Is it possible to bring in failed scan events? I've attached a screenshot of a sample failed scan that I'm seeing in the Qualys web UI. I can find no associated event in Splunk for this failure event.
Hello,
This app adds a modular input, so you'll want to navigate to Settings->Data Inputs->FTP Input and click "New". This is where you'll configure hostname, username/password, file path, etc.
@wryanthomas - really sorry to hear you're having this issue. You aren't by chance behind a proxy, are you?
We tested this in IE, Firefox, Safari, and Chrome across both Windows and OS X and are unable to recreate any of these errors.
The returned JSON is from Splunk's AppInspect API, so if it were universally malformed we would be seeing it as well.
You could also try using Postman to communicate with the AppInspect API just to see if it's returning any of the same errors: http://dev.splunk.com/view/appinspect/SP-CAAAFDU
Ah, Safari. Testing in Safari appears to work. Not sure how else to try and reproduce the issue on our end.
For a potential quick fix you could try modifying some JavaScript. If you go into appserver/static/lib/application.js and modify line 129 from that.setMessage(response.msg, "success"); to something like that.setMessage("Successfully authenticated.", "success"); that should avoid the problem.
You may have to run _bump in the browser to clear the static caching after you've made the change. So, it would be something like https://<splunk>/en-US/_bump
Thanks for the information.
Looking at the errors, this one specifically, "window.controllers/Controllers is deprecated. Do not use it for UA detection.", appears to be Firefox related. Are you using Firefox?
We tested this in Firefox 67 and 68 with no errors. Also tested in the latest Edge, IE, and Chrome with no issues.
Do you have any browser plugins installed that may be interfering?
Hi @wryanthomas, thanks for reaching out.
We've tested this on 7.2 and 7.3 and have not been able to reproduce this issue.
Would you be able to check your browser's console window to see if any errors are being thrown when you attempt to login?
@morganfw thanks for reaching out. Regarding the second issue: as a potential quick fix you could modify getshodan.py on line 109 and add a time.sleep(1) to pause for 1 second before resuming with the next request.
So, it would look like:
    # requires: import time
    for net in self.netlist:
        time.sleep(1)  # pause one second before each Shodan request
        query = "net:%s" % net
        results += api.search(query)['matches']
Let us know if that fixes the second issue for you.
Then we can work on implementing a permanent fix for the next release, as well as addressing the first issue.
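The workaround above inserts a fixed one-second pause before every request. Below is an added example, not Hurricane Labs' getshodan.py, of the same per-network loop with the pause enforced as a minimum spacing between requests and a bounded retry with back-off when a request fails. Only the .search(query) -> {"matches": [...]} shape of the shodan library's Shodan.search() is assumed; the api object, clock and sleep are injectable, and the FakeApi/FakeClock used in demo() are constructed stand-ins so the code runs offline. The retry and back-off behaviour is this example's addition, not something the app does.

```python
import time
from typing import Callable, Dict, Iterable, List


class ThrottledCollector:
    """Collect Shodan 'matches' for each network while rate-limiting requests.

    `api` is anything with .search(query) returning {"matches": [...]} (the
    shape of shodan.Shodan.search()). `clock` and `sleep` default to the real
    ones and are injectable for testing.
    """

    def __init__(self, api, min_interval: float = 1.0, max_retries: int = 3,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.api = api
        self.min_interval = min_interval   # minimum seconds between requests
        self.max_retries = max_retries
        self.clock = clock
        self.sleep = sleep
        self._last_request = None
        self.request_times: List[float] = []  # when each request was issued

    def _wait_turn(self) -> None:
        """Sleep only for the remainder of min_interval since the last request."""
        if self._last_request is not None:
            elapsed = self.clock() - self._last_request
            if elapsed < self.min_interval:
                self.sleep(self.min_interval - elapsed)
        self._last_request = self.clock()
        self.request_times.append(self._last_request)

    def _search(self, query: str) -> Dict:
        attempt = 0
        while True:
            self._wait_turn()
            try:
                return self.api.search(query)
            except Exception:  # the real client raises shodan.APIError; kept generic here
                attempt += 1
                if attempt > self.max_retries:
                    raise
                # exponential back-off before the next attempt
                self.sleep(self.min_interval * (2 ** attempt))

    def collect(self, netlist: Iterable[str]) -> List[Dict]:
        """Same loop as the post: one net:<cidr> query per network, results concatenated."""
        results: List[Dict] = []
        for net in netlist:
            query = "net:%s" % net
            results += self._search(query)["matches"]
        return results


class FakeClock:
    """Constructed clock: sleeping advances time instead of blocking."""
    def __init__(self):
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class FakeApi:
    """Constructed stand-in for shodan.Shodan: fails the very first request once
    to exercise the retry path, then returns one fake match per query."""
    def __init__(self):
        self.calls = 0

    def search(self, query: str) -> Dict:
        self.calls += 1
        if self.calls == 1:
            raise RuntimeError("rate limited")  # constructed transient failure
        return {"matches": [{"ip_str": "192.0.2.1", "port": 22, "query": query}]}


def demo():
    """Run the collector against the fakes; returns (results, request_times, api_calls)."""
    clock = FakeClock()
    api = FakeApi()
    collector = ThrottledCollector(api, min_interval=1.0,
                                   clock=clock.time, sleep=clock.sleep)
    results = collector.collect(["192.0.2.0/24", "198.51.100.0/24"])
    return results, collector.request_times, api.calls


if __name__ == "__main__":
    print(demo())
```

With the fakes, the first request is sent at t=0 and fails, the retry waits 2 s (back-off) and succeeds at t=2, and the second network is queried at t=3 after the one-second spacing; every gap between requests is at least min_interval, which is the property the fixed sleep was meant to guarantee.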
Additionally, Shodan actually says "the free API key doesn't have access to HTTPS or Telnet results. I believe that if you do a direct IP lookup (instead of a search request) then you will be able to see the HTTPS/Telnet information even with a free API key.", but the custom command in the app does not support this. This is definitely something that we can look into adding to the app.
Hi @D2SI, do you happen to be using a free Shodan API key? It appears when testing this using a free API key no 443 ports show, but when using a paid API key 443 does show up.
What version of Splunk are you running?
What search heads are listed in the Cluster Master? (It should just be the search heads and the cluster master, not any of the other stuff)
What does your outputs.conf look like on the HF?
Install the Splunk_TA_nix on the Splunk infrastructure as necessary.
this will tell you where you need to install it:
http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Install
this will show you how to install it on the different servers:
https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
Enable data and scripted inputs as necessary in deployment-apps/Splunk_TA_nix/local/inputs.conf (or in another app) on the deployment server
I recommend creating a "baseline_nix_inputs" app for this purpose.
Push both the Splunk_TA_nix and your "baseline_nix_inputs" apps to your client machines using the deployment server
This will show you how to deploy apps to clients:
http://docs.splunk.com/Documentation/Splunk/latest/Updating/Updateconfigurations
In my case, it turns out that it was EXTRA fields in the lookup table that are not listed in the docs (http://docs.splunk.com/Documentation/ES/4.2.1/User/AssetandIdentityCorrelation#Asset_lookup_header)
Once I removed the extra fields, it worked without any problems.
BUG-FIX request: Can this be fixed so that the Python just ignores the extra fields?
Here's more details about how that works:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories#How_Splunk_Enterprise_monitors_archived_files
Does eStreamer log data clean up after itself?
If not, what's the best way to accomplish this if I don't have access to add a logrotate script?
We have deprecated this app in favor of a new app, and a TA with API capabilities. Please use those instead:
Hurricane Labs App for Vulnerability Management: http://apps.splunk.com/app/1861/
Hurricane Labs Add-On for Nessus : http://apps.splunk.com/app/1860/
This is working for me without the log facility and level.
\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)
If you need to include it you could do:
\<\d{2}\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)
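To see what the two patterns extract, here is an added example (not code from the original post) that runs both regexes, verbatim, with Python's re module over a few constructed syslog lines; for these patterns re behaves the same as the PCRE Splunk uses. It goes one step beyond the post: the second pattern is given a capture group around the <PRI> value so the facility and severity can be decoded per RFC 3164 (facility = pri // 8, severity = pri % 8). The sample lines and hostnames are constructed, not real captures.

```python
import re

# Pattern from the post for lines that carry no <PRI> prefix; re.search is
# used, so it also matches lines that do carry one (the prefix is just skipped).
FORWARDED_FROM_RE = re.compile(
    r"\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)")

# Pattern from the post that requires the two-digit <PRI> prefix. The only
# change here is the capture group around the digits so PRI can be decoded.
FORWARDED_FROM_PRI_RE = re.compile(
    r"\<(\d{2})\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)")

# RFC 3164 severity names, index = pri % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def forwarding_host(line):
    """Host named in 'Message forwarded from <host>:', or None if absent."""
    m = FORWARDED_FROM_RE.search(line)
    return m.group(1) if m else None


def parse_forwarded(line):
    """Return (facility, severity_name, host), or None if the line has no <PRI>
    prefix or no forwarding header."""
    m = FORWARDED_FROM_PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


# Constructed sample lines (not real captures).
SAMPLE_LINES = [
    "Jul 16 10:23:45 Message forwarded from web01.example.internal: sshd[4242]: Accepted publickey for deploy",
    "<34>Jul 16 10:23:46 Message forwarded from db02.example.internal: su[1100]: FAILED SU (to root)",
    "<13>Jul 16 10:23:47 Message forwarded from 10.0.0.7: cron[900]: (root) CMD (/usr/bin/backup)",
    "Jul 16 10:23:48 web01.example.internal sshd[4243]: Connection closed",  # no forwarding header
]


def demo():
    """Apply both extractors to every sample line."""
    return [(forwarding_host(line), parse_forwarded(line)) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for host, decoded in demo():
        print(host, decoded)
```

The first line has no <PRI>, so only the first pattern matches it; the second and third lines match both, and <34> decodes to facility 4 (auth) at severity crit while <13> decodes to facility 1 (user) at severity notice; the last line has no forwarding header and matches neither. Note that `[^:]+` stops at the first colon, which is what keeps the captured host clean even when the forwarded message itself contains colons.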