Optiv Threat Intel App in a Distributed Environment

Makinde
New Member

Hi Derek,

My question is a combination of other questions that have previously been asked; however, after trying the suggested fixes I still don't get any results.

Here are my questions:

  1. I get the error "External search command 'dnslookup' returned error code 1" in the app searches. Any suggestions on how to resolve this or is this part of a bigger issue below?

  2. I have a distributed environment and Splunk installed on a different drive. I installed Splunk on my search head; however, I got errors from my indexers saying they received logs for an index that hasn't been defined (my environment is such that we have the search heads configured to forward any locally generated logs to the indexers, hence why I probably got that error), so I created the Optiv index on my indexers, and that fixed that error. I also went to every conf file and changed all the "C:\Program files\Splunk" to "E:\Program files\Splunk..." and all the "opt\Splunk" to "E:\Program files\Splunk...". However, I noticed the lookup files aren't being populated. I am able to search the raw threat intelligence in Splunk from about 10 sources, but the app summary page only shows information from three sources.

Something just doesn't feel right, I don't think I have it configured as it should be. Can you give any suggestions?

Thanks,

0 Karma

derekarnold
Communicator

For 2, you are going to need the optiv index on your indexers. There's an indexes.conf included in the app to help with this. Could you post the contents of the troubleshooting tab? A healthy set of connections would look something like this:

[*] Script Started at: 08-31-2016 09:09:19 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1224 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 7828 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 48 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Finished retrieving 12150 IPs from AlienVault.
URL: https://check.torproject.org/exit-addresses
Finished retrieving 1093 TorExitNodes.
URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Finished retrieving 162 IPs from Zeus.
URL: https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
Finished retrieving 14 IPs from Palevo.
URL: http://www.openbl.org/lists/base_1days.txt
Finished retrieving 150 IPs from Open Blocklist base 1 day.
URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Finished retrieving 211470 HP Hosts by MalwareBytes Domains.
URL: http://www.malwaredomainlist.com/hostslist/hosts.txt
Finished retrieving 618 Malware Domains.
URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Finished retrieving 141 ISC SANS Suspicious Domains.
URL: https://openphish.com/feed.txt
Finished retrieving 2757 Open Phish URLs.
URL: http://data.phishtank.com/data/online-valid.csv
Finished retrieving 34316 Phish Tank URLs.
URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Finished retrieving 329 Bambenek IPs.
URL: http://www.talosintel.com/feeds/ip-filter.blf
Finished retrieving 12680 Talos Intel IPs.
URL: http://malc0de.com/bl/ZONES
Finished retrieving 54 Malc0de Domains.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 573 CI Army Badguys IPs.
[*] Starting python get alerts script.
[*] Looking for old log files to clear.

I am wondering if the lookups aren't populating because the search head cannot connect to the URLs containing the threat intelligence sources. The list of URLs to whitelist is in the README.txt at the bottom as well as the troubleshooting tab of the app. If you are getting partial threat lists, some network control is blocking the queries (firewall, proxy, IDS/IPS).

If you perform this search you should get something similar. If some threat lists are missing (fewer than 20) or have counts of zero, check the above. Cheers.

index=optiv earliest=-12h | top 50 threat_list_name

threat_list_name    count   percent
AlienVault_IP_Blocklist 12147   4.230812
Binary_Defense_IPs  7825    2.725455
CI_Army_Badguys_IPs 572 0.199228
Dshield_Top_Attackers   20  0.006966
Emerging_Threats_Compromised_IPs    1224    0.42632
Feodo   692 0.241024
HP_Hosts_By_MalwareBytes    211468  73.654513
ISC_SANS_Suspicious 140 0.048762
Malware_Domains 617 0.214902
OpenBL_1day 149 0.051897
Open_Phish_URLs 2756    0.959918
Palevo_CandC    14  0.004876
Phish_Tank_URLs 34315   11.951948
Spamhaus_Drop_Nets  809 0.281775
TorExitNodes    1092    0.380345
Zeus    162 0.056425
bambenekIPs 328 0.114243
malc0de_Domains 53  0.01846
malc0de_IPs 47  0.01637
talos_intel_IPs 12678   4.41576
0 Karma
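As an added illustration (not code from the Optiv app or from either poster), the following Python script automates the checks Derek describes on the troubleshooting-tab output: a "URL:" line that is never followed by a "Finished retrieving" line (in the healthy listing above, autoshun.org is the one feed that shows this), feeds that come back with zero entries, and fewer than 20 lists in total. The same checks are applied to the table produced by the index=optiv | top 50 threat_list_name search. The sample log and sample search output are constructed for the example; the 20-list threshold is the one given in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the troubleshooting-tab output in the post:
# autoshun.org prints a URL line but no "Finished retrieving" line, and one
# feed (hypothetical here) returns zero entries.
SAMPLE_LOG = """\
[*] Script Started at: 08-31-2016 09:09:19 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1224 Emerging Threats Compromised IPs.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 0 CI Army Badguys IPs.
[*] Starting python get alerts script.
"""

# Constructed sample of the "| top 50 threat_list_name" table (name, count, percent).
SAMPLE_TOP = """\
threat_list_name    count   percent
Feodo   692 0.241024
Spamhaus_Drop_Nets  809 0.281775
Zeus    0   0.0
"""

URL_RE = re.compile(r"^URL:\s*(\S+)")
DONE_RE = re.compile(r"^Finished retrieving (\d+) (.+?)\.?$")
TOP_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+[\d.]+\s*$")


@dataclass
class FeedReport:
    counts: dict = field(default_factory=dict)      # feed label -> entries retrieved
    unanswered: list = field(default_factory=list)  # URLs with no "Finished retrieving" line
    empty: list = field(default_factory=list)       # feeds that returned 0 entries


def parse_troubleshooting_log(text: str) -> FeedReport:
    """Walk the script log; a URL is 'answered' once a Finished line follows it."""
    report = FeedReport()
    pending_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            if pending_url is not None:          # previous URL never produced a result
                report.unanswered.append(pending_url)
            pending_url = m.group(1)
            continue
        m = DONE_RE.match(line)
        if m:
            count, label = int(m.group(1)), m.group(2)
            report.counts[label] = count
            if count == 0:
                report.empty.append(label)
            pending_url = None                   # one URL may yield several lists
            continue
        if pending_url is not None:              # script moved on without a result
            report.unanswered.append(pending_url)
            pending_url = None
    if pending_url is not None:
        report.unanswered.append(pending_url)
    return report


def parse_top_output(text: str) -> FeedReport:
    """Read the search output table; header and blank lines do not match the row regex."""
    report = FeedReport()
    for line in text.splitlines():
        m = TOP_ROW_RE.match(line)
        if m:
            name, count = m.group(1), int(m.group(2))
            report.counts[name] = count
            if count == 0:
                report.empty.append(name)
    return report


def problems(report: FeedReport, expected_min_lists: int = 20) -> list:
    """Turn a report into the findings a practitioner would act on."""
    issues = []
    if len(report.counts) < expected_min_lists:
        issues.append(f"only {len(report.counts)} threat lists seen "
                      f"(expected at least {expected_min_lists})")
    for url in report.unanswered:
        issues.append(f"no result for {url}: check firewall/proxy/IPS egress from the search head")
    for label in report.empty:
        issues.append(f"{label} returned 0 entries: feed blocked or list format changed")
    return issues


if __name__ == "__main__":
    for name, rep in (("troubleshooting log", parse_troubleshooting_log(SAMPLE_LOG)),
                      ("top search output", parse_top_output(SAMPLE_TOP))):
        print(f"== {name} ==")
        for issue in problems(rep) or ["no problems found"]:
            print(" -", issue)
```

Feed the real troubleshooting-tab text or the saved search results into the two parsers; any URL listed under "no result for" is the one to test from the search head itself (and to compare against the whitelist in the README), since that is where the collection script runs.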

Makinde
New Member

Hi Derek,

I was able to get the app working last week and it worked fine up until Friday last week; however, since then I have not been able to pull any results in. It seems like the app is disabled, but it isn't.

This issue seems to be the same even in my test environment. The troubleshooting tab never returns any results for me, both when the app is working fine and when it isn't.

Any ideas?

Thanks,
Makinde

0 Karma

derekarnold
Communicator

Please run a .\splunk diag on any Splunk servers running the Optiv app. I have provided a Box link to upload to. I am especially interested in the optiv_threat_lists*.log file in %SPLUNK_HOME%\var\log\splunk\

0 Karma

Makinde
New Member

Hi Derek,

Did you have a chance to get to my question yet?

0 Karma