topic No port_scan data in All Apps and Add-ons

No port_scan data

richgalloway — Mon, 28 Sep 2020 14:56:02 GMT

We're running Splunk for Asset Discovery 6.0 under Splunk 6 on an Ubuntu system. The app has been running for a week, but we have no data in the asset_discovery index. There are several input scripts defined and enabled, including '$SPLUNK_HOME/etc/apps/asset_discovery/bin/nmap.sh -A -O 192.168.100.0/24'. If I run this command manually, I see data for all of the hosts in that subnet. However, a search of 'index=asset_discovery' returns no events. nmap is owned by root. I assume it is running as root also since all of Splunk does so.

I see nothing in splunkd.log other than "INFO ExecProcessor - New scheduled exec process:
/opt/splunk/etc/apps/asset_discovery/bin/nmap.sh -A -O 192.168.100.0/24."

Where is my port_scan data going?

Re: No port_scan data

lukejadamec — Wed, 09 Oct 2013 17:42:20 GMT

Did you check the default index?
You can also check Manager>Index to see if the asset_discovery index was created and if it contains any data.

Re: No port_scan data

richgalloway — Wed, 09 Oct 2013 17:45:19 GMT

I've searched 'sourcetype=port_scan' and 'source=nmap' without an index specified and get no results.

Index manager says asset_discovery has zero events.

Re: No port_scan data

lukejadamec — Wed, 09 Oct 2013 18:01:24 GMT

What is the interval in the asset_discovery inputs.conf for that script?

Re: No port_scan data

richgalloway — Wed, 09 Oct 2013 18:06:25 GMT

1800 seconds

Re: No port_scan data

lukejadamec — Wed, 09 Oct 2013 18:23:48 GMT

Is the owner:group of the nmap binary root:root

And the permissions set to 4755?
It could be a suid bit problem that you're not seeing when you run it yourself as root.

Re: No port_scan data

richgalloway — Wed, 09 Oct 2013 18:26:35 GMT

-rwxr-xr-x 1 root root 1972032 Jan 4 2013 /usr/bin/nmap*

Splunk is running as root so wouldn't nmap also run as root?

Re: No port_scan data

mikaelbje — Fri, 11 Oct 2013 12:06:15 GMT

I'm having the same problem. Running nmap through nmap.sh for a port scan works in the bash shell, even as the splunk user, but nothing is added for port_scan to Splunk. Tried running Splunk as root and splunk

Re: No port_scan data

mikaelbje — Mon, 28 Sep 2020 14:57:28 GMT

I figured it out. I had to chmod +s the nmap binary. I also had to chsnge ifconfig in nmap.sh to /sbin/ifconfig. This was in Ubuntu

Restarting Splunk shouldn't be necessary AFAIK as you are only modifying Linux permissions for a binary that's called. However I have Splunk running as the "splunk" user, so if you're running as root it should absolutely work. My permissions for reference:

-rwsr-s--- 1 root adm 756464 Dec 14  2011 /usr/bin/nmap

groups splunk
splunk : splunk adm

Running this from command line works fine, also as a scripted input in Splunk:

/opt/splunk/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 172.24.201.0/24

Since this is Ubuntu sh is a symbolic link to dash, not bash, but it should work in bash too.

asset_discovery/local/inputs.conf



[script://./bin/nmap.sh -A -O -t 172.24.201.0/24]

disabled = false

index = asset_discovery

interval = 3600

sourcetype = port_scan

source = nmap

Re: No port_scan data

richgalloway — Tue, 15 Oct 2013 12:05:11 GMT

I made the same changes and still no data. Did you have to restart Splunk?

Re: No port_scan data

mikaelbje — Wed, 16 Oct 2013 06:47:17 GMT

I updated my answer. Not sure if it's any help. You might try restarting Splunk just in case.

Re: No port_scan data

richgalloway — Mon, 28 Sep 2020 14:59:13 GMT

I restarted Splunk and still am getting no port_scan data. In fact, my asset_discovery index contains nothing at all.

Re: No port_scan data

mikaelbje — Wed, 16 Oct 2013 12:24:12 GMT

Can you paste your inputs.conf?

Re: No port_scan data

richgalloway — Mon, 28 Sep 2020 14:59:31 GMT

[script://./bin/nmap.sh]
disabled = 0

[script://./bin/nmap.sh -A -O]
disabled = 0

[script:///opt/splunk/etc/apps/asset_discovery/bin/nmap.sh -p14147 -t 172.16.42.
64 172.16.42.220 172.16.42.230]
disabled = false
index = asset_discovery
interval = 60
source = nmap
sourcetype = port_scan

Re: No port_scan data

mw — Wed, 16 Oct 2013 20:47:35 GMT

Rich, I'm not sure what's up here. Could you shoot me an email when you have a chance and we can try doing some debugging? I'm curious about what's happening here as well, particularly since I really haven't changed the scanning stuff in the latest version. mwilson at splunk dot com.

Re: No port_scan data

richgalloway — Fri, 18 Oct 2013 12:51:45 GMT

Redirecting the nmap.sh output to a file showed nmap was failing because of a missing OpenSSL library.

nmap: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by nmap)
nmap: /opt/splunk/lib/libssl.so.1.0.0: version `OPENSSL_1.0.0' not found (required by nmap)

Adding unset LD_LIBRARY_PATH to nmap.sh fixed the problem.

Thanks to Splunk tech support for their help with this.

Re: No port_scan data

jrodman — Mon, 28 Sep 2020 15:11:06 GMT

The reason setting the executable setUID works (which I don't recommend!) is that Linux sanitizes the environment when jumping through a setuid gate, specifically dropping LD_LIBRARY_PATH and other linker controls, so that a user cannot execute arbitrary code as root trivially.

Thus this indirectly requests the action the app should have taken in the first place, to strip the library path when running a system binary.

Re: No port_scan data

mario_traf — Mon, 28 Sep 2020 15:58:42 GMT

Hi,
I also have a similar problem. I can see data within a splunk search "index=asset_discovery sourcetype=port_scan", but the eventtype port_scan (index=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:" ) doesn't produce anything as my script isn't generating any "Ignored State:"

I am running the following script:
/opt/splunk/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 172.20.32.0/24 --max-retries 1 --osscan-guess --system-dns
and I have added "unset LD_LIBRARY_PATH" to the nmap.sh script as well as ensuring that nmap is chmod'ed so the splunk user can use it.
Have a missed something and argument when calling the script?
Mario

Re: No port_scan data

mw — Wed, 26 Feb 2014 05:14:22 GMT

You can edit the eventtype to remove that portion.

Re: No port_scan data

mario_traf — Thu, 27 Feb 2014 07:59:10 GMT

I wasn't sure if the ignored state was needed or not.
anyway, I have done as suggested.
turns out that the version of nmap I am using doesn't generate the "Ignored State:" text anymore