Anomali Limo Miner Creation


L1 Bithead

Hello,

First, I am not a programmer, so please keep that in mind 😉 I would like to create a miner for the Anomali Limo TAXII feed. The Anomali documentation is not very good:

You can also get the benefits of Limo without STAXX. Simply:

This doesn't really explain much. If I go to: https://limo.anomali.com/taxii and authenticate, I get this back:

[screenshot: Capture.PNG]

Thus, I am really not sure how I would use any of this information. I was expecting to see data with headers and such. Not only don't I get those, I don't see the feed names themselves as suggested in the Anomali documentation. Thus, I am really not sure how to proceed from here.

Any help would be greatly appreciated!

Jon


Accepted Solutions

L5 Sessionator

@Jon-Irish,

you just have to create a new TaxiiClient class-based prototype and clone it into your engine as a working node.

To create a new TaxiiClient prototype you can use any other TaxiiClient prototype as the base. For example, you can use any from the "hailataxii" series.

[screenshot: 2018-07-13_08-11-11.png]

Change the "discovery_service" and "collection" class configuration parameters to fit your need. In your case:

  • discovery_service = https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
  • collection: any from the following list:
    • Abuse_ch_Ransomware_IPs_F135
    • Abuse_ch_Ransomware_Domains_F136
    • DShield_Scanning_IPs_F150
    • Lehigh_Malwaredomains_F33
    • CyberCrime_F41
    • Emerging_Threats_C_C_Server_F31
    • Malware_Domain_List___Hotlist_F200
    • Phish_Tank_F107
    • Emerging_Threats___Compromised_F68
    • Blutmagie_TOR_Nodes_F209
    • Anomali_Weekly_Threat_Briefing_S1

(the list was captured today with the cabby command "taxii-collections --path https://limo.anomali.com/api/v1/taxii/collection_management/ --username guest --password guest")

6 REPLIES


Thanks for the great reply! Is it possible to have more than one collection in a miner?

I was able to get the "cabby" docker image working and I replicated your findings. Thanks for pointing this out to me! My only other question is, can I have more than one collection in a data miner?

Thanks!

Jon

Another thing that I am noticing is that I am not pulling any indicators. Here is the config for the poller:

minemeldlocal.anomali_limo_feed PROTOTYPE

MINER

EXPERIMENTAL

ABOUT minemeldlocal

Local prototype library managed via MineMeld WebUI

ABOUT minemeldlocal.anomali_limo_feed

Anomali Limo data feed

CLASS

minemeld.ft.taxii.TaxiiClient

INDICATOR TYPES

IPv4, IPv6, domain, URL

TAGS

OSINT, ShareLevelGreen, ConfidenceHigh, ConfidenceMedium, ConfidenceLow

CONFIG

age_out
  • default: last_seen+30d
  • sudden_death: false
attributes
  • confidence: 30
  • share_level: green
collection Anomali_Weekly_Threat_Briefing_S1
discovery_service https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
password guest
source_name limo.anomali.com
username guest

If I then go to the Nodes view and look at the node, it shows it successfully polling, but no indicators. I must have done something wrong.

anomali_limo_feed NODE

STATUS
CLASS minemeld.ft.taxii.TaxiiClient
PROTOTYPE minemeldlocal.anomali_limo_feed
STATE STARTED
USERNAME guest
PASSWORD  
SERVER CA Not set
LAST RUN 2018-07-13 10:03:29 -0500 SUCCESS
# INDICATORS 0
OUTPUT ENABLED
INPUTS none

Hi @Jon-Irish,

Yes, you're right: something is wrong, but not on your end (nor on mine), on Anomali's side.

Using Cabby (instead of MineMeld) to poll the indicators also raises an exception.

<ord guest --discovery https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/ --collection Anomali_Weekly_Threat_Briefing_S1                                                                
2018-07-23 09:07:25,668 INFO: Polling using data binding: ALL
2018-07-23 09:07:25,672 INFO: Sending Discovery_Request to https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
2018-07-23 09:07:26,569 INFO: 4 services discovered
2018-07-23 09:07:26,571 INFO: Sending Poll_Request to https://limo.anomali.com/api/v1/taxii/poll/
2018-07-23 09:07:27,432 ERROR: HTTP Error: status code 400

I'll try later on to troubleshoot what's wrong in their API.
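An added example (not code from the thread, MineMeld or cabby) of the step that fails in the trace above: it builds the TAXII 1.1 Poll_Request that cabby and MineMeld's TaxiiClient send to the poll service for one collection, and classifies the reply body. A Poll_Response with no Content_Block is what the node view reports as SUCCESS with 0 indicators, a Status_Message carries the server's rejection reason, and a bare HTTP 400 as in the trace never gets this far. The sample replies are constructed, not captured from limo.anomali.com.

```python
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_NS}
ET.register_namespace("taxii_11", TAXII_NS)


def q(name):
    """Clark-notation tag in the TAXII 1.1 message namespace."""
    return "{%s}%s" % (TAXII_NS, name)


def build_poll_request(collection, message_id=None):
    """Poll_Request body for one collection, asking for a FULL (synchronous) response."""
    req = ET.Element(q("Poll_Request"), message_id=message_id or str(uuid.uuid4().int)[:20],
                     collection_name=collection)
    params = ET.SubElement(req, q("Poll_Parameters"), allow_asynch="false")
    ET.SubElement(params, q("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="unicode")


def summarize_poll_reply(xml_text):
    """Classify a reply body: content-block count on success, or the server's rejection."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]
    if kind == "Poll_Response":  # zero blocks is "SUCCESS, # INDICATORS 0" in the node view
        blocks = root.findall("taxii_11:Content_Block", NS)
        return {"ok": True, "collection": root.get("collection_name"), "blocks": len(blocks)}
    if kind == "Status_Message":  # e.g. BAD_MESSAGE, UNAUTHORIZED, NOT_FOUND
        return {"ok": False, "status": root.get("status_type"),
                "message": root.findtext("taxii_11:Message", default="", namespaces=NS)}
    return {"ok": False, "status": "UNEXPECTED", "message": kind}


# Constructed sample replies (not captured from limo.anomali.com).
EMPTY_RESPONSE = (f'<taxii_11:Poll_Response xmlns:taxii_11="{TAXII_NS}" message_id="2" '
                  'in_response_to="1" collection_name="Anomali_Weekly_Threat_Briefing_S1"/>')
ONE_BLOCK_RESPONSE = (f'<taxii_11:Poll_Response xmlns:taxii_11="{TAXII_NS}" message_id="4" '
                      'in_response_to="1" collection_name="DShield_Scanning_IPs_F150">'
                      '<taxii_11:Content_Block><taxii_11:Content_Binding binding_id='
                      '"urn:stix.mitre.org:xml:1.1.1"/><taxii_11:Content>(STIX placeholder)'
                      '</taxii_11:Content></taxii_11:Content_Block></taxii_11:Poll_Response>')
REJECTED = (f'<taxii_11:Status_Message xmlns:taxii_11="{TAXII_NS}" message_id="3" '
            'in_response_to="1" status_type="BAD_MESSAGE"><taxii_11:Message>Poll rejected'
            '</taxii_11:Message></taxii_11:Status_Message>')
```

Run `summarize_poll_reply` over the body the poll service actually returns (or over a captured one) to tell an empty collection apart from a rejected request.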

Thanks for the update @xhoms... It is good to know that it isn't something that I did wrong.
