Splunk Enterprise Security

Error when polling TAXII feeds with Enterprise Security

Stefanie
Builder

I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. I am running Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.

The Threat Intelligence Audit dashboard shows "TAXII feed polling starting".

The Intelligence Audit events below show an error message:

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
    (self.host, self.port), self.timeout, self.source_address)
  File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
    taxii_message = handler.run(args, handler_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
    return self._poll_taxii_11(parsed_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
    http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
    response = urllib.request.urlopen(req, timeout=timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
    return self.do_open(self.get_connection, req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

Any ideas??? 
