I have the app installed on my SearchHead (for the dashboards & Searches), and I deployed the app on two machines separated by subnet (windows-based); utilizing nmap.cmd.
I get results when I do:
index="asset_discovery" sourcetype="ping_scan"
however, I see that the field extraction for the dest_ip seems to only pull the top host value... in this case:
dest_ip (3)--
192.168.0.0
192.168.1.0
169.254.0.0
when I look at the raw nmap output, it does, indeed have a full scan result:
# Nmap 7.80 scan initiated Fri Nov 01 15:03:05 2019 as: "C:\\Program Files\\nmap\\nmap.exe" -oG - -v -R -sP -PE 192.168.0.0/24
# Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 192.168.0.0() Status: Down
Host: 192.168.0.1() Status: Up
Host: 192.168.0.2 (web.server.example.com) Status: Up
Show all 258 lines
Looking at props.conf:
[source::nmap]
SHOULD_LINEMERGE = False
EXTRACT-nmap_ping = (?i)^Host: (?<dest_ip>\S+)\s+\((?<dest_host>\S*)\)\s+Status: (?<status>(Up|Down))\s*$
this checks out using my regex checker...
But for some reason, it's not picking up the other hosts from the nmap output.
Has anyone seen this before?
Second to this, I have not been able to get the port_scan to complete successfully on either of the scanning hosts.
Thanks, in advance.
--RP
@marycordova
I don't believe the events are breaking correctly.
Please see the attached screenshot.
My props.conf:
# props.conf
[source::nmap]
SHOULD_LINEMERGE = False
EXTRACT-nmap_ping = (?i)^Host: (?<dest_ip>\S+)\s+\((?<dest_host>\S*)\)\s+Status: (?<status>(Up|Down))\s*$
[port_scan]
EXTRACT-nmap_full = (?i)^Host: (?<dest_ip>\S+)\s+\((?<dest_host>\S*)\)\s+Ports: (?<port_signature>.*?)(?:\s+Ignored Stat
e: \w+ \(\d*\))*(?:\s+OS:\s+(?<os_signature>.*?))*(?:\s+Seq Index:\s+(?<seq_index>\d+))*(?:\s+IP ID Seq: (?<ip_id>.*?))*
(?:\s+Status:\s+(?<status>(Up|Down)))*$
REPORT-nmap_portinfo = nmap_portinfo
FIELDALIAS-os = os_signature as os
FIELDALIAS-dest = dest_ip as dest
