Splunk Enterprise Security

Error when polling TAXII feeds with Enterprise Security

Stefanie
Builder

I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.

 

The Threat Intelligence Audit dashboard shows "TAXII feed polling starting"

The Intelligence Audit events below show an error message  

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
    (self.host, self.port), self.timeout, self.source_address)
  File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
    taxii_message = handler.run(args, handler_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
    return self._poll_taxii_11(parsed_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
    http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
    response = urllib.request.urlopen(req, timeout=timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
    return self.do_open(self.get_connection, req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

Any ideas??? 

0 Karma