Hailataxii and Libtaxii Demo
Hailataxii is a service that Soltra stood up to host open source threat intel that they've mapped into STIX. It's hosted at http://hailataxii.com and can be accessed by any TAXII 1.1 client.
Libtaxii is a client library for working with TAXII. It includes a set of client scripts that are accessible from the command line.
To use libtaxii to access hailataxii, first install libtaxii. Next, the following commands can be used:
Request
discovery_client --host hailataxii.com --path /taxii-discovery-service --username guest --pass guest [--proxy http://proxy.example.com:80]
The path argument is the path at which the discovery service is running. On hailataxii.com this is located at /taxii-discovery-service per their "HOW TO CONNECT" section. The username and password information are also in that section.
Response
Request:
Message Type: Discovery_Request
Message ID: 2319
Response:
Message Type: Discovery_Response
Message ID: 24503; In Response To: 2319
=== Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
=== Service Instance ===
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
=== Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
Request
collection_information_client --host hailataxii.com --username guest --pass guest --path /taxii-data [--proxy http://proxy.example.com:80]
The path was determined based on the discovery response.
Response
Request:
Message Type: Collection_Information_Request
Message ID: 56243
Response:
Message Type: Collection_Information_Response
Message ID: 38715; In Response To: 56243
Contains 6 Collection Informations
=== Data Collection Information ===
Collection Name: system.Default
Collection Type: DATA_FEED
Available: True
Collection Description: system.Default
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.CyberCrime_Tracker
Collection Type: DATA_FEED
Available: True
Collection Description: guest.CyberCrime_Tracker
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.EmergineThreats_rules
Collection Type: DATA_FEED
Available: True
Collection Description: guest.EmergineThreats_rules
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.MalwareDomainList_Hostlist
Collection Type: DATA_FEED
Available: True
Collection Description: guest.MalwareDomainList_Hostlist
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.Abuse_ZeusTracker
Collection Type: DATA_FEED
Available: True
Collection Description: guest.Abuse_ZeusTracker
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
=== Data Collection Information ===
Collection Name: guest.dshield_BlockList
Collection Type: DATA_FEED
Available: True
Collection Description: guest.dshield_BlockList
Supported Content: None
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:https:1.0
Poll Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
Request
poll_client --host hailataxii.com --username guest --pass guest --path /taxii-data --collection guest.Abuse_ZeusTracker [--proxy http://proxy.example.com:80]
The path is again taken from the discovery response, and the collection name from the collection information response above.
Response
Too much for me to capture. It will look similar to the others but write out a bunch of information about each of the content blocks that it found and saved. You can use the timestamp parameters (see poll_client --help for more info) to tune this down.
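One thing worth checking in the discovery response above: every service instance advertises the urn:taxii.mitre.org:protocol:https:1.0 binding, yet the Service Address is a plain http:// URL, so a client that follows the address literally sends the guest credentials in the clear. The script below is an added example (not part of libtaxii or hailataxii); it parses the text that discovery_client prints and flags that mismatch. The sample output embedded in it is a constructed copy of two of the service instances shown on this page.

```python
"""Parse discovery_client output and check each service address against
its advertised protocol binding. Added example; the sample text is a
constructed copy of two service instances from the response above."""
import re
from urllib.parse import urlparse

DISCOVERY_OUTPUT = """\
=== Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
=== Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: http://hailataxii.com/taxii-data
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: None
"""

def parse_service_instances(text):
    """Split the output on the '=== Service Instance ===' banner and turn
    each 'Key: Value' line of a block into a dict entry."""
    instances = []
    for chunk in re.split(r"^=== Service Instance ===\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z ]+): (.*)$", chunk, flags=re.M))
        if fields:
            instances.append(fields)
    return instances

def check_transport(instance):
    """Return a finding string when the binding claims HTTPS but the address
    the client will actually connect to is not https://, else None."""
    binding = instance.get("Protocol Binding", "")
    scheme = urlparse(instance.get("Service Address", "")).scheme
    if binding.endswith(":https:1.0") and scheme != "https":
        return (f"{instance.get('Service Type')}: binding advertises HTTPS but "
                f"address scheme is {scheme!r}; credentials would go in the clear")
    return None

def audit(text):
    """All findings for one discovery_client output, in service order."""
    return [f for f in map(check_transport, parse_service_instances(text)) if f]

if __name__ == "__main__":
    for finding in audit(DISCOVERY_OUTPUT):
        print(finding)
```

Run it on the saved output of discovery_client (or collection_information_client, whose Poll Address lines follow the same pattern) before pointing a polling job at the advertised address.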