Alienvault OTX - Successful Run but no returned stix files

Question

Alienvault OTX - Successful Run but no returned stix files

kp625544 opened this issue 4 years ago · 17 comments

Hello,
I tried setting up the Alienvault OTX adapter and I m always getting the following error:
Get by OTX Adapter successfully!! (Get 0 stix files.)

Steps I have followed:

Passed a correct API Key in the adapter
Clicked on modify button
Input in the Get the parameter: From this datetime (UTC). in the format provided
Clicked on Get

Answer 1 · 2020-09-09T14:18:51.000Z

Could you try specifying a date one day ago?

It might be no new AlienVault pulses after 2020/09/09 13:47:16+00:00.

Answer 2 · 2020-09-09T14:21:49.000Z

I have tried 2020/07/09 13:47:16+00:00 too but after polling it shows the latest time by default in UI thus the screenshot.

Answer 3 · 2020-09-09T14:24:25.000Z

OK. I will check the issue tomorrow.

Answer 4 · 2020-09-09T14:26:57.000Z

The same is happening in case of STIX polling to, the same message. But I have some STIX packages in the TAXII server. Tried with 2-3 servers, with and without passwords too, for all I m getting the same messages.

Answer 5 · 2020-09-09T14:34:22.000Z

The reason I can think of ....

If your network environment requires a proxy, try setting it from Configuration > System.

Answer 6 · 2020-09-09T14:39:11.000Z

no, there is no proxy in the environment, also I m able to reach the endpoints via curl from the docker instances

Answer 7 · 2020-09-09T23:25:55.000Z

Nice catch, @kp625544 !!

I was finally able to find the bug!

https://github.com/s-tip/stip-rs/blob/master/src/ctirs/core/adapter/__init__.py#L12

fp.write(content)

Content value had to be str. However, it was bytes object.

I was able to get it by fixing it as follows.

fp.write(content.decode('utf-8'))

This bug will be fixed at next version.

Answer 8 · 2020-09-10T00:44:12.000Z

But I have some STIX packages in the TAXII server. Tried with 2-3 servers, with and without passwords too, for all I m getting the same messages.

The next version S-TIP will support TAXII 1.1, 2.0 and 2.1 client.
I guess that this bug will be resoved.

Anyway, I would like to know which TAXII version did you try to connect?
If you tell me your TAXII client settings, I may be able to find the reason.

Answer 9 · 2020-09-10T03:07:44.000Z

I tried with Taxii 1.1 which is provided by alienvault otx.

Answer 10 · 2020-09-10T03:09:50.000Z

Thank you.
I will try to connect to AlienVault OTX through TAXII 1.1.

Answer 11 · 2020-09-10T04:27:32.000Z

Could you try this setting?

Display Name
any phrase
Protocol Version
1.1
Address
otx.alienvault.com
Port
443
Path
/taxii/poll
collection
user_AlienVault
Login ID
<Your API Key>
Login Password
Any Phrase (AlienVault OTX ignores this field)
Use Certificate Authentication
Unchecked
Use SSL
Checked
Push on Adding Files
Unchecked
Community
Any Collection
Uploader
Any User

I can get STIX files under this setting from AlienVault OTX.

Answer 12 · 2020-09-10T04:29:30.000Z

Ok let me try, I was giving the discovery url in the path.

Answer 13 · 2020-09-10T07:05:15.000Z

After changing the discovery url to poll url path it works. 2 suggestions:

Can we give a tooltip/overlay text to put in the poll path
Can we give a tooltip/overlay of the Start UTC and End UTC time formats too as in any case other than the accepted it gives 500 error.

Answer 14 · 2020-09-10T07:16:02.000Z

Congratulation and thank you for your nice feedbacks!!

I will try to implement those for the next version.

Answer 15 · 2020-09-11T07:14:32.000Z

@kp625544

I finished to commit your suggested tooltip window into the next release branch.
s-tip/stip-rs#86

Answer 16 · 2020-09-13T17:19:35.000Z

Thanks 😀 Can we close this?

Answer 17 · 2020-09-13T23:09:20.000Z

Yes, we should close it.