Cisco IPS addon, Splunk 6 and ssl errors

blmurphy · ‎12-10-2013

Have recently installed Splunk 6 Enterprise and realize that the Cisco IPS addon only states 5.0 support not 6.0 but was hoping I could get it to pull the SDEE data from my Cisco IPS.

Running:
IPS-4260-K9
Build Version: 7.0(4)E4
Current Signature version: IPS-sig-S756-req-E4.pkg

Installed the version 2.0.0 of the addon and the Cisco Security Suite and am getting my ASA firewall working with providing the syslog data to the suite but unable to get the IPS addon to successfully connect to pull data.

Out of the box I receive:

12/10/13
8:17:43.000 AM

Tue Dec 10 08:17:43 2013 - ERROR - Connecting to sensor - 139.67.126.218: URLError:
host = splunk.serv14.eiu.edu source = /opt/splunk/var/log/splunk/sdee_get.log sourcetype = sdee_connection
12/10/13
8:17:42.000 AM

Tue Dec 10 08:17:42 2013 - INFO - Successfully connected to: 139.67.126.218
host = splunk.serv14.eiu.edu source = /opt/splunk/var/log/splunk/sdee_get.log sourcetype = sdee_connection
12/10/13
8:17:42.000 AM

Tue Dec 10 08:17:42 2013 - INFO - Attempting to connect to sensor: 139.67.126.218
host = splunk.serv14.eiu.edu source = /opt/splunk/var/log/splunk/sdee_get.log sourcetype = sdee_connection
12/10/13
8:17:42.000 AM

Tue Dec 10 08:17:42 2013 - INFO - No exsisting SubscriptionID for host: 139.67.126.218
host = splunk.serv14.eiu.edu source = /opt/splunk/var/log/splunk/sdee_get.log sourcetype = sdee_connection
12/10/13
8:17:42.000 AM

Tue Dec 10 08:17:42 2013 - INFO - Checking for exsisting SubscriptionID on host: 139.67.126.218

I have seen a similar posting on the answers site with no real answers.

I attempted to hack my ssl.py file to change the PROTOCOL_VERSION to be SSLv3 instead of the default TLSv1 and that seemed to get closer but still had SSL errors as well as it seemed to break my ability to search for splunk apps (wierd). So I backed that off and was hoping someone could give me the straight scoop on whether this is even something I should pursue or if there was going to be some modification to the addon to work with Splunk 6?

Thanks.

Brian Murphy
Eastern Illinois University

dshpritz · ‎05-14-2014

You may want to check out the answer I posted here: http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8/135759. It is possible to override the SSL selection in the Python code.

fraijof · ‎01-08-2014

I struggled with this for several weeks. Even opened a case with Splunk with no solution. However, finally managed to get this working.

I created a new Virtural Machine.
Loaded Red Hat Fedora 19 ( min. install )
Installed Server Splunk 5.5
Install Splunk CiscoIPS app
cd /opt/splunk/etc/system/local
vi inputs.conf
[default]
host = splunkforwarder
[monitor:///opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.ips.XXXXXXXX]

So I'm pushing this data to Splunk 6 Server and it works been working for about 3 months now.
Hope this helps. Splunk could not give me any ETA on an update to this issue. Had I known this broke after going to Splunk 6 I'd would have stayed on Splunk 5.5.

halr9000 · ‎01-09-2014

For the record @fraijof and others, we are seeing some headway on the Cisco security suite apps just in the past two weeks. Look for some updates to happen pretty soon. If you'd like to participate in the development or just follow along, it's happening here: https://github.com/splunk/splunk-app-cisco-security-suite

Cisco IPS addon, Splunk 6 and ssl errors

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!