alienvault-otx / otx-apps-taxii
Alienvault OTX TAXII connector
Caveat: I'm not running an actual TAXII client, I'm just running this in Python 2.7 natively to see what the data looks like. If running a TAXII client is required and I can't do it natively through Python, let me know and I'll make the adjustments. Thanks in advance.
I ran the connector with `python otx-taxii.py first_run` and then `python otx-taxii.py check_new` and received `0 new pulses`, which was expected, I had no pulses.
I added a test private pulse and then ran `python otx-taxii.py check_new` and received the following error:
```
$ python otx-taxii.py check_new
Sending malicious URL
Traceback (most recent call last):
  File "otx-taxii.py", line 76, in <module>
    sendTAXII(None)
  File "otx-taxii.py", line 60, in sendTAXII
    client.push(st.to_xml(), binding, collection_names=[config.get('taxii', 'collection_name')], uri=config.get('taxii', 'uri'))
  File "/Library/Python/2.7/site-packages/cabby/client11.py", line 332, in push
    service_type=const.SVC_INBOX)
  File "/Library/Python/2.7/site-packages/cabby/abstract.py", line 138, in _execute_request
    proxy_details=self.proxy_details)
  File "/Library/Python/2.7/site-packages/cabby/dispatcher.py", line 111, in send_taxii_request
    fu = furl(url)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 869, in __init__
    self.load(url) # Raises ValueError on invalid url.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 889, in load
    self.netloc = tokens.netloc # Raises ValueError in Python 2.7+.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 1248, in __setattr__
    object.__setattr__(self, attr, value)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 994, in netloc
    self.port = port # Raises ValueError on invalid port.
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 1248, in __setattr__
    object.__setattr__(self, attr, value)
  File "/Library/Python/2.7/site-packages/furl/furl.py", line 938, in port
    raise ValueError("Invalid port: '%s'" % port)
ValueError: Invalid port: ''
```
I've double-checked all of my dependencies and made sure that they were on the correct version, changed the pulse from public to private and vice versa, disabled my firewall, and made sure I have a direct connection to the Internet - no dice.
I know it is seeing the Pulse because it returns `Sending malicious URL` (which is what I named it for testing).
It only happens when there is a Pulse. When I delete the Pulse, it works fine, but obviously shows `0 new pulses`.
I tried to troubleshoot here https://github.com/gruns/furl/blob/master/furl/furl.py and here https://github.com/AlienVault-Labs/OTX-Apps-TAXII/blob/master/OTXv2.py (line 42-55) but didn't get any answers.
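A pre-flight check for the failure in the traceback above, where furl rejects a URL whose port component is empty (an added example, not part of the original issue or of the connector's code). The function name `check_taxii_url` and the sample URLs are constructed; it uses only the Python 3 standard library and takes the final service URL as a string, because the page does not show how the connector assembles it.

```python
from urllib.parse import urlsplit


def check_taxii_url(url):
    """Return a list of problems found in a TAXII service URL ([] means OK)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return ["unparseable URL: %s" % exc]
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https, got %r" % parts.scheme)
    if not parts.hostname:
        problems.append("missing host")
    # Drop any userinfo, then isolate whatever follows the host.
    hostport = parts.netloc.rpartition("@")[2]
    if hostport.startswith("["):           # IPv6 literal: "[::1]" or "[::1]:443"
        rest = hostport.partition("]")[2]
    elif ":" in hostport:
        rest = hostport[hostport.find(":"):]
    else:
        rest = ""
    if rest.startswith(":"):
        port = rest[1:]
        if port == "":
            # This is the case that surfaces as "Invalid port: ''" in furl.
            problems.append("empty port (trailing ':' after host)")
        elif not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            problems.append("invalid port %r" % port)
    return problems


if __name__ == "__main__":
    # Constructed sample URLs (hypothetical host names).
    samples = [
        "https://taxii.example.test/services/inbox",
        "https://taxii.example.test:9000/services/inbox",
        "https://taxii.example.test:/services/inbox",
        "taxii.example.test:9000/services/inbox",
    ]
    for sample in samples:
        print(sample, "->", check_taxii_url(sample) or "OK")
```

Running the check on the URL before the connector calls `client.push` turns the deep furl traceback into a one-line configuration error.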
I am currently trying to integrate the TAXII Feed provided by Alienvault OTX into QRadar.
Now I have the problem that no IOCs are retrieved from the TAXII server.
The setup is "working", I followed the instructions described in this link: https://otx.alienvault.com/api.
The feed is shown in the list of TAXII feeds in QRadar, but just isn't polled at regular intervals and nothing is being retrieved.
Has anyone had the same issue before? And how do you select which type of IOC you want to get (IPv4, domains, etc.), because how I see it, you can only select the default Alienvault Feed (still doesn't get me anything).
Thanks
I first saw this issue in a forum post, https://forums.soltra.com/index.php?/topic/681-alient-vault-otx/, and was able to replicate the error. I have resolved it, and will submit a pull request against this issue.
submitted by qianru.c (18 September 2016 - 02:16 AM)
```
C:\Users\W\OTX-Apps-TAXII-master>python otx-taxii.py check_new
Traceback (most recent call last):
  File "otx-taxii.py", line 2, in
    from StixExport import StixExport
  File "C:\Users\W\OTX-Apps-TAXII-master\StixExport.py", line 16, in
    from stix.utils import set_id_namespace
ImportError: cannot import name set_id_namespace
```
submitted by mdargie (11 January 2017 - 08:25 PM)
```
Traceback (most recent call last):
  File "otx-taxii.py", line 1, in <module>
    from StixExport import StixExport
  File "/home/OTX/OTX-Apps-TAXII/StixExport.py", line 1, in <module>
    from stix.core import STIXPackage, STIXHeader
  File "/usr/lib/python2.6/site-packages/stix/__init__.py", line 5, in <module>
    from .base import Entity, EntityList, TypedList, BaseCoreComponent # noqa
  File "/usr/lib/python2.6/site-packages/stix/base.py", line 11, in <module>
    from . import bindings, utils
  File "/usr/lib/python2.6/site-packages/stix/utils/__init__.py", line 338, in <module>
    from .nsparser import * # noqa
  File "/usr/lib/python2.6/site-packages/stix/utils/nsparser.py", line 433, in <module>
    (ns, loc) for ns, _, loc in cybox.utils.nsparser.NS_LIST if loc
AttributeError: 'module' object has no attribute 'NS_LIST'
```
I have tried to implement STIX for AlienVault OTX by myself, to learn how to use the `python-stix` and `cybox` modules, and I used StixExport.py as a template.
According to the process to create a new indicator, for example, a URL indicator, an `observable_` will be added to a new indicator and then a new indicator will be added to a package. When this process is done, `<indicator:Title>` and `<indicator:Description>` will contain information from `mind`.
```
mind = Indicator()
mind.description = p_indicator["description"]
mind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"])
mind.add_observable(observable_)
self.stix_package.add_indicator(mind)
```
By the way, StixExport.py also has another part that is responsible for creating and adding information to an indicator `new_ind`, but `new_ind` is not used in any part of the code. Please clarify for me why it needs to create both `new_ind` and `mind` when only `mind` is used.
```
...
new_ind = Indicator()
new_ind.description = p_indicator["description"]
...
```
Hello
I am using medallion implementation of taxii (https://github.com/oasis-open/cti-taxii-server). However, I seem to be getting this error on the taxii server.
127.0.0.1 - - [13/Jun/2018 11:25:57] "POST /taxii HTTP/1.1" 405 -
Here's my configuration file
Any idea how to fix this problem?
Thanks
Hi guys
I'm fairly new to this, I'm trying to integrate OTX feed using qradar's threat intelligence feed plugin.
However, the connection page is asking for a TAXII endpoint.
Not sure which URL to put here.
Please advise.