
Splunk Add-on for Cisco IPS 2.1.5 has error connecting to sensor

molinarf
Communicator

I recently migrated my Splunk from Windows 2012 to Linux (CentOS). I am currently running Splunk Enterprise 6.3.2. I added the Splunk Add-on for Cisco IPS ver. 2.1.5 and had to manually configure the inputs.conf file just to get Splunk to make a successful connection to the IPS. Now that the SDEE subscription is valid, I get this error:

ERROR - Connecting to sensor - X.X.X.2: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
URLError:

0 Karma

jmantor
Path Finder

Klaxdal's fix works. Why hasn't it been integrated into the stock TA yet? It's been almost a year!

0 Karma

klaxdal
Contributor

Are you using Splunk 6.4?

If so, the new Python 2.7.11 libs seem to bork out the Base64 password conversion section of pySDEE.py located in:

/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee

So... here is what I did to change it:

Replace line 164 of the file with the following:

req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))

Worked like a charm:

- INFO - Attempting to connect to sensor: ips-2
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: -ips-2
Wed Apr 27 09:35:57 2016 - INFO - Checking for existing SubscriptionID on host: ips-1
Wed Apr 27 09:35:57 2016 - INFO - No existing SubscriptionID for host: -ips-1
Wed Apr 27 09:35:57 2016 - INFO - Attempting to connect to sensor: -ips-1
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: -ips-1
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: ips-1
Wed Apr 27 09:35:59 2016 - INFO - host="candeal-ips-1" SessionID="48436f106cdef9a21176c4151b7bfacd" SubscriptionID="sub-3-5bae0fff"
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: - INFO - Attempting to connect to sensor: candeal-ips-2
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: candeal-ips-2
Wed Apr 27 09:35:57 2016 - INFO - Checking for existing SubscriptionID on host: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - No existing SubscriptionID for host: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - Attempting to connect to sensor: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: candeal-ips-1
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: candeal-ips-1
Wed Apr 27 09:35:59 2016 - INFO - host="candeal-ips-1" SessionID="48436f106cdef9a21176c4151b7bfacd" SubscriptionID="sub-3-5bae0fff"
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: ips-2
Wed Apr 27 09:35:59 2016 - INFO - host="candeal-ips-2" SessionID="92422ed39a6138baab166b468b6d532c" SubscriptionID="sub-3-848eb720"

Let me know how you make out.

kmanson
Path Finder

Klaxdal,
Your answer should really be its own question and answer. It solved my issue with Cisco IPS with Splunk 6.4. One thing to note is that I had to restart Splunk twice for it to start working: on the first restart it threw an error, but on the second restart it worked.

Error after first restart:

ERROR - Exception thrown in sdee.get(): Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 117, in run
    sdee.get()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 211, in get
    self._request(params, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request

0 Karma

kevinsplunkdotc
Explorer

Changed to TLSv1 and changed line per your instructions. Worked like a champ!
Thanks!!

0 Karma

klaxdal
Contributor

Do you have an email address? I will just email you the .py file...

0 Karma

klaxdal
Contributor

Create a throwaway Gmail account and I will send the .py to you. Replace the one you have.

0 Karma

tequilalinux
New Member
0 Karma

klaxdal
Contributor

Just sent...

0 Karma

tequilalinux
New Member

Thanks klaxdal, I replaced the file and now I get this error:

Sat Jun  4 13:27:37 2016 - ERROR - Connecting to sensor - X.X.X.X : Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 188, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 164, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
URLError:

Sat Jun  4 13:27:34 2016 - INFO - Successfully connected to: X.X.X.X

Sat Jun  4 13:27:34 2016 - INFO - Attempting to connect to sensor: X.X.X.X
0 Karma

klaxdal
Contributor

Oh yeah, and either try connecting with TLSv1_1 or TLSv1 first.

0 Karma

tequilalinux
New Member

Hi, could you please clarify this change:

Replace line 164 of the file with the following:
req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))

This means that the original line:
req.add_header('Authorization', "BASIC %s" % (self._b64pass))

Will be replaced with:
req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))

??

0 Karma

klaxdal
Contributor

Yes, your assumption is correct; this should fix the issue when running 6.4.

Let me know how you make out.

Kristofer

0 Karma
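To make klaxdal's one-line change, and tequilalinux's reading of it just above, concrete, here is an added Python 3 example. It is not code from this thread or from the Splunk TA; the function names (legacy_b64pass, fixed_b64pass, authorization_header, http_client_accepts, diagnose), the sample credential cisco/secret, the host sensor.invalid and the path /cgi-bin/sdee-server are all constructed for the demonstration, and nothing is ever sent over the network. It reproduces why the old pySDEE.py header broke under the newer bundled Python: base64.encodestring (encodebytes in Python 3) appends a trailing newline, and the header-injection hardening added to httplib/http.client in the Python 2.7.10 series rejects any header value carrying a bare CR or LF. It also goes one step beyond the thread by showing that long credentials get newlines in the middle of the encoding as well, which the replace('\n', '') fix also removes.

```python
import base64
import http.client

# Constructed sample credential for the demonstration; not a real sensor login.
SAMPLE_USER = "cisco"
SAMPLE_PASS = "secret"


def legacy_b64pass(username, password):
    """Reproduce what the original pySDEE.py did under Python 2:
    base64.encodestring() (encodebytes() in Python 3) appends a trailing
    newline and inserts one after every 76 output characters for long input."""
    return base64.encodebytes(f"{username}:{password}".encode("utf-8")).decode("ascii")


def fixed_b64pass(username, password):
    """Newline-free encoding: base64.b64encode() never emits line breaks."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authorization_header(b64pass):
    """The value pySDEE.py puts in the Authorization header; the one-line fix
    from the thread strips every newline the legacy encoder produced.
    (The TA spells the scheme 'BASIC'; RFC 7617 treats it case-insensitively.)"""
    return "BASIC %s" % b64pass.replace("\n", "")


def http_client_accepts(header_value):
    """Ask http.client itself whether it would send this header value.

    Since the header-injection hardening in CPython (2.7.10 series and 3.x),
    putheader() raises ValueError for any value containing a CR or LF that is
    not part of a folded continuation line. Nothing is transmitted here:
    putrequest() only buffers the request line, and the placeholder host
    'sensor.invalid' is never resolved or connected to."""
    conn = http.client.HTTPConnection("sensor.invalid")  # placeholder host
    conn.putrequest("GET", "/cgi-bin/sdee-server", skip_host=True, skip_accept_encoding=True)
    try:
        conn.putheader("Authorization", header_value)
        return True
    except ValueError:
        return False
    finally:
        conn.close()


def diagnose(username, password):
    """Return (legacy_header_accepted, fixed_header_accepted) for one credential."""
    legacy = "BASIC %s" % legacy_b64pass(username, password)
    fixed = authorization_header(legacy_b64pass(username, password))
    return http_client_accepts(legacy), http_client_accepts(fixed)


if __name__ == "__main__":
    print(repr(legacy_b64pass(SAMPLE_USER, SAMPLE_PASS)))  # note the trailing '\n'
    print(diagnose(SAMPLE_USER, SAMPLE_PASS))              # (False, True)
```

The stricter header check is the library defending against HTTP header injection, so the right repair is the one in the thread (strip the newlines, or better, encode with b64encode in the first place), not relaxing the check; either way the sensor receives exactly the same credential bytes as before.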

tequilalinux
New Member

Hi Kristofer,

I still have this issue and no data coming from Cisco IPS:

Sat Jun  4 11:57:09 2016 - ERROR - Connecting to sensor - X.X.X.X: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 401: Unauthorized
0 Karma

klaxdal
Contributor

Remember, you need to restart Splunk after every change to a .py file. Did you restart?

0 Karma

tequilalinux
New Member

Yes, I restarted Splunk after the .py change and this is what I get:

Sat Jun  4 14:48:03 2016 - ERROR - Connecting to sensor - X.X.X.X: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run
    sdee.open()
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 188, in open
    self._request(params)
  File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 164, in _request
    data = urllib2.urlopen(req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
URLError:
0 Karma

bwooden
Splunk Employee

This looks similar to a bug (ADDON-6014) that was encountered after upgrade to Splunk 6.3 (the root cause was a newer version of Python in Splunk 6.3 which contained changes to the urllib2 library that TA uses).

That was resolved in Cisco IPS version 2.1.5 -- which you mention you have in your original question.

My initial hypothesis would be that the IPS query code was not updated appropriately. Was the IPS TA installed from scratch or upgraded from a previous version? Either should be fine but I'm trying to learn more about the environment to determine what could be causing this. Do you have a support case open? In this specific case, it may be easier to help by reviewing a diag.

0 Karma

molinarf
Communicator

The IPS TA was installed from scratch on this newly built server. I opened a support case as well, #000328995.

I have also been looking at the pySDEE.py file in /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee and noticed that the file references TLSv1_1 rather than SSLv3, and I don't know if that is an issue. I made a change to the file to use SSLv3 and, if that doesn't clear up the problem, I will change it back.

Thank you.

0 Karma

molinarf
Communicator

I forgot to add, that I have a distributed setup with a search head and an indexer.

0 Karma