STIX and TAXII support


Re: STIX and TAXII support

This would be very helpful for those of us in the Financial Industry who want to pull in the FS-ISAC feed.

L7 Applicator

Re: STIX and TAXII support

Hi MGBerkowitz,

I will work on it. We already have customers collecting FS-ISAC indicators in Soltra Edge and then using MineMeld to enforce active indicators from Soltra Edge on our NGFW platforms. This way they can conduct manual analysis of indicators on Soltra Edge and use MineMeld to select the active indicators.

I will keep you posted on the progress of this feature.

Thanks,

luigi

L2 Linker

Re: STIX and TAXII support

Ok so I hacked in certificate support this afternoon. This is just that - a hack (it's not configurable and uses the same cert for any TAXII collection).

Once the changes were made I cloned the existing halitaxii prototype and created one with the relevant URL, user creds and collection name. Worked first go!

Does anyone have a list of what STIX vocab is supported by MineMeld? It pulled a chunk of data in - but only showed a very small subset of indicators as a result. Guessing it doesn't understand everything we publish. Would be great to get a list so we know what is and isn't supported (and possibly suggest some additions) :)

/opt/minemeld/engine/current/lib/python2.7/site-packages/minemeld/ft/taxii.py

def configure(self):
        super(TaxiiClient, self).configure()

        self.discovery_service = self.config.get('discovery_service', None)
        self.username = self.config.get('username', None)
        self.password = self.config.get('password', None)
++        self.key_file = '/opt/certs/browsc-key.pem'
++        self.cert_file = '/opt/certs/browsc-cert.pem'
        self.collection = self.config.get('collection', None)
        self.prefix = self.config.get('prefix', self.name)
        self.ca_file = self.config.get('ca_file', None)
        self.confidence_map = self.config.get('confidence_map', {
            'low': 40,
            'medium': 60,
            'high': 80
        })

    def _build_taxii_client(self):
        result = libtaxii.clients.HttpClient()

        up = urlparse.urlparse(self.discovery_service)

        if up.scheme == 'https':
            result.set_use_https(True)

        if self.username and self.password:
++            result.set_auth_type(libtaxii.clients.HttpClient.AUTH_CERT_BASIC)
--            result.set_auth_type(libtaxii.clients.HttpClient.AUTH_BASIC)
            result.set_auth_credentials({
                'username': self.username,
++                'password': self.password,
--                'password': self.password
++                'key_file': self.key_file,
++                'cert_file': self.cert_file
            })

        if self.ca_file is not None:
            result.set_verify_server(
                verify_server=True,
                ca_file=self.ca_file
            )

        return result
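
Review bot: the client key and certificate paths at `self.key_file = '/opt/certs/browsc-key.pem'` and `self.cert_file = '/opt/certs/browsc-cert.pem'` are hard-coded in `configure` rather than read from the node config the way `ca_file` is on the line `self.ca_file = self.config.get('ca_file', None)`, so every TAXII node in the engine presents the same certificate and a private-key path ends up in engine code instead of per-node config; suggest `self.key_file = self.config.get('key_file', None)` and `self.cert_file = self.config.get('cert_file', None)`. In `_build_taxii_client`, the unconditional switch from `AUTH_BASIC` to `AUTH_CERT_BASIC` inside `if self.username and self.password:` means a collection with only a username and password now also sends `key_file`/`cert_file`; selecting `AUTH_CERT_BASIC` only when both files are set and keeping `AUTH_BASIC` otherwise would let existing password-only collections keep working. The key file should also be readable only by the user the engine runs as, since its path is now part of the node's configuration surface.
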
L7 Applicator

Re: STIX and TAXII support

Hi ScottyAU,

That's great! Thanks for testing this. I will include something similar in the next release.

Currently the TAXII Miner supports indicators with observables of type DomainNameObjectType, AddressObjectType, URIObjectType. It can easily be extended to support additional types.

What type of indicators are you receiving via TAXII?

Thanks,

luigi

L2 Linker

Re: STIX and TAXII support

Hi Luigi,

These are STIX packages that we (CERT Australia) currently produce and push out to partners. We're looking at MineMeld in the event we have any partner companies that want to use it to talk to us.

The STIX elements we use are:

* Package
* Indicator
* CourseOfAction
* TTP
* KillChain / KillChainPhase

Our Indicators typically contain one or more CybOX Observables, each of which describes a CybOX Object. Our STIX packages will potentially include the following CybOX Object types:

* Address
* DomainName
* EmailAddress
* EmailMessage
* File
* HTTPSession
* SocketAddress
* URI
* WinRegistryKey

Cheers,

Scotty
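As an added example (not MineMeld's own code and not from either poster), the extractor below shows, on a constructed STIX 1.x package, what a miner that only understands the three observable types luigi listed (DomainNameObjectType, AddressObjectType, URIObjectType) would pull out of a package carrying Scotty's object list, and which objects it would silently skip. The namespace URIs are the standard STIX 1.1 / CybOX 2.1 ones; the indicator labels ('IPv4', 'IPv6', 'domain', 'URL'), the value-element mapping and the sample package are assumptions made for this example.

```python
"""Added example (not MineMeld code): pull the observable types the TAXII
miner understands out of a STIX 1.x package and count what it would skip.

Namespace URIs are the standard STIX 1.1 / CybOX 2.1 ones. The indicator
labels and the sample package below are constructed for this example.
"""
from collections import Counter
import xml.etree.ElementTree as ET

NS_CYBOX = 'http://cybox.mitre.org/cybox-2'
NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
NS_ADDR = 'http://cybox.mitre.org/objects#AddressObject-2'
NS_DOMAIN = 'http://cybox.mitre.org/objects#DomainNameObject-1'
NS_URI = 'http://cybox.mitre.org/objects#URIObject-2'

# xsi:type local name -> (assumed indicator label, element carrying the value)
SUPPORTED = {
    'AddressObjectType': ('IPv4', '{%s}Address_Value' % NS_ADDR),
    'DomainNameObjectType': ('domain', '{%s}Value' % NS_DOMAIN),
    'URIObjectType': ('URL', '{%s}Value' % NS_URI),
}


def extract_indicators(stix_xml):
    """Return (indicators, skipped): indicators is a list of (label, value)
    tuples in document order; skipped counts the xsi:types with no handler
    (or an empty value), which is what makes a feed "lose" indicators."""
    root = ET.fromstring(stix_xml)
    indicators = []
    skipped = Counter()
    for props in root.iter('{%s}Properties' % NS_CYBOX):
        xsi_type = props.get('{%s}type' % NS_XSI, '')
        # 'AddressObj:AddressObjectType' -> 'AddressObjectType'
        local = xsi_type.split(':', 1)[-1] or '(untyped)'
        if local not in SUPPORTED:
            skipped[local] += 1
            continue
        label, value_tag = SUPPORTED[local]
        value_el = props.find(value_tag)
        value = (value_el.text or '').strip() if value_el is not None else ''
        if not value:
            skipped[local + ' (empty)'] += 1
            continue
        # AddressObjectType covers IPv4, IPv6, MAC, ... via its @category
        if local == 'AddressObjectType' and props.get('category') == 'ipv6-addr':
            label = 'IPv6'
        indicators.append((label, value))
    return indicators, skipped


# Constructed sample: supported objects plus some the miner would skip.
SAMPLE_PACKAGE = """<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv6-addr">
    <AddressObj:Address_Value>2001:db8::1</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
    <DomainNameObj:Value>example.test</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType"/>
  </cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="URIObj:URIObjectType">
    <URIObj:Value>http://example.test/landing</URIObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:File_Name>sample.exe</FileObj:File_Name>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType"/>
  </cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == '__main__':
    found, missed = extract_indicators(SAMPLE_PACKAGE)
    for label, value in found:
        print('indicator %-6s %s' % (label, value))
    for xsi_type, n in sorted(missed.items()):
        print('skipped   %d x %s' % (n, xsi_type))
```

Running the extractor against a real package from a feed and printing the `skipped` counter is the quickest way to answer the question in this thread: it tells you exactly which object types the feed publishes that the miner has no handler for, so the gap between "chunk of data pulled in" and "small subset of indicators shown" is visible before anything is enforced.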

L7 Applicator

Re: STIX and TAXII support

Hi Scotty,

I could easily add support for those additional indicator types; if you could send me an email we can talk about the detailed requirements. My email is lmori@paloaltonetworks.com

Thanks,

luigi

L2 Linker

Re: STIX and TAXII support

Will do!

L7 Applicator

Re: STIX and TAXII support

For posterity: client certificates are supported in the TAXII miner since MM version 0.9.12

L2 Linker

Re: STIX and TAXII support

Hey Luigi,

Is there any way for the initial poll to be for a longer historic period?

It just does an hour prior to current time.

So the last year or two of data is not pulled in - because the begin and end timestamps are only the previous hour to when the job was run.

Cheers,

Scotty

L7 Applicator

Re: STIX and TAXII support

Not yet, but I have wanted to expose it in the config for a while.

ER minemeld-core #18 has been created to track this; it should make it into the next minor release.
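As an added example (not MineMeld code and not the change tracked by the ER above), the helper below shows the poll-window logic Scotty's question is about: a fixed one-hour look-back on the first poll, replaced by a look-back read from the node config, with later polls continuing from the end of the previous window and a large backfill split into bounded chunks. The config key `initial_interval_hours`, the chunking behaviour and the example timestamps are assumptions made for this example.

```python
"""Added example (not MineMeld code): compute TAXII poll windows so the
first poll can reach back a configurable period instead of a fixed hour,
and later polls resume from where the previous one ended."""
from datetime import datetime, timedelta, timezone

# The behaviour described in the thread: first poll covers only the last hour.
DEFAULT_INITIAL_INTERVAL = timedelta(hours=1)

# Constructed reference time and spans used by the demo below.
EXAMPLE_NOW = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)
ONE_WEEK = timedelta(days=7)
THREE_DAYS = timedelta(days=3)


def poll_window(now, last_end=None, initial_interval=DEFAULT_INITIAL_INTERVAL,
                max_span=None):
    """Return (begin, end) for the next poll as timezone-aware datetimes.

    last_end: end of the previous successful poll (persisted by the node),
              or None on the very first run.
    initial_interval: how far back the first poll reaches (config-driven).
    max_span: optional cap so a long backfill becomes several requests
              instead of one huge one.
    """
    if now.tzinfo is None:
        raise ValueError('now must be timezone-aware (TAXII timestamp labels are)')
    begin = now - initial_interval if last_end is None else last_end
    end = now
    if max_span is not None and end - begin > max_span:
        end = begin + max_span
    return begin, end


def window_from_config(config, now, last_end=None):
    """Read the look-back from a node config dict (key name assumed here) and
    fall back to the one-hour default when it is absent."""
    hours = config.get('initial_interval_hours', 1)
    return poll_window(now, last_end, timedelta(hours=hours))


def backfill_windows(now, initial_interval, max_span):
    """Return the successive windows needed to cover initial_interval in
    max_span chunks; each window starts where the previous one ended."""
    windows = []
    last_end = None
    while True:
        begin, end = poll_window(now, last_end, initial_interval, max_span)
        windows.append((begin, end))
        if end >= now:
            return windows
        last_end = end


if __name__ == '__main__':
    print('default first poll:', poll_window(EXAMPLE_NOW))
    print('one year from config:',
          window_from_config({'initial_interval_hours': 24 * 365}, EXAMPLE_NOW))
    for b, e in backfill_windows(EXAMPLE_NOW, ONE_WEEK, THREE_DAYS):
        print('backfill chunk: %s -> %s' % (b.isoformat(), e.isoformat()))
```

Persisting `last_end` after each successful poll is what prevents the window from sliding back to "now minus one hour" on every run: once the backfill has caught up, each poll picks up exactly where the previous one stopped, so nothing is missed between runs and nothing is requested twice.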
