I have errors in the app Obelisk Threat Intel and the app doesn't work that well anymore.
I have removed the app according to the step below:
Stop Splunk
Remove the app from the directory structure on Linux:
rm -rf /opt/splunk/etc/apps/obelisk-threat-intel
rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
Start Splunk
I checked and the index was also gone.
Install the app again through the menu "Manage Apps"
After the app is uploaded and installed, restart Splunk.
I waited more than 2 days and still see the same errors:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" IndexError: list index out of range
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" feodoIPs = p[0].split()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" parseEmergingThreatsBlockList(raw_threatlist)
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" main()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" Traceback (most recent call last):
Who has any idea how I can solve this?
I found the solution myself. After some peeking and poking the next steps brought me to a solution. I don't know if it is the correct / perfect solution but it works.
I downloaded from github [ https://github.com/ransomvik ]
The following two:
I stopped Splunk
removed the directories:
/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat
command: rm -rf /opt/splunk/etc/apps/obelisk-threat-intel
command: rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
I unzipped the two downloaded files in the directory /opt/splunk/etc/apps/
I removed “-master” from the name of the directories
I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py
changed "p = re.findall('^# Feodo(.*?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)"
into "p = re.findall('^# Feodo(.*?)',urlResults,re.DOTALL|re.MULTILINE)"
It is on row 747 of that file.
started Splunk again, waited for a couple of hours, and yes, it works again.
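As an added illustration (not the app's code and not part of the answer above), the snippet below runs a constructed Emerging Threats style feed through the original pattern, the edited pattern from the answer, and a hypothetical defensive variant. The original pattern raises IndexError as soon as the feed has no "# Zeus" header; the edited lazy "(.*?)" with nothing after it captures an empty string, so it stops the error but returns no Feodo addresses, which is worth checking for before trusting the lookup.

```python
import re

# Constructed sample feeds (not real Emerging Threats data). Feed A still has
# the "# Zeus" section that the original regex expects; feed B no longer does.
FEED_WITH_ZEUS = """# Feodo
198.51.100.10
198.51.100.11
# Zeus
203.0.113.5
"""

FEED_WITHOUT_ZEUS = """# Feodo
198.51.100.10
198.51.100.11
# Other
203.0.113.9
"""

def feodo_ips_original(text):
    """Pattern as shipped: captures the block between '# Feodo' and '# Zeus'.
    findall() returns [] when '# Zeus' is missing, so p[0] raises IndexError."""
    p = re.findall(r'^# Feodo(.*?)^# Zeus', text, re.DOTALL | re.MULTILINE)
    return p[0].split()

def feodo_ips_patched(text):
    """The edit from the answer: terminator removed. A lazy (.*?) followed by
    nothing matches the empty string, so this never raises but yields no IPs."""
    p = re.findall(r'^# Feodo(.*?)', text, re.DOTALL | re.MULTILINE)
    return p[0].split()

def feodo_ips_hardened(text):
    """Hypothetical defensive version: capture up to the next '#' header or the
    end of the feed, keep only tokens that look like IPv4 addresses, and return
    [] instead of crashing when the Feodo section is absent."""
    m = re.search(r'^# Feodo[^\n]*\n(.*?)(?=^#|\Z)', text,
                  re.DOTALL | re.MULTILINE)
    if m is None:
        return []
    ipv4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
    return [tok for tok in m.group(1).split() if ipv4.match(tok)]
```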