Hello,
I've installed Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1 and I need to configure a proxy for exit on the internet.
Any suggestion for where to put proxy settings for quick resolving with a WA?
I suggest making a modification on the next App version to add the option to allow the user to modify proxy settings through the App web interface on Splunk.
Regards
Hello,
I've found a WA for now.
On variables.py under $SPLUNK_HOME/etc/apps/Centurion/bin you need to insert proxy config for requests module:
import requests
proxies = {
    'http': 'http://<your_proxy>:<your_proxy_port>',
    'https': 'http://<your_proxy>:<your_proxy_port>',
}
Then you need to configure the individual service scripts that use the Python requests module, adding the proxies import and configuration. The following example is for abuseip.py; on line 8 modify the script from:
from variables import abuseipkey,index_name
to
from variables import abuseipkey,index_name,proxies
then on requests.get on line 59, modify from:
res = requests.get(url, params=params)
to
res = requests.get(url, params=params, proxies=proxies)
and so on for all services that use Python requests module.
For services that do not use the Python requests module, you need to declare the proxy and add set_tunnel, so for AlienVault.py modify lines 33 and 34 from:
conn = httplib.HTTPSConnection("otx.alienvault.com")
conn1 = httplib.HTTPSConnection("otx.alienvault.com")
to
conn = httplib.HTTPSConnection("<your_proxy>", <your_port>)
conn.set_tunnel("otx.alienvault.com")
conn1 = httplib.HTTPSConnection("<your_proxy>", <your_port>)
conn1.set_tunnel("otx.alienvault.com")
and so on for other services that do not use the Python requests module.
For neutrino.py on line 44 before string:
reqReputation = urllib2.Request(urlReputation, urllib.urlencode(params).encode("utf-8"))
you need to add following lines:
## Proxy Mod START
proxy = urllib2.ProxyHandler({'https': 'http://<your_proxy>:<your_proxy_port>'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
## Proxy Mod END
I strongly suggest adding, in the next App version, the ability to configure the proxy globally in the App; not all companies have the ability to reach the Internet directly from Splunk.
Regards
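The three edits in the workaround above, derived from a single proxy setting. This is an added example, not part of the original post and not the app's own code: it uses the Python 3 module names (http.client, urllib.request) where the app's scripts use httplib and urllib2, and the function names and the proxy.example.internal address are assumptions.

```python
# Added example: one proxy URL feeding the three HTTP client styles used by
# the service scripts. All function names here are hypothetical.
import http.client
import urllib.request
from urllib.parse import urlsplit

# Constructed sample value; replace with your own proxy.
PROXY_URL = "http://proxy.example.internal:3128"


def parse_proxy(proxy_url):
    """Return (host, port); reject anything that is not http://host:port."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://host:port, got %r" % proxy_url)
    if parts.port is None:
        raise ValueError("proxy port is required: %r" % proxy_url)
    return parts.hostname, parts.port


def requests_proxies(proxy_url=PROXY_URL):
    """Dict for requests.get(url, params=params, proxies=...).

    The 'https' entry points at an http:// proxy on purpose: requests sends
    a CONNECT to the proxy and runs TLS to the feed host inside that tunnel.
    """
    parse_proxy(proxy_url)
    return {"http": proxy_url, "https": proxy_url}


def tunnelled_connection(target_host, proxy_url=PROXY_URL, timeout=30):
    """The AlienVault.py change: connect to the proxy, tunnel to the target."""
    host, port = parse_proxy(proxy_url)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    conn.set_tunnel(target_host, 443)
    return conn  # nothing is sent until conn.request() is called


def proxied_opener(proxy_url=PROXY_URL):
    """The neutrino.py change, returning an opener instead of installing it
    process-wide with install_opener()."""
    parse_proxy(proxy_url)
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    return urllib.request.build_opener(handler)
```

A script would then call `proxied_opener().open(request)` or `tunnelled_connection("otx.alienvault.com").request(...)`, so a proxy change is made in one place.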
@morganfw Thank you so much for your valuable feedback. Please check out the latest version of the app. We have the option to configure proxy settings now using the setup page.
Hello morganfw,
you can edit "server.conf" file to configure splunkd to work with a proxy.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/ConfigureSplunkforproxy
Sorry, I don't need proxy to be configured globally, but I need proxy configuration per App.
The proxy configuration mentioned in the above URL is for splunkd only and doesn't work with Apps.