Polling empty package


We have an issue reported by quite some of our customers trying to poll our IOC feed. We expose our IOCs in STIX 1.2 format and they are accessible via TAXII poll. This works fine with a number of clients, but it seems that our customers using Anomali STAXX are polling empty collections.
We have tested it ourselves with STAXX 3.4.0, build 566. Indeed, no IOC’s are ingested, while the discovery URL works fine (i.e. no collection issue, a file is polled.
In The xlink.log, we can see:
[Waringn] STAXX: It could be an empty package Igone
[Info] “STAXX: poll_stix successful: Output to …”
[Info] retrieved 0 IOCs…
Then: “total list of entries: 0”
Could you please advise what might go wrong? It’s quite hard to debug, the file that is polled is not persisted on the system. But we know from a fact that the file other clients poll is not empty.
Since a large part of the Community seems to be using your solution, we would like to identify the root cause and provide a workaround / solution.

Many thanks in advance.

Best Regards,

1 Like


I’m having the same issue.
Were you able to solve it?


1 Like

Same question here. I have the same problem. Did you solve this? If so, what did you do?


I am also facing same issue, if anyone found a solution on it please let me know

Hey there, is this issue solved?

I’ve logs indicating similar issue, could anyone throw shed some light. I am not sure why the time range is picking same time though I’ve requested Poll for last 10 days

[2020-04-29 20:15:59,400] [WARNING] STAXX: It could be an empty package. Ignore
[2020-04-29 20:15:59,401] [INFO ] STAXX: parse_stix: /opt/staxx/var/tmp/taxii_stix_temp_limo.anomali.com_Phish_Tank_F107_20200429_201556_800927.xml, total number of entries:0, result_list size:0

[2020-04-29 20:15:59,401] [INFO ] Retrieved 0 IOCs in time range : 2020-04-26T02:43:55Z ~ 2020-04-26T03:43:55Z from site:[Limo] feed:[Phish_Tank_F107]

[2020-04-29 20:16:05,843] [INFO ] STAXX: poll_stix successful: Output to /opt/staxx/var/tmp/taxii_stix_temp_limo.anomali.com_Phish_Tank_F107_20200429_201559_441093.xml, start:2020-04-26T03:43:55Z, end:2020-04-26T04:43:55Z

Dear All,
Even I have same issue. The Discovery is completed, but Pooling doesn’t return any values.
Appreciate if the issue is fixed soon.

Hi Irving,

Would it be possible to get your feed details so we can run some internal polling tests?


Same issue. Here are some details, David.

[2020-12-18 03:00:01,980] [INFO ] STAXX: poll_stix successful: Output to /opt/staxx/var/tmp/taxii_stix_temp_taxii-pilot.cisecurity.org_collection-msisac_20201218_030001_542259.xml, start:2020-12-18T07:00:00Z, end:2020-12-18T08:00:00Z

[2020-12-18 03:00:01,982] [WARNING] STAXX: It could be an empty package. Ignore

[2020-12-18 03:00:01,982] [INFO ] STAXX: parse_stix: /opt/staxx/var/tmp/taxii_stix_temp_taxii-pilot.cisecurity.org_collection-msisac_20201218_030001_542259.xml, total number of entries:0, result_list size:0

Anomali STAXX Version…3.4.0

Anomali STAXX Build…566

After successfully discovery the feed it shows as TAXII Version: 1

and Observables = 0.

Quick follow up from the source feed.
“Currently, our feed is STIX 2.1 only. If you’re configured to collect version 1.x, this could show up as 0, as there are no 1.x indicators in that collection.”