I am trying to create a lookup table from events similar to the following:
results|192.168.2|192.168.2.183|microsoft-ds (445/tcp)|44416|Security Hole|Synopsis : Arbitrary code can be executed on the remote host through its SMB client. Description : The version of the SMB client software installed on the remote Windows host is affected by two vulnerabilities that could allow arbitrary code execution Solution : Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 : http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx Risk factor : High / CVSS Base Score : 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSS Temporal Score : 6.0 (CVSS2#E:POC/RL:OF/RC:C) Public Exploit Available : true Plugin output : - C:\\Windows\\system32\\drivers\\Mrxsmb.sys has not been patched Remote version : 6.1.7600.16385 Should be : 6.1.7600.16499 CVE : CVE-2010-0016, CVE-2010-0017 BID : 38093, 38100 Other references : OSVDB:62243, OSVDB:62244, CWE:362
I would like the output lookup table to look like this (for some reason when I upload this comment it doesn't display the results in a list):
    host,db,id
    192.168.2.183,CVE,CVE-2010-0016
    192.168.2.183,CVE,CVE-2010-0017
    192.168.2.183,BID,38093
    192.168.2.183,BID,38100
    192.168.2.183,OSVDB,62243
    192.168.2.183,OSVDB,62244
    192.168.2.183,CWE,362
Since there can be zero or more entries for each of the major vulnerability tracking databases, I have no idea how to extract these individually.
Any help would be greatly appreciated.
To your note about not displaying the results in a list -- you can either put four spaces in front of each line, or highlight the section and click on the '1010' button in the text edit box.
Here's a really messy way. With some more thought it should be possible to simplify:
    ... | rex field=_raw max_match=100 "(?<xref_list>(CVE|BID|OSVDB|CWE)\s*:\s*((, )?(CVE-)?([\d+-]+))*)"
        | mvexpand xref_list
        | rex field=xref_list "^(?<db>\w+)\s*:\s*(?<id_list>.*)$"
        | eval id=split(id_list, ",")
        | mvexpand id
        | eval id=trim(id)
        | table src_ip, db, id
        | outputlookup yourlookup
(Assuming you've already extracted `src_ip` on your own, you end up with...)
rex-- Find each reference in the raw event. For now, treat multiple events under one label (CVE and BID) as a single reference. As written, the IDs can only contain numbers and dashes, except for an optional "CVE" prefix.
    xref_list
    ---------
    CVE : CVE-2010-0016, CVE-2010-0017
    BID : 38093, 38100
    OSVDB:62243
    OSVDB:62244
    CWE:362
mvexpand-- Expand each event into multiple lines. (CVE and BID lists are still lumped together). Now you have 5 events instead of 1.
rex-- Now split the `xref_list` into two separate fields, pulling out the value of `db` and leaving the rest in `id_list`.
eval-- Still 5 events, but now you have true multi-value fields for the CVE and BID entries.
mvexpand-- Now expand again to break each CVE/BID entry into its own event. The associated value of `db` will be retained for each of the resulting events.
table-- Limit the list of fields to those desired
outputlookup-- Save your lookup table
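As an added example (not part of the original question or answer, and not Splunk's own code), here is the same two-stage extraction written in Python so it can be run offline against the event format from the question: stage 1 mirrors the first `rex` with `max_match` (one match per "LABEL : id, id, ..." run), stage 2 mirrors the second `rex` (label split from the id list), and the comma-separated ids are then flattened and trimmed, which is where the SPL `split(id_list, ",")` would otherwise leave a leading space. The pipe-field layout and the `HOST_FIELD` index, the `\b` word boundary on the label, the de-duplication of rows and both sample events are assumptions made here; the second event is constructed to show the zero-CVE / single-BID case the question worries about, and the first carries the CVSS vector and Windows path from the original event as decoys that must not match.

```python
import csv
import io
import re

# Constructed sample events in the pipe-delimited layout the question shows
# (results|subnet|host|service|plugin id|severity|description). The description
# text is abbreviated; the parts that matter for the regex are kept, including
# decoys such as "CVSS2#AV:N/..." and a Windows path that must not match.
SAMPLE_EVENTS = [
    "results|192.168.2|192.168.2.183|microsoft-ds (445/tcp)|44416|Security Hole|"
    "Synopsis : Arbitrary code can be executed on the remote host through its SMB client. "
    "Risk factor : High / CVSS Base Score : 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C) "
    "Plugin output : - C:\\Windows\\system32\\drivers\\Mrxsmb.sys has not been patched "
    "Remote version : 6.1.7600.16385 Should be : 6.1.7600.16499 "
    "CVE : CVE-2010-0016, CVE-2010-0017 BID : 38093, 38100 "
    "Other references : OSVDB:62243, OSVDB:62244, CWE:362",
    # A second, constructed event with no CVE and a single BID: the zero-or-more case.
    "results|192.168.2|192.168.2.10|www (80/tcp)|10107|Security Note|"
    "Synopsis : Web server version disclosure. BID : 12345 Other references : CWE:200",
]

# Stage 1, the same idea as the SPL rex with max_match: one match per
# "LABEL : id, id, ..." run. The \b (an addition here) keeps e.g. "XCVE:1" from
# matching; the ID class is digits and dashes with an optional "CVE-" prefix,
# as in the answer's regex.
XREF_RE = re.compile(r"\b(CVE|BID|OSVDB|CWE)\s*:\s*(?:(?:, )?(?:CVE-)?[\d-]+)+")

# Stage 2, the second rex: split the label from the comma-separated id list.
LABEL_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")

HOST_FIELD = 2  # assumption: the host is the third pipe-delimited field, as in the sample


def extract_xrefs(event):
    """Return (host, db, id) tuples for one event, one per cross-reference."""
    fields = event.split("|")
    host = fields[HOST_FIELD]
    description = fields[-1]
    rows = []
    for match in XREF_RE.finditer(description):
        db, id_list = LABEL_RE.match(match.group(0)).groups()
        for ref in id_list.split(","):
            ref = ref.strip()  # split(",") leaves a leading space on later ids
            if ref:
                rows.append((host, db, ref))
    return rows


def build_lookup(events):
    """Flatten all events into unique (host, db, id) rows, preserving first-seen order."""
    rows = []
    for event in events:
        rows.extend(extract_xrefs(event))
    # De-duplicate: the same plugin can fire for the same host in several scans,
    # and a lookup table with repeated rows is rarely what you want.
    return list(dict.fromkeys(rows))


def to_csv(rows):
    """Render rows as the host,db,id CSV that outputlookup would write."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "db", "id"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_lookup(SAMPLE_EVENTS)), end="")
```

Running the script prints the `host,db,id` table from the question for the first event, followed by the two rows for the constructed second event. If the vendor ever emits a label with no id after it, the `+` on the id group makes stage 1 skip it rather than produce an empty `id` row, which is the one place this deliberately differs from the answer's `*`.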