# MISP Taxii Server
![Build Status ](https://travis-ci.org/MISP/MISP-Taxii-Server.svg?branch=master)
[![Code Health](https://landscape.io/github/MISP/MISP-Taxii-Server/master/landscape.svg?style=flat)](https://landscape.io/github/MISP/MISP-Taxii-Server/master)
A set of configuration files to use with EclecticIQ's OpenTAXII implementation,
along with a callback for when data is sent to the TAXII Server's inbox.
## Installation
### Docker install
For a really simple sqlite-based installation (plug and play, no persistence)
```bash
docker pull floatingghost/misp-taxii-server
# Replace MISP_URL, MISP_KEY and the TAXII credentials with your own values
docker run -it \
    -e PERSIST_CONNECTION_STRING="sqlite:///persist.db" \
    -e AUTH_CONNECTION_STRING="sqlite:///auth.db" \
    -e MISP_URL="https://mymisp" \
    -e MISP_KEY="myapikey" \
    -e TAXII_USER=root \
    -e TAXII_PASS=root \
    -p 9000:9000 \
    floatingghost/misp-taxii-server  # the image pulled above
```
That'll get you set up with a basic server, but is not recommended for production.
Switch the connection strings to use an external database for that.
This docker image currently just runs the base server with no supplementary scripts.
### Manual install
Download the repository with
```bash
git clone --recursive https://github.com/MISP/MISP-Taxii-Server
```
This will also download the OpenTAXII Server, which you should install with
```bash
# There's some weird bug wherein pip can't parse >=1.1.111
sudo pip3 install libtaxii==1.1.111
cd OpenTAXII
sudo python3 setup.py install
```
You'll then need to set up your TAXII database. As you're using MISP, you'll likely
already have a MySQL environment running.
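Run the following commands to create your databases, replacing `some_password` with a strong password of your own. The `'taxii'@'%'` grants let that account connect from any host; use `'taxii'@'localhost'` instead if OpenTAXII runs on the database host.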
```bash
mysql -u [database user] -p
# Enter Database password
mysql> create database taxiiauth;
mysql> create database taxiipersist;
mysql> grant all on taxiiauth.* to 'taxii'@'%' identified by 'some_password';
mysql> grant all on taxiipersist.* to 'taxii'@'%' identified by 'some_password';
mysql> exit;
```
Now, with that data, copy `config/config.default.yaml` over to `config/config.yaml` and open it. Edit the `db_connection` parameters to match your environment. Change `auth_api -> parameters -> secret` whilst you're here as well.
Do not forget to set your MISP server's URL and API key at the bottom.
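A pre-flight check for the `config/config.yaml` edited above, as an added example that is not part of this project: it flags a config file readable by other users (it holds the database password, the auth secret and the MISP API key) and any of this README's sample values left in place. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of MISP-Taxii-Server. Function names are hypothetical.

# Sample values used in this README that must not survive into a real config.
README_PLACEHOLDERS='some_password myapikey'

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the config passes both checks, 1 otherwise.
# Findings are written to stderr, one per line.
check_taxii_config() {
    local cfg="$1" rc=0 mode word
    if [ ! -f "$cfg" ]; then
        echo "missing: $cfg" >&2
        return 1
    fi
    # Group and other need no access to a file full of credentials.
    mode="$(file_mode "$cfg")"
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "permissions $mode on $cfg: run chmod 600 $cfg" >&2
        rc=1
    fi
    # Fixed-string search for each README sample value.
    for word in $README_PLACEHOLDERS; do
        if grep -qF -- "$word" "$cfg"; then
            echo "placeholder value still present: $word" >&2
            rc=1
        fi
    done
    return "$rc"
}

# When run as a script with a path argument, check that file.
if [ "$#" -gt 0 ]; then
    check_taxii_config "$1"
fi
```

Run it as `bash check-config.sh config/config.yaml` (the script name is an assumption) before starting the server; a non-zero exit status means at least one finding was printed.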
If you wish, you can edit the taxii service definitions in `services.yaml`,
or the collections to be created in `collections.yaml`; full documentation on how this is set up is available at [OpenTaxii's docs](https://opentaxii.readthedocs.io/en/stable/configuration.html).
Now it's time to create all your SQL tables. Luckily OpenTaxii comes with commands for this.
You're going to want to export your configuration file to a variable as well.
```bash
# Install mysqlclient for python3 if you haven't already done so
apt-get install libmysqlclient-dev # for mysql_config
pip3 install mysqlclient
# An example of this config is in the config directory
export OPENTAXII_CONFIG=/path/to/config.yaml
export PYTHONPATH=.
opentaxii-create-services -c config/services.yaml
opentaxii-create-collections -c config/collections.yaml
# Create a user account
# Set the username and password to whatever you want
opentaxii-create-account -u root -p root
```
OpenTaxii is now ready to roll, we've just gotta do one more thing.
In the repository root directory, run
```bash
sudo python3 setup.py install
```
This will install the TAXII hooks to run when we have new data.
Now we should be ready to go!
```bash
opentaxii-run-dev
```
This should tell you that there is now a server running on `localhost:9000` (maybe a different port if you changed it). If there are no errors, you're good!
If you want to test everything is working, run
```bash
taxii-push --path http://localhost:9000/services/inbox -f stix_sample.xml \
--dest collection --username root --password root
```
Obviously replace anything that differs in your system.
The client should say "Content Block Pushed Successfully" if all went well.
Now you have a TAXII server hooked up to MISP, you're able to send STIX files to the inbox and have them uploaded directly to MISP. So that's nice <3
There is also an experimental feature to push MISP events to the TAXII server when they're published - that's in `scripts/push_published_to_taxii.py`. It seems to work, but may occasionally re-upload duplicate events to MISP.
## Automated TAXII -> MISP Sync
If you want, there is the ability to synchronise between a remote TAXII server and the local MISP server.
```bash
$ install-remote-server.sh
[MISP-TAXII-SERVER]
POLLING SERVER INSTALLATION
FRIENDLY SERVER NAME:
< Add a unique server name here, can be anything >
```
This will then install 2 files to `~/.misptaxii`, one for a local server and one for the remote servers.
Edit these files as needed. Run `install-remote-server.sh` once for each remote server you want to add.
You'll probably want to put the sync script on a crontab.
First, run
```bash
echo `which python3` `which run-taxii-poll.py`
```
to get the path of your script, and copy it. Then
```bash
crontab -e
```
This will open your crontab. Paste in
```cron
0 */6 * * * <the output of that echo command you just ran>
```
This will run the polling script every 6 hours to keep things all synced up.