
[malwarebazaar-recent-additions] Allow optional storage of malware samples #3503

Open: wants to merge 1 commit into master

Conversation


@ParamConstructor ParamConstructor commented Feb 26, 2025

Proposed changes

The core intent of this update is to support the "optional" storage of the malware files related to the Malware Bazaar data fetches. Some users may not wish to "actually" store the "real" malware files on their system disk. This could be due to security requirements, or could be because they never use the actual file and it is needlessly increasing their S3/MinIO storage requirements. This update allows for access to the Artifact entries and metadata about the malware artifacts - but removes the storage of the "real" malware when enabled. The malware is replaced with a file that is 85 bytes in size and when downloaded within OpenCTI states:

"This would normally be Malware, but we have disabled the saving of the real malware."

Changes:

  • Cleaned up code for autopep8/black/isort/pylint compliance.

  • Added the following in the docker-compose.yml to show connector values could be in the config.yml or here and added the missing Auth-Key token reference that is required for the connector to function properly.

      - CONNECTOR_CONFIDENCE_LEVEL=40 # From 0 (Unknown) to 100 (Fully trusted); ENV or can be set in config.yml
      - CONNECTOR_UPDATE_EXISTING_DATA=false # ENV or can be set in config.yml
      - CONNECTOR_CREATE_INDICATOR=false # ENV or can be set in config.yml
      - CONNECTOR_LOG_LEVEL=error
      - MALWAREBAZAAR_RECENT_ADDITIONS_USER_TOKEN=your-token-here # Free Auth-Key Required - https://bazaar.abuse.ch/api/#auth_key
  • Added the new key disable_malware_sample to both docker-compose.yml and config.yml.sample in order to support NOT actually storing the real malware in S3/MinIO storage.
      - MALWAREBAZAAR_RECENT_ADDITIONS_DISABLE_MALWARE_SAMPLE=true # If true, malware will be replaced with a benign Text file sample.
      disable_malware_sample: false # If true, malware will be replaced with a benign Text file sample.
  • Added code changes required to support this capability enhancement.

Related issues

  • None

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
    • Tested connector with the disable_malware_sample set to true
    • Tested connector with the disable_malware_sample set to false
  • I added/updated the relevant documentation (within connector code)
  • Where necessary I refactored code to improve the overall quality

Further comments

N/A
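The replacement behaviour the PR describes, as an added Python example that is not the connector's or the PR author's code: it resolves the disable_malware_sample flag (ENV wins over config.yml, default false as in config.yml.sample) and then either hands OpenCTI the benign placeholder text or the real bytes. Assumptions: the trailing newline on the placeholder text, which brings it to the 85 bytes the PR mentions; feed record keys sha256_hash, file_name and file_type_mime, which follow MalwareBazaar API naming; and the sha256 integrity check on the real download, which is an addition of this example. The feed record and sample bytes are constructed, harmless stand-ins.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Placeholder text quoted in the PR; the trailing newline is assumed and brings it to 85 bytes.
PLACEHOLDER_BYTES = (
    "This would normally be Malware, but we have disabled the saving of the real malware.\n"
).encode("utf-8")

ENV_KEY = "MALWAREBAZAAR_RECENT_ADDITIONS_DISABLE_MALWARE_SAMPLE"
YAML_KEY = "disable_malware_sample"
# Constructed feed record with a harmless stand-in for the sample bytes (keys assumed to
# follow MalwareBazaar API naming).
SAMPLE_BYTES = b"constructed stand-in for a sample, not malware\n"
FEED_RECORD = {
    "sha256_hash": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "file_name": "sample.bin",
    "file_type_mime": "application/octet-stream",
}


def disable_malware_sample(config: Mapping, environ: Optional[Mapping] = None) -> bool:
    """ENV value wins, then the config.yml key, then False (the config.yml.sample default)."""
    env = os.environ if environ is None else environ
    raw = env.get(ENV_KEY, config.get(YAML_KEY, False))
    if isinstance(raw, bool):
        return raw
    return str(raw).strip().lower() in ("1", "true", "yes")


@dataclass
class ArtifactUpload:
    file_name: str
    mime_type: str
    data: bytes
    sha256_from_feed: str  # metadata describes the real sample in both modes


def build_artifact_upload(feed: Mapping, sample_bytes: Optional[bytes], placeholder: bool) -> ArtifactUpload:
    """Pick the bytes that go to OpenCTI storage (S3/MinIO) for this Artifact entry."""
    sha256 = feed["sha256_hash"].lower()
    if placeholder:
        # The real file is never needed; name the text file after the real hash so the
        # Artifact still ties back to the MalwareBazaar record.
        return ArtifactUpload(f"{sha256}.txt", "text/plain", PLACEHOLDER_BYTES, sha256)
    if sample_bytes is None:
        raise ValueError("real sample requested but nothing was downloaded")
    # Integrity check added in this example (not in the PR): reject bytes that do not match the feed hash.
    if hashlib.sha256(sample_bytes).hexdigest() != sha256:
        raise ValueError("downloaded sample does not match the feed's sha256")
    return ArtifactUpload(feed["file_name"], feed["file_type_mime"], sample_bytes, sha256)
```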

@ParamConstructor force-pushed the malware-bazaar-disable-malware-storage branch from 987ee50 to 8426772 on February 26, 2025 17:13
@ParamConstructor force-pushed the malware-bazaar-disable-malware-storage branch from 8426772 to 4179485 on February 26, 2025 17:20
@helene-nguyen self-assigned this Feb 27, 2025
@helene-nguyen added the partner label Feb 27, 2025