1. Install prerequisites on Debian 8.6 (as root)

# Packages libtaxii needs on Debian 8.6 (run as root).  The -dev packages
# are presumably there so pip can build libtaxii's compiled dependencies;
# python-pycurl is the HTTP client and python-pip gives you pip itself.
apt-get install \
  libxml2-dev \
  libxslt1-dev \
  python-dev \
  zlib1g-dev \
  python-pycurl \
  python-pip

2. Install libtaxii

# Installs libtaxii from PyPI; the package ships the
# libtaxii/scripts/poll_client.py that the cron script below calls.
# Supply-chain note: pin a version you have tested (pip install libtaxii==<ver>)
# so an unattended cron host is not silently upgraded to whatever is latest.
pip install libtaxii

3. Run this script from cron. It polls several TAXII collections from hailataxii.com and converts them into plain domain lists that Bro's Intel Framework (and an RPZ) can load. Note that the poll uses plain HTTP and the public guest/guest account, so the indicators are neither confidential nor integrity-protected in transit; treat the resulting lists as untrusted input to your blocking policy and validate them before they are loaded.

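#!/bin/sh
## TAXII feed script
## Pulls feeds from hailataxii
## and formats them into something
## bro and RPZ can use
##
## Usage: run from cron.  Scratch directories polls/ and output/ are created
## under WORKDIR (defaults to the current directory, as before); the finished
## lists go to FEED_DIR.  Every setting below can be overridden from the
## environment.
##
## Security notes:
##  * The poll goes over plain HTTP with the public guest/guest account, so
##    the indicator lists are neither confidential nor integrity protected in
##    transit.  Everything that lands in these lists gets blocked by Bro/RPZ,
##    so an on-path attacker could add or drop domains.  Prefer an https://
##    TAXII_URL if the server offers one.
##  * --pass puts the password on the command line, where other local users
##    can see it with ps.  Fine for the public guest account; do not reuse
##    this pattern with real credentials.
##  * Each indicator is allow-listed against a conservative hostname pattern
##    before it is written, so a malformed or hostile value cannot break the
##    Bro intel / RPZ file format.
##  * A feed file is only replaced when the poll succeeded and produced at
##    least one indicator; a failed or empty poll keeps the previous list
##    instead of silently emptying it (the old script would wipe it).

set -u

WORKDIR="${WORKDIR:-.}"
FEED_DIR="${FEED_DIR:-/data/bro/feeds}"
TAXII_URL="${TAXII_URL:-http://hailataxii.com:80/taxii-data}"
TAXII_USER="${TAXII_USER:-guest}"
TAXII_PASS="${TAXII_PASS:-guest}"
PYTHON="${PYTHON:-/usr/local/bin/python2.7}"
# NOTE(review): this is the path the original post used; a Debian pip
# install may place libtaxii elsewhere -- verify on your host.
POLL_CLIENT="${POLL_CLIENT:-/usr/local/lib/python2.7/site-packages/libtaxii/scripts/poll_client.py}"

log() { printf '%s\n' "$*" >&2; }
die() { log "$*"; exit 1; }

# poll_feed COLLECTION
# Polls one TAXII collection; poll_client writes its XML into polls/.
# The subshell keeps the cd from leaking into the caller.  Returns
# poll_client's exit status.
poll_feed() {
  (
    cd polls || exit 1
    "$PYTHON" "$POLL_CLIENT" --url "$TAXII_URL" \
      --username "$TAXII_USER" --pass "$TAXII_PASS" \
      --collection "$1" 2>&1
  )
}

# extract_domains FILE...
# Prints the DomainNameObj values found in the given XML files, one per
# line, deduplicated.  Non-existent arguments (an unmatched glob) are
# skipped.  The final grep allow-lists hostname characters only, so a
# value containing whitespace, quotes or markup never reaches the feed.
extract_domains() {
  for xml in "$@"; do
    [ -f "$xml" ] || continue
    # same text-level extraction the original used; the element is
    # assumed to carry the name as its text content
    grep -- DomainNameObj "$xml" | cut -d ">" -f2 | cut -d "<" -f1
  done | sed -e '/^$/d' \
       | LC_ALL=C grep -E '^[A-Za-z0-9._-]+$' \
       | LC_ALL=C sort -u
}

# build_feed COLLECTION TEMP_NAME FEED_NAME
# Polls COLLECTION, extracts its domains into output/TEMP_NAME and, only if
# that produced something, atomically replaces FEED_DIR/FEED_NAME.
# Returns non-zero (and leaves the old feed in place) on any failure.
build_feed() {
  collection=$1
  tmp="output/$2"
  feed="$FEED_DIR/$3"

  if ! poll_feed "$collection"; then
    log "poll of $collection failed; leaving $feed untouched"
    return 1
  fi

  extract_domains polls/"$collection"*.xml > "$tmp"
  if [ ! -s "$tmp" ]; then
    log "no indicators extracted for $collection; leaving $feed untouched"
    return 1
  fi

  # copy then rename so Bro never reads a half-written list
  cp -- "$tmp" "$feed.tmp" && mv -- "$feed.tmp" "$feed"
}

main() {
  cd "$WORKDIR" || die "cannot cd to $WORKDIR"
  [ -d "$FEED_DIR" ] || die "feed directory $FEED_DIR does not exist"

  # cleanup: polls/ and output/ are scratch space under WORKDIR
  rm -rf -- polls output
  mkdir -p polls output || die "cannot create scratch directories"

  rc=0
  build_feed guest.Abuse_ch                   ABUSE_TEMP      TAXII_ABUSE_DOM      || rc=1
  build_feed guest.CyberCrime_Tracker         CYBERCRIME_TEMP TAXII_CYBERCRIME_DOM || rc=1
  build_feed guest.MalwareDomainList_Hostlist MDL_TEMP        TAXII_MDL_DOM        || rc=1
  exit "$rc"
}

main "$@"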

 
