Prototype for FS-ISAC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Prototype for FS-ISAC

L1 Bithead

I understand that Soltra is part of the existing 3rd party intelligence feed, just wondering has anyone created a prototype from FS-ISAC? THe portal address is https://portal.fsisac.com/

 

Understand from FS-ISAC, they uses Soltra as part of their intel too, is FS-ISAC intelligence pool as subset of Soltra?

27 REPLIES 27

L7 Applicator

Hi @c_cong,

from FS-ISAC you should retrieve the following data:

- URL of the TAXII discovery service

- name of the feed

- client certificate for authentication

 

On MineMeld:

- click on CONFIG and then on the hamburger icon to list the Prototypes

- click on hailataxii.guest_Abuse_ch and click on NEW

- modify the name of the new prototype

- under config copy & paste the following and change the feed name and the URL with the values you get from FS-ISAC:

age_out:
    default: last_seen+30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: red
collection: <feedname>
discovery_service: <fs-isac discovery service>
source_name: fs-isac.<feedname>
client_cert_required: true

- press OK and then create a new node from the new prototype

- COMMIT

- after the engine has started, go in NODES click on the new NODE and upload the client certificate

Hi @lmori

 

I need to connect with FS-ISAC but I found some issue. below:

 

Screenshot from 2017-06-29 17 21 42.png

 

remark: I received certificate from FS-ISAC.

CLIENT CERTIFICATE: CERTIFICATE -> cert.pem & PRIVATE KEY -> cert.key

I am not sure that I upload file type correctly.

 

Could you recommend me?

Hi @iThreatHunt,

could you open the two files with a text editor and check the contents ? 

You should see an header like this for the certificate (public key):

-----BEGIN CERTIFICATE-----
...

Did you upload the Server CA ?

Hi @lmori

 

fs-isac_config.png

 

taxii.py (from minemeld.core) : I upload follow this code (.pem & .crt)

 

cert.jpg

 

Node Confiuguration : success

 

fs-isac_node.png

 

But this node cannot retrieve data from FS-ISAC. Whrere is application log for investigate? 

Hi @iThreatHunt,

you can check the logs downloading minemeld-engine.log from System > Dashboard > Engine > Logs.

Could you check on the FS-ISAC WebUI what is the time of the last indicator in the feed you are polling ? By default the Miner the first time it polls the source it polls the last day worth of indicators, if you want to go further back in time you should configure the initial_interval parameter in the prototype:

initial_interval: 7d

Thanks @lmori. It is works.

L0 Member

Hi @lmori

 

I have one similar problem synchronizing local minemeld with fsisac cyber repository.

...."collection fsisac not found" appears when minemeld try to polling isac.

Any idea?

 

colection_fsisac_notfound.png

 

Thanks.

Hi @xgil2017,

I think the collection name is wrong, it should be in the form <fs-isac username>.<feedname>

 

Luigi

Hi Lugi,

 

I am stuck here not sure what this error code means

 

fsisac-minemeld.PNG

L0 Member

Hi Luigi @lmori

 

I have follow your configuration and get all data with share_level=red.

BTW, my customer would like to have all shre_level=green data. 

I have customize prototype as attached screenshot  and commit failed.

 

 

Could you please suggest the correct configuration?

 

Thanks

Nattapon

L4 Transporter

Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.

 

the URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into Minemeld? Can you provide some details about how to find the required info for populating the variables here?

 

TIA

L1 Bithead

Hi

 

I'm running minemeld 0.9.50 on the latest RHEL 7.5.

Now i tried to attach the the FS-ISAC feed, username feed, cert, seems to be fine.

 

When i manuall pull the feed from the Node; "LAST RUN" receives the State ERROR: 'module' object has no attrbute 'sslwrap'.

 

/opt/minemeld/log/minemeld-engine.log tells me:

 

2018-10-17T18:30:40 (12180)basepoller._polling_loop INFO: Polling fs-isac-soltra-feed
2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for fs-isac-soltra-feed: 'module' object has no attribute 'sslwrap'

 

Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 721, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 337, in call_taxii_service2
    response = urllib.request.urlopen(req)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 363, in https_open
    return self.do_open(self.get_connection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 443, in connect
    ca_certs=self.ca_certs)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 410, in wrap_socket
    ciphers=ciphers)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 84, in __init__
    self._sslobj = _ssl.sslwrap(self._sock, server_side,

 

AttributeError: 'module' object has no attribute 'sslwrap'

 

 

Maybe someone else ran into the same/similar issue and knows how to fix this ?

 

It seems to be related to the python code handling the certificate/ssl/tls connectivity.


@hshawn wrote:

Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.

 

the URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into Minemeld? Can you provide some details about how to find the required info for populating the variables here?

 

TIA


 

I don't know if you ever solved this, but if you don't have access to analysis.fsisac.com you'll need to request it from FS-ISAC support.

 

Once you have access, there's a Publish link at the top of the page that allows you to create your own custom feed based on the information you want (URLs, IPs, file hashes, etc.) and other criteria. You'll use the feed name combined with your credentials to access it.

 

HTH

FYI, in case anyone runs into this issue i described earlier:

 

/opt/minemeld/log/minemeld-engine.log tells me:

 

2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for <your miner node>: 'module' object has no attribute 'sslwrap'

 

This can be solved by replacing minemelds internal python "gevent" with a newer version.

 

For whatever reason, minmeld brings it own "gevent" in /opt/minemeld/engine/current/lib/python2.7/site-packages/gevent this outdated gevent version seems to cause issue with the Python Version installed on RHEL 7.

 

Just install the latest Version (pip install --upgrade gevent) and then replace the minemeld "gevent" with the new version from /usr/lib64/python2.7/site-packages/gevent.

 

After that the FS-ISAC Feed/Miner  (and also other feeds requiring certificate authentication) is working fine on RHEL 7.

  • 20080 Views
  • 27 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!