Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Pushing STIX/Taxii feeds from Opentaxii server into HBASE

Labels (2)
avatar
author-rank asubramanian
Super Collaborator

Created on ‎10-04-2016 09:32 AM

Pre-requisite

  • Working Metron cluster - deployed via ansible-playbook or via Ambari + Mpack.
  • The node on which opentaxii service is being deployed should have access to HBASE.

Step 1 - Deploy Opentaxii Role (Optional - if not deployed)

a) Create a playbook to deploy the opentaxii role

[root@metron-test ~]# cat metron/metron-deployment/playbooks/install-opentaxii.yml
- hosts: metron
  become: true
  roles:
    - role: opentaxii

b) Deploy using ansible-playbook

[root@metron-test ~]# ansible-playbook -i ~/metron-deployment/inventory/metron_example  playbooks/install-opentaxii.yml -e ansible_python_interpreter=python -e ansible_user=root  -e ansible_ssh_private_key_file=/path/to/private-keypair.pem -vvv

c) Verify the service has been deployed successfully using the command:

service opentaxii status

This should show the list of subscribed services along with threat feed counts. Here is a sample output:

[root@metron-test]# service opentaxii status
guest.phishtank_com                                888
guest.Abuse_ch                                     0
guest.CyberCrime_Tracker                           0
guest.EmergingThreats_rules                        0
guest.Lehigh_edu                                   0
guest.MalwareDomainList_Hostlist                   0
guest.blutmagie_de_torExits                        648
guest.dataForLast_7daysOnly                        1124
guest.dshield_BlockList                            0

Note:

In case the following is noticed

[root@node1 ~]# service opentaxii status
Checking opentaxii...                             Running
Services not defined

Refer to METRON-484 for more details and a workaround.

Step 2 - Fetch Latest Opentaxii Feeds

Use the following command to fetch the latest hailataxii feeds into the opentaxii server

service opentaxii sync <service-name> [YYYY-MM-DD]
For e.g.
service opentaxii sync guest.phishtank_com 
service opentaxii sync guest.Abuse_ch 2016-08-01

Note: The date (YYYY-MM-DD) indicates the time from when the threat intel feeds is to be pulled. If not suffixed, then the sync command picks up feeds available for the current day.

The above process can be repeated for all the subscribed services.

Step 3 - Load Opentaxii Feeds into HBASE

Create sample extractor.json and connection_config.json files as follows:

[root@metron-test]# cat ~/extractor.json
{
  "config": {
    "columns": {
      "ip": 0
    },
    "indicator_column": "ip",
    "type" : "malicious_ip",
    "separator" : ","
  },
  "extractor" : "STIX"
}
[root@metron-test]# cat ~/connection_config.json
{
  "endpoint" : "http://localhost:9000/services/discovery"
  ,"username" : "guest"
  ,"password" : "guest"
  ,"type" : "DISCOVER"
  ,"collection" : "guest.MalwareDomainList_Hostlist"
  ,"table" : "threatintel"
  ,"columnFamily" : "t"
  ,"allowedIndicatorTypes" : [ "domainname:FQDN", "address:IPV_4_ADDR" ]
}

Now, push the hailataxii feeds from the opentaxii server into HBASE using the following script:

/usr/metron/<METRON_VERSION>/bin/threatintel_taxii_load.sh -b <START_TIME> -c /path/to/connection_config.json -e /path/to/extractor.json -p <TIME_INTERVAL_MSECS>
For e.g.
/usr/metron/0.2.0BETA/bin/threatintel_taxii_load.sh -b "2016-08-01 00:00:00" -c ~/connection_config.json -e ~/extractor.json -p 10000

Step 4 - Verify in HBASE

Query the Hbase table to check for the threat intel feeds.

echo "scan 'threatintel'" | hbase shell
13,069 Views
Comments

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank ragdelaed
New Contributor

Created on ‎10-15-2016 12:28 PM

connector.json and extractor.json created as per this article. ansible pushed opentaxii as per this article. the service is started and i was able to pull several thousand elements from a few of the taxii servers. i can connect to localhost:9000 and there is a service waiting for input.

when i enter this:

0.2.1BETA/bin/threatintel_taxii_load.sh -b "2016-10-13 00:00:00" -c taxii_connector.json -e taxii_extractor.json -p 10000

i get this (bold for emphasis):

WARNING: Use "yarn jar" to launch YARN applications.

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Loading configuration: TaxiiConnectionConfig{endpoint=http://localhost:9000/services/discovery, port=443, proxy=null, username='guest', password='******', type=DISCOVER, allowedIndicatorTypes=domainname:FQDN,address:IPV_4_ADDR, collection='guest.MalwareDomainList_Hostlist', subscriptionId='null', beginTime=Thu Oct 13 00:00:00 UTC 2016, table=threatintel:t}

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Initializing client..

16/10/15 12:14:55 INFO taxii.TaxiiHandler: Discovering endpoint

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Request made : org.mitre.taxii.messages.xml11.DiscoveryRequest => org.mitre.taxii.messages.xml11.DiscoveryResponse (expected org.mitre.taxii.messages.xml11.DiscoveryResponse)

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Discovered endpoint as http://localhost:9000/services/poll

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Configured, starting polling http://localhost:9000/services/poll for guest.MalwareDomainList_Hostlist

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Polling...10/15/16 12:14 PM

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Begin Time: 2016-10-13T00:00:00Z

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Request made : org.mitre.taxii.messages.xml11.PollRequest => org.mitre.taxii.messages.xml11.PollResponse (expected org.mitre.taxii.messages.xml11.PollResponse)

16/10/15 12:14:57 INFO taxii.TaxiiHandler: Got Poll Response with 0 blocks

16/10/15 12:15:07 INFO taxii.TaxiiHandler: Polling...10/15/16 12:15 PM

16/10/15 12:15:07 INFO taxii.TaxiiHandler: Begin Time: 2016-10-15T12:14:57Z

16/10/15 12:15:07 ERROR taxii.TaxiiHandler: Connection pool shut down

java.lang.IllegalStateException: Connection pool shut down

at org.apache.metron.httpcore.dataload.util.Asserts.check(Asserts.java:34) at org.apache.metron.httpcore.dataload.pool.AbstractConnPool.lease(AbstractConnPool.java:169) at org.apache.metron.httpcore.dataload.impl.conn.PoolingHttpClientConnectionManager.requestConnection(PoolingHttpClientConnectionManager.java:217) at org.apache.metron.httpcore.dataload.impl.execchain.MainClientExec.execute(MainClientExec.java:158) at org.apache.metron.httpcore.dataload.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) at org.apache.metron.httpcore.dataload.impl.execchain.RetryExec.execute(RetryExec.java:85) at org.apache.metron.httpcore.dataload.impl.execchain.RedirectExec.execute(RedirectExec.java:108) at org.apache.metron.httpcore.dataload.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186) at org.apache.metron.httpcore.dataload.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.mitre.taxii.client.HttpClient.callTaxiiService(HttpClient.java:297) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:336) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:242) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:171) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505)

Exception in thread "Timer-0" java.lang.RuntimeException: Unable to make request

at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:214) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505)

Caused by: java.lang.IllegalStateException: Connection pool shut down

at org.apache.metron.httpcore.dataload.util.Asserts.check(Asserts.java:34) at org.apache.metron.httpcore.dataload.pool.AbstractConnPool.lease(AbstractConnPool.java:169) at org.apache.metron.httpcore.dataload.impl.conn.PoolingHttpClientConnectionManager.requestConnection(PoolingHttpClientConnectionManager.java:217) at org.apache.metron.httpcore.dataload.impl.execchain.MainClientExec.execute(MainClientExec.java:158) at org.apache.metron.httpcore.dataload.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) at org.apache.metron.httpcore.dataload.impl.execchain.RetryExec.execute(RetryExec.java:85) at org.apache.metron.httpcore.dataload.impl.execchain.RedirectExec.execute(RedirectExec.java:108) at org.apache.metron.httpcore.dataload.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186) at org.apache.metron.httpcore.dataload.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.mitre.taxii.client.HttpClient.callTaxiiService(HttpClient.java:297) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:336) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.call(TaxiiHandler.java:242) at org.apache.metron.dataloads.nonbulk.taxii.TaxiiHandler.run(TaxiiHandler.java:171) ... 2 more

am i missing somthing?

i am not behind a proxy, this is a cloud based server, there is no real firewall between me and the internet, there is no local firewall, there is no SSL interception, i can access other sites with no issues, and metron as a whole is functional.

thanks for any insight.

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank ankur_vyavahark
Contributor

Created on ‎07-27-2017 04:56 PM

@asubramanian

What version of ansible did you use to get the opentaxii feed? i tried running it on 2.0.0.2 and still getting service not defined error while checking the opentaxii status, the service is running though. I followed the work around steps but still the same error.

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank ankur_vyavahark
Contributor

Created on ‎08-08-2017 04:22 PM

I have got taxii to work but i keep getting error message "Exception in thread "main" java.lang.IllegalStateException: Extractor must be a STIX Extractor" when i try to push the feed to Hbase

Here's what the extractor file looks like

{
"config": {
"zk_quorum": "node1:2181",
"columns": {
"stix_address_categories" : "IPV_4_ADDR"
},
"indicator_column": "ip",
"type" : "malicious_ip",
"separator" : ","
}
,"extractor" : "STIX"
}

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank 308741831
Contributor

Created on ‎08-22-2017 07:31 AM

Have you solve this problem. I got the same mistake. The version of Metron is 0.4.0.

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank asubramanian
Super Collaborator

Created on ‎08-22-2017 08:48 AM

@ankur V and @leo lee - looks like you are hitting into https://issues.apache.org/jira/browse/METRON-1026. This has been fixed with latest bits of metron. Can you give it a try?

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank 308741831
Contributor

Created on ‎08-22-2017 11:04 AM

Okay ,Thank you so much.

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank 308741831
Contributor

Created on ‎08-22-2017 01:15 PM

I got the follow mistake when load opentaxii feeds to hbase. Metron version is 0.4.0

[root@node1 ~]# /usr/metron/0.4.0/bin/threatintel_taxii_load.sh -b "2016-08-01 00:00:00" -c ~/connection_config.json -e ~/extractor.json -p 10000
17/08/22 03:35:01 WARN extractor.TransformFilterExtractorDecorator: Unable to setup zookeeper client - zk_quorum url not provided. **This will limit some Stellar functionality**
Exception in thread "main" java.lang.IllegalStateException: Extractor must be a STIX Extractor
at org.apache.metron.dataloads.nonbulk.taxii.TaxiiLoader.main(TaxiiLoader.java:202)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.util.RunJar.run(RunJar.java:233)
at org.apache.hadoop.util.RunJar.main(RunJar.java:148)

so what can i do to solve this? Any help will be appreciated.

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank ankur_vyavahark
Contributor

Created on ‎08-22-2017 02:08 PM

@leo leeWe fixed the issue by modifying the JAR files and replacing the metron-data-management-0.4.0.jar in /usr/metron/0.4.0/lib with the modified jar follow the instructions noted in https://github.com/apache/metron/pull/643/files see if that helps if not let me know i can upload the JAR file (its 100M though)

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank ankur_vyavahark
Contributor

Created on ‎08-22-2017 02:09 PM

Thanks for the headsup @asubramanian

Re: Pushing STIX/Taxii feeds from Opentaxii server into HBASE

avatar
author-rank 308741831
Contributor

Created on ‎08-24-2017 06:11 AM

Thanks to your help,I handled this correctly.

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎10-04-2016 09:32 AM
Updated by:
Super Collaborator
Contributors