estreamer pkcs with password

mbassettjr
Explorer

How do you set the estreamer app to use a password for the pkcs file? I am able to test connectivity by passing it on the command line for ssl_test.pl, but how do I specify the password for the app to use by default?

Also, how do the events make it into splunk?

sspencer_splunk
Splunk Employee

This solution helps resolve this error message:

[07:20][bin]$ python estreamer.py
[07:20][bin]$ SFPkcs12 : Unable to get certificate

First, there are a few prerequisites to ensure this solution works:

  • You have generated an eStreamer client certificate using Sourcefire's Defense Center GUI.
  • The password on the certificate does not have any special characters that require escaping in the scripts below.
  • You have read and implemented the following instructions:
    1. $SPLUNK_HOME/etc/apps/Sourcefire/README file
    2. $SPLUNK_HOME/etc/apps/Sourcefire/bin/README file
    3. $SPLUNK_HOME/etc/apps/Sourcefire/docs folder

There are three additional caveats:

  • The ssl_test.pl script doesn't seem to like any extra .pkcs12 files lying around in the $SPLUNK_HOME/etc/apps/Sourcefire/bin directory. Remove any unused .pkcs12 files from that directory.
  • The certificate password will appear in cleartext in various internal Splunk logs and it may appear in "ps" output. It is outside of the scope of this answer to provide obfuscation techniques for this issue.
  • This solution does not scale beyond one Sourcefire Defense Center. If there is a need to communicate with more than one Defense Center, create a second copy of the Sourcefire App (for example, $SPLUNK_HOME/etc/apps/Sourcefire2) and make similar changes to the copy.

The solution lies in modifying two of the files found in $SPLUNK_HOME/etc/apps/Sourcefire/bin:

  • SFPkcs12.pm, and
  • estreamer.py

Start by making local backup copies of both files. Now, edit the SFPkcs12.pm file and locate line 25. It should look like this:

$opts->{password} = ''

Insert your certificate's password between the two single quotes, like so:

$opts->{password} = 'my_awesome_password'

Save the file. Now, edit the estreamer.py file and locate line 56. It should look like this:

estreamer = subprocess.Popen("%s %s -o splunk" % \

Insert your certificate's password and the "-pa" flag between the letter k and the double-quote, like so:

estreamer = subprocess.Popen("%s %s -o splunk -pa=my_awesome_password" % \

Save the file. Run the estreamer.py script again and you should see Sourcefire events appear on STDOUT. Enable the estreamer.py input, if necessary. Sourcefire events should start appearing in Splunk with sourcetype=estreamer.

To answer your second question, the estreamer.py script collects events from the Defense Center and logs them to $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer.log and/or $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer_pcap.log. Splunk monitors those two files and indexes new data as it appears in those files. See the app's inputs.conf files for more details.
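
A helper that applies the two edits above, added here as an example and not part of the Sourcefire app or of this answer. It first rejects passwords containing characters that would need escaping in either file (the prerequisite noted above), makes the backup copies the answer recommends, and only rewrites a line when it finds exactly the text the answer says should be there. It assumes the Perl line uses hash-reference syntax (`$opts->{password}`) and that `bin_dir` is the app's bin directory.

```python
import shutil
from pathlib import Path

# Characters that would break the two string contexts being edited:
# a Perl single-quoted literal, and a Python "%"-format string literal
# (a "%" in the password would be consumed by the % operator).
PERL_UNSAFE = set("'\\")
PYTHON_UNSAFE = set('"\\%')

# The two lines as this answer says they appear before editing
# (assumed Perl hashref syntax on the first one).
PERL_LINE = "$opts->{password} = ''"
PY_LINE = 'estreamer = subprocess.Popen("%s %s -o splunk" % \\'


def check_password(password: str) -> list[str]:
    """Return the reasons a password cannot be pasted in verbatim; [] means it can."""
    problems = []
    bad = sorted(PERL_UNSAFE & set(password))
    if bad:
        problems.append(f"needs escaping in SFPkcs12.pm single-quoted string: {bad}")
    bad = sorted(PYTHON_UNSAFE & set(password))
    if bad:
        problems.append(f"needs escaping in estreamer.py format string: {bad}")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace, which would split the -pa argument")
    return problems


def patch_sfpkcs12(text: str, password: str) -> str:
    """Fill in the empty password literal in SFPkcs12.pm (line 25 per the answer)."""
    if text.count(PERL_LINE) != 1:
        raise ValueError("SFPkcs12.pm: expected exactly one empty password line")
    return text.replace(PERL_LINE, f"$opts->{{password}} = '{password}'")


def patch_estreamer(text: str, password: str) -> str:
    """Append -pa=<password> to the Popen command in estreamer.py (line 56)."""
    if text.count(PY_LINE) != 1:
        raise ValueError("estreamer.py: expected exactly one Popen line")
    patched = f'estreamer = subprocess.Popen("%s %s -o splunk -pa={password}" % \\'
    return text.replace(PY_LINE, patched)


def apply(bin_dir: Path, password: str) -> None:
    """Back up both files, then write the patched versions (password stays in cleartext)."""
    problems = check_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    for name, patch in (("SFPkcs12.pm", patch_sfpkcs12), ("estreamer.py", patch_estreamer)):
        path = bin_dir / name
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))  # keeps file mode
        path.write_text(patch(path.read_text(), password))
```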
