Posts by chrissmith

    Another interesting way to install Python packages is from within Node-RED itself. I have attached a flow that allows for specifying a set of Python packages to install (space delimited) in the "packages to install" node.


    I also added another flow that displays the current version of the Python DXL client that is installed.




    The code for the flow is as follows:


    Thanks,

    Chris

    Would be great to have OpenDXL Python Libs on the docker image, so that we can use Python-based Nodes too.

    Agreed. We could definitely add the common OpenDXL libraries by default, but the intent is to allow for any set of Python libraries to be installed.


    To install a Python package you can do the following (after opening a shell in the container):

    Shell-Script: Install Python Package
    cd /data
    source node-red-py2-env/bin/activate
    pip install <package>


    If you want to install a NPM package you can do the following (after opening a shell in the container):

    Shell-Script: Install NPM Package
    cd /data
    npm install <package> --save

    Also, it is important to map an external volume to the "/data" VOLUME. This allows any installed packages (and flows) to persist when the Node-RED image is upgraded.


    Thanks,

    Chris

    Any idea when the Node-RED extension will be released? I see the source code but there are not any releases and it does not appear in NPM.

    The first set of DXL Node-RED nodes has been released. These provide core level DXL functionality (sending/receiving events, invoking services, exposing services).


    Also, a DXL-specific Docker image was released that includes the core nodes as well as some enhancements that simplify integration with Docker tools such as Kitematic.


    Thanks,

    Chris

    Hi-


    The above command is used to provision the OpenDXL Python Client. During provisioning the configuration files will be created and populated, key pairs will be generated, etc.


    You can find details about it via the following link:


    https://opendxl.github.io/open…html#basiccliprovisioning


    There are other ways to provision the client as well. The following page walks through the various options:


    https://opendxl.github.io/open…provisioningoverview.html


    Thanks,

    Chris

    chrissmith added a new solution:


    Overview

    The MISP DXL Python client library provides a high level wrapper for invoking the MISP REST APIs via the Data Exchange Layer (DXL) fabric.

    This client requires the MISP DXL Service to be running and available on the DXL fabric.

    Documentation

    See the Wiki for an overview of the MISP DXL Python Client Library and usage examples.


    See the MISP DXL Python Client Library documentation for installation instructions, API documentation, and usage examples.

    chrissmith added a new solution:


    Overview

    The MISP DXL Python Service exposes access to the MISP REST APIs via the Data Exchange Layer (DXL) fabric. The service also provides support for forwarding MISP ZeroMQ message notifications to the DXL fabric.

    Documentation

    See the Wiki for an overview of the MISP DXL Python Service and usage examples.


    See the MISP DXL Python Service documentation for installation instructions, API documentation, and usage examples.

    Great question.


    The ability to restart Docker containers is a feature of Docker itself, not anything OpenDXL related. The following page discusses the various options that can be used when instantiating a container:


    https://docs.docker.com/config…containers-automatically/


    As an example, the following command could be used to instantiate a VirusTotal container that would always restart:


    docker run -d --name dxlvtapiservice --restart always -v /home/myuser/dxlvtapiservice-config:/opt/dxlvtapiservice-config opendxl/opendxl-virustotal-service-python


    Thanks,

    Chris

    I would like to see if I can send ePO a message or PC name and IP and see if it can trigger an event like a system scan.

    At this time, the best way to interact with ePO with an OpenDXL client is via the ePO DXL Service.


    To simplify the deployment of this service, a Docker container is available that can be quickly instantiated with Kitematic (see the Getting Started With OpenDXL Video Series).


    Once installed and configured (see Service Configuration) you can use the OpenDXL Console to send requests to the service and ultimately to ePO via DXL.


    Please let us know if you need any further help configuring the service, using the OpenDXL Console, or sending requests to ePO.


    Thanks,

    Chris

    Hi-


    There are a couple of ways to send an event.


    You could send an event via an OpenDXL Client (Python, etc.). For example:



    Another way without any coding required would be to use the OpenDXL Console. The following series of videos walks through the steps to configure an OpenDXL environment, including the OpenDXL Console.


    Getting Started With OpenDXL Video Series


    DXL allows you to create your own topics. Some topics that are registered by products require authorization. You mention wanting to see the event in ePO. What is the use case you are trying to achieve by sending the event?


    Thanks a lot,

    Chris

    Great question!


    DXL intentionally does not dictate the format of the payload. This allows for a wide variety of integrations to be published on the fabric.


    Currently, the vast majority of solutions utilize JSON, but there are some that use XML, and others that use raw binary.


    With that said, for particular sets of topics, it absolutely makes sense to standardize the payloads. As you mention, standardizing on the topics that utilize STIX and CEF makes sense. We have discussed adding a new section to this site that documents the "catalog" of topics and related formats that are available on DXL. I think something like this will be necessary as the number of integrations available on DXL continues to grow.


    Hope this helps,

    Chris


    Those errors indicate that the client is unable to connect to some of the broker(s) that are listed in the dxlclient.config file. Many times those errors can be ignored if the client is ultimately able to connect to one of the brokers listed.


    Do the OpenDXL client samples run successfully?


    Thanks,

    Chris
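The triage described in the reply above, as an added example that is not part of the original post or of the OpenDXL project: it parses the [Brokers] section of a dxlclient.config, optionally probes each broker's TCP port, and reports whether "unable to connect" warnings are benign (at least one listed broker connected) or a real failure (none did). The config text and the broker GUIDs are constructed for the example, and the broker line layout assumed is the OpenDXL one (id=id;port;host;ip); the connectivity results passed to the triage function stand in for the client's own connection attempts so the script runs offline.

```python
"""Parse dxlclient.config brokers and triage broker connection warnings.

Added example, not code from the post or the OpenDXL project. Assumes the
[Brokers] layout  {id}={id};port;host;ip  used by the OpenDXL Python client.
"""
import configparser
import io
import socket
from dataclasses import dataclass

# Constructed sample dxlclient.config (the GUIDs and hosts are made up).
SAMPLE_CONFIG = """\
[Certs]
BrokerCertChain=certs/ca-broker.crt
CertFile=certs/client.crt
PrivateKey=certs/client.key

[Brokers]
{11111111-0000-0000-0000-000000000001}={11111111-0000-0000-0000-000000000001};8883;broker1.example.internal;10.0.0.11
{11111111-0000-0000-0000-000000000002}={11111111-0000-0000-0000-000000000002};8883;broker2.example.internal;10.0.0.12
{11111111-0000-0000-0000-000000000003}={11111111-0000-0000-0000-000000000003};8883;broker3.example.internal;10.0.0.13
"""


@dataclass(frozen=True)
class Broker:
    broker_id: str
    port: int
    host: str
    ip: str


def parse_brokers(config_text):
    """Return the Broker entries listed in the [Brokers] section."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep the {GUID} keys exactly as written
    parser.read_file(io.StringIO(config_text))
    brokers = []
    for key, value in parser.items("Brokers"):
        fields = value.split(";")
        if len(fields) != 4:
            raise ValueError("malformed broker entry %s: %r" % (key, value))
        broker_id, port, host, ip = fields
        if broker_id != key:
            raise ValueError("broker id mismatch on entry %s" % key)
        brokers.append(Broker(broker_id, int(port), host, ip))
    return brokers


def probe(broker, timeout=3.0):
    """TCP-level reachability check of one broker (no TLS, no auth).

    A True result only means the port accepted a connection; certificate
    problems would still surface later in the client's TLS handshake.
    """
    try:
        with socket.create_connection((broker.host, broker.port), timeout=timeout):
            return True
    except OSError:
        return False


def triage_connection_warnings(brokers, reachable):
    """Decide whether per-broker connection warnings matter.

    reachable maps broker_id -> bool (outcome of the connection attempts).
    Returns ("ok", unreachable_hosts) when at least one broker connected,
    so the remaining warnings can be ignored as the post describes, and
    ("fail", unreachable_hosts) when no listed broker connected at all.
    """
    unreachable = [b.host for b in brokers if not reachable.get(b.broker_id, False)]
    status = "ok" if len(unreachable) < len(brokers) else "fail"
    return status, unreachable


if __name__ == "__main__":
    brokers = parse_brokers(SAMPLE_CONFIG)
    # Constructed outcome: only the first broker accepted the connection.
    # Replace with {b.broker_id: probe(b) for b in brokers} against a real config.
    outcome = {brokers[0].broker_id: True}
    status, bad = triage_connection_warnings(brokers, outcome)
    print("status:", status)
    for host in bad:
        print("warning: could not connect to", host)
```

Run it against a real file with `parse_brokers(open("dxlclient.config").read())` and `probe` to separate a noisy-but-working fabric from a client that cannot reach any broker; the latter is what to chase before looking at certificates or authorization.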

    I am not very informed on this particular integration, but based on the error message and the fact that it is attempting to set a TIE reputation, my guess is that it is an authorization issue.


    The client that is running this script must be authorized to set TIE reputations.


    The FAQ for the TIE DXL Python Client Library contains the following:

    Q: I receive a timeout, "dxlclient.exceptions.WaitTimeoutException: Timeout waiting for response to message", when attempting to set the reputation of a file/certificate


    A: This typically occurs due to the Python client not having permission to send messages to the /mcafee/service/tie/file/reputation/set topic (for files) and the /mcafee/service/tie/cert/reputation/set topic (for certificates).


    The following page provides an example of authorizing a Python client to send messages to an authorization group. While the example is based on McAfee Active Response (MAR), the instructions are the same with the exception of swapping the TIE Server Set Enterprise Reputation authorization group in place of Active Response Server API:


    https://opendxl.github.io/open…on/pydoc/marsendauth.html


    Hope this helps,

    Chris

    Great question.


    At this point (as you mentioned), the authentication to the fabric is certificate-based. Once a connection has been established, certificates or tags (if ePO-managed) are used to control what the particular connection can send or receive.


    The identity on the fabric is the connection identifier. In ePO-managed fabrics this is the GUID of the McAfee agent that the connection was made on behalf of.


    There have been a number of discussions regarding the enhancement of the fabric to provide a richer set of authorization models (use of tokens, etc.).


    With the fabric as it stands today, you can develop your own session-based interaction model with services. The following thread post contains details about invoking the same service instance on the fabric (versus round-robin semantics):


    Discussion Thread: Multiple services?


    With the type of invocation model described in the link above, the service could provide its own authentication model, sessions, etc.


    Thanks,

    Chris

    You need to build the distribution.


    To do that, you need to run the following command in the cloned source directory:


    python dist.py


    You also need to have Sphinx installed for the documentation generation. Thus, prior to running the above command, install Sphinx via PIP:


    pip install sphinx


    Thanks,

    Chris