STIX and TAXII support

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

STIX and TAXII support

L2 Linker

Hi all,

 

Anyone used minemeld with STIX and TAXII?  While we pretty familure with STIX/TAXII - only just booted minemeld for the first time.

 

Cheers,

 

Scotty

36 REPLIES 36

Hi Scotty,

I could easily add support for the those additional indicator types, if you could send me an email we can talk about the detailed requirements. My email is lmori@paloaltonetworks.com

 

Thanks,

luigi

L2 Linker

Will do!

For the posterity: client certificates are supported in TAXII miner since MM version 0.9.12

Hey Luigi,

 

Is there anyway for the inital poll to be for a longer historic period?

 

It just does an hour prior to current time.

 

So the last year or two of data is not pulled in - becuse the begin and end timestamp is only the previous hour to when the job was run.

 

Cheers,

SCotty

Not yet, but it is a while I wanted to expose it to the config. 

ER minemeld-core #18 has been created to track this, it should make into the next minor release.

This has been implemented in MineMeld v0.9.14 (minemeld-core ER #18)

L2 Linker

Hey Luigi,

 

Has the deployment changed on vmware?  I was trying to do a fresh deployment and can't get it to play ball today.

 

I was working from this https://live.paloaltonetworks.com/t5/MineMeld-Articles/Running-MineMeld-on-VMWare-desktop/ta-p/72038

 

using the 0.9.4 iso and it bombs out during the install after initial login with nothing in the autoupdate log to tell me what went wrong.

 

I've used this method probably half a dozen times in the last few months with out issue - but its failed 3 times in a row today?

 

Cheers,

 

Scotty

Hi ScottyAU,

I have just retested it and works in my environment.

Please, could you take a look at the contents of the file /var/log/cloud-config-output.log ?

 

Thanks,

luigi

Hey Luigi,

 

Looks reasonably ok in there - only 1 error around:

 

Errors were encountered while processing:
libksi0
libksi1

 

All of the minemeld stuff comes down ok looking at the log,  but hitting the box on 443 gives me a 404 from nginix.

 

Looking in /opt/minemeld/www/ that directory is empty - which is what is casuing the 404 (no /current/index.html or anything else).

 

Cheers!

So after fixing the host with an apt-get install -f (which removes libksi0 and keeps libksi1)  i tried a manual reinstall of all the minemeld lib debs listed in the log.

 

I then get this:

 

Selecting previously unselected package libksi0.
dpkg: regarding libksi0_3.2.2.0-0adiscon3trusty1_amd64.deb containing libksi0:
libksi0 breaks libksi1
libksi1 (version 3.4.0.5.adiscon1-0adiscon1trusty1) is present and installed.

 

Not sure if this *the* problem or just *a* problem.  If i pick adiscon based on libksi1 and go with that (remove libksi0 and the adiscon based on it), and then grab and install https://s3-us-west-2.amazonaws.com/minemeld/minemeld_0.9.4_amd64.deb

 

I get no errors - but still nothing under /opt/minemeld/www/

 

I think there should be a symlink for current in there?  (and /engine and /prototype)?

 

Scotty

Hi ScottyAU,

please could you unicast me the cloud-config-output.log file ?

 

Thanks !

luigi

Emailed - thanks mate.

Hey Luigi,

 

Did that log give you any leads as to the issue?

 

Cheers,

 

Scotty

I am trying to implement a feed using  (Stix  and Taxii) and I am having a hard time pulling the feeds. I used a prototype for taxii as an example. And I am still retrieving an error. I have included the password and username in the node config but once again I am still receiving an error. 

Hi @pjames_ucla,

would you mind sending me the minemeld-engine.log file over at lmori@paloaltonetworks.com ?

I would like to take a look at the error. Or we can set up a webmeeting to troubleshoot it.

 

Thanks,

luigi

  • 28984 Views
  • 36 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!