Level 7
Message 1 of 10

Critical Stack Threat Feeds

Hi Folks

Critical Stack has an impressive option to customise the threat feeds that one wants and then make that available in various forms. Check

Has anyone used these feeds? Or are they what we are getting in TAXII? From what I can see there appears to be more in the Critical Stack feed list.

I am starting on this today but any help will be appreciated.

9 Replies
Reliable Contributor
Message 2 of 10

Re: Critical Stack Threat Feeds

Hey buddy,

Have you done this?

Level 7
Message 3 of 10

Re: Critical Stack Threat Feeds

Not had much time to work on this; I've been a little busy.

I will be working on this in the next couple of weeks.

I was hoping someone else had been able to get a start.

I wonder how much of the information is available in Hail a TAXII.

As soon as I know more I will post here.

McAfee Employee
Message 4 of 10

Re: Critical Stack Threat Feeds

I took a look at this for the first time last night. It looks pretty straightforward to convert the bro signatures into watchlist values and upload them. I'll poke at it if I can find some time.

Re: Critical Stack Threat Feeds

The best TAXII feed is Hail a

Hail a is a repository of Open Source Cyber Threat Intelligence feeds in STIX format.
There are currently 535948 indicators, last updated Thu May 19 15:06:50 2016 UTC.


  • guest.Abuse_ch
  • guest.CyberCrime_Tracker
  • guest.EmergingThreats_rules
  • guest.Lehigh_edu
  • guest.MalwareDomainList_Hostlist
  • guest.blutmagie_de_torExits
  • guest.dataForLast_7daysOnly
  • guest.dshield_BlockList
  • guest.phishtank_com


Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
The discovery service is located at

Anonymous connections are accepted.
Clients that require login details can use HTTP-Basic user=guest, password=guest.

Level 9
Message 6 of 10

Re: Critical Stack Threat Feeds

How do you use the TAXII service? Do you find great value using it?

Level 7
Message 7 of 10

Re: Critical Stack Threat Feeds

Are you able to pull the feed right now? I have tried over half of them to no avail. Below is a shot of my configs. I have also tried "Basic" and used guest/guest for creds.


Level 7
Message 8 of 10

Re: Critical Stack Threat Feeds

Hi @d_j and

I do get results from TAXII which I populate into multiple watch lists. 

D_J, I see you are using the GET method; try using the POST method.

Also, the collection name that you are using can be any of the ones listed above. However, you do need to make sure that you are using the right watchlist data type for the data in the list, e.g. URL or IP address or host name etc.

Have you tried the connection test?

Screen Shot 2016-06-06 at 10.09.17 AM.png

Screen Shot 2016-06-06 at 10.07.55 AM.png
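
Added example, not from any poster in this thread: one way to do the conversion mentioned in message 4 while keeping each value in a watchlist of the matching data type, as advised in message 8. It assumes the feed is exported in the Bro Intel framework's tab-separated layout; the type mapping, the function name and the sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Bro Intel types mapped to the watchlist data types named in this thread.
# The mapping is an assumption of this example, not ESM's own type list.
TYPE_MAP = {
    "Intel::ADDR": "ip address",
    "Intel::DOMAIN": "host name",
    "Intel::URL": "url",
}

# Constructed sample in Bro Intel framework layout (tab-separated).
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source",
    "192.0.2.10\tIntel::ADDR\tconstructed-feed-a",
    "Bad.Example.test\tIntel::DOMAIN\tconstructed-feed-a",
    "bad.example.test/Login.php\tIntel::URL\tconstructed-feed-b",
    "192.0.2.10\tIntel::ADDR\tconstructed-feed-b",
    "not-an-ip\tIntel::ADDR\tconstructed-feed-b",
    "00000000000000000000000000000000\tIntel::FILE_HASH\tconstructed-feed-b",
])


def split_by_watchlist_type(text):
    """Return ({data type: sorted unique values}, [skipped lines])."""
    lists, skipped, fields = defaultdict(set), [], None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #fields header before the first data row")
        row = dict(zip(fields, line.split("\t")))
        value = row.get("indicator", "").strip()
        wl_type = TYPE_MAP.get(row.get("indicator_type", ""))
        try:
            if wl_type == "ip address":
                value = str(ipaddress.ip_address(value))  # reject malformed IPs
            elif wl_type == "host name":
                value = value.lower().rstrip(".")  # DNS names are case-insensitive
        except ValueError:
            wl_type = None
        if wl_type is None or not value:
            skipped.append(line)  # unsupported type or bad value: keep for review
        else:
            lists[wl_type].add(value)
    return {name: sorted(vals) for name, vals in lists.items()}, skipped
```

Each returned list can be uploaded to a watchlist of the same data type; the skipped rows are returned rather than dropped so they can be reviewed.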

Level 9
Message 9 of 10

Re: Critical Stack Threat Feeds

I do have a working setup as well for the TAXII feed too, but I haven't had any value from using it yet. Many false/positives as well.

Re: Critical Stack Threat Feeds

I was just testing these settings as I wanted to add an additional list.

I see what you mean @d_j, the connection test failed with a HTML 500 error. I have sent an email to the hailataxii guys to see if they are aware of the problem.


Error issuing TAXII request, HTTP response code: 500: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">


<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>


<address>Apache/2.2.15 (CentOS) Server at Port 80</address>
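
Added example, not from any poster in this thread or from McAfee: the TAXII 1.1 HTTP binding carries its messages as XML in a POST body, so the sketch below builds a poll request for one of the collections listed above and tells a TAXII Status_Message apart from a web server's own error page such as the one quoted here. The URL is a placeholder because the thread does not show the service address, the function names are hypothetical, the sample responses are constructed, and nothing is sent over the network.

```python
import urllib.request
import uuid
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# Headers the TAXII 1.1 HTTP binding expects on every request.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
}
# Placeholder: the thread does not show the real service address.
POLL_URL = "http://taxii.example.invalid/poll"


def build_poll_request(collection, url=POLL_URL):
    """Build (but do not send) a TAXII 1.1 Poll_Request as an HTTP POST."""
    root = ET.Element(f"{{{NS}}}Poll_Request",
                      {"message_id": uuid.uuid4().hex,
                       "collection_name": collection})
    params = ET.SubElement(root, f"{{{NS}}}Poll_Parameters",
                           {"allow_asynch": "false"})
    ET.SubElement(params, f"{{{NS}}}Response_Type").text = "FULL"
    body = ET.tostring(root, encoding="utf-8")
    return urllib.request.Request(url, data=body, headers=TAXII_HEADERS,
                                  method="POST")


def classify_response(status, body):
    """Tell a TAXII message apart from a web server's own error page."""
    try:
        # Use defusedxml instead of ElementTree when the server is untrusted.
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None
    if root is None or not root.tag.startswith(f"{{{NS}}}"):
        return f"HTTP {status}: not a TAXII message"
    name = root.tag.split("}", 1)[1]
    if name == "Status_Message":
        return f"TAXII Status_Message: {root.get('status_type')}"
    return f"TAXII {name}"

# Constructed responses: a web server error page and a TAXII status message.
HTML_500 = b"<html><title>500 Internal Server Error</title><hr></html>"
STATUS = (f'<t:Status_Message xmlns:t="{NS}" message_id="1" '
          'in_response_to="2" status_type="NOT_FOUND"/>').encode()
```

A "not a TAXII message" result means the reply came from the web server in front of the service rather than from the TAXII service itself, which narrows down where a failing connection test breaks.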

