MISP / MISP-Taxii-Server

An OpenTAXII Configuration for MISP
BSD 3-Clause "New" or "Revised" License

Events pushed by Python Script are not inserted on MISP #51

Closed rmeghnagi closed 6 years ago

rmeghnagi commented 6 years ago

Hi to all,

I wrote a Python script using the Cabby API. The script retrieves some content from a source and writes it to a collection (basically a taxii-proxy is executed, but I had to develop a custom script because the taxii-proxy command does not accept some auth options).

The problem is that when I execute a taxii-push command from the CLI (getting content from a file), an event appears on the MISP platform, but when I execute my custom script the event does not appear.

Do you have any tips?

FloatingGhost commented 6 years ago

please debug my script that I haven't given you and the details of which are incredibly vague

oh also I'm not going to give you any logs

I swear to god is it THAT hard!?

adulau commented 6 years ago

@rmeghnagi Could you share technical information such as log output, Python exceptions, technical details or even the source of your script? That would help us to debug your issue. Thank you.

rmeghnagi commented 6 years ago

Case A:

taxii-push -f content_file --dest collection --path path/to/inbox/service

This command works fine. The content is read from the source file and stored within the collection. After that, an event appears on MISP.

I checked the Python code that is executed using the taxii-push: a simple client.push()

Case B:

from cabby import create_client

# Client for the remote TAXII service that content is polled from
poll_client = create_client(
        'url',
        use_https=True,
        discovery_path='taxii-discovery-service')

poll_client.set_auth(cert_file="cert", key_file="key", username="user", password="pass")

# Poll the content blocks of the remote collection
content_blocks = poll_client.poll('collection_name')

# Client for the local TAXII server
push_client = create_client(
        '127.0.0.1',
        use_https=False,
        discovery_path='services/discovery')

# Push each polled block to the local inbox service
for block in content_blocks:
    push_client.push(
        content=block.content,
        collection_names=["collection_name"],
        content_binding="urn:stix.mitre.org:xml:1.1",
        uri="http://localhost:9000/services/inbox")

Data are correctly retrieved from the online service and are correctly stored within the specified collection. Nothing appears on MISP.

I don't have any log or exception because the script itself works fine.

Did I miss something?

rmeghnagi commented 6 years ago

@adulau Do you have any suggestions? Thank you in advance!

adulau commented 6 years ago

Could you save/print the STIX file and try to import manually using the import in MISP directly? The STIX 1.1 import in MISP has been significantly improved. If you could share the file that would be great too. Thanks.
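The diagnostic step suggested above (save the STIX content so it can be imported manually in MISP), as an added example that is not part of the original thread or the project's code: it writes the content of each polled block to a file and checks that it is well-formed XML with a STIX 1.x STIX_Package root. The names dump_blocks and FakeBlock and the sample blocks are constructed for illustration; in the script from the thread the input would be the result of poll_client.poll(...).

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

STIX1_ROOT = "{http://stix.mitre.org/stix-1}STIX_Package"  # STIX 1.x root element


def dump_blocks(blocks, out_dir):
    """Save each block's content under out_dir; report whether it looks like STIX 1.x XML."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    report = []
    for i, block in enumerate(blocks):
        data = block.content
        if isinstance(data, str):  # content may arrive as str or bytes
            data = data.encode("utf-8")
        path = out_dir / f"block_{i:04d}.xml"
        path.write_bytes(data)  # always saved, so it can be inspected or imported by hand
        if b"<!DOCTYPE" in data:
            # Feed content is untrusted: do not hand DTD/entity declarations to the parser.
            status = "not parsed: DOCTYPE in feed content"
        else:
            try:
                root = ET.fromstring(data)
                status = "ok" if root.tag == STIX1_ROOT else f"unexpected root {root.tag}"
            except ET.ParseError as exc:
                status = f"not well-formed XML: {exc}"
        report.append((path.name, status))
    return report


class FakeBlock:
    """Constructed stand-in for a polled content block (only .content is used)."""
    def __init__(self, content):
        self.content = content


SAMPLE_BLOCKS = [  # constructed sample data, not taken from the thread
    FakeBlock(b'<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.1.1"/>'),
    FakeBlock("<stix:STIX_Package>"),  # namespace prefix not declared -> parse error
    FakeBlock(b"<html><body>login required</body></html>"),  # not STIX at all
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, status in dump_blocks(SAMPLE_BLOCKS, tmp):
            print(name, status)
```
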

rmeghnagi commented 6 years ago

I'm looking for a way to automate the STIX import in MISP from a certain source. For this reason I wrote this Python script. I cannot understand what the difference is between the taxii-push command and the push inside the script. The first event is loaded in MISP, not the second one.

rmeghnagi commented 6 years ago

Resolved.

Thank you all.

adulau commented 6 years ago

Cool, thank you for the feedback.