Splunk Cisco_IPS app no longer pulls from IPS

 Problem

After an upgrade to Splunk 6, the Cisco_IPS app fails to download IPS logs.

 Troubleshooting

  1. Open var/log/splunk/sdee_get.log under the Splunk installation directory ($SPLUNK_HOME).
  2. Events like the following show up; the IPS is answering the TLS handshake with a decode_error alert, so the download never gets past the SSL negotiation.

    Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>
    
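The hex value in that line is OpenSSL's packed error code (library, function and reason fields), and decoding it tells you which side objected and why before you touch pySDEE.py. The script below is an added example for this article, not code from the Cisco_IPS app or pySDEE; it is written for Python 3 (the app itself is Python 2, but the log format is the same). The first sample log line is the one quoted above, the second is a constructed benign entry, and the ERR_LIB_SSL / alert-offset constants come from OpenSSL's error-code layout.

```python
"""Decode the OpenSSL error that pySDEE logs when the IPS refuses the handshake.

Added example for this article; not code from the Splunk_CiscoIPS app or pySDEE.
Runs under Python 3 (the app itself is Python 2, but the log format is the same).
"""
import re

# OpenSSL packs an error code as 0xLLFFFRRR: 8-bit library, 12-bit function,
# 12-bit reason.  Library 20 is ERR_LIB_SSL.
ERR_LIB_SSL = 20
# SSL_R_TLSV1_ALERT_* reasons are 1000 + the alert description byte (RFC 5246 7.2).
ALERT_REASON_BASE = 1000

TLS_ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    50: "decode_error",
    70: "protocol_version",
}

# Matches the "error:<hex>:<lib>:<func>:<reason text>" token Python's _ssl.c emits.
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:>]*):([^:>]*):([^>]*)")

# Sample sdee_get.log lines: the first is the line quoted in the article,
# the second is constructed to look like a benign entry.
SAMPLE_LOG = [
    "Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 "
    "error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>",
    "sdee.get(): subscription opened, 12 events received",
]


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_sdee_log_line(line):
    """Return a dict describing the OpenSSL error in a log line, or None if there is none."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = decode_openssl_error(code)
    alert = None
    if lib == ERR_LIB_SSL and ALERT_REASON_BASE <= reason < ALERT_REASON_BASE + 256:
        # The remote side sent a TLS alert; reason - 1000 is the alert number.
        alert = reason - ALERT_REASON_BASE
    return {
        "code": code,
        "lib": lib,
        "func": func,
        "reason": reason,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
        "alert": alert,
        "alert_name": TLS_ALERT_NAMES.get(alert, "unknown") if alert is not None else None,
    }


def diagnose(info):
    """Map a parsed error to the action this article's fix implies."""
    if info is None:
        return "no TLS error"
    if info["alert"] == 50 and info["func_name"].startswith("SSL23_"):
        # The IPS could not parse the version-flexible (SSLv23) ClientHello that
        # the newer OpenSSL sends: pin ssl_version in pySDEE.py (TLSv1 first).
        return "peer rejected SSLv23 ClientHello: pin ssl_version to PROTOCOL_TLSv1"
    if info["alert"] in (40, 70):
        # The pinned version itself is unsupported on the device.
        return "peer refused the pinned protocol version: try the other ssl_version"
    return "TLS error not related to handshake version: %s" % info["reason_text"]


def scan(lines):
    """Diagnose every line; returns a list of (line, diagnosis) for lines with errors."""
    results = []
    for line in lines:
        info = parse_sdee_log_line(line)
        if info is not None:
            results.append((line, diagnose(info)))
    return results


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(verdict)
        print("  ", line)
```

Run it against the real log with `python3 decode_sdee.py < sdee_get.log` adapted to read stdin, or just feed lines to scan(); a decode_error alert out of an SSL23_ function is the signature of the problem this article fixes, whereas handshake_failure or protocol_version after the fix means the device wants the other ssl_version.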

 Fix

Note: upgrading to the latest version of the app should make the problem go away, so try that before patching anything. App Link

Info for the fix was pulled from: This Splunk forum

  1. Navigate to etc/apps/Splunk_CiscoIPS/bin/pysdee/ under the Splunk installation directory ($SPLUNK_HOME).
  2. Edit pySDEE.py.
  3. Directly after the default import statements, paste the following. It replaces httplib.HTTPSConnection with a copy whose connect() pins the TLS version instead of letting OpenSSL negotiate.

    # The section below overrides the default HTTPS socket connection, which
    # fails against these devices. The newer OpenSSL that Python's ssl module
    # is built against offers a handshake (protocol versions, ciphers and
    # extensions) that the older IPS software cannot parse, so the device
    # answers with a decode_error alert. Pinning ssl_version sends a plainer
    # handshake the device accepts.
    
    import httplib
    from httplib import HTTPConnection, HTTPS_PORT
    import ssl
    import socket
    
    class HTTPSConnection(HTTPConnection):
        default_port = HTTPS_PORT
    
        def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, source_address=None):
            HTTPConnection.__init__(self, host, port, strict, timeout, source_address)
            self.key_file = key_file
            self.cert_file = cert_file
    
        # connect() is a method of the class, not nested inside __init__:
        # it is the same as the stock httplib.HTTPSConnection.connect()
        # except that ssl.wrap_socket() gets an explicit ssl_version.
        def connect(self):
            sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
            if self._tunnel_host:
                self.sock = sock
                self._tunnel()
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_TLSv1)
    
    # now we override the one in httplib so urllib2 picks up this class
    httplib.HTTPSConnection = HTTPSConnection
    # ssl_version corrections are done
    
    

Depending on your IPS, you may need to change

ssl.PROTOCOL_TLSv1

to

ssl.PROTOCOL_SSLv3

Only fall back to SSLv3 if TLSv1 still fails: SSLv3 is a broken protocol and should be treated as a last resort for an isolated management connection, not a general setting. Note also that this override, like the stock Python 2 httplib it replaces, calls ssl.wrap_socket() without cert_reqs, so the IPS certificate is still not verified; the patch does not make the connection any less (or more) authenticated than it was before.

Restart splunkd and you should be good to go; check sdee_get.log afterwards to confirm the URLError entries have stopped.
