Splunk Add-on for Cisco IPS: Why am I unable to connect to Cisco IPS after upgrading to Splunk 6.3?

arber
Communicator

Hi,

I'm trying to gather logs from an IPS into Splunk. The Splunk Add-on for Cisco IPS is configured; however, it looks like no subscription is created.

In sdee_get.log we have this:

Thu Nov 12 21:36:45 2015 - INFO - Checking for existing SubscriptionID on host: x.x.x.x
Thu Nov 12 21:36:45 2015 - INFO - No existing SubscriptionID for host: x.x.x.x
Thu Nov 12 21:36:45 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Thu Nov 12 21:36:45 2015 - INFO - Successfully connected to: x.x.x.x
Thu Nov 12 21:36:45 2015 - ERROR - Connecting to sensor - x.x.x.x: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1166, in do_open
    h = http_class(host, timeout=req.timeout, **http_conn_args)
TypeError: __init__() got an unexpected keyword argument 'context'

The version of Splunk we are using is 6.3.
What can be the issue?
Thanks

1 Solution

dgrubb_splunk
Splunk Employee

As indicated on Splunkbase this app is not rated for 6.3 and there is a known bug around this issue:

ADDON-6014 Can no longer connect to Cisco IPS after upgrading the Splunk platform to version 6.3

http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/Releasenotes#Known_issues

klaxdal
Contributor

I have it working on 6.4.1 (see my other post). You need to make a slight change in how Python passes the IPS credentials under the new version.

0 Karma

tequilalinux
New Member

Thank you for your answer, but I copied the pySDEE.py file and it did not work. Is there something else I need to modify?

0 Karma

tequilalinux
New Member

Could someone make it work for 6.4?

0 Karma

arber
Communicator

Hi,
thanks for the update. I tried to upgrade, but for me it is still not working. This is what I have in the logs:

Fri Dec 18 16:32:39 2015 - INFO - Checking for existing SubscriptionID on host: x.x.x.x
Fri Dec 18 16:32:39 2015 - INFO - No existing SubscriptionID for host: x.x.x.x
Fri Dec 18 16:32:39 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Fri Dec 18 16:32:39 2015 - INFO - Successfully connected to: x.x.x.x
Fri Dec 18 16:33:38 2015 - ERROR - Connecting to sensor - x.x.x.x: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
URLError:

Any idea what the issue can be?

Thanks for the support

0 Karma

klaxdal
Contributor

This will fix your issue; it seems things are handled a little "differently" in Python 2.7.9. Save this code (below) as "pySDEE.py" in your /bin for the IPS app.

import urllib
import urllib2
import base64
import time
import types

import xml.dom.minidom

import httplib
from httplib import HTTPConnection, HTTPS_PORT
import ssl
import socket


class HTTPSConnection(HTTPConnection):
    """Replacement for httplib.HTTPSConnection that pins the TLS version.

    Python 2.7.9's urllib2.HTTPSHandler instantiates the connection class as
    http_class(host, timeout=..., context=...). The extra ``context`` keyword
    is what the old replacement class did not accept, hence the TypeError in
    the thread. It is accepted here and ignored: connect() below builds the
    socket itself.
    """
    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
                 strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                 source_address=None, context=None):
        HTTPConnection.__init__(self, host, port, strict, timeout,
                                source_address)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        # Force the protocol version the sensor speaks instead of letting
        # the library negotiate. Note that with no ca_certs/cert_reqs given,
        # ssl.wrap_socket() does not verify the sensor's certificate.
        self.sock = ssl.wrap_socket(
            sock,
            self.key_file,
            self.cert_file,
            ssl_version=ssl.PROTOCOL_TLSv1_1)


# urllib2.HTTPSHandler looks the class up on the httplib module at call
# time, so this replacement applies to every HTTPS request made via urllib2.
httplib.HTTPSConnection = HTTPSConnection


def parse_open(action, data):
    """Extract sessionId and subscriptionId from an SDEE 'open' response."""
    doc = xml.dom.minidom.parseString(data)
    try:
        sess = doc.getElementsByTagName('env:Header')[0].getElementsByTagName(
            'sd:oobInfo')[0].getElementsByTagName('sd:sessionId')[0]
        sessionid = sess.firstChild.wholeText
    except (IndexError, AttributeError):
        # IOS routers do not return a session id
        sessionid = "IOS_ROUTER"

    subscript = doc.getElementsByTagName(
        'env:Body')[0].getElementsByTagName('sd:subscriptionId')[0]
    subscriptionid = subscript.firstChild.wholeText

    return [sessionid, subscriptionid]


def nano(epoch):
    return int(epoch * 1e9)


def epoch(nano):
    return (nano / 1e9)


class SDEE:

    def __init__(self, **kwargs):
        self._callback = kwargs.get('callback', '')
        self._format = kwargs.get('format', 'raw')
        self._timeout = kwargs.get('timeout', 1)
        self._user = kwargs.get('user', '')
        self._password = kwargs.get('password', '')
        self._host = kwargs.get('host', 'localhost')
        self._method = kwargs.get('method', 'https')
        self._resource = kwargs.get('resource', 'cgi-bin/sdee-server')
        self._uri = "%s://%s/%s" % (self._method, self._host, self._resource)
        self._sessionid = kwargs.get('sessionid', '')
        self._subscriptionid = kwargs.get('subscriptionid', '')
        self._starttime = kwargs.get('starttime', nano(time.time()))
        self._b64pass = self._basic_credentials()
        self._response = ''
        self._force = kwargs.get('force', 'yes')
        self._action = ''

    def _basic_credentials(self):
        # base64.encodestring() appends a newline; strip it so the
        # Authorization header value stays a single line.
        return base64.encodestring(
            "%s:%s" % (self._user, self._password)).strip()

    def data(self):
        return self._response

    def Password(self, passwd):
        self._password = passwd
        self._b64pass = self._basic_credentials()

    def User(self, username):
        self._user = username
        self._b64pass = self._basic_credentials()

    def Host(self, host):
        self._host = host
        self._uri = "%s://%s/%s" % (self._method, self._host, self._resource)

    def Method(self, method):
        self._method = method
        self._uri = "%s://%s/%s" % (self._method, self._host, self._resource)

    def Resource(self, resource):
        self._resource = resource
        self._uri = "%s://%s/%s" % (self._method, self._host, self._resource)

    def _request(self, params, **kwargs):
        req = urllib2.Request("%s?%s" % (self._uri, params))
        req.add_header('Authorization', "BASIC %s" % (self._b64pass))
        data = urllib2.urlopen(req)
        self._response = data.read()
        if self._action == 'open':
            self._sessionid, self._subscriptionid = parse_open(
                self._action, self._response)
        elif self._action in ('close', 'cancel'):
            # The body was already consumed above; print what was read.
            print self._response
        elif self._action == 'get':
            if isinstance(self._callback, types.FunctionType):
                self._callback(**kwargs)
        elif self._action == 'query':
            pass

    def open(self, **kwargs):
        self._action = 'open'
        param_dict = {
            "events": "evIdsAlert",
            "action": "open",
            "force": self._force}
        if self._subscriptionid != '':
            param_dict['subscriptionId'] = self._subscriptionid
        params = urllib.urlencode(param_dict)
        self._request(params)

    def close(self, **kwargs):
        self._action = 'close'
        params = urllib.urlencode({"action": "close",
                                   "subscriptionId": self._subscriptionid})
        self._request(params)

    def cancel(self, **kwargs):
        self._action = 'cancel'
        params = urllib.urlencode({
            "action": "cancel",
            "subscriptionId": self._subscriptionid,
            "sessionId": self._sessionid})
        self._request(params)

    def get(self, **kwargs):
        self._action = 'get'
        params = urllib.urlencode({"confirm": "yes",
                                   "timeout": "1",
                                   "maxNbrofEvents": "20",
                                   "action": self._action,
                                   "subscriptionId": self._subscriptionid})
        self._request(params, **kwargs)

    def query(self, **kwargs):
        pass

0 Karma
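
The first traceback in this thread is a signature mismatch, not a network problem: from Python 2.7.9 on, urllib2.HTTPSHandler.https_open passes context=self._context into do_open, which forwards it as a keyword to whatever class is installed as httplib.HTTPSConnection. A replacement class written for older Pythons has no such parameter, so construction dies with "unexpected keyword argument 'context'" before any packet leaves the box. Python 3's urllib.request instantiates its connection class the same way (context=, plus check_hostname= before 3.12), so the same mistake is still easy to make. The following is an added example, not code from the Splunk add-on or pySDEE, written in Python 3; the class names, the sensor host name "sensor.example.invalid" and the TLS 1.2 floor are assumptions for illustration (the thread's patch pins TLS 1.1 because that is what the sensor spoke). Nothing in it opens a socket, so it runs offline:

```python
"""Keeping a TLS-pinning HTTPS connection class compatible with urllib.

Added example (not from the Splunk add-on or pySDEE). urllib.request's
do_open() constructs the connection class as
http_class(host, timeout=..., context=...); a subclass whose __init__ does
not accept ``context`` fails with a TypeError before any packet is sent.
"""
import http.client
import ssl
import urllib.request

# Hypothetical sensor name; connection objects are built but never connected.
SENSOR_HOST = "sensor.example.invalid"


def pinned_tls_context(minimum=ssl.TLSVersion.TLSv1_2,
                       maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Client context that refuses protocol versions outside [minimum, maximum].

    PROTOCOL_TLS_CLIENT keeps certificate verification and hostname checking
    on, unlike the bare ssl.wrap_socket() call in the Python 2 patch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


class LegacyPinnedHTTPSConnection(http.client.HTTPConnection):
    """Shape of the pre-2.7.9 monkey patch: no ``context`` parameter.

    do_open() passes context= (and, before Python 3.12, check_hostname=) as
    keywords, so this constructor cannot be called by the handler at all.
    """
    default_port = http.client.HTTPS_PORT

    def __init__(self, host, port=None, timeout=None, source_address=None):
        super().__init__(host, port, timeout=timeout,
                         source_address=source_address)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """Compatible shape: accepts ``context`` and forwards unknown keywords.

    A caller-supplied context wins; otherwise a pinned one is built.
    ``**kwargs`` passes through whatever the handler adds in a given Python
    version, so the subclass survives do_open() gaining or dropping arguments.
    """

    def __init__(self, host, port=None, *, context=None,
                 minimum=ssl.TLSVersion.TLSv1_2, **kwargs):
        if context is None:
            context = pinned_tls_context(minimum)
        self.tls_context = context
        super().__init__(host, port, context=context, **kwargs)


def handler_style_call(http_class, host=SENSOR_HOST, timeout=10):
    """Instantiate ``http_class`` the way urllib.request's do_open() does.

    HTTPSConnection only opens the socket on the first request, so this
    exercises the constructor signature without touching the network.
    """
    return http_class(host, timeout=timeout, context=pinned_tls_context())


def legacy_signature_breaks():
    """True when the legacy class fails the handler's call with TypeError."""
    try:
        handler_style_call(LegacyPinnedHTTPSConnection)
    except TypeError:
        return True
    return False


def fixed_signature_floor():
    """Name of the minimum TLS version the compatible class ends up with."""
    conn = handler_style_call(PinnedHTTPSConnection)
    return conn.tls_context.minimum_version.name


def pinned_when_context_missing():
    """Floor chosen when the caller passes no context at all."""
    return PinnedHTTPSConnection(SENSOR_HOST).tls_context.minimum_version.name


def build_pinned_opener(minimum=ssl.TLSVersion.TLSv1_2):
    """Preferred on Python 3: no monkey patching, hand HTTPSHandler a context."""
    handler = urllib.request.HTTPSHandler(context=pinned_tls_context(minimum))
    return urllib.request.build_opener(handler)


def opener_has_https_handler(opener):
    return any(isinstance(h, urllib.request.HTTPSHandler) for h in opener.handlers)


if __name__ == "__main__":
    print("legacy class breaks:", legacy_signature_breaks())
    print("fixed class floor:", fixed_signature_floor())
    print("opener pinned:", opener_has_https_handler(build_pinned_opener()))
```

Once the constructor accepts the handler's keywords, the remaining failure mode is the one in the later traceback: do_open catches the socket or SSL error raised by connect() and re-raises it as a bare URLError, so the handshake failure from a protocol or certificate mismatch shows up with the real cause only in the exception's reason attribute. Log that attribute before blaming the add-on, and treat any floor below TLS 1.2 as a documented exception for the sensor rather than a default.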

molinarf
Communicator

I am using version 2.1.5 and am having this problem. I tried to do what you posted, and I still get this error even though Splunk is able to successfully connect to the IPS.

0 Karma

klaxdal
Contributor

Send me a message with your email if you wish for me to send you the working pySDEE.py file

0 Karma

ilirb
Path Finder

Hi Arber,

Seems like I focused on the results only and checked only the dashboards. Strangely enough, I also have similar errors (though they look a bit different, since you seem to have Splunk installed on a Linux machine and I have a Windows server):

ERROR - Exception thrown in sdee.get(): Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py", line 117, in run
    sdee.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 211, in get
    self._request(params, **kwargs)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 431, in open
    response = self._open(req, data)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 449, in _open
    '_open', req)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 1240, in https_open
    context=self._context)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 1197, in do_open
    raise URLError(err)
URLError:

However, when I check the dashboards and the fetching of logs, the results are there (IPS analyst, overview, etc.); they show relevant results as expected.

Let's see if any advanced user/expert suggests us how to address these error messages and eventually solve your problem. I don't seem to have the answer.

Ilir

0 Karma

ilirb
Path Finder

http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/Releasenotes

Cisco IPS app version 2.1.5 is out, which claims to fix this. I haven't tried it yet, though.

0 Karma

ilirb
Path Finder

Hello,

I tried upgrading, and it seems to work. The only complaint received was:

The lookup table 'cisco_ips_vendor_info_lookup' does not exist. It is referenced by configuration 'cisco:ips:syslog'.

I manually added it to the 'lookups' folder as described here: http://docs.splunk.com/Documentation/AddOns/released/CiscoIPS/Lookups and the warning disappeared.

Good luck with yours,
Ilir

0 Karma
