Prototype for FS-ISAC

L0 Member

Re: Prototype for FS-ISAC

Hi Luigi @lmori

I have followed your configuration and get all data with share_level=red.

BTW, my customer would like to have all share_level=green data.

I have customized the prototype as in the attached screenshot, and the commit failed.

Could you please suggest the correct configuration?

Thanks

Nattapon

L4 Transporter

Re: Prototype for FS-ISAC

Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.

The URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into MineMeld? Can you provide some details about how to find the required info for populating the variables here?

TIA

L1 Bithead

Re: Prototype for FS-ISAC

Hi

I'm running MineMeld 0.9.50 on the latest RHEL 7.5.

Now I tried to attach the FS-ISAC feed; username, feed and cert all seem to be fine.

When I manually pull the feed from the node, "LAST RUN" receives the state ERROR: 'module' object has no attribute 'sslwrap'.

/opt/minemeld/log/minemeld-engine.log tells me:

2018-10-17T18:30:40 (12180)basepoller._polling_loop INFO: Polling fs-isac-soltra-feed
2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for fs-isac-soltra-feed: 'module' object has no attribute 'sslwrap'
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 721, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 337, in call_taxii_service2
    response = urllib.request.urlopen(req)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 363, in https_open
    return self.do_open(self.get_connection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 443, in connect
    ca_certs=self.ca_certs)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 410, in wrap_socket
    ciphers=ciphers)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 84, in __init__
    self._sslobj = _ssl.sslwrap(self._sock, server_side,
AttributeError: 'module' object has no attribute 'sslwrap'

Maybe someone else ran into the same/similar issue and knows how to fix this?

It seems to be related to the Python code handling the certificate/SSL/TLS connectivity.

L1 Bithead

Re: Prototype for FS-ISAC

@hshawn wrote:

Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.

The URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into MineMeld? Can you provide some details about how to find the required info for populating the variables here?

TIA


I don't know if you ever solved this, but if you don't have access to analysis.fsisac.com you'll need to request it from FS-ISAC support.

Once you have access, there's a Publish link at the top of the page that allows you to create your own custom feed based on the information you want (URLs, IPs, file hashes, etc.) and other criteria. You'll use the feed name combined with your credentials to access it.

HTH

L1 Bithead

Re: Prototype for FS-ISAC

FYI, in case anyone runs into this issue I described earlier:

/opt/minemeld/log/minemeld-engine.log tells me:

2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for <your miner node>: 'module' object has no attribute 'sslwrap'

This can be solved by replacing MineMeld's internal Python "gevent" with a newer version.

For whatever reason, MineMeld brings its own "gevent" in /opt/minemeld/engine/current/lib/python2.7/site-packages/gevent; this outdated gevent version seems to cause issues with the Python version installed on RHEL 7.

Just install the latest version (pip install --upgrade gevent) and then replace the MineMeld "gevent" with the new version from /usr/lib64/python2.7/site-packages/gevent.

After that the FS-ISAC feed/miner (and also other feeds requiring certificate authentication) is working fine on RHEL 7.

L2 Linker

Re: Prototype for FS-ISAC

Has anyone successfully stripped http and https from the FS-ISAC feed so that Palo Alto FWs can block those URLs? Currently aggregating the URLs into an output works and PAs can pull them into EDLs; however, it is pulling them with http and https, and PAs are then not able to block those objects. According to the PA article, a URL object cannot contain http:// or https://.

I found the example here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/tac-p...

It shows how to do it against a csv/txt list, but I have not been able to find it for the TAXII client feed. I applied the same terminology but that did not work. Has anyone else been able to do this and can share some insight?
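The scheme-stripping step asked about above, shown as an added Python example that is not code from this thread or from MineMeld: it removes a leading http:// or https:// from each URL indicator (case-insensitively, so HTTPS:// is handled too), drops blank and comment lines, and deduplicates, so that the http and https forms of one URL collapse to a single EDL entry. The feed lines are constructed sample values, not real indicators.

```python
import re

# Matches a leading http:// or https:// scheme, in any letter case.
_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)


def strip_scheme(indicator: str) -> str:
    """Return the URL indicator without its http:// or https:// prefix.

    Indicators with no scheme, or with a scheme other than http/https,
    are returned unchanged (apart from surrounding whitespace).
    """
    return _SCHEME_RE.sub("", indicator.strip(), count=1)


def normalize_url_feed(lines):
    """Normalize URL indicators for an EDL.

    Strips the scheme, skips blank lines and '#' comments, and removes
    duplicates while preserving first-seen order.
    """
    seen = set()
    normalized = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value = strip_scheme(line)
        if value and value not in seen:
            seen.add(value)
            normalized.append(value)
    return normalized


# Constructed sample feed lines (not real indicators).
SAMPLE_FEED = [
    "http://malicious.example.com/path/payload.exe",
    "https://malicious.example.com/path/payload.exe",   # same URL over TLS
    "HTTPS://Another.Example.net/login",                 # upper-case scheme
    "# comment line from an upstream list",
    "",
    "no-scheme.example.org/x",                           # already EDL-ready
]

if __name__ == "__main__":
    for entry in normalize_url_feed(SAMPLE_FEED):
        print(entry)
```

Only the scheme is removed; host case and path are left untouched so the entry still matches what the firewall sees in the request.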

L4 Transporter

Re: Prototype for FS-ISAC

Thanks to all the pieces everyone has provided to this puzzle in this thread, I was able to finally get a FS-ISAC feed set up; however, it errors out when polling.

I noticed in the log files I was seeing:

2019-07-15T13:35:07 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 poll
2019-07-15T13:35:07 (2425)basepoller._polling_loop INFO: Polling FS-ISAC-Feed-1563221567853
2019-07-15T13:35:07 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 724, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 307, in call_taxii_service2
    handler_list.append(HTTPSClientAuthHandler(k, c))
NameError: global name 'HTTPSClientAuthHandler' is not defined
2019-07-15T13:35:11 (2425)basepoller._polling_loop INFO: Polling FS-ISAC-Feed-1563221567853
2019-07-15T13:35:11 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 724, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 307, in call_taxii_service2
    handler_list.append(HTTPSClientAuthHandler(k, c))
NameError: global name 'HTTPSClientAuthHandler' is not defined
2019-07-15T13:35:12 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 age_out
2019-07-15T13:35:12 (2425)table._query_by_index INFO: Deleted in scan of _age_out: 0
2019-07-15T13:35:12 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 gc
2019-07-15T13:35:12 (2425)table._query_by_index INFO: Deleted in scan of _withdrawn: 0

I tried the change suggested by @lukasj but that just hard downed MineMeld until I replaced the gevent directory with the old one again.

This is the error I am running into, what am I missing? The cert and username/password fields have green checks.

2019-07-15 13_36_34-MineMeld.png

Any suggestions?

TIA!
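The minemeld-engine.log excerpts in this post and in the earlier sslwrap post share one line format, so as an added example (not code from the thread or from MineMeld) here is a Python parser that picks the basepoller polling failures out of such a log and summarizes them per miner node, which is a quicker way to see which node is failing and with which message than reading the repeated tracebacks. The sample lines are copied from the posts above; the traceback lines are included to show that they are ignored.

```python
import re
from collections import defaultdict

# One engine log line: "<timestamp> (<pid>)<module.function> <LEVEL>: <message>"
LOG_LINE_RE = re.compile(r"^(\S+) \((\d+)\)(\S+) (\w+): (.*)$")

# The polling failure message written by basepoller._poll
POLL_ERR_RE = re.compile(r"^Exception in polling loop for (\S+): (.*)$")


def parse_line(line):
    """Split one engine log line into its fields, or return None for
    traceback and other continuation lines that do not match the format."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    ts, pid, where, level, msg = m.groups()
    return {"ts": ts, "pid": int(pid), "where": where, "level": level, "msg": msg}


def summarize_poll_errors(lines):
    """Return {node_name: {"count": n, "errors": [distinct messages]}}
    for every 'Exception in polling loop' ERROR record in the log."""
    summary = defaultdict(lambda: {"count": 0, "errors": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        m = POLL_ERR_RE.match(rec["msg"])
        if not m:
            continue
        node, err = m.groups()
        entry = summary[node]
        entry["count"] += 1
        if err not in entry["errors"]:
            entry["errors"].append(err)
    return dict(summary)


# Sample log lines taken from the posts in this thread.
SAMPLE_LOG = [
    "2018-10-17T18:30:40 (12180)basepoller._polling_loop INFO: Polling fs-isac-soltra-feed",
    "2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for fs-isac-soltra-feed: 'module' object has no attribute 'sslwrap'",
    "2019-07-15T13:35:07 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 poll",
    "2019-07-15T13:35:07 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined",
    "Traceback (most recent call last):",
    '  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 724, in _poll',
    "NameError: global name 'HTTPSClientAuthHandler' is not defined",
    "2019-07-15T13:35:11 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined",
    "2019-07-15T13:35:12 (2425)table._query_by_index INFO: Deleted in scan of _age_out: 0",
]

if __name__ == "__main__":
    for node, info in summarize_poll_errors(SAMPLE_LOG).items():
        print(f"{node}: {info['count']} failure(s)")
        for err in info["errors"]:
            print(f"  {err}")
```

Feeding the real file is a matter of `summarize_poll_errors(open("/opt/minemeld/log/minemeld-engine.log"))`; the node names come straight from the log, so the output lines up with what the node page shows under "LAST RUN".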

L2 Linker

Re: Prototype for FS-ISAC

Can you share what your prototype config looks like? Here is mine. This is working for me without any problems.

fsisacprototype.PNG

L4 Transporter

Re: Prototype for FS-ISAC

Sure thing, here is our prototype:

prot2019-07-16 12_04_58-MineMeld.png

L2 Linker

Re: Prototype for FS-ISAC

So if I were you I would set it up exactly as I have, as you do not need minemeld in the source and collection names.

TAGS:

ConfidenceHigh ShareLevelRed

CONFIG:

age_out:
  default: last_seen+30d
  sudden_death: false
attributes:
  confidence: 30
  share_level: red
client_cert_required: true
collection: username.FSISAC_FEED
discovery_service: https://analysis.fsisac.com/taxii-discovery-service
initial_interval: 90d
source_name: fs-isac.username.FSISAC_FEED
