topic Re: Help with outputlookup in Splunk Search

Help with outputlookup

jambajuice — Fri, 10 Dec 2010 09:48:56 GMT

I am trying to create a lookup table from evenst similar to the following:

results|192.168.2|192.168.2.183|microsoft-ds (445/tcp)|44416|Security Hole|Synopsis :  Arbitrary code can be executed on the remote host through its SMB client.  Description :  The version of the SMB client software installed on the remote  Windows host is affected by two vulnerabilities that could allow  arbitrary code execution Solution :  Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :  http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx  Risk factor :  High / CVSS Base Score : 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSS Temporal Score : 6.0 (CVSS2#E:POC/RL:OF/RC:C) Public Exploit Available : true  Plugin output :  - C:\\Windows\\system32\\drivers\\Mrxsmb.sys has not been patched Remote version : 6.1.7600.16385 Should be : 6.1.7600.16499  CVE : CVE-2010-0016, CVE-2010-0017 BID : 38093, 38100 Other references : OSVDB:62243, OSVDB:62244, CWE:362

I would like the output lookup table to look like this (for some reason when I upload this comment it doesn't display the results in a list):

host,db,id
192.168.2.183,CVE,CVE-2010-0016
192.168.2.183,CVE,CVE-2010-0017
192.168.2.183,BID,38093
192.168.2.183,BID,38100
192.168.2.183,OSVDB,62243
192.168.2.183,OSVDB,62244
192.168.2.183,CWE,362

Since there can be zero or more entries for each of the major vulnerability tracking databases, I have no idea how to extract these individually.

Any help would be greatly appreciated.

Thanks.

Craig

Re: Help with outputlookup

southeringtonp — Fri, 10 Dec 2010 11:28:48 GMT

To your note about not displaying the results in a list -- you can either put four spaces in front of each line, or highlight the section and click on the '1010' button in the text edit box.

Re: Help with outputlookup

southeringtonp — Fri, 10 Dec 2010 12:46:46 GMT

Here's a really messy way. With some more thought it should be possible to simplify:

...
| rex field=_raw max_match=100 "(?<xref_list>(CVE|BID|OSVDB|CWE)\s*:\s*((, )?(CVE-)?([\d+-]+))*)"
| mvexpand xref_list
| rex field=xref_list "^(?<db>\w+)\s*:\s*(?<id_list>.*)$"
| eval id=split(id_list, ",")
| mvexpand id
| table src_ip, db, id
| outputlookup yourlookup

(Assuming you've already extracted src_ip on your own, you end up wth...

rex -- Find each reference in the raw event. For now, treat multiple events under one label (CVE and BID) as a single reference. As written, the IDs can only contain numbers and dashes, except for an optional "CVE" prefix.

xref_list
---------
CVE : CVE-2010-0016, CVE-2010-0017`
BID : 38093, 38100
OSVDB:62243
OSVDB:62244
CWE:362

mvexpand -- Expand each event into multiple lines. (CVE and BID lists are still lumped together). Now you have 5 events instead of 1.

rex -- Now split the xref_list into two separate fields, pulling out the value of db and leaving the rest in id.

eval -- Still 5 events, but now you have true multi-value fields for the CVE and BID enties.

mvexpand -- Now expand again to break each CVE/BID entry into its own event. The associated value of db will be retained for each of the resulting events.

table -- Limit the list of fields to those desired

outputlookup -- Save your lookup table