stricaud / TA-misp

Splunk integration with MISP

a little nudge of setup help - PLEASE #7

Open ghost opened 6 years ago

ghost commented 6 years ago

Hello,

I have the app installed on my SH and need a little nudge, please.

Thanks for version 0.0, great work... Would also appreciate the nudge!

Cheers!

ghost commented 6 years ago

From the logs window it seems Python is running input_misp.py.

I took a look at the python files.

Seems that the issue is that the CSVs are not being created in the "lookups" folder.

[ASN]
batch_index_query = 0
case_sensitive_match = 1
filename = AS.csv

[content]
batch_index_query = 0
case_sensitive_match = 1
filename = text.csv

[dest]
batch_index_query = 0
case_sensitive_match = 1
filename = domain.csv

[dest_ip]
batch_index_query = 0
case_sensitive_match = 1
filename = ip-dst.csv

[file_hash_md5]
batch_index_query = 0
case_sensitive_match = 1
filename = md5.csv

[file_hash_sha1]
batch_index_query = 0
case_sensitive_match = 1
filename = sha1.csv

[file_hash_ssdeep]
batch_index_query = 0
case_sensitive_match = 1
filename = ssdeep.csv

[file_name]
batch_index_query = 0
case_sensitive_match = 1
filename = filename.csv

[http_user_agent]
batch_index_query = 0
case_sensitive_match = 1
filename = user-agent.csv

[recipient]
batch_index_query = 0
case_sensitive_match = 1
filename = email-dst.csv

[src_ip]
batch_index_query = 0
case_sensitive_match = 1
filename = ip-src.csv

[src_user]
batch_index_query = 0
case_sensitive_match = 1
filename = email-src.csv

[subject]
batch_index_query = 0
case_sensitive_match = 1
filename = email-subject.csv

[url]
batch_index_query = 0
case_sensitive_match = 1
filename = url.csv


I am using MISP version 2.4.91.
Not sure if the API calls are going through. Any idea how to check?
ghost commented 6 years ago

More troubleshooting findings:

splunk@splunkdemo:/opt/splunk/etc/apps/TA-misp/bin$ /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/TA-misp/bin/input_misp.py
/opt/splunk/etc/apps/TA-misp/bin/pymisp/api.py:21: UserWarning: You're using python 2, it is strongly recommended to use python >=3.5
  warnings.warn("You're using python 2, it is strongly recommended to use python >=3.5")
/opt/splunk/etc/apps/TA-misp/bin/pymisp/abstract.py:12: UserWarning: You're using python 2, it is strongly recommended to use python >=3.5
  warnings.warn("You're using python 2, it is strongly recommended to use python >=3.5")
/opt/splunk/etc/apps/TA-misp/bin/pymisp/mispevent.py:24: UserWarning: You're using python 2, it is strongly recommended to use python >=3.5
  warnings.warn("You're using python 2, it is strongly recommended to use python >=3.5")
/opt/splunk/etc/apps/TA-misp/bin/pymisp/api.py:50: UserWarning: You're using python 2, it is strongly recommended to use python >=3.4
  warnings.warn("You're using python 2, it is strongly recommended to use python >=3.4")
^CTraceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-misp/bin/input_misp.py", line 116, in <module>
    sys.exit(MispInputScript().run(sys.argv))
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/script.py", line 55, in run
    return self.run_script(args, EventWriter(), sys.stdin)
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/script.py", line 71, in run_script
    self._input_definition = InputDefinition.parse(input_stream)
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/input_definition.py", line 50, in parse
    root = ET.parse(stream).getroot()
  File "<string>", line 62, in parse
  File "<string>", line 38, in parse
KeyboardInterrupt
splunk@splunkdemo:/opt/splunk/etc/apps/TA-misp/bin$ python input_misp.py
bash: python: command not found
splunk@splunkdemo:/opt/splunk/etc/apps/TA-misp/bin$ #!/usr/bin/env python
splunk@splunkdemo:/opt/splunk/etc/apps/TA-misp/bin$  /usr/bin/python3 input_misp.py
Traceback (most recent call last):
  File "input_misp.py", line 10, in <module>
    import ConfigParser
ImportError: No module named 'ConfigParser'

Then:

splunk@splunkdemo:/opt/splunk/etc/apps/TA-misp/bin$ /usr/bin/python3 input_misp.py
/usr/local/lib/python3.5/dist-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (dev) or chardet (4.0.0) doesn't match a supported version!
  RequestsDependencyWarning)
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/event_writer.py", line 20, in <module>
    from cStringIO import StringIO
ImportError: No module named 'cStringIO'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "input_misp.py", line 14, in <module>
    from splunklib.modularinput import *
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/__init__.py", line 8, in <module>
    from .event_writer import EventWriter
  File "/opt/splunk/etc/apps/TA-misp/bin/splunklib/modularinput/event_writer.py", line 22, in <module>
    from StringIO import StringIO
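The traceback above shows two separate things: the script blocks in InputDefinition.parse() because a Splunk modular input reads its input-definition XML from stdin (so running it from a bare terminal just waits until Ctrl-C), and the script plus the bundled splunklib import Python 2-only modules (ConfigParser, cStringIO/StringIO) that do not exist on Python 3. The following is an added example written for this thread, not code from TA-misp or from splunklib: it uses Python 2/3 compatible imports, constructs a stand-in for the XML splunkd would pipe to the script, and parses it with a small re-implementation of what splunklib's InputDefinition exposes. The stanza name, parameter names (misp_url, misp_key, misp_verifycert, interval) and all values are assumptions for illustration, not the TA's real configuration schema.

```python
# Added example for this thread; not code from TA-misp or splunklib.
# Assumes the Splunk modular-input XML protocol: <input> root carrying
# metadata elements and a <configuration> of <stanza>/<param> children.
from __future__ import print_function

import sys
import xml.etree.ElementTree as ET
from io import StringIO  # text StringIO exists on both Python 2 and 3

# Python 2/3 compatible import of the module that failed above.
try:
    import configparser            # Python 3 name
except ImportError:                # Python 2 name
    import ConfigParser as configparser

# Constructed stand-in for what splunkd writes to the script's stdin.
# Hostname, session key, stanza name and params are all made up.
SAMPLE_INPUT_DEFINITION = u"""<input>
  <server_host>splunkdemo</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>EXAMPLE_SESSION_KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/misp</checkpoint_dir>
  <configuration>
    <stanza name="misp://default">
      <param name="misp_url">https://misp.example.org</param>
      <param name="misp_key">EXAMPLE_API_KEY</param>
      <param name="misp_verifycert">1</param>
      <param name="interval">3600</param>
      <param name="index">default</param>
    </stanza>
  </configuration>
</input>
"""


def parse_input_definition(stream):
    """Parse modular-input XML from a text stream.

    Returns (metadata, inputs): metadata maps top-level element names
    (server_host, session_key, ...) to their text; inputs maps each stanza
    name to a dict of its params. This mirrors the .metadata / .inputs
    attributes of splunklib's InputDefinition without importing it.
    """
    root = ET.parse(stream).getroot()
    if root.tag != "input":
        raise ValueError("expected <input> root, got <%s>" % root.tag)
    metadata = {}
    inputs = {}
    for child in root:
        if child.tag != "configuration":
            metadata[child.tag] = child.text or ""
            continue
        for stanza in child.findall("stanza"):
            params = {}
            for param in stanza:
                if param.tag == "param":
                    params[param.get("name")] = param.text or ""
                elif param.tag == "param_list":
                    params[param.get("name")] = [
                        item.text or "" for item in param.findall("item")
                    ]
            inputs[stanza.get("name")] = params
    return metadata, inputs


def stanza_params_to_config(inputs):
    """Load parsed stanzas into a ConfigParser object, using the module
    name that works on both interpreters."""
    cfg = configparser.RawConfigParser()
    for name, params in inputs.items():
        cfg.add_section(name)
        for key, value in params.items():
            cfg.set(name, key, value)
    return cfg


def parse_sample():
    """Parse the constructed XML (what a stand-alone test run would pipe in)."""
    return parse_input_definition(StringIO(SAMPLE_INPUT_DEFINITION))


def stdin_is_interactive():
    """True when nothing is piped in: the situation that hung the script."""
    return sys.stdin.isatty()


if __name__ == "__main__":
    # Stand-alone run: if nothing is piped on stdin, use the constructed XML
    # instead of blocking on the terminal the way input_misp.py did.
    meta, inputs = parse_input_definition(
        StringIO(SAMPLE_INPUT_DEFINITION) if stdin_is_interactive() else sys.stdin
    )
    cfg = stanza_params_to_config(inputs)
    print("session key present:", bool(meta.get("session_key")))
    for section in cfg.sections():
        print(section, "->", cfg.get(section, "misp_url"))
```

To exercise the real script the same way, pipe an input definition into it under Splunk's interpreter (`/opt/splunk/bin/splunk cmd python input_misp.py < input.xml`) rather than running it against an empty terminal; the Python 3 failures shown above are a separate problem and need the Python 2-only imports in the script and its bundled splunklib replaced with compatible ones like the try/except above.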