
cti-users message



Subject: Re: [cti-users] Re: TAXII Query help required... (using Soltra Edge)


Chris,

Please join the TAXII SC and help us build a better and easier to implement Query for TAXII.  We have been talking about this very topic a lot this past week on our slack channel.  I want to make sure the things we design will work for the people that are trying to use them.

Bret 

Sent from my Commodore 64

On Sep 12, 2015, at 6:11 AM, Aharon Chernin <achernin@soltra.com> wrote:

Chris,


Edge currently does not support TAXII Query Language. There are a number of reasons why we chose to not adopt it. A few of them being: high complexity, difficulty in implementation, and no market adoption (it doesn't make sense to spend resources on something that is not gaining traction). 


A number of options are available to you:

1) We have a new soon to be released proprietary query API that we will use until an improved TAXII 2.0 query is implemented.

2) I think we can assist you in reaching your immediate query goals. You can contact our support team at support@soltra.com and they can walk you through immediate methods to query the system.



Aharon Chernin

CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com



From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Chris O'Brien <COBrien@cert.gov.uk>
Sent: Saturday, September 12, 2015 7:27 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] TAXII Query help required... (using Soltra Edge)
 

Hi all,

 

So, fully appreciate that we’re talking future in the CTI TC and SCs, but I’m playing with an experiment on the current version of TAXII for which I could use some help. I’m reasonably comfortable with STIX, but TAXII is still a bit new for me.

 

I’m trying to set up a method of querying a TAXII service for a specific observable (initially an IP address, but hopefully for different observable types too) and – at first – just return a yes/no whether it exists in the repo. I’ve been trying to follow the guidance in https://taxiiproject.github.io/releases/1.1/TAXII_Default_Query_Specification.pdf and I’m sending requests to an offline copy of Soltra Edge using a customised version of the TAXIIExample.py script. I’m building the query as per the examples in the above linked spec, but the response I’m getting is a fully formed TAXII error message (which at least means it understands what I’m asking, I suppose) saying that ‘Query’ is an unknown message type.

 

The good news is that I have control of the repository that I’m searching in, so I can predetermine the structure of the hosted STIX objects (and, hence, can be explicit with the Target in the tdq declarations). However, I can’t even seem to get it to like the taxii:Query message type first – so it’s not even dropping in to the tdq sections. None of the TAXII 1.1 spec information seems to make reference to anything outside discovery, poll, inbox and feed_info – was the query message type deprecated? Am I missing something?

 

Thanks in advance for your help!

 

Chris


