My question is a combination of other questions that have previously been asked; however, after trying the suggested fixes I still don't get any results.
Here are my questions:
1. I get the error "External search command 'dnslookup' returned error code 1" in the app searches. Any suggestions on how to resolve this, or is this part of the bigger issue below?
2. I have a distributed environment, and Splunk is installed on a different drive. I installed Splunk on my search head; however, I got errors from my indexers saying they received logs for an index that hasn't been defined (my environment is such that we have the search heads configured to forward any locally generated logs to the indexers, hence why I probably got that error), so I created the Optiv index on my indexers, and that fixed that error. I also went to every conf file and changed all the "C:\Program files\Splunk" to "E:\Program files\Splunk..." and all the "opt\Splunk" to "E:\Program files\Splunk...". However, I noticed the lookup files aren't being populated. I am able to search the raw threat intelligence in Splunk from about 10 sources, but the app summary page only shows information from three sources.
Something just doesn't feel right; I don't think I have it configured as it should be. Can you give any suggestions?
For 2, you are going to need the optiv index on your indexers. There's an indexes.conf included in the app to help with this. Could you post the contents of the troubleshooting tab? A healthy set of connections would look something like this:
[*] Script Started at: 08-31-2016 09:09:19 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1224 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 7828 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 48 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Finished retrieving 12150 IPs from AlienVault.
URL: https://check.torproject.org/exit-addresses
Finished retrieving 1093 TorExitNodes.
URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Finished retrieving 162 IPs from Zeus.
URL: https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
Finished retrieving 14 IPs from Palevo.
URL: http://www.openbl.org/lists/base_1days.txt
Finished retrieving 150 IPs from Open Blocklist base 1 day.
URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Finished retrieving 211470 HP Hosts by MalwareBytes Domains.
URL: http://www.malwaredomainlist.com/hostslist/hosts.txt
Finished retrieving 618 Malware Domains.
URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Finished retrieving 141 ISC SANS Suspicious Domains.
URL: https://openphish.com/feed.txt
Finished retrieving 2757 Open Phish URLs.
URL: http://data.phishtank.com/data/online-valid.csv
Finished retrieving 34316 Phish Tank URLs.
URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Finished retrieving 329 Bambenek IPs.
URL: http://www.talosintel.com/feeds/ip-filter.blf
Finished retrieving 12680 Talos Intel IPs.
URL: http://malc0de.com/bl/ZONES
Finished retrieving 54 Malc0de Domains.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 573 CI Army Badguys IPs.
[*] Starting python get alerts script.
[*] Looking for old log files to clear.
I am wondering if the lookups aren't populating because the search head cannot connect to the URLs containing the threat intelligence sources. The list of URLs to whitelist is in the README.txt at the bottom, as well as in the troubleshooting tab of the app. If you are getting partial threat lists, some network control is blocking the queries (firewall, proxy, IDS/IPS).
If you perform this search you should get something similar. If some threat lists are missing (fewer than 20) or have counts of zero, check the above. Cheers.
index=optiv earliest=-12h | top 50 threat_list_name
threat_list_name                  count    percent
AlienVault_IP_Blocklist           12147    4.230812
Binary_Defense_IPs                7825     2.725455
CI_Army_Badguys_IPs               572      0.199228
Dshield_Top_Attackers             20       0.006966
Emerging_Threats_Compromised_IPs  1224     0.42632
Feodo                             692      0.241024
HP_Hosts_By_MalwareBytes          211468   73.654513
ISC_SANS_Suspicious               140      0.048762
Malware_Domains                   617      0.214902
OpenBL_1day                       149      0.051897
Open_Phish_URLs                   2756     0.959918
Palevo_CandC                      14       0.004876
Phish_Tank_URLs                   34315    11.951948
Spamhaus_Drop_Nets                809      0.281775
TorExitNodes                      1092     0.380345
Zeus                              162      0.056425
bambenekIPs                       328      0.114243
malc0de_Domains                   53       0.01846
malc0de_IPs                       47       0.01637
talos_intel_IPs                   12678    4.41576
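As an added example (not part of the thread or of the Optiv app itself), a small parser for the troubleshooting output quoted above: it groups each "Finished retrieving" line under the URL that preceded it, so a feed that logs its URL but never a retrieval result (the pattern a proxy or firewall block leaves behind) and any list with a zero count can be flagged. The log text is a constructed subset of the output shown in the answer.

```python
import re

# Constructed sample: a subset of the optiv_threat_lists log quoted above, plus one
# feed (autoshun) that logs its URL but never a "Finished retrieving" line.
SAMPLE_LOG = """\
[*] Script Started at: 08-31-2016 09:09:19 GMT
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 48 malc0de_IPs.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 573 CI Army Badguys IPs.
[*] Starting python get alerts script.
"""

URL_RE = re.compile(r"^URL:\s+(\S+)")
DONE_RE = re.compile(r"^Finished retrieving (\d+) (.+?)\.?$")


def parse_feed_log(text):
    """Group each 'Finished retrieving' line under the most recent URL line.

    Returns {url: [(count, label), ...]}. A URL with an empty list never produced
    a result, which is what a feed blocked by a proxy/firewall leaves behind.
    """
    feeds, current = {}, None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            current = m.group(1)
            feeds.setdefault(current, [])
            continue
        m = DONE_RE.match(line)
        if m and current is not None:
            feeds[current].append((int(m.group(1)), m.group(2)))
    return feeds


def suspect_feeds(feeds):
    """URLs that retrieved nothing, or only zero-entry lists: check network controls for these."""
    return sorted(u for u, r in feeds.items() if not r or all(c == 0 for c, _ in r))


def retrieved_list_count(feeds):
    """Number of threat lists that came back; the answer treats fewer than 20 as a problem."""
    return sum(len(r) for r in feeds.values())
```

Run it over the real %SPLUNK_HOME%\var\log\splunk\optiv_threat_lists*.log file on the search head, and compare the flagged URLs with the whitelist in the README.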
I was able to get the app working last week, and it worked fine up until Friday last week; however, since then I have not been able to pull any results in. It seems like the app is disabled, but it isn't.
This issue seems to be the same even in my test environment. The troubleshooting tab never returns any results for me, both when the app is working fine and when it isn't.
Please run a .\splunk diag on any Splunk servers running the Optiv app. I have provided a Box link to upload to. I am especially interested in the optiv_threat_lists*.log file in %SPLUNK_HOME%\var\log\splunk\
Did you have a chance to get to my question yet?