All Apps and Add-ons

Connection error after upgrading to sourcefire 6.0.1.1

phaelf
Explorer

After upgrading sourcefire to version 6.0.1.1 from 5.4.1 the estreamer_client.pl script fails to connect and retrieve the logs. Analyzing the packets we can see that there is a error in the SSL handshake. The script requests come in TLS1.0 and the server is replaying with TLS1.2.

Here is the SSL connection in the script.

verbose("Connecting to $cli_opt->{server} port $cli_opt->{port}");
my $client = new IO::Socket::SSL( Domain        => $cli_opt->{domain},
                                  PeerAddr      => $cli_opt->{server},
                                  PeerPort      => $cli_opt->{port},
                                  Proto         => 'tcp',
                                  SSL_version   => 'TLSv12',
                                  SSL_use_cert  => 1,
                                  SSL_cert_file => $crtfile,
                                  SSL_key_file  => $keyfile,
                                  SSL_verify_mode => 'SSL_VERIFY_NONE')
    or die("Can't connect to $cli_opt->{server} port $cli_opt->{port}: ".IO::Socket::SSL::errstr()."\n\n");

Is there another way of retrieving sourcefire logs into splunk? Or how can the script be edited so that the sourcefire server accepts the connection.

We use "Splunk Add-on for Cisco FireSIGHT" http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Description which then needs the "eStreamer for splunk" app for the data collection.

0 Karma

douglashurd
Builder

I may have a fix for you. We have a modified version of the app that forces TLS v1 upon connection to the FMC. Please mail me at dohurd@cisco.com and I can email you the new app. I'll try to post it to Splunk apps today too.

mayashankarmish
New Member

No IP addresses were changed during the upgrade. We regenerated the certificate and that's also not working

0 Karma

douglashurd
Builder

Has the IP address of either side of the connection changed during the upgrade?

Additionally, have you attempted creating a new client entry in the FMC and downloading the newly created certificate?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!