Have you done this???
Not had much time to work on this; I've been a little busy.
I will be working on this in the next couple of weeks.
I was hoping someone else had been able to get a start.
I wonder how much of the information is available in Hail a TAXII.
As soon as I know more I will post here.
I took a look at this for the first time last night. It looks pretty straightforward to convert the bro signatures into watchlist values and upload them. I'll poke at it if I can find some time.
The best TAXII feed is Hail a TAXII.com.
Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format.
There are currently 535948 indicators, last updated Thu May 19 15:06:50 2016 UTC.
HOW TO CONNECT
Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
The discovery service is located at http://hailataxii.com/taxii-discovery-service
Anonymous connections are accepted.
Clients that require login details can use HTTP-Basic user=guest, password=guest.
How do you use the TAXII service? Do you find great value using it?
Hi @d_j and jp87
I do get results from TAXII which I populate into multiple watch lists.
D_J, I see you are using the GET method; try using the POST method.
Also, the collection name that you are using can be any of the ones listed above. However, you do need to make sure that you are using the right watchlist data type for the data in the list, e.g. URL or IP address or host name etc.
Have you tried the connection test?
I was just testing these settings as I wanted to add an additional list.
I see what you mean @d_j, the connection test failed with an HTML 500 error. I have sent an email to the hailataxii guys to see if they are aware of the problem.
Error issuing TAXII request, HTTP response code: 500: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
<p>Please contact the server administrator,
root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<address>Apache/2.2.15 (CentOS) Server at hailataxii.com Port 80</address>
I do have a working setup as well for the TAXII feed too, but I haven't had any value from using it yet. Many false positives as well.
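
The connection details quoted above (TAXII-HTTP 1.1, the discovery URL, guest/guest) and the GET-versus-POST advice, as an added Python example that is not from any poster or from Hail a TAXII: it builds the discovery request without sending it and checks it locally. The header values are the standard TAXII 1.1 HTTP binding identifiers; the function names are made up for the example.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Discovery URL and guest credentials are the ones quoted in the thread.
DISCOVERY_URL = "http://hailataxii.com/taxii-discovery-service"
TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
TAXII_11_XML = "urn:taxii.mitre.org:message:xml:1.1"


def build_discovery_request(url=DISCOVERY_URL, user="guest", password="guest",
                            message_id="1"):
    """Return an unsent urllib Request carrying a TAXII 1.1 Discovery_Request."""
    ET.register_namespace("taxii_11", TAXII_11_NS)
    root = ET.Element("{%s}Discovery_Request" % TAXII_11_NS,
                      {"message_id": message_id})
    body = ET.tostring(root, encoding="utf-8")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": TAXII_11_XML,
        "X-TAXII-Accept": TAXII_11_XML,
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "Authorization": "Basic " + token,
    }
    # TAXII 1.x messages travel in the body of an HTTP POST; a GET has no body.
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def check_request(req):
    """List what is wrong with a request before blaming the server."""
    problems = []
    if req.get_method() != "POST":
        problems.append("method is %s, TAXII 1.x expects POST" % req.get_method())
    if not req.data:
        problems.append("no TAXII XML message in the request body")
    # urllib stores header names capitalised, e.g. 'X-taxii-content-type'
    have = {k.lower() for k in req.headers}
    for name in ("x-taxii-content-type", "x-taxii-protocol", "x-taxii-services"):
        if name not in have:
            problems.append("missing header " + name)
    return problems


if __name__ == "__main__":
    req = build_discovery_request()
    print(req.get_method(), req.full_url, check_request(req))
    print(req.data.decode())
```

Passing the returned object to `urllib.request.urlopen` sends it; a plain GET to the same URL is what `check_request` flags.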