FS-ISAC New STIX/TAXII Feeds

L0 Member


Good Morning All,

I am trying to configure our MineMeld system to use the new FS-ISAC STIX/TAXII feed, but it's giving me issues. Has anyone successfully configured MineMeld to pull information from FS-ISAC recently? I added a sample of the config settings that I am using and a screenshot of the error message.

 

Config Settings

    age_out:
        default: last_seen+30d
        sudden_death: false
    attributes:
        confidence: 50
        share_level: green
    collection: <feedname>
    discovery_service: <fs-isac discovery service>

 

Error Message


<urlopen error [SSL: TLSV1_ALERT_INTERNAL_ERROR] TLSV1 ALERT INTERNAL ERROR (_SSL.C:726)>

 

 


L7 Applicator

I have improved the minemeld-taxii-ng extension to improve compatibility with FS-ISAC feeds. You can do this to configure your MineMeld for FS-ISAC:

 

  1. In System, click on the Extensions tab and click on "git".
  2. Use https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git as Repository URL and click Retrieve. Select 0.2a4 as version (or greater). Click Install.
  3. Activate the extension.
  4. In System, Dashboard, restart the API.
  5. Now we need to create a prototype: click on Config and then the hamburger icon at the bottom right.
  6. Search for the taxiing.phishtank prototype.
  7. Click on NEW.
  8. Change the configuration, removing username and password and inserting the STIXv1 collection name and TAXII discovery service URL. Click OK when done.
  9. Create a new node from the new prototype by clicking on CLONE, and Commit the config.
  10. Once the engine has restarted, click on Nodes and the new Miner. Configure Username and Password for the feed and then click the poll icon.
L1 Bithead

Hi Sir,

 

We are trying to integrate FS-ISAC threat feeds into our MineMeld instance. In the 4th step, you mentioned restarting the API. I did the same and got a Bad Gateway error. I thought of logging out and logging back in to see if that resolves the issue. However, after logging out of the instance, it is not allowing me to log back in. I am still getting the Bad Gateway error. Requesting your quick help here, as we have critical data in MineMeld and it is not working.

L7 Applicator

Could you check /opt/minemeld/log/minemeld-web.log for errors?

If you don't see anything and you want to quickly restore try this:

 

/opt/minemeld/engine/current/bin/pip uninstall minemeld_taxii_ng

and then restart the instance

L1 Bithead

Hi,

 

Thanks for the quick turnaround. I have attached minemeld-web.log to this case. I have removed most of the unnecessary logs and attached the ones that are required for this case. Can you have a look at it and let me know how to proceed further?

L7 Applicator

I think the problem is that you are running a pretty old version of MineMeld (0.9.52.post1) and I didn't set the right constraint in the extension.

I would go ahead and uninstall minemeld-taxii-ng using my instructions above.

After upgrading your MineMeld version to a recent one, you will be able to use the extension.

 

 

L1 Bithead

Sure, I will try that. Can you give me the instructions for upgrading MineMeld?

L1 Bithead

I am running Ubuntu 14.04.5 LTS; do you suggest upgrading that as well? If yes, to which version do you suggest upgrading?

Can you give me the instructions on how to upgrade to the latest version of MineMeld on a compatible Ubuntu version?

L1 Bithead

While trying to uninstall minemeld_taxii_ng, I got the error below.

 

ubuntu@ip-addresss:/opt/minemeld/engine/current/bin$ pip uninstall minemeld_taxii_ng
Cannot uninstall requirement minemeld-taxii-ng, not installed
Storing debug log for failure in /home/ubuntu/.pip/pip.log

 

Requesting your help to resolve the error
