Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings?

morganfw
Path Finder

Hello,

I've installed Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1 and I need to configure a proxy for exit on the internet.

Any suggestion for where to put proxy settings for quick resolving with a WA?

I suggest making a modification on the next App version to add the option to allow the user to modify proxy settings through the App web interface on Splunk.

Regards

0 Karma

morganfw
Path Finder

Hello,
I've found a WA for now.
On variables.py under $SPLUNK_HOME/etc/apps/Centurion/bin you need to insert proxy config for requests module:

 import requests

 proxies = {
     'http': 'http://<your_proxy>:<your_proxy_port>',
     'https': 'http://<your_proxy>:<your_proxy_port>',
 }

Then you need to configure the individual service .py scripts that use the Python requests module, adding the proxies import and configuration. The following example is for abuseip.py; on line 8, modify the script from:

 from variables import abuseipkey,index_name

to

 from variables import abuseipkey,index_name,proxies

then on requests.get on line 59, modify from:

 res = requests.get(url, params=params)

to

 res = requests.get(url, params=params, proxies=proxies)

and so on for all services that use Python requests module.

For services that do not use the Python requests module, you need to declare the proxy and add set_tunnel, so for AlienVault.py modify lines 33 and 34 from:

 conn = httplib.HTTPSConnection("otx.alienvault.com")
 conn1 = httplib.HTTPSConnection("otx.alienvault.com")

to

 conn = httplib.HTTPSConnection("<your_proxy>", <your_port>)
 conn.set_tunnel("otx.alienvault.com")
 conn1 = httplib.HTTPSConnection("<your_proxy>", <your_port>)
 conn1.set_tunnel("otx.alienvault.com")

and so on for other services that do not use the Python requests module.

For neutrino.py on line 44 before string:

 reqReputation = urllib2.Request(urlReputation, urllib.urlencode(params).encode("utf-8"))

you need to add following lines:

 ## Proxy Mod START
 proxy = urllib2.ProxyHandler({'https': 'http://<your_proxy>:<your_proxy_port>'})
 opener = urllib2.build_opener(proxy)
 urllib2.install_opener(opener)
 ## Proxy Mod END

I strongly suggest that the next App version add the ability to configure the proxy globally in the App; not all companies have the ability to exit to the Internet directly from Splunk.

Regards

0 Karma
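
Added example (not part of the post above and not Centurion code): one helper module that holds the proxy setting in a single place and serves all three client styles the workaround touches (requests, httplib with set_tunnel, urllib2), so the value is validated once instead of being pasted into each script. The function names and `PROXY_URL` value are hypothetical; `redact` is an extra for keeping proxy credentials out of log lines.

```python
# Added example, not Centurion code. Works on Python 2.7 and Python 3.
try:  # Python 3 module names
    from http.client import HTTPSConnection
    from urllib.request import ProxyHandler, build_opener
    from urllib.parse import urlsplit
except ImportError:  # Python 2.7, as shipped with Splunk 7.x
    from httplib import HTTPSConnection
    from urllib2 import ProxyHandler, build_opener
    from urlparse import urlsplit

PROXY_URL = "http://proxy.example.internal:3128"  # constructed placeholder


def parse_proxy(proxy_url):
    """Validate the proxy URL once and return (scheme, host, port)."""
    parts = urlsplit(proxy_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("proxy URL must start with http:// or https://")
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy URL needs an explicit host and port")
    return parts.scheme, parts.hostname, parts.port


def requests_proxies(proxy_url=PROXY_URL):
    """Dict for requests.get(..., proxies=...), as in the abuseip.py edit."""
    parse_proxy(proxy_url)
    return {"http": proxy_url, "https": proxy_url}


def tunnelled_connection(target_host, proxy_url=PROXY_URL):
    """Connection to the proxy with a CONNECT tunnel to target_host, as in
    the AlienVault.py edit. No traffic is sent until .request() is called."""
    _, host, port = parse_proxy(proxy_url)
    conn = HTTPSConnection(host, port)
    conn.set_tunnel(target_host)
    return conn


def proxy_opener(proxy_url=PROXY_URL):
    """Opener for the neutrino.py case; pass it to install_opener() or call
    opener.open(request) directly."""
    parse_proxy(proxy_url)
    return build_opener(ProxyHandler({"https": proxy_url}))


def redact(proxy_url):
    """Proxy URL without any user:password part, safe to write to logs."""
    return "%s://%s:%d" % parse_proxy(proxy_url)
```
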

ektasiwani
Communicator

@morganfw Thank you so much for your valuable feedback. Please check out the latest version of the app. We have the option to configure proxy settings now using the setup page.

0 Karma

ektasiwani
Communicator

Hello morganfw,

you can edit "server.conf" file to configure splunkd to work with a proxy.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/ConfigureSplunkforproxy

0 Karma

morganfw
Path Finder

Sorry, I don't need proxy to be configured globally, but I need proxy configuration per App.

The proxy configuration mentioned in above url is for splunkd only and doesn't work with Apps.

0 Karma