Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cisco IPS Error [errno="" 8]

seanp
Path Finder
‎10-08-2013 12:31 PM

I have been attempting to setup the Cisco IPS app for Splunk 6. However I am getting the following error in the sdee_get.log:

INFO - Checking for exsisting SubscriptionID on host: <IPADDRESS>
INFO - No exsisting SubscriptionID for host: <IPADDRESS>
INFO - Attempting to connect to sensor: <IPADDRESS>
INFO - Successfully connected to: <IPADDRESS>
ERROR - Connecting to sensor - <IPADDRESS>: URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>

where is the IP address of the IPS. Does anyone have any thoughts into what the error is? Any help is greatly appreciated

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎10-08-2013 03:41 PM

This looks a whole lot like https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371 which seems to be a bug in OpenSSL when attempting to do TLS version renegotiation. The bug was fixed in OpenSSL upstream and in Debian / Ubuntu.

But, Splunk ships with its own version of OpenSSL. In Splunk 6.0.0 it seems to be OpenSSL 1.0.1e, which is likely affected by this issue.

Ther launchpad link above suggests some (very very very hackish) workarounds like updating python standard library files. I would personally open a support case w/ Splunk and in the meanwhile perhaps downgrade to Splunk 5.0.5, which has an older OpenSSL. Or, you could install a 5.0.5 forwarder just for your IPS app...

View solution in original post

Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎10-15-2013 04:09 PM

By the way, Cisco IPS app is not compatible with 6.0 as of today, 10/15/2013.

0 Karma
Reply
Solved! Jump to solution

seanp
Path Finder
‎10-09-2013 08:56 AM

I was starting get to that same conclusion but you are correct dwaddle. I had a co-worker who has OpenSSL 0.9.8y (Windows) run:

openssl s_client -connect

and connects no problem but when I run it using OpenSSL 1.0.1e it fails. I will contact tech support and see what they say.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...