
Does the Splunk Add-on for Nessus retrieve port information within scan data?

damuscat
Explorer

I have set up the Splunk Add-on for Nessus, and both the scan data and the plugin data are coming through as expected. Strangely enough, though, I'm not seeing any "port" field or similar within the scan data.

For example, if Nessus discovers an OpenSSH related vulnerability, chances are the port it reports will be "22 / tcp". I'm not seeing this field anywhere within the scan data that Splunk is pulling in. Even in the raw data view (which is the converted JSON data), there is no port information for any vulnerability. Checking the respective reports in Nessus however does confirm that port information is there.

This could well be an issue with the Nessus REST API, in that it might not be divulging the port information when it should be, OR maybe the Splunk Add-on is missing the port field in the conversion process. As soon as I get some time I'll be querying the Nessus REST API manually to see what it's returning, and assuming the port information is there, I guess it will then become a debugging exercise on the Splunk TA.

Has anyone else had this problem?

Nessus version is 6.5.3 (#40)
Splunk Add-on for Nessus version is 4.0.0
Splunk version is Enterprise 6.1.2

Any help would be greatly appreciated.

---- UPDATE ----

Have done some more investigation and found that the TA's python scripts are initially getting data out of Nessus in the .nessus XML format. This data does indeed have port information. Below I have grepped out a few lines from a .nessus file as an example...

```xml
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General">
<ReportItem port="1720" svc_name="h323hostcall?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5269" svc_name="jabber-server?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5061" svc_name="sip" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
```

Then within /opt/Splunk/etc/apps/Splunk_TA_nessus/bin/nessusclienthandler2.py I found the following code that indicates that the port information should be parsed out from the above examples...

```python
# Excerpt from the element-start handler in nessusclienthandler2.py, as quoted
            elif name == "ReportItem":
                self.isReportItemElement = 1
                # Port is built as "svc_name (port/protocol)" from the ReportItem attributes
                self.reportItem['Port'] = attributes.get("svc_name") + " (" + self.replaceUnknown(attributes.get("port")) + "/" + self.replaceUnknown(attributes.get("protocol")) + ")"
                self.reportItem['Severity'] = self.replaceUnknown(attributes.get("severity"))
                self.reportItem['PluginFamily'] = self.replaceUnknown(attributes.get("pluginFamily"))
                self.reportItem['PluginID'] = self.replaceUnknown(attributes.get("pluginID"))
                self.reportItem['PluginName'] = self.replaceUnknown(attributes.get("pluginName"))
```

... but this isn't working. I get all the other elements in the Splunk data, such as Severity, PluginFamily and so on, but not the port.

There appears to be something wrong within the python scripts included in the TA but there are several scripts all tied to each other and I have no idea where to start looking. Help!

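The attribute-to-field mapping quoted in the update, run stand-alone over a constructed .nessus fragment so the parsed Port value can be compared with what actually reaches Splunk. This is an added example, not code from the Splunk Add-on for Nessus or from the poster. The `replace_unknown` helper standing in for the TA's `replaceUnknown()`, and the `"unknown"` placeholder it returns, are assumptions; the sample XML is constructed from the ReportItem lines above, and its third item deliberately omits `svc_name`, an attribute the quoted TA line concatenates without a guard (a `None` there would raise a `TypeError` in that line rather than silently dropping the field).

```python
"""Parse ReportItem attributes out of a .nessus (XML) file the way the TA snippet does."""
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample, modelled on the grepped ReportItem lines in the post; not a real scan.
# Plugin IDs are the ones shown in the post. The third item has no svc_name attribute.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-example">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General">
        <description>constructed</description>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
        <description>constructed</description>
      </ReportItem>
      <ReportItem port="5061" protocol="tcp" severity="0"
                  pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
        <description>constructed, svc_name deliberately missing</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


class ReportItemHandler(ContentHandler):
    """SAX handler that collects one dict per ReportItem, mirroring the TA's field names."""

    def __init__(self):
        super().__init__()
        self.items = []
        self.current_host = None

    @staticmethod
    def replace_unknown(value):
        # Assumed stand-in for the TA's replaceUnknown(): a missing attribute becomes "unknown".
        return "unknown" if value is None else value

    def startElement(self, name, attributes):
        if name == "ReportHost":
            self.current_host = attributes.get("name")
        elif name == "ReportItem":
            port = self.replace_unknown(attributes.get("port"))
            protocol = self.replace_unknown(attributes.get("protocol"))
            # Guarded, unlike the quoted TA line, so a ReportItem without svc_name still yields a Port.
            svc = self.replace_unknown(attributes.get("svc_name"))
            self.items.append({
                "Host": self.current_host,
                "Port": f"{svc} ({port}/{protocol})",   # same shape the TA builds
                "PortNumber": port,
                "Protocol": protocol,
                "Severity": self.replace_unknown(attributes.get("severity")),
                "PluginFamily": self.replace_unknown(attributes.get("pluginFamily")),
                "PluginID": self.replace_unknown(attributes.get("pluginID")),
                "PluginName": self.replace_unknown(attributes.get("pluginName")),
            })


def parse_nessus(xml_text):
    """Return the list of ReportItem dicts found in a .nessus document given as a string."""
    handler = ReportItemHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.items


def items_missing_port(items):
    """Items whose Port field is absent or empty: the symptom described in the post."""
    return [item for item in items if not item.get("Port")]


if __name__ == "__main__":
    parsed = parse_nessus(SAMPLE_NESSUS)
    for item in parsed:
        print(item["Host"], item["PluginID"], item["Port"])
    print("items without a Port field:", len(items_missing_port(parsed)))
```

Pointing `parse_nessus` at the contents of a real exported .nessus file (for example, `parse_nessus(open("scan.nessus").read())`) gives an independent view of the Port values the TA should be producing; if they appear here but not in the indexed events, the loss is downstream of the XML parse.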

jcoates_splunk
Splunk Employee

Hi, a support ticket would be helpful so that we can troubleshoot, triage, and fix.


damuscat
Explorer

Hmmm... nobody? Can anyone confirm if they see port information in the imported data?
