I have the opportunity to work with STIX documents at work. To understand them better, let's first use the client side to look at the data the server provides.
--The local environment is as follows.
```
% sw_vers
ProductName: Mac OS X
ProductVersion: 10.11.6
BuildVersion: 15G1217
% python -V
Python 2.7.13
% pip -V
pip 9.0.1 from /usr/local/lib/python2.7/site-packages (python 2.7)
% pip show libtaxii
Name: libtaxii
Version: 1.1.110
Summary: TAXII Library.
Home-page: http://taxii.mitre.org/
Author: Mark Davidson
Author-email: [email protected]
License: UNKNOWN
Location: /usr/local/lib/python2.7/site-packages
Requires: six, lxml, python-dateutil
```
--The TAXII server used is Hail a TAXII.com ( http://hailataxii.com ). The procedure follows the demo described in Hailataxii and Libtaxii Demo ( https://github.com/STIXProject/schemas/wiki/Hailataxii-and-Libtaxii-Demo ).
First of all, I want to confirm what kind of services the server offers. Visiting Hail a TAXII.com gives the following information:
・ Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
・ The discovery service is located at http://hailataxii.com/taxii-discovery-service
・ Anonymous connections are accepted.
・ Clients that require login details can use HTTP-Basic user = guest, password = guest.
Based on the above information, connect to the server to check the corresponding service.
```
% discovery_client --host hailataxii.com --path /taxii-discovery-service --username guest --pass guest
Request:
Message Type: Discovery_Request
Message ID: 7418183229071165630
Response:
Message Type: Discovery_Response
Message ID: 73726; In Response To: 7418183229071165630
=== Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
=== Service Instance ===
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
=== Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
```
First, you can see that the data is accessed through the following URL:
Service Address: http://hailataxii.com:80/taxii-data
In addition, the response lists the following service types:
・ Service Type: DISCOVERY The TAXII service is published and can be discovered.
・ Service Type: COLLECTION_MANAGEMENT Lets you check what kinds of accumulated data (collections) the server manages.
・ Service Type: POLL Lets you retrieve the accumulated data.
So these three services can be used with this server. TAXII also defines a service called `Inbox` that allows a client to push data to the server, but you can see that it is not offered here.
In 1. we found that the data types are checked through COLLECTION_MANAGEMENT.
Based on the information found so far, connect to the server to check the types next.
```
% collection_information_client --host hailataxii.com --username guest --pass guest --path /taxii-data
Request:
Message Type: Collection_Information_Request
Message ID: 4659866494431617975
Response:
Message Type: Collection_Information_Response
Message ID: 85921; In Response To: 4659866494431617975
Contains 11 Collection Informations
=== Data Collection Information ===
Collection Name: guest.Abuse_ch
Collection Type: DATA_FEED
Available: True
Collection Description: guest.Abuse_ch
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.CyberCrime_Tracker
Collection Type: DATA_FEED
Available: True
Collection Description: guest.CyberCrime_Tracker
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.EmergineThreats_rules
Collection Type: DATA_FEED
Available: True
Collection Description: guest.EmergineThreats_rules
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.EmergingThreats_rules
Collection Type: DATA_FEED
Available: True
Collection Description: guest.EmergingThreats_rules
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.Lehigh_edu
Collection Type: DATA_FEED
Available: True
Collection Description: guest.Lehigh_edu
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.MalwareDomainList_Hostlist
Collection Type: DATA_FEED
Available: True
Collection Description: guest.MalwareDomainList_Hostlist
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.blutmagie_de_torExits
Collection Type: DATA_FEED
Available: True
Collection Description: guest.blutmagie_de_torExits
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.dataForLast_7daysOnly
Collection Type: DATA_FEED
Available: True
Collection Description: guest.dataForLast_7daysOnly
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.dshield_BlockList
Collection Type: DATA_FEED
Available: True
Collection Description: guest.dshield_BlockList
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.phishtank_com
Collection Type: DATA_FEED
Available: True
Collection Description: guest.phishtank_com
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: system.Default
Collection Type: DATA_FEED
Available: True
Collection Description: system.Default
Supported Content: urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
```
This server provides 10 types of data (one of the 11 collections listed is a duplicate).
For each type you can see the data type (Collection Name) and the reference destination for that type's data (Poll Address):
・ Collection Name: guest.Abuse_ch Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.CyberCrime_Tracker Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.EmergineThreats_rules Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.Lehigh_edu Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.MalwareDomainList_Hostlist Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.blutmagie_de_torExits Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.dataForLast_7daysOnly Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.dshield_BlockList Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: guest.phishtank_com Poll Address: http://hailataxii.com:80/taxii-data
・ Collection Name: system.Default Poll Address: http://hailataxii.com:80/taxii-data
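As an added example (not code from the original post or from libtaxii), the following script parses a constructed Collection_Information_Response in the TAXII 1.1 XML message binding into the Collection Name / Poll Address table above, and flags any poll address whose scheme contradicts the declared protocol binding (the output above advertises an https:1.0 binding at an http:// address). The namespace and element names are my reading of the TAXII 1.1 binding, and the `example.Constructed` entry is invented.

```python
# Added example (not from the original post or libtaxii): parse a TAXII 1.1
# Collection_Information_Response with the stdlib and check each poll address.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"t": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}

# Constructed sample modelled on the output above (element names as in the
# TAXII 1.1 XML binding); the last entry is invented for contrast.
COLLECTION_TMPL = (
    '<t:Collection collection_name="{name}" collection_type="DATA_FEED" available="true">'
    '<t:Content_Binding binding_id="urn:stix.mitre.org:xml:1.0"/>'
    '<t:Polling_Service><t:Protocol_Binding>{proto}</t:Protocol_Binding>'
    '<t:Address>{addr}</t:Address>'
    '<t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>'
    '</t:Polling_Service></t:Collection>')
HTTPS_BINDING = "urn:taxii.mitre.org:protocol:https:1.0"
SAMPLE = [("guest.Abuse_ch", HTTPS_BINDING, "http://hailataxii.com:80/taxii-data"),
          ("guest.EmergineThreats_rules", HTTPS_BINDING, "http://hailataxii.com:80/taxii-data"),
          ("example.Constructed", HTTPS_BINDING, "https://taxii.example.com/taxii-data")]

def build_sample_response():
    body = "".join(COLLECTION_TMPL.format(name=n, proto=p, addr=a) for n, p, a in SAMPLE)
    return ('<t:Collection_Information_Response xmlns:t="%s" message_id="85921" '
            'in_response_to="4659866494431617975">%s</t:Collection_Information_Response>'
            % (NS["t"], body))

def parse_collections(xml_text):
    """One dict per <Collection>: name, type, availability, content bindings and
    the polling service's protocol binding and address (the table listed above)."""
    entries = []
    for c in ET.fromstring(xml_text).findall("t:Collection", NS):
        poll = c.find("t:Polling_Service", NS)
        entries.append({
            "name": c.get("collection_name"),
            "type": c.get("collection_type"),
            "available": c.get("available") == "true",
            "content": [b.get("binding_id") for b in c.findall("t:Content_Binding", NS)],
            "protocol": poll.findtext("t:Protocol_Binding", "", NS) if poll is not None else "",
            "address": poll.findtext("t:Address", "", NS) if poll is not None else ""})
    return entries

def transport_matches_binding(entry):
    """False when the URL scheme contradicts the declared binding, e.g. an https:1.0
    binding served at an http:// address (as advertised above), which would send
    the HTTP-Basic guest credentials in clear text."""
    declared = "https" if ":protocol:https:" in entry["protocol"] else "http"
    return urlparse(entry["address"]).scheme == declared

for e in parse_collections(build_sample_response()):
    print(e["name"], e["address"], "ok" if transport_matches_binding(e) else "scheme mismatch")
```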
We confirmed the types of data in 1. and the reference destination of the data in 2. Now, let's actually retrieve the data.
Running the following command downloads a large amount of data into the current directory, so be careful about where you run it.
```
% poll_client --host hailataxii.com --username guest --pass guest --path /taxii-data --collection guest.Abuse_ch
Request:
Message Type: Poll_Request
Message ID: 7016854206412201300
Collection Name: guest.Abuse_ch
Excl. Begin TS Label: None
Incl. End TS Label: None
=== Poll_Parameters ===
Response type: FULL
Response:
Message Type: Poll_Response
Message ID: 3510; In Response To: 7016854206412201300
Collection Name: guest.Abuse_ch
More: False
Result ID: None
Result Part Num: 1
Incl. End TS Label: 2017-03-27T14:11:06.739630+00:00
=== Content Block ===
Content Binding: urn:stix.mitre.org:xml:1.1.1
Content length: 4462
(Content not printed for brevity)
Timestamp Label: 2017-03-27 14:11:06.959883+00:00
Message: None
Padding: None
.
. (Content information)
.
File created: guest.Abuse_ch_STIX111_t2017_03_27T14_11_06_959883_00_00.xml
.
. (Created content file)
.
```
The data was actually downloaded and 14,390 files were created. Next time, I would like to look at what each command does and at the contents of the downloaded files.
Hail a TAXII.com : http://hailataxii.com
libtaxii : https://github.com/TAXIIProject/libtaxii
Hailataxii and Libtaxii Demo : https://github.com/STIXProject/schemas/wiki/Hailataxii-and-Libtaxii-Demo
--Procedure for automatic exchange of detection index information TAXII Overview: https://www.ipa.go.jp/security/vuln/TAXII.html