All Apps and Add-ons

Obelisk Threat Intel: Error in app

johnvdzon
Explorer

I have errors in the app Obelisk Threat Intel and the app doesn't work that well anymore.
I have removed the app according to the step below:

Stop Splunk
Remove the app from the directory structure on Linux:
rm –rf /opt/splunk/etc/apps/obelisk-threat-intel
rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
Start Splunk

I checked and the index was also gone.

Install the app again thru the menu "Manage Apps"
After the app is uploaded and installed, restart Splunk.

I waited more than 2 days and see still the same errors:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" IndexError: list index out of range
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     feodoIPs = p[0].split()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     parseEmergingThreatsBlockList(raw_threatlist)
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     main()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in 
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" Traceback (most recent call last):

Who has any idea how I can solve this?

0 Karma
1 Solution

johnvdzon
Explorer

I found the solution my self. After some peeking and poking the next steps brought me to a solution. I don’t now if it is the correct / perfect solution but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two :

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk
removed the directories :

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command : rm -RF /opt/splunk/etc/apps/obelisk-threat-intel
command : rm -RF /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/

I removed “-master” from the name of the directories

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed “ p = re.findall('^# Feodo(.?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)”
into “p = re.findall('^# Feodo(.
?)',urlResults,re.DOTALL|re.MULTILINE)”

In it is row 747

started Splunk again , waited for a couple of hours and yes it works again.

View solution in original post

johnvdzon
Explorer

I found the solution my self. After some peeking and poking the next steps brought me to a solution. I don’t now if it is the correct / perfect solution but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two :

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk
removed the directories :

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command : rm -RF /opt/splunk/etc/apps/obelisk-threat-intel
command : rm -RF /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/

I removed “-master” from the name of the directories

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed “ p = re.findall('^# Feodo(.?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)”
into “p = re.findall('^# Feodo(.
?)',urlResults,re.DOTALL|re.MULTILINE)”

In it is row 747

started Splunk again , waited for a couple of hours and yes it works again.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...