
Obelisk Threat Intel: Error in app

johnvdzon
Explorer

I have errors in the app Obelisk Threat Intel and the app doesn't work that well anymore.
I have removed the app according to the step below:

Stop Splunk
Remove the app from the directory structure on Linux:
rm -rf /opt/splunk/etc/apps/obelisk-threat-intel
rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
Start Splunk

I checked and the index was also gone.

Install the app again through the menu "Manage Apps"
After the app is uploaded and installed, restart Splunk.

I waited more than 2 days and still see the same errors:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" IndexError: list index out of range
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     feodoIPs = p[0].split()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     parseEmergingThreatsBlockList(raw_threatlist)
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     main()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in 
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" Traceback (most recent call last):

Who has any idea how I can solve this?

1 Solution

johnvdzon
Explorer

I found the solution myself. After some peeking and poking the following steps brought me to a solution. I don't know if it is the correct / perfect solution but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two :

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk
removed the directories :

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command : rm -rf /opt/splunk/etc/apps/obelisk-threat-intel
command : rm -rf /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/

I removed “-master” from the name of the directories

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed “p = re.findall('^# Feodo(.*?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)”
into “p = re.findall('^# Feodo(.*?)',urlResults,re.DOTALL|re.MULTILINE)”

It is on line 747 of that file.

started Splunk again, waited for a couple of hours and yes, it works again.

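As an added illustration, not code from the Obelisk add-on or from the answer above: the parser below runs a constructed Emerging Threats-style block list (RFC 5737 documentation addresses, so no real indicators) through the regex from line 747, shows the IndexError once the `# Zeus` marker is absent from the feed, shows that the posted workaround stops the crash but returns no Feodo addresses (a lazy `(.*?)` with nothing after it captures the empty string), and adds a hypothetical section-based parser that tolerates a missing marker. The names `FEED_WITH_ZEUS`, `split_sections`, `feodo_ips_robust` and `run_parser` are assumptions for this example.

```python
import re

# Constructed sample in the style of the Emerging Threats block list that
# obelisk_threat_intel.py parses; addresses are RFC 5737 documentation ranges.
FEED_WITH_ZEUS = """# Emerging Threats block list (constructed sample)
# Feodo
192.0.2.10
192.0.2.11
# Zeus
198.51.100.5
"""
# Same feed once the "# Zeus" marker is gone: the shipped regex matches nothing,
# p becomes [] and p[0] raises the IndexError seen in the Splunk log.
FEED_NO_ZEUS = FEED_WITH_ZEUS.split("# Zeus")[0]

def feodo_ips_original(url_results):
    """Line 747 as shipped: needs both the Feodo and the Zeus marker."""
    p = re.findall('^# Feodo(.*?)^# Zeus', url_results, re.DOTALL | re.MULTILINE)
    return p[0].split()

def feodo_ips_patched(url_results):
    """Workaround from the answer: no crash, but a lazy (.*?) with nothing after
    it captures the empty string, so no Feodo addresses come back."""
    p = re.findall('^# Feodo(.*?)', url_results, re.DOTALL | re.MULTILINE)
    return p[0].split()

# Hardened parser (hypothetical, not the add-on's code): each "# Name" header
# opens a section that ends at the next header or at the end of the feed.
SECTION_RE = re.compile(r'^# (?P<name>\S+)[^\n]*(?:\n|\Z)(?P<body>.*?)(?=^# |\Z)',
                        re.DOTALL | re.MULTILINE)
IPV4_RE = re.compile(r'(?:\d{1,3}\.){3}\d{1,3}')

def split_sections(url_results):
    """Map each section name to the whitespace-separated tokens under it."""
    sections = {}
    for m in SECTION_RE.finditer(url_results):
        sections.setdefault(m.group('name'), []).extend(m.group('body').split())
    return sections

def feodo_ips_robust(url_results):
    """Feodo IPv4 addresses, or [] when the section is missing; never IndexError."""
    tokens = split_sections(url_results).get('Feodo', [])
    return [t for t in tokens if IPV4_RE.fullmatch(t)]   # drop comments/malformed tokens

def run_parser(parser, url_results):
    """Report a parser failure as data instead of letting the scripted input die."""
    try:
        return parser(url_results), None
    except IndexError as exc:
        return [], type(exc).__name__
```

Checking for an empty Feodo list after the feed download is the cheap way to notice that a marker has changed upstream before the threat-intel lookups silently go stale.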
