I have tried MineMeld with a few miners and output to the inboundfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to a SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured ET.compromisedIP and DShield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in the PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.
Default output nodes do not support TAXII. But you can create new output nodes based on stdlib.taxiiDataFeed and attach them to your aggregators to support TAXII.
Then you can query the MineMeld TAXII Discover Service at https://<minemeld>/taxii-discovery-service to retrieve the list of currently configured TAXII feeds.
I am working on the documentation for the TAXII output nodes, stay tuned 🙂
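Querying the discovery service the way a SIEM or a script would, as an added example that is not part of this thread or of MineMeld. The endpoint path comes from the reply above; the host, message id and sample response are constructed, and the TLS option mirrors the "ignore invalid certificate" setting used for a self-signed cert.

```python
# Added example (not from the thread or MineMeld): query a MineMeld TAXII 1.1
# discovery service and list the services it advertises. Host, message id and
# the sample response are constructed; the endpoint path is from the thread.
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = "{http://taxii.mitre.org/messages/taxii_xml_binding-1.1}"
HEADERS = {  # TAXII 1.1 over HTTPS, XML message binding
    "Content-Type": "application/xml",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

def build_discovery_request(message_id: str) -> bytes:
    """Body the discovery endpoint expects: an empty Discovery_Request."""
    ET.register_namespace("taxii_11", NS[1:-1])
    root = ET.Element(NS + "Discovery_Request", message_id=message_id)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def parse_discovery_response(body: bytes) -> list:
    """Return (service_type, address, available) for each advertised service;
    check that the addresses carry a host your SIEM can actually reach."""
    root = ET.fromstring(body)
    if root.tag != NS + "Discovery_Response":
        raise ValueError("unexpected TAXII message: " + root.tag)
    return [(si.get("service_type"), si.findtext(NS + "Address", ""),
             si.get("available", "true") == "true")
            for si in root.findall(NS + "Service_Instance")]

def discover(base_url: str, verify_tls: bool = True) -> list:
    """POST the request; verify_tls=False is the equivalent of the SIEM's
    'Ignore Invalid Certificate' box for a self-signed MineMeld cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(base_url + "/taxii-discovery-service",
                                 data=build_discovery_request("1"),
                                 headers=HEADERS, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_discovery_response(resp.read())

# Constructed sample response, shaped like a TAXII 1.1 Discovery_Response.
SAMPLE = b"""<taxii_11:Discovery_Response message_id="7" in_response_to="1"
 xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
 <taxii_11:Service_Instance service_type="POLL" available="true">
  <taxii_11:Address>https://192.168.55.172/taxii-poll-service</taxii_11:Address>
 </taxii_11:Service_Instance></taxii_11:Discovery_Response>"""
```

Run `discover("https://<minemeld>")` against a live instance, or `parse_discovery_response(SAMPLE)` offline to see the parsed service list.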
@lmori Thank you.
I have configured a custom aggregator node based on stdlib.aggregatorIPv4Generic and a custom output node based on stdlib.taxiiDataFeed. I am using the DShield block list as miner. The SIEM just says Error and hostname while adding the feed.
I am also suspecting an issue with the self-signed SSL cert.
I don't have access to a McAfee SIEM but this config should work:
Ignore Invalid Certificate: Checked (if you have replaced the cert with a valid one you should uncheck this)
Collection Name: <name of the TAXII output node>
Thanks for the additional log. I have found the issue, it's an oversight in the nginx config. It will be fixed in the next release.
Meanwhile, as a workaround you can edit the file /opt/minemeld/local/config/wsgi.yml and add the TAXII_HOST variable. The value should be the IP address of your MineMeld instance. For example, if your MineMeld instance has IP 192.168.55.172:
# this should be commented in production !
DEBUG: true
API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd
SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"
TAXII_HOST: 192.168.55.172
After changing the file you should reload MineMeld Web API using the command:
sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf restart minemeld-web
@lmori I have got the required configuration updated in the config file. Please note that the command to reload the MineMeld API worked fine in the CLI; however, there was a warning in the GUI "Error loading config" and indicators went to "0". I restarted the VM and the GUI loaded fine with all required nodes with indicator data. Now the error has changed on the SIEM. I am not sure if the MineMeld configuration needs further tweaking.
ERROR Error issuing TAXII request, HTTP response code: 400: Invalid message