08-16-2016 12:58 PM
Hi,
I have tried MineMeld with a few miners and output to the inboundfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to the SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured ET.compromisedIP and DShield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in the PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.
08-16-2016 02:17 PM - edited 08-16-2016 02:18 PM
@lmori we use McAfee ESM. We already have one threat feed configured for the hailataxii feed (http://hailataxii.com/taxii-discovery-service). The current feed is configured as POST (and Collection Name). I don't see any URL to pull the data the way it is for DBL based output nodes.
08-16-2016 02:24 PM
Hi Sly_Cooper,
Default output nodes do not support TAXII. But you can create new output nodes based on stdlib.taxiiDataFeed and attach them to your aggregators to support TAXII.
Then you can query the MineMeld TAXII Discover Service at https://<minemeld>/taxii-discovery-service to retrieve the list of currently configured TAXII feeds.
I am working on the documentation for the TAXII output nodes, stay tuned 🙂
08-16-2016 02:42 PM - edited 08-16-2016 03:03 PM
@lmori Thank you.
I have configured a custom aggregator node based on stdlib.aggregatorIPv4Generic and a custom output node based on stdlib.taxiiDataFeed. I am using the DShield block list as miner. The SIEM just says Error and hostname while adding the feed.
I am also suspecting an issue with the self-signed SSL cert.
08-17-2016 02:25 PM
Please, could you post the full error message you get back from the SIEM?
08-18-2016 09:50 AM
Hi @lmori,
The web ui just shows "Error and hostname on next line" when we try "Test Connection". I will see if there is way to get raw log from the system.
08-19-2016 05:16 AM
Hi Sly_Cooper,
I don't have access to a McAfee SIEM but this config should work:
Type: TAXII
URL: https://<minemeldip>/taxii-discovery-service
Authentication: None
Method: POST
Ignore Invalid Certificate: Checked (if you have changed the cert with a valid one you should uncheck this)
Collection Name: <name of the TAXII output node>
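To tell a SIEM-side problem apart from a MineMeld-side one, the check below sends the same TAXII 1.1 discovery POST the SIEM "Test Connection" sends and lists the services MineMeld advertises. It is an added example, not code from this thread or from MineMeld; the URL passed to discover(), the verify_cert flag and the SAMPLE_RESPONSE are assumptions, and the sample is constructed rather than captured from a real instance.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# TAXII 1.1 XML binding namespace and the headers the spec requires on every request.
TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

# Constructed sample of a discovery response (not captured from MineMeld); lets the parser run offline.
SAMPLE_RESPONSE = (
    f'<taxii_11:Discovery_Response xmlns:taxii_11="{TAXII_NS}" message_id="2" in_response_to="1">'
    '<taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" available="true">'
    '<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>'
    '<taxii_11:Address>https://minemeld.example/taxii-collection-management-service</taxii_11:Address>'
    '<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>'
    '</taxii_11:Service_Instance></taxii_11:Discovery_Response>'
).encode()

def build_discovery_request(message_id="1"):
    """Minimal TAXII 1.1 Discovery_Request body, POSTed the way the SIEM does it."""
    return (f'<taxii_11:Discovery_Request xmlns:taxii_11="{TAXII_NS}" '
            f'message_id="{message_id}"/>').encode()

def parse_discovery_response(body):
    """Return one dict per advertised Service_Instance (type, availability, address)."""
    root = ET.fromstring(body)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError(f"not a TAXII 1.1 Discovery_Response: {root.tag}")
    return [{"type": inst.get("service_type"),
             "available": inst.get("available", "true") == "true",
             "address": inst.findtext(f"{{{TAXII_NS}}}Address")}
            for inst in root.findall(f"{{{TAXII_NS}}}Service_Instance")]

def discover(url, verify_cert=True, timeout=10):
    """POST a discovery request to the MineMeld discovery service and list its services."""
    ctx = ssl.create_default_context()
    if not verify_cert:  # only while the default self-signed certificate is still in place
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=build_discovery_request(),
                                 headers=TAXII_HEADERS, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_discovery_response(resp.read())
```

A 400 from discover() with the body "Missing X-Server header" or "Invalid message" therefore comes from MineMeld itself, not from the SIEM's feed definition.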
08-22-2016 03:31 PM
I have configured the required settings. Here is the new error.
ERROR
Error issuing TAXII request, HTTP response code: 400: Missing X-Server header
08-29-2016 01:33 AM - edited 08-29-2016 01:34 AM
Hi Sly_Cooper,
thanks for the additional log. I have found the issue, it's an oversight in the nginx config. It will be fixed in the next release.
Meanwhile as a workaround you can edit the file /opt/minemeld/local/config/wsgi.yml and add the TAXII_HOST variable. The value should be the IP address of your MineMeld instance. Example if your MineMeld instance has IP 192.168.55.172:
# this should be commented in production !
DEBUG: true
API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd
SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"
TAXII_HOST: 192.168.55.172
After changing the file you should reload MineMeld Web API using the command:
sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf restart minemeld-web
Thanks!
luigi
08-29-2016 08:46 AM
@lmori I have got the required configuration updated in the config file. Please note that the command to reload the MineMeld API worked fine in the CLI, however there was a warning in the GUI, "Error loading config", and indicators went to "0". I restarted the VM and the GUI loaded fine with all required nodes with indicator data. Now the error has changed on the SIEM. I am not sure if the MineMeld configuration needs further tweaking.
ERROR Error issuing TAXII request, HTTP response code: 400: Invalid message
08-29-2016 08:55 AM
08-29-2016 10:12 AM
@Sly_Cooper that error message typically happens when you try to access a TAXII feed that does not exist. Could you post a screenshot of your MM config and the config of the McAfee SIEM?
Thanks!
luigi
08-29-2016 12:50 PM - edited 08-29-2016 12:51 PM
McAfee SIEM Config and error