STAXX - HOWTO DHS AIS Feed


#1

Hi,

Given that we have a valid subscription and agreement with DHS,
and STAXX 2.5,

would you have a step-by-step configuration for the DHS AIS feed in STAXX (with URLs and the p12 in the proper places and all)?


#2

Hello @some_user
Per your comment, I believe you have followed the DHS registration requirements described here:
https://www.us-cert.gov/ais

In STAXX, you would do the following:

  1. Create a Site (Settings -> Sites)
    Add a description, the discovery URL provided by the DHS, check SSL two-way cert and upload the p12 file provided by the DHS. In the passphrase field, enter the password for the p12 file:

  2. Next ‘View’ the site (Settings -> Sites -> View). Perform a ‘Discovery’.
    A list of DHS feeds should appear:

  3. Apply the subscription ids for the feeds you are entitled to receive, by editing the feed:

  4. Finally enable the subscribed feeds. You can click on Poll Now to trigger the query of indicators for that feed.


#3

Hi, thanks for the screenshots.

The essential missing piece of information was the discovery URL, which was not provided to me until later.
So there it is: it’s the poll URL a user gets from the AIS FAQ, but the last part is “/discovery” instead of “/poll”.
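The exchange behind steps 1 and 2 of the answer above (post the discovery request, read the services the server advertises, confirm a feed-listing service is among them) is shown below as an added example in stdlib Python. It is not STAXX or Anomali code: the host, paths and the sample discovery response are constructed placeholders, and the real URLs come only from the DHS welcome e-mail. It also implements the “/poll” to “/discovery” rule from this post, and the failure branch is the one the STAXX log reports as "Service FEED not available".

```python
"""Added example (not STAXX/Anomali code): TAXII 1.x discovery as STAXX
performs it on 'Discovery', rebuilt with stdlib Python so it runs offline.
All URLs below are constructed placeholders (.invalid TLD)."""
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
T = "{%s}" % TAXII_NS            # Clark-notation prefix for ElementTree lookups
ET.register_namespace("taxii_11", TAXII_NS)

# Constructed placeholder poll URL; only its shape matters here.
POLL_URL = "https://taxii.example.invalid/flare/taxii11/poll"

# TAXII 1.0 calls the feed-listing service FEED_MANAGEMENT; the 1.1 binding
# renamed it COLLECTION_MANAGEMENT. STAXX's log line just says "Service FEED".
FEED_SERVICE_TYPES = ("FEED_MANAGEMENT", "COLLECTION_MANAGEMENT")


def discovery_url_from_poll_url(poll_url: str) -> str:
    """Post #3's rule: same URL as the poll endpoint, last segment poll->discovery."""
    base, sep, last = poll_url.rstrip("/").rpartition("/")
    if not sep or last.lower() != "poll":
        raise ValueError("expected a URL whose last segment is 'poll': %r" % poll_url)
    return base + "/discovery"


def build_discovery_request(message_id: str = "1") -> bytes:
    """Body a TAXII client POSTs to the discovery URL: an empty Discovery_Request."""
    req = ET.Element(T + "Discovery_Request", message_id=message_id)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def parse_discovery_response(xml_bytes: bytes) -> dict:
    """Return {service_type: address} for every Service_Instance the server
    advertises as available (the 'available' attribute defaults to true)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != T + "Discovery_Response":
        raise ValueError("not a TAXII 1.1 Discovery_Response: %s" % root.tag)
    services = {}
    for inst in root.findall(T + "Service_Instance"):
        if inst.get("available", "true").lower() != "true":
            continue
        services[inst.get("service_type")] = inst.findtext(T + "Address")
    return services


def feed_service_address(services: dict) -> str:
    """Discovery can only list feeds if a feed/collection management service is
    advertised; its absence is what 'Service FEED not available' expresses."""
    for service_type in FEED_SERVICE_TYPES:
        if service_type in services:
            return services[service_type]
    raise RuntimeError("Service FEED not available; discovery advertised only %s"
                       % sorted(services))


# Constructed sample, trimmed to the elements parsed above. INBOX is marked
# unavailable so the filtering is exercised.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>https://taxii.example.invalid/flare/taxii11/discovery</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>https://taxii.example.invalid/flare/taxii11/collection_management</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>https://taxii.example.invalid/flare/taxii11/poll</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="INBOX"
      service_version="urn:taxii.mitre.org:services:1.1" available="false">
    <taxii_11:Address>https://taxii.example.invalid/flare/taxii11/inbox</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>
"""

if __name__ == "__main__":
    url = discovery_url_from_poll_url(POLL_URL)
    print("POST", url)
    print(build_discovery_request().decode())
    services = parse_discovery_response(SAMPLE_RESPONSE)
    print("available services:", sorted(services))
    print("feed listing via:", feed_service_address(services))
```

The two-way TLS part of step 1 is left to STAXX here: the p12 and its passphrase only go into the Site settings, and the client certificate is what the discovery POST is authenticated with, so a discovery response that lists no feed-management service is worth checking against the certificate and URL before anything else.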


#4

What was your response time in waiting to get your feed set up? I emailed the US-CERT address and still have yet to get a reply to get the process rolling on getting the needed cert, etc., to connect to their feed.

-R


#5

Just replace “poll” with “discovery”; I got this in the welcome email from DHS.


#6

Something of value would be if we could get the indicator description; this is how it’s represented in the STIX file: <indicator:Description></indicator:Description>. I think the context is the most valuable part of an indicator.


#7

@spatel

Is this something that can be added as a feature change request? I think the context is one of the most important elements of an IOC, and it would be great to have it here, especially since it is available in the DHS feed.
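To show what the two previous posts are asking for, here is an added example (not STAXX code) that pulls the indicator:Description out of a STIX 1.x package with stdlib Python and reports which indicators arrived with no context at all. The package is a constructed sample with documentation-range addresses; the element names and namespaces are the STIX 1.1.1 / CybOX 2 ones, and the real AIS content differs.

```python
"""Added example (not STAXX code): extract indicator context from STIX 1.x.
SAMPLE_PACKAGE is constructed; addresses are from the documentation ranges."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed sample: one indicator with a Description, one without, so the
# missing-context case (the thread's complaint) is exercised.
SAMPLE_PACKAGE = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.invalid"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 address</indicator:Title>
      <indicator:Description>Constructed sample: address observed hosting a phishing kit.</indicator:Description>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_indicator_context(xml_bytes: bytes) -> list:
    """One record per stix:Indicator: id, title, description (None when the
    producer supplied none) and the observable address values."""
    root = ET.fromstring(xml_bytes)
    records = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        desc = ind.findtext("indicator:Description", default=None, namespaces=NS)
        values = [v.text.strip()
                  for v in ind.iterfind(".//AddressObj:Address_Value", NS) if v.text]
        records.append({
            "id": ind.get("id"),
            "title": ind.findtext("indicator:Title", default=None, namespaces=NS),
            "description": desc.strip() if desc else None,
            "values": values,
        })
    return records


def without_context(records: list) -> list:
    """Ids of indicators that carry no Description: a quick measure of how
    much of a feed is actionable without the context the posts above want."""
    return [r["id"] for r in records if not r["description"]]


if __name__ == "__main__":
    recs = extract_indicator_context(SAMPLE_PACKAGE)
    for r in recs:
        print(r["id"], r["values"], "-", r["description"] or "(no description)")
    print("without context:", without_context(recs))
```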


#8

@FilipS
Can you confirm which DHS feed you’re using?


#9

I’m using Production AIS Feed


#10

Having issues getting AIS data to inbox. Here is what I’m getting with the latest version of STAXX. Prior to the last upgrade this was working. I confirmed with the TAXII administrators that they are not having issues with this.

Anybody else having this issue?

[2017-10-19 08:58:46,664] [ERROR] STAXX: Failed to get_feeds for site [redacted] discovery, response: None
[2017-10-19 08:58:46,665] [ERROR] Service FEED not available for site [redacted]
Traceback (most recent call last):
  File "taxii_stix.py", line 771, in get_feeds
  File "taxii_stix.py", line 709, in get_version_url
Exception: Service FEED not available for site [redacted]
[2017-10-19 08:58:46,665] [ERROR] STAXX: inbox for site [redacted]
target_col_subid {"AIS_INGEST": null} failed
[2017-10-19 08:58:46,665] [ERROR] Service FEED not available for site [redacted]
Traceback (most recent call last):
  File "taxii_stix.py", line 524, in inbox_once
  File "taxii_stix.py", line 747, in get_inbox_address
  File "taxii_stix.py", line 737, in get_inbox_map
  File "taxii_stix.py", line 771, in get_feeds
  File "taxii_stix.py", line 709, in get_version_url
Exception: Service FEED not available for site [redacted]

And then finally:

[2017-10-19 08:58:46,667] [INFO ] STAXX, inbox max attempts reached 0 3, giveup.
[2017-10-19 08:58:46,667] [ERROR] Failed during one-time intels push to server: inbox failed
Traceback (most recent call last):
  File "webapp/services/feed_publisher_service.py", line 271, in push_once
  File "webapp/services/feed_publisher_service.py", line 263, in _fetch_and_publish_intels
  File "webapp/services/feed_publisher_service.py", line 467, in publish_to_taxii1_site
PushError: Failed during one-time intels push to server: inbox failed


#11

I’m having the exact same issue. Did you ever resolve your connection problems?


#12

I have tried various discovery URLs to no avail. Has anyone been able to get this to work? I’m not sure if it’s a problem with my certificate or the URL. Thanks in advance.


#13

I would not think the URL is sensitive. They whitelist individual IPs anyway. Where can I find the correct URL?


#14

Hi,

Can you please contact Anomali support and let them know the URL you are using, to confirm it is the correct one? Unfortunately I am not able to share this URL publicly.

Many thanks,

Darren


#15

I contacted Anomali support a couple weeks ago about this issue and haven’t heard anything back.


#16

3.1.0 is working with inboxing to DHS, but 3.2.0 won’t inbox on their side, so you can’t send indicators to DHS if your instance updates to 3.2.0, for some reason; at least that’s the case in our environment.


#17

I was able to resolve the issue of discovery not working:

 1) Delete the DHS feed
 2) Reboot STAXX
 3) Add the DHS feed

Not sure why that worked, but it did the trick. Hope it helps others.


#18

All, thanks for posting the issues you are seeing. Anomali and DHS are in communication to root cause the issues. I will update here as soon as I have further information.


#19

The DHS AIS team is investigating a potential discovery timeout issue in their infrastructure. I will update again here, when I have further information from the DHS.


#20

The DHS AIS team have implemented a solution to improve discovery results. The Anomali STAXX team have been testing over the last 24 hours, and the results are positive - discovery seems to be working reliably.

Please post here if you notice further issues.