topic Re: TAXII feed for SIEM in General Topics

TAXII feed for SIEM

Sly_Cooper — Tue, 16 Aug 2016 19:58:40 GMT

Hi,

I have tried minemeld with few miners and output to the inbounfeedhc i.e. PAN EBL/DBL. It is worked as expected. I would like to push the data to SIEM so that i can perform log analysis based on the indicators. How can i use taxii? I have configured ET.compromisedIP and Dshield miners to send data to new aggregator with output to stllib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use taxii based feed? For the taxii based node, I can see current indicators as 1080.

Re: TAXII feed for SIEM

lmori — Tue, 16 Aug 2016 20:36:43 GMT

Hi Sly_Cooper,

what SIEM are you working with ?

Can your SIEM retrieve (pull) indicators from MineMeld via TAXII ? Or should MineMeld push indicators to the SIEM using TAXII ?

Re: TAXII feed for SIEM

Sly_Cooper — Tue, 16 Aug 2016 21:18:05 GMT

@lmori we use McAfee ESM. We already have one thread feed configured for hailataxii feed (http://hailataxii.com/taxii-discovery-service). The current feed is configured as POST (and Collection Name). I dont see any URL to pull the data the way it is for DBL based output nodes.

Re: TAXII feed for SIEM

lmori — Tue, 16 Aug 2016 21:24:34 GMT

Hi Sly_Cooper,

default output nodes do not support TAXII. But you can create new output nodes based on stdlib.taxiiDataFeed and attach them to your aggregators to support TAXII.

Then you can query the MineMeld TAXII Discover Service at https://<minemeld>/taxii-discovery-service to retrieve the list of currently configured TAXII feeds.

I am working on the documentation for the TAXII output nodes, stay tuned 🙂

Re: TAXII feed for SIEM

Sly_Cooper — Tue, 16 Aug 2016 22:03:51 GMT

@lmori Thank you.

I have configured custom aggregator node based on stlib.aggregatorIPv4Generic and custom output node based on stdlib.taxiiDataFeed. I am using DShild block list as miner. The SIEM just says Error and hostname while adding feed.

I am also suspecting issue with self signed ssl cert.

Re: TAXII feed for SIEM

lmori — Wed, 17 Aug 2016 21:25:02 GMT

Please, could you post the full error message you get back from the SIEM ?

Re: TAXII feed for SIEM

Sly_Cooper — Thu, 18 Aug 2016 16:50:27 GMT

Hi @lmori,

The web ui just shows "Error and hostname on next line" when we try "Test Connection". I will see if there is way to get raw log from the system.

Re: TAXII feed for SIEM

lmori — Fri, 19 Aug 2016 12:16:40 GMT

Hi Sly_Cooper,

I don't have access to a McAfee SIEM but this config should work:

Type: TAXII

URL: https://<minemeldip>/taxii-discovery-service

Authentication: None

Method: POST

Ignore Invalid Certificate: Checked (if you have changed the cet with a valid one you should uncheck this)

Collection Name: <name of the TAXII output node>

Re: TAXII feed for SIEM

Sly_Cooper — Mon, 22 Aug 2016 22:31:12 GMT

@lmori

I have configured the required settings. Here is the new error.

ERROR
Error issuing TAXII request, HTTP response code: 400: Missing X-Server header

Re: TAXII feed for SIEM

lmori — Mon, 29 Aug 2016 08:34:43 GMT

Hi Sly_Cooper,

thanks for the additional log. I have found the issue, it's an oversight in the nginx config. It will be fixed in the next release.

Meanwhile as a workaround you can edit the file /opt/minemeld/local/config/wsgi.yml and add the TAXII_HOST variable. The value should be the IP address of your MineMeld instance. Example if your MineMeld instance has IP 192.168.55.172:

# this should be commented in production !
DEBUG: true

API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd

SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"

TAXII_HOST: 192.168.55.172

After changing the file you should reload MineMeld Web API using the command:

sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf restart minemeld-web

Thanks !

luigi

Re: TAXII feed for SIEM

Sly_Cooper — Mon, 29 Aug 2016 15:46:14 GMT

@lmori I have got required configuration updated in the config file. Please note that the command to reload minemeld api worked fine in cli however there was warning in GUI "Error loading config" and indicators to "0". I restarted the VM and the gui loaded fine with all required nodes with indicator data. Now the error has changed on SIEM. I am not sure if the MineMeld configuration needs further tweaking.

ERROR
Error issuing TAXII request, HTTP response code: 400: Invalid message

Re: TAXII feed for SIEM

lmori — Mon, 29 Aug 2016 15:55:37 GMT

Would you be available for a webmeeting? We could speed up the integration tests this way.
Just send me an email at lmori@paloaltonetworks.com

Thanks,
Luigi

Re: TAXII feed for SIEM

lmori — Mon, 29 Aug 2016 17:12:28 GMT

@Sly_Cooper that error message typically happens when you try to access a TAXII feed that does not exist. Could you post the screenshot of your MM config and the config of McAfee SIEM ?

Thanks !

luigi

Re: TAXII feed for SIEM

Sly_Cooper — Mon, 29 Aug 2016 19:49:16 GMT

Re: TAXII feed for SIEM

Sly_Cooper — Mon, 29 Aug 2016 19:51:14 GMT

McAfee SIEM Config and error

Re: TAXII feed for SIEM

lmori — Mon, 29 Aug 2016 21:03:46 GMT

@Sly_Cooper could you post or send me the log /opt/minemeld/log/minemeld-web.log ?

Thanks,

luigi

Re: TAXII feed for SIEM

Sly_Cooper — Thu, 01 Sep 2016 15:16:00 GMT

@lmori Logs attached.

Re: TAXII feed for SIEM

lmori — Mon, 05 Sep 2016 15:46:53 GMT

@Sly_Cooper thanks !

I have checked and you should change the config this way (note the URL now set to https://<minemeld>/taxii-poll-service):

Basically you have to specify URL of the TAXII poll service, not the URL of the discovery service.

After that indicators can be sucessfully downloaded:

Re: TAXII feed for SIEM

Sly_Cooper — Tue, 06 Sep 2016 14:55:06 GMT

@lmori Thank you. It worked! I could see the indicators in the watchlist. I will continue to work with minemeld and SIEM.

FYI - The Minemeld instance failed automatically with error reading config message. All indicators went to zero. It started back automatically when checked after two days.

Re: TAXII feed for SIEM

lmori — Tue, 06 Sep 2016 14:58:18 GMT

@Sly_Cooper could you send me the file /opt/minemeld/log/minemeld-engine.log to check the error in reading the config ?