Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Nessus vulnerability solution
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to find all hosts affected by a specific vulnerability and the solution to remediate that vulnerability as suggested by nessus. Since the solution field is present in the nessus:plugin field and every other information needed present in the nessus:scan sourcetype, nothing I have come up with seems to work. The end result should look something like this.
Vulnerability | Host-IP(s) | Solution
XSS vulnerability | 10.10.10.10 | Patch it
10.10.10.20
10.10.10.30
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have the Splunk Add-on for Tenable installed on your search head? This has automatic lookups to add the plugin data to the nessus:scan sourcetype. You need to enable the saved searches for this to work.
http://docs.splunk.com/Documentation/AddOns/released/Nessus/Enablesavedsearch
Do you get results when you run this search? It should contain all of the plugin data, including the solution:
|inputlookup nessus_plugin_lookup
If so, and the automatic lookup is not working, you can do the lookup manually by adding the following to your nessus:scan search:
|lookup nessus_plugin_lookup id AS plugin_id OUTPUTNEW
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have the Splunk Add-on for Tenable installed on your search head? This has automatic lookups to add the plugin data to the nessus:scan sourcetype. You need to enable the saved searches for this to work.
http://docs.splunk.com/Documentation/AddOns/released/Nessus/Enablesavedsearch
Do you get results when you run this search? It should contain all of the plugin data, including the solution:
|inputlookup nessus_plugin_lookup
If so, and the automatic lookup is not working, you can do the lookup manually by adding the following to your nessus:scan search:
|lookup nessus_plugin_lookup id AS plugin_id OUTPUTNEW
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks spayneort, that totally did it for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, determine one host that you know has the vulnerability but not the patch. Using the host name, search the index to find an event that identifies the vulnerability. Once you find the event, determine a search that will find all hosts that have that kind of event. We will call this "Search 1"
Next, determine one host that has received the patch. Using the host name, search the index to find an event that documents the host receiving the patch. Once you find the event, determine a search that will find all hosts that have received the patch. We will call this "Search 2".
Then run this...
(Search 1) OR (search 2)
| eval rectype=if(some test for search1,"Vulnerable","Patched")
| stats values(rectype) as rectype by host
| where (mvcount(rectype) < 1) AND (rectype="Vulnerable")
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
