After moving to Splunk 6.5 from Splunk 6.3.3, the following threat intelligence sources fail to download. Splunk ES was upgraded to 4.5.
I checked the server has internet access. I also excluded corresponding URLs from the proxy.
msg="A threat intelligence download has failed" stanza="hailataxii_malware" status="Retrieved document from TAXII feed
msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list download failed after multiple retries
This has been noted as a bug in the ES 4.5 version. The bug has been fixed in the 4.5.1 version.
Thanks jwelch for your help on that!
Hi,
The first message you have there is actually a success, but is a result of SOLNESS-10559. This can be safely suppressed:
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local
Create a file called inputs.conf if one does not already exist. If it does just add:
[configuration_check://confcheck_failed_threat_download]
suppress = (Retrieved document from TAXII feed)
A restart will be required.
Cause: a search string is off here in confcheck_failed_threat_download.py
As far as your second error, I would need more information to try and work out the issue. Perhaps the third party site was unavailable at the time the download was attempted. Is the second error still happening for you?
mozilla_public_suffix_list is set to update every 3 hours and it keeps failing every time it tries to update.
I checked the site and it is accessible -
https://publicsuffix.org/list/effective_tld_names.dat
What other information would you like to see to help diagnose?
I would do a wget from the Splunk SH itself, and see what the behavior is:
wget https://publicsuffix.org/list/effective_tld_names.dat
Also is this windows or Linux?
I am running Windows 😞
I will provide the output once I figure out an alternative to wget on Windows
There seems to be a problem with the certificate trust. It could be something to do with TLS 1.2.
Any ways to bypass the certificate verification in Splunk?
C:\Program Files (x86)\GnuWin32\bin>wget https://publicsuffix.org/list/effective_tld_names.dat
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
--2016-10-27 13:20:47-- https://publicsuffix.org/list/effective_tld_names.dat
Resolving publicsuffix.org... 63.245.213.24
Connecting to publicsuffix.org|63.245.213.24|:443... connected.
ERROR: cannot verify publicsuffix.org's certificate, issued by `/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA':
Unable to locally verify the issuer's authority.
ERROR: certificate common name `static-san.mozilla.org' doesn't match requested host name `publicsuffix.org'.
To connect to publicsuffix.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
When you do this wget command, it has nothing to do with splunk. Splunk is not in the picture here.
Understood. When used wget --no-check-certificate a file was downloaded with no issues.
C:\Program Files (x86)\GnuWin32\bin>wget --no-check-certificate https://publicsuffix.org/list/effective_tld_names.dat
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
--2016-10-27 14:06:13-- https://publicsuffix.org/list/effective_tld_names.dat
Resolving publicsuffix.org... 63.245.213.24
Connecting to publicsuffix.org|63.245.213.24|:443... connected.
WARNING: cannot verify publicsuffix.org's certificate, issued by `/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA':
Unable to locally verify the issuer's authority.
WARNING: certificate common name `static-san.mozilla.org' doesn't match requested host name `publicsuffix.org'.
HTTP request sent, awaiting response... 200 OK
Length: 190800 (186K) [text/plain]
Saving to: `effective_tld_names.dat'
100%[======================================>] 190,800 614K/s in 0.3s
2016-10-27 14:06:13 (614 KB/s) - `effective_tld_names.dat' saved [190800/190800]
Do you have the addresses of the CA servers removed from the proxy as well? It seems possible that the proxy is messing with the data inside of the cert validation request.
I had a similar issue with the Splunk App for AWS (receiving an invalid cert response, even though checking the cert with openssl showed it was valid) and I had to force Splunk to ignore the proxy environment variable to correct the problem.
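The thread leaves two questions open on the Windows search head: what the Windows trust store actually thinks of the publicsuffix.org certificate chain (the GnuWin32 wget output above cannot say, because that old build only reads the CN, not the Subject Alternative Names), and whether the proxy is interfering with chain or revocation checks as suggested in the last reply. The PowerShell below is an added diagnostic, not code from the thread or from Splunk: it forces TLS 1.2, fetches the server certificate with the system proxy either used or bypassed, prints .NET's own policy verdict, the SAN entries, and the rebuilt chain with revocation checking, so an untrusted issuer, a name mismatch and a proxy that blocks OCSP/CRL traffic each show up differently. The `-BypassProxy` switch and default URL are choices made here for the example. Note that the Splunk threat-list downloader runs in Splunk's bundled Python, so treat this as a check of the network path and the certificate itself rather than of Splunk's own trust configuration.

```powershell
# Added example: diagnose a TLS trust failure from a Windows Splunk search head.
# Not part of the original thread; parameter names are chosen for this example.
param(
    [string]$Url = 'https://publicsuffix.org/list/effective_tld_names.dat',
    [switch]$BypassProxy   # assumption: example-only switch, not a Splunk or wget option
)

# Force TLS 1.2 for this process; older .NET defaults may offer only SSL3/TLS1.0.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$script:serverCert   = $null
$script:policyErrors = $null

# Capture the certificate and .NET's own verdict instead of letting the request fail.
# Returning $true here is for diagnosis only; never leave this callback installed.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $script:serverCert   = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $cert
    $script:policyErrors = $errors      # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
    return $true
}

try {
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    if ($BypassProxy) { $req.Proxy = $null }   # ignore the WinHTTP/IE proxy for this request
    $resp = $req.GetResponse()
    "HTTP status : $([int]$resp.StatusCode)"
    $resp.Close()
} finally {
    # Remove the permissive callback so nothing else in the session inherits it.
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

if (-not $script:serverCert) { throw "No certificate was captured for $Url" }

"Subject     : $($script:serverCert.Subject)"
"Issuer      : $($script:serverCert.Issuer)"
"Policy error: $script:policyErrors"

# Hostname matching is done against the Subject Alternative Names (OID 2.5.29.17);
# a CN-only check, as in old wget builds, reports a mismatch even for a valid cert.
$san = $script:serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SANs        : $($san.Format($false))" }

# Rebuild the chain against the local store with online revocation checking, so a
# proxy that blocks OCSP/CRL shows up as RevocationStatusUnknown / OfflineRevocation
# rather than as a missing issuer (UntrustedRoot / PartialChain).
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($script:serverCert)
"Chain builds: $built"
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation.Trim())"
}
foreach ($el in $chain.ChainElements) {
    "  element: $($el.Certificate.Subject)"
}
```

Run it once normally and once with `-BypassProxy`; if the chain only builds when the proxy is bypassed, the proxy is rewriting the handshake or blocking the CA's CRL/OCSP endpoints, which is the case the last reply describes. If it fails both ways with `UntrustedRoot` or `PartialChain`, the intermediate or root CA is missing from the machine store and the fix is to install it, not to disable verification.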