Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error when polling TAXII feeds with Enterprise Security

Stefanie
Builder
‎01-10-2022 12:18 PM

I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.

 

The Threat Intelligence Audit dashboard shows "TAXII feed polling starting"

The Intelligence Audit events below show an error message  

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
self.send(msg)
File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
self.connect()
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
(self.host, self.port), self.timeout, self.source_address)
File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
raise err
File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
taxii_message = handler.run(args, handler_args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
return self._poll_taxii_11(parsed_args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
response = urllib.request.urlopen(req, timeout=timeout)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
'_open', req)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
result = func(*args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
return self.do_open(self.get_connection, req)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

 

Any ideas??? 

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...