OPENSSL_1.0.0 not found ERROR when using Splunk's DATA Input PCAP with Bro App

nkleck
New Member

Splunk Enterprise standalone instance (v6.6.3) on Ubuntu 16.04.

I'm getting the error shown below. Originally, I tried with the current Bro version, but reverted back to Bro v2.2 and still got the error. I get the error whether I apt-get install Bro OR compile it from source, so I'm confident the version of Bro I'm using is not causing this error. The modular input seems fine, given that it sees the PCAP. I've also configured local/inputs.conf, but we haven't gotten that far, since Splunk errors out when it tries to run Bro.

I saw there are other similar problems, and the solution was to unset LD_LIBRARY_PATH, but I don't see how I can do that with the Bro binary file.

Is anyone using the Bro PCAP data input? I must have gone wrong during installation somewhere?

In Splunk Web > Settings > Data Inputs > PCAPS

name: Bro Pcap Repo
pcap dir: /stoqdata/bro/
recursive: false
log dir: /var/log/bro
Bro binary: /opt/bro/bin/bro
Bro options: -C

Bro script: /opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/extract-all.bro
Bro seed file: /opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/bro.seeds
Ingest Content: false
Maximum execution time: 3000

when installing Bro:
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
$ sudo apt-get install libgeoip-dev
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

then either use apt-get to install Bro or compile it from source. I am able to use the Bro binary on my own to analyze PCAP files. It's only when Splunk attempts to do it that it fails.

EXCERPTS FROM Splunk_TA_bro.log after ingesting a pcap:
Bro installed via apt-get:
2017-08-23 12:25:48,298 INFO Parsing /stoqdata/bro/inside.pcap
2017-08-23 12:25:48,298 INFO running command = export BRO_SEED_FILE='/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/bro.seeds' && '/usr/bin/bro' '-C -r' -r '/stoqdata/bro/inside.pcap' '/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/extract-all.bro'
2017-08-23 12:25:48,308 ERROR something went wrond during Bro execution: /usr/bin/bro: /opt/splunk/lib/libssl.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /usr/bin/bro)
/usr/bin/bro: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /usr/bin/bro)

bro v2.5.1 compiled from source:
2017-08-23 13:11:22,085 INFO Parsing /stoqdata/bro/inside.pcap
2017-08-23 13:11:22,090 INFO running command = export BRO_SEED_FILE='/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/bro.seeds' && '/opt/bro/bin/bro' '-C' -r '/stoqdata/bro/inside.pcap' '/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/extract-all.bro'
2017-08-23 13:11:22,099 ERROR something went wrond during Bro execution: /opt/bro/bin/bro: /opt/splunk/lib/libssl.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /opt/bro/bin/bro)
/opt/bro/bin/bro: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /opt/bro/bin/bro)

bro v2.2 compiled from source:
2017-08-23 13:47:07,669 INFO Parsing /stoqdata/bro/inside.pcap
2017-08-23 13:47:07,673 INFO running command = export BRO_SEED_FILE='/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/bro.seeds' && '/opt/bro/bin/bro' '-C' -r '/stoqdata/bro/inside.pcap' '/opt/splunk/etc/apps/Splunk_TA_bro/bin/bro/extract-all.bro' 
2017-08-23 13:47:07,683 ERROR something went wrond during Bro execution: /opt/bro/bin/bro: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /opt/bro/bin/bro)
/opt/bro/bin/bro: /opt/splunk/lib/libssl.so.1.0.0: version `OPENSSL_1.0.0' not found (required by /opt/bro/bin/bro)
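One way to do what the question asks about, dropping the Splunk library path for the Bro binary only, is a small wrapper script set as the "Bro binary" in the PCAP input. This is an added example and not part of the thread or the Splunk_TA_bro add-on; it assumes Bro lives at /opt/bro/bin/bro (the path from the input settings above) and that Splunk's own lib directory reaches Bro through LD_LIBRARY_PATH, which is what the /opt/splunk/lib paths in the error suggest.

```shell
#!/bin/sh
# Added example, not from the original thread or the Splunk_TA_bro add-on.
# Splunk launches modular inputs with LD_LIBRARY_PATH pointing at /opt/splunk/lib,
# so the loader resolves libssl/libcrypto from Splunk's bundled copies, which lack
# the OPENSSL_1.0.0 symbol version the system-built Bro was linked against. This
# wrapper removes the Splunk entries and execs the real Bro; point the "Bro binary"
# field of the PCAP input at the wrapper instead of /opt/bro/bin/bro.
#
# REAL_BRO is an assumed location; adjust it to your installation.
REAL_BRO="${REAL_BRO:-/opt/bro/bin/bro}"

# Print a PATH-style list ($1) without empty entries or entries under /opt/splunk.
strip_splunk_libs() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "" && $i !~ /^\/opt\/splunk(\/|$)/)
                out = out (out == "" ? "" : ":") $i
        print out
    }'
}

# Exit 0 when a library search path ($1) would shadow the system OpenSSL with
# Splunk's bundled copy, exit 1 otherwise; useful as a quick diagnostic.
shadows_system_openssl() {
    case ":$1:" in
        *:/opt/splunk/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rebuild LD_LIBRARY_PATH without the Splunk entries, then hand over to Bro.
run_bro() {
    cleaned=$(strip_splunk_libs "${LD_LIBRARY_PATH:-}")
    if [ -n "$cleaned" ]; then
        LD_LIBRARY_PATH="$cleaned"; export LD_LIBRARY_PATH
    else
        unset LD_LIBRARY_PATH
    fi
    exec "$REAL_BRO" "$@"
}

# Splunk always passes arguments (-C, -r <pcap>, the script); with none, do nothing.
if [ $# -gt 0 ]; then
    run_bro "$@"
fi
```

Make the wrapper executable for the Splunk user and keep the "Bro options" field as `-C` only, since the input already adds `-r` and the pcap path itself.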

jkat54
SplunkTrust

I see this error from time to time when installing apps with ssl support.

Typically means you need to install openssl or openssl-devel

Try sudo apt-get install openssl openssl-devel


nkleck
New Member

Your modifications are not entirely correct. I am not getting an error when installing Bro. I am able to install Bro. I am even able to run it via a terminal and get log output from pcap files.

What I am not able to do is have Splunk's pcap modular input ingest a pcap from a directory and use Bro to parse it, as the Splunk add-on for Bro IDS suggests.

I'm not entirely sure, but I think it has to do with the libraries Splunk is using vs. the libraries I've installed outside Splunk.

I checked; openssl is already installed. Ubuntu doesn't have an openssl-dev or -devel; it's libssl-dev, which was already installed.


jkat54
SplunkTrust

I see. Have you tried symlinking /opt/splunk/lib/libcrypto.so.1.0.0 to LD_CONFIG_PATH/libcrypto.so.1.0.0, whatever that is in your environment?

Same for libssl.


jkat54
SplunkTrust

Also make sure the Splunk user has execute permission on the file that's linked to as well.

Seems it would be easier to set the correct LD_CONFIG_PATH in Splunk when loading the brodns python files. I'm sure they developed it that way... you really might want to echo $LD_CONFIG_PATH and check to see if the files are there (as the Splunk user). And if not, set the correct path with 'export LD_CONFIG_PATH=/usr/lib64/packages' or whatever it should be.


jkat54
SplunkTrust

Sorry, replace CONFIG with LIBRARY.
