All Apps and Add-ons

Python Script is erroring out at ZeusIPs

andresmanriquez
Engager

We noticed that the threat intel is not being populated using the Obelisk Threat Intel App for majority of the Intel sources. The error code received was:

Traceback (most recent call last):
 File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1015, in 
   main()
 File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 935, in main
   parseZeus(raw_threatlist)
 File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 635, in parseZeus
   zeusIPs = zeusIPs[2].split('\n')
IndexError: list index out of range

derekarnold
Communicator

Thanks for bringing this to my attention. This has been fixed in the latest release.

0 Karma

pmelon
Explorer

I'm getting the below:

bash-4.2$ /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py
logfile_name: /opt/splunk/etc/apps/TA_obelisk-threat/logs/obelisk_threat_lists_script10-03-2019-14-01-21.log
[*] Script Started at: 10-03-2019 14:01:21 GMT

[*] Script version: 3.4.6
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
user_agent_bool: true
Finished retrieving 849 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in
main()
File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main
parseEmergingThreatsBlockList(raw_threatlist)
File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList
feodoIPs = p[0].split()
IndexError: list index out of range

I'll try to fix it myself, but I thought you would want to know. If I do fix, I'll dump it here.

0 Karma

andresmanriquez
Engager

This was solved by commenting it out. It looks like Zues Tracker is not longer available.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...