topic Re: Estreamer to Microsoft Sentinel in Network Security

Estreamer to Microsoft Sentinel

AshbyJohnDNV — Mon, 09 Sep 2024 09:41:20 GMT

Tring to get an on-prem virtual FMC server and Azure based Ubuntu box to operate as estreamer in CEF. Cannot get past the following error TypeError: SSLContext.wrap_socket() got an unexpected keyword argument 'keyfile' - full output below.

Ubuntu 24.04 LTS
Kernel: Linux 6.8.0-1013-azure
Architecture: x86-64
Hardware Vendor: Microsoft Corporation
Hardware Model: Virtual Machine
Firmware Version: Hyper-V UEFI Release v4.1
Firmware Date: Mon 2024-05-13
Firmware Age: 3month 4w

fp-05-firepower-cli# python3 --version
Python 3.12.3

2024-09-09T09:36:57.674824 Diagnostics INFO Checking that configFilepath (estreamer.conf) exists
2024-09-09 09:36:57,683 Diagnostics INFO Check certificate
2024-09-09 09:36:57,684 Diagnostics INFO Creating connection
2024-09-09 09:36:57,684 Connection INFO Connecting to 172.xx.yy.abc:8302
2024-09-09 09:36:57,684 Connection INFO Using TLS v1.0
Traceback (most recent call last):
File "/home/azureuser/fp-05-firepower-cli/./estreamer/diagnostics.py", line 169, in main
diagnostics.execute()
File "/home/azureuser/fp-05-firepower-cli/./estreamer/diagnostics.py", line 83, in execute
connection.connect()
File "/home/azureuser/fp-05-firepower-cli/estreamer/connection.py", line 73, in connect
self.socket = ssl.wrap_socket(
^^^^^^^^^^^^^^^^
TypeError: SSLContext.wrap_socket() got an unexpected keyword argument 'keyfile'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/azureuser/fp-05-firepower-cli/./estreamer/diagnostics.py", line 180, in <module>
Diagnostics.main()
File "/home/azureuser/fp-05-firepower-cli/./estreamer/diagnostics.py", line 175, in main
logger.exception(ex)
File "/home/azureuser/fp-05-firepower-cli/estreamer/crossprocesslogging/baseClient.py", line 106, in exception
data = self.__serialise( data, True )
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/azureuser/fp-05-firepower-cli/estreamer/crossprocesslogging/baseClient.py", line 35, in __serialise
message = data.__class__.__name__ + ': ' + data.message
^^^^^^^^^^^^
AttributeError: 'TypeError' object has no attribute 'message'

Re: Estreamer to Microsoft Sentinel

Mark Elsen — Mon, 09 Sep 2024 11:13:19 GMT

- That's an internal python error in Lib/ssl.py , you may try other or recent python version (if possible)

Re: Estreamer to Microsoft Sentinel

AshbyJohnDNV — Mon, 09 Sep 2024 13:32:09 GMT

Thanks for the reply.....

python3-openssl is already the newest version (23.2.0-1). So this could be the wrong version? Does eStreamer only work with one particular version? Is it that I may not be able to downgrade? thanks

Re: Estreamer to Microsoft Sentinel

Mark Elsen — Mon, 09 Sep 2024 15:11:58 GMT

- Not sure on that but I found that the FMC version must be 6.0 and above : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/api/eNcore/eNcore_Operations_Guide_v08.html

Re: Estreamer to Microsoft Sentinel

kim-b — Wed, 18 Sep 2024 13:41:57 GMT

I got the same issue, getting the same errors (worked fine untill two days ago). I'm running Python 3.10.12.
Havent done any updates/changes to either encore or FMC.

Re: Estreamer to Microsoft Sentinel

AshbyJohnDNV — Wed, 18 Sep 2024 14:57:52 GMT

Could not get OpenSSl to work without using the -legacy switch to split the pkcs12 file - openssl on the linux box with version of python was too problematic....

Re: Estreamer to Microsoft Sentinel

AshbyJohnDNV — Wed, 18 Sep 2024 15:05:14 GMT

One error being seen is..............

" File "/home/srvSentinel/fp-05-microsoft-sentinel-connector-python3/estreamer/streams/udp.py", line 63, in write
self.socket.send( data.encode( self.encoding ) )
ConnectionRefusedError: [Errno 111] Connection refused"

did think a UDP connection came into it

Re: Estreamer to Microsoft Sentinel

kim-b — Fri, 20 Sep 2024 09:54:00 GMT

To be clear, i was running "fp-05-firepower-cli", (which apprently is EOL since this year also) but reverted to "eStreamer-eNcore-cli-3.5.4". Had the same issue with cert, but solved with -legacy as well. Everything seems to be working fine with the eStreamer-eNcore-cli (Had to edit file so it was running with python2.7 instead of 3).

Re: Estreamer to Microsoft Sentinel

AshbyJohnDNV — Fri, 20 Sep 2024 11:41:10 GMT

Could you elaborate on "Had to edit file so it was running with python2.7 instead of 3" please. Thanks!

Re: Estreamer to Microsoft Sentinel

kim-b — Fri, 20 Sep 2024 14:39:34 GMT

Yes i was refering to the encore.sh file, if you check at the top it has a line pybin="python3"

That determines the python version it will run when executed, i changed that one to "python2.7".

Re: Estreamer to Microsoft Sentinel

AshbyJohnDNV — Tue, 03 Dec 2024 15:50:38 GMT

Resolved by using the FQDN of the FMC server in the estreamer.conf file