All Apps and Add-ons

Splunk Add-on for Symantec Endpoint Protection 2.1.1: Malware category lookup table not updating

adamblock2
Path Finder

We are currently running version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection on Splunk 6.2.3. I have set up the app to automatically update the malware category lookup table with the latest list of threats and risks from Symantec. The symantec_ep_malware_categories.csv lookup table is not being updated, however.

I tried looking at index=_internal source="*ta_symantec-ep.log". This following events are returned:

2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:84 | End reading session key
2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:80 | Start reading session key
2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:79 | Script input start.
2016-04-11 10:14:39,857 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:176 | This is not the cluster captain. Do not run the malare_category_update.

Our search heads are not currently clustered, so I do not understand why it is stating "This is not the cluster captain. Do not run the malare_category_update."

0 Karma

splunk_cv
Explorer

Hi,

i have the same issue. I tryed to debug the http connections with tcpdump and with Splunk logs in index=_internal source="*ta_symantec-ep.log

My thoughts is that the page where the app is looking for the updates has been dismissed. Look at these logs:

2016-05-26 16:20:26,149 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:170 | The SPL is executed correctly.
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,833 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:164 | Start the SPL
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,833 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:162 | Start the SPL
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,671 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=_1234567890
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,645 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Z
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,614 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Y
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,587 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=X
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,553 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=W
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,528 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=V
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,502 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=U
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,474 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=T
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,449 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=S
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,425 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=R
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,399 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Q
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,374 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=P
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,349 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=O
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,322 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=N
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,299 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=M
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,276 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=L
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,247 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=K
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,219 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=J
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,192 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=I
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,169 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=H
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,144 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=G
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,117 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=F
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,094 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=E
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,068 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=D
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,045 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=C
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:25,022 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=B
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:24,975 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=A
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:24,874 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:88 | This is a single instance or cluster captain. Run the malare_category_update.
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:24,853 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:84 | End reading session key
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:24,853 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:80 | Start reading session key
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep

2016-05-26 16:20:24,852 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:79 | Script input start.

You can see that the script start to contact different urls (from A to Z and one last link) and all the steps are mode properly. But f you try to contact those links you'll obtain a page with this phrase: http://www.symantec.com/business/landing/azlisting.jsp The Threat Explorer is a comprehensive resource for daily, accurate and up-to-date information on the latest threats, risks and vulnerabilities. en-us

Maybe Symantec moved the tables. I hope someone will answer or update the app.

0 Karma

moosterhof_splu
Splunk Employee
Splunk Employee

Hello!
Does this mean the URLs inside the script need to be modified? Let me know if anything requires updating.

0 Karma

splunk_cv
Explorer

No, nothing has to be updated. If you're practice with Python, you can check the script "malware_category_update.py" in "\Splunk_TA_symantec-ep\bin" to understand how the app woks about the malware table update.

In particular, if you have a single SH and not a cluster, i supposed you made a mistake during the configuration of the update. In fact, looking at the scriptl you should see the line "This is a single instance or cluster captain. Run the malare_category_update." (line 88) while your log talks about a SH cluster, just like the script thinks that you have a SH cluser configuration. Because you are not in a cluster config, the script can't find the "cluster captain" and skips the update (line 176).

I think you have to check your setup following the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/SymantecEP/Setup

It's a very simple configuration.

Matteo

0 Karma

splunk_cv
Explorer

Hi,

the assumption i made was right. Now the pages http://www.symantec.com/xml/rss/azlistings.jsp?azid= are full of information.

I can confirm that the lookupt table is now correctly updated.

0 Karma

moosterhof_splu
Splunk Employee
Splunk Employee

Hello!
If you are using version 2.1.1, you are probably not running the "syslog" version of the symantec EP TA. I suggest you retag the question with the right App. Unfortunately I do now know the answer to your question.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...