
Splunk Add-on for Symantec Endpoint Protection 2.1.1: Malware category lookup table not updating

adamblock2
Path Finder

We are currently running version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection on Splunk 6.2.3. I have set up the app to automatically update the malware category lookup table with the latest list of threats and risks from Symantec. The symantec_ep_malware_categories.csv lookup table is not being updated, however.

I tried looking at index=_internal source="*ta_symantec-ep.log". The following events are returned:

2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:84 | End reading session key
2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:80 | Start reading session key
2016-04-11 10:14:39,846 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:79 | Script input start.
2016-04-11 10:14:39,857 INFO pid=24710 tid=MainThread file=malware_category_update.py:run:176 | This is not the cluster captain. Do not run the malare_category_update.

Our search heads are not currently clustered, so I do not understand why it is stating "This is not the cluster captain. Do not run the malare_category_update."

0 Karma

splunk_cv
Explorer

Hi,

I have the same issue. I tried to debug the HTTP connections with tcpdump and with Splunk logs in index=_internal source="*ta_symantec-ep.log".

My thought is that the page where the app is looking for the updates has been dismissed. Look at these logs:

2016-05-26 16:20:26,149 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:170 | The SPL is executed correctly.
host = splnkshmi-prd04.sky.local source = /splunkdata/splunk/var/log/splunk/ta_symantec-ep.log sourcetype = ta_symantec-ep
2016-05-26 16:20:25,833 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:164 | Start the SPL
2016-05-26 16:20:25,833 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:162 | Start the SPL
2016-05-26 16:20:25,671 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=_1234567890
2016-05-26 16:20:25,645 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Z
2016-05-26 16:20:25,614 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Y
2016-05-26 16:20:25,587 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=X
2016-05-26 16:20:25,553 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=W
2016-05-26 16:20:25,528 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=V
2016-05-26 16:20:25,502 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=U
2016-05-26 16:20:25,474 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=T
2016-05-26 16:20:25,449 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=S
2016-05-26 16:20:25,425 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=R
2016-05-26 16:20:25,399 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=Q
2016-05-26 16:20:25,374 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=P
2016-05-26 16:20:25,349 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=O
2016-05-26 16:20:25,322 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=N
2016-05-26 16:20:25,299 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=M
2016-05-26 16:20:25,276 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=L
2016-05-26 16:20:25,247 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=K
2016-05-26 16:20:25,219 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=J
2016-05-26 16:20:25,192 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=I
2016-05-26 16:20:25,169 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=H
2016-05-26 16:20:25,144 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=G
2016-05-26 16:20:25,117 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=F
2016-05-26 16:20:25,094 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=E
2016-05-26 16:20:25,068 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=D
2016-05-26 16:20:25,045 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=C
2016-05-26 16:20:25,022 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=B
2016-05-26 16:20:24,975 INFO pid=40591 tid=MainThread file=malware_category_update.py:extract_xml:36 | Requesting url:http://www.symantec.com/xml/rss/azlistings.jsp?azid=A
2016-05-26 16:20:24,874 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:88 | This is a single instance or cluster captain. Run the malare_category_update.
2016-05-26 16:20:24,853 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:84 | End reading session key
2016-05-26 16:20:24,853 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:80 | Start reading session key
2016-05-26 16:20:24,852 INFO pid=40591 tid=MainThread file=malware_category_update.py:run:79 | Script input start.

You can see that the script starts to contact different URLs (from A to Z and one last link) and all the steps are made properly. But if you try to contact those links you'll obtain a page with this phrase: http://www.symantec.com/business/landing/azlisting.jsp The Threat Explorer is a comprehensive resource for daily, accurate and up-to-date information on the latest threats, risks and vulnerabilities. en-us

Maybe Symantec moved the tables. I hope someone will answer or update the app.

0 Karma

moosterhof_splu
Splunk Employee

Hello!
Does this mean the URLs inside the script need to be modified? Let me know if anything requires updating.

0 Karma

splunk_cv
Explorer

No, nothing has to be updated. If you're practised with Python, you can check the script "malware_category_update.py" in "\Splunk_TA_symantec-ep\bin" to understand how the app works for the malware table update.

In particular, if you have a single SH and not a cluster, I suppose you made a mistake during the configuration of the update. In fact, looking at the script you should see the line "This is a single instance or cluster captain. Run the malare_category_update." (line 88), while your log talks about a SH cluster, just as if the script thinks that you have a SH cluster configuration. Because you are not in a cluster config, the script can't find the "cluster captain" and skips the update (line 176).

I think you have to check your setup following the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/SymantecEP/Setup

It's a very simple configuration.

Matteo

0 Karma
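The two failure modes discussed in this thread (a standalone search head being mistaken for a non-captain cluster member, and the azlistings URLs returning a landing page instead of a feed) map onto two gates a lookup updater should have. The following is an added example written for this thread, not the add-on's malware_category_update.py nor any Splunk code: the cluster decision assumes the script consults the shcluster/member/info REST endpoint and its is_captain field (an assumption about the add-on's logic), the feed layout (rss/channel/item with title and category) and the lookup column names are constructed for the example, and the sample responses below are constructed inline.

```python
"""Two defensive gates for a lookup-updating scripted input (added example,
not the add-on's own code):
  1. run only on a single instance or the SH cluster captain;
  2. never overwrite the lookup CSV with a non-feed or empty result.
"""
import csv
import io
import xml.etree.ElementTree as ET

# ---- Gate 1: which node may write the lookup -------------------------------
# Assumption: the updater GETs /services/shcluster/member/info?output_mode=json.
# On a standalone search head that endpoint is not serviceable, so a non-200
# status is treated as "single instance", which matches the line-88 message
# in the thread; only a clustered node that is not captain skips the update.
def should_run_update(status_code, body_json):
    """Return (run, reason) from a constructed (status, parsed JSON) pair."""
    if status_code != 200:
        return True, "no SH cluster membership reported; single instance"
    try:
        content = body_json["entry"][0]["content"]
    except (KeyError, IndexError, TypeError):
        return False, "unexpected shcluster/member/info payload; refusing to guess"
    if content.get("is_captain") in (True, 1, "1"):
        return True, "this node is the cluster captain"
    return False, "cluster member but not captain; skip"

# ---- Gate 2: validate what the azlistings URLs actually returned ------------
# The marker is the sentence the thread quotes from the landing page; a body
# containing it, or one that is not XML at all, is not a listing feed.
LANDING_MARKER = "The Threat Explorer is a comprehensive resource"

def parse_listing(body):
    """Return rows [{'name','category'}] from one feed body, or None when the
    body is not a listing feed. The item/title/category layout is assumed."""
    if LANDING_MARKER in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    rows = []
    for item in root.iter("item"):
        title = item.findtext("title")
        category = item.findtext("category")
        if title and category:
            rows.append({"name": title.strip(), "category": category.strip()})
    return rows

def build_lookup(feeds, existing_csv):
    """feeds: list of (azid, body). Returns (csv_text, message). Keeps the
    existing lookup text untouched if any feed is not a feed or the merged
    table is empty, so a moved upstream page cannot clobber the lookup."""
    merged = []
    for azid, body in feeds:
        rows = parse_listing(body)
        if rows is None:
            return existing_csv, "azid=%s: not a listing feed; kept existing lookup" % azid
        merged.extend(rows)
    if not merged:
        return existing_csv, "all feeds empty; kept existing lookup"
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "category"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(merged)
    return out.getvalue(), "wrote %d rows" % len(merged)

# ---- Constructed sample inputs --------------------------------------------
GOOD_FEED = (
    '<rss version="2.0"><channel>'
    "<item><title>W32.Example.Worm</title><category>Worm</category></item>"
    "<item><title>Trojan.Example</title><category>Trojan</category></item>"
    "</channel></rss>"
)
LANDING_PAGE = (
    "<html><body>The Threat Explorer is a comprehensive resource for daily, "
    "accurate and up-to-date information on the latest threats, risks and "
    "vulnerabilities.</body></html>"
)
EXISTING_LOOKUP = "name,category\nOld.Example,Trojan\n"

if __name__ == "__main__":
    print(should_run_update(503, None))          # standalone SH -> run
    print(build_lookup([("A", GOOD_FEED), ("B", LANDING_PAGE)], EXISTING_LOOKUP)[1])
    print(build_lookup([("A", GOOD_FEED)], EXISTING_LOOKUP)[0])
```

In the scenario from the question, the first gate is where to look: a script that treats "cannot determine captain" as "not captain" will silently skip on a standalone search head, so the log line at run:176 with no cluster configured points at either that decision or at a setup step that told the add-on it was clustered. The second gate is what would have protected the table when the Symantec pages temporarily served a landing page.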

splunk_cv
Explorer

Hi,

the assumption I made was right. Now the pages http://www.symantec.com/xml/rss/azlistings.jsp?azid= are full of information.

I can confirm that the lookup table is now correctly updated.

0 Karma

moosterhof_splu
Splunk Employee

Hello!
If you are using version 2.1.1, you are probably not running the "syslog" version of the Symantec EP TA. I suggest you retag the question with the right App. Unfortunately I do not know the answer to your question.

0 Karma