splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

Local Phantom failed #776

Closed Tatsuya-hasegawa closed 1 year ago

Tatsuya-hasegawa commented 1 year ago

Hello,

Phantom build fails every time in local.

Would you check this issue? I think that installing phantom is needed before configure_phantom.yml (/terraform/ansible/roles/phantom/tasks/main.yml).

It looks like it is using the terraform/ansible procedure. Could you prepare a packer file for local?

my attack_range.yml

general:
  cloud_provider: local
  attack_range_password: Zw1ZL7Fv8piQObsjnVU
local: {}
windows_servers:
- hostname: ar-win-dc
  windows_image: windows-2019-v3-0-0
  create_domain: '1'
  install_red_team_tools: '1'
  bad_blood: '1'
- hostname: ar-win-2
  windows_image: windows-2016-v3-0-0
  join_domain: '1'
  install_red_team_tools: '1'
linux_servers:
- hostname: ar-linux
phantom_server:
  phantom_server: '1'
  phantom_app: phantom
(attack-range-py3.9) (base) hacket@hackeTlab attack_range % python attack_range.py build

                              __
                            .d$$b
                          .' TO$;\
                         /  : TP._;
                        / _.;  :Tb|
                       /   /   ;j$j
                   _.-"       d$$$$
                 .' ..       d$$$$;
                /  /P'      d$$$$P. |\
               /   "      .d$$$P' |\^"l
             .'           `T$P^"""""  :
         ._.'      _.'                ;
      `-.-".-'-' ._.       _.-"    .-"
    `.-" _____  ._              .-"
   -(.g$$$$$$$b.              .'
     ""^^T$$$P^)            .(:
       _/  -"  /.'         /:/;
    ._.'-'`-'  ")/         /;/;
 `-.-"..--""   " /         /  ;
.-" ..--""        -'          :
..--""--.-"         (\      .-(\
  ..--""              `-\(\/;`
    _.                      :
                            ;`-
                           :\
                           ;  bug

By: Splunk Threat Research Team [STRT] - research@splunk.com

2023-03-20 14:44:34,307 - INFO - attack_range - [action] > build

Bringing machine 'ar-phantom-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-splunk-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-1' up with 'virtualbox' provider...
Bringing machine 'ar-linux-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
==> ar-phantom-attack-range-key-pair-ar: Importing base box 'centos/7'...
==> ar-phantom-attack-range-key-pair-ar: Matching MAC address for NAT networking...
==> ar-phantom-attack-range-key-pair-ar: Checking if box 'centos/7' version '2004.01' is up to date...
==> ar-phantom-attack-range-key-pair-ar: Setting the name of the VM: ar-phantom
==> ar-phantom-attack-range-key-pair-ar: Clearing any previously set network interfaces...
==> ar-phantom-attack-range-key-pair-ar: Preparing network interfaces based on configuration...
    ar-phantom-attack-range-key-pair-ar: Adapter 1: nat
    ar-phantom-attack-range-key-pair-ar: Adapter 2: hostonly
==> ar-phantom-attack-range-key-pair-ar: Forwarding ports...
    ar-phantom-attack-range-key-pair-ar: 443 (guest) => 8443 (host) (adapter 1)
    ar-phantom-attack-range-key-pair-ar: 22 (guest) => 2222 (host) (adapter 1)
==> ar-phantom-attack-range-key-pair-ar: Running 'pre-boot' VM customizations...
==> ar-phantom-attack-range-key-pair-ar: Booting VM...
==> ar-phantom-attack-range-key-pair-ar: Waiting for machine to boot. This may take a few minutes...
    ar-phantom-attack-range-key-pair-ar: SSH address: 127.0.0.1:2222
    ar-phantom-attack-range-key-pair-ar: SSH username: vagrant
    ar-phantom-attack-range-key-pair-ar: SSH auth method: private key
    ar-phantom-attack-range-key-pair-ar: 
    ar-phantom-attack-range-key-pair-ar: Vagrant insecure key detected. Vagrant will automatically replace
    ar-phantom-attack-range-key-pair-ar: this with a newly generated keypair for better security.
    ar-phantom-attack-range-key-pair-ar: 
    ar-phantom-attack-range-key-pair-ar: Inserting generated public key within guest...
    ar-phantom-attack-range-key-pair-ar: Removing insecure key from the guest if it's present...
    ar-phantom-attack-range-key-pair-ar: Key inserted! Disconnecting and reconnecting using new SSH key...
==> ar-phantom-attack-range-key-pair-ar: Machine booted and ready!
==> ar-phantom-attack-range-key-pair-ar: Checking for guest additions in VM...
    ar-phantom-attack-range-key-pair-ar: No guest additions were detected on the base box for this VM! Guest
    ar-phantom-attack-range-key-pair-ar: additions are required for forwarded ports, shared folders, host only
    ar-phantom-attack-range-key-pair-ar: networking, and more. If SSH fails on this machine, please install
    ar-phantom-attack-range-key-pair-ar: the guest additions and repackage the box to continue.
    ar-phantom-attack-range-key-pair-ar: 
    ar-phantom-attack-range-key-pair-ar: This is not an error message; everything may continue to work properly,
    ar-phantom-attack-range-key-pair-ar: in which case you may ignore this message.
==> ar-phantom-attack-range-key-pair-ar: Setting hostname...
==> ar-phantom-attack-range-key-pair-ar: Configuring and enabling network interfaces...
==> ar-phantom-attack-range-key-pair-ar: Rsyncing folder: /Users/hacket/Myprojects/SplunkAttackRange/attack_range/vagrant/ => /vagrant
==> ar-phantom-attack-range-key-pair-ar: Running provisioner: ansible...
    ar-phantom-attack-range-key-pair-ar: Running ansible-playbook...
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks 
instead. This feature will be removed in version 2.16. Deprecation warnings can
 be disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [all] *********************************************************************

TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}

PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

2023-03-20 14:45:13,994 - ERROR - attack_range - vagrant failed to build

Thank you in advance. Best regards,

P4T12ICK commented 1 year ago

I will have a look into it. We are currently improving the Splunk SOAR/Phantom installation. It could be that we forgot to update the local version. Let me take a look. Thank you for reporting it.

Tatsuya-hasegawa commented 1 year ago

Thank you for the reply. Packer and Terraform are mixed in the current version. That is very confusing. I expect that Packer unification will be accomplished.

FYI: I tried it on my macOS 12.2 along with https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html.

By the way, do you know if there is a Splunk SOAR (Phantom) lab available anywhere for free?

I would like to try Phantom and Splunk Enterprise Security as soon as possible.

P4T12ICK commented 1 year ago

Packer doesn't need to be used. You can disable it with:

general:
  use_prebuilt_images_with_packer: '0'

In order to install Splunk SOAR, you can request a free trial and download Splunk SOAR from here: https://www.splunk.com/en_us/download/soar-free-trial.html

You need to copy the downloaded file into .../attack_range/apps/. Then you will add the following part to your attack_range.yml:

phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz" 

You need to replace the phantom_app with the file name, which you downloaded. Then you can run the build command.

Splunk Enterprise Security doesn't have a free trial which can be downloaded. In order to try out Splunk ES, you need to contact Splunk Sales.

Tatsuya-hasegawa commented 1 year ago

@P4T12ICK Thank you for the info. I tried it like that; however, this error still appears.

PLAY [all] *********************************************************************

TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}

PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

my attack_range.yml

general:
  cloud_provider: local
  attack_range_password: Zw1ZL7Fv8piQObsjnVU
# for phantom from https://github.com/splunk/attack_range/issues/776  
  use_prebuilt_images_with_packer: '0'
local: {}
windows_servers:
- hostname: ar-win-dc
  windows_image: windows-2019-v3-0-0
  create_domain: '1'
  install_red_team_tools: '1'
  bad_blood: '1'
- hostname: ar-win-2
  windows_image: windows-2016-v3-0-0
  join_domain: '1'
  install_red_team_tools: '1'
linux_servers:
- hostname: ar-linux
phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-6.0.0.114895-cb859067-el7-x86_64.tgz"
  phantom_community_username: 'my community username'
  phantom_community_password: 'my community password ' 
  phantom_version: "6.0.0.114895"

Could you give me a hint on how to debug or solve this? Thank you in advance.
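A readiness probe, added here as an example rather than code from attack_range, that separates what the playbook's "Status code was -1 ... Connection refused" can mean: nothing listening on the forwarded port 8443 (SOAR not installed or not started yet, the hypothesis in the opening post), packets being dropped, or a service that answers but rejects the request. The host, port and REST URL are the ones from the failing task on this page; treating the SOAR certificate as self-signed is an assumption.

```python
import socket
import ssl
import time
import urllib.error
import urllib.request

# Endpoint from the failing Ansible task on this page: forwarded host port and REST path.
SOAR_HOST = "127.0.0.1"
SOAR_PORT = 8443
SOAR_URL = f"https://{SOAR_HOST}:{SOAR_PORT}/rest/user_settings"


def probe_tcp(host, port, timeout=2.0):
    """'open': something accepts on the port (SOAR, or at least the VirtualBox forward);
    'refused': nothing listening, the Errno 111 from the issue; 'timeout': packets dropped."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"


def wait_for_listener(host, port, attempts=10, delay=1.0, timeout=2.0):
    """Poll until the port opens or attempts run out; returns (last_state, tries_used)."""
    state = "refused"
    for i in range(1, attempts + 1):
        state = probe_tcp(host, port, timeout)
        if state == "open":
            return state, i
        time.sleep(delay)
    return state, attempts


def rest_status(url=SOAR_URL, timeout=5.0):
    """HTTP status of the REST URL the playbook calls, or -1 (Ansible's value) when no HTTP
    response came back. Assumes a self-signed SOAR certificate, so verification is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # e.g. 401: the service is up but wants credentials
    except urllib.error.URLError:
        return -1
```

Running `wait_for_listener(SOAR_HOST, SOAR_PORT)` on the host after `vagrant up` finishes tells you whether anything is behind the forward at all before the "change phantom admin password" task is retried; a "refused" result with the VM booted means the SOAR service itself is not running in the guest.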

3xtreme3 commented 1 year ago

Issue #783

Hi @P4T12ICK, hope you are doing well. I did the exact same actions as per the quote:

1. [x] Disable Packer
2. [x] Download SOAR (splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz) from https://www.splunk.com/en_us/download/soar-free-trial.html
3. [x] Copy to attack range/app as per the figure below image
4. [x] Add the part to attack_range.yml and replace the phantom_app with the downloaded file's name

While I am still getting the error below. 3xtreme3_#776_Error local-exec provisioner.txt

Here's my attack_range.yml file content. 3xtreme3_attack_range.txt

My objective is to have everything in my attack_range.yml file + linux server (while this is still being fixed) created and running on AWS. Appreciate your help. Thank you.

Packer doesn't need to be used. You can disable it with:

general:
  use_prebuilt_images_with_packer: '0'

In order to install Splunk SOAR, you can request a free trial and download Splunk SOAR from here: https://www.splunk.com/en_us/download/soar-free-trial.html

You need to copy the downloaded file into .../attack_range/apps/. Then you will add the following part to your attack_range.yml:

phantom_server:
  phantom_server: "1"
  phantom_app: "splunk_soar-unpriv-5.5.0.108488-3ac4a627-el7-x86_64.tgz" 

You need to replace the phantom_app with the file name, which you downloaded. Then you can run the build command.

Splunk Enterprise Security doesn't have a free trial which can be downloaded. In order to try out Splunk ES, you need to contact Splunk Sales.

P4T12ICK commented 1 year ago

You get connection issues to the server. Could it be that your IP Address changed or you have other connection issues?

3xtreme3 commented 1 year ago

You get connection issues to the server. Could it be that your IP Address changed or you have other connection issues?

I've checked my local connection to the AWS instance and the connection is successful. I've also made sure that my public IP is in the security group.

It could be a connection issue, is there a way to troubleshoot it? image

3xtreme3 commented 1 year ago

You get connection issues to the server. Could it be that your IP Address changed or you have other connection issues?

I've checked my local connection to the AWS instance and the connection is successful. I've also made sure that my public IP is in the security group.

It could be a connection issue, is there a way to troubleshoot it? image

Hi @P4T12ICK, hope this finds you well. I managed to access the phantom server by SSH, but checking the running services I didn't see phantom running. To troubleshoot, I've also ensured that the ACL in the AWS VPC and the Security Group allow any inbound and outbound traffic, but I am still getting this: image

P4T12ICK commented 1 year ago

Sorry for the delay. This should be fixed.

irwan-ismail commented 11 months ago

Hi @P4T12ICK,

I'm still getting the same Phantom error above on my Local build.

2023-11-03 22:51:05,345 - INFO - attack_range - [action] > build

Bringing machine 'ar-phantom-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-splunk-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-1' up with 'virtualbox' provider...
Bringing machine 'ar-linux-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
==> ar-phantom-attack-range-key-pair-ar: Checking if box 'centos/7' version '2004.01' is up to date...
==> ar-phantom-attack-range-key-pair-ar: Running provisioner: ansible...
    ar-phantom-attack-range-key-pair-ar: Running ansible-playbook...
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks 
instead. This feature will be removed in version 2.16. Deprecation warnings can
 be disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [all] *********************************************************************

TASK [phantom : change phantom admin password] *********************************
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://127.0.0.1:8443/rest/user_settings"}

PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

2023-11-03 22:51:12,502 - ERROR - attack_range - vagrant failed to build

@Tatsuya-hasegawa - was your issue resolved?