
Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings?

Path Finder

Hello,

I've installed Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1 and I need to configure a proxy to reach the Internet.

Any suggestions for where to put the proxy settings for a quick resolution with a WA?

I suggest making a modification on the next App version to add the option to allow the user to modify proxy settings through the App web interface on Splunk.

Regards

0 Karma

Re: Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings?

Communicator

Hello morganfw,

You can edit the "server.conf" file to configure splunkd to work with a proxy.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/ConfigureSplunkforproxy

0 Karma

Re: Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings?

Path Finder

Sorry, I don't need the proxy to be configured globally, but I need proxy configuration per App.

The proxy configuration mentioned in the above URL is for splunkd only and doesn't work with Apps.

0 Karma

Re: Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings?

Path Finder

Hello,
I've found a WA for now.
In variables.py under $SPLUNK_HOME/etc/apps/Centurion/bin you need to insert the proxy config for the requests module:

 import requests

 proxies = {
     'http': 'http://<your_proxy>:<your_proxy_port>',
     'https': 'http://<your_proxy>:<your_proxy_port>',
 }

Then you need to configure the individual service scripts that use the Python requests module, adding the proxies import and configuration. The following example is for abuseip.py; on line 8 modify the script from:

 from variables import abuseipkey,index_name

to

 from variables import abuseipkey,index_name,proxies

then on requests.get on line 59, modify from:

 res = requests.get(url, params=params)

to

 res = requests.get(url, params=params, proxies=proxies)

and so on for all services that use the Python requests module.

For services that do not use the Python requests module, you need to declare the proxy and add set_tunnel, so for AlienVault.py modify lines 33 and 34 from:

 conn = httplib.HTTPSConnection("otx.alienvault.com")
 conn1 = httplib.HTTPSConnection("otx.alienvault.com")

to

 conn = httplib.HTTPSConnection("<your_proxy>", <your_port>)
 conn.set_tunnel("otx.alienvault.com")
 conn1 = httplib.HTTPSConnection("<your_proxy>", <your_port>)
 conn1.set_tunnel("otx.alienvault.com")

and so on for other services that do not use the Python requests module.

For neutrino.py, on line 44, before the line:

 reqReputation = urllib2.Request(urlReputation, urllib.urlencode(params).encode("utf-8"))

you need to add the following lines:

 ## Proxy Mod START
 proxy = urllib2.ProxyHandler({'https': 'http://<your_proxy>:<your_proxy_port>'})
 opener = urllib2.build_opener(proxy)
 urllib2.install_opener(opener)
 ## Proxy Mod END

I strongly suggest that the next App version add the ability to configure the proxy globally for the App; not all companies have the ability to reach the Internet directly from Splunk.

Regards


0 Karma
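The accepted workaround edits three different HTTP clients script by script. The following added example (not Centurion's code and not from the post) shows one way to keep the proxy in a single validated setting and derive all three client configurations from it. It uses the Python 3 module names `http.client` and `urllib.request` in place of `httplib` and `urllib2`; `PROXY_URL` and all function names are assumptions.

```python
# Added example, not part of the Centurion app. Python 3 module names are used;
# on the Python 2 interpreter shipped with Splunk 7.x the equivalents are
# httplib and urllib2, as in the post above.
import http.client
import urllib.request
from urllib.parse import urlsplit

# Assumption: a single setting, e.g. kept in variables.py next to the API keys.
PROXY_URL = "http://proxy.example.internal:3128"  # constructed sample value


def parse_proxy(proxy_url):
    """Validate the proxy URL once and return (host, port)."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://<host>:<port>, got %r" % proxy_url)
    if parts.username or parts.password:
        # Keep proxy credentials out of world-readable scripts under bin/.
        raise ValueError("do not embed proxy credentials in the URL")
    if parts.port is None:
        raise ValueError("proxy port is required")
    return parts.hostname, parts.port


def requests_proxies(proxy_url=PROXY_URL):
    """Dict to pass as requests.get(url, params=params, proxies=...)."""
    host, port = parse_proxy(proxy_url)
    url = "http://%s:%d" % (host, port)
    return {"http": url, "https": url}


def tunneled_https(target_host, proxy_url=PROXY_URL):
    """Connection that issues CONNECT to the proxy, then TLS to target_host."""
    host, port = parse_proxy(proxy_url)
    conn = http.client.HTTPSConnection(host, port, timeout=30)
    # The certificate is still verified against target_host, not the proxy.
    conn.set_tunnel(target_host, 443)
    return conn


def proxied_opener(proxy_url=PROXY_URL):
    """urllib opener bound to the proxy, without install_opener()'s global effect."""
    handler = urllib.request.ProxyHandler(requests_proxies(proxy_url))
    return urllib.request.build_opener(handler)
```

Returning an opener and calling `opener.open(req)` keeps the proxy scoped to the one script, whereas `install_opener` changes the default for every later `urlopen` call in the process.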