topic Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid in Splunk SOAR

Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Sun, 07 Jun 2020 17:47:45 GMT

Hello all,

I am attempting to install Splunk Phantom 4.5 (not the Phantom App for Splunk) on a CentOS 7.6 VM on ESXi. Using the installation guide from the Phantom site, I first made sure ports 22, 80, and 443 were open, then I downloaded the necessary repositories, cleared YUM's caches, and did a yum update.
Then when I tried to install the .rpm file, I got an error message in the terminal saying
"The requested URL returned error: 404 Not Found."
I tried pinging the address in the terminal and entering in the URL in my browser, and it still looks like this rpm Splunk provided is invalid. Is there somewhere I can download a working .rpm? This is the version I tried to use from the installation manual: https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm
Any help would be appreciated.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Fri, 21 Jun 2019 15:21:13 GMT

It's possible that your DNS is not resolving the host name for the URL. Can you ping the host or do a nslookup on the host to see if you are able to resolve the hostname?

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 15:53:47 GMT

Yes, I have tried pinging the host and doing an nslookup on both my VM and local computer. It says it is a non-existent domain.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 15:55:36 GMT

Could it be that I need to somehow be signed into my Splunk Phantom account when I try to download the rpm file? I am not sure how I would do this.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Fri, 21 Jun 2019 16:18:38 GMT

what's the host that you are trying to nslookup on?

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 16:22:42 GMT

So first I tried: https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm

, which is the rpm file I am trying to download.

And when that didn't work, I tried just https://repo.phantom.us. That didn't work either.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Fri, 21 Jun 2019 16:26:36 GMT

okay, so when you're testing to see if you can resolve a hostname you need to remove the "http://" part, that's not considered part of the hostname. The hostname in this case is repo.phantom.us
Try "nslookup repo.phantom.us" and let me know if you get an IP back. I did it on my laptop and got a response that the host "repo.phantom.us" is IP "54.165.15.205". you should get something similar if not the same

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 16:32:30 GMT

Ok thank you, yes I was able to hit repo.phantom.us and I got an IP. But I don't get anything when I do an nslookup on the whole address.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Fri, 21 Jun 2019 16:50:04 GMT

you can't nslookup a URL, only the hostname "epo.phantom.us".

Now if you want to test the URL, which in this case is "https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm" you'll need a different tool. Right now it sounds like you can get an IP address so Splunk knowns who to call. but splunk needs to talk to that server over HTTPS. nslookup doesn't understand HTTPS or any other protocol other than DNS, which is used to retrieve an IP using a host name. If your not too familiar with DNS I would highly recommend read up on a simple introduction. it will help you in future.

Okay enough explanation, the next step is to see if we can actually talk to that server over HTTPS. Their are a number of tools that can be used to test this, but my personal favorite is nmap. see if you have nmap install using the command "nmap -V". if you get a "command not found" you'll need to install it. you can install it using this command as root "yum install nmap -y"

okay, with nmap we can test ports. The protocol HTTPS run over 443 (usually). so the command "nmap -p 443 repo.phantom.us" will tell us if that port is opened. give that a try and let me know if the port state says "open".

sorry for the long reply

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 17:09:46 GMT

Thank you for your help. So when I did the nmap scan, I found that port 443 was open and running https as a service.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Wed, 30 Sep 2020 01:01:34 GMT

okay, so so far we found that you can get an IP & you can connect with no problems. This is good. The problem is looking less and less like it's on your end.

I just did a check on that URL using another tool "wget", with the command "wget https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm". wget will let you download resource over HTTP & HTTPS and it's a great way to troubleshoot HTTP and HTTPS. I also got a 404 error, so I don't think you are alone on this.

I opened that link in my browser, but I went one directory back, so I opened "https://repo.phantom.us/phantom/4.5/base/7/x86_64/". There you can see the list of RPM files available. I don't see a file listed with the name "phantom_repo-4.5.7532-1.x86_64.rpm" so that resource is indeed missing.

My recommendation at this point is to open a support ticket if you can or see if you can download an older version of Phantom. if you put in a ticket make sure to inform them that you troubleshooted and you are able to connect perfectly fine. Also inform them that the URL "https://repo.phantom.us/phantom/4.5/base/7/x86_64/" shows the file is missing

sorry for putting you through all this but I think it's good to check connectivity first before looking any where else.

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Fri, 21 Jun 2019 17:56:36 GMT

That is good to hear that the problem is not on my end. I will reach out to Splunk and see if either I can get an older version or if they can send me a tarball. Thanks for your help!

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

koocies — Sat, 22 Jun 2019 14:19:03 GMT

good luck there

Re: Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas — Mon, 24 Jun 2019 12:11:28 GMT

They had just updated the installation manual, and the correct version was on there. I now have Phantom completely installed. Thanks again!