
Why is the Splunk Add-on for Nessus indexing running Nessus scans, even after setting index_events_for_unsuccessful_scans to "0"?

Explorer

I'm having an issue where Splunk is indexing running Nessus scans despite having changed the index_events_for_unsuccessful_scans option to 0 in Splunk_TA_Nessus/local/nessus.conf. I've tried everything I can think of, but the issue persists.

I've restarted Splunk, deleted and recreated the input, restarted the machine it's running on, edited the default version of nessus.conf, and deleted and reinstalled the Add-On. Despite this, I'm still getting the incomplete scan data.

Has anyone else had this problem and been able to fix it? I'm using the brand new release of the add-on (which is otherwise great, by the way).


Splunk Employee

Hi gharrison

Can you please explain more about 'getting the incomplete scan data'? What does the 'incomplete data' mean here? I think if you set index_events_for_unsuccessful_scans=0, the result of the unsuccessful scan won't be fetched after your configuration. If that is not the case, you can file a support ticket and we can investigate further.


Explorer

Sure thing. I did some more testing yesterday and it looks like setting index_events_for_unsuccessful_scans=0 does work for SOME types of incomplete scans, specifically aborted scans. However, the add-on still pulls running scans even when that option is set to 0. In the nessus.conf file, the comment for this option states it should not be pulling running scan data, which is why I think there may be an issue.


New Member

I am experiencing the same issue as gharrison90 in the Splunk TA Nessus add-on 5.0.0.

Inside the Splunk_TA_nessus/bin/nessus_config.py file, it appears that there is no check or conversion of the configuration string value to the proper boolean value.

line 52: self.fields_scan = ("index_events_for_unsuccessful_scans")

This makes it look like it is storing the value as a string, which will always evaluate to true unless it is an empty string.

A similar issue appears in the Splunk_TA_nessus/bin/nessus_data_collector.py file as well, where it does not appear that it is doing any check to convert the string value to a boolean true or false. It just looks like it is checking if a value is set.

line 140: if self.config.get("index_events_for_unsuccessful_scans", True):

Anyone else able to verify this?


New Member

Looks like the app needs to be patched to utilize the normaliser.Boolean() function or similar.

This is similar to what is being used in the Splunk_TA_nessus/bin/ta_tenable_rh_sc_inputs.py function to normalize the "disabled" option for the inputs.conf file:

line:20 normalisers = {"disabled": normaliser.Boolean()}


Splunk Employee

Hi Madc0w

You are correct. I think it is a bug in our add-on. We'll fix the issue in the next release. You can apply the code below in nessus_data_collector.py for a quick fix.

line 12: import splunktalib.common.util as util

line 140: change

if self.config.get("index_events_for_unsuccessful_scans", True):

to

if util.is_true(self.config.get("index_events_for_unsuccessful_scans", True)):
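
The root cause discussed in this thread, shown as an added stand-alone illustration (this is not code from Splunk_TA_nessus or splunktalib): a .conf value arrives as the string "0", which a bare truthiness check treats as enabled, while a normaliser parses it first. The set of accepted true/false spellings and the rule that anything other than "completed" counts as unsuccessful are assumptions made for the example.

```python
# Added example, not the add-on's own code. Shows why the string "0" passes a
# bare `if config.get(...)` check and how a boolean normaliser fixes it.

# Accepted spellings are an assumption modelled on common Splunk .conf usage.
TRUE_VALUES = {"1", "true", "t", "y", "yes"}
FALSE_VALUES = {"0", "false", "f", "n", "no"}


def is_true(value, default=True):
    """Normalise a .conf boolean. Unrecognised text returns `default`
    instead of being silently treated as truthy."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    return default


def buggy_should_index(config):
    # Mirrors the original check: any non-empty string, "0" included, is truthy.
    return bool(config.get("index_events_for_unsuccessful_scans", True))


def fixed_should_index(config):
    # Mirrors the patched check: parse the string before deciding.
    return is_true(config.get("index_events_for_unsuccessful_scans", True))


def filter_scans(scans, config, decide=fixed_should_index):
    """Return the scans that would be fetched. Completed scans are always
    fetched; other statuses only when the option is enabled (assumption)."""
    index_unsuccessful = decide(config)
    return [s for s in scans if s["status"] == "completed" or index_unsuccessful]


# Constructed sample input: the stanza value as Splunk hands it to the input.
SAMPLE_CONFIG = {"index_events_for_unsuccessful_scans": "0"}
SAMPLE_SCANS = [
    {"id": 1, "status": "completed"},
    {"id": 2, "status": "running"},
    {"id": 3, "status": "aborted"},
]

if __name__ == "__main__":
    print("buggy:", [s["id"] for s in filter_scans(SAMPLE_SCANS, SAMPLE_CONFIG, buggy_should_index)])
    print("fixed:", [s["id"] for s in filter_scans(SAMPLE_SCANS, SAMPLE_CONFIG)])
```

Running it prints the buggy path fetching all three scans and the fixed path fetching only the completed one.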

Explorer

Rwang, the fix you provided seems to work. Thanks for taking the time to reply with it. I'll mark this answer as accepted.
