PaloAltoNetworks / minemeld-core

Engine of MineMeld
Apache License 2.0

Taxii poll script - Can't handle multiple message bindings #367

Open adambaumeister opened 4 years ago

adambaumeister commented 4 years ago

Describe the bug

Taxii services that publish multiple message bindings fail to be parsed by minemeld.

Expected behavior

Taxii service should look through list of provided message bindings to determine compatibility.

Current behavior

Taxii script simply pulls the first element of the list of message bindings, and if it is not 1.1, reports it as failed.

Possible solution

Change this

        for pi in tci.polling_service_instances:
            LOG.info('{} - message binding: {}'.format(
                self.name, pi.poll_message_bindings
            ))
            if pi.poll_message_bindings[0] == libtaxii.constants.VID_TAXII_XML_11:
                self.poll_service = pi.poll_address
                LOG.info('{} - poll service found'.format(self.name))
                break

To this

        for pi in tci.polling_service_instances:
            LOG.info('{} - message binding: {}'.format(
                self.name, pi.poll_message_bindings
            ))
            if libtaxii.constants.VID_TAXII_XML_11 in pi.poll_message_bindings:
                self.poll_service = pi.poll_address
                LOG.info('{} - poll service found'.format(self.name))
                break

Screenshots

Example Collection output

        Service Type: COLLECTION_MANAGEMENT
        Service Version: urn:taxii.mitre.org:services:1.1
        Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
        Service Address: https://blah.this.is.not.real.com/taxii/acsc/services/collections
        Message Binding: urn:taxii.mitre.org:message:xml:1.0
        Message Binding: urn:taxii.mitre.org:message:xml:1.1
        Available: True
        Message: example

Context

Your Environment
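The order dependence reported in this issue, reproduced as an added example (not part of the original issue and not minemeld-core code). It parses the service output quoted above and runs both checks on it. `PollingService`, `parse_service` and the two `select_*` functions are hypothetical stand-ins for the libtaxii objects and the minemeld loop, and the 1.1 binding string is inlined on the assumption that it equals `libtaxii.constants.VID_TAXII_XML_11`.

```python
from collections import namedtuple

# Assumed value of libtaxii.constants.VID_TAXII_XML_11, inlined so the
# example runs without libtaxii installed.
VID_TAXII_XML_11 = 'urn:taxii.mitre.org:message:xml:1.1'

# Hypothetical stand-in for a libtaxii polling service instance.
PollingService = namedtuple('PollingService',
                            'poll_address poll_message_bindings')

# Service output quoted in the issue (the address is the issue's placeholder).
SAMPLE = """\
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://blah.this.is.not.real.com/taxii/acsc/services/collections
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
"""


def parse_service(text):
    """Build a PollingService from 'Key: value' lines; keys may repeat."""
    address, bindings = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(': ')
        if not sep:
            continue
        if key == 'Service Address':
            address = value.strip()
        elif key == 'Message Binding':
            bindings.append(value.strip())
    return PollingService(address, bindings)


def select_first_element(instances):
    """Check from the 'Change this' snippet: only index 0 is inspected."""
    for pi in instances:
        if pi.poll_message_bindings[0] == VID_TAXII_XML_11:
            return pi.poll_address
    return None


def select_membership(instances):
    """Check from the 'To this' snippet: 1.1 may appear at any position."""
    for pi in instances:
        if VID_TAXII_XML_11 in pi.poll_message_bindings:
            return pi.poll_address
    return None
```

With the bindings in the order the server publishes them, `select_first_element` returns `None` while `select_membership` returns the service address; reversing the binding list makes both succeed.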