Alienvault OTX - Successful Run but no returned stix files
kp625544 opened this issue · 17 comments
Hello,
I tried setting up the AlienVault OTX adapter and I'm always getting the following error:
Get by OTX Adapter successfully!! (Get 0 stix files.)
Steps I have followed:
- Passed a correct API Key in the adapter
- Clicked on modify button
- Input in the Get the parameter: From this datetime (UTC). in the format provided
- Clicked on Get
Could you try specifying a date one day ago?
There might be no new AlienVault pulses after 2020/09/09 13:47:16+00:00.
I have tried 2020/07/09 13:47:16+00:00 too, but after polling it shows the latest time by default in the UI, thus the screenshot.
OK. I will check the issue tomorrow.
The same is happening in case of STIX polling too, the same message. But I have some STIX packages in the TAXII server. Tried with 2-3 servers, with and without passwords too, for all I'm getting the same messages.
The reason I can think of ....
If your network environment requires a proxy, try setting it from Configuration > System.
No, there is no proxy in the environment, also I'm able to reach the endpoints via curl from the docker instances.
Nice catch, @kp625544 !!
I was finally able to find the bug!
https://github.com/s-tip/stip-rs/blob/master/src/ctirs/core/adapter/__init__.py#L12
fp.write(content)
The content value had to be str. However, it was a bytes object.
I was able to get it by fixing it as follows.
fp.write(content.decode('utf-8'))
This bug will be fixed in the next version.
> But I have some STIX packages in the TAXII server. Tried with 2-3 servers, with and without passwords too, for all I'm getting the same messages.
The next version of S-TIP will support TAXII 1.1, 2.0 and 2.1 clients.
I guess that this bug will be resolved.
Anyway, I would like to know which TAXII version you tried to connect with.
If you tell me your TAXII client settings, I may be able to find the reason.
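As an added example (not code from stip-rs or from this thread), the sketch below reproduces the bytes/str mismatch described in the comment above and shows why it can surface only as "0 stix files". The function names, the polling loop, the text-mode file handle and the sample body are assumptions made for illustration.

```python
import os
import tempfile

# Constructed sample: an HTTP client returns the response body as bytes.
SAMPLE_BODY = '<stix:STIX_Package id="example:pkg-1">café</stix:STIX_Package>'.encode("utf-8")


def write_buggy(path, content):
    # Text-mode handle + bytes payload: raises TypeError in Python 3.
    with open(path, "w", encoding="utf-8") as fp:
        fp.write(content)


def write_fixed(path, content):
    # Decode bytes explicitly before writing to a text-mode handle.
    if isinstance(content, bytes):
        content = content.decode("utf-8")
    with open(path, "w", encoding="utf-8") as fp:
        fp.write(content)


def save_all(bodies, writer, out_dir):
    """Hypothetical polling loop: returns (saved_count, errors)."""
    saved, errors = 0, []
    for i, body in enumerate(bodies):
        try:
            writer(os.path.join(out_dir, f"pulse_{i}.xml"), body)
            saved += 1
        except TypeError as exc:
            # Record the failure instead of dropping it, so "0 files" is explainable.
            errors.append(str(exc))
    return saved, errors


def demo():
    with tempfile.TemporaryDirectory() as d:
        buggy = save_all([SAMPLE_BODY], write_buggy, d)
        fixed = save_all([SAMPLE_BODY], write_fixed, d)
        with open(os.path.join(d, "pulse_0.xml"), encoding="utf-8") as fp:
            round_trip = fp.read()
    return buggy, fixed, round_trip


if __name__ == "__main__":
    print(demo())
```

Opening the file in binary mode (`"wb"`) and writing the bytes unchanged is the other common way to avoid the mismatch when the payload does not need to be handled as text.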
I tried with TAXII 1.1, which is provided by AlienVault OTX.
Thank you.
I will try to connect to AlienVault OTX through TAXII 1.1.
Could you try this setting?
- Display Name: any phrase
- Protocol Version: 1.1
- Address: otx.alienvault.com
- Port: 443
- Path: /taxii/poll
- collection: user_AlienVault
- Login ID: <Your API Key>
- Login Password: Any Phrase (AlienVault OTX ignores this field)
- Use Certificate Authentication: Unchecked
- Use SSL: Checked
- Push on Adding Files: Unchecked
- Community: Any Collection
- Uploader: Any User
I can get STIX files under this setting from AlienVault OTX.
Ok let me try, I was giving the discovery url in the path.
After changing the discovery url to poll url path it works. 2 suggestions:
- Can we give a tooltip/overlay text to put in the poll path
- Can we give a tooltip/overlay of the Start UTC and End UTC time formats too as in any case other than the accepted it gives 500 error.
Congratulations and thank you for your nice feedback!!
I will try to implement those for the next version.
I finished committing your suggested tooltip window into the next release branch.
s-tip/stip-rs#86
Thanks. Can we close this?
Yes, we should close it.