Community Articles

Find and share helpful community-sourced technical articles.
Labels (2)
avatar
Super Collaborator

Pre-requisite

  • Working Metron cluster - deployed via ansible-playbook or via Ambari + Mpack.
  • The node on which opentaxii service is being deployed should have access to HBASE.

Step 1 - Deploy Opentaxii Role (Optional - if not deployed)

a) Create a playbook to deploy the opentaxii role

[root@metron-test ~]# cat metron/metron-deployment/playbooks/install-opentaxii.yml
- hosts: metron
  become: true
  roles:
    - role: opentaxii

b) Deploy using ansible-playbook

[root@metron-test ~]# ansible-playbook -i ~/metron-deployment/inventory/metron_example  playbooks/install-opentaxii.yml -e ansible_python_interpreter=python -e ansible_user=root  -e ansible_ssh_private_key_file=/path/to/private-keypair.pem -vvv

c) Verify the service has been deployed successfully using the command:

service opentaxii status

This should show the list of subscribed services along with threat feed counts. Here is a sample output:

[root@metron-test]# service opentaxii status
guest.phishtank_com                                888
guest.Abuse_ch                                     0
guest.CyberCrime_Tracker                           0
guest.EmergingThreats_rules                        0
guest.Lehigh_edu                                   0
guest.MalwareDomainList_Hostlist                   0
guest.blutmagie_de_torExits                        648
guest.dataForLast_7daysOnly                        1124
guest.dshield_BlockList                            0

Note:

In case the following is noticed

[root@node1 ~]# service opentaxii status
Checking opentaxii...                             Running
Services not defined

Refer to METRON-484 for more details and a workaround.

Step 2 - Fetch Latest Opentaxii Feeds

Use the following command to fetch the latest hailataxii feeds into the opentaxii server

service opentaxii sync <service-name> [YYYY-MM-DD]
For e.g.
service opentaxii sync guest.phishtank_com 
service opentaxii sync guest.Abuse_ch 2016-08-01

Note: The date (YYYY-MM-DD) indicates the time from when the threat intel feeds is to be pulled. If not suffixed, then the sync command picks up feeds available for the current day.

The above process can be repeated for all the subscribed services.

Step 3 - Load Opentaxii Feeds into HBASE

Create sample extractor.json and connection_config.json files as follows:

[root@metron-test]# cat ~/extractor.json
{
  "config": {
    "columns": {
      "ip": 0
    },
    "indicator_column": "ip",
    "type" : "malicious_ip",
    "separator" : ","
  },
  "extractor" : "STIX"
}
[root@metron-test]# cat ~/connection_config.json
{
  "endpoint" : "http://localhost:9000/services/discovery"
  ,"username" : "guest"
  ,"password" : "guest"
  ,"type" : "DISCOVER"
  ,"collection" : "guest.MalwareDomainList_Hostlist"
  ,"table" : "threatintel"
  ,"columnFamily" : "t"
  ,"allowedIndicatorTypes" : [ "domainname:FQDN", "address:IPV_4_ADDR" ]
}

Now, push the hailataxii feeds from the opentaxii server into HBASE using the following script:

/usr/metron/<METRON_VERSION>/bin/threatintel_taxii_load.sh -b <START_TIME> -c /path/to/connection_config.json -e /path/to/extractor.json -p <TIME_INTERVAL_MSECS>
For e.g.
/usr/metron/0.2.0BETA/bin/threatintel_taxii_load.sh -b "2016-08-01 00:00:00" -c ~/connection_config.json -e ~/extractor.json -p 10000

Step 4 - Verify in HBASE

Query the Hbase table to check for the threat intel feeds.

echo "scan 'threatintel'" | hbase shell
13,059 Views
Comments
avatar
New Contributor

connector.json and extractor.json created as per this article. ansible pushed opentaxii as per this article. the service is started and i was able to pull several thousand elements from a few of the taxii servers. i can connect to localhost:9000 and there is a service waiting for input.

when i enter this:

0.2.1BETA/bin/threatintel_taxii_load.sh -b "2016-10-13 00:00:00" -c taxii_connector.json -e taxii_extractor.json -p 10000

i get this (bold for emphasis):

WARNING: Use "yarn jar" to launch YARN applications.

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Loading configuration: TaxiiConnectionConfig{endpoint=http://localhost:9000/services/discovery, port=443, proxy=null, username='guest', password='******', type=DISCOVER, allowedIndicatorTypes=domainname:FQDN,address:IPV_4_ADDR, collection='guest.MalwareDomainList_Hostlist', subscriptionId='null', beginTime=Thu Oct 13 00:00:00 UTC 2016, table=threatintel:t}

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Initializing client..

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Discovering endpoint

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Request made : org.mitre.taxii.messages.xml11.DiscoveryRequest => org.mitre.taxii.messages.xml11.DiscoveryResponse (expected org.mitre.taxii.messages.xml11.DiscoveryResponse)

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Discovered endpoint as http://localhost:9000/services/poll

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Configured, starting polling http://localhost:9000/services/poll for guest.MalwareDomainList_Hostlist

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Polling...10/15/16 12:14 PM

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Begin Time: 2016-10-13T00:00:00Z

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Request made : org.mitre.taxii.messages.xml11.PollRequest => org.mitre.taxii.messages.xml11.PollResponse (expected org.mitre.taxii.messages.xml11.PollResponse)

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Got Poll Response with 0 blocks

16/10/15 12:15:07 INFO taxii.TaxiiHandler: Polling...10/15/16 12:15 PM

16/10/15 12:15:07 INFO taxii.TaxiiHandler: Begin Time: 2016-10-15T12:14:57Z

16/10/15 12:15:07 ERROR taxii.TaxiiHandler: Connection pool shut down

java.lang.IllegalStateException: Connection pool shut down

at org.apache.metron.httpcore.dataload.util.Asserts.check(Asserts.java:34) at org.apache.metron.httpcore.dataload.pool.AbstractConnPool.lease(AbstractConnPool.java:169) at org.apache.metron.httpcore.dataload.impl.conn.PoolingHttpClientConnectionManager.requestConnection(PoolingHttpClientConnectionManager.java:217) at org.apache.metron.httpcore.dataload.impl.execchain.MainClientExec.execute(MainClientExec.java:158) at org.apache.metron.httpcore.dataload.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) at org.apache.metron.httpcore.dataload.impl.execchain.RetryExec.execute(RetryExec.java:85) at org.apache.metron.httpcore.dataload.impl.execchain.RedirectExec.execute(RedirectExec.java:108) at org.apache.metron.httpcore.dataload.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186) at org.apache.metron.httpcore.dataload.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.mitre.taxii.client.HttpClient.callTaxiiService(HttpClient.java:297) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:336) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:242) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:171) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505)

Exception in thread "Timer-0" java.lang.RuntimeException: Unable to make request

at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:214) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505)

Caused by: java.lang.IllegalStateException: Connection pool shut down

at org.apache.metron.httpcore.dataload.util.Asserts.check(Asserts.java:34) at org.apache.metron.httpcore.dataload.pool.AbstractConnPool.lease(AbstractConnPool.java:169) at org.apache.metron.httpcore.dataload.impl.conn.PoolingHttpClientConnectionManager.requestConnection(PoolingHttpClientConnectionManager.java:217) at org.apache.metron.httpcore.dataload.impl.execchain.MainClientExec.execute(MainClientExec.java:158) at org.apache.metron.httpcore.dataload.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) at org.apache.metron.httpcore.dataload.impl.execchain.RetryExec.execute(RetryExec.java:85) at org.apache.metron.httpcore.dataload.impl.execchain.RedirectExec.execute(RedirectExec.java:108) at org.apache.metron.httpcore.dataload.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186) at org.apache.metron.httpcore.dataload.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.mitre.taxii.client.HttpClient.callTaxiiService(HttpClient.java:297) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:336) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:242) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:171) ... 2 more

am i missing somthing?

i am not behind a proxy, this is a cloud based server, there is no real firewall between me and the internet, there is no local firewall, there is no SSL interception, i can access other sites with no issues, and metron as a whole is functional.

thanks for any insight.

avatar
Contributor
@asubramanian

What version of ansible did you use to get the opentaxii feed? i tried running it on 2.0.0.2 and still getting service not defined error while checking the opentaxii status, the service is running though. I followed the work around steps but still the same error.

avatar
Contributor

I have got taxii to work but i keep getting error message "Exception in thread "main" java.lang.IllegalStateException: Extractor must be a STIX Extractor" when i try to push the feed to Hbase

Here's what the extractor file looks like

{
"config": {
"zk_quorum": "node1:2181",
"columns": {
"stix_address_categories" : "IPV_4_ADDR"
},
"indicator_column": "ip",
"type" : "malicious_ip",
"separator" : ","
}
,"extractor" : "STIX"
}

avatar
Contributor

Have you solve this problem. I got the same mistake. The version of Metron is 0.4.0.

avatar
Super Collaborator

@ankur V and @leo lee - looks like you are hitting into https://issues.apache.org/jira/browse/METRON-1026. This has been fixed with latest bits of metron. Can you give it a try?

avatar
Contributor

Okay ,Thank you so much.

avatar
Contributor

I got the follow mistake when load opentaxii feeds to hbase. Metron version is 0.4.0

[root@node1 ~]# /usr/metron/0.4.0/bin/threatintel_taxii_load.sh -b "2016-08-01 00:00:00" -c ~/connection_config.json -e ~/extractor.json -p 10000
17/08/22 03:35:01 WARN extractor.TransformFilterExtractorDecorator: Unable to setup zookeeper client - zk_quorum url not provided. **This will limit some Stellar functionality**
Exception in thread "main" java.lang.IllegalStateException: Extractor must be a STIX Extractor
at org.apache.metron.dataloads.nonbulk.taxii.TaxiiLoader.main(TaxiiLoader.java:202)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.util.RunJar.run(RunJar.java:233)
at org.apache.hadoop.util.RunJar.main(RunJar.java:148)

so what can i do to solve this? Any help will be appreciated.

avatar
Contributor

@leo leeWe fixed the issue by modifying the JAR files and replacing the metron-data-management-0.4.0.jar in /usr/metron/0.4.0/lib with the modified jar follow the instructions noted in https://github.com/apache/metron/pull/643/files see if that helps if not let me know i can upload the JAR file (its 100M though)

avatar
Contributor

Thanks for the headsup @asubramanian

avatar
Contributor

Thanks to your help,I handled this correctly.