Help with outputlookup
I am trying to create a lookup table from events similar to the following:
results|192.168.2|192.168.2.183|microsoft-ds (445/tcp)|44416|Security Hole|Synopsis : Arbitrary code can be executed on the remote host through its SMB client. Description : The version of the SMB client software installed on the remote Windows host is affected by two vulnerabilities that could allow arbitrary code execution Solution : Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 : http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx Risk factor : High / CVSS Base Score : 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSS Temporal Score : 6.0 (CVSS2#E:POC/RL:OF/RC:C) Public Exploit Available : true Plugin output : - C:\\Windows\\system32\\drivers\\Mrxsmb.sys has not been patched Remote version : 6.1.7600.16385 Should be : 6.1.7600.16499 CVE : CVE-2010-0016, CVE-2010-0017 BID : 38093, 38100 Other references : OSVDB:62243, OSVDB:62244, CWE:362
I would like the output lookup table to look like this (for some reason when I upload this comment it doesn't display the results in a list):
host,db,id
192.168.2.183,CVE,CVE-2010-0016
192.168.2.183,CVE,CVE-2010-0017
192.168.2.183,BID,38093
192.168.2.183,BID,38100
192.168.2.183,OSVDB,62243
192.168.2.183,OSVDB,62244
192.168.2.183,CWE,362
Since there can be zero or more entries for each of the major vulnerability tracking databases, I have no idea how to extract these individually.
Any help would be greatly appreciated.
Thanks.
Craig
Here's a really messy way. With some more thought it should be possible to simplify:
...
| rex field=_raw max_match=100 "(?<xref_list>(CVE|BID|OSVDB|CWE)\s*:\s*((, )?(CVE-)?([\d+-]+))*)"
| mvexpand xref_list
| rex field=xref_list "^(?<db>\w+)\s*:\s*(?<id_list>.*)$"
| eval id=split(id_list, ",")
| mvexpand id
| table src_ip, db, id
| outputlookup yourlookup
(Assuming you've already extracted src_ip on your own, you end up with...)

rex
-- Find each reference in the raw event. For now, treat multiple events under one label (CVE and BID) as a single reference. As written, the IDs can only contain numbers and dashes, except for an optional "CVE" prefix.

xref_list
---------
CVE : CVE-2010-0016, CVE-2010-0017
BID : 38093, 38100
OSVDB:62243
OSVDB:62244
CWE:362

mvexpand
-- Expand each event into multiple lines. (CVE and BID lists are still lumped together). Now you have 5 events instead of 1.

rex
-- Now split the xref_list into two separate fields, pulling out the value of db and leaving the rest in id.

eval
-- Still 5 events, but now you have true multi-value fields for the CVE and BID entries.

mvexpand
-- Now expand again to break each CVE/BID entry into its own event. The associated value of db will be retained for each of the resulting events.

table
-- Limit the list of fields to those desired.

outputlookup
-- Save your lookup table.
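The same extraction, written as a stand-alone Python parser so the logic of the search above can be checked offline against a sample event. This is an added example, not part of the answer or of Splunk; the sample event is constructed from the one in the question, and it assumes the host is the third pipe-delimited field (the question's rows use that value). The regex has the same shape as the first rex in the answer, and the comma split plus strip mirrors eval split followed by the second mvexpand.

```python
from __future__ import annotations

import csv
import io
import re

# Constructed sample event, shaped like the one in the question
# (pipe-delimited Nessus-style result; third field assumed to be the host).
SAMPLE_EVENT = (
    "results|192.168.2|192.168.2.183|microsoft-ds (445/tcp)|44416|Security Hole|"
    "Synopsis : Arbitrary code can be executed on the remote host through its SMB client. "
    "Risk factor : High / CVSS Base Score : 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C) "
    "CVE : CVE-2010-0016, CVE-2010-0017 BID : 38093, 38100 "
    "Other references : OSVDB:62243, OSVDB:62244, CWE:362"
)

# Same shape as the answer's first rex: a database label, a colon, then a
# comma-separated run of IDs made of digits and dashes with an optional
# "CVE-" prefix. The run stops at the first token that is not an ID.
XREF_RE = re.compile(
    r"(?P<db>CVE|BID|OSVDB|CWE)\s*:\s*"
    r"(?P<ids>(?:(?:, )?(?:CVE-)?[\d-]+)*)"
)


def host_of(event: str) -> str:
    """Assumption: the scanned host is the third pipe-delimited field."""
    return event.split("|")[2]


def extract_xrefs(event: str) -> list[tuple[str, str, str]]:
    """Return one (host, db, id) row per cross-reference found in the event.

    Zero references for a database simply produce zero rows, which is the
    case the question worried about.
    """
    host = host_of(event)
    rows: list[tuple[str, str, str]] = []
    for m in XREF_RE.finditer(event):
        db = m.group("db")
        # Equivalent of eval id=split(id_list, ",") plus a trim of each value;
        # an empty run ("CWE:" with nothing usable after it) yields no rows.
        for raw_id in m.group("ids").split(","):
            xid = raw_id.strip()
            if xid:
                rows.append((host, db, xid))
    return rows


def build_lookup_csv(events) -> str:
    """Render the rows of many events as the host,db,id CSV the question asks for."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "db", "id"])
    for ev in events:
        writer.writerows(extract_xrefs(ev))
    return buf.getvalue()


if __name__ == "__main__":
    print(build_lookup_csv([SAMPLE_EVENT]))
```

One detail worth carrying back to the SPL version: split(id_list, ",") keeps the leading space on every ID after the first, so an `| eval id=trim(id)` after the second mvexpand keeps the lookup values clean.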
To your note about not displaying the results in a list -- you can either put four spaces in front of each line, or highlight the section and click on the '1010' button in the text edit box.
