9 Replies Latest reply on Jun 7, 2016 1:12 AM by jp87

    Critical Stack Threat Feeds

    barrylewis

      Hi Folks

      Critical Stack has an impressive option to customise the threat feeds that one wants and then make that available in various forms. Check intel.criticalstack.com

      Has anyone one used these feeds? or are they what we are getting in Taxii. From what I can see there appears to be more in the critical stack feed list.

      I am starting on this today but any help will be appreciated

        • 1. Re: Critical Stack Threat Feeds
          kmc

          hey buddy,

           

          have you done this???

          • 2. Re: Critical Stack Threat Feeds
            barrylewis

            Not had much time to work on this I've been a little busy.

            I will be working on this in the next couple of weeks.

            I was hoping someone else had been able to get a start.

            I wonder how much of the information is available in hail a taxii

            as soon as I know morei will post here

            • 3. Re: Critical Stack Threat Feeds
              andy777

              I took a look at this for the first time last night. It looks pretty straightforward to convert the bro signatures into watchlist values and upload them. I'll poke at it if I can find some time.

              • 4. Re: Critical Stack Threat Feeds
                yassinezeroual

                The best TAXII feeds is Hail a TAXII.com.

                 

                Hail a TAXII.com is a repository of Open Source Cyber Threat Intellegence feeds in STIX format.
                There are currently 535948 indicators, last updated Thu May 19 15:06:50 2016 UTC.

                AVAILABLE FEEDS

                • guest.Abuse_ch
                • guest.CyberCrime_Tracker
                • guest.EmergingThreats_rules
                • guest.Lehigh_edu
                • guest.MalwareDomainList_Hostlist
                • guest.blutmagie_de_torExits
                • guest.dataForLast_7daysOnly
                • guest.dshield_BlockList
                • guest.phishtank_com

                HOW TO CONNECT

                Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
                The discovery service is located at http://hailataxii.com/taxii-discovery-service

                Anonymous connections are accepted.
                Clients that require login details can use HTTP-Basic user=guest, password=guest.

                • 5. Re: Critical Stack Threat Feeds
                  jp87

                  How do you use the TAXII service? Do you find great value using it?

                  • 6. Re: Critical Stack Threat Feeds
                    d_j

                    Are you able to pull the feed right now? I have tried over half of them to no avail. Below is a shot of my configs. I have also tried "Basic" and used guest/guest for creds.

                     

                    Capture.PNG

                    • 7. Re: Critical Stack Threat Feeds
                      barrylewis

                      Hi @d_j and jp87

                      I do get results from TAXII which I populate into multiple watch lists. 

                       

                      D_J I see you are using the GET method try using the POST method.

                      Also the collection name that you are using can be any of the ones listed above. however you do need to make sure that you are using the right watchlist data type for the data in the list. e.g. url or ip address or host name etc.

                      Have you tried the connection test?

                      Screen Shot 2016-06-06 at 10.09.17 AM.png

                      Screen Shot 2016-06-06 at 10.07.55 AM.png

                      • 8. Re: Critical Stack Threat Feeds
                        barrylewis

                        I was just testing these setting as I wanted to add an additional list.

                        I see what you mean @d_j the connection test failed with a HTML 500 error. I have sent an email to the hailataxii guys to see if they are aware of the problem.

                         

                        ERROR

                        Error issuing TAXII request, HTTP response code: 500: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

                        <html><head>

                        <title>500 Internal Server Error</title>

                        </head><body>

                        <h1>Internal Server Error</h1>

                        <p>The server encountered an internal error or

                        misconfiguration and was unable to complete

                        your request.</p>

                        <p>Please contact the server administrator,

                        root@localhost and inform them of the time the error occurred,

                        and anything you might have done that may have

                        caused the error.</p>

                        <p>More information about this error may be available

                        in the server error log.</p>

                        <hr>

                        <address>Apache/2.2.15 (CentOS) Server at hailataxii.com Port 80</address>

                        </body></html>

                        • 9. Re: Critical Stack Threat Feeds
                          jp87

                          I do have a working setup as well for the TAXII feed too, but I haven't had any value from using it yet. Many false/positives as well.