topic Re: How do I run NMAP on search results? in Splunk Dev

How do I run NMAP on search results?

reswob4 — Fri, 18 Nov 2016 20:44:01 GMT

Is there a way I can run Splunk against search results?

For example in pseudo-code: destination_url=bad_site.com | nmap -A source_ip

The assumption would be that there would only be a few IPs.

All the searches on Answers have returned several apps such as Asset Discovery and Simple NMAP, but nothing so far about sending IPs found into NMAP.

Should I wrap NMAP into a python or shell script and do it that way?

Thanks.

Re: How do I run NMAP on search results?

richgalloway — Sun, 20 Nov 2016 00:29:05 GMT

Consider creating custom command to run nmap against a provided IP address. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutcustomsearchcommands.

Re: How do I run NMAP on search results?

reswob4 — Mon, 21 Nov 2016 01:17:25 GMT

OK, I created a custom command, but I'm not configured correctly. It won't pass the search result to the script.

Here is my script (/etc/apps/search/bin/scanip.py):

import subprocess,sys,os

nmap = "nmap -A " + sys.argv[1]


p = subprocess.Popen(nmap, shell=True, stderr=subprocess.PIPE)
while True:
    out = p.stderr.read(1)
    if out == '' and p.poll() != None:
        break
    if out != '':
        sys.stdout.write(out)
        sys.stdout.flush()

Here is my search:

sourcetype=WinDNS | table source_address | head 1 | scanip source_address

Here is the output from the search:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-20 20:07 EST
Failed to resolve "source_address".
WARNING:Nmap done: 0 IP addresses (0 hosts up) scanned in 0.29 seconds
No targets were specified

Yet, I if run the following search:

| scanip 10.10.10.10

I get the expected nmap results.

So how to I get splunk to pass the value of source_address or whatever field instead of the string?

It seems to have something to do with http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts

but I can't get the syntax right.

Thanks for any suggestions or links with better examples.

Re: How do I run NMAP on search results?

richgalloway — Mon, 21 Nov 2016 12:53:55 GMT

Try

... | scanip $source_address$

Re: How do I run NMAP on search results?

reswob4 — Tue, 29 Sep 2020 11:54:12 GMT

sourcetype=WinDNS | table source_address | head 1 | scanip $source_address$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:54 EST
Failed to resolve "$".
WNmap done: 0 IP addresses (0 hosts up) scanned in 0.72 seconds
ARNING: No targets were specified

sourcetype=WinDNS | table source_address | head 1 | scanip $$source_address$$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:55 EST
Failed to resolve "45981source_address45981".
WARNmap done: 0 IP addresses (0 hosts up) scanned in 0.30 seconds
NING: No targets were specified

sourcetype=WinDNS | table source_address | head 1 | scanip \$source_address\$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:56 EST
Failed to resolve "$source_address$".
WARNNmap done: 0 IP addresses (0 hosts up) scanned in 0.46 seconds
ING: No targets were specified

Re: How do I run NMAP on search results?

richgalloway — Mon, 21 Nov 2016 13:57:41 GMT

One last guess:

... | scanip 'source_address'
Note the single quotes.

Re: How do I run NMAP on search results?

reswob4 — Mon, 21 Nov 2016 14:56:16 GMT

Nope

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:46 EST
Failed to resolve "source_address".
WANmap done: 0 IP addresses (0 hosts up) scanned in 0.45 seconds
RNING: No targets were specified

It shows double quotes in the response whether or not I put single or double quotes in the search bar.

Re: How do I run NMAP on search results?

reswob4 — Mon, 12 Dec 2016 15:40:16 GMT

After looking as this and asking around some other sources, it seems the best way to do this is to export the list of ips to a CSV, call a script to run nmap against that csv, which either exports to a XML which is then re-imported back into Splunk or send the nmap output to ANOTHER script which puts the output into csv which then can be used as a lookup table.

So for now, this effort is going on the back burner.

Thanks to @richgalloway for the suggestions provided.

Re: How do I run NMAP on search results?

RMcCurdyDOTcom — Thu, 17 Aug 2023 19:03:09 GMT

XtremeNmapParser FTW to convert the xml to JSON and then used HEC to send it all to Spunk!

https://github.com/xtormin/XtremeNmapParser/issues/1