cancel
Showing results for 
Search instead for 
Did you mean: 

Critical Stack Threat Feeds

Hi Folks

Critical Stack has an impressive option to customise the threat feeds that one wants and then make that available in various forms. Check intel.criticalstack.com

Has anyone one used these feeds? or are they what we are getting in Taxii. From what I can see there appears to be more in the critical stack feed list.

I am starting on this today but any help will be appreciated

9 Replies
Highlighted
kmc
Level 12
Report Inappropriate Content
Message 2 of 10

Re: Critical Stack Threat Feeds

hey buddy,

have you done this???

Re: Critical Stack Threat Feeds

Not had much time to work on this I've been a little busy.

I will be working on this in the next couple of weeks.

I was hoping someone else had been able to get a start.

I wonder how much of the information is available in hail a taxii

as soon as I know morei will post here

McAfee Employee andy777
McAfee Employee
Report Inappropriate Content
Message 4 of 10

Re: Critical Stack Threat Feeds

I took a look at this for the first time last night. It looks pretty straightforward to convert the bro signatures into watchlist values and upload them. I'll poke at it if I can find some time.

Re: Critical Stack Threat Feeds

The best TAXII feeds is Hail a TAXII.com.

Hail a TAXII.com is a repository of Open Source Cyber Threat Intellegence feeds in STIX format.
There are currently 535948 indicators, last updated Thu May 19 15:06:50 2016 UTC.

AVAILABLE FEEDS

  • guest.Abuse_ch
  • guest.CyberCrime_Tracker
  • guest.EmergingThreats_rules
  • guest.Lehigh_edu
  • guest.MalwareDomainList_Hostlist
  • guest.blutmagie_de_torExits
  • guest.dataForLast_7daysOnly
  • guest.dshield_BlockList
  • guest.phishtank_com

HOW TO CONNECT

Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
The discovery service is located at http://hailataxii.com/taxii-discovery-service

Anonymous connections are accepted.
Clients that require login details can use HTTP-Basic user=guest, password=guest.

jp87
Level 9
Report Inappropriate Content
Message 6 of 10

Re: Critical Stack Threat Feeds

How do you use the TAXII service? Do you find great value using it?

d_j
Level 7
Report Inappropriate Content
Message 7 of 10

Re: Critical Stack Threat Feeds

Are you able to pull the feed right now? I have tried over half of them to no avail. Below is a shot of my configs. I have also tried "Basic" and used guest/guest for creds.

Capture.PNG

Re: Critical Stack Threat Feeds

Hi @d_j and

I do get results from TAXII which I populate into multiple watch lists. 

D_J I see you are using the GET method try using the POST method.

Also the collection name that you are using can be any of the ones listed above. however you do need to make sure that you are using the right watchlist data type for the data in the list. e.g. url or ip address or host name etc.

Have you tried the connection test?

Screen Shot 2016-06-06 at 10.09.17 AM.png

Screen Shot 2016-06-06 at 10.07.55 AM.png

jp87
Level 9
Report Inappropriate Content
Message 9 of 10

Re: Critical Stack Threat Feeds

I do have a working setup as well for the TAXII feed too, but I haven't had any value from using it yet. Many false/positives as well.

Re: Critical Stack Threat Feeds

I was just testing these setting as I wanted to add an additional list.

I see what you mean @d_j the connection test failed with a HTML 500 error. I have sent an email to the hailataxii guys to see if they are aware of the problem.

ERROR

Error issuing TAXII request, HTTP response code: 500: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>500 Internal Server Error</title>

</head><body>

<h1>Internal Server Error</h1>

<p>The server encountered an internal error or

misconfiguration and was unable to complete

your request.</p>

<p>Please contact the server administrator,

root@localhost and inform them of the time the error occurred,

and anything you might have done that may have

caused the error.</p>

<p>More information about this error may be available

in the server error log.</p>

<hr>

<address>Apache/2.2.15 (CentOS) Server at hailataxii.com Port 80</address>

</body></html>

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community