L1 Bithead
Posts: 5
Registered: ‎09-12-2015

Prototype for FS-ISAC

I understand that Soltra is part of the existing 3rd-party intelligence feed, just wondering whether anyone has created a prototype for FS-ISAC? The portal address is https://portal.fsisac.com/

I understand from FS-ISAC that they use Soltra as part of their intel too; is the FS-ISAC intelligence pool a subset of Soltra?

L7 Applicator
Posts: 920
Registered: ‎03-03-2011

Re: Prototype for FS-ISAC

Hi @c_cong,

From FS-ISAC you should retrieve the following data:

- URL of the TAXII discovery service

- name of the feed

- client certificate for authentication

On MineMeld:

- click on CONFIG and then on the hamburger icon to list the Prototypes

- click on hailataxii.guest_Abuse_ch and click on NEW

- modify the name of the new prototype

- under CONFIG, copy & paste the following and replace the feed name and the URL with the values you get from FS-ISAC:

age_out:
    default: last_seen+30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: red
collection: <feedname>
discovery_service: <fs-isac discovery service>
source_name: fs-isac.<feedname>
client_cert_required: true

- press OK and then create a new node from the new prototype

- COMMIT

- after the engine has started, go to NODES, click on the new NODE and upload the client certificate

L3 Networker
Posts: 42
Registered: ‎06-29-2017

Re: Prototype for FS-ISAC

Hi @lmori

I need to connect with FS-ISAC but I found some issues, see below:

Screenshot from 2017-06-29 17 21 42.png

Remark: I received a certificate from FS-ISAC.

CLIENT CERTIFICATE: CERTIFICATE -> cert.pem & PRIVATE KEY -> cert.key

I am not sure that I uploaded the file types correctly.

Could you advise me?

L7 Applicator
Posts: 920
Registered: ‎03-03-2011

Re: Prototype for FS-ISAC

Hi @iThreatHunt,

Could you open the two files with a text editor and check the contents?

You should see a header like this for the certificate (public key):

-----BEGIN CERTIFICATE-----
...

Did you upload the Server CA ?

L3 Networker
Posts: 42
Registered: ‎06-29-2017

Re: Prototype for FS-ISAC

Hi @lmori

fs-isac_config.png

taxii.py (from minemeld.core): I uploaded following this code (.pem & .crt)

cert.jpg

Node Configuration: success

fs-isac_node.png

But this node cannot retrieve data from FS-ISAC. Where is the application log to investigate?

L7 Applicator
Posts: 920
Registered: ‎03-03-2011

Re: Prototype for FS-ISAC

Hi @iThreatHunt,

you can check the logs downloading minemeld-engine.log from System > Dashboard > Engine > Logs.

Could you check on the FS-ISAC WebUI what the time of the last indicator in the feed you are polling is? By default, the first time the Miner polls the source it polls the last day's worth of indicators; if you want to go further back in time you should configure the initial_interval parameter in the prototype:

initial_interval: 7d

L3 Networker
Posts: 42
Registered: ‎06-29-2017

Re: Prototype for FS-ISAC

Thanks @lmori. It works.

L0 Member
Posts: 1
Registered: ‎08-03-2017

Re: Prototype for FS-ISAC

Hi @lmori

I have a similar problem synchronizing local MineMeld with the FS-ISAC cyber repository.

"collection fsisac not found" appears when MineMeld tries to poll the ISAC.

Any idea?

colection_fsisac_notfound.png

Thanks.

L7 Applicator
Posts: 920
Registered: ‎03-03-2011

Re: Prototype for FS-ISAC

Hi @xgil2017,

I think the collection name is wrong, it should be in the form <fs-isac username>.<feedname>

Luigi
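Putting the advice from this thread together in one place, as an added example (my own stdlib Python, not MineMeld code and not how the miner actually loads its certificate): it checks that the two files received from FS-ISAC are a PEM certificate and a PEM private key, that they are not swapped, that the base64 body decodes to a DER SEQUENCE, and that the key is not passphrase-protected, which is the "open them in a text editor" check from the earlier reply done mechanically. It then renders the prototype config from the first answer with the collection in the <fs-isac username>.<feedname> form and the optional initial_interval. The username jdoe, the feed name fsisac, the discovery URL and the PEM contents are constructed placeholders, not real FS-ISAC values.

```python
"""Pre-flight checks for an FS-ISAC TAXII miner prototype in MineMeld.

Added example: plain stdlib Python, not MineMeld code. The PEM checks
mirror the "open the files in a text editor" advice from the thread;
the renderer writes the prototype YAML with the collection in the
<username>.<feedname> form. All sample values below are constructed.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def classify_pem(text):
    """Return (kind, detail); kind is 'certificate', 'private_key',
    'encrypted_private_key' or 'unknown'."""
    m = PEM_BLOCK.search(text)
    if not m:
        return "unknown", "no PEM block found (binary DER/PKCS#12, or the wrong file)"
    begin, end, body = m.group("begin"), m.group("end"), m.group("body")
    if begin != end:
        return "unknown", "BEGIN/END labels differ: %s vs %s" % (begin, end)
    # Legacy OpenSSL encrypted keys carry Proc-Type/DEK-Info headers before the
    # base64; PKCS#8 encrypted keys use their own label. Either way the key needs
    # a passphrase at load time, so flag it before trying to decode the body.
    if begin == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted_private_key", "key is passphrase-protected"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown", "PEM body is not valid base64 (truncated or badly pasted)"
    # An X.509 certificate and a PKCS#1/PKCS#8 key both start as a DER SEQUENCE (0x30).
    if not der or der[0] != 0x30:
        return "unknown", "decoded body does not start with an ASN.1 SEQUENCE"
    if begin == "CERTIFICATE":
        return "certificate", "X.509 certificate, %d DER bytes" % len(der)
    if begin in KEY_LABELS:
        return "private_key", "%s, %d DER bytes" % (begin, len(der))
    return "unknown", "unexpected PEM label %s" % begin


def check_client_cert_files(cert_text, key_text):
    """Problems with a (certificate, key) pair before it is uploaded to the node.
    An empty list means the pair looks right."""
    cert_kind, cert_detail = classify_pem(cert_text)
    key_kind, key_detail = classify_pem(key_text)
    if cert_kind == "private_key" and key_kind == "certificate":
        return ["files are swapped: the .pem holds the key and the .key holds the certificate"]
    problems = []
    if cert_kind != "certificate":
        problems.append("certificate file: " + cert_detail)
    if key_kind == "encrypted_private_key":
        problems.append("key file: " + key_detail + " (a key with a passphrase cannot be loaded unattended)")
    elif key_kind != "private_key":
        problems.append("key file: " + key_detail)
    return problems


def render_prototype(username, feedname, discovery_url, initial_interval=None):
    """Render the prototype config from the thread, with the collection in the
    <username>.<feedname> form and an optional initial_interval."""
    if not discovery_url.startswith("https://"):
        # A client certificate only does anything over TLS.
        raise ValueError("discovery_service must be an https:// URL")
    lines = [
        "age_out:",
        "    default: last_seen+30d",
        "    sudden_death: false",
        "attributes:",
        "    confidence: 30",
        "    share_level: red",
        "collection: %s.%s" % (username, feedname),
        "discovery_service: %s" % discovery_url,
        "source_name: fs-isac.%s" % feedname,
        "client_cert_required: true",
    ]
    if initial_interval:
        lines.append("initial_interval: %s" % initial_interval)
    return "\n".join(lines) + "\n"


def _constructed_pem(label, filler):
    # Constructed test data, not a real key or certificate: a DER SEQUENCE tag
    # followed by filler bytes, so the structural checks above pass.
    body = base64.b64encode(b"\x30\x82" + filler).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


SAMPLE_CERT = _constructed_pem("CERTIFICATE", b"constructed certificate body")
SAMPLE_KEY = _constructed_pem("RSA PRIVATE KEY", b"constructed key body")
SAMPLE_ENCRYPTED_KEY = _constructed_pem("ENCRYPTED PRIVATE KEY", b"constructed")


if __name__ == "__main__":
    print(check_client_cert_files(SAMPLE_CERT, SAMPLE_KEY))            # []
    print(check_client_cert_files(SAMPLE_KEY, SAMPLE_CERT))            # swapped-files warning
    print(check_client_cert_files(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY))  # passphrase warning
    # jdoe, fsisac and the URL are placeholders, not real FS-ISAC values.
    print(render_prototype("jdoe", "fsisac",
                           "https://taxii.example.invalid/taxii-discovery-service",
                           initial_interval="7d"))
```

Run it against the real cert.pem and cert.key before uploading them to the node; a swapped pair or a passphrase-protected key shows up here as a plain message instead of as a silent miner that never retrieves anything.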

L0 Member
Posts: 2
Registered: ‎12-10-2015

Re: Prototype for FS-ISAC

Hi Luigi,

I am stuck here, not sure what this error code means

fsisac-minemeld.PNG
