ESM - Threat Intel feed, via TAXII, failing to connect


Good morning/afternoon all,

We've recently upgraded to ESM v9.5, our primary driver being the ability to ingest NH-ISAC TAXII (and other) threat intelligence feeds.

We've followed the documentation but are seeing an "unrecognized name" handshake failure when testing "Connect"... please see screenshots below.

Is the issue that we are potentially missing the Collection Name (is it mandatory)? What else could it be?

Any and all comments are welcomed and appreciated!

Thank you all very much in advance!

3 Replies

Re: ESM - Threat Intel feed, via TAXII, failing to connect

Besides the outstanding issues of ESM not being able to parse the large TAXII files it receives, I would suggest trying to enter "system.Default" for the collection value.

When I was having issues connecting into my TAXII service, I ran tcpdump on the receiver to confirm that everything with the packet structure is sound. You should be able to determine exactly what's causing your TLS issue by going about this troubleshooting method.

Here at my workplace I implemented a different way of using TAXII with ESM. I would suggest you use Soltra (soltra.com) to facilitate the storage of threat intel you receive from NH-ISAC, then plug ESM into your on-site TAXII instance.

otsruss

Re: ESM - Threat Intel feed, via TAXII, failing to connect

We are seeing the same error with an on-prem TAXII server. The connection works fine with SSL disabled (http) on the TAXII server, but fails with the "Error, Handshake Alert: Unrecognized_Name" error when enabled (https). It looks like a Java 1.7.0 feature ;)

http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade...

I have opened a ticket with McAfee support and suggest you do the same so we can get some traction on this.

Regards,

Joe
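
The tcpdump check suggested in the first reply, applied to the "Unrecognized_Name" alert reported above, as an added example that is not part of any post in this thread: it reads the raw TLS bytes of each direction of a captured connection and reports the server name (SNI) the client sent and the alert the server returned. The function names are hypothetical, and the sample bytes and the host `taxii.example.org` are constructed for illustration.

```python
import struct

ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 112: "unrecognized_name"}  # 112: RFC 6066

def tls_records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def client_hello_sni(hs):
    """Return the server_name sent in a ClientHello message, or None."""
    if len(hs) < 4 or hs[0] != 1:                    # handshake type 1 = client_hello
        return None
    pos = 4 + 2 + 32                                 # msg header, version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):
        return None                                  # ClientHello without extensions
    end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
        if ext_type == 0:                            # server_name: list_len, type, name_len, name
            name_len = struct.unpack_from("!H", hs, pos + 7)[0]
            return hs[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def diagnose(client_bytes, server_bytes):
    """Return (SNI the client sent, [(level, description)] alerts the server sent)."""
    sni = next((client_hello_sni(p) for t, p in tls_records(client_bytes) if t == 22), None)
    alerts = [(ALERT_LEVEL.get(p[0], p[0]), ALERT_DESC.get(p[1], p[1]))
              for t, p in tls_records(server_bytes) if t == 21 and len(p) == 2]
    return sni, alerts

def sample_client_hello(host):  # constructed minimal ClientHello record with an SNI
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = bytes.fromhex("0303") + bytes(32) + bytes.fromhex("00" "0002002f" "0100")
    body += struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE_ALERT = bytes.fromhex("15030300020170")  # constructed: warning(1), unrecognized_name(112)
```

Comparing the reported SNI with the host names the TAXII server's TLS configuration actually serves shows whether the alert comes from a name mismatch; the alert is readable in the capture because it is sent before the handshake switches to encrypted records.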

Re: ESM - Threat Intel feed, via TAXII, failing to connect

Use this URL for TAXII feeds: http://hailataxii.com/
