CiscoIPS Script not working in Splunk Universal Forwarder

Path Finder

Hi All,

I have installed the universal forwarder and I'm planning to install the Cisco IPS Script as part of the universal forwarder.

So under /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/local

I created a new file called inputs.conf and added the below content

[script:///home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev XXXXXX X.X.X.X 30]
disabled = 0
interval = 30
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog
host = 10.201.79.43
index = main

I restarted the splunk forwarder and checked if the script has got triggered.

I didn't see Splunk triggering the script, so I tried to run the script manually.

-bash-4.1$ vi get_ips_feed.py
-bash-4.1$ python /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev Cisco@123 10.201.79.43 30
Traceback (most recent call last):
  File "/home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 8, in <module>
    import splunk.entity as entity
ImportError: No module named splunk.entity

Can someone please tell me how to overcome this ImportError, as I'm trying to trigger the script from the Splunk Forwarder?

All your suggestions will help me overcome this issue and proceed further.

Splunk Employee

As of Splunk_TA_cisco-ips 2.1.2 this modification should no longer be necessary. https://apps.splunk.com/app/1903/


Communicator

As well as needing a Splunk Heavy Forwarder, you also will need to modify the Cisco IPS app, as it has not been updated to run with Splunk 6.

Edit Splunk_CiscoIPS/bin/pysdee/pySDEE.py and add this block below the imports at the top of the file.

# The section below is to override the default socket connection
# which will fail with these devices. The newer version of openssl
# in Python does not support the ciphers these devices would like to use
import httplib
from httplib import HTTPConnection, HTTPS_PORT
import ssl
import socket

class HTTPSConnection(HTTPConnection):
    "This class allows communication via SSL."
    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
        strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
        source_address=None):
        HTTPConnection.__init__(self, host, port, strict, timeout,
            source_address)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        "Connect to a host on a given (SSL) port."
        sock = socket.create_connection((self.host, self.port),
            self.timeout, self.source_address)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        # this is the only line we modified from the httplib.py file
        # we added the ssl_version variable
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)

# now we override the one in httplib
httplib.HTTPSConnection = HTTPSConnection
# ssl_version corrections are done

Splunk Employee

You can make these changes or use a 5.x version of the Heavy Forwarder. Either way should work.

Splunk Employee

The Splunk Universal Forwarder does not ship with Python, so you won't have the necessary Python modules needed (like splunk.entity). Download and install the Splunk Heavy Forwarder and you should be good to go.
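A small checker, added here as an example (it is not part of this thread, the Cisco IPS app or Splunk), that applies the diagnostics from this thread to an inputs.conf: it parses the file, flags the wrapped sourcetype line from the question as a non-setting, and reports when the forwarder under splunk_home has no bundled Python, which is the Universal Forwarder case explained above. The stanza, paths and values are constructed placeholders modelled on the question; splunk_home is passed in so the check can run anywhere.

```python
import os
import re
import shlex

# Constructed sample modelled on the stanza in the question (placeholder values, not a real config)
SAMPLE_INPUTS_CONF = """\
[script:///home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev XXXXXX X.X.X.X 30]
disabled = 0
interval = 30
sourcetype = cisco
ips_syslog
"""

def parse_inputs_conf(text):
    """Return ({stanza: {key: value}}, [parse errors]) for the text of an inputs.conf."""
    stanzas, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:  # e.g. the wrapped 'ips_syslog' fragment: a line without '=' is not a key = value setting
            errors.append("line %d: not a setting: %r" % (lineno, line))
    return stanzas, errors

def check_scripted_input(stanza, splunk_home):
    """Return findings for one [script://...] stanza as seen from the forwarder at splunk_home."""
    match = re.match(r"script://(.+)", stanza)
    if not match:
        return ["not a scripted input"]
    argv = shlex.split(match.group(1))  # script path, then the arguments Splunk passes to it
    findings = []
    if not os.path.isfile(argv[0]):
        findings.append("script not found: %s" % argv[0])
    if argv[0].endswith(".py") and not os.path.isfile(os.path.join(splunk_home, "bin", "python")):
        findings.append("no bundled Python under %s/bin: a Universal Forwarder cannot run .py inputs" % splunk_home)
    if len(argv) > 2:  # the thread's manual run puts the device password among these arguments
        findings.append("device credential passed as a script argument (readable in inputs.conf and ps)")
    return findings

def audit_inputs_conf(text, splunk_home):
    """Parse errors followed by per-stanza findings, each prefixed with its stanza header."""
    stanzas, errors = parse_inputs_conf(text)
    for name in stanzas:
        errors += ["[%s] %s" % (name, f) for f in check_scripted_input(name, splunk_home)]
    return errors
```

Run audit_inputs_conf(open(path).read(), "/home/splunkforwarder") on the forwarder itself to see the same missing-Python finding the original poster hit.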