your changes and `pycti.<ENTITY_CLASS>.generate_id()` function calls from master. 🤞

I had to add `"filterGroups": []` on line ~320 (in `filterGroups[0]`) to avoid errors returned by OpenCTI API, and now everything seems to work as intended 👍

May I ask you to resolve conflicts and fix the filters tiny issue on your repo so we can merge your PR? Thanks 🙏