OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Unable to discover taxii services #2147

Closed stne-uk closed 1 year ago

stne-uk commented 2 years ago

Description

404 while attempting to discover TAXII collections using Cabby and also while using Anomali STAXX

Environment

  1. OS- Ubuntu 20.04.4
  2. OpenCTI version: Latest
  3. OpenCTI client:
  4. Other environment details: Running in Docker 20.10.16

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create Taxii collection

  2. Attempt to discover the TAXII collection via any of the following:
     a. https:// /taxii2/root/
     b. https:// /taxii2/
     c. https:// /

  3. Cabby client returns 404; the Anomali STAXX client also returns a similar "Could not discover. Check Site Information is correct".
     a. Used the following cabby command with the different discovery paths listed above:
        taxii-collections \
          --path 'https:///taxii2/' \
          --username '' \
          --password ''

Expected Output

Display list of taxii collection

Actual Output

2022-06-09 14:54:41,301 INFO: Sending Collection_Information_Request to https:///taxii2
2022-06-09 14:54:41,449 ERROR: HTTP Error: status code 404

Tried the same via multiple TAXII clients, all with similar responses; I am, however, able to browse to the individual collections.

Had a look at this issue too but am still not able to resolve mine: https://github.com/OpenCTI-Platform/connectors/issues/259

I was able to configure Sentinel to query the TAXII output, which worked fine.

Any help would be much appreciated.

-----edit-----

I've also just tried this in QRadar 7.5 using the latest Threat Intel App, which allows for TAXII 2.0 collections; however, I also receive a 404.

richard-julien commented 2 years ago

Hi. Did you try directly with your browser to see if the information is correct? It looks good on the demo with a URL like

stne-uk commented 2 years ago

Hi, yes, I tried via the browser and get the same as the demo site.

richard-julien commented 2 years ago

So I am not sure how to help you. It looks like none of the URLs returns a 404.

stne-uk commented 2 years ago

Here are the screenshots. Does OpenCTI only use TAXII 2.1, or TAXII 2.0 as well? I saw a note that 2.0 was upgraded to 2.1 but nothing about any backwards compatibility. Thanks.

[Three screenshots attached, taken 2022-06-10.]

richard-julien commented 2 years ago

OpenCTI now only publishes STIX 2.1 (with extensions) data.

stne-uk commented 2 years ago

Understood, thanks. This explains the discovery issues then. I don't suppose there is any method of running both TAXII 2.0 and 2.1 in the most recent OpenCTI version? Or just 2.0?

richard-julien commented 2 years ago

In fact there is not a lot of difference between STIX 2 and the new 2.1 implementation, where we introduce the extensions mechanism. Are you sure cabby is compatible with TAXII 2?

stne-uk commented 2 years ago

I did check earlier and cabby is not, although Anomali STAXX and QRadar are 2.0-compatible but also return the same 404 when trying the various endpoints.

richard-julien commented 2 years ago

Really difficult to help you. As you see, when you access it through your browser you don't get a 404. Please check the exact URL called by STAXX or QRadar.

khanafeer commented 2 years ago

The issue I traced in the QRadar Threat Intelligence app is that it does discovery by a POST request to the URL with XML data.

khanafeer commented 2 years ago

Even in cabby, it does a POST request for discovery, as below:

    response = session.post(
        url, data=request_body, stream=True, timeout=timeout, headers=headers)

but OpenCTI does not support POST for discovery.

richard-julien commented 2 years ago

If the client uses XML and a POST request for discovery, it seems the client uses the TAXII 1.1 format.

For TAXII 2.1, the discovery is a GET request.

khanafeer commented 2 years ago

Thanks for the answer. For the QRadar TI app (version 2.3.0), it supports TAXII 2, and for Python TAXII clients you can use the taxii2-client library.
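The thread's conclusion (a TAXII 1.x client POSTs an XML Discovery_Request, while TAXII 2.1 discovery is a GET on the /taxii2/ endpoint with a TAXII 2.1 Accept header) is easy to confirm without touching a live OpenCTI instance. The following is an added example written for this page, not code from the OpenCTI project or from any of the commenters. It starts a tiny constructed mock server that behaves like the 2.1-only server described above (discovery answered only on GET /taxii2/, a 404 for anything else), sends both request shapes to it, and includes a small helper for classifying a request seen in a proxy or server log as 1.x-style or 2.x-style. The /taxii2/ path, the JSON discovery body and the XML namespace string are assumptions chosen to match the public TAXII specifications, not values taken from OpenCTI.

```python
"""Added example: TAXII 2.1 discovery GET versus a TAXII 1.x-style POST, run
against a constructed mock server. Not OpenCTI code; paths and bodies are assumed."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError

# TAXII 2.1 media type the client must send in Accept for discovery.
TAXII21_ACCEPT = "application/taxii+json;version=2.1"


class MockTaxii21Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a TAXII 2.1-only server: discovery on GET /taxii2/ only."""

    discovery = {  # constructed discovery document
        "title": "Mock TAXII 2.1 server",
        "default": "/taxii2/root/",
        "api_roots": ["/taxii2/root/"],
    }

    def do_GET(self):
        if self.path == "/taxii2/" and TAXII21_ACCEPT in self.headers.get("Accept", ""):
            body = json.dumps(self.discovery).encode()
            self.send_response(200)
            self.send_header("Content-Type", TAXII21_ACCEPT)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def do_POST(self):
        # A 1.x client POSTs an XML Discovery_Request; a 2.1 server has no such route.
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Bind the mock server on a free loopback port and serve it in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockTaxii21Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def build_discovery_request(base_url, taxii_version):
    """Return method, URL, headers and body for a discovery request of the given version."""
    root = base_url.rstrip("/") + "/taxii2/"  # assumed discovery path
    if taxii_version == "2.1":
        return {"method": "GET", "url": root, "headers": {"Accept": TAXII21_ACCEPT}, "body": None}
    if taxii_version == "1.1":
        xml = ('<Discovery_Request xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" '
               'message_id="1"/>').encode()  # constructed 1.1-style body
        return {"method": "POST", "url": root,
                "headers": {"Content-Type": "application/xml", "Accept": "application/xml"},
                "body": xml}
    raise ValueError(f"unsupported TAXII version {taxii_version!r}")


def discover(base_url, taxii_version):
    """Send the discovery request; return (status, parsed JSON or None on an HTTP error)."""
    spec = build_discovery_request(base_url, taxii_version)
    req = urlrequest.Request(spec["url"], data=spec["body"], headers=spec["headers"],
                             method=spec["method"])
    try:
        with urlrequest.urlopen(req, timeout=5) as resp:
            return resp.getcode(), json.loads(resp.read().decode())
    except HTTPError as err:
        return err.code, None


def classify_request(method, content_type):
    """Classify a logged discovery call: POST with XML is 1.x style, GET is 2.x style."""
    if method.upper() == "POST" and "xml" in (content_type or "").lower():
        return "TAXII 1.x style"
    if method.upper() == "GET":
        return "TAXII 2.x style"
    return "unknown"


if __name__ == "__main__":
    server, base = start_mock_server()
    print("2.1 GET :", discover(base, "2.1"))   # expect 200 and the discovery document
    print("1.1 POST:", discover(base, "1.1"))   # expect 404, as reported in this issue
    server.shutdown()
```

Against a real TAXII 2.1 server the same GET in `build_discovery_request` is what the taxii2-client library issues when you construct its `Server` object; if a client's first call shows up in the server log as a POST carrying XML, `classify_request` flags it as 1.x-style and the 404 is expected rather than a misconfiguration.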