Splunk SOAR (f.k.a. Phantom)

Installing Splunk Phantom on CentOS 7.6. RPM file in installation guide is invalid

mdundas
Explorer

Hello all,

I am attempting to install Splunk Phantom 4.5 (not the Phantom App for Splunk) on a CentOS 7.6 VM on ESXi. Using the installation guide from the Phantom site, I first made sure ports 22, 80, and 443 were open, then I downloaded the necessary repositories, cleared YUM's caches, and did a yum update.
Then when I tried to install the .rpm file, I got an error message in the terminal saying
"The requested URL returned error: 404 Not Found."
I tried pinging the address in the terminal and entering in the URL in my browser, and it still looks like this rpm Splunk provided is invalid. Is there somewhere I can download a working .rpm? This is the version I tried to use from the installation manual: https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm
Any help would be appreciated.


koocies
Path Finder

It's possible that your DNS is not resolving the host name for the URL. Can you ping the host or do a nslookup on the host to see if you are able to resolve the hostname?


mdundas
Explorer

Yes, I have tried pinging the host and doing an nslookup on both my VM and local computer. It says it is a non-existent domain.


koocies
Path Finder

what's the host that you are trying to nslookup on?


mdundas
Explorer

So first I tried: https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm, which is the rpm file I am trying to download.

And when that didn't work, I tried just https://repo.phantom.us. That didn't work either.


koocies
Path Finder

Okay, so when you're testing to see if you can resolve a hostname you need to remove the "http://" part; that's not considered part of the hostname. The hostname in this case is repo.phantom.us.
Try "nslookup repo.phantom.us" and let me know if you get an IP back. I did it on my laptop and got a response that the host "repo.phantom.us" is IP "54.165.15.205". You should get something similar, if not the same.


mdundas
Explorer

Ok thank you, yes I was able to hit repo.phantom.us and I got an IP. But I don't get anything when I do an nslookup on the whole address.


koocies
Path Finder

You can't nslookup a URL, only the hostname "repo.phantom.us".

Now if you want to test the URL, which in this case is "https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm", you'll need a different tool. Right now it sounds like you can get an IP address, so Splunk knows who to call. But Splunk needs to talk to that server over HTTPS. nslookup doesn't understand HTTPS or any other protocol other than DNS, which is used to retrieve an IP using a host name. If you're not too familiar with DNS I would highly recommend reading up on a simple introduction. It will help you in the future.

Okay, enough explanation. The next step is to see if we can actually talk to that server over HTTPS. There are a number of tools that can be used to test this, but my personal favorite is nmap. See if you have nmap installed using the command "nmap -V". If you get a "command not found" you'll need to install it. You can install it using this command as root: "yum install nmap -y".

Okay, with nmap we can test ports. The protocol HTTPS runs over 443 (usually), so the command "nmap -p 443 repo.phantom.us" will tell us if that port is open. Give that a try and let me know if the port state says "open".

sorry for the long reply


mdundas
Explorer

Thank you for your help. So when I did the nmap scan, I found that port 443 was open and running https as a service.


koocies
Path Finder

Okay, so, so far we found that you can get an IP and you can connect with no problems. This is good. The problem is looking less and less like it's on your end.

I just did a check on that URL using another tool, "wget", with the command "wget https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm". wget will let you download resources over HTTP and HTTPS, and it's a great way to troubleshoot HTTP and HTTPS. I also got a 404 error, so I don't think you are alone on this.

I opened that link in my browser, but I went one directory back, so I opened "https://repo.phantom.us/phantom/4.5/base/7/x86_64/". There you can see the list of RPM files available. I don't see a file listed with the name "phantom_repo-4.5.7532-1.x86_64.rpm" so that resource is indeed missing.

My recommendation at this point is to open a support ticket if you can, or see if you can download an older version of Phantom. If you put in a ticket, make sure to inform them that you troubleshot and you are able to connect perfectly fine. Also inform them that the URL "https://repo.phantom.us/phantom/4.5/base/7/x86_64/" shows the file is missing.

Sorry for putting you through all this, but I think it's good to check connectivity first before looking anywhere else.

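The layered check walked through above (resolve the hostname, confirm TCP 443, fetch the URL, then look at the parent directory) as a single script. This is an added example, not something posted in the thread; it uses getent, bash's /dev/tcp and curl in place of nslookup, nmap and wget, and only touches the network when a URL is passed on the command line.

```shell
#!/usr/bin/env bash
# Diagnose a "404 Not Found" from yum/wget layer by layer, in the same order as the
# thread: DNS -> TCP 443 -> HTTPS request -> parent directory listing. Constructed
# example; the tools differ from the thread (getent, /dev/tcp, curl) but the logic is the same.

RPM_URL="https://repo.phantom.us/phantom/4.5/base/7/x86_64/phantom_repo-4.5.7532-1.x86_64.rpm"

# The hostname is what sits between "scheme://" and the first "/"; nslookup wants only this.
host_of_url() {
    rest="${1#*://}"
    printf '%s\n' "${rest%%/*}"
}

# The parent directory of the file: the URL to open in a browser when the file itself 404s.
parent_dir_of_url() {
    printf '%s\n' "${1%/*}/"
}

# Map the three results to the layer that failed, so a ticket states the right thing.
classify() {   # args: dns_ok tcp_ok http_status
    if   [ "$1" != ok ];  then echo "dns: resolver cannot map the hostname to an IP"
    elif [ "$2" != ok ];  then echo "network: port 443 blocked or host down"
    elif [ "$3" = 000 ];  then echo "tls: TCP works but the HTTPS request failed"
    elif [ "$3" = 404 ];  then echo "server: file missing; compare with the parent directory listing"
    elif [ "$3" = 200 ];  then echo "ok: file is downloadable"
    else                       echo "http: unexpected status $3"
    fi
}

diagnose() {
    url="$1"; dns=fail; tcp=fail
    host=$(host_of_url "$url")
    getent hosts "$host" >/dev/null 2>&1 && dns=ok
    if [ "$dns" = ok ] && timeout 5 bash -c "exec 3<>/dev/tcp/$host/443" 2>/dev/null; then tcp=ok; fi
    # curl prints 000 when no HTTP response was received at all.
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 -I "$url" 2>/dev/null)
    status=${status:-000}
    printf 'host=%s dns=%s tcp=%s http=%s\n' "$host" "$dns" "$tcp" "$status"
    classify "$dns" "$tcp" "$status"
    echo "parent listing: $(parent_dir_of_url "$url")"
}

# Only hit the network when a URL is given, e.g.: ./check.sh "$RPM_URL"
[ $# -eq 0 ] || diagnose "$1"
```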

mdundas
Explorer

That is good to hear that the problem is not on my end. I will reach out to Splunk and see if either I can get an older version or if they can send me a tarball. Thanks for your help!


koocies
Path Finder

Good luck there.


mdundas
Explorer

They had just updated the installation manual, and the correct version was on there. I now have Phantom completely installed. Thanks again!


mdundas
Explorer

Could it be that I need to somehow be signed into my Splunk Phantom account when I try to download the rpm file? I am not sure how I would do this.
