eclecticiq / OpenTAXII

TAXII server implementation in Python from EclecticIQ
BSD 3-Clause "New" or "Revised" License

Poll the same IOCs every time #134

Closed dp1975 closed 4 years ago

dp1975 commented 5 years ago

Hi,

I am sending the command:

    taxii-poll --path https://x.x.x.x/services/poll --collection collection --username root --password root --verify /etc/ssl/certs/nginx-selfsigned.crt

- The problem is that I am always getting the same IOCs data (old data).
- I cannot pull new data that I have in the MISP.

Does anyone have an idea what the problem is? Thank you for your help,
David

traut commented 5 years ago

@dp1975 your query will fetch the full collection every time because it does not specify a time window of interest; it is expected that with it you will get the same data every time.

> -I can not pull new data that i have in the MISP

could you please elaborate? What errors do you see?
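Added example, not part of the thread or of OpenTAXII's own code: a sketch of polling with a time window and a saved checkpoint, so each poll returns only content added since the previous one. TAXII 1.1 poll windows use an exclusive begin and an inclusive end timestamp label; `make_poll`, `poll_incremental`, the state file name and the sample indicators are hypothetical, and in practice `poll_fn` would wrap the real client's poll call.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def utc(day, hour=10):
    """Helper for constructed timestamps in May 2019 (UTC)."""
    return datetime(2019, 5, day, hour, tzinfo=timezone.utc)

def make_poll(blocks):
    """Stand-in for a TAXII 1.1 poll over (timestamp label, content) pairs:
    begin is exclusive, end is inclusive, a missing bound is unbounded."""
    def poll(begin=None, end=None):
        return [content for ts, content in blocks
                if (begin is None or ts > begin) and (end is None or ts <= end)]
    return poll

def poll_incremental(poll_fn, state_file, now):
    """Poll only the window (last checkpoint, now] and advance the checkpoint."""
    state_file = Path(state_file)
    begin = None  # first run: no checkpoint yet, so fetch the full collection once
    if state_file.exists():
        saved = json.loads(state_file.read_text())
        begin = datetime.fromisoformat(saved["last_end"])
    blocks = poll_fn(begin=begin, end=now)
    # Persist the inclusive end only after the poll succeeded, so a failed
    # poll is retried over the same window instead of skipping data.
    state_file.write_text(json.dumps({"last_end": now.isoformat()}))
    return blocks

def demo():
    # Constructed sample data, not taken from the thread.
    blocks = [(utc(1), "indicator-a"), (utc(2), "indicator-b")]
    poll = make_poll(blocks)
    state = Path(tempfile.mkdtemp()) / "poll_state.json"
    first = poll_incremental(poll, state, now=utc(2, 12))
    blocks.append((utc(3), "indicator-c"))   # new content reaches the collection
    second = poll_incremental(poll, state, now=utc(3, 12))
    unbounded = poll()                        # no window: everything, every time
    return first, second, unbounded

if __name__ == "__main__":
    print(demo())
```

The timestamp label is the time the server recorded the content block in the collection, so content that never reached the collection will not appear in any window.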

dp1975 commented 5 years ago

Thank you. I do not see any errors, I just cannot see the new data (IOCs) that I add to the MISP. I see my new data date in:

    mysql> select date_created from result_sets;

but I cannot see it in:

    mysql> select date_created from result_sets;

The result of the last query is always 28 records. Thank you

traut commented 5 years ago

> I do not see any errors , i just can not see the new data (IOCs) that i add to the misp.

If the poll succeeds, it might be an ingestion problem with the data. What kind of content are you serving in your TAXII collection? STIX1.2?

Are there any errors in MISP logs?

> the result of the last query is always 28 records.

it seems OpenTAXII works — it returns you data you queried

dp1975 commented 5 years ago

Hi, the XML records show that it uses STIX 1.2. I see in the MISP server settings: STIX: 1.1.1.4, CyBox: 2.1.0.12, mixbox: 1.0.2. What do you mean by "What kind of content are you serving in your TAXII collection"? Thank you

arcsector commented 5 years ago

I'm assuming he means what does your data_configuration.yml look like. Could you post the collection and poll route definition, as well as the user you're polling with.

traut commented 5 years ago

can MISP ingest STIX1.2, while being configured for STIX 1.1.1.4, @dp1975 ?

dp1975 commented 5 years ago

Hi,

This is my YAML configuration:

    domain: "0.0.0.0:9001"
    support_basic_auth: yes

    persistence_api:
      class: opentaxii.persistence.sqldb.SQLDatabaseAPI
      parameters:
        db_connection: mysql://root:admin@localhost/taxiipersist
        create_tables: yes

    auth_api:
      class: opentaxii.auth.sqldb.SQLDatabaseAPI
      parameters:
        db_connection: mysql://root:admin@localhost/taxiiauth
        create_tables: yes
        secret: ILoveTheSecretStringIsIsGreatButNeedsToBeChangedFrienderino

    logging:
      opentaxii: info
      root: info

    hooks: misp_taxii_hooks.hooks

    zmq:
      host: taxiiserver
      port: 50000

    misp:
      url: "https://x.x.x.x"
      api: B1MOFtE1K6VBdZkKpNnvNEqBXpuXUqeNdinEBi38
      verifySSL: False

    taxii:
      auth:
        username: taxii
        password: taxiiserver
      collections:

Thanks

arcsector commented 5 years ago

Please post data configuration yaml file where you configure collections, services, and users

arcsector commented 5 years ago

Also are you using the MISP-taxii-server repo for opentaxii integration?