Optiv Threat Intel Splash only two lists get populated

joni73
Explorer

Hi all

Well, I guess a picture says more than a thousand words, so I will try to show you the problem.

[screenshot]

As you can see, Malc0de and Emerging Threats get populated. The others have an N/A.

If I look in the troubleshooting logs, I'll see this:

[*] Script Started at: 11-24-2016 12:42:35 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 818 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 716 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1423 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 4336 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 262 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Forbidden
Access denied!
[*] Executing get alerts script.

If I try to run the optiv_threat_lists.py manually, I'll get this:

/opt/splunk/etc/apps/optiv_threat_intel/bin# ./optiv_threat_lists.py
logfile_name: /opt/splunk/var/log/splunk/optiv_threat_lists_script11-24-2016-20-29-58.log
[*] Script Started at: 11-24-2016 20:29:58 GMT

[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 818 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 716 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1423 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 4370 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 255 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Forbidden
Access denied!
Traceback (most recent call last):
  File "./optiv_threat_lists.py", line 883, in <module>
    main()
  File "./optiv_threat_lists.py", line 817, in main
    parseAlienVault(raw_threatlist)
  File "./optiv_threat_lists.py", line 703, in parseAlienVault
    AlienVaultIPs = urlResults.split('# Generic format')
AttributeError: 'int' object has no attribute 'split'

Any help would be appreciated.

Thank you

1 Solution

derekarnold
Communicator

Dev here. I am getting the same thing. AlienVault changed something with their feed. I am working on a new release to address some issues. In the meantime, try this:

Open optiv_threat_lists.py
Go to line 817
Comment out the line specified.

raw_threatlist = getUrl(urlList[4].strip('\n'),'true') 
#if len(str(raw_threatlist)) > 3:
    #parseAlienVault(raw_threatlist)

^^^^^Put a hash mark in front of parseAlienVault

Restart Splunk. Just tested it and it fixed the issue for me.


joni73
Explorer

One note, if you are working on a new release, I too have the problems mentioned in this thread (https://answers.splunk.com/answers/439382/optiv-threat-intel-after-initial-configuration-get.html). I am able to use the workaround mentioned, by modifying the conf files directly, but it isn't possible to modify this through the Splunk GUI (the changes from the config files aren't shown in the GUI either). This is just FYI 🐵

Have a nice weekend.


joni73
Explorer

Thank you very much. This did indeed help 🐵

[screenshot]

As you can see, it now populates most fields. Of course the AlienVault isn't working. Strangely enough the Binary Defense isn't, but I'll give the Splunk search a look.

Again, thank you for your help.

