Version 1.1
Convert TAXII threat intelligence feeds into firewall-consumable External Dynamic Lists (EDL).
THIS IS A PROOF OF CONCEPT TOOL
This tool was developed as a proof of concept and is NOT intended for production use without proper security review. See Security Considerations section below for important details.
- Tested on: macOS 15.7.1, Ubuntu 22.04 LTS
- Testing scope: Functionality and security features
- Data source: Arctic Wolf Threat Feed (STIX2 format)
STIX2EDL connects to TAXII 2.1 servers, fetches threat intelligence indicators, and serves them in EDL format for consumption by firewalls and security appliances. It supports multiple collections, persistent storage, automatic refresh, and provides a secure web interface for management.
- Password-Protected Access - Session-based authentication with configurable timeout
- Three-State Health Indicators - Green (healthy), Amber (warning), Red (critical)
- Auto-Refresh Scheduling - Automatic periodic indicator updates
- Collection Management - Enable/disable collections individually
- TAXII 2.1 Support - Connects to any TAXII 2.1 compliant server
- Multiple Collections - Manage multiple threat feeds simultaneously
- EDL Export - Generates firewall-ready External Dynamic Lists
- Web Interface - Modern, responsive dashboard for management
- Persistent Storage - SQLite database with automatic deduplication
- CSV Export - Download indicators in CSV format
- RESTful API - Full API for automation and integration
- Indicator Lifecycle Tracking - First seen, last seen, and revocation tracking
- Python 3.10 or higher
- pip
- Clone or download the repository:

  ```bash
  cd stix2edl
  ```

- Run the setup script:

  ```bash
  chmod +x setup.sh
  ./setup.sh
  ```

  This will:
  - Install Python dependencies
  - Create configuration template
  - Set up the templates directory

- Configure your TAXII collections:

  ```bash
  cp config.yaml.example config.yaml
  # Edit config.yaml with your TAXII server details and auth credentials
  ```

- Run the application:

  ```bash
  python3 taxii_threat_intel.py
  ```

- Access the web interface:

  http://localhost:5000
Edit config.yaml to configure your TAXII connections:

```yaml
# TAXII Server Authentication
username: "your-username"
password: "your-password"

# Collections to fetch
collections:
  - url: "https://taxii-server.com/taxii2/collections/abc123/objects/"
    name: "Malware Indicators"
    enabled: true
  - url: "https://taxii-server.com/taxii2/collections/def456/objects/"
    name: "Phishing URLs"
    enabled: true

# Maximum pages to fetch per collection (each page ~100 objects)
max_pages: 50
```

- username/password - TAXII server Basic Auth credentials
- collections - List of TAXII collection endpoints
  - url - Full URL to the collection's /objects/ endpoint
  - name - Friendly name for the collection
  - enabled - Set to false to disable a collection
- max_pages - Limit pages fetched per collection (prevents runaway queries)
The web dashboard provides:
- Overall Status - Total indicators, last update time
- Collection Cards - Individual collection health and stats
- Refresh Actions - Update all or individual collections
- Export Options - Download CSV or view EDL
STIX2EDL provides External Dynamic List (EDL) feeds for firewall consumption:
GET /api/edl/all

Returns all indicators from all enabled collections in EDL format (one indicator per line).

Example:

http://your-server:5000/api/edl/all

GET /api/edl/collection/<index>

Returns indicators from a specific collection by index (starting at 0).

Examples:

http://your-server:5000/api/edl/collection/0
http://your-server:5000/api/edl/collection/1
Supported Indicator Types:
- IPv4 addresses
- IPv6 addresses
- Domain names
- URLs
- File hashes (MD5, SHA-1, SHA-256)
- Navigate to Objects > External Dynamic Lists
- Create new list:
  - Type: URL
  - Source: http://your-server:5000/api/edl/all
  - Check Interval: Hourly
- Use in security policies

- Navigate to Security Fabric > External Connectors
- Create Threat Feed:
  - URI: http://your-server:5000/api/edl/all
  - Refresh Rate: 60 minutes
- Apply to policies

- Navigate to Objects > Object Management
- Add URL List:
  - URL: http://your-server:5000/api/edl/all
  - Update Interval: 3600 seconds
- Use in access control policies
External Dynamic List format is a simple text file with one indicator per line:
192.168.1.100
10.0.0.5
malicious.com
evil-site.net
http://phishing.example.com/login
5d41402abc4b2a76b9719d911017c592
Supported Indicator Types:
- IP addresses (IPv4/IPv6)
- Domain names
- URLs
- File hashes (MD5, SHA-1, SHA-256)
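The STIX 2.1 objects a TAXII collection returns are indicator objects whose pattern field encodes the observable; turning those patterns into the one-indicator-per-line text shown above is the step behind both the /api/edl endpoints and the EDL format described here. The following is an added example of that conversion, not code from the STIX2EDL project: it parses the comparisons in each pattern, validates every value against the supported types so that nothing a firewall cannot parse reaches the list, skips revoked indicators and deduplicates. It goes slightly beyond the README's list by accepting CIDR ranges and compound (OR) patterns. The object list and every value in it are constructed for the example (documentation-range addresses, made-up names); the function names are assumptions.

```python
# Added example (not STIX2EDL's own code): turn STIX 2.1 indicator objects, as
# returned by a TAXII collection's /objects/ endpoint, into EDL lines.
import ipaddress
import re
from urllib.parse import urlparse

# One comparison inside a STIX pattern, e.g.  ipv4-addr:value = '203.0.113.5'
# Using finditer() means compound patterns ("[a = 'x'] OR [b = 'y']") yield
# every term rather than only the first.
COMPARISON_RE = re.compile(r"(?P<prop>[\w-]+:[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")

# Hostname syntax: labels of 1-63 characters, whole name at most 253.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)
HASH_LENGTHS = {"md5": 32, "sha-1": 40, "sha-256": 64}  # hex digits per algorithm


def normalize(prop, value):
    """Return the EDL line for one pattern comparison, or None when the
    observable type is not one the EDL supports or the value is malformed."""
    value = value.strip()
    if prop in ("ipv4-addr:value", "ipv6-addr:value"):
        try:
            net = ipaddress.ip_network(value, strict=False)  # single host or CIDR
        except ValueError:
            return None
        if net.version != (4 if prop.startswith("ipv4") else 6):
            return None  # type in the pattern disagrees with the value
        return str(net) if "/" in value else str(net.network_address)
    if prop == "domain-name:value":
        value = value.lower().rstrip(".")  # case-fold, drop trailing root dot
        return value if DOMAIN_RE.match(value) else None
    if prop == "url:value":
        parts = urlparse(value)
        return value if parts.scheme in ("http", "https") and parts.netloc else None
    if prop.startswith("file:hashes."):
        # STIX writes the algorithm as  file:hashes.MD5  or  file:hashes.'SHA-256'
        algo = prop[len("file:hashes."):].strip("'").lower()
        value = value.lower()
        if HASH_LENGTHS.get(algo) == len(value) and re.fullmatch(r"[0-9a-f]+", value):
            return value
    return None


def stix_to_edl(objects):
    """Flatten STIX objects into deduplicated EDL lines, in first-seen order.
    Non-indicator objects and revoked indicators contribute nothing."""
    seen = set()
    lines = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for match in COMPARISON_RE.finditer(obj.get("pattern", "")):
            line = normalize(match.group("prop"), match.group("value"))
            if line and line not in seen:
                seen.add(line)
                lines.append(line)
    return lines


def edl_text(objects):
    """The body the /api/edl/* endpoints would serve as text/plain."""
    return "\n".join(stix_to_edl(objects)) + "\n"


# Constructed sample: the shapes a TAXII collection returns, with one duplicate,
# one CIDR, one malformed address, one unsupported type and one revocation.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--2", "pattern": "[ipv6-addr:value = '2001:db8::1']"},
    {"type": "indicator", "id": "indicator--3", "pattern": "[domain-name:value = 'Malicious.Example.']"},
    {"type": "indicator", "id": "indicator--4", "pattern": "[url:value = 'http://phishing.example/login']"},
    {"type": "indicator", "id": "indicator--5", "pattern": "[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']"},
    {"type": "indicator", "id": "indicator--6",
     "pattern": "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"type": "indicator", "id": "indicator--7",
     "pattern": "[ipv4-addr:value = '203.0.113.5'] OR [ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "id": "indicator--8", "pattern": "[ipv4-addr:value = '999.1.1.1']"},
    {"type": "indicator", "id": "indicator--9", "pattern": "[email-addr:value = 'a@example.com']"},
    {"type": "indicator", "id": "indicator--10", "pattern": "[domain-name:value = 'revoked.example']", "revoked": True},
    {"type": "malware", "id": "malware--1", "name": "not an indicator"},
]

if __name__ == "__main__":
    print(edl_text(SAMPLE_OBJECTS), end="")
```

Serving the result with a text/plain content type and a trailing newline keeps every firewall's line-oriented fetcher happy; the validation step is what stops a mistyped or exotic pattern upstream from poisoning the whole list with a line the appliance cannot interpret.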
- TAXII Client - Connects to TAXII 2.1 servers
- SQLite Database - Stores indicators persistently
- Flask Web Server - Serves web UI and API
- Background Initialization - Non-blocking startup
- Application starts → Loads from database (if exists)
- If no data → Fetches from TAXII servers
- Indicators stored in SQLite with deduplication
- Web UI and API serve indicators in various formats
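The deduplication and lifecycle tracking listed among the features (first seen, last seen, revocation) map naturally onto an SQLite table with a uniqueness constraint and an upsert on every refresh. This is an added example of such a schema and refresh routine, not the project's own indicators.db layout, which the README does not show; the collection name, timestamps and indicator values are constructed, and the table and function names are assumptions. It relies on SQLite's ON CONFLICT ... DO UPDATE clause, available in the SQLite versions current Python builds ship.

```python
# Added example (not the STIX2EDL schema): SQLite storage with deduplication
# and first-seen / last-seen / revoked tracking, refreshed by upsert.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS indicators (
    value      TEXT    NOT NULL,   -- the EDL line (IP, CIDR, domain, URL, hash)
    type       TEXT    NOT NULL,   -- ipv4, ipv6, domain, url, md5, sha1, sha256
    collection TEXT    NOT NULL,   -- friendly name from config.yaml
    first_seen TEXT    NOT NULL,   -- ISO 8601 UTC, written once
    last_seen  TEXT    NOT NULL,   -- ISO 8601 UTC, moved forward on every refresh
    revoked    INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (value, type, collection)   -- deduplication happens here
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def upsert_indicators(conn, collection, indicators, now=None):
    """Record one refresh of a collection.

    indicators: iterable of (value, type, revoked) tuples. A value seen before
    keeps its first_seen, gets last_seen moved forward and takes the feed's
    current revoked flag; a new value is inserted with first_seen == last_seen.
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    conn.executemany(
        """INSERT INTO indicators (value, type, collection, first_seen, last_seen, revoked)
           VALUES (?, ?, ?, ?, ?, ?)
           ON CONFLICT(value, type, collection) DO UPDATE SET
               last_seen = excluded.last_seen,
               revoked   = excluded.revoked""",
        [(value, kind, collection, now, now, int(revoked)) for value, kind, revoked in indicators],
    )
    conn.commit()


def edl_lines(conn, collection=None):
    """Active indicators as EDL lines, oldest first. Revoked rows are withheld,
    so a revocation upstream reaches the firewall on its next fetch."""
    sql = "SELECT value FROM indicators WHERE revoked = 0"
    params = ()
    if collection is not None:
        sql += " AND collection = ?"
        params = (collection,)
    sql += " GROUP BY value ORDER BY MIN(first_seen), value"
    return [row[0] for row in conn.execute(sql, params)]


def lifecycle(conn, value):
    """(first_seen, last_seen, revoked) for an indicator, or None if unknown."""
    return conn.execute(
        "SELECT first_seen, last_seen, revoked FROM indicators WHERE value = ?", (value,)
    ).fetchone()


def demo():
    """Two constructed refreshes of one collection, a day apart."""
    conn = open_db()
    day1, day2 = "2025-01-01T00:00:00+00:00", "2025-01-02T00:00:00+00:00"
    upsert_indicators(conn, "Malware Indicators", [
        ("203.0.113.5", "ipv4", False),
        ("malicious.example", "domain", False),
    ], now=day1)
    # Next day: the IP is still published, the domain was revoked upstream,
    # and a new hash appears.
    upsert_indicators(conn, "Malware Indicators", [
        ("203.0.113.5", "ipv4", False),
        ("malicious.example", "domain", True),
        ("5d41402abc4b2a76b9719d911017c592", "md5", False),
    ], now=day2)
    return conn


if __name__ == "__main__":
    db = demo()
    print("\n".join(edl_lines(db)))
    print(lifecycle(db, "203.0.113.5"))
```

Keeping revoked rows instead of deleting them is deliberate: the row still answers "when did we first see this and when did the feed withdraw it", which is what an analyst needs when a block on the firewall is questioned after the fact, while the EDL query simply filters them out.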
```text
stix2edl/
├── taxii_threat_intel.py   # Main application
├── config.yaml             # Configuration
├── requirements.txt        # Python dependencies
├── templates/
│   ├── index.html          # Dashboard
│   ├── settings.html       # Settings page
│   └── login.html          # Login page
├── indicators.db           # SQLite database (created on first run)
└── README.md
```
Test your configuration:
```bash
python3 test_config.py
```

This validates:
- TAXII server connectivity
- Authentication credentials
- Collection accessibility
- STIX object parsing
The application may take a few minutes to initialize on first run while fetching indicators. The web server starts immediately and shows a progress page.
- Check collections are enabled in config.yaml
- Verify TAXII credentials are correct
- Run python3 test_config.py to diagnose
- Check logs for errors

- Verify the collection URL is correct (must end with /objects/)
- Check authentication credentials
- Ensure network access to TAXII server
- Check TAXII server is online
To clear all data and refetch:
```bash
rm indicators.db
python3 taxii_threat_intel.py
```

- Startup - Fast (loads from database)
- First Run - Depends on indicator count (typically 1-5 minutes)
- Refresh - Depends on indicator count
- EDL Generation - Instant (served from cache)
- Database Size - ~1MB per 10,000 indicators
WARNING: This is a proof of concept tool. Review security implications before deployment.
- Password Protection: Web UI protected by session-based authentication
- Login Password: Stored in database (system_meta table)
- Session Timeout: Configurable (default 72 hours)
- First-Time Setup: Set password on first access
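The README states that the web UI uses session-based authentication with a configurable timeout (72 hours by default) and that the login password lives in the system_meta table. The following is an added example, not the project's own code, of how a reviewer would expect those two pieces to be implemented: the table holds a salted PBKDF2 hash rather than the password itself, verification compares in constant time, and a session carries its issue time so it can be rejected once the timeout has elapsed. The system_meta column layout, the record format and the function names are assumptions.

```python
# Added example (not STIX2EDL's own code): first-time password setup, login
# verification and session expiry for a single-admin web UI backed by SQLite.
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000            # order of magnitude recommended for PBKDF2-HMAC-SHA256
SESSION_TIMEOUT_SECONDS = 72 * 3600    # the README's default session timeout


def open_meta_db(path=":memory:"):
    conn = sqlite3.connect(path)
    # Assumed layout of the system_meta table: a plain key/value store.
    conn.execute("CREATE TABLE IF NOT EXISTS system_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)")
    return conn


def password_is_set(conn):
    """True once first-time setup has stored a password hash."""
    return conn.execute("SELECT 1 FROM system_meta WHERE key = 'password_hash'").fetchone() is not None


def set_password(conn, password):
    """Store a salted PBKDF2 hash; the password itself never reaches the database."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"
    conn.execute("INSERT OR REPLACE INTO system_meta (key, value) VALUES ('password_hash', ?)", (record,))
    conn.commit()


def verify_password(conn, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    row = conn.execute("SELECT value FROM system_meta WHERE key = 'password_hash'").fetchone()
    if row is None:
        return False
    parts = row[0].split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc.hex(), digest_hex)


def new_session(issued_at):
    """A session is an unguessable token plus its issue time (Unix seconds)."""
    return {"token": secrets.token_urlsafe(32), "issued_at": issued_at}


def session_is_valid(session, now, timeout=SESSION_TIMEOUT_SECONDS):
    """Absolute expiry: the session ends `timeout` seconds after issue, however active it was."""
    if session is None:
        return False
    age = now - session["issued_at"]
    return 0 <= age < timeout
```

In a Flask app the token would be stored server-side keyed by session id (or in a signed cookie) and session_is_valid would run on every request before the dashboard or the settings page is rendered; the iteration count is recorded alongside the hash so it can be raised later without invalidating existing passwords.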
- Storage: TAXII credentials stored in config.yaml in plain text
- Mitigation:
  - Use dedicated credentials not used elsewhere
  - Read-only TAXII access
  - Restrict file system access
- Production Alternatives:
  - Environment variables
  - Secrets management (HashiCorp Vault, AWS Secrets Manager)
  - Encrypted configuration
Recommended setup:

```bash
# Allow only firewall to access EDL feeds
iptables -A INPUT -p tcp --dport 5000 -s <firewall-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP

# Or use SSH tunnel for admin access
ssh -L 5000:localhost:5000 user@server
```

This software is provided as-is for testing and proof of concept purposes. The author assumes no liability for security issues, data breaches, or damages resulting from use of this software.
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
MIT License - see LICENSE file for details
- Issues: GitHub Issues
- Documentation: This README
- Configuration Help: See config.yaml.example

- v1.1 - Security, UI improvements, and health monitoring
  - Password-protected web UI with session management
  - Three-state health indicators (Green/Amber/Red)
  - Auto-refresh scheduling with persistence
  - Settings page for web-based configuration
  - Indicator lifecycle tracking (first seen, last seen)
  - Collection-level refresh control
- v1.0 - Initial release
  - TAXII 2.1 support
  - Multiple collections
  - EDL export
  - Web interface
  - SQLite persistence
Built with:
- Flask - Web framework
- taxii2-client - TAXII 2.1 client library
- SQLite - Database
STIX2EDL v1.1 - Converting threat intelligence to actionable security