Try touching libtaxii

Trigger

I have the opportunity to work with stix documents at work, to better understand First, let's touch it to study the contents of the data with the client side.

environment

--The local environment is as follows.

% sw_vers     
ProductName:	Mac OS X
ProductVersion:	10.11.6
BuildVersion:	15G1217

% python -V
Python 2.7.13

% pip -V
pip 9.0.1 from /usr/local/lib/python2.7/site-packages (python 2.7)

% pip show libtaxii
Name: libtaxii
Version: 1.1.110
Summary: TAXII Library.
Home-page: http://taxii.mitre.org/
Author: Mark Davidson
Author-email: [email protected]
License: UNKNOWN
Location: /usr/local/lib/python2.7/site-packages
Requires: six, lxml, python-dateutil

--The taxii server uses the following.

Hail a TAXII.com ( http://hailataxii.com ) The demo method is described below. Hailataxii and Libtaxii Demo ( https://github.com/STIXProject/schemas/wiki/Hailataxii-and-Libtaxii-Demo )

Stix document acquisition procedure

  1. Check the services managed on the server side

First of all, what kind of services are available on the server? I want to confirm. If you visit Hail a TAXII.com, you will find the following information:

· Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1) ・ The discovery service is located at http://hailataxii.com/taxii-discovery-service ・ Anonymous connections are accepted. · Clients that require login details can use HTTP-Basic user = guest, password = guest.

Based on the above information, connect to the server to check the corresponding service.

```
% discovery_client --host hailataxii.com --path /taxii-discovery-service --username guest --pass guest
Request:

Message Type: Discovery_Request
Message ID: 7418183229071165630

Response:

Message Type: Discovery_Response
Message ID: 73726; In Response To: 7418183229071165630
  === Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
  === Service Instance ===
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
  === Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com:80/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
```

First of all, you can see that you need to access the following URL to refer to the data. Service Address: http://hailataxii.com:80/taxii-data

On top of that, the following content is described above.

・ Service Type: DISCOVERY The Taxii service is open to the public.

・ Service Type: COLLECTION_MANAGEMENT What kind of accumulated data do you manage? It is possible to confirm the type.

・ Service Type: POLL It is possible to refer to the accumulated data.

It can be seen that the above can be used with this server. In addition to the above, taxii also has a service called ʻInbox` that allows you to post data, but you can see that this time it is not allowed.

  1. Check the data type

In 1., it was found that to check the data type, access COLLECTION_MANAGEMENT. Based on the information found so far, connect to the server to check the type next.

```
% collection_information_client --host hailataxii.com --username guest --pass guest --path /taxii-data
Request:

Message Type: Collection_Information_Request
Message ID: 4659866494431617975

Response:

Message Type: Collection_Information_Response
Message ID: 85921; In Response To: 4659866494431617975
Contains 11 Collection Informations
=== Data Collection Information ===
Collection Name: guest.Abuse_ch
Collection Type: DATA_FEED
Available: True
Collection Description: guest.Abuse_ch
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.CyberCrime_Tracker
Collection Type: DATA_FEED
Available: True
Collection Description: guest.CyberCrime_Tracker
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.EmergineThreats_rules
Collection Type: DATA_FEED
Available: True
Collection Description: guest.EmergineThreats_rules
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.EmergingThreats_rules
Collection Type: DATA_FEED
Available: True
Collection Description: guest.EmergingThreats_rules
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.Lehigh_edu
Collection Type: DATA_FEED
Available: True
Collection Description: guest.Lehigh_edu
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.MalwareDomainList_Hostlist
Collection Type: DATA_FEED
Available: True
Collection Description: guest.MalwareDomainList_Hostlist
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.blutmagie_de_torExits
Collection Type: DATA_FEED
Available: True
Collection Description: guest.blutmagie_de_torExits
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.dataForLast_7daysOnly
Collection Type: DATA_FEED
Available: True
Collection Description: guest.dataForLast_7daysOnly
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.dshield_BlockList
Collection Type: DATA_FEED
Available: True
Collection Description: guest.dshield_BlockList
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: guest.phishtank_com
Collection Type: DATA_FEED
Available: True
Collection Description: guest.phishtank_com
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: system.Default
Collection Type: DATA_FEED
Available: True
Collection Description: system.Default
Supported Content:     urn:stix.mitre.org:xml:1.0
=== Polling Service Instance ===
  Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
  Poll Address: http://hailataxii.com:80/taxii-data
  Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
```

This server provides 10 types of data (1 type duplicate). You can see the data type Collection Name and the reference destination Poll Address of the type data, respectively.

・ Collection Name: guest.Abuse_ch Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.CyberCrime_Tracker Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.EmergineThreats_rules Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.Lehigh_edu Poll Address: http://hailataxii.com:80/taxii-data

-Collection Name: guest.MalwareDomainList_Hostlist Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.blutmagie_de_torExits Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.dataForLast_7daysOnly Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.dshield_BlockList Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: guest.phishtank_com Poll Address: http://hailataxii.com:80/taxii-data

・ Collection Name: system.Default Poll Address: http://hailataxii.com:80/taxii-data

  1. Actually refer to the data

We were able to confirm the type of data in 1. and the reference destination of the data in 2. Now, let's actually get the data.

The data was actually downloaded and 14,390 files were created. Next time, I would like to check the contents of each command and the content file.

Reference site

--Procedure for automatic exchange of detection index information TAXII Overview: https://www.ipa.go.jp/security/vuln/TAXII.html

Recommended Posts

Try touching libtaxii
Try python
try pysdl2
Try PyOpenGL