OpenDXL-WildFireTIE

  • jnetz added a new solution:

    Quote

    Customers are regularly challenged by having made multiple high-dollar investments in disjointed best-of-breed solutions. As such, point-to-point integration is usually required to bridge the gap in architectures offering synergistic value to the organization. And, since WildFire is a very popular sandbox technology from Palo Alto Networks that many customers employ, this module integrates the value of WildFire sandboxing technologies, cloud or on premise appliances, with the effective threat mitigation at the endpoint offered by McAfee's Threat Intelligence Exchange (TIE).


    Icon by Vecteezy licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0).

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758

  • Hi, I ran into an issue with this module ... after starting the wf.py I get the following errors...


    #############################################


    python dxlwildfiretie/wf.py


    dxlclient.exceptions.WaitTimeoutException: Timeout waiting for response to message: {2dec0cf3-327a-4471-a3be-b7aeddc23f93}


    Any hints or suggestions?

  • I am not very informed on this particular integration, but based on the error message and the fact that it is attempting to set a TIE reputation, my guess is that it is an authorization issue.


    The client that is running this script must be authorized to set TIE reputations.


    The FAQ for the TIE DXL Python Client Library contains the following:

    Q: I receive a timeout, "dxlclient.exceptions.WaitTimeoutException: Timeout waiting for response to message", when attempting to set the reputation of a file/certificate


    A: This typically occurs due to the Python client not having permission to send messages to the /mcafee/service/tie/file/reputation/set topic (for files) and the /mcafee/service/tie/cert/reputation/set topic (for certificates).


    The following page provides an example of authorizing a Python client to send messages to an authorization group. While the example is based on McAfee Active Response (MAR), the instructions are the same with the exception of swapping the TIE Server Set Enterprise Reputation authorization group in place of Active Response Server API:


    https://opendxl.github.io/open…on/pydoc/marsendauth.html


    Hope this helps,

    Chris

  • I'm having the same error above, but with this in front of it:


    2017-10-13 20:43:11,150 dxlclient.broker - ERROR - Socket could not be created. Error Code : None Message timed out

    2017-10-13 20:43:11,206 dxlclient.broker - ERROR - Socket could not be created. Error Code : None Message timed out


    I have added the certificate to the Topic Authorizations as well.


  • Those errors indicate that the client is unable to connect to some of the broker(s) that are listed in the dxlclient.config file. Many times those errors can be ignored if the client is ultimately able to connect to one of the brokers listed.


    Do the OpenDXL client samples run successfully?


    Thanks,

    Chris

  • Hi!


    I see this error when running the wf.py:


    Traceback (most recent call last):

    File "wf.py", line 165, in <module>

    reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \

    KeyError: 1


    Did I miss some configuration?

  • OK - I see. This error exists because it's expecting GTI to be available. Please enable GTI in your TIE policy. I'll update to handle the exception more gracefully.

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758
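
Added example, not part of the thread and not the module's own code: one way to read a TIE reputations dictionary so that a missing provider entry (the `KeyError: 1` above, where 1 is `FileProvider.GTI`) is treated as "not set" instead of crashing. The constants mirror `dxltieclient.constants` so the block runs without the library; `provider_trust`, `may_set_enterprise`, the overwrite policy, and the sample dictionaries are assumptions made for illustration.

```python
# Values mirrored from dxltieclient.constants so the example runs offline.
class FileProvider:
    GTI = 1
    ENTERPRISE = 3
    ATD = 5


class TrustLevel:
    NOT_SET = 0
    KNOWN_MALICIOUS = 1
    UNKNOWN = 50
    KNOWN_TRUSTED = 99


def provider_trust(reputations_dict, provider):
    """Return the provider's trustLevel, or NOT_SET if the provider is absent.

    A provider key is missing when that source is disabled in the TIE policy
    (for example GTI), so indexing it directly raises KeyError.
    """
    entry = reputations_dict.get(provider) or {}
    return entry.get("trustLevel", TrustLevel.NOT_SET)


def may_set_enterprise(reputations_dict):
    """Hypothetical policy: only write a sandbox verdict when neither GTI nor
    the Enterprise provider already holds a definite verdict."""
    undecided = (TrustLevel.NOT_SET, TrustLevel.UNKNOWN)
    return all(
        provider_trust(reputations_dict, p) in undecided
        for p in (FileProvider.GTI, FileProvider.ENTERPRISE)
    )


# Constructed sample responses, shaped like a TIE file reputation lookup.
GTI_DISABLED = {3: {"providerId": 3, "trustLevel": TrustLevel.NOT_SET}}
GTI_MALICIOUS = {
    1: {"providerId": 1, "trustLevel": TrustLevel.KNOWN_MALICIOUS},
    3: {"providerId": 3, "trustLevel": TrustLevel.NOT_SET},
}
ADMIN_TRUSTED = {3: {"providerId": 3, "trustLevel": TrustLevel.KNOWN_TRUSTED}}

if __name__ == "__main__":
    for name, rep in [("gti disabled", GTI_DISABLED),
                      ("gti malicious", GTI_MALICIOUS),
                      ("admin trusted", ADMIN_TRUSTED)]:
        print(name, "->", may_set_enterprise(rep))
```

Defaulting to NOT_SET keeps the script running when GTI is off, while the `ADMIN_TRUSTED` case shows that an existing Enterprise verdict is still left alone.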