06-02-2017 05:56 AM
I understand that Soltra is part of the existing 3rd party intelligence feed, just wondering whether anyone has created a prototype from FS-ISAC? The portal address is https://portal.fsisac.com/
I understand from FS-ISAC that they use Soltra as part of their intel too; is the FS-ISAC intelligence pool a subset of Soltra?
06-06-2017 12:49 AM
Hi @c_cong,
from FS-ISAC you should retrieve the following data:
- URL of the TAXII discovery service
- name of the feed
- client certificate for authentication
On MineMeld:
- click on CONFIG and then on the hamburger icon to list the Prototypes
- click on hailataxii.guest_Abuse_ch and click on NEW
- modify the name of the new prototype
- under config copy & paste the following and change the feed name and the URL with the values you get from FS-ISAC:
    age_out:
      default: last_seen+30d
      sudden_death: false
    attributes:
      confidence: 30
      share_level: red
    collection: <feedname>
    discovery_service: <fs-isac discovery service>
    source_name: fs-isac.<feedname>
    client_cert_required: true
- press OK and then create a new node from the new prototype
- COMMIT
- after the engine has started, go in NODES click on the new NODE and upload the client certificate
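The following is an added example and not MineMeld's own code or part of the reply above: a small Python helper that builds the config fragment from the steps above, renders it as YAML, and checks it before you commit. The checks encode what this thread establishes (the collection must be named `<fs-isac username>.<feedname>`, the discovery service is an HTTPS URL, client certificates are required) plus two assumptions of mine: `share_level` is restricted to the four TLP colours, and `initial_interval` must look like `<number><unit>` such as `7d`. The `class:` line of a real prototype is not included, only the `config:` part the post asks you to paste.

```python
"""Build and sanity-check the config part of a MineMeld TAXII miner prototype.

Added example, not MineMeld project code. Rules marked ASSUMPTION are mine;
the others come from the forum thread this accompanies.
"""
import re

TLP_LEVELS = ("white", "green", "amber", "red")          # ASSUMPTION: share_level is a TLP colour
INTERVAL_RE = re.compile(r"^\d+[smhd]$")                   # ASSUMPTION: e.g. 7d, 12h
COLLECTION_RE = re.compile(r"^[^.\s]+\.[^\s]+$")           # <username>.<feedname>, from the thread


def build_prototype(username, feedname, discovery_service, share_level="red",
                    confidence=30, initial_interval=None):
    """Return the prototype 'config' section as a nested dict (same keys as the thread)."""
    config = {
        "age_out": {"default": "last_seen+30d", "sudden_death": False},
        "attributes": {"confidence": confidence, "share_level": share_level},
        "collection": f"{username}.{feedname}",
        "discovery_service": discovery_service,
        "source_name": f"fs-isac.{feedname}",
        "client_cert_required": True,
    }
    if initial_interval is not None:
        # Only set when you need to go back further than the default last day of indicators.
        config["initial_interval"] = initial_interval
    return config


def validate_prototype(config):
    """Return a list of human-readable problems; an empty list means the config passes."""
    problems = []
    collection = str(config.get("collection", ""))
    if not COLLECTION_RE.match(collection):
        problems.append(f"collection '{collection}' is not of the form <username>.<feedname>")
    if not str(config.get("discovery_service", "")).startswith("https://"):
        problems.append("discovery_service should be an https:// URL (client-cert auth needs TLS)")
    attrs = config.get("attributes", {})
    if attrs.get("share_level") not in TLP_LEVELS:
        problems.append(f"share_level '{attrs.get('share_level')}' is not one of {TLP_LEVELS}")
    confidence = attrs.get("confidence")
    if not isinstance(confidence, int) or isinstance(confidence, bool) or not 0 <= confidence <= 100:
        problems.append("confidence must be an integer between 0 and 100")
    if config.get("client_cert_required") is not True:
        problems.append("client_cert_required should be true for FS-ISAC")
    interval = config.get("initial_interval")
    if interval is not None and not INTERVAL_RE.match(str(interval)):
        problems.append(f"initial_interval '{interval}' is not <number><unit>, e.g. 7d")
    return problems


def to_yaml(config, indent=0):
    """Render the nested dict as YAML text (scalars and nested dicts only, no lists needed here)."""
    lines = []
    pad = " " * indent
    for key, value in config.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 2))
        elif isinstance(value, bool):                      # bool before int: YAML wants true/false
            lines.append(f"{pad}{key}: {'true' if value else 'false'}")
        else:
            lines.append(f"{pad}{key}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder values; replace with what FS-ISAC gives you.
    cfg = build_prototype("myuser", "myfeed", "https://<fs-isac discovery service>", initial_interval="7d")
    print(to_yaml(cfg))
    print("problems:", validate_prototype(cfg) or "none")
```

Run it once with the real username, feed name and discovery URL; a bare collection name such as `fsisac` is reported as a problem, which is the misconfiguration behind the "collection fsisac not found" error discussed further down in this thread.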
06-29-2017 03:30 AM
Hi @lmori
I need to connect with FS-ISAC but I found some issues, below:
Remark: I received the certificate from FS-ISAC.
CLIENT CERTIFICATE: CERTIFICATE -> cert.pem & PRIVATE KEY -> cert.key
I am not sure that I upload file type correctly.
Could you recommend me?
07-02-2017 01:27 AM
Hi @iThreatHunt,
could you open the two files with a text editor and check the contents?
You should see a header like this for the certificate (public key):
-----BEGIN CERTIFICATE-----
...
Did you upload the Server CA?
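As an added example (my code, not MineMeld's and not from the reply above), here is a Python script that performs the text-editor check suggested above programmatically: it lists the PEM blocks in the certificate, key and optional CA files by their `-----BEGIN ...-----` labels and reports the mistakes that stop a client-certificate miner from authenticating, such as the two files being swapped or a block whose body is not valid base64 (typically a truncated or rich-text paste). The sample PEM bodies are constructed placeholders and contain no real key material.

```python
"""Check the PEM files used for TAXII client-certificate authentication.

Added example, not MineMeld code. It only inspects PEM structure (labels and
base64 bodies); it does not parse X.509 or verify that the key matches the cert.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, body_is_valid_base64)] for every PEM block in the text."""
    found = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group("body").split())
        try:
            base64.b64decode(body, validate=True)
            ok = len(body) > 0
        except binascii.Error:
            ok = False
        found.append((match.group("label"), ok))
    return found


def check_client_cert_files(cert_text, key_text, ca_text=None):
    """Return a list of problems with the uploaded files; an empty list means they look right."""
    problems = []
    cert_blocks = pem_blocks(cert_text)
    key_blocks = pem_blocks(key_text)
    cert_labels = [label for label, _ in cert_blocks]
    key_labels = [label for label, _ in key_blocks]

    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file contains no CERTIFICATE block")
    if any("PRIVATE KEY" in label for label in cert_labels):
        problems.append("certificate file contains a private key (files swapped?)")
    if not any("PRIVATE KEY" in label for label in key_labels):
        problems.append("key file contains no PRIVATE KEY block")
    if ca_text is not None and "CERTIFICATE" not in [label for label, _ in pem_blocks(ca_text)]:
        problems.append("CA file contains no CERTIFICATE block")
    for label, ok in cert_blocks + key_blocks:
        if not ok:
            problems.append(f"{label} block body is not valid base64 (truncated or rich-text paste?)")
    return problems


# Constructed placeholders: the bodies are plain base64 text, not a real certificate or key.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_FAKE_BODY}\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_pem.py cert.pem cert.key [ca.pem]
    texts = [open(path, encoding="utf-8", errors="replace").read() for path in sys.argv[1:4]]
    if len(texts) < 2:
        print("usage: check_pem.py cert.pem cert.key [ca.pem]")
        sys.exit(2)
    for problem in check_client_cert_files(*texts) or ["files look structurally OK"]:
        print(problem)
```

If the script reports that the key file holds a `CERTIFICATE` block and the certificate file a `PRIVATE KEY` block, the two uploads were simply reversed; a base64 complaint usually means the file was copied through a mail client or editor that altered it, so re-download the original.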
07-02-2017 10:30 PM
Hi @lmori
taxii.py (from minemeld.core): I uploaded following this code (.pem & .crt)
Node Configuration: success
But this node cannot retrieve data from FS-ISAC. Where is the application log for investigation?
07-03-2017 12:06 AM
Hi @iThreatHunt,
you can check the logs downloading minemeld-engine.log from System > Dashboard > Engine > Logs.
Could you check on the FS-ISAC WebUI what is the time of the last indicator in the feed you are polling? By default, the first time the Miner polls the source it polls the last day's worth of indicators; if you want to go further back in time you should configure the initial_interval parameter in the prototype:
initial_interval: 7d
07-04-2017 07:06 PM
Thanks @lmori. It works.
08-03-2017 03:27 AM
Hi @lmori
I have one similar problem synchronizing local minemeld with fsisac cyber repository.
"collection fsisac not found" appears when MineMeld tries to poll the ISAC.
Any idea?
Thanks.
08-04-2017 03:32 AM
Hi @xgil2017,
I think the collection name is wrong, it should be in the form <fs-isac username>.<feedname>
Luigi
08-17-2017 07:40 AM
Hi Luigi,
I am stuck here, not sure what this error code means
01-18-2018 01:50 AM - edited 01-18-2018 01:53 AM
Hi Luigi @lmori
I have followed your configuration and got all data with share_level=red.
BTW, my customer would like to have all share_level=green data.
I have customized the prototype as in the attached screenshot and the commit failed.
Could you please suggest the correct configuration?
Thanks
Nattapon
07-06-2018 11:49 AM
Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.
The URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into MineMeld? Can you provide some details about how to find the required info for populating the variables here?
TIA
10-17-2018 09:49 AM - edited 10-17-2018 09:51 AM
Hi
I'm running MineMeld 0.9.50 on the latest RHEL 7.5.
Now I tried to attach the FS-ISAC feed; username, feed, cert all seem to be fine.
When I manually pull the feed from the Node, "LAST RUN" receives the State ERROR: 'module' object has no attribute 'sslwrap'.
/opt/minemeld/log/minemeld-engine.log tells me:
2018-10-17T18:30:40 (12180)basepoller._polling_loop INFO: Polling fs-isac-soltra-feed
2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for fs-isac-soltra-feed: 'module' object has no attribute 'sslwrap'
Traceback (most recent call last):
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 721, in _poll
    performed = self._polling_loop()
  File "/opt/minemeld/engine/core/minemeld/ft/basepoller.py", line 571, in _polling_loop
    iterator = self._build_iterator(now)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 1131, in _build_iterator
    self._discover_services(tc)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 292, in _discover_services
    resp = self._call_taxii_service(self.discovery_service, tc, request)
  File "/opt/minemeld/engine/core/minemeld/ft/taxii.py", line 282, in _call_taxii_service
    port=port
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 337, in call_taxii_service2
    response = urllib.request.urlopen(req)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 363, in https_open
    return self.do_open(self.get_connection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/libtaxii/clients.py", line 443, in connect
    ca_certs=self.ca_certs)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 410, in wrap_socket
    ciphers=ciphers)
  File "/opt/minemeld/engine/current/lib/python2.7/site-packages/gevent/_ssl2.py", line 84, in __init__
    self._sslobj = _ssl.sslwrap(self._sock, server_side,
AttributeError: 'module' object has no attribute 'sslwrap'
Maybe someone else ran into the same/similar issue and knows how to fix this?
It seems to be related to the Python code handling the certificate/SSL/TLS connectivity.
10-24-2018 10:54 AM
@hshawn wrote:
Where are you all even getting the feed names and discovery_service URL for the feed? I am looking all over the portal and I don't see anything with TAXII feed information anywhere in there.
The URL mentioned in this thread (analysis.fsisac.com...) does not seem to be a real thing. Anyone have a working FS-ISAC feed into MineMeld? Can you provide some details about how to find the required info for populating the variables here?
TIA
I don't know if you ever solved this, but if you don't have access to analysis.fsisac.com you'll need to request it from FS-ISAC support.
Once you have access, there's a Publish link at the top of the page that allows you to create your own custom feed based on the information you want (URLs, IPs, file hashes, etc.) and other criteria. You'll use the feed name combined with your credentials to access it.
HTH
10-25-2018 10:00 PM - edited 10-25-2018 10:01 PM
FYI, in case anyone runs into this issue I described earlier:
/opt/minemeld/log/minemeld-engine.log tells me:
2018-10-17T18:30:41 (12180)basepoller._poll ERROR: Exception in polling loop for <your miner node>: 'module' object has no attribute 'sslwrap'
This can be solved by replacing MineMeld's internal Python "gevent" with a newer version.
For whatever reason, MineMeld brings its own "gevent" in /opt/minemeld/engine/current/lib/python2.7/site-packages/gevent; this outdated gevent version seems to cause issues with the Python version installed on RHEL 7.
Just install the latest version (pip install --upgrade gevent) and then replace the MineMeld "gevent" with the new version from /usr/lib64/python2.7/site-packages/gevent.
After that the FS-ISAC Feed/Miner (and also other feeds requiring certificate authentication) is working fine on RHEL 7.