carbonblack / cb-taxii-connector

Connector for pulling and converting STIX information from TAXII Service Providers into CB Feeds.

License: MIT License

Shell 3.95% Python 89.92% Kotlin 2.68% Dockerfile 0.66% HTML 2.80%

cb-taxii-connector's People

Contributors

zacharyestep


cb-taxii-connector's Issues

Does not recognize removed entries from a Taxii feed

I know it does not currently recognize reports (STIX) removed from a Taxii feed, but I wanted to suggest an option:

  • Request a pull from taxii with a start deep in the past (maybe leave the ability to specify the start date), and an end of now.
  • Hourly request an update for the last hour.
  • Daily, pull the entire feed again some time before the nightly CB full feed fetch
  • Let Carbon Black handle the feed management with the daily refresh

I think this will allow the Taxii feed integration to handle deleted entries from Taxii.

Possible issue with README.md

Hello,
I might just be doing it wrong, but it appears some of the sample commands in the README.md are not correct.

Line 151: /usr/share/cb/integrations/cbtaxii/cbtaxii -c /etc/cb/integrations/cbtaxii/cbtaxii.conf
This does not work for me after the latest upgrade; I get /usr/share/cb/integrations/cbtaxii/cb-taxii-connector: command not found. If instead I use /usr/share/cb/integrations/cbtaxii/bin/cb-taxii-connector -c /etc/cb/integrations/cbtaxii/cbtaxii.conf then it works.

Line 166: /usr/share/cb/integrations/cbtaxii/cbtaxii -c /etc/cb/integrations/cbtaxii/cbtaxii.conf -l
Same issue as above, but if I try the alternative path I get unrecognized arguments: -l.

Line 183: /usr/share/cb/integrations/cbtaxii/cbtaxii -c /etc/cb/integrations/cbtaxii/cbtaxii.conf --export
Same as the first issue.

If my change in pathing is correct, I would be happy to try and make the necessary changes.

Regards

TAXII connector re-enables deleted feeds in Carbon Black

If I delete a feed in the Carbon Black GUI and the integration finds the same feed on the TAXII server again, it will re-import and then enable both the deleted feed and the new feed, so it appears I have double reports. I think the integration should honor the deleted flag in the database.

subscription_id support

Have feeds that require subscription_id support. Example requirement: "For each subscription, you will receive a subscription ID. This must be present in all Poll_Requests as the value of the “subscription_id” attribute".

Parse IP:port from IP addresses in input

Some data sources report IP addresses with a port number (IP:port) in the IP address field. Right now the entire record is rejected; we should strip off the port and add the IP address in the feed instead.

IP address validation only validates lists, not individual entries

https://github.com/carbonblack/cb-taxii-connector/blob/master/cbopensource/connectors/taxii/cybox_parse.py#L169

The parsing for IPv4 addresses validates the format of lists of IPs via validate_ip_address() and fails cleanly on unexpected inputs, but does not validate individual entries. (e.g., the else block)

If an individual Address entry is malformed, it results in the bad IP address being included in the list of IOCs and a hard fail later in processing (e.g., on feed.dump()).

We should update the else block to call validate_ip_address().

Below is the stack trace that triggered this; note the IP address we tried to parse in the feed validation contains a URL. That's a bug in the feed - our bug is we failed hard instead of cleanly.

2017-05-17 08:51:11,904 Sending Poll_Request to https://analysis.foo.com/taxii-data
2017-05-17 08:51:18,787 content blocks read: 2194
2017-05-17 08:51:18,788 current number of reports: 4701
2017-05-17 08:51:18,788 Found 4701 new reports.
2017-05-17 08:51:18,804 Total number of reports: 8860
2017-05-17 08:51:19,363 Traceback (most recent call last):
  File "cbopensource/connectors/taxii/bridge.py", line 468, in runner
  File "cbopensource/connectors/taxii/bridge.py", line 446, in perform
  File "cbopensource/connectors/taxii/bridge.py", line 344, in _import_collection
  File "cbopensource/connectors/taxii/cb_feed_util.py", line 116, in build_feed_data
  File "cbfeeds/feed.py", line 28, in dump
  File "cbfeeds/feed.py", line 91, in validate
  File "cbfeeds/feed.py", line 348, in validate
CbInvalidReport: Malformed IPv4 (1.2.3.4/zeco/panelnew/gate.php) addr in IOC list for report foo-Observable-eeb1d830-ac39-49f0-9317-57ae9b42eb3b
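The two IP-handling issues above (stripping an IP:port suffix, and validating each Address entry individually so one malformed value cannot take down the whole feed on feed.dump()) can be addressed with the same per-entry normalizer. This is an added illustration, not code from cb-taxii-connector; the function names and the sample entries are constructed, and the malformed value is the one from the stack trace.

```python
import ipaddress
import logging
from typing import Iterable, List, Optional, Tuple

log = logging.getLogger(__name__)


def normalize_ipv4_ioc(raw: str) -> Optional[str]:
    """Return a validated dotted-quad IPv4 string, or None if the entry is unusable.

    Accepts a plain address and the 'IP:port' form some sources put in the
    address field (the port is dropped). Anything else, such as a URL path
    glued onto an address, is rejected here instead of failing later in dump().
    """
    value = raw.strip()
    # Strip a trailing ':port' only when it is a plausible port number.
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and int(port) <= 65535:
        value = host
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return None


def collect_ipv4_iocs(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Validate every entry on its own; return (accepted, rejected).

    Rejected entries are logged and skipped so the rest of the report survives.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for raw in entries:
        addr = normalize_ipv4_ioc(raw)
        if addr is None:
            log.warning("skipping malformed IPv4 IOC: %r", raw)
            rejected.append(raw)
        elif addr not in accepted:
            accepted.append(addr)
    return accepted, rejected


# Constructed sample Address values as a TAXII source might deliver them.
SAMPLE_ENTRIES = [
    "198.51.100.7",
    "10.0.0.5:8080",                      # IP:port, port should be dropped
    "1.2.3.4/zeco/panelnew/gate.php",     # the value from the stack trace
    "not-an-ip",
    "192.0.2.1:99999",                    # out-of-range port, whole entry rejected
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(collect_ipv4_iocs(SAMPLE_ENTRIES))
```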

Arbitrary STIX file

It would be useful to include the ability to import arbitrary STIX data from a file. Many orgs get this information by file and don't have the resources to host their own STIX server.
