
Virustotal TA Error

Communicator

Has anyone managed to get the VirusTotal TA (https://splunkbase.splunk.com/app/4283/) working? I am getting the following error:

Unexpected error when querying VirusTotal API: HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/file/report?.... (Caused by : [Errno 10061] No connection could be made because the target machine actively refused it)


Path Finder

Hi muralianup,

Sorry to hear you are having trouble with the TA. I am the developer of this Add-on, so hopefully I can help you out.
As I have not encountered this issue previously, could you provide me with some more details about your environment to help me diagnose this problem?

Some information that might help me:
- Version of VirusTotal TA you're using
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises
- Version of Splunk
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One)
- Does your environment require a proxy to call out to the internet

The error you got would indicate that there may be a connectivity issue (maybe a firewall?) preventing the TA from connecting to the VirusTotal API endpoints. But if you are using version 2.0.0 (which is fairly new), it is also possible there is a connectivity bug somewhere that my testing didn't catch. Any information you are able to provide, will go a long way to helping me find the issue.

Thanks,
Tomasz


Communicator

Hi Tomasz, thanks for jumping in. So, the TA is installed on a Splunk ES (cloud, Version: 7.2.7.4) instance which is throwing the following error messages:

The limit has been reached for log messages in info.csv. 13 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit.
[idx-i-0164f585a5c92c18a.merck.splunkcloud.com] HTTPError at "/opt/splunk/var/run/searchpeers/sh-i-051e06f061f25a5b1.merck.splunkcloud.com-1568379893/apps/TA-VirusTotal/bin/splunklib/binding.py", line 1228 : HTTP 404 Not Found -- Application does not exist: TA-VirusTotal
[idx-i-016d50225de4df6a6.merck.splunkcloud.com] HTTPError at "/opt/splunk/var/run/searchpeers/sh-i-051e06f061f25a5b1.merck.splunkcloud.com-1568379893/apps/TA-VirusTotal/bin/splunklib/binding.py", line 1228 : HTTP 404 Not Found -- Application does not exist: TA-VirusTotal

Then I installed it on my test Splunk SH (Splunk Enterprise Version: 7.3.1) where I was getting the following: "Unexpected error when querying VirusTotal API: HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/file/report?.... (Caused by : [Errno 10061] No connection could be made because the target machine actively refused it)".

I am yet to test it from my home network. Interestingly, I was told by a teammate that we are not allowed to make any http/https connection from the Splunk Cloud / ES app as it is paid and expensive. We are now in the process of testing it on any of our intermediate forwarders.


Path Finder

Hi muralianup,

So "Application does not exist: TA-VirusTotal" is a known issue (although I had only ever seen it affect Splunk versions <7.0). Basically, what's happening is that the indexers are trying to use the "| virustotal" command as a StreamingCommand. As such, they try to find a local copy and execute it. However, as the TA is only installed on the Search Head, this fails.

I will investigate a proper solution now that I know this issue is still active. In the meantime, a quick fix is to add "| table *" just before any use of "| virustotal" (please note that you may need to change the TA's saved searches too in order to have full functionality with this patch). This will force all results to go to the search head before executing the "| virustotal" command, effectively resolving the issue. You may find additional information about this here: https://gitlab.com/adarma_public_projects/splunk/TA-VirusTotal (under the "Known Issues" header).

I am not personally aware of any costs associated with using http/https calls on Splunk Cloud. It might be worth clarifying this with your Splunk Cloud Account Manager or with a ticket to Splunk Cloud Support.

As for your test SH: it might be worth verifying whether the connectivity is restricted in any way. Perhaps there is a firewall preventing any connections to non-whitelisted IP addresses (i.e. www.virustotal.com), or perhaps you need to egress through a proxy (proxy settings can be configured in the Setup page for the TA).

Please let me know if this helps you resolve the problem. I will try to debug the errors on my end and see if I can't determine why the "Application does not exist" issue is still happening.

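To illustrate the "| table *" workaround described in the answer above, here is an added SPL example (not from the original thread and not part of the TA itself). It assumes a sourcetype named `sysmon` and a field named `file_hash` in the events; both are constructed for the example, and any arguments the `virustotal` command takes are omitted because the thread does not show them.

```spl
/* Before: the indexers try to run the custom command locally as a streaming
   command, and fail with "Application does not exist: TA-VirusTotal"
   because the TA is only installed on the search head. */
sourcetype=sysmon EventCode=1
| stats count BY file_hash
| virustotal

/* After: "| table *" is a transforming step, so all results are collected on
   the search head first, and the "| virustotal" command executes there,
   where the TA is actually installed. (sourcetype and file_hash assumed.) */
sourcetype=sysmon EventCode=1
| stats count BY file_hash
| table *
| virustotal
```

The same change applies to the TA's own saved searches: insert "| table *" immediately before every "| virustotal" in their search strings, since each saved search that runs the command is otherwise dispatched to the indexers in the same way.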