cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kdick
Explorer
Member since: ‎12-20-2012
‎06-05-2020
Community Statistics
Posts 6
Solutions 1
Karma Given 7
Karma Received 2
Member Since ‎12-20-2012
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Does anyone use Incapsula API to integrate Inc...

by in Getting Data In
‎04-20-2015 02:46 PM
‎04-20-2015 02:46 PM
An update for anyone looking to integrate Imperva with Splunk. Incapsula has released an upgraded SIEM API with support for standard CEF and W3C formats and realtime reporting. This answer relates to the old API, you are better off looking into the new SIEM integration options: https://www.incapsula.com/blog/turnkey-siem-integration.html ... View more

Re: Does anyone use Incapsula API to integrate Inc...

by in Getting Data In
‎02-24-2015 09:57 AM
‎02-24-2015 09:57 AM
great hope it helped! Just wanted to update, I ended up changing the parser to not include events for requests that have no attack pattern attached. This gives less verbose data, but it ends up working out better for my needs at least. If you want to change this also, just comment out lines 100 and 101 from the answer. Here is the example: requestFields.update(extractFields(next(attacks))) # Uncomment if you would like to make events for requests that do not have an attack stanza # if len(attacks_list) == 1 : # eventList.append(normalizeFieldsToMapping(requestFields)) for attack in attacks: attack_vectors_list = request.split("-- Attack Vector:") ... View more

Re: Does anyone use Incapsula API to integrate Inc...

by in Getting Data In
‎02-02-2015 05:50 PM
‎02-02-2015 05:50 PM
Hi Davis, It sounds like you already have an api script going and just need a parser. If that is the case I have a function you can use. I have written a function in python that can parse the incapsula event data. Pass this function the event data from the api as a string and it will return a tuple with the first element being a list of ordered dicts(each ordereddict is an event) and the max timestamp in epoch as an integer. The fieldnames are normalized to the Splunk common information model where possible. The reason I am returning the max timestamp in addition to the events is to use it to handle the APIs pagination. You can only get 100 results at a time so you need to pass the highest timestamp to the next api call or your checkpointing logic. This parser creates one event for each "attack vector" stanza, with the fields from the enclosing stanza placed into the event. Take a look at this and see if it suits your needs. You may want to just wait, however, as Imperva has indicated they will be rolling out simpler SIEM integration in the coming months. EDIT: Forgot to mention, you need to import re (pythons regular expression module) for this function to work. ## Returns a tuple containing an array of ordered dictionaries (the events) and the max timestamp. ([event1,event2,...],max_ts) def parse(data): def extractFields(fieldsString): fields={} i=0 while i<len(fieldsString): if fieldsString[i] == '[': value="" name="" i+=1 while fieldsString[i]!='=' and fieldsString[i]!="]": name+=fieldsString[i] i+=1 if fieldsString[i] =="]": value=name name="signature" i-=1 i+=1 while fieldsString[i]!=']': value+=fieldsString[i] i+=1 fields[name]=value i+=1 return fields def normalizeFieldsToMapping(unNormalizedEvent): FIELD_MAPPING = [('Timestamp' , 'timestamp'), ('AccountID', 'account_id'), ('AccountName' , 'account_name'), ('SiteId', 'dest_id'), ('SiteName', 'dest_name'), ('EventID' , 'event_id'), ('EventTimestamp', 'event_timestamp'), ('EventType', 'event_type'), ('ClientIP' , 'src_ip'), ('ClientApp' , 'src_app'), ('VisitID', 'visit_id'), ('StartTime' , 'visit_start_date'), ('ClientApplication', 'src_application'), ('ClientType' , 'client_type'), ('UserAgent' , 'http_user_agent'), ('SupportsCookies' , 'supports_cookies'), ('SupportsJavaScript' , 'supports_javascript'), ('Country' , 'src_country'), ('ServedVia' , 'served_via'), ('NumberOfHitsOnVisit' , 'hit_count'), ('NumberOfPageViewsOnVisit' , 'page_view_count'), ('EntryReferer' , 'http_referrer'), ('EntryPage' , 'url'), ('URL' , 'uri'), ('ResponseCode' , 'response_code'), ('RequestResult' , 'request_result'), ('NumRequests' , 'request_count'), ('RequestsIndexOnVisit' , 'requests_index_on_visit'), ('QueryString', 'query_string'), ('PostData', 'post_data'), ('Referer', 'visit_http_referrer'), ('IncidentID', 'incident_id'), ('Rid','rid'), ('RuleName', 'signature'), ('ActionTaken', 'action'), ('AttemptedOn', 'attempted_on'), ('ThreatPattern', 'threat_pattern'), ('AttackInternalCode', 'attack_internal_code')] normalizedEvent = OrderedDict() for field in FIELD_MAPPING: if field[0] in unNormalizedEvent: normalizedEvent[field[1]] = unNormalizedEvent[field[0]] else: normalizedEvent[field[1]] = '' return normalizedEvent events = data.split("==================================================") eventList = [] max_ts = 0 for event in events: if "max-ts:" in event: max_ts = int(re.search('max-ts:\s(\d*)',event).group(1)) visitsSplit = event.split("---- VISITS ----") eventInfo=visitsSplit[0] eventFields=extractFields(eventInfo) ## Parse the events. if len(visitsSplit)>1: visits=visitsSplit[1].split("---- VISIT ----") for visit in visits: requests=iter(visit.split("-- Request")) visitFields=eventFields.copy() visitFields.update(extractFields(next(requests))) for request in requests: attacks_list=request.split("-- Attack Info:") requestFields=visitFields.copy() attacks = iter(attacks_list) requestFields.update(extractFields(next(attacks))) if len(attacks_list) == 1 : eventList.append(normalizeFieldsToMapping(requestFields)) for attack in attacks: attack_vectors_list = request.split("-- Attack Vector:") attackFields = requestFields.copy() attack_vectors = iter(attack_vectors_list) attackFields.update(extractFields(next(attack_vectors))) if len(attack_vectors_list) ==1: eventList.append(normalizeFieldsToMapping(attackFields)) for attack_vector in attack_vectors: subEventFields = attackFields.copy() subEventFields.update(extractFields(attack_vector)) eventList.append(normalizeFieldsToMapping(subEventFields)) return eventList,max_ts ... View more

Re: Cisco IPS Error [errno="" 8]

by in Getting Data In
‎05-22-2014 03:20 PM
1 Karma
‎05-22-2014 03:20 PM
1 Karma
Hi Sean, The indent error is coming from these lines: 1 if self._tunnel_host: 2 self.sock = sock 3 self._tunnel() It should be: 1 if self._tunnel_host: 2 self.sock = sock 3 self._tunnel() Python will throw an error on the first one because it is expecting an indentation after the if. The code I had in my post will not work for you as I have hardcoded SSLv3 and you need TLSv1. I have uploaded the full PSYDEE script that should work for you onto pastebin: http://pastebin.com/jCdhjHED Please try and replace your pySDEE.py file with that. Let me know how that works. ... View more

Re: Cisco IPS Error [errno="" 8]

by in Getting Data In
‎05-22-2014 10:34 AM
‎05-22-2014 10:34 AM
Sorry for posting a new answer! I don't have enough Karma to comment apparently ¯_(ツ)_/¯ ... View more

Re: Cisco IPS Error [errno="" 8]

by in Getting Data In
‎05-22-2014 10:31 AM
1 Karma
‎05-22-2014 10:31 AM
1 Karma
dshpritz thank you for the answer! it has a few issues however. http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8/135759 has an indentation error. Seanp this is the cause of your problem and the reason the sdeegetlog is not populating. In addition, not all cisco IPS SDEE servers run TLSv1, I had to set mine to SSLv3. Go to the cisco sdee server in your browser to check which version of ssl is needed. After fixing the indentation errors (copy paste issue perhaps?) and changing the manual SSL input to ssl_version=ssl.PROTOCOL_SSLv3 I was able to connect succesfully! seanp go ahead and try this and see if you can get it working. Dshspritz, can you edit your answer to correct the indentation? I will upload what is currently working for me, hopefully I dont' encounter the same indentation errors from copy paste into this splunk answers site. # The section below is to override the default socket connection # which will fail with these devices. The newer version of openssl # in Python does not support the ciphers these devices would like to use import httplib from httplib import HTTPConnection, HTTPS_PORT import ssl import socket class HTTPSConnection(HTTPConnection): default_port = HTTPS_PORT def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, source_address=None): HTTPConnection.__init__(self, host, port, strict, timeout, source_address) self.key_file = key_file self.cert_file = cert_file def connect(self): sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address) if self._tunnel_host: self.sock = sock self._tunnel() self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3) #now we override the one in httplib httplib.HTTPSConnection = HTTPSConnection # ssl_version corrections are done ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to