xxx.xxx.xxx.xx.cable.dyn.cableonline.com.mx * Mozilla List: TLD is .com.mx, so the domain is cableonline.com.mx * IANA List: TLD is .mx, so the domain is com.mx This works as expected. What you are asking for is that the tool take the longest one on both lists, which is a new feature. Thanks for the idea 🙂 ... View more

As described by the Mozilla Suffix List, .net.mx is a TLD. As well as others like .com.mx, or .org.mx If you only want to parse the first part, set the list to iana or to custom if you have your own custom list. ... View more

The collections are created "on the fly", that's the whole purpose of nosql, to avoid table schemas. The collections are created when they are "needed", and not at startup as you describe. In short, the atomic_indicators collection is created only when Splice has to store such indicators, meaning it has previously read an IOC file where extractable indicators have been found (like an IPv4 for example). It is possible that the RSS feed include unexpected characters (I don't know, just guessing here). So, what I would recommend is to manually download an IOC file and store it manually in the directory you configured as modular input. Be sure to store a valid OpenIOC file or a STIX file. For the log part, have a look in the splunkd.log. Out of curiosity, why do you use Splice and not ES? ... View more

The tables, or collections in the NoSQL world, are automatically created by Splice. IF it can create the raw collection like you suggest it but it cannot create the atomic_indicators one, it could be a right permission issue, or most likely that the ingested IOCs do not contains technical indicators. Have you tried with some samples from iocbucket.org for example? ... View more

They are similar issues already reported, none linked to Splice so far, did you deployed Splice on your Indexers as well? Ex: http://answers.splunk.com/answers/131053/solved-error-banner-message-exit-code-255-btool-command.html ... View more

SPLICE do not uses the data model searches. I don't see any reason nor configuration element that could interfere with the data model searches. ... View more

Integration with STIX/TAXII start with ES 3.3 http://www.splunk.com/view/splunk-app-for-enterprise-security-doubles-customer-base/SP-CAAANZE ... View more

Splice and Enterprise Security 3.3 allows you to connect directly to any TAXII feed (it's a standardized protocol) and they have been successfully tested with Soltra Edge. Regarding Splice, you can configure a certificate based authentication through the parameters taxii_cert_pem and taxii_cert_key. ... View more

The problem is in a third party library that Splice uses (pzlocal). The problem is related to CentOS 7 which had removed one particular file the library was relying on. My testing indicates that Mongo 2.4, 2.6 and 3.0 are working correctly with Splice. Workaround: Create a file /etc/sysconfig/clock which contains the appropriate timezone like "Europe/Paris" # cat /etc/sysconfig/clock ZONE="Europe/Paris" # The bug is known by the library developers: https://github.com/regebro/tzlocal/issues/19 ... View more

I've done my testing with Mongo 2.4 on a CentOS 6.x system but it doesn't means that other versions are not compatible, they simply are not tested. ... View more

It might be linked to an improper IOC definition. You can try to add a local directory monitor (Data Inputs > IOC - Mount Point) and add an IOC in there. If there is no issues with the mongo configuration the IOC should be added to the mongo (so the issue is related to what's carried over the taxii feed). If you do have an IOC file that make SPLICE fails, please send it to me via email. ... View more

SPLICE is a prototype and as any prototype, there are some limitations. One workaround would be to use the iocexportcsv command to create CSV lists of technical indicators that you would after refer via lookups or ES Threat List. And yes the command localop retrieve all the data the process it on the SH. ... View more

did you ran the setup to configure the mongo URI ? Everything you need should be in the embedded docs. ... View more

Have you tried to use one of the provided feeds from hailataxii.com? Or what feed do you use? Have you checked the rights on the Mongo side if you restricted it (ie: does the provided user can create a database or a collections)? ... View more

That should help: source="/tmp/tmp.log" | base64 field="secret" action="decode" | search secret="*127.0.0.1*" ... View more

since the first answer, SPLICE has been successfully tested with http://www.hailataxii.com feeds (-: ... View more

Could you please send me an email ? I would like to submit you a patch for testing. Thanks. ... View more

Thanks for your feedback. Can you be more specific on the use case or need? What's missing/blocker if you don't have this feature? ... View more