Prototype for FS-ISAC



I understand that Soltra is part of the existing 3rd-party intelligence feed; I am just wondering whether anyone has created a prototype for FS-ISAC. The portal address is https://portal.fsisac.com/

 

I understand from FS-ISAC that they use Soltra as part of their intel too. Is the FS-ISAC intelligence pool a subset of Soltra?


Has anyone successfully stripped http and https from the FS-ISAC feed so that Palo Alto FWs can block those URLs? Currently, aggregating the URLs into an output works and the PAs can pull them into EDLs; however, the entries are pulled with http and https, and the PAs are then not able to block those objects. According to the PA article, a URL object cannot contain http:// or https://.

 

I found the example here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/tac-p...

It shows how to do it against a CSV/TXT list, but I have not been able to find it for the TAXII client feed. I applied the same terminology, but that did not work. Has anyone else been able to do this and can share some insight?
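Added example, written for this thread and not taken from MineMeld, from the linked article or from any poster: a stand-alone normalizer that turns URL indicators into the scheme-less form a PAN-OS URL EDL accepts. It strips http:// and https://, lowercases the host, drops fragments, keeps a non-default port, and rejects lines that are not URLs. The sample feed lines are constructed, and the handling of defanged forms (hxxp://, [.]) is an assumption about what some feeds emit, not something shown in the thread. As far as I know MineMeld's own feed endpoint can emit this format directly (the panosurl output format on /feeds/<name>); this code is for when you post-process the list yourself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what a MineMeld URL feed output looks like, one
# indicator per line. These are not real FS-ISAC indicators.
SAMPLE_FEED = """\
http://evil.example.com/payload.exe
https://Evil.Example.com/payload.exe
https://login.example.net:8443/phish?id=7#frag
hxxp://defanged[.]example[.]org/path
example.com/no-scheme
not a url at all
"""

# Schemes to strip. 'hxxp'/'hxxps' are defanged forms some feeds emit
# (an assumption about feed content, not something the thread shows).
SCHEME_RE = re.compile(r'^(?:h(?:tt|xx)ps?|ftp)://', re.IGNORECASE)

# Host part of a PAN-OS URL list entry: hostname characters, the '*' and '^'
# wildcards PAN-OS allows, and an optional ':port'. Userinfo ('user@host')
# and whitespace fail this check and the line is dropped.
HOST_RE = re.compile(r'^[a-z0-9*^][a-z0-9.*^_-]*(?::\d{1,5})?$')


def normalize_url(indicator):
    """Return the indicator in PAN-OS URL list form, or None if unusable.

    PAN-OS URL list entries carry no scheme, so http:// and https:// are
    stripped. The host is lowercased (DNS is case-insensitive); path and
    query keep their case because web servers may be case-sensitive there.
    Fragments never reach the server, so they are dropped. A non-default
    port is kept so the entry stays as specific as the original indicator.
    """
    s = indicator.strip()
    if not s:
        return None
    s = s.replace('[.]', '.').replace('(.)', '.')   # undo common defanging
    s = SCHEME_RE.sub('', s)
    # urlsplit needs a scheme to separate host from path; prepend a dummy.
    try:
        parts = urlsplit('http://' + s)
    except ValueError:
        return None
    host = parts.netloc.lower()   # keeps ':port' when present
    if not HOST_RE.match(host):
        return None
    entry = host + parts.path
    if parts.query:
        entry += '?' + parts.query
    return entry


def to_edl_lines(feed_text):
    """Normalize every line of a feed and de-duplicate, preserving order."""
    seen = set()
    out = []
    for line in feed_text.splitlines():
        entry = normalize_url(line)
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


if __name__ == '__main__':
    print('\n'.join(to_edl_lines(SAMPLE_FEED)))
```

Note that the two casings of evil.example.com collapse into one entry, which matters for EDL size limits; the query string is kept because a feed entry with a query is usually meant to match that exact URL, not the whole path.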


Thanks to all the pieces everyone has provided to this puzzle in this thread I was able to finally get a FS-ISAC feed setup however it errors out when polling.

 

I noticed in the log files I was seeing:

 

2019-07-15T13:35:07 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 poll
2019-07-15T13:35:07 (2425)basepoller._polling_loop INFO: Polling FS-ISAC-Feed-1563221567853
2019-07-15T13:35:07 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 724, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 307, in call_taxii_service2
    handler_list.append(HTTPSClientAuthHandler(k, c))
NameError: global name 'HTTPSClientAuthHandler' is not defined
2019-07-15T13:35:11 (2425)basepoller._polling_loop INFO: Polling FS-ISAC-Feed-1563221567853
2019-07-15T13:35:11 (2425)basepoller._poll ERROR: Exception in polling loop for FS-ISAC-Feed-1563221567853: global name 'HTTPSClientAuthHandler' is not defined
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 724, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 307, in call_taxii_service2
    handler_list.append(HTTPSClientAuthHandler(k, c))
NameError: global name 'HTTPSClientAuthHandler' is not defined
2019-07-15T13:35:12 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 age_out
2019-07-15T13:35:12 (2425)table._query_by_index INFO: Deleted in scan of _age_out: 0
2019-07-15T13:35:12 (2425)basepoller._actor_loop INFO: FS-ISAC-Feed-1563221567853 - command: 1563222907645 gc
2019-07-15T13:35:12 (2425)table._query_by_index INFO: Deleted in scan of _withdrawn: 0

I tried the change suggested by @lukasj but that just hard downed Minemeld until I replaced the gevent directory with the old one again.

 

This is the error I am running into, what am I missing? The cert and username/password fields have green checks

 

[screenshot attachment: 2019-07-15 13_36_34-MineMeld.png]

 

Any suggestions?

 

TIA!

Can you share what your prototype config looks like? Here is mine. This is working for me without any problems.

[screenshot attachment: fsisacprototype.PNG]

Sure thing, Here is our prototype:

 

[screenshot attachment: prot2019-07-16 12_04_58-MineMeld.png]

So if I were you I would set it up exactly as I have, as you do not need "minemeld" in the source and collection names.

TAGS:

ConfidenceHigh ShareLevelRed

 

CONFIG:

age_out:
    default: last_seen+30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: red
client_cert_required: true
collection: username.FSISAC_FEED
discovery_service: https://analysis.fsisac.com/taxii-discovery-service
initial_interval: 90d
source_name: fs-isac.username.FSISAC_FEED

I can try that but I feel like the names are arbitrary, can anyone confirm?

 

Maybe it has to do with the version of MM I am using, and is possibly a bug. I am currently on ver 0.9.62

I do not think those are arbitrary. I am running the same version too, and with this config I do not have a problem. Just click on that prototype you have and click NEW, then change the config, save, then add a new node using that prototype, and you know the rest. It will take you 5 minutes. It seems to me there aren't many people reading these. I have my question posted on 4 different links and no response on stripping http/https from the TAXII client feed.

Thanks I gave that a shot, getting the same error.

 

FS-ISAC provided:

 

filename.crt

filename.key

filename.p12

filename.pem

 

I am using the .crt and the .key file

I am using the username and password for the CIR portal

 

stuck at this point, seems like it should be pretty simple

Use the pem and key files instead.

I did try that before, and tried it again just now, and get the same error. I wonder if it is related to something on the distro version I am running. The error sounds like it has to do with the function being called rather than the connection to FS-ISAC.

 

$ uname -a
Linux 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

 

cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
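Added example, mine and not from the thread, from MineMeld or from libtaxii: a local check of the four credential files FS-ISAC hands out (.crt, .key, .p12, .pem are the names the post above lists), run outside MineMeld. It reports what each file actually contains, judged from its bytes rather than its extension, and asks OpenSSL whether a cert/key pair loads as a client identity. The NameError in the log is raised before any connection is attempted, so a check like this tells you whether the credentials would be a second problem behind it. The PEM and DER markers are standard; any sample bytes you feed in are constructed.

```python
import os
import ssl
import tempfile

# PEM armour headers and what each tells you about the file.
PEM_MARKERS = {
    b"-----BEGIN CERTIFICATE-----": "pem-certificate",
    b"-----BEGIN PRIVATE KEY-----": "pem-private-key",
    b"-----BEGIN RSA PRIVATE KEY-----": "pem-private-key",
    b"-----BEGIN EC PRIVATE KEY-----": "pem-private-key",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "pem-private-key-encrypted",
}


def classify_credential_bytes(data):
    """Report what a credential file contains, judged from its content.

    A PEM file may hold several objects (a certificate followed by its key,
    as 'openssl pkcs12 -nodes' produces), so a sorted list is returned.
    A file that is not PEM but begins with the DER SEQUENCE tag (0x30) is
    DER or PKCS#12 (.p12/.pfx), which load_cert_chain cannot read directly.
    """
    kinds = set()
    for marker, kind in PEM_MARKERS.items():
        if marker in data:
            kinds.add(kind)
    if not kinds and data[:1] == b"\x30":
        kinds.add("der-or-pkcs12")
    return sorted(kinds) or ["unknown"]


def classify_credential_file(path):
    """Classify a file on disk; the first 8 KiB is enough for the headers."""
    with open(path, "rb") as f:
        return classify_credential_bytes(f.read(8192))


def cert_and_key_match(cert_path, key_path, password=b""):
    """True if OpenSSL accepts the pair as a client identity.

    load_cert_chain verifies that the private key matches the certificate's
    public key and fails on a wrong key, a DER/PKCS#12 file, or a file that
    is not a certificate at all. The explicit empty password makes an
    encrypted key fail here instead of prompting on the terminal.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.load_cert_chain(cert_path, key_path, password)
    except (ssl.SSLError, OSError, ValueError):
        return False
    return True


def cert_and_key_match_bytes(cert_bytes, key_bytes):
    """Same check on in-memory bytes, staged in a private temporary dir."""
    with tempfile.TemporaryDirectory() as d:
        cert_path = os.path.join(d, "client.crt")
        key_path = os.path.join(d, "client.key")
        with open(cert_path, "wb") as f:
            f.write(cert_bytes)
        with open(key_path, "wb") as f:
            f.write(key_bytes)
        os.chmod(key_path, 0o600)
        return cert_and_key_match(cert_path, key_path)


if __name__ == "__main__":
    import sys
    # Usage: python check_creds.py filename.crt filename.key filename.pem filename.p12
    for p in sys.argv[1:]:
        print(p, classify_credential_file(p))
    if len(sys.argv) >= 3:
        print("cert/key pair loads:", cert_and_key_match(sys.argv[1], sys.argv[2]))
```

If the .p12 is the only file that classifies as a certificate and key, unpack it with `openssl pkcs12 -in filename.p12 -out filename.pem -nodes` and point the client at the resulting PEM; a pair that loads here but still fails in MineMeld points at the client code or its environment rather than at the credentials.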

I do not think that you are running a supported release.

I am running Ubuntu 16.04.6 LTS which i believe was the latest approved. You need to follow this article.

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-16...

Unfortunately we cannot run Ubuntu here the supported server OS is CentOS so I may have to just keep poking at it on my own.

It seems like you would be on your own as it is not supported. I find the community of minemeld is very small and therefore lack of responses. 
