How can I validate that my TAXII output miner is working?

L0 Member

How can I validate that my TAXII output miner is working?

Hi!  Been testing the product for a couple of weeks, and I really am impressed, but while the TAXII/STIX miners work well from HailATAXII, I'm trying to feed output from my aggregator into a TAXII output to push to other tools down the line that can ingest the indicators and match them up from what comes out of our internal malware analysis.  (Shows if we have to dig deeper or we have a known bad junk file to up the counter upon.)

 

However, in looking through the NGINX output, I can't find the discovery service or the feeds.  Save me from being run over by a TAXII!  :)

L7 Applicator

Re: How can I validate that my TAXII output miner is working?

Hi @twisterdavemd,

I developed a simple Postman collection for exactly this purpose: https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1

Could you check it?

L0 Member

Re: How can I validate that my TAXII output miner is working?

I did check it out, and while it is working, it's only after disabling ssl checking in Postman that I get the output I'm expecting.

 

Hence my next problem.  Because I'm specifying https: in my URL, my taxii ingest to my secondary product is attempting to validate ssl, and has no way of overriding from default.

L7 Applicator

Re: How can I validate that my TAXII output miner is working?

Hi @twisterdavemd,

Any way you can create a certificate for MineMeld that can be validated by the TAXII client product?

If you can do that you can easily install it on the MineMeld instance.

L1 Bithead

Re: How can I validate that my TAXII output miner is working?

Hi Imori,

I built the TAXII output node using prototype stdlib.taxiiDataFeed. The node has 4 indicators. I did test the POST taxii-recovery service using the script from GitHub:

https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1

I can only guess the response is ok (200 OK) (screenshot attached).

How can I get the indicators from this node using TAXII?

Best Regards,

An

L7 Applicator

Re: How can I validate that my TAXII output miner is working?

Hi @Nupagazy,

Yes, using the Postman TAXII library is a good way to test the TAXII feeds:

https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1
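
Added example, not part of the thread and not code from MineMeld or the gist: a minimal TAXII 1.1 discovery check in Python that keeps certificate verification on by trusting a CA file you supply, rather than disabling SSL checking. The function names, the sample response and the `minemeld.example` host and paths are assumptions; pass `discover()` the discovery URL your instance actually exposes.

```python
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

NS = "{http://taxii.mitre.org/messages/taxii_xml_binding-1.1}"
XML_11 = "urn:taxii.mitre.org:message:xml:1.1"
HEADERS = {  # TAXII 1.1 HTTP protocol binding headers
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": XML_11,
    "X-TAXII-Accept": XML_11,
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
}

def build_discovery_request():
    """Return a TAXII 1.1 Discovery_Request body (bytes) with a fresh message_id."""
    root = ET.Element(NS + "Discovery_Request", {"message_id": uuid.uuid4().hex})
    return ET.tostring(root, encoding="utf-8")

def parse_discovery_response(body):
    """Return [(service_type, address, available)] for each advertised service."""
    root = ET.fromstring(body)
    if root.tag != NS + "Discovery_Response":
        # e.g. a Status_Message carrying an error instead of the service list
        raise ValueError("not a Discovery_Response: " + root.tag)
    return [(si.get("service_type"),
             si.findtext(NS + "Address", default="").strip(),
             si.get("available") == "true")
            for si in root.iter(NS + "Service_Instance")]

def discover(url, ca_file):
    """POST the request over HTTPS, trusting only the CA(s) in ca_file."""
    # Verification and hostname checking stay enabled (the defaults of this context).
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=build_discovery_request(),
                                 headers=HEADERS, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_discovery_response(resp.read())

# Constructed, trimmed sample response; host and paths are placeholders.
SAMPLE = b"""<t:Discovery_Response xmlns:t="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="2" in_response_to="1">
  <t:Service_Instance service_type="DISCOVERY" available="true"><t:Address>https://minemeld.example/discovery</t:Address></t:Service_Instance>
  <t:Service_Instance service_type="POLL" available="true"><t:Address>https://minemeld.example/poll</t:Address></t:Service_Instance>
</t:Discovery_Response>"""

if __name__ == "__main__":
    for service in parse_discovery_response(SAMPLE):
        print(service)
```

If `discover()` raises `ssl.SSLCertVerificationError`, the certificate presented by the server does not chain to `ca_file` or does not match the hostname in the URL, which is the same condition the downstream TAXII client is rejecting.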
