pulling in Alienvault OTX pulses into Security Onion 2 not working

[hankjrad]

Hello Gents,
I followed the instruction on https://docs.securityonion.net/en/2.3/alienvault-otx.html?highlight=alienvault#installation to pull pulses to Security Onion 2.3.1 but it is not working. It seems there has been a change in some directories in Security Onion 2. Any advice please?

[TOoSmOotH]

Those docs have not been updated yet. Let me know if you figure it out and we can update the documentation.

[hankjrad]

Hi Mike, yes i found a workaround and it worked.

First, I modified some paths in the securityonion-otx bash file (attached the modified one , make sure to remove .txt ext).
After running the securityonion-otx bash file, you must install python-pip then install requests and configparser modules else bro-otx.py file won't run properly. To install the modules, we should install pip first as follows:
1- sudo yum install python-pip
2- sudo pip install requests
3- sudo pip install ConfigParser (case-sensitive)

Now, bro-otx.py script will work properly and IOCs will be pulled from Alienvault, however I still need to know the path where I should save the otx.dat file for Security Onion to match the IOCs inside this file? please advise

securityonion-otx.txt

[TOoSmOotH]

/opt/so/saltstack/local/salt/zeek/policy/intel will get synced to all sensors.

[hankjrad]

I saved the otx.dat file to /opt/so/saltstack/local/salt/zeek/policy/intel but still not getting an Intel hit when testing