Obelisk Threat Intel: Error in app

johnvdzon
Explorer

I have errors in the app Obelisk Threat Intel and the app doesn't work that well anymore.
I removed the app according to the steps below:

Stop Splunk
Remove the app from the directory structure on Linux:
rm -rf /opt/splunk/etc/apps/obelisk-threat-intel
rm -rf /opt/splunk/etc/apps/TA_obelisk-threat
Start Splunk

I checked and the index was also gone.

Install the app again through the menu "Manage Apps".
After the app is uploaded and installed, restart Splunk.

I waited more than 2 days and still see the same errors:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" Traceback (most recent call last):
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in <module>
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     main()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     parseEmergingThreatsBlockList(raw_threatlist)
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"   File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh"     feodoIPs = p[0].split()
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA_obelisk-threat/bin/scripts/starter_script.sh" IndexError: list index out of range

Who has any idea how I can solve this?

1 Solution

johnvdzon
Explorer

I found the solution myself. After some peeking and poking, the following steps brought me to a solution. I don't know if it is the correct/perfect solution, but it works.

I downloaded from github [ https://github.com/ransomvik ]

The following two:

  • TA_obelisk-threat
  • obelisk-threat-intel

I stopped Splunk and removed the directories:

/opt/splunk/etc/apps/obelisk-threat-intel
/opt/splunk/etc/apps/TA_obelisk-threat

command: rm -RF /opt/splunk/etc/apps/obelisk-threat-intel
command: rm -RF /opt/splunk/etc/apps/TA_obelisk-threat

I unzipped the two downloaded files into the directory /opt/splunk/etc/apps/

I removed "-master" from the names of the directories.

I edited the file /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py

changed "p = re.findall('^# Feodo(.*?)^# Zeus',urlResults,re.DOTALL|re.MULTILINE)"
into "p = re.findall('^# Feodo(.*?)',urlResults,re.DOTALL|re.MULTILINE)"

It is on line 747.

started Splunk again, waited for a couple of hours, and yes, it works again.


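Editor's added example, not code from the Obelisk Threat Intel app and not the poster's patch. It reproduces the two patterns quoted in the thread (the app's `'^# Feodo(.*?)^# Zeus'` from line 747, and the replacement without the `^# Zeus` terminator), shows why the first one ends in `IndexError` at `p[0]` once the feed no longer contains a `# Zeus` line, and shows a parser that does not depend on any particular section header being present. The block list text is constructed for illustration; the real Emerging Threats feed's banner and section names are assumed to follow the `# Name` layout the app's regex implies. One regex fact worth knowing before adopting the patched pattern: a lazy `(.*?)` with nothing after it matches the empty string, so `findall` returns `['']` and the Feodo list comes back empty rather than populated.

```python
"""Section-aware parsing of an Emerging Threats style block list.

Added example: not the Obelisk Threat Intel app's code and not the forum
poster's patch. The feed text below is constructed for illustration.
"""
import ipaddress
import re

# Constructed feed: banner, a '# Feodo' section, a '# Zeus' section.
# The 'not-an-ip' line inside the Feodo section is deliberate.
SAMPLE_WITH_ZEUS = """# Emerging Threats compromised hosts (constructed sample)
# Feodo
192.0.2.10
192.0.2.11
not-an-ip
# Zeus
198.51.100.5
203.0.113.0/24
"""

# Same feed with the Zeus section gone: the shape that makes the app's
# p[0] lookup raise IndexError, because findall() returns [].
SAMPLE_WITHOUT_ZEUS = """# Emerging Threats compromised hosts (constructed sample)
# Feodo
192.0.2.10
192.0.2.11
not-an-ip
"""

# Pattern quoted in the thread (obelisk_threat_intel.py line 747).
APP_PATTERN = re.compile(r'^# Feodo(.*?)^# Zeus', re.DOTALL | re.MULTILINE)
# The poster's replacement pattern.
PATCHED_PATTERN = re.compile(r'^# Feodo(.*?)', re.DOTALL | re.MULTILINE)


def feodo_ips_app_style(text):
    """Mirror the app's line 750: findall(...)[0].split().
    Raises IndexError when no '# Zeus' line follows '# Feodo'."""
    p = APP_PATTERN.findall(text)
    return p[0].split()


def feodo_ips_patched_style(text):
    """Same lookup with the poster's regex. Lazy (.*?) followed by nothing
    matches the empty string, so the capture is '' and split() gives []."""
    p = PATCHED_PATTERN.findall(text)
    return p[0].split()


def app_style_raises(text):
    """True if the app-style lookup raises IndexError on this text."""
    try:
        feodo_ips_app_style(text)
    except IndexError:
        return True
    return False


def parse_sections(text):
    """Split the feed on '# Name' lines and return {name: [entries]}.

    Every '#' line opens a new section, so a missing or renamed section
    yields no entries instead of an exception. Each entry must parse as an
    IPv4/IPv6 address or CIDR block; anything else is dropped so stray
    text in the feed cannot land in a lookup used for matching.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            current = line.lstrip('#').strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # data before the first header: nowhere to file it
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not an address or block: skip it
        sections[current].append(line)
    return sections


def feodo_ips_robust(text):
    """Feodo entries, or [] when the section is absent."""
    return parse_sections(text).get('Feodo', [])


if __name__ == '__main__':
    print('app-style, with Zeus:', feodo_ips_app_style(SAMPLE_WITH_ZEUS))
    print('app-style raises without Zeus:', app_style_raises(SAMPLE_WITHOUT_ZEUS))
    print('patched regex:', feodo_ips_patched_style(SAMPLE_WITH_ZEUS))
    print('robust, with Zeus:', feodo_ips_robust(SAMPLE_WITH_ZEUS))
    print('robust, without Zeus:', feodo_ips_robust(SAMPLE_WITHOUT_ZEUS))
```

The section-based parser differs from both regexes in two ways that matter for a threat-intel lookup: it treats the absence of a section as "no indicators" rather than as a crash or as silent success with an empty capture, and it validates each entry with `ipaddress` before keeping it, so a comment or stray token that shows up inside a section (the `not-an-ip` line above, which the app-style regex would have ingested) never reaches the Splunk lookup.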
