Proofpoint - ET Splunk TA - Proxy settings

morganfw
Path Finder

Hello,
I've installed Proofpoint - ET Splunk TA v1.1.5 on Splunk Enterprise v7.2.9.1 and I need to configure a proxy to reach the Internet.

- Issue:
I need to use a proxy to reach the Internet. When I set the proxy globally on the OS, I can contact all sites, but Proofpoint - ET Splunk TA cannot contact the Proofpoint API through the proxy; I assume that the app contacts the Proofpoint API directly.

After some debugging, I found that line 101 of the $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py file reads:

def make_url(authcode, fname):
    url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
        authcode, fname)
    request = Request(url)
    logger.debug("Version is %s", VERSION)
    agent = "ET-SPLUNK-TA (" + VERSION + ")"
    logger.debug("User-agent is %s", agent)
    request.add_header("User-agent", agent)
    return request

I want to know how to set up proxy lines in the script to reach the Internet.

I suggest making a modification in the next app version and adding an option to allow the user to modify proxy settings through the app's web interface in Splunk.

Any suggestions for a quick resolution with a workaround?
Regards


morganfw
Path Finder

Hello,
I managed the proxy change with the following modification in $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py:

- Original script -

def make_url(authcode, fname):
    url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
        authcode, fname)
    request = Request(url)
    logger.debug("Version is %s", VERSION)
    agent = "ET-SPLUNK-TA (" + VERSION + ")"
    logger.debug("User-agent is %s", agent)
    request.add_header("User-agent", agent)
    return request

- Modified script (adding "request.set_proxy" below line 104) -

def make_url(authcode, fname):
    url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
        authcode, fname)
    request = Request(url)
    request.set_proxy('http://<your_proxy>:<your_port>','http')
    logger.debug("Version is %s", VERSION)
    agent = "ET-SPLUNK-TA (" + VERSION + ")"
    logger.debug("User-agent is %s", agent)
    request.add_header("User-agent", agent)
    return request

Thank you.


PavelP
Motivator

Have you tried to set

export HTTP_PROXY=http://proxy:port

in the Splunk init or unit file? The Request Python module supports proxy configuration by setting the environment variables:

https://2.python-requests.org/en/v2.8.1/user/advanced/#proxies
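
An added example, not part of the thread or of the TA's own code, combining the two replies above: it reads the proxy from the environment instead of hard-coding it in update_repdata.py, and shows what set_proxy does to an https:// request. It assumes Request comes from Python 3's urllib.request and that the https_proxy / HTTPS_PROXY variable is the one consulted for https:// URLs; proxy_hostport, describe, the env parameter and all sample values are hypothetical.

```python
import os
from urllib.parse import urlsplit
from urllib.request import Request

BASE = "https://rules.emergingthreatspro.com/{0}/reputation/{1}"


def proxy_hostport(proxy_url):
    """Validate a proxy URL and return the 'host:port' form set_proxy() takes."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("proxy must look like http://host:port")
    if parts.username or parts.password:
        # set_proxy() sends no proxy credentials, so refuse them loudly
        raise ValueError("proxy credentials are not handled here")
    if parts.port is None:
        raise ValueError("proxy URL needs an explicit port")
    return "{0}:{1}".format(parts.hostname, parts.port)


def make_url(authcode, fname, env=None):
    """Build the reputation request, tunnelling through a proxy if one is set."""
    env = os.environ if env is None else env
    request = Request(BASE.format(authcode, fname))
    proxy = env.get("https_proxy") or env.get("HTTPS_PROXY")
    if proxy:
        # For an https:// URL urllib keeps the scheme and opens a CONNECT
        # tunnel: the proxy sees only the target host and port, not the URL
        # path carrying the authcode (unless it intercepts TLS).
        request.set_proxy(proxy_hostport(proxy), "https")
    request.add_header("User-agent", "ET-SPLUNK-TA (example)")
    return request


def describe(request):
    """Return (connect_to, tunnel_target, path) without any network I/O."""
    return request.host, request._tunnel_host, request.selector


if __name__ == "__main__":
    # Constructed sample values, not real credentials or file names
    sample_env = {"https_proxy": "http://proxy.example:3128"}
    print(describe(make_url("EXAMPLE-AUTHCODE", "example.txt", env=sample_env)))
    print(describe(make_url("EXAMPLE-AUTHCODE", "example.txt", env={})))
```

Keeping the proxy in the environment of the Splunk service also means the setting is not lost when an app upgrade replaces files under the TA's bin directory.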
