Asset Discovery app not returning OS signatures
We're running the asset discovery app on a Linux indexer, and it returns data just fine for hosts, but for some reason nothing is showing up in the OS signatures field. I ran $SPLUNK_HOME/etc/apps/asset_discovery/bin/nmap.sh -A -O just as in the scripted input, and it returns just fine, greppable output and all. Takes fifteen minutes to run in a /24 network which is somewhat worrying and maybe the proximate cause of failure on the Splunk side. Thoughts?
Any thoughts?

Relevant field extractions can be found (roughly) here: http://localhost:8000/en-US/manager/launcher/data/props/extractions?ns=asset_discovery&pwnr=-&search...
Do we know which job contains the field extraction for this, e.g. the file that needs to get fixed?

If you look at the raw scan results in splunk and they contain proper OS signatures, then the field extraction isn't catching it. You can modify the extraction in that case. If the raw results don't contain signatures it's an issue with nmap itself.
It has to be running as root: when I tried to run nmap.sh as splunk user the output was: "./nmap.sh: line 96: ifconfig: command not found" and I know it's working better than that. I should have mentioned having set the setuid bit on nmap but apparently that was not needed.
Here's an example output from running ./nmap.sh -A -O as root:
Host: 192.168.1.32 (hostname.example.com) Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/, 515/open/tcp//printer//Microsoft lpd/, 1025/open/tcp//msrpc//Microsoft Windows RPC/, 3389/open/tcp//microsoft-rdp//Microsoft Terminal Service/, 8080/open/tcp//http-proxy?/// OS: Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server Seq Index: 9999999 IPID Seq: Incremental
That's accurate to the given host. It looks like it's returning good data.

What user is the scan running as?
What does the raw data look like? Is the OS string included? A single result should look something like this sample (notice the "OS: Linux ..." portion at the end).
Host: 192.168.1.2 () Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 443/open/tcp//ssl|http//Apache httpd/, 8089/open/tcp//ssl|http//Splunkd httpd/, 9001/open/tcp//vnc//VNC (protocol 3.8)/, 9002/open/tcp//vnc//VNC (protocol 3.8)/ Ignored State: closed (993) OS: Linux 2.6.17 - 2.6.31 Seq Index: 205 IP ID Seq: All zeros
Finally, nmap isn't always successful in matching a fingerprint to the OS. In those cases, please consult nmap.org: http://nmap.org/book/osdetect-unidentified.html#osdetect-contrib
Regarding the scan time, 15 minutes for a subnet sounds fairly reasonable to me. The scan time will really depend on the characteristics of the network itself -- how many hosts are online, for instance. Fortunately, with this app you can distribute scanners out to multiple subnets and scan many subnets in roughly that same amount of time.
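The two answers above come down to one diagnostic: look at the raw `Host:` line in Splunk and see whether an `OS:` field is there at all. The following parser is an added example (not code from the asset_discovery app or from anyone in this thread) that walks a grepable nmap result line and separates the two failure modes: a line that has an `OS:` field the extraction is not catching, versus a line where nmap produced no fingerprint. The sample lines are constructed from the two results quoted in the thread plus one constructed host with no OS match; `OS_EXTRACT_RE` is an assumed extraction of the shape one might put in props.conf, not the app's actual one. Real `nmap -oG` output separates fields with tabs; the thread's copies collapsed those to spaces, and the parser accepts either.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output in the flattened "nmap -oG" shape quoted in this thread.
SAMPLE_LINES: List[str] = [
    "Host: 192.168.1.32 (hostname.example.com) Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/ "
    "OS: Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server "
    "Seq Index: 9999999 IPID Seq: Incremental",
    "Host: 192.168.1.2 () Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd/, 443/open/tcp//ssl|http//Apache httpd/ "
    "Ignored State: closed (993) OS: Linux 2.6.17 - 2.6.31 Seq Index: 205 IP ID Seq: All zeros",
    # Constructed: a host nmap could not fingerprint, so the OS field is absent entirely.
    "Host: 192.168.1.50 () Ports: 80/open/tcp//http//nginx/ Ignored State: closed (999)",
]

# Labels that start a field in a grepable host line. Both "IP ID Seq" and "IPID Seq"
# occur in the thread's samples, so the label regex accepts the optional space.
FIELD_RE = re.compile(r"(?:^|\s)(Host|Ports|Ignored State|OS|Seq Index|IP ?ID Seq):\s")
HOST_RE = re.compile(r"^(\S+)\s*\(([^)]*)\)$")

# Assumed Splunk-style EXTRACT regex for just the OS field. In props.conf this would
# use a PCRE named group (?<os>...); Python spells the same thing (?P<os>...).
OS_EXTRACT_RE = re.compile(r"\sOS:\s+(?P<os>.+?)(?=\s+Seq Index:|\s+IP ?ID Seq:|$)")


def split_fields(line: str) -> Dict[str, str]:
    """Cut one host line into {label: value}, with spaces removed from the labels."""
    marks = list(FIELD_RE.finditer(line))
    fields: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        fields[m.group(1).replace(" ", "")] = line[m.end():end].strip()
    return fields


def parse_ports(value: str) -> List[Dict[str, str]]:
    """Ports are 'port/state/proto/owner/service/rpcinfo/version/' entries joined by
    ', '. nmap rewrites '/' inside service and version strings as '|' (see 'ssl|http'),
    so splitting on '/' is safe; the lookahead keeps commas inside versions intact."""
    ports = []
    for entry in re.split(r",\s+(?=\d+/)", value):
        parts = entry.split("/")
        if len(parts) < 7:
            continue  # malformed entry: skip rather than mis-assign columns
        ports.append({"port": parts[0], "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6]})
    return ports


def parse_grepable_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured record for one 'Host:' line, or None for non-host lines."""
    fields = split_fields(line)
    if "Host" not in fields:
        return None
    host_match = HOST_RE.match(fields["Host"])
    ip, hostname = (host_match.group(1), host_match.group(2)) if host_match else (fields["Host"], "")
    os_value = fields.get("OS")
    return {
        "ip": ip,
        "hostname": hostname,
        "ports": parse_ports(fields.get("Ports", "")),
        # nmap lists alternative OS guesses separated by '|'
        "os": os_value.split("|") if os_value else None,
        "seq_index": fields.get("SeqIndex"),
        "ipid_seq": fields.get("IPIDSeq"),
    }


def extract_os_field(line: str) -> Optional[str]:
    """What the assumed props.conf EXTRACT would pull from the raw event, or None."""
    m = OS_EXTRACT_RE.search(line)
    return m.group("os") if m else None


def hosts_missing_os(lines: List[str]) -> List[str]:
    """IPs whose raw result carries no OS field at all: those are nmap fingerprint
    misses rather than extraction problems, the case the thread points at nmap.org for."""
    missing = []
    for line in lines:
        rec = parse_grepable_line(line)
        if rec and rec["os"] is None:
            missing.append(rec["ip"])
    return missing


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        rec = parse_grepable_line(raw)
        print(rec["ip"], "->", rec["os"], "| extract:", extract_os_field(raw))
    print("no fingerprint:", hosts_missing_os(SAMPLE_LINES))
```

If `extract_os_field` returns a value for a line but the OS signatures field is still empty in Splunk, the app's extraction is what needs adjusting; if `hosts_missing_os` lists the host, the raw data never had a fingerprint and the extraction is not at fault.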
Hi MW,
I see that Asset Discovery on my Splunk is scanning only the hosts on the same subnet where the Splunk server is.
Do I have to make any configuration?
Thanks
