This blog was authored by Alya Gomaa and originally published on her personal page.
It is common for many organisations to need to query, process and store Threat Intelligence information. For this purpose TAXII is a very good option. Since there are almost no blog posts talking about how to set up your own TAXII server, I thought this blog could help.
In particular we needed to test the exporting capabilities of our Stratosphere Linux IPS tool Slips into TAXII. So, what is TAXII?
Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers.
TAXII was specifically designed to support the exchange of CTI represented in STIX.
Our goal is to setup a TAXII server that can receive Intelligence Information and then access it using client tools.
I’ll be using EclecticIQ OpenTAXII v02.3 server in docker and the TAXII client Cabby for testing it.
Clone the repo, because we’re going to be changing some configurations instead of running the eclecticiq/opentaxii image from Docker Hub:
git clone https://github.com/eclecticiq/OpenTAXII.git
Modify configuration files
First we need to edit the file examples/data-configuration.yml. Here you can edit the username and password of the default user.
NOTE: if you add a new user using the opentaxii-create-account command from inside the container, it won’t take effect in the database. You’ll have to rebuild the image with the new user added to data-configuration.yml, or add the user directly in the database. To access the database, execute sqlite3 /data/auth.db from inside the container.
I set authentication_required of inbox_a to yes to test server authentication later. Here’s the edited part of data-configuration.yml:
services:
  - id: inbox_a
    type: inbox
    address: /services/inbox-a
    description: Custom Inbox Service Description A
    destination_collection_required: yes
    accept_all_content: yes
    authentication_required: yes
Now save, and let’s edit the Dockerfile to copy data-configuration.yml into the container. In the Dockerfile, add this line under the ENTRYPOINT command:
COPY examples/data-configuration.yml /input/data-configuration.yml
Build and run the TAXII server
Now that we have fixed everything, build and run the image:
docker build --no-cache --network=host -t opentaxii -f Dockerfile .
docker run -d --network=host opentaxii
According to the documentation, the server should now be available on localhost:9000. To check, run this command:
curl -d 'username=admin&password=admin' http://localhost:9000/management/auth
If everything’s good you should get a token; continue to the Test the server section. If not, or if you need to see the server logs, go into the container:
docker exec -ti <container-id> /bin/bash
You can get the container id using docker ps. Rerun the server using a different port:
gunicorn opentaxii.http:app --bind localhost:1234
To test it from your local computer, run:
curl -d 'username=admin&password=admin' http://localhost:1234/management/auth
You should get the token now.
Test the server
Now that the server’s up and running, here’s the Python script to test it:
from cabby import create_client

# Connect to the OpenTAXII server started with gunicorn on port 1234 above
client = create_client('localhost', use_https=False, port='1234',
                       discovery_path='/services/discovery-a')
client.set_auth(
    username='admin',
    password='admin',
    # URL used to obtain JWT token
    jwt_auth_url='/management/auth'
)

# Check the available services to make sure inbox service is there
services = client.discover_services()
print(f"Services: {services}")

# Get the data that we want to send
with open("examples/stix/stuxnet.stix.xml") as stix_file:
    stix_data = stix_file.read()

binding = 'urn:stix.mitre.org:xml:1.1.1'

# URI is the path to the inbox service we want to use in the taxii server
client.push(stix_data, binding, collection_names=['collection-a'], uri='/services/inbox-a')
print("Successfully exported to TAXII server.")
Save this in the OpenTAXII directory and run it; you should now see the services printed.
To verify that the data was pushed, run this on your local computer:
pip3 install cabby
taxii-poll --path http://localhost:1234/services/poll-a -c collection-a --username admin --password admin
You should get the contents of examples/stix/stuxnet.stix.xml.
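The same verification done from Python rather than with the taxii-poll CLI, as an added example that is not part of the original post: it polls collection-a through cabby and lists the STIX package ids it finds, so a push that silently landed in the wrong collection or with the wrong binding shows up as an empty list. It assumes cabby's ContentBlock exposes content and binding.id, and that the pushed file is a STIX 1.x document whose root STIX_Package carries an id attribute.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

STIX_XML_BINDING = "urn:stix.mitre.org:xml:1.1.1"
STIX_NS = "{http://stix.mitre.org/stix-1}"


@dataclass
class Block:
    """Minimal stand-in for cabby's ContentBlock; the field names content
    and binding.id are assumed from cabby's entities module."""
    content: bytes
    binding_id: str


def package_ids(blocks, binding=STIX_XML_BINDING):
    """Return the STIX_Package ids of the blocks that carry the expected
    content binding. Blocks with another binding or unparsable XML are
    skipped rather than raising, so one bad block does not hide the rest."""
    ids = []
    for block in blocks:
        if block.binding_id != binding:
            continue
        try:
            root = ET.fromstring(block.content)
        except ET.ParseError:
            continue
        # The root element of a STIX 1.x document is stix:STIX_Package
        if root.tag == STIX_NS + "STIX_Package":
            ids.append(root.get("id"))
    return ids


def poll_collection(host, port, collection, username, password):
    """Poll the collection with cabby and adapt each ContentBlock to Block.
    cabby is imported here so package_ids() can be exercised offline."""
    from cabby import create_client
    client = create_client(host, use_https=False, port=str(port),
                           discovery_path="/services/discovery-a")
    client.set_auth(username=username, password=password,
                    jwt_auth_url="/management/auth")
    for cb in client.poll(collection, uri="/services/poll-a"):
        yield Block(content=cb.content, binding_id=cb.binding.id)


if __name__ == "__main__":
    blocks = poll_collection("localhost", 1234, "collection-a", "admin", "admin")
    print(f"STIX packages in collection-a: {package_ids(blocks)}")
```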
Conclusion
We were able to download, modify, install and query a local TAXII server. In our case this was done to test the exporting capabilities of our Stratosphere Linux IPS tool Slips.