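My current problem is that I cannot push STIX data via the cabby client using terminal commands. Sorry for the poor tagging, but I don't have enough reputation to create MISP or cabby tags.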

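So far I have a local MISP instance up and running, and I have installed the cabby client, which also works so far. Or at least it does when I pull STIX data from a TAXII server such as hailataxii to my hard drive. But every time I try to push this data from my hard drive to my MISP instance via the cabby CLI command, I get an error message.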

This is the command I use:

taxii-push --path http://localhost/ -f /home/misp/Schreibtisch/guest-Abuse_ch_ea2ae69756ed810fe869d8a328c96a0e --username (username) --password (password) --verify no --header Authorization:(misp api key) -v

This is the error I get:

2021-05-27 10:32:09,277 cabby.dispatcher INFO: Sending Inbox_Message to http://localhost/
2021-05-27 10:32:09,277 cabby.dispatcher DEBUG: Request:
<taxii_11:Inbox_Message xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="a7196aae-d98d-4ad4-8a7d-ba9dd5e737b0">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:simpleMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1" xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" xmlns:TOUMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1" xmlns:opensource="http://hailataxii.com" xmlns:edge="http://soltra.com/" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="edge:Package-54bf83aa-ddb6-4f57-9f86-5ae5de955a7e" version="1.1.1" timestamp="2021-05-25T13:03:13.586979+00:00">
    <stix:STIX_Header>
        <stix:Handling>
            <marking:Marking>
                <marking:Controlled_Structure>../../../../descendant-or-self::node()</marking:Controlled_Structure>
                <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="WHITE"/>
                <marking:Marking_Structure xsi:type="TOUMarking:TermsOfUseMarkingStructureType">
                    <TOUMarking:Terms_Of_Use>zeustracker.abuse.ch | Abuse source[https://sslbl.abuse.ch/blacklist/] - As for all abuse.ch projects, the use of the SSL Blacklist is free for both commercial and non-commercial usage without any limitation. However, if you are a commercial vendor of security software/services and you want to integrate data from the SSL Blacklist into your products / services, you will have to ask for permission first by contacting me using the contact form [http://www.abuse.ch/?page_id=4727].'
</TOUMarking:Terms_Of_Use>
                </marking:Marking_Structure>
                <marking:Marking_Structure xsi:type="simpleMarking:SimpleMarkingStructureType">
                    <simpleMarking:Statement>Unclassified (Public)</simpleMarking:Statement>
                </marking:Marking_Structure>
            </marking:Marking>
        </stix:Handling>
    </stix:STIX_Header>
    <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
        <cybox:Observable id="opensource:Observable-87fd80af-647f-43ab-8992-3fe478593793">
            <cybox:Observable_Composition operator="OR">
                <cybox:Observable idref="opensource:Observable-2aa6d9ec-633a-4dbf-9410-64efce2422ff">
                </cybox:Observable>
                <cybox:Observable idref="opensource:Observable-010363d5-cca4-47ac-8538-23a1151fbcfd">
                </cybox:Observable>
                <cybox:Observable idref="opensource:Observable-e49fe4fb-6aef-486d-be21-0ec8a371ddb1">
                </cybox:Observable>
            </cybox:Observable_Composition>
        </cybox:Observable>
    </stix:Observables>
</stix:STIX_Package>
    </taxii_11:Content>
    <taxii_11:Timestamp_Label>2021-05-27T08:32:09.276236+00:00</taxii_11:Timestamp_Label>
  </taxii_11:Content_Block>
</taxii_11:Inbox_Message>

2021-05-27 10:32:09,280 urllib3.connectionpool DEBUG: Starting new HTTP connection (1): localhost:80
2021-05-27 10:32:09,281 urllib3.connectionpool DEBUG: http://localhost:80 "POST / HTTP/1.1" 302 202
2021-05-27 10:32:09,283 urllib3.connectionpool DEBUG: Starting new HTTPS connection (1): localhost:443
2021-05-27 10:32:09,296 py.warnings WARNING: /home/misp/venv/local/lib/python2.7/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,

2021-05-27 10:32:09,306 urllib3.connectionpool DEBUG: https://localhost:443 "GET / HTTP/1.1" 403 341
2021-05-27 10:32:09,306 cabby.dispatcher DEBUG: Response:
<?xml version="1.0" encoding="UTF-8"?>
<response><name>Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.</name><message>Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.</message><url>/</url></response>

2021-05-27 10:32:09,306 cabby.cli.commons ERROR: HTTP Error: status code 403
Traceback (most recent call last):
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/cli/commons.py", line 174, in run_client
    run_func(client, args.uri, args)
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/cli/push.py", line 51, in _runner
    client.push(content, binding, collection_names=args.collections, uri=path)
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/client11.py", line 332, in push
    service_type=const.SVC_INBOX)
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/abstract.py", line 200, in _execute_request
    return do_request()
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/abstract.py", line 196, in do_request
    timeout=self.timeout,
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/dispatcher.py", line 54, in send_taxii_request
    stream, headers = request_stream(session, url, request_body, timeout)
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/dispatcher.py", line 91, in request_stream
    raise_http_error(response.status_code, response.raw)
  File "/home/misp/venv/local/lib/python2.7/site-packages/cabby/dispatcher.py", line 34, in raise_http_error
    raise HTTPError(status_code)
HTTPError: HTTP Error: status code 403

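I think two things in this error log are important:

HTTP Error: status code 403 <--- so I am not allowed

Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header. <---- and why I am not allowed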

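To clarify further: my MISP instance is not HTTPS-encrypted, so the warning can be ignored for now. What I have tried so far is creating a new API key, which MISP also rejected. I created a new admin user, but MISP rejected that too. I tried several different ways of passing the API key in the header, but without success.

Maybe someone knows what my mistake is. I look forward to your answers, kind strangers. This thing is driving me crazy ^^

Kind regards, 德威利旺卡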
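
Added example, not part of the original post and not cabby or MISP code: a Python check over the urllib3 lines of the debug log above, reporting when a redirect was followed with a different method or scheme. In this log the POST to http://localhost:80 is answered with 302, and the request that receives the 403 is a GET to https://localhost:443. The function names are assumptions of this example.

```python
import re

# The four urllib3 lines from the post's debug log, embedded so this runs offline.
SAMPLE_LOG = """\
2021-05-27 10:32:09,280 urllib3.connectionpool DEBUG: Starting new HTTP connection (1): localhost:80
2021-05-27 10:32:09,281 urllib3.connectionpool DEBUG: http://localhost:80 "POST / HTTP/1.1" 302 202
2021-05-27 10:32:09,283 urllib3.connectionpool DEBUG: Starting new HTTPS connection (1): localhost:443
2021-05-27 10:32:09,306 urllib3.connectionpool DEBUG: https://localhost:443 "GET / HTTP/1.1" 403 341
"""

# Completed requests appear in the log as:
#   <scheme>://<host>:<port> "<METHOD> <path> HTTP/x.y" <status> <length>
REQ_RE = re.compile(
    r'urllib3\.connectionpool DEBUG: (?P<scheme>https?)://(?P<host>[^:\s]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)
REDIRECTS = {301, 302, 303, 307, 308}

def parse_requests(log_text):
    """Return one dict per completed HTTP request found in the log, in order."""
    rows = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def redirect_findings(log_text):
    """Flag what changed between a redirected request and the one that followed it."""
    reqs = parse_requests(log_text)
    findings = []
    for prev, cur in zip(reqs, reqs[1:]):
        if prev["status"] not in REDIRECTS:
            continue
        if prev["method"] != cur["method"]:
            findings.append("method-changed:%s->%s" % (prev["method"], cur["method"]))
        if prev["scheme"] != cur["scheme"]:
            findings.append("scheme-changed:%s->%s" % (prev["scheme"], cur["scheme"]))
        if cur["status"] in (401, 403):
            findings.append("auth-rejected-after-redirect:%d" % cur["status"])
    return findings

if __name__ == "__main__":
    for finding in redirect_findings(SAMPLE_LOG):
        print(finding)
```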