06-24-2020 02:04 PM
Dear ALL,
I configured Trend Micro DD Director to update IOC from MineMeld TaxiiDataFeed.
Here are the details:
- I enabled http on nginx in addition to the https service. Both work fine.
- When I check the taxiiDataFeed with the following command, it works as expected.
Test Commands:
Discovery: taxii-discovery --host 10.0.11.102 --discovery /taxii-discovery-service
Polling: taxii-poll --path http://10.0.11.102/taxii-poll-service --collection TAXII-FEED
- When I click on the Discover button in the attached screenshots, MineMeld returns only the following lines and Trend Micro cannot discover MineMeld collections.
Minemeld Request:
23:58:16.415772 IP 1.1.1.1.38320 > 10.0.11.102.80: Flags [P.], seq 1:783, ack 1, win 229, options [nop,nop,TS val 441716131 ecr 1245956666], length 782: HTTP: POST /taxii-discovery-service HTTP/1.1
.T..JC.:POST /taxii-discovery-service HTTP/1.1
Host: 10.0.11.102
User-Agent: PycURL/7.43.0 libcurl/7.51.0 OpenSSL/1.0.1e zlib/1.2.7 c-ares/1.10.0 libssh2/1.4.3
Accept-Encoding: gzip
X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Protocol: urn:taxii.mitre.org:protocol:http:1.0
X-TAXII-Services: urn:taxii.mitre.org:services:1.1
Content-Type: application/xml
Accept: application/xml
X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1
Connection: Keep-Alive
Content-Length: 280
Minemeld Response:
23:58:16.422722 IP 10.0.11.102.80 > 1.1.1.1.38320: Flags [P.], seq 1:1930, ack 783, win 239, options [nop,nop,TS val 1245956673 ecr 441716131], length 1929: HTTP: HTTP/1.1 200 OK
E....!@.?.n.
..f
....P..m......:...........
JC.A.T..HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 24 Jun 2020 20:58:16 GMT
Content-Type: application/xml
Content-Length: 1649
Connection: keep-alive
X-TAXII-Protocol: urn:taxii.mitre.org:protocol:http:1.0
X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1
<taxii_11:Discovery_Response xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="3769233488082205306" in_response_to="dff3aa50-aabf-436b-af83-0bee18f13424">
<taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
<taxii_11:Address>https://10.0.11.102/taxii-discovery-service</taxii_11:Address>
<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
</taxii_11:Service_Instance>
<taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" service_version="urn:taxii.mitre.org:services:1.1" available="true">
<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
<taxii_11:Address>https://10.0.11.102/taxii-collection-management-service</taxii_11:Address>
<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
</taxii_11:Service_Instance>
<taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
<taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
<taxii_11:Address>https://10.0.11.102/taxii-poll-service</taxii_11:Address>
<taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
</taxii_11:Service_Instance>
</taxii_11:Discovery_Response>
Are there any suggestions? Why can Trend Micro not discover the collections?
Sincerely
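A consistency check over the Discovery_Response quoted above, added here as an example and not part of the original post or of MineMeld or Trend Micro: it parses the TAXII 1.1 Service_Instance entries and flags any whose advertised Address scheme does not match its Protocol_Binding, or differs from the scheme the client used to reach the discovery service. The sample XML is a trimmed copy of the captured response (constructed, two of the three services kept); the two protocol-binding URNs are the ones defined by the TAXII 1.1 HTTP Protocol Binding specification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TAXII_11 = "{http://taxii.mitre.org/messages/taxii_xml_binding-1.1}"

# Protocol-binding URNs from the TAXII 1.1 HTTP Protocol Binding spec.
HTTP_BINDING = "urn:taxii.mitre.org:protocol:http:1.0"
HTTPS_BINDING = "urn:taxii.mitre.org:protocol:https:1.0"
BINDING_FOR_SCHEME = {"http": HTTP_BINDING, "https": HTTPS_BINDING}

# Constructed sample: the Discovery_Response from the capture above, trimmed
# to two services; bindings and addresses are unchanged from the post.
SAMPLE_RESPONSE = """<taxii_11:Discovery_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="3769233488082205306" in_response_to="dff3aa50-aabf-436b-af83-0bee18f13424">
 <taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
  <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
  <taxii_11:Address>https://10.0.11.102/taxii-discovery-service</taxii_11:Address>
  <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
 </taxii_11:Service_Instance>
 <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
  <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
  <taxii_11:Address>https://10.0.11.102/taxii-poll-service</taxii_11:Address>
  <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
 </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""


def check_discovery(xml_text, client_scheme):
    """Return (service_type, address, problem) tuples for every inconsistency.

    client_scheme is the URL scheme the client used for the discovery
    request ("http" or "https"); a service whose advertised scheme differs
    forces the client to switch transports mid-conversation.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.findall(f"{TAXII_11}Service_Instance"):
        stype = svc.get("service_type")
        binding = svc.findtext(f"{TAXII_11}Protocol_Binding")
        address = svc.findtext(f"{TAXII_11}Address")
        scheme = urlparse(address).scheme
        if BINDING_FOR_SCHEME.get(scheme) != binding:
            findings.append((stype, address,
                             f"address scheme '{scheme}' does not match binding {binding}"))
        if scheme != client_scheme:
            findings.append((stype, address,
                             f"client used {client_scheme} but is pointed at {scheme}"))
    return findings
```

Running it against the captured response with `client_scheme="http"` reports every service twice; rewriting the advertised addresses to match the binding and the transport the client actually uses yields no findings.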