Hi,
I just want to input the OpenCTI feed from OpenCTI into Splunk.
I followed the installation instructions.
https://splunkbase.splunk.com/app/7485
But there is an error in the _internal index as follows.
Hi @goji
Having checked the Python code within this app - it looks like it is forcing SSL verification when connecting to the OpenCTI endpoint.
response = helper.send_http_request(url, method, parameters=None, payload=None,
headers=None, cookies=None, verify=True, cert=None,
timeout=None, use_proxy=True)
This means that you would need to provide an OpenCTI URL on a DNS name with a valid SSL certificate.
When you tried to connect using curl, did you need to pass a param like "-k" to skip SSL verification?
Are you able to use a DNS name and add a valid SSL certificate to the OpenCTI server? If not, then I think the only other option would be to modify the script to turn off SSL verification (it's a shame the app author hasn't provided this option). The issue with this is it can leave you with a fragile environment, in that if you upgrade the app in the future then it will override your changes.
If you want to test this approach then you can try making the following modifications - but remember the caveats (this is obviously sub-optimal!).
TA-opencti-add-on/bin/input_module_opencti_indicators.py - Lines 224-226
response = helper.send_http_request(url, method, parameters=None, payload=None,
headers=None, cookies=None, verify=True, cert=None,
timeout=None, use_proxy=True)
Change verify=True to verify=False
And the modalert:
TA-opencti-add-on/bin/ta_opencti_add_on/alert_actions_base.py - Line 108
def send_http_request(self, url, method, parameters=None, payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True):
Again, change verify=True to verify=False
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
After all, there is such a thing as the norm not being the norm.
By default, the OpenCTI URL is http://ip:8080 (not https).
Splunk's OpenCTI forces you to enter only "https://" when you are operating it.
And I can't change it back to "http". So I guess there was an error.
I edited the URL in the file ta_opencti_add_on_settings.conf in the TA directly (https -> http) and restarted.
Then I was able to load the data. Thanks!
Ah yes good spot @goji
By editing the config file directly you are bypassing the built-in validation that stops you saving it via the UI. At this point the verify=True in the Python code has no effect because it's using http anyway 🙂
Thanks for letting me know.
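Added example (not code from the thread or from the TA-opencti-add-on): a preflight helper for the two situations above, the forced verify=True against an https URL and the plain http URL that ends up bypassing verification altogether. It keeps certificate checking on and, for an internal CA, passes a CA bundle path instead of verify=False; it assumes the add-on's helper forwards `verify` unchanged to `requests`, and the URLs and bundle path below are constructed sample values.

```python
"""Preflight check for the OpenCTI URL configured in the Splunk add-on.

Assumption: the add-on's send_http_request forwards `verify` to `requests`,
which accepts True, False or a CA bundle path. The URLs and the CA path used
below are constructed sample values, not from the thread.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


def resolve_verify(opencti_url: str, ca_bundle: Optional[str] = None) -> Tuple[str, object, str]:
    """Return (scheme, value to pass as `verify`, note) for an OpenCTI URL.

    http://  -> TLS is not used, so verify has no effect and the indicator
                feed travels in cleartext (the state after the .conf edit).
    https:// -> keep verification on; with a private CA, hand over the
                bundle path rather than switching verify to False.
    """
    parsed = urlparse(opencti_url)
    if parsed.scheme == "http":
        return ("http", True, "plaintext: verify ignored, traffic unencrypted")
    if parsed.scheme == "https":
        if ca_bundle:
            return ("https", ca_bundle, "verify against private CA bundle")
        return ("https", True, "verify against system trust store")
    raise ValueError(f"unsupported scheme in OpenCTI URL: {opencti_url!r}")


def check_tls(host: str, port: int = 443, ca_bundle: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Open a TLS session the way requests with verify=True would (hostname
    check on, chain validated against ca_bundle or the system store) and
    return the peer certificate's subject and expiry. Raises
    ssl.SSLCertVerificationError on exactly the failures the add-on would
    log with verify=True. Needs network access to the OpenCTI host."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {"subject": subject, "notAfter": cert["notAfter"]}


if __name__ == "__main__":
    # Constructed sample URLs, as a user might enter them in the UI or .conf.
    for url in ("http://10.0.0.5:8080", "https://opencti.example.internal"):
        print(url, resolve_verify(url, ca_bundle="/etc/ssl/certs/internal-ca.pem"))
```

Run check_tls("opencti.example.internal", 443, "/etc/ssl/certs/internal-ca.pem") once from the search head: if it raises, the add-on's verify=True request will fail the same way, and the fix is the server certificate or the bundle, not the verify flag.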