fix: compatibility with splunk 8

This commit is contained in:
Ming Di Leom 2023-02-04 22:31:02 +00:00
parent b6238927b5
commit 0cc9e2fd64
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
4 changed files with 33 additions and 19 deletions


@ -3,8 +3,9 @@ image: python:slim
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
PACKAGE_VERSION: $CI_COMMIT_TAG
ADDON_PACKAGE: "malware_filter-${PACKAGE_VERSION}.tar.gz"
PACKAGE_REGISTRY_URL: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${PACKAGE_VERSION}"
ADDON_PACKAGE: "malware_filter-${PACKAGE_VERSION}.tar.gz"
ADDON_PACKAGE_LEGACY: "malware_filter-${PACKAGE_VERSION}-splunk8.tar.gz"
stages:
- test
@ -51,6 +52,9 @@ upload:
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file ${ADDON_PACKAGE} ${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE}
sha256sum "$ADDON_PACKAGE" > "${ADDON_PACKAGE}.sha256sum"
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "${ADDON_PACKAGE}.sha256sum" "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE}.sha256sum"
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file ${ADDON_PACKAGE_LEGACY} ${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE_LEGACY}
sha256sum "$ADDON_PACKAGE_LEGACY" > "${ADDON_PACKAGE_LEGACY}.sha256sum"
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "${ADDON_PACKAGE_LEGACY}.sha256sum" "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE_LEGACY}.sha256sum"
release_job:
stage: release
@ -68,3 +72,7 @@ release_job:
url: "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE}"
- name: ${ADDON_PACKAGE}.sha256sum
url: "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE}.sha256sum"
- name: ${ADDON_PACKAGE_LEGACY}
url: "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE_LEGACY}"
- name: ${ADDON_PACKAGE_LEGACY}.sha256sum
url: "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE_LEGACY}.sha256sum"
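Review bot: The new upload lines for the legacy package in the `upload` hunk (`curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file ${ADDON_PACKAGE_LEGACY} ...` and the matching `.sha256sum` upload) do not pass `--fail`, so an HTTP error from the package registry leaves curl's exit status at 0, the job succeeds, and `release_job` still publishes a link to an asset that may never have been stored; the pre-existing `${ADDON_PACKAGE}` uploads have the same gap. Adding `--fail` (or `--fail-with-body` on curl builds that have it) to each of the four curl calls turns a rejected upload into a failed pipeline. The legacy package name is also unquoted on the first curl line while the sha256sum line right below quotes it; quoting consistently, `--upload-file "${ADDON_PACKAGE_LEGACY}" "${PACKAGE_REGISTRY_URL}/${ADDON_PACKAGE_LEGACY}"`, matches the rest of the job. Note too that the checksum is generated by the same job that builds the artifact, so it detects download corruption only; provenance would require a signature from a key held outside the pipeline, which is beyond this change.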


@ -15,7 +15,7 @@
Provide custom search commands to update [malware-filter](https://gitlab.com/malware-filter) lookups. Each command downloads from a source CSV and emit rows as events which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.
Compatible with Splunk 9.x. Splunk 8.x requires [additional configuration](#splunk-8x) to avoid issue.
Compatible with Splunk 9.x. For Splunk 8.x, install "\*-splunk8.tar.gz" instead.
## Installation
@ -150,18 +150,6 @@ Recommend to update the lookup file "opendbl_ip.csv" every 15 minutes (cron `*/1
Source: https://opendbl.net/
## Splunk 8.x
Splunk scheduler may not run scheduled searches (alert/report) without this workaround.
Add the following config to `$SPLUNK_HOME/etc/apps/malware_filter/local/commands.conf`.
```conf
[default]
chunked = false
generating = true
```
## Disable individual commands
Settings -> All configurations -> filter by "malware_filter" app


@ -40,8 +40,7 @@ def version():
)
app_conf = ConfigParser()
app_conf.read(app_conf_path)
launcher = app_conf["launcher"] if "launcher" in app_conf.sections() else {}
return launcher.get("version", "")
return app_conf["launcher"]["version"]
def exclusion(tarinfo):
@ -86,3 +85,24 @@ pkg_file = f"malware_filter-{version()}.tar.gz"
print(f"Creating {pkg_file}...")
with tarfile.open(pkg_file, "w:gz") as tar:
tar.add(".", filter=exclusion)
# Splunk 8 workaround
# Splunk scheduler may not run scheduled searches (alert/report) without this workaround
commands_conf_path = path.join(
"default",
"commands.conf",
)
commands_conf = ConfigParser()
commands_conf.read(commands_conf_path)
commands_conf["default"]["chunked"] = "false"
with open(commands_conf_path, "w") as f:
commands_conf.write(f)
pkg_file_8 = f"malware_filter-{version()}-splunk8.tar.gz"
print(f"Creating {pkg_file_8}...")
with tarfile.open(pkg_file_8, "w:gz") as tar:
tar.add(".", filter=exclusion)
commands_conf["default"]["chunked"] = "true"
with open(commands_conf_path, "w") as f:
commands_conf.write(f)


@ -1,9 +1,7 @@
#
# Custom search command
#
[default]
chunked = true
python.version = python3
generating = true
[geturlhausfilter]
filename = geturlhausfilter.py