Support: Issues Adding TAXII Server

[zhantt1]

Support Questions

I am attempting to link an OpenTAXII server to a MISP instance under Sync Actions > List TAXII Servers.
When I click "Add TaxiiServer", I experienced problems with some fields.

• Baseurl field appears limited to only 11 characters.
• Api Root and Collection dropdowns do not list any entries

I inputted the name, owner, and baseurl of the TAXII server and pressed Submit. The web dev console printed a 500 Internal Server error.

I've attached images of the baseurl field being restricted to 11 characters, the empty dropdown from the Api Root field, and the popup error after pressing Submit.

Thanks for any insight.

MISP version

2.4.166

Operating System

Ubuntu

Operating System version

22.04

PHP version

7.4

Browser

Firefox

Browser version

No response

Relevant log output

No response

Extra attachments

Code of Conduct

• I agree to follow this project's Code of Conduct

[Byhird]

Seeing this same issue with the baseurl field limited to only 11 characters, including after upgrade to v2.4.168

EDIT: I don't know enough about PHP but I did find reference in app/Model/AppModel.php (line 1913)

'baseurl' int(11) NOT NULL DEFAULT 0,

[00gxd14g]

Has anyone used this feature before?

[adulau]

@iglocska just confirmed the bug.

[iglocska]

Fixed on 2.4, make sure you git pull and the DB change should be applied automatically.

[Byhird]

Looks like that did the trick, baseurl is now able to be filled out correctly. I think fixing this bug has lead to #8941 however.

[zhantt1]

I've updated to 2.4.168 and confirmed that the base URL can be filled. However, the dropdowns for API root and Collection are still empty. Does anyone know how to set those fields?

[ArchieCrawford1]

@zhantt1 Hey did you ever get an answer for this, because I cant fill out API root or Collections either

[zhantt1]

@ArchieCrawford1 unfortunately, I haven't heard anything.

[00gxd14g]

I didn't hear either

[isaeed22]

We have the same Issue.

[dogmachine]

this issue was introduced a while ago, and it doesn't seem like upgrading problematic versions to fixed versions fixes the db schema, and leaves the baseurl column in the taxii_servers table as int(11).

if you upgrade your misp to the most recent version (2.4.170) and go to diagnostics, you will see that it dislikes the taxii_servers table's baseurl column. it will tell you that running something like the following will fix it:

ALTER TABLE `taxii_servers` MODIFY COLUMN `baseurl` varchar(191) DEFAULT "0" NOT NULL COLLATE utf8mb4_unicode_ci ;

this does not appear to occur automatically when upgrading, or by running the cake console updatedb or whatever command, so if you log into your misp db and run the above, it should fix it for you.

i imagine that the project will eventually fix this, but in the meantime, this works.

[zhantt1]

Thanks for the tip @dogmachine. Looks like I still needed to run that command when updating MISP to 2.4.171. Unfortunately, I'm still seeing empty dropdowns in the API root and collection fields. Since I can't set those, I don't see a way to connect to the TAXII 2.1 server in my environment.

[Byhird]

CIRCL have provided an article to help out https://www.misp-project.org/2023/04/29/MISP.how.to.push.to.a.taxii.server.html/ which specifies using medallion to create your Taxii 2.1 server.

I've noticed in my troubleshooting that MISP is very particular about the URL it searches for to find the API root and collections, it tries to go to https://example.com/api/ while I had an opentaxii setup that was using https://example.com/services/ - I ended up having to move away from opentaxii's implementation and towards medallion (see: https://github.com/oasis-open/cti-taxii-server).

[UFOSmuggler]

@zhantt1 as @Byhird mentioned the config of these is a bit funny. you basically need to put the base url of the taxii2.1 service in, like https://taxii2.blah.com/ and not anything like https://taxii2.blah.com/taxii2/ (it is expecting the path where it will be able to find /taxii2/) or anything you might expect from reading the taxii2.1 spec. once you have entered that (with appropriate port if not uri schema conforming) you can click the spanner icons and the drop down fields will populate.

it'd be nice if you could just type them in too, which is how everything else in misp works. even if you could type them in though, the taxii2.1 spec says api roots can be full urls or relative paths, and what misp records is neither. needs a bit of work making the language used less ambiguous.

[UFOSmuggler]

also it appears the collection id isn't stored in the db anywhere that i can see. there isn't a collection column in the taxii_server table, and the collection id appears to be hard coded as mentioned here

[zhantt1]

Thanks @Byhird and @UFOSmuggler, your comments were helpful. I set up a medallion instance (using the memory backend) and confirmed that the API roots and collections appeared when I click on the spanner icon.

Unfortunately, the "push to TAXII" button does not seem to work. When I press the button, the UI displays "TAXII push initiated", but the medallion console does not show any new API requests. I updated the medallion config to include a collection with the hardcoded collection ID @UFOSmuggler linked under the API root I was pushing to, but this did not work either (the collection remained empty). I have a few sample events and attributes in MISP that I expected would be pushed.

Has anyone had any success pushing to their TAXII server? Also is there a feature to poll from the TAXII server?

[dragsu]

I tried pushing a simple MISP event into an OpenTAXII instance without success. In my setup, MISP event is imported into MISP using MISP in-built STIX importer and tried to export that into the OpenTAXII instance. Based on @UFOSmuggler's findings I went and hard-coded the API root (tested both /services, /services/inbox based on my OpenTAXII config) and the collection name and I got a failed status in the jobs page. Below errors are thrown at debug logs.

2023-06-02 12:57:03 Notice: Undefined variable: technique in [/var/www/MISP/app/Console/Command/ServerShell.php, line 810]
2023-06-02 12:57:03 Notice: Undefined variable: HttpSocket in [/var/www/MISP/app/Console/Command/ServerShell.php, line 810]
2023-06-02 12:57:03 Notice: Trying to access array offset on value of type null in [/var/www/MISP/app/Model/Event.php, line 1343]
2023-06-02 12:57:03 Notice: Trying to access array offset on value of type null in [/var/www/MISP/app/Model/Event.php, line 1343]```

[zhantt1]

@dragsu I checked my MISP logs and also see those messages when I attempt to push to my medallion server.

[UFOSmuggler]

The further I dig into this the more I am convinced that the wrong code was merged or something. I don't think it could have worked for anyone.

[iglocska]

Interesting, we'll have have a look with @chrisr3d, we only tried pushing to medallion, that seems to have worked, but it's super early days for the taxii push, so your mileage may vary.

[UFOSmuggler]

Hi @iglocska and @chrisr3d, thanks for taking a look into this.

This makes me think it cannot have worked and must be the wrong code:

To create a taxii push job, the push_taxii command calls the taxii push function with the wrong arguments. I'm guessing one of these is meant to be different.

If I fix this, it then seems the taxii server filter arguments don't evaluate correctly and every event in my MISP instance is sent to push (though fails to do so, presumably hits execution timeout). I don't yet know why that is though.

Other than that, as mentioned above there doesn't appear to be anywhere in the DB or app model to store the taxii collection uuid you want to push to, and it seems to be hard coded.

I'm not great at PHP though, so I could be misunderstanding what is going on there. Apologies if this is the case.

[iglocska]

No worries, high chance those are correct observations and we've accidentally left something hard-coded in there that worked for us. We'll revise it today and the fixes will be in the next release.

[iglocska]

I've pushed a first fix for testing, indeed it was broken as hell. Still rolling with a hard-coded collection, will change that this afternoon if all goes right, some meetings first though... :)

[pdelv]

Hello everyone; I'm having issues with Taxii servers connected with MISP.
First of all, I tried the OpenTAXII way. Still, I had a huge problem with the API root caused by a lack of information/experience: even if the server was running and I could operate via cabby, I couldn't have the API root and collection in MISP.

Then I switched to Medallion and succeeded in creating a Taxii server and connecting to MISP, but I'm having issues pushing data to the Taxii server.
For this test, I used the default medallion collection stored in memory used to test adding objects (365fed99-08fa-fdcd-a1b3-fb247eb41d01). I set it both in version 2.0 and 2.1
Every time I try to push data, I get an error, and in the log file, I always read this:
stix2.exceptions.ExtraPropertiesError: Unexpected properties for CustomAttribute: (interoperability).

Do anyone had and solved the same problem?
Thanks a lot!

[UFOSmuggler]

hi @pdelv

if you were using cabby then i am assuming your opentaxii instance was only configured for taxii 1.x (which misp does not support) as cabby only supports taxii 1.x

is there any chance you could share the misp event that you are attempting to push to the medallion server?

[pdelv]

Dear @UFOSmuggler,
Thanks for your answer.
I used OPENTaxii and Cabby as the first experiment to connect MISP and a Taxii server for personal project reasons.
Reading the MISP suggestion, I switched to Medallion with better results.
As I wrote, I always have errors while pushing IoC from MISP to Medallion, but as I can read from logs, it could be MISP cause or, more probably, some misconfiguration in the chain.
Can you help me figure out the problem?
I attached an extract of the error log and one of the packets prepared by MISP to be uploaded.
Still, many thanks!

exec-errors_extract.log
xma6bu2CuVsa.json.txt

[UFOSmuggler]

g'day @pdelv

i ingested your (rather strange) misp event and successfully pushed it to my medallion instance:

192.168.5.121 - - [10/Jul/2023 01:46:50] "GET /trustgroup1/ HTTP/1.1" 200 -
192.168.5.121 - - [10/Jul/2023 01:46:50] "GET /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/ HTTP/1.1" 200 -
192.168.5.121 - - [10/Jul/2023 01:46:50] "POST /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1" 202 -

$ curl -sg -u 'admin:Password0' -H 'Accept: application/taxii+json;version=2.1' 'http://192.168.5.100:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/?added_after=2023-07-10T00:00:00Z'
{"more": true, "next": "ec3ed441-fd36-4f1f-b391-7107decddb2e", "objects": [{"created": "2023-02-02T06:07:23.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--e4dab548-f062-41f3-ad1d-57cc0e453b6d", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:23.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56024f6c-da70-4584-b689-48ef950d210f=2.2106538382861213e-05"}, {"created": "2023-02-02T06:07:24.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--b3df798d-5c74-4c6a-b675-8208de3b5192", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:24.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "5cf66e53-b5f8-43e7-be9a-49880a3b4631=0.01734013120196037"}, {"created": "2023-02-02T06:07:24.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--0d8d2739-8a78-4217-9e7f-36b48e071aa9", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:24.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56bdf779-46f8-4353-bdf9-2bb95bce2212=0.0036333028754682206"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--fc0d87b6-fbfa-4e69-9ffc-8a40d8cf20ee", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "593798b3-3924-4c43-9742-0d9fc25ed030=0.0003812362872199539"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--30ce94f0-8cad-4018-8ac5-4c126f3a7e0f", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "55f6ea5e-2c60-40e5-964f-47a8950d210f=0.1693075608413478"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--853c5a80-144a-4027-8935-f93a9709dca1", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "581b5fea-818c-441a-bd1d-49798e96ca05=0.00018683597317342064"}, {"created": "2023-02-02T06:07:26.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--6c1ab022-4964-4abe-a2c0-597ecf71102a", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:26.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56743359-c860-4361-b1dc-7b65d56c6cd2=0.0059049061594057565"}, {"created": "2023-02-02T06:07:27.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--56697d9f-512d-4fde-8249-19db06f403b6", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:27.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "569f692d-b290-40cc-ae1a-2c48ff32448e=0.0006627584610978737"}, {"created": "2023-02-02T06:07:27.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--a3bd0272-7ab0-46e4-8d56-a263d0f16f91", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:27.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f=0.09311796367668336"}, {"created": "2023-02-02T06:07:28.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--b4387020-9dbe-48ec-a92c-0732ae3e217c", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:28.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56c42374-fdb8-4544-a218-41ffc0a8ab16=0.0547489608014275"}]}

i am wondering if your stix libraries are not the misp project forked ones. try this:

#4107 (comment)

[zhantt1]

@dragsu I configured my OpenTAXII instance for TAXII 2 by following your thread here eclecticiq/OpenTAXII#247 and am using a fixed version of OpenTAXII (andrewbeard/OpenTAXII@2d135dd) to bypass the UUID encoding bug. I am able to query my OpenTAXII API root from MISP, but cannot query the collection (dropdown is empty). I know the collection exists, because I can query it using curl. Do you have any ideas on what could be wrong?

There are also error messages in error.log when I click the spanner for querying the collection:

2023-07-12 16:53:26 Error: [BadRequestException] Something went wrong with the request or the remote side is having issues.
Request URL: /taxii_servers/getCollections
Stack Trace:
#0 /var/www/MISP/app/Controller/TaxiiServersController.php(159): TaxiiServer->queryInstance()
#1 [internal function]: TaxiiServersController->getCollections()
#2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#5 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#6 {main}

[UFOSmuggler]

hi @zhantt1, can you please show me an example of how you can curl the collection? this will help me figure out whether or not your "api root" as configured in the screenshot is correct or not. i expect that it is just wanting http://192.168.3.79:9000/ rather than a uuid and whatever follows.

feel free to redact stuff from your curl example.

[dragsu]

@zhantt1 is your BaseUrl consist of taxii2 slug? It should look like http://:/taxii2

If you want to do more debugging you can play with the Python script separately. It can be found under /var/www/MISP/app/files/scripts/taxii/taxii_push.py.

E.g. /var/www/MISP/app/files/scripts/taxii/taxii_push.py --dir <where MISP data is stored> --baseurl <http://<ip>:<port>/taxii2> --key <auth_key> --api_root <api-uuid> --collection <collection-uuid>

@UFOSmuggler Even though API Root field is showing the entire URI, under the hood I think it only tracks the API Root id, which is a UUID.

[UFOSmuggler]

@UFOSmuggler Even though API Root field is showing the entire URI, under the hood I think it only tracks the API Root id, which is a UUID.

@dragsu api roots are just strings or uris. you could choose to have one as a uuid, but usually they are meant to be a human readable thematic grouping of taxii resources. additionally, /taxii2 is the discovery endpoint that tells you where and what the api roots are. it MUST be at /taxii2. misp takes the base url, searches for a discovery service on /taxii2, uses it to populate the api root dropdown which in turn populates the collection dropdown.

I enter http://192.168.5.100:5000 (a locally running dockerised medallion taxii 2.1 server) into misp, add my "api key" (base64 credentials in this case), and hit the api root wrench, medallion returns:

192.168.5.100 - - [13/Jul/2023 22:25:00] "GET /taxii2/ HTTP/1.1" 200 -

It now knows the api roots, and i select "trustgroup1" from the dropdown. i now click the collections wrench, medallion returns:

192.168.5.100 - - [13/Jul/2023 22:25:05] "GET /trustgroup1/collections/ HTTP/1.1" 200 -

It now knows the collections, and i can select one from the dropdown and hit save.

edit: collection ids are uuids though, which may be what you're thinking about.

for completeness, here is a curl conversation also reflecting the above:

$ curl -sg -u 'admin:Password0' -H 'Accept: application/taxii+json;version=2.1' 'http://192.168.5.100:5000/taxii2/'|jq
{
  "api_roots": [
    "http://localhost:5000/api1/",
    "http://localhost:5000/api2/",
    "http://localhost:5000/trustgroup1/"
  ],
  "contact": "string containing contact information",
  "default": "http://localhost:5000/trustgroup1/",
  "description": "This TAXII Server contains a listing of",
  "title": "Some TAXII Server"
}

$ curl -sg -u 'admin:Password0' -H 'Accept: application/taxii+json;version=2.1' 'http://192.168.5.100:5000/trustgroup1/collections/'|jq
{
  "collections": [
    {
      "can_read": true,
      "can_write": true,
      "id": "472c94ae-3113-4e3e-a4dd-a9f4ac7471d4",
      "media_types": [
        "application/stix+json;version=2.1"
      ],
      "title": "This data collection is for testing querying across collections"
    },
    ...snip...
  ]
}

At no point do we see uuids for api roots, only collection ids.

further, here is what is in the taxii_servers table:

MariaDB [misp]> select * from taxii_servers\G
*************************** 1. row ***************************
         id: 2
       uuid: 3fa90357-7c94-4c2b-8720-dc4804021ca4
       name: local medallion
      owner: ufosmuggler
    baseurl: http://192.168.5.100:5000/
   api_root: trustgroup1
description: a medallion server
    filters: {"tags": ["taxii"]}
    api_key: YWRtaW46UGFzc3dvcmQw
 collection: 91a7b528-80eb-42ed-a74d-c6fbd5a26116
1 row in set (0.001 sec)

i believe this id and uuid is for misp purposes rather than anything taxii related and simply reflects the set of configuration options chosen for that specific taxii server.

my comment to the other user was noting a uuid as their api root, which i doubt should be there, which is why i asked to see a curl example.

[dragsu]

@UFOSmuggler Thanks for the explanation.

My curl command for API discovery returns API roots as a collection of /taxii2/<uuid-string> paths and for some reason, MISP seems to be dropping /taxii2/ slug when it tries to query the collection info(/<uuid-string>/collections/ ) and it fails. I managed to get around this by adding /taxii2 at the BaseUrl.

[UFOSmuggler]

@dragsu that sounds like a possibly misconfigured opentaxii instance?

there shouldn't be anything under /taxii2/ unless you've specified it as an api root so its not just the discovery endpoint (unsure if opentaxii would even allow this)?
/taxii2/ is for discovery only, so when you query an api root for collections it should look like /api-root-name/collections/

it is possible but generally unusual that you'd have api roots that are literally uuids.

could you share your opentaxii config? feel free to redact stuff

[UFOSmuggler]

@dragsu actually the spec does allow for api roots to be under taxii2, nothing explicitly forbids it and they even show it as an example of a valid api root, my apologies.

[dragsu]

Just for completeness, I have posted the config at eclecticiq/OpenTAXII#247 (comment).

[zhantt1]

@UFOSmuggler here is my curl command and response.

curl -u USER:PASS http://192.168.3.79:9000/taxii2/840a78f6-ccb1-4b72-89a9-0a9060b22a55/collections/da64f809-cbf1-42bb-8d71-63f73ecff586/objects/

{"more": false, "objects": [{"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "type": "marking-definition", "spec_version": "marking-definition", "name": "TLP:WHITE", "created": "2017-01-20T00:00:00.000Z", "modified": "2022-07-29T13:42:44.472979Z", "definition": {"tlp": "white"}, "definition_type": "tlp"}]}

[zhantt1]

@dragsu I have been experimenting with taxii_push.py without success.

When I use the baseURL http://192.168.3.79:9000/taxii2/, http://192.168.3.79:9000, or http://192.168.3.79:9000/ I get:

Traceback (most recent call last):
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 429, in main
    push_content(args.dir, args.baseurl, args.api_root, args.collection, args.key)
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 405, in push_content
    max_content_length = api_root.max_content_length
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/v21/__init__.py", line 546, in max_content_length
    self._ensure_loaded_information()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/v21/__init__.py", line 562, in _ensure_loaded_information
    self.refresh_information()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/v21/__init__.py", line 601, in refresh_information
    response = self.__raw = self._conn.get(self.url,
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/common.py", line 310, in get
    raise e
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/common.py", line 300, in get
    resp.raise_for_status()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: NOT FOUND for url: http://192.168.3.79:9000/taxii2//840a78f6-ccb1-4b72-89a9-0a9060b22a55/

I made potential progress with the baseURL http://192.168.3.79:9000/taxii2, but now there is an error with the MISP JSON (also if I use this baseURL in the MISP UI, the API root dropdown is empty):

Traceback (most recent call last):                                                                              [33/399]
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 370, in convert_misp_dir                             
    stix_bundle = convert_misp_file(event_file)                                                                         
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 340, in convert_misp_file                            
    converter.parse_json_content(str(misp_file))                                                                        
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 72, in parse_jso
n_content                                                                                                               
    self.parse_misp_event(json_content)                                                                                 
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 107, in parse_mi
sp_event                                                                                                                
    self._parse_misp_event(misp_event)                                                                                  
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 117, in _parse_m
isp_event                                                                                                               
    self._handle_identity_from_event()                                                                                  
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix2.py", line 151, in _handle_
identity_from_event                                                                                                     
    identity = self._create_identity_object(orgc['name'])                                                               
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix21.py", line 1626, in _creat
e_identity_object                                                                                                       
    return self._create_identity(identity_args)                                                                         
  File "/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/misp2stix/misp_to_stix21.py", line 1614, in _creat
e_identity                                                                                                              
    return Identity(**identity_args)                                                                                    
  File "/var/www/MISP/venv/lib/python3.10/site-packages/stix2/base.py", line 157, in __init__                           
    raise ExtraPropertiesError(cls, custom_kwargs)                                                                      
stix2.exceptions.ExtraPropertiesError: Unexpected properties for Identity: (interoperability).

This was the same MISP event that I successfully pushed to Medallion (an event with an IP attribute). I exported the event to JSON and removed the "response" field around the event:

{"Event":{"id":"12","orgc_id":"1","org_id":"1","date":"2023-02-28","threat_level_id":"1","info":"test to misp","published":false,"uuid":"f449dc7f-7860-4806-8aa2-e877853045f5","attribute_count":"1","analysis":"0","timestamp":"1677614146","distribution":"1","proposal_email_lock":false,"locked":false,"publish_timestamp":"0","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","protected":null,"event_creator_email":"admin@admin.test","Org":{"id":"1","name":"ORGNAME","uuid":"28976f68-bf52-48c5-a4d1-db59400cab83","local":true},"Orgc":{"id":"1","name":"ORGNAME","uuid":"28976f68-bf52-48c5-a4d1-db59400cab83","local":true},"Attribute":[{"id":"8","type":"ip-src","category":"Network activity","to_ids":false,"uuid":"fab8fd9f-2f54-4ed4-8075-4c04d2923618","event_id":"12","distribution":"5","timestamp":"1677606440","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"54.54.54.54","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"CryptographicKey":[],"Tag":[{"id":"9","name":"to-taxii","colour":"#c2c2c2","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local_only":false,"local":0,"relationship_type":null}]}}

[UFOSmuggler]

hi @zhantt1 @dragsu

i've fired up opentaxii again and set up some taxii 2.1 resources. it appears that all api roots being under /taxii2/ and all api roots being uuids is a common opentaxii taxii 2.1 pattern that i had somehow forgotten about. so in both of your cases, you appear to have bog standard opentaxii looking configurations, apologies for my earlier skepticism.

however, i have discovered that misp is incorrectly dealing with the api roots presented by opentaxii. if i ask opentaxii for its api roots i get:

$ curl -su 'admin:admin' http://192.168.5.100:9000/taxii2/|jq .
{
  "title": "OpenTAXII",
  "default": "/taxii2/1cbd7c30-48ea-431e-8d76-c611bc6f27a4/",
  "api_roots": [
    "/taxii2/1cbd7c30-48ea-431e-8d76-c611bc6f27a4/"
  ]
}

as you can see, the api root is /taxii2/blah. when I add this server to MISP, it chooses to omit the /taxii2/ from the api root, and makes http requests to /1cbd7c30-48ea-431e-8d76-c611bc6f27a4/ instead:

GET /1cbd7c30-48ea-431e-8d76-c611bc6f27a4/collections/ HTTP/1.1
Host: 192.168.5.100:9000
Connection: close
User-Agent: CakePHP
Accept: application/taxii+json;version=2.1
Content-type: application/taxii+json;version=2.1

obviously the opentaxii server doesn't like this, and we cannot populate the collections dropdown as a result.

someone appears to have noticed this already in this issue.

[dragsu]

@zhantt1 Try using http://192.168.3.79:9000 as the base URL to get the API root (spanner icon) and then update the base URL to http://192.168.3.79:9000/taxii2 to get the collections (spanner icon). That should keep the configurations and should be able to save it.

Also, I did a quick test with taxii_push.py, and if you remove the Event key from the payload it should work.

        {
            "id": "1261",
            .....
            ....
        }

@UFOSmuggler that aligns with what I observed in my previous testing. I'm not sure whether it is something MISP needs to fix or OpenTAXII. As far as I know, there is no one with write access to OpenTAXII repo.

I briefly looked at OpenTAXII code (snippet below) and I think it needs the/taxii2/ prefix to route requests correctly as they support both TAXII v1 and v2 .

@register_handler(r"^/taxii2/$", handles_own_auth=True)
    def discovery_handler(self):
        if context.account is None and not self.config["public_discovery"]:
            raise Unauthorized()
        response = {
            "title": self.config["title"],
        }
        for key in ["description", "contact"]:
            if self.config.get(key):
                response[key] = self.config.get(key)
        default_api_root, api_roots = self.persistence.get_api_roots()
        if default_api_root:
            response["default"] = f"/taxii2/{default_api_root.id}/"
        response["api_roots"] = [f"/taxii2/{api_root.id}/" for api_root in api_roots]
        return make_taxii2_response(response)

    @register_handler(r"^/taxii2/(?P<api_root_id>[^/]+)/$", handles_own_auth=True)
    def api_root_handler(self, api_root_id):
        try:
            api_root = self.persistence.get_api_root(api_root_id=api_root_id)
        except DoesNotExistError:
            if context.account is None:
                raise Unauthorized()
            raise NotFound()
        if context.account is None and not api_root.is_public:
            raise Unauthorized()
        response = {
            "title": api_root.title,
            "versions": ["application/taxii+json;version=2.1"],
            "max_content_length": self.config["max_content_length"],
        }
        if api_root.description:
            response["description"] = api_root.description
        return make_taxii2_response(response)

[UFOSmuggler]

I'm not sure whether it is something MISP needs to fix or OpenTAXII. As far as I know, there is no one with write access to OpenTAXII repo.

@dragsu it's misp's taxii implementation not conforming to the taxii 2.1 spec, so misp need to fix it. shouldn't be a huge change. you could probably force all the correct data into the taxii_servers table directly and get it to work today.

[zhantt1]

@UFOSmuggler thanks for digging further.

@dragsu Your workaround for setting the collection worked, thanks.

I then attempted to push data (an event with an IP attribute) to OpenTAXII via the UI. I did not notice any errors in MISP's error.log.
However, there was an error on the OpenTAXII side:

{"event": "Exception on /taxii2/840a78f6-ccb1-4b72-89a9-0a9060b22a55/collections/da64f809-cbf1-42bb-8d71-63f73ecff586/objects/ [POST]", "exc_info": ["<class 'KeyError'>", "KeyError('modified')", "<traceback object at 0x7f66772bb380>"], "logger": "opentaxii.middleware", "level": "error", "timestamp": "2023-07-17T17:55:50.849337Z"}
{"event": "Error handling request /taxii2/840a78f6-ccb1-4b72-89a9-0a9060b22a55/collections/da64f809-cbf1-42bb-8d71-63f73ecff586/objects/", "exc_info": ["<class 'TypeError'>", "TypeError(\"The view function for 'opentaxii_services_view' did not return a valid response. The function either returned None or ended without a return statement.\")", "<traceback object at 0x7f6677437d80>"], "logger": "gunicorn.error", "level": "error", "timestamp": "2023-07-17T17:55:50.849961Z"}

Then, I tried using the taxii_push.py script. I updated the event JSON by removing the "Event" field as you recommended. The script returns an error and the same error message appeared on the OpenTAXII side as before.

taxii_push [CRITICAL] An error occurred!
Traceback (most recent call last):
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 429, in main
    push_content(args.dir, args.baseurl, args.api_root, args.collection, args.key)
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 419, in push_content
    push_taxii_envelope(taxii_collection, taxii_envelope_bytes)
  File "/var/www/MISP/app/files/scripts/taxii/taxii_push.py", line 232, in push_taxii_envelope
    status = taxii_collection.add_objects(
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/v21/__init__.py", line 459, in add_objects
    status_json = self._conn.post(self.objects_url, headers=headers, data=data)
  File "/var/www/MISP/venv/lib/python3.10/site-packages/taxii2client/common.py", line 354, in post
    resp.raise_for_status()
  File "/var/www/MISP/venv/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http://192.168.3.79:9000/taxii2/840a78f6-ccb1-4b72-89a9-0a9060b22a55/collections/da64f809-cbf1-42bb-8d71-63f73ecff586/objects/

My guess is that the MISP to STIX translation does not create a "modified" field leading to the KeyError('modified') on the OpenTAXII side. When I attempted to push a STIX object without that field to OpenTAXII via curl, OpenTAXII returned error 400 saying it was invalid STIX. The STIX spec itself says the "modified" field is optional.

[dragsu]

Which version of misp-stix library (https://github.com/MISP/misp-stix) you are using?

[zhantt1]

@dragsu based on the readme's badge link in /var/www/MISP/app/files/scripts/misp-stix, it is misp-stix 2.4.172.

[dragsu]

@zhantt1 If you can drop your payload, I can give it a quick test.

[zhantt1]

@dragsu thanks, here is the MISP data I tried to use for taxii_push.py

{"id":"14","orgc_id":"1","org_id":"1","date":"2023-06-14","threat_level_id":"1","info":"to taxii 2","published":false,"uuid":"04c7c38b-e3c4-4332-a003-3c90c87f56cd","attribute_count":"1","analysis":"0","timestamp":"1686765102","distribution":"1","proposal_email_lock":false,"locked":false,"publish_timestamp":"0","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","protected":null,"event_creator_email":"admin@admin.test","Org":{"id":"1","name":"ORGNAME","uuid":"28976f68-bf52-48c5-a4d1-db59400cab83","local":true},"Orgc":{"id":"1","name":"ORGNAME","uuid":"28976f68-bf52-48c5-a4d1-db59400cab83","local":true},"Attribute":[{"id":"10","type":"md5","category":"Artifacts dropped","to_ids":false,"uuid":"fdb53bfc-3531-4bc7-88be-a411e96d02ab","event_id":"14","distribution":"5","timestamp":"1686765102","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"fc5e038d38a57032085441e7fe7010b0","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"CryptographicKey":[],"Tag":[{"id":"9","name":"to-taxii","colour":"#c2c2c2","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local_only":false,"local":0,"relationship_type":null}]}

[dragsu]

@zhantt1 sorry for the late reply. I have successfully pushed the data into my TAXII server using taxii_push.py and MISP itself. I can view uploaded STIX objects from MISP without any issues.

{
    "id": "file--fdb53bfc-3531-4bc7-88be-a411e96d02ab",
    "type": "file",
    "spec_version": "file",
    "hashes": {
        "MD5": "fc5e038d38a57032085441e7fe7010b0"
    }
}

On a different note, I reckon it will be very handy to have STIX collection management capability as part of the TAXII Servers configuration in MISP.

[zhantt1]

@dragsu sounds like there is a problem somewhere with my set up. Can you tell me how to update misp-stix to the latest version on a MISP instance? Thanks.

[dragsu]

@zhantt1 If there are any library issues, they should be written to one of the error logs (exec-errors.log) I think. MISP-STIX is a submodule (https://github.com/MISP/MISP/tree/2.4/app/files/scripts) it gets checked out as part of MISP installation/upgrade. So if you upgrade MISP it should also upgrade MISP-STIX library.

Apart from that I had to pip install, pytz, simplejson, stix2-patterns, ordered_set, lxml, mixbox, taxii2-client, stix, and stix2.

[UFOSmuggler]

@zhantt1 in addition to dragsu's advice you could try this

[zhantt1]

Update, I was troubleshooting today against MISP 2.4.173. I confirmed that STIX objects were being received on the Open TAXII side (identity, observed data, and file) by adding a print statement in their code. However, OpenTAXII for some reason was not able to properly ingest them into the collection (same KeyError as before).

Then I updated MISP to 2.4.174 and now get an error on the MISP side in exec-errors.log:

I think I saw that error in the thread @UFOSmuggler linked, but haven't looked deeply.

[pdelv]

g'day @pdelv

i ingested your (rather strange) misp event and successfully pushed it to my medallion instance:

192.168.5.121 - - [10/Jul/2023 01:46:50] "GET /trustgroup1/ HTTP/1.1" 200 -
192.168.5.121 - - [10/Jul/2023 01:46:50] "GET /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/ HTTP/1.1" 200 -
192.168.5.121 - - [10/Jul/2023 01:46:50] "POST /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1" 202 -

$ curl -sg -u 'admin:Password0' -H 'Accept: application/taxii+json;version=2.1' 'http://192.168.5.100:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/?added_after=2023-07-10T00:00:00Z'
{"more": true, "next": "ec3ed441-fd36-4f1f-b391-7107decddb2e", "objects": [{"created": "2023-02-02T06:07:23.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--e4dab548-f062-41f3-ad1d-57cc0e453b6d", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:23.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56024f6c-da70-4584-b689-48ef950d210f=2.2106538382861213e-05"}, {"created": "2023-02-02T06:07:24.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--b3df798d-5c74-4c6a-b675-8208de3b5192", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:24.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "5cf66e53-b5f8-43e7-be9a-49880a3b4631=0.01734013120196037"}, {"created": "2023-02-02T06:07:24.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--0d8d2739-8a78-4217-9e7f-36b48e071aa9", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:24.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56bdf779-46f8-4353-bdf9-2bb95bce2212=0.0036333028754682206"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--fc0d87b6-fbfa-4e69-9ffc-8a40d8cf20ee", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "593798b3-3924-4c43-9742-0d9fc25ed030=0.0003812362872199539"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--30ce94f0-8cad-4018-8ac5-4c126f3a7e0f", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "55f6ea5e-2c60-40e5-964f-47a8950d210f=0.1693075608413478"}, {"created": "2023-02-02T06:07:25.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--853c5a80-144a-4027-8935-f93a9709dca1", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:25.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "581b5fea-818c-441a-bd1d-49798e96ca05=0.00018683597317342064"}, {"created": "2023-02-02T06:07:26.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--6c1ab022-4964-4abe-a2c0-597ecf71102a", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:26.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56743359-c860-4361-b1dc-7b65d56c6cd2=0.0059049061594057565"}, {"created": "2023-02-02T06:07:27.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--56697d9f-512d-4fde-8249-19db06f403b6", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:27.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "569f692d-b290-40cc-ae1a-2c48ff32448e=0.0006627584610978737"}, {"created": "2023-02-02T06:07:27.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--a3bd0272-7ab0-46e4-8d56-a263d0f16f91", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:27.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f=0.09311796367668336"}, {"created": "2023-02-02T06:07:28.000Z", "created_by_ref": "identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f", "id": "x-misp-attribute--b4387020-9dbe-48ec-a92c-0732ae3e217c", "labels": ["misp:type=\"other\"", "misp:category=\"External analysis\""], "modified": "2023-02-02T06:07:28.000Z", "spec_version": "2.1", "type": "x-misp-attribute", "x_misp_category": "External analysis", "x_misp_type": "other", "x_misp_value": "56c42374-fdb8-4544-a218-41ffc0a8ab16=0.0547489608014275"}]}

i am wondering if your stix libraries are not the misp project forked ones. try this:

#4107 (comment)

Dear @UFOSmuggler thanks a lot for your answer, and sorry for the late reply, but it was a really dense period. I wanted to give you positive feedback that I managed my TAXII issues before writing you back.
Anyway, after your suggestion, I managed to upload some IoC to my medallion server.
I also tried downloading some events from MISP, converting them into STIX format, and trying to feed them to Medallion, but I had some formatting problems.
I first downloaded some IoC from MISP using pymisp libraries, converted it into STIX format, and then converted them into JSON using the STIXJSONEncoder.
After this, I converted the JSON in text and changed all the '"' with '/"' to prepare it for the CURL command.
Obviously, it couldn't work so smoothly. The first question: is there any document on how the Medallion CURL and fields have to be set?
How should I format the attributes for a correct CURL? Does it accepts multiple values for each field, like:
'"labels":[
"misp_instance:type="vulnerability"",
"misp_instance:category="External analysis"",
"misp_instance:to_ids="False""
]'

May I ask for some help in figuring out how to prepare this curl to be sent to Medallion?
I also posted an extract of the JSON and converted text to be used for the curl.

I'm sorry if my question could look so noob but i'm not that experienced in this field.
Thanks a lot in advance for your help!
P

P.s. One example curl I used:
curl -i -X POST http://192.168.1.164:5000/trustgroup1/collections/365fed99-08fa-fdcd-a1b3-fb247eb41d01/objects/ -H "Accept: application/taxii+json;version=2.1" -H "Content-Type: application/taxii+json;version=2.1" -H "Authorization: Basic YWRtaW46UGFzc3dvcmQw" -A "Signals Corps Curl Demo Client/1.0" -d "{"objects":[{"type":"x-misp-attribute","spec_version":"2.1","id":"x-misp-attribute--e4dab548-f062-41f3-ad1d-57cc0e453b6d","created":"2023-02-02T06:07:23.000Z","modified":"2023-02-02T06:07:23.000Z","pattern_type":"stix","created_by_ref":"identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f","x_misp_category":"External analysis", "x_misp_type":"other","x_misp_value":"56024f6c-da70-4584-b689-48ef950d210f=2.2106538382861213e-05"},{"created":"2023-02-02T06:07:24.000Z","created_by_ref":"identity--55f6ea65-aa10-4c5a-bf01-4f84950d210f","id":"x-misp-attribute--b3df798d-5c74-4c6a-b675-8208de3b5192","modified":"2023-02-02T06:07:24.000Z","spec_version":"2.1","type":"x-misp-attribute","x_misp_category":"External analysis","x_misp_type": "other","x_misp_value":"5cf66e53-b5f8-43e7-be9a-49880a3b4631=0.01734013120196037"}]}"
output.txt
output.json.txt

[zhantt1]

Update, I was troubleshooting today against MISP 2.4.173. I confirmed that STIX objects were being received on the Open TAXII side (identity, observed data, and file) by adding a print statement in their code. However, OpenTAXII for some reason was not able to properly ingest them into the collection (same KeyError as before).

Then I updated MISP to 2.4.174 and now get an error on the MISP side in exec-errors.log:

I think I saw that error in the thread @UFOSmuggler linked, but haven't looked deeply.

Update: I reverted back to 2.4.173 and was able to push an md5 attribute to medallion. However, exec-errors.log reports errors:

[zhantt1]

Update: I installed MISP 2.4.174 on a different machine and was able to push to medallion after I manually installed the python package taxii2-client.

Unfortunately, my opentaxii instance still does not like the data MISP 2.4.174 is sending 🤷‍♂️