We noticed that the threat intel is not being populated using the Obelisk Threat Intel App for the majority of the Intel sources. The error received was:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1015, in <module>
    main()
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 935, in main
    parseZeus(raw_threatlist)
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 635, in parseZeus
    zeusIPs = zeusIPs[2].split('\n')
IndexError: list index out of range
Thanks for bringing this to my attention. This has been fixed in the latest release.
I'm getting the below:
bash-4.2$ /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py
logfile_name: /opt/splunk/etc/apps/TA_obelisk-threat/logs/obelisk_threat_lists_script10-03-2019-14-01-21.log
[*] Script Started at: 10-03-2019 14:01:21 GMT
[*] Script version: 3.4.6
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
user_agent_bool: true
Finished retrieving 849 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in <module>
    main()
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
    parseEmergingThreatsBlockList(raw_threatlist)
  File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
    feodoIPs = p[0].split()
IndexError: list index out of range
I'll try to fix it myself, but I thought you would want to know. If I do fix it, I'll dump it here.
This was solved by commenting it out. It looks like ZeuS Tracker is no longer available.
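Added example (not code from the TA or from anyone in this thread): both tracebacks come from indexing the result of a split() on a fetched feed body without first checking that the body actually looks like a feed. When a source is retired (as ZeuS Tracker was) the fetch may return an empty body or an HTML error page, the index fails, and the uncaught IndexError aborts the whole run, so none of the remaining sources get populated either. The code below validates each body, extracts IPv4 indicators with the standard library's ipaddress module, and records per-feed failures instead of raising, so one dead feed is skipped rather than taking down the rest. The feed names, feed bodies and the fragile_parse function are constructed for illustration and do not reproduce the app's real parsing logic.

```python
"""Defensive threat-feed parsing: a retired or malformed feed is skipped, not fatal."""
import ipaddress
import re

# Constructed sample feed bodies (illustrative only, not real feed contents).
SAMPLE_FEEDS = {
    # A plain IP blocklist with comment lines, in the style of a fwrules block list.
    "emergingthreats": (
        "# Block list (constructed sample)\n"
        "# one indicator per line\n"
        "1.2.3.4\n"
        "5.6.7.8\n"
        "203.0.113.0/24\n"
        "\n"
    ),
    # A source that no longer exists: the HTTP client hands back an HTML error page.
    "zeus": "<html><body><h1>410 Gone</h1></body></html>\n",
    # A source that answered with an empty body.
    "empty": "",
}

# IPv4 address with an optional CIDR suffix; validated properly afterwards.
_IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def fragile_parse(raw):
    """Mirrors the pattern in the tracebacks: index a split() result without
    checking that the expected section exists. Raises IndexError on a body
    that does not contain at least two '#' characters."""
    parts = raw.split("#")
    return parts[2].split("\n")


def fragile_parse_raises(raw):
    """True if fragile_parse blows up on this body (used to show the failure mode)."""
    try:
        fragile_parse(raw)
    except IndexError:
        return True
    return False


def parse_ip_feed(raw):
    """Return (indicators, status). Never raises on unexpected input."""
    if not raw or not raw.strip():
        return [], "empty body"
    head = raw.lstrip().lower()
    if head.startswith("<!doctype") or head.startswith("<html"):
        return [], "received HTML instead of a feed"
    indicators = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        match = _IPV4_RE.match(line)
        if not match:
            continue  # not an IPv4 indicator; ignore rather than crash
        token = match.group(0)
        try:
            if "/" in token:
                ipaddress.ip_network(token, strict=False)
            else:
                ipaddress.ip_address(token)
        except ValueError:
            continue  # looked like an address but is not a valid one
        indicators.append(token)
    if not indicators:
        return [], "no valid indicators found"
    return indicators, "ok"


def collect_feeds(feeds):
    """Parse every feed; collect per-feed problems instead of aborting the run."""
    results = {}
    problems = []
    for name, raw in feeds.items():
        indicators, status = parse_ip_feed(raw)
        if status != "ok":
            problems.append("%s: %s; skipping" % (name, status))
            continue
        results[name] = indicators
    return results, problems


if __name__ == "__main__":
    ok, bad = collect_feeds(SAMPLE_FEEDS)
    for name, ips in ok.items():
        print("Finished retrieving %d IPs from %s." % (len(ips), name))
    for line in bad:
        print("[!] " + line)
```

Running the module prints one success line for the usable feed and one skip line each for the HTML error page and the empty body; the old indexing pattern, by contrast, raises on both of the bad bodies. When wiring this into a scheduled script, also check the HTTP status code before parsing, since a 404 or 410 with an HTML body is exactly what a retired feed produces.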