Solved: Anyone use SPLICE app to import TAXII feeds from S...

jeffy_a · ‎02-04-2015

Having some trouble getting the IOC - TAXII feed input configured to poll our Soltra Edge repository. Has anyone gotten this working yet? Authentication is fine/tested, it connects to the right port, etc, even finds the default feed, but when trying to download the feed I get this error:

-0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" something went wrong with TAXII polling: StartTag: invalid element name, line 2789, column 2

I'm not really sure where to go from here, but if anyone could point me in the right direction, or where to look, that would be great. Thanks,

Jeff

cleroux_splunk · ‎02-13-2015

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provides a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170

View solution in original post

cleroux_splunk · ‎02-13-2015

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provides a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170

jeffy_a · ‎02-13-2015

Thanks for your help with this Cedric, I'll be passing along the analysis and comments to the folks at Soltra. All the best,

Jeff

Anyone use SPLICE app to import TAXII feeds from Soltra Edge?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash