Virustotal Checker: Why are we receiving "Socket Timeout. Check Your Internet Connection" error in the vtc_message field?

ejharts2015
Communicator

We just upgraded to the VirusTotal Checker 1.3 version and now we get a "Socket Timeout. Please Check Your Internet Connection" error in the vtc_message field.

The vt_link field states "Not connected..."

We're using a search head cluster and indexer cluster. We pushed the app out via our master/deployer box.

Any thoughts?

1 Solution

dpreston31
Engager

More than likely due to VirusTotal's CAPTCHA. I was getting this error as well, then did a manual MD5 hash search on VirusTotal.com, proved I was not a robot with CAPTCHA, reran the VT Splunk search and got past the Socket Timeout error.

If VirusTotal Checker could implement API access to VirusTotal, that would be great..MmmK..Thanks!

😉


ahskylehowson
New Member

Did anybody get this to work? I'm running into the same issue and hoping someone found a way to include the virustotal api key's.


dpreston31
Engager

Did some research and found out that automating VirusTotal lookups is restricted to 4 lookups per minute. Both via VirusTotal Checker's method of appending hashes to a virustotal.com search URL, and via the VT Public API 2.0 access.

https://www.virustotal.com/en/documentation/public-api/#getting-ip-reports

Explains why in the screenshots he limited the search to 10 events "head 10". Which by the way, successfully works and retrieves VT results only after I go to VirusTotal.com and do the CAPTCHA.
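A rate-limited lookup helper in the spirit of what dpreston31 asks for, added here as an illustration and not code from the VirusTotal Checker app: it keeps a client under the 4-per-minute quota stated above, takes the API key from the caller rather than embedding it in a search URL, and turns v2 file/report responses (including the 204 that v2 returns once the quota is exhausted) into a vtc_message-style string. The endpoint, parameter names and response codes are those of the v2 public API the post links to; the 15-second socket timeout and the message wording are choices made for this example.

```python
import json
import time
import urllib.error, urllib.parse, urllib.request
from collections import deque

# v2 endpoint the thread refers to; the key is supplied by the caller, never put in a search string
VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_API_LIMIT = 4       # lookups per minute, as stated in the thread
WINDOW_SECONDS = 60.0

class RateLimiter:
    """At most `limit` calls in any `window` seconds; clock/sleep are injectable for tests."""
    def __init__(self, limit=PUBLIC_API_LIMIT, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.calls = deque()

    def wait_time(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()          # drop timestamps that have left the window
        return 0.0 if len(self.calls) < self.limit else self.window - (now - self.calls[0])

    def acquire(self):
        """Block until a slot is free; return the seconds waited."""
        delay = self.wait_time()
        if delay > 0:
            self.sleep(delay)
        self.calls.append(self.clock())
        return delay

def summarize_report(payload):
    """Reduce a v2 file/report JSON body to a short vtc_message-style string."""
    code = payload.get("response_code")
    if code == 1:
        return f"{payload.get('positives', 0)}/{payload.get('total', 0)} engines flagged"
    return {0: "Not found in VirusTotal", -2: "Queued for analysis"}.get(
        code, f"Unexpected response_code {code!r}")

def lookup_hash(file_hash, api_key, limiter, opener=urllib.request.urlopen):
    """One rate-limited lookup; returns (http_status, message). `opener` is injectable for tests."""
    limiter.acquire()
    query = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash})
    try:
        with opener(f"{VT_FILE_REPORT_URL}?{query}", timeout=15) as resp:
            if resp.status == 204:         # v2 reports an exhausted quota as 204 No Content
                return 204, "Rate limit exceeded; back off before retrying"
            return 200, summarize_report(json.loads(resp.read().decode()))
    except urllib.error.HTTPError as err:
        return err.code, "Forbidden: check the API key" if err.code == 403 else str(err)
    except (urllib.error.URLError, OSError) as err:
        return 0, f"Socket timeout or network error: {err}"
```

Because the limiter blocks inside the search command, a batch larger than the quota still completes; it just takes a minute per four hashes rather than failing.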

Peterman
Explorer

@dpreston31 wrote:

Did some research and found out that automating VirusTotal lookups is restricted to 4 lookups per minute. Both via VirusTotal Checker's method of appending hashes to a virustotal.com search URL, and via the VT Public API 2.0 access.

https://www.virustotal.com/en/documentation/public-api/#getting-ip-reports

Explains why in the screenshots he limited the search to 10 events "head 10". Which by the way, successfully works and retrieves VT results only after I go to VirusTotal.com and do the CAPTCHA.

I also wanna know why in the screenshots he limited the search to 10 events "head 10".

Bloodnite
Path Finder

I'm assuming this is tied to the API key piece that still needs to be implemented in the app? I may just make it work myself =\
