Splunk Enterprise Security

Error when polling TAXII feeds with Enterprise Security

Stefanie
Builder

I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.

The Threat Intelligence Audit dashboard shows "TAXII feed polling starting".

The Intelligence Audit events below show an error message:

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
    (self.host, self.port), self.timeout, self.source_address)
  File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
    taxii_message = handler.run(args, handler_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
    return self._poll_taxii_11(parsed_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
    http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
    response = urllib.request.urlopen(req, timeout=timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
    return self.do_open(self.get_connection, req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

Any ideas??? 

0 Karma
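
Added example, not part of the original post and not Splunk's code: a standalone probe that repeats the socket.create_connection() step where the traceback above fails, so the refusal can be checked from the Splunk server outside Enterprise Security. The function names, the hint texts and the placeholder URL are assumptions made for this example.

```python
import socket
import sys
from urllib.parse import urlsplit

# What each outcome usually means for an outbound feed download.
HINTS = {
    "open": "TCP reachable; look at TLS, proxy or feed settings next",
    "refused": "port actively rejected: wrong port, service down, "
               "or a firewall/proxy sending resets",
    "timeout": "no reply: traffic is probably dropped by a firewall",
    "dns_failure": "hostname did not resolve on this server",
}

def target_from_url(url):
    """Return (host, port) for a feed URL, defaulting the port by scheme."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default

def probe_tcp(host, port, timeout=5.0):
    """Repeat the socket.create_connection() step and classify the result."""
    try:
        with socket.create_connection((host, port), timeout):
            return "open"
    except socket.gaierror:
        return "dns_failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"  # errno 111 on Linux, as in the log above
    except OSError as exc:
        return "os_error: %s" % exc

if __name__ == "__main__":
    # Placeholder URL (assumption); pass the URL configured on the input.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://taxii.example.invalid/taxii-data"
    host, port = target_from_url(url)
    status = probe_tcp(host, port)
    print("%s:%s -> %s (%s)" % (host, port, status, HINTS.get(status, "see errno")))
```

Run it on the host that performs the download, with the URL from the threat intelligence input as the argument; a "refused" result there points at the network path or the port rather than at the input definition.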