@adulau
Last active November 14, 2022 15:11
TAXII using curl

Using curl to get data from TAXII

curl -H "Content-Type: application/xml" -H "X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1" -H "X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1" -X POST -d "@post.data" hailataxii.com/taxii-data

And the XML query (assuming you know the collection_name):

<taxii_11:Poll_Request xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="a0784cd6-13d9-4395-889b-8614e7ca55a4" collection_name="guest.Abuse_ch">
  <taxii_11:Poll_Parameters allow_asynch="false">
    <taxii_11:Response_Type>FULL</taxii_11:Response_Type>
  </taxii_11:Poll_Parameters>
</taxii_11:Poll_Request>

Using curl for TAXII 2.1 collection discovery

First find the api_roots

curl -H "Authorization: Basic MYBASE64===" -H "Accept: application/taxii+json;version=2.1" http://superserver.com/taxii2/

{"api_roots": ["http://superserver.com/api2_1/"], "contact": "Mr STIX", "default": "http://superserver.com/api2_1/", "description": "Contains enough shit for you to play with", "title": "Some TAXII Server"}

Second find the collections from the api_roots

curl -H "Authorization: Basic MYBASE64===" -H "Accept: application/taxii+json;version=2.1" http://superserver.com/api2_1/collections/

{"collections": [{"can_read": true, "can_write": true, "description": "Collection where to find some shitty STIX 2 content", "id": "01f156b1-703b-4ce9-bf5a-7c15b510cfea", "media_types": ["application/stix+json;version=2.0", "application/stix+json;version=2.1"], "title": "STIX 2 content"}]}

Get the info from the collections

curl -H "Authorization: Basic MYBASE64===" -H "Accept: application/taxii+json;version=2.1" http://superserver.com/api2_1/collections/01f156b1-703b-4ce9-bf5a-7c15b510cfea/

{"can_read": true, "can_write": true, "description": "Collection where to find some shitty STIX 2 content", "id": "01f156b1-703b-4ce9-bf5a-7c15b510cfea", "media_types": ["application/stix+json;version=2.0", "application/stix+json;version=2.1"], "title": "STIX 2 content"}
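
The three curl steps above (discovery, collections, per-collection URL) chained into one walk, as an added example that is not part of the original gist. The function names, the `other.example` api_root in the sample and the rule of sending the credentials only to the discovery origin are assumptions of this example.

```python
import base64
import json
import urllib.request
from urllib.parse import urljoin, urlsplit

ACCEPT = "application/taxii+json;version=2.1"  # Accept value from the curl calls

# Constructed sample: the gist's two responses, trimmed, plus one hypothetical
# api_root on another host (other.example) to exercise the origin check.
SAMPLE = {
    "http://superserver.com/taxii2/": {
        "api_roots": ["http://superserver.com/api2_1/", "http://other.example/api/"]},
    "http://superserver.com/api2_1/collections/": {"collections": [
        {"id": "01f156b1-703b-4ce9-bf5a-7c15b510cfea", "title": "STIX 2 content",
         "can_read": True, "can_write": True}]},
}


def basic_auth(user, password):
    """Header value the gist abbreviates as 'Basic MYBASE64==='."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_get(url, auth):
    """Live fetcher sending the same two headers as the curl commands."""
    req = urllib.request.Request(url, headers={"Accept": ACCEPT, "Authorization": auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def readable_collections(discovery_url, auth, fetch=http_get):
    """Walk discovery -> api_roots -> collections.

    Returns ({collection_id: collection_url}, [api_roots skipped as cross-origin]).
    """
    origin = urlsplit(discovery_url)[:2]  # (scheme, host[:port])
    found, skipped = {}, []
    for root in fetch(discovery_url, auth).get("api_roots", []):
        root = urljoin(discovery_url, root).rstrip("/") + "/"
        if urlsplit(root)[:2] != origin:
            skipped.append(root)  # never replay the credentials elsewhere
            continue
        for col in fetch(root + "collections/", auth).get("collections", []):
            if col.get("can_read"):
                found[col["id"]] = f"{root}collections/{col['id']}/"
    return found, skipped


def offline_fetch(url, auth):
    """Stand-in for http_get that serves SAMPLE, so the walk runs offline."""
    return SAMPLE[url]
```

Pass `fetch=offline_fetch` to run the walk against the sample, or leave the default to query a live server. Basic credentials are only base64-encoded, so with `http://` URLs like the sample ones they cross the network in clear; use `https://` against a real server.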

IanGabes commented Oct 7, 2019

A basic discover request requires the following post body (useful for some debugging instead of trying to download all the packages):

<Discovery_Request xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="1"/>

Additionally auth can be added with:

curl --user "{username}:{password}" ....

Thanks for the original gist, saved me some time : )
