otx-apps-taxii's People

Contributors

angreebunny, chrisdoman, jaimeblasco

otx-apps-taxii's Issues

Errors After Adding Pulse

Caveat: I'm not running an actual TAXII client, I'm just running this in Python 2.7 natively to see what the data looks like. If running a TAXII client is required and I can't do it natively through Python, let me know and I'll make the adjustments. Thanks in advance.

I ran the connector with python otx-taxii.py first_run and then python otx-taxii.py check_new and received 0 new pulses, which was expected; I had no pulses.

I added a test private pulse and then ran python otx-taxii.py check_new and received the following error:

```
$ python otx-taxii.py check_new
Sending malicious URL
Traceback (most recent call last):
  File "otx-taxii.py", line 76, in <module>
    sendTAXII(None)
  File "otx-taxii.py", line 60, in sendTAXII
    client.push(st.to_xml(), binding, collection_names=[config.get('taxii', 'collection_name')], uri=config.get('taxii', 'uri'))
  File "/Library/Python/2.7/site-packages/cabby/client11.py", line 332, in push
    service_type=const.SVC_INBOX)
  File "/Library/Python/2.7/site-packages/cabby/abstract.py", line 138, in _execute_request
    proxy_details=self.proxy_details)
  File "/Library/Python/2.7/site-packages/cabby/dispatcher.py", line 111, in send_taxii_request
    fu = furl(url)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 869, in __init__
    self.load(url)  # Raises ValueError on invalid url.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 889, in load
    self.netloc = tokens.netloc  # Raises ValueError in Python 2.7+.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 1248, in __setattr__
    object.__setattr__(self, attr, value)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 994, in netloc
    self.port = port  # Raises ValueError on invalid port.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 1248, in __setattr__
    object.__setattr__(self, attr, value)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 938, in port
    raise ValueError("Invalid port: '%s'" % port)
ValueError: Invalid port: ''
```

I've double-checked all of my dependencies and made sure that they were on the correct version, changed the pulse from public to private and vice versa, disabled my firewall, and made sure I have a direct connection to the Internet - no dice.

I know it is seeing the Pulse because it returns Sending malicious URL (which is what I named it for testing).

It only happens when there is a Pulse. When I delete the Pulse, it works fine, but obviously shows 0 new pulses.

I tried to troubleshoot here https://github.com/gruns/furl/blob/master/furl/furl.py and here https://github.com/AlienVault-Labs/OTX-Apps-TAXII/blob/master/OTXv2.py (lines 42-55) but didn't get any answers.

Integrate QRadar with Alienvault OTX TAXII Feed

I am currently trying to integrate the TAXII Feed provided by Alienvault OTX into QRadar.
Now I have the problem that no IOCs are retrieved from the TAXII server.

The setup is "working", I followed the instructions described in this link: https://otx.alienvault.com/api.

The feed is shown in the list of TAXII feeds in QRadar, but just isn't polled at regular intervals and nothing is being retrieved.

Has anyone had the same issue before? And how do you select which type of IOC you want to get (IPv4, domains, etc.), because how I see it, you can only select the default Alienvault Feed (still doesn't get me anything).

Thanks

Compatibility Issue with new version of TAXII, STIX, Cybox

I first saw this issue in the forum post https://forums.soltra.com/index.php?/topic/681-alient-vault-otx/ and was able to replicate the error. I have resolved it and will submit a pull request against this issue.

submitted by qianru.c (18 September 2016 - 02:16 AM)

```
C:\Users\W\OTX-Apps-TAXII-master>python otx-taxii.py check_new
Traceback (most recent call last):
  File "otx-taxii.py", line 2, in <module>
    from StixExport import StixExport
  File "C:\Users\W\OTX-Apps-TAXII-master\StixExport.py", line 16, in <module>
    from stix.utils import set_id_namespace
ImportError: cannot import name set_id_namespace
```

submitted by mdargie (11 January 2017 - 08:25 PM)

```
Traceback (most recent call last):
  File "otx-taxii.py", line 1, in <module>
    from StixExport import StixExport
  File "/home/OTX/OTX-Apps-TAXII/StixExport.py", line 1, in <module>
    from stix.core import STIXPackage, STIXHeader
  File "/usr/lib/python2.6/site-packages/stix/__init__.py", line 5, in <module>
    from .base import Entity, EntityList, TypedList, BaseCoreComponent  # noqa
  File "/usr/lib/python2.6/site-packages/stix/base.py", line 11, in <module>
    from . import bindings, utils
  File "/usr/lib/python2.6/site-packages/stix/utils/__init__.py", line 338, in <module>
    from .nsparser import *  # noqa
  File "/usr/lib/python2.6/site-packages/stix/utils/nsparser.py", line 433, in <module>
    (ns, loc) for ns, _, loc in cybox.utils.nsparser.NS_LIST if loc
AttributeError: 'module' object has no attribute 'NS_LIST'
```

Duplicate Indicators Creation on StixExport.py

I have tried to implement STIX for AlienVault OTX by myself, to learn how to use the python-stix and cybox modules, and I used StixExport.py as a template.

According to the process to create a new indicator, for example, a URL indicator, an observable_ will be added to a new indicator and then a new indicator will be added to a package. When this process is done, <indicator:Title> and <indicator:Description> will contain information from mind.

```
mind = Indicator()
mind.description = p_indicator["description"]
mind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"])
mind.add_observable(observable_)
self.stix_package.add_indicator(mind)
```

By the way, StixExport.py also has another part that is responsible for creating and adding information to an indicator new_ind, but new_ind is not used in any part of the code. Please clarify why it needs to create both new_ind and mind when only mind is used.

```
...
new_ind = Indicator()
new_ind.description = p_indicator["description"]
...
```

OTX feed to qradar

Hi guys

I'm fairly new to this. I'm trying to integrate the OTX feed using QRadar's threat intelligence feed plugin.
However, the connection page is asking for a TAXII endpoint?
Not sure which URL to put here.

Please advise
