
Does the Splunk Add-on for Nessus retrieve port information within scan data?


I have set up the Splunk Add-on for Nessus and both the scan data and plugin data are coming through as expected. Strangely enough though, I'm not seeing any "port" field or similar within the scan data.

For example, if Nessus discovers an OpenSSH related vulnerability, chances are the port it reports will be "22 / tcp". I'm not seeing this field anywhere within the scan data that Splunk is pulling in. Even in the raw data view (which is the converted JSON data), there is no port information for any vulnerability. Checking the respective reports in Nessus however does confirm that port information is there.

This could well be an issue with the Nessus REST API, in that it might not be divulging the port information when it should be, OR, maybe the Splunk Add-on is missing the port field in the conversion process. As soon as I get some time I'll be querying the Nessus REST API manually to see what it's returning and assuming the port information is there I guess it will then become a debugging exercise on the Splunk TA.

Has anyone else had this problem?

Nessus version is 6.5.3 (#40)
Splunk Add-on for Nessus version is 4.0.0
Splunk version is Enterprise 6.1.2

Any help would be greatly appreciated.

---- UPDATE ----

Have done some more investigation and found that the TA's python scripts are initially getting data out of Nessus in the .nessus XML format. This data does indeed have port information. Below I have grepped out a few lines from a .nessus file as an example...

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General">
<ReportItem port="1720" svc_name="h323hostcall?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5269" svc_name="jabber-server?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5061" svc_name="sip" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">

Then within /opt/Splunk/etc/apps/Splunk_TA_nessus/bin/ I found the following code that indicates that the port information should be parsed out from the above examples...

            elif name == "ReportItem":
                self.isReportItemElement = 1
                self.reportItem['Port'] = attributes.get("svc_name") + " (" + self.replaceUnknown(attributes.get("port")) + "/" + self.replaceUnknown(attributes.get("protocol")) + ")"
                self.reportItem['Severity'] = self.replaceUnknown(attributes.get("severity"))
                self.reportItem['PluginFamily'] = self.replaceUnknown(attributes.get("pluginFamily"))
                self.reportItem['PluginID'] = self.replaceUnknown(attributes.get("pluginID"))
                self.reportItem['PluginName'] = self.replaceUnknown(attributes.get("pluginName"))

... but this isn't working. I get all the other elements in the Splunk data, such as Severity, PluginFamily and so on, but not the port.

There appears to be something wrong within the python scripts included in the TA but there are several scripts all tied to each other and I have no idea where to start looking. Help!

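To confirm whether a .nessus file actually carries the port data before chasing it through the TA, here is a small stand-alone SAX parser (added example, not code from the Splunk Add-on for Nessus or from the original post). It builds the same "svc_name (port/protocol)" string the quoted startElement code builds, but with an assumed replace_unknown() helper applied to every attribute, so a ReportItem without a svc_name attribute yields "unknown (...)" instead of failing. The sample XML is constructed from the four ReportItem lines in the post, wrapped in the .nessus v2 envelope (NessusClientData_v2 / Report / ReportHost), with one extra item that deliberately omits svc_name. naive_port() reproduces the concatenation in the quoted code so the difference on that item can be seen directly.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample: the ReportItem lines from the post, wrapped in a minimal
# .nessus v2 envelope. The last item is constructed without svc_name to show
# the missing-attribute case; its pluginID is a placeholder, not a real plugin.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-example">
  <ReportHost name="192.0.2.10">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General"/>
   <ReportItem port="1720" svc_name="h323hostcall?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
   <ReportItem port="5269" svc_name="jabber-server?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
   <ReportItem port="5061" svc_name="sip" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
   <ReportItem port="8443" protocol="tcp" severity="2" pluginID="PLACEHOLDER" pluginName="constructed item without svc_name" pluginFamily="Constructed"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def replace_unknown(value):
    """Hypothetical stand-in for the TA's replaceUnknown(): a missing
    attribute becomes the string 'unknown' instead of None."""
    return "unknown" if value is None else value


def naive_port(attrs):
    """Same expression as the quoted TA code: svc_name is concatenated
    without going through replace_unknown(), so a missing svc_name
    raises TypeError (None + str) rather than producing a Port value."""
    return (attrs.get("svc_name") + " (" + replace_unknown(attrs.get("port"))
            + "/" + replace_unknown(attrs.get("protocol")) + ")")


def safe_port(attrs):
    """Defensive variant: every attribute passes through replace_unknown()."""
    return "%s (%s/%s)" % (replace_unknown(attrs.get("svc_name")),
                           replace_unknown(attrs.get("port")),
                           replace_unknown(attrs.get("protocol")))


class ReportItemHandler(ContentHandler):
    """Collects one dict per ReportItem, tagged with the enclosing ReportHost."""

    def __init__(self):
        super().__init__()
        self.host = None
        self.items = []

    def startElement(self, name, attrs):
        if name == "ReportHost":
            self.host = attrs.get("name")
        elif name == "ReportItem":
            self.items.append({
                "Host": self.host,
                "Port": safe_port(attrs),
                "Severity": replace_unknown(attrs.get("severity")),
                "PluginFamily": replace_unknown(attrs.get("pluginFamily")),
                "PluginID": replace_unknown(attrs.get("pluginID")),
                "PluginName": replace_unknown(attrs.get("pluginName")),
            })


def extract_report_items(xml_text):
    """Parse .nessus XML text and return the list of ReportItem dicts."""
    handler = ReportItemHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.items


def items_missing_port(items):
    """Items whose Port field is empty or absent; expected to be none."""
    return [item for item in items if not item.get("Port")]


if __name__ == "__main__":
    # Point this at a real export (e.g. the file the TA downloads) to verify
    # the Port values locally before looking at what reaches Splunk.
    for item in extract_report_items(SAMPLE_NESSUS):
        print(item)
```

Running this over a real .nessus export and comparing the printed Port values with what appears in Splunk narrows the problem to either the XML (port absent at the source) or the conversion step (port present in the XML but dropped afterwards).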

Splunk Employee

Hi, a support ticket would be helpful so that we can troubleshoot, triage, and fix.



Hmmm.. nobody??? Can anyone confirm if they see port information in the imported data?
