Closed Tatsuya-hasegawa closed 1 year ago
I will have a look into it. We are currently improving the Splunk SOAR/Phantom installation. It could be that we forgot to update the local version. Let me take a look. Thank you for reporting it.
Thank you for the reply. Packer and Terraform are mixed in the current version. That is very confusing. I expect that Packer unification is accomplished.
FYI: I tried it on my macOS 12.2 along with https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html.
By the way, do you know whether there is a Splunk SOAR (Phantom) lab available anywhere for free?
I would like to try Phantom and Splunk Enterprise Security as soon as possible.
Packer doesn't need to be used. You can disable it with:
general:
  use_prebuilt_images_with_packer: '0'
In order to install Splunk SOAR, you can request a free trial and download Splunk SOAR from here: https://www.splunk.com/en_us/download/soar-free-trial.html
You need to copy the downloaded file into .../attack_range/apps/. Then you will add the following part to your attack_range.yml:
phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz"
You need to replace phantom_app with the file name you downloaded. Then you can run the build command.
Splunk Enterprise Security doesn't have a free trial which can be downloaded. In order to try out Splunk ES, you need to contact Splunk Sales.
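As an added example (not code from the attack_range project or from anyone in this thread), here is a small preflight script that checks the two things the reply above depends on: that the tarball named by phantom_app is actually present in apps/, and that phantom_version, when set, agrees with the version embedded in that file name. The installer file-name pattern, the sample config (taken from the configuration posted later in this thread) and the helper names are assumptions of this example; the YAML is read with a regex instead of a YAML library so it runs with the standard library only.

```python
"""Preflight check for the phantom_server section of attack_range.yml.

Added example, not part of attack_range. Reads only the three keys it needs
with a regex, so no YAML library is required.
"""
import os
import re

# Assumed shape of the unprivileged SOAR installer name, e.g.
# splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz
SOAR_TGZ = re.compile(
    r"^splunk_soar-unpriv-(?P<version>\d+(?:\.\d+)+)-[0-9a-f]+-el\d+-x86_64\.tgz$"
)

# Matches "key: value" lines for the keys we care about; the bare section
# header "phantom_server:" has no value and is therefore skipped.
KEY_RE = re.compile(
    r"^[ \t]*(phantom_server|phantom_app|phantom_version)[ \t]*:[ \t]*(\S.*?)[ \t]*$",
    re.MULTILINE,
)

# Constructed sample: the phantom section from the config posted in this thread.
SAMPLE_CONFIG = """general:
  cloud_provider: local
  use_prebuilt_images_with_packer: '0'
phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-6.0.0.114895-cb859067-el7-x86_64.tgz"
  phantom_community_username: 'my community username'
  phantom_community_password: 'my community password '
  phantom_version: "6.0.0.114895"
"""


def parse_phantom_keys(yaml_text):
    """Return phantom_server / phantom_app / phantom_version with quotes stripped."""
    return {m.group(1): m.group(2).strip("'\"") for m in KEY_RE.finditer(yaml_text)}


def list_apps(apps_dir):
    """File names present in the attack_range apps/ directory."""
    return set(os.listdir(apps_dir)) if os.path.isdir(apps_dir) else set()


def check_phantom_config(yaml_text, present_files):
    """Return a list of problems; an empty list means the section is consistent."""
    cfg = parse_phantom_keys(yaml_text)
    if cfg.get("phantom_server") != "1":
        return []  # Phantom not enabled, nothing to verify
    app = cfg.get("phantom_app")
    if not app:
        return ["phantom_server is enabled but phantom_app is not set"]

    problems = []
    name = SOAR_TGZ.match(app)
    if name is None:
        problems.append(f"phantom_app {app!r} does not look like a Splunk SOAR unprivileged installer name")
    if app not in present_files:
        problems.append(f"{app} is not in apps/; copy the downloaded tarball there before building")
    version = cfg.get("phantom_version")
    if version and name and version != name.group("version"):
        problems.append(
            f"phantom_version {version} does not match {name.group('version')} from the phantom_app file name"
        )
    return problems


if __name__ == "__main__":
    # Usage: run from the attack_range checkout; apps/ is resolved relative to cwd.
    with open("attack_range.yml", encoding="utf-8") as fh:
        text = fh.read()
    for problem in check_phantom_config(text, list_apps("apps")) or ["phantom_server section looks consistent"]:
        print(problem)
```

The consistency check between phantom_version and the file name is there because the thread shows two different SOAR versions being referenced (5.5.0 in the reply, 6.0.0 in the posted config); catching a stale value before the build starts is cheaper than reading the Ansible failure afterwards.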
@P4T12ICK Thank you for the info. I tried it like that, however this error still appears.
PLAY [all] *********************************************************************
TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}
PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
My attack_range.yml:
general:
  cloud_provider: local
  attack_range_password: Zw1ZL7Fv8piQObsjnVU
  # for phantom from https://github.com/splunk/attack_range/issues/776
  use_prebuilt_images_with_packer: '0'
local: {}
windows_servers:
- hostname: ar-win-dc
  windows_image: windows-2019-v3-0-0
  create_domain: '1'
  install_red_team_tools: '1'
  bad_blood: '1'
- hostname: ar-win-2
  windows_image: windows-2016-v3-0-0
  join_domain: '1'
  install_red_team_tools: '1'
linux_servers:
- hostname: ar-linux
phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-6.0.0.114895-cb859067-el7-x86_64.tgz"
  phantom_community_username: 'my community username'
  phantom_community_password: 'my community password '
  phantom_version: "6.0.0.114895"
Could you give me a hint on how to debug or solve this? Thank you in advance.
Issue #783
Hi @P4T12ICK, hope you are doing well. I did the exact same action as per the quote:
While I am still getting the error below. 3xtreme3_#776_Error local-exec provisioner.txt
Here's my attack_range.yml file content. 3xtreme3_attack_range.txt
Packer doesn't need to be used. You can disable it with:
general:
  use_prebuilt_images_with_packer: '0'
In order to install Splunk SOAR, you can request a free trial and download Splunk SOAR from here: https://www.splunk.com/en_us/download/soar-free-trial.html
You need to copy the downloaded file into .../attack_range/apps/. Then you will add the following part to your attack_range.yml:
phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz"
You need to replace phantom_app with the file name you downloaded. Then you can run the build command.
Splunk Enterprise Security doesn't have a free trial which can be downloaded. In order to try out Splunk ES, you need to contact Splunk Sales.
You get connection issues to the server. Could it be that your IP Address changed or you have other connection issues?
You get connection issues to the server. Could it be that your IP Address changed or you have other connection issues?
I've checked my local connection to the AWS instance and the connection is successful. I've also made sure that my public IP is in the security group.
It could be a connection issue; is there a way to troubleshoot it?
Hi @P4T12ICK, hope this finds you well. I managed to access the phantom server by SSH, but checking the running services I didn't see phantom running. To troubleshoot, I've also ensured that the ACL in the AWS VPC and the Security Group allow any inbound and outbound traffic, but I'm still getting this:
Sorry for the delay. This should be fixed.
Hi @P4T12ICK,
I'm still getting the same Phantom error above on my local build.
2023-11-03 22:51:05,345 - INFO - attack_range - [action] > build
Bringing machine 'ar-phantom-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-splunk-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-1' up with 'virtualbox' provider...
Bringing machine 'ar-linux-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
==> ar-phantom-attack-range-key-pair-ar: Checking if box 'centos/7' version '2004.01' is up to date...
==> ar-phantom-attack-range-key-pair-ar: Running provisioner: ansible...
ar-phantom-attack-range-key-pair-ar: Running ansible-playbook...
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks
instead. This feature will be removed in version 2.16. Deprecation warnings can
be disabled by setting deprecation_warnings=False in ansible.cfg.
PLAY [all] *********************************************************************
TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}
PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
2023-11-03 22:51:12,502 - ERROR - attack_range - vagrant failed to build
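The same `fatal:` line appears three times in this thread, so here is an added example (not from attack_range or anyone posting here) that parses Ansible's `fatal: [host]: FAILED! => {...}` output and classifies the failure. The JSON after `=>` is exactly what the `uri` module returned; because Ansible modules run on the managed host, a URL of `https://127.0.0.1:8443/...` with "Connection refused" means nothing on the Phantom VM itself is accepting connections on 8443, which matches the later observation that the phantom service was not running. The sample lines are the one from this thread plus one constructed HTTP 401 line; the function names are this example's own.

```python
"""Triage of Ansible uri-module failures from build output.

Added example, not part of attack_range. Extracts the managed host, the URL
the uri task tried, and the status, and turns them into a short verdict.
"""
import json
import re
from urllib.parse import urlparse

FATAL_RE = re.compile(r"^fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?P<body>\{.*\})\s*$")

# Sample log lines: the first is the failure posted in this thread, the second
# is constructed to show the non-network branch.
SAMPLE_LOG = """PLAY [all] *********************************************************************
TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}
fatal: [constructed-host]: FAILED! => {"changed": false, "msg": "Status code was 401 and not [200]: HTTP Error 401: Unauthorized", "status": 401, "url": "https://127.0.0.1:8443/rest/user_settings"}
PLAY RECAP *********************************************************************
"""


def parse_fatal(line):
    """Return {'host': ..., 'result': dict} for a fatal line, else None."""
    m = FATAL_RE.match(line)
    if m is None:
        return None
    return {"host": m.group("host"), "result": json.loads(m.group("body"))}


def triage(line):
    """Classify one fatal line. Verdicts: refused, unreachable, http_<code>."""
    parsed = parse_fatal(line)
    if parsed is None:
        return None
    res = parsed["result"]
    url = urlparse(res.get("url", ""))
    status = res.get("status")
    msg = res.get("msg", "")
    info = {
        "host": parsed["host"],
        "endpoint_host": url.hostname,
        "port": url.port,
        "status": status,
    }
    if "Connection refused" in msg:
        info["verdict"] = "refused"
        # The uri module runs on the managed host, so a loopback endpoint
        # refers to that host: no listener on the port there.
        where = "the managed host itself" if url.hostname in ("127.0.0.1", "localhost") else url.hostname
        info["hint"] = f"nothing is listening on port {url.port} on {where}; check the service is installed and started"
    elif status == -1:
        info["verdict"] = "unreachable"
        info["hint"] = "request never got an HTTP answer; check DNS, routing, firewall and TLS"
    else:
        info["verdict"] = f"http_{status}"
        info["hint"] = "the service answered; look at credentials or the request itself"
    return info


def triage_log(text):
    """Triage every fatal line in a block of Ansible output."""
    return [t for t in (triage(line) for line in text.splitlines()) if t is not None]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry['host']}: {entry['verdict']} -> {entry['hint']}")
```

Running it over the output pasted above prints a single "refused" verdict for ar-phantom-attack-range-key-pair-ar pointing at port 8443 on the managed host, which is the direction 3xtreme3 eventually went by SSHing in and checking the running services.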
@Tatsuya-hasegawa - was your issue resolved?
Hello,
Phantom build fails every time locally.
Would you check this issue? I think that installing phantom is needed before configure_phantom.yml (/terraform/ansible/roles/phantom/tasks/main.yml).
It looks like it is using the terraform/ansible procedure. Could you prepare a packer file for local?
My attack_range.yml:
Thank you in advance. Best regards,