TAXII Server Support

[njaravelil]

Some of te threat feeds I follow uses Taxii polls and is there any out of the box integration to connect to STIX 2.0/TAXII services? IInterested to see how others are integrated such TI feeds with Suricata & Zeek . Any further inputs are appreciated.

[InfosecGoon]

Good morning!

There's no direct support for STIX/TAXII in Security Onion -- generally, you would want to import that information into a Threat Intelligence Platform and then use that TIP to generate rules for Zeek and Suricata.

If you're not currently using a TIP, MISP is an excellent free and open platform that supports importing via TAXII and can be used to generate rules for Zeek Intel and Suricata.

MISP homepage: https://www.misp-project.org/
MISP TAXII Server: https://github.com/MISP/MISP-Taxii-Server
MISP / SO Integration: https://github.com/weslambert/securityonion-misp

Hope that helps!

--Matt