
Connection error after upgrading to sourcefire 6.0.1.1

phaelf
Explorer

After upgrading Sourcefire to version 6.0.1.1 from 5.4.1, the estreamer_client.pl script fails to connect and retrieve the logs. Analyzing the packets, we can see that there is an error in the SSL handshake. The script's requests come in as TLS 1.0 and the server is replying with TLS 1.2.

Here is the SSL connection in the script.

use strict;
use warnings;
use IO::Socket::SSL;    # TLS client socket and the SSL_VERIFY_* constants used below

# verbose(), $cli_opt, $crtfile and $keyfile are defined earlier in the script (not shown here).
verbose("Connecting to $cli_opt->{server} port $cli_opt->{port}");
my $client = IO::Socket::SSL->new(
    Domain          => $cli_opt->{domain},
    PeerAddr        => $cli_opt->{server},
    PeerPort        => $cli_opt->{port},
    Proto           => 'tcp',
    SSL_version     => 'TLSv12',          # protocol version the client offers in its ClientHello
    SSL_use_cert    => 1,                 # present the client certificate issued by the FMC
    SSL_cert_file   => $crtfile,
    SSL_key_file    => $keyfile,
    SSL_verify_mode => SSL_VERIFY_NONE,   # the FMC's own certificate is not verified by this client
) or die("Can't connect to $cli_opt->{server} port $cli_opt->{port}: " . IO::Socket::SSL::errstr() . "\n\n");

Is there another way of retrieving Sourcefire logs into Splunk? Or how can the script be edited so that the Sourcefire server accepts the connection?

We use "Splunk Add-on for Cisco FireSIGHT" http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Description which then needs the "eStreamer for splunk" app for the data collection.

0 Karma
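As an added example (not part of the original post or of the eStreamer for Splunk app), the following Python reads the TLS records of a captured handshake the way the poster did with the packets: it pulls the protocol version out of the client's ClientHello and out of the server's first reply (a ServerHello carrying the version it selected, or a fatal alert rejecting the offer), and it can also probe a live server by attempting a handshake pinned to each TLS version in turn. All function names (`describe`, `diagnose`, `probe`, the `build_*` helpers) are this example's own, the sample records are constructed, and the host, port and client certificate passed to `probe` are assumptions.

```python
"""Added example, not part of the original post or of the eStreamer for Splunk app.
Inspects the TLS version fields of a ClientHello and the server's reply, and
probes a live server for the versions it accepts. Sample records are constructed."""
import socket
import ssl
import struct

# TLS record-layer content types, version bytes and two alert codes (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2", (3, 4): "TLS1.3"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    return ctype, version_name(major, minor), payload


def describe(record):
    """Summarise what one record says about version negotiation."""
    ctype, rec_ver, payload = parse_record(record)
    if ctype == 22:
        # Handshake: type(1) length(3) body; ClientHello and ServerHello bodies start with a 2-byte version.
        hs_type = payload[0]
        return {"type": HANDSHAKE_TYPES.get(hs_type, "handshake(%d)" % hs_type),
                "record_version": rec_ver, "version": version_name(payload[4], payload[5])}
    if ctype == 21:
        level, desc = payload[0], payload[1]
        return {"type": "alert", "record_version": rec_ver,
                "level": "fatal" if level == 2 else "warning",
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}
    return {"type": CONTENT_TYPES.get(ctype, str(ctype)), "record_version": rec_ver}


def diagnose(client_record, server_record):
    """One-line explanation of a ClientHello and the server's first reply."""
    c, s = describe(client_record), describe(server_record)
    if s["type"] == "alert":
        return "client offered %s; server rejected with %s alert %s" % (c["version"], s["level"], s["description"])
    if s["type"] == "ServerHello":
        return "client offered %s; server selected %s" % (c["version"], s["version"])
    return "client offered %s; server sent %s" % (c["version"], s["type"])


def build_client_hello(major, minor):
    """Constructed minimal ClientHello (one cipher suite, no extensions) offering one version."""
    body = bytes([major, minor]) + b"\x00" * 32   # client_version + random (zeroed for the example)
    body += b"\x00"                               # session_id length 0
    body += b"\x00\x02\x00\x2f"                   # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                           # compression_methods: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(hs).to_bytes(2, "big") + hs


def build_server_hello(major, minor):
    """Constructed minimal ServerHello selecting the given version."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(hs).to_bytes(2, "big") + hs


# Constructed fatal protocol_version alert (70) carried in a TLS 1.2 record.
PROTOCOL_VERSION_ALERT = b"\x15\x03\x03\x00\x02\x02\x46"


def probe(host, port, client_cert=None, timeout=5):
    """Attempt a live handshake pinned to each TLS version and report which succeed.
    client_cert is an optional (cert_file, key_file) pair: the FMC requires a client
    certificate, so without one a handshake can fail after the version was accepted.
    Server certificate verification is disabled here for diagnosis only."""
    results = {}
    for name, ver in (("TLS1.0", ssl.TLSVersion.TLSv1), ("TLS1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLS1.2", ssl.TLSVersion.TLSv1_2)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            if client_cert:
                ctx.load_cert_chain(*client_cert)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok, negotiated " + tls.version()
        except (ssl.SSLError, OSError) as exc:
            results[name] = "failed: " + str(exc)
    return results


if __name__ == "__main__":
    print(diagnose(build_client_hello(3, 1), PROTOCOL_VERSION_ALERT))
    print(diagnose(build_client_hello(3, 3), build_server_hello(3, 3)))
```

Feed `diagnose` the first handshake record from each side of the capture to see which version the client actually offered and how the server answered; a fatal `protocol_version` or `handshake_failure` alert straight after the ClientHello means the offered version was refused, while a ServerHello shows the version the server settled on. Run `probe(host, port, (crtfile, keyfile))` against the FMC to see which versions it accepts at all; a failure on every version usually points at the certificate rather than the protocol. In the Perl client on this page the offered version is the `SSL_version` option, so whatever the probe shows the FMC accepting is the value to put there.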

douglashurd
Builder

I may have a fix for you. We have a modified version of the app that forces TLS v1 upon connection to the FMC. Please mail me at dohurd@cisco.com and I can email you the new app. I'll try to post it to Splunk apps today too.

mayashankarmish
New Member

No IP addresses were changed during the upgrade. We regenerated the certificate and that's also not working.

0 Karma

douglashurd
Builder

Has the IP address of either side of the connection changed during the upgrade?

Additionally, have you attempted creating a new client entry in the FMC and downloading the newly created certificate?

0 Karma