I have set up the Splunk Add-on for Nessus and both the scan data and plugin data are coming through as expected. Strangely enough though, I'm not seeing any "port" field or similar within the scan data.
For example, if Nessus discovers an OpenSSH related vulnerability, chances are the port it reports will be "22 / tcp". I'm not seeing this field anywhere within the scan data that Splunk is pulling in. Even in the raw data view (which is the converted JSON data), there is no port information for any vulnerability. Checking the respective reports in Nessus however does confirm that port information is there.
This could well be an issue with the Nessus REST API, in that it might not be divulging the port information when it should be, or maybe the Splunk Add-on is missing the port field in the conversion process. As soon as I get some time I'll be querying the Nessus REST API manually to see what it's returning, and assuming the port information is there I guess it will then become a debugging exercise on the Splunk TA.
Has anyone else had this problem?
Nessus version is 6.5.3 (#40)
Splunk Add-on for Nessus version is 4.0.0
Splunk version is Enterprise 6.1.2
Any help would be greatly appreciated.
---- UPDATE ----
Have done some more investigation and found that the TA's python scripts are initially getting data out of Nessus in the .nessus XML format. This data does indeed have port information. Below I have grepped out a few lines from a .nessus file as an example...
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General">
<ReportItem port="1720" svc_name="h323hostcall?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5269" svc_name="jabber-server?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
<ReportItem port="5061" svc_name="sip" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners">
Then within /opt/Splunk/etc/apps/Splunk_TA_nessus/bin/nessusclienthandler2.py I found the following code that indicates that the port information should be parsed out from the above examples...
    elif name == "ReportItem":
        self.isReportItemElement = 1
        self.reportItem['Port'] = attributes.get("svc_name") + " (" + self.replaceUnknown(attributes.get("port")) + "/" + self.replaceUnknown(attributes.get("protocol")) + ")"
        self.reportItem['Severity'] = self.replaceUnknown(attributes.get("severity"))
        self.reportItem['PluginFamily'] = self.replaceUnknown(attributes.get("pluginFamily"))
        self.reportItem['PluginID'] = self.replaceUnknown(attributes.get("pluginID"))
        self.reportItem['PluginName'] = self.replaceUnknown(attributes.get("pluginName"))
... but this isn't working. I get all the other elements in the Splunk data, such as Severity, PluginFamily and so on, but not the port.
There appears to be something wrong within the Python scripts included in the TA, but there are several scripts all tied to each other and I have no idea where to start looking. Help!
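To check that the ReportItem attributes quoted above really do yield a Port value when parsed the way the TA's snippet does, here is a standalone parser added for this post (it is not the TA's code and not part of the original question). It uses Python's xml.sax, as the TA does, builds the same "svc_name (port/protocol)" string, and prints each item as one JSON object so the result can be compared with what Splunk shows in the raw data view. The TA's replaceUnknown helper is not shown in the post; the replace_unknown function here is an assumption that maps a missing attribute to the string "unknown". The embedded .nessus document is constructed from the four ReportItem lines quoted above plus one made-up item with no port/svc_name attributes to exercise the missing-attribute path. Run it with no arguments to parse the embedded sample, or pass the path of an exported .nessus file to check a real scan.

```python
import json
import sys
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample .nessus document. The four populated ReportItem elements
# copy the attributes quoted in the post; the host name and the fifth item
# (no port/svc_name attributes) are made up to exercise the missing-attribute path.
SAMPLE_NESSUS = b"""<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="25220" pluginName="TCP/IP Timestamps Supported" pluginFamily="General"/>
      <ReportItem port="1720" svc_name="h323hostcall?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
      <ReportItem port="5269" svc_name="jabber-server?" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
      <ReportItem port="5061" svc_name="sip" protocol="tcp" severity="0" pluginID="10335" pluginName="Nessus TCP scanner" pluginFamily="Port scanners"/>
      <ReportItem protocol="tcp" severity="1" pluginID="99999" pluginName="Made-up item without port" pluginFamily="General"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def replace_unknown(value):
    """Assumed stand-in for the TA's replaceUnknown(): a missing attribute becomes 'unknown'."""
    return "unknown" if value is None else value


class ReportItemHandler(ContentHandler):
    """SAX handler that turns each <ReportItem> into a flat dict using the TA's field names."""

    def __init__(self):
        super().__init__()
        self.host = None
        self.items = []

    def startElement(self, name, attributes):
        if name == "ReportHost":
            self.host = attributes.get("name")
        elif name == "ReportItem":
            svc = replace_unknown(attributes.get("svc_name"))
            port = replace_unknown(attributes.get("port"))
            proto = replace_unknown(attributes.get("protocol"))
            self.items.append({
                "Host": self.host,
                # Same layout the TA snippet builds: "svc_name (port/protocol)"
                "Port": "%s (%s/%s)" % (svc, port, proto),
                "Severity": replace_unknown(attributes.get("severity")),
                "PluginFamily": replace_unknown(attributes.get("pluginFamily")),
                "PluginID": replace_unknown(attributes.get("pluginID")),
                "PluginName": replace_unknown(attributes.get("pluginName")),
            })


def parse_nessus(xml_bytes):
    """Parse .nessus XML bytes and return the ReportItem dicts in document order."""
    handler = ReportItemHandler()
    xml.sax.parseString(xml_bytes, handler)
    return handler.items


def to_json_lines(items):
    """Render items one JSON object per line, the shape Splunk's raw view would show."""
    return [json.dumps(item, sort_keys=True) for item in items]


def port_coverage(items):
    """Return (total items, items whose Port field is present and non-empty)."""
    with_port = sum(1 for item in items if item.get("Port"))
    return len(items), with_port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_NESSUS
    parsed = parse_nessus(data)
    for line in to_json_lines(parsed):
        print(line)
    total, with_port = port_coverage(parsed)
    print("ReportItems: %d, with Port field: %d" % (total, with_port))
```

One difference from the TA snippet worth knowing when reading its output: the snippet passes svc_name straight into string concatenation without replaceUnknown, so a ReportItem that lacks svc_name would raise a TypeError inside startElement rather than produce an item with an empty Port. This example wraps all three attributes, so the made-up item comes out as "unknown (unknown/tcp)" and the coverage count still reports a Port field for every item; if a real export parses cleanly here but the Splunk events still lack Port, the loss is after this parsing stage.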