[YARA] The YARA connector attempts to scan an artifact before the malwarebazaar-recent-additions connector finishes uploading the file

[seanthegeek]

Description

The YARA connector raises an exception when new samples are uploaded by the MalwareBazaar connector but succeeds when the YARA enrichment is ran manually. It looks like the YARA connector attempts to scan an artifact before the MalwareBazaar connector finishes uploading the file.

  warnings.warn(
{"timestamp": "2024-09-23T19:14:36.718425Z", "level": "ERROR", "name": "YARA", "message": "Error in message processing, reporting error to API", "exc_info": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 352, in _data_handler\n    message = self.callback(event_data)\n              ^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/opt/opencti-yara/main.py\", line 107, in _process_message\n    self._scan_artifact(artifact, yara_indicators)\n  File \"/opt/opencti-yara/main.py\", line 63, in _scan_artifact\n    artifact_contents = self._get_artifact_contents(artifact)\n                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/opt/opencti-yara/main.py\", line 27, in _get_artifact_contents\n    file_id = artifact[\"importFiles\"][0][\"id\"]\n              ~~~~~~~~~~~~~~~~~~~~~~~^^^\nIndexError: list index out of range"}

Environment

1. OS (where OpenCTI server runs): Debian 12
2. OpenCTI version: 6.3.1
3. OpenCTI client: Python

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Import some YARA rules (e.g. use the Valhalla connector)
2. Add the yara connector
3. Add the malwarebazaar-recent-additions connector