All Apps and Add-ons

Obelisk Threat Intel: Error in app

johnvdzon
Explorer

I have errors in the app Obelisk Threat Intel and the app doesn't work that well anymore.
I have removed the app according to the step below:

Stop Splunk
Remove the app from the directory structure on Linux:
rm –rf /opt/splunk/etc/apps/obelisk-threat-intel
rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
Start Splunk

I checked and the index was also gone.

Install the app again thru the menu "Manage Apps"
After the app is uploaded and installed, restart Splunk.

I waited more than 2 days and see still the same errors:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" IndexError: list index out of range
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     feodoIPs = p[0].split()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     parseEmergingThreatsBlockList(raw_threatlist)
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     main()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in 
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" Traceback (most recent call last):

Who has any idea how I can solve this?

0 Karma
1 Solution

johnvdzon
Explorer

I found the solution my self. After some peeking and poking the next steps brought me to a solution. I don’t now if it is the correct / perfect solution but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two :

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk
removed the directories :

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command : rm -RF /opt/splunk/etc/apps/obelisk-threat-intel
command : rm -RF /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/

I removed “-master” from the name of the directories

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed “ p = re.findall('^# Feodo(.?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)”
into “p = re.findall('^# Feodo(.
?)',urlResults,re.DOTALL|re.MULTILINE)”

In it is row 747

started Splunk again , waited for a couple of hours and yes it works again.

View solution in original post

johnvdzon
Explorer

I found the solution my self. After some peeking and poking the next steps brought me to a solution. I don’t now if it is the correct / perfect solution but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two :

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk
removed the directories :

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command : rm -RF /opt/splunk/etc/apps/obelisk-threat-intel
command : rm -RF /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/

I removed “-master” from the name of the directories

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed “ p = re.findall('^# Feodo(.?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)”
into “p = re.findall('^# Feodo(.
?)',urlResults,re.DOTALL|re.MULTILINE)”

In it is row 747

started Splunk again , waited for a couple of hours and yes it works again.

Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...