Splunk Search

How to write regex to extract Port numbers and status from nmap output?



this took at least three days of my life but I still couldn't handle it, please, I need help

I have a data file includes output of nmap traces (couple of traces on different times on each IP) in our subnet like this:

host starttime="1402600202" endtime="1402601288" status state="up" reason="echo-reply" address addr="" addrtype="ipv4" hostnames hostname name="sunvirt01.srv.be" type="PTR" hostnames ports extraports state="filtered" count="985" extrareasons reason="no-responses" count="985" extraports: port protocol="tcp" portid="20" state state="closed" reason="reset" reason_ttl="63" service name="ftp-data" method="table" conf="3" port port protocol="tcp" portid="21" state state="open" reason="syn-ack" reason_ttl="63"/ service name="ftp" product="ProFTPD" method="probed" conf="10" cpe cpe:/a:proftpd:proftpd cpe service port port protocol="tcp" portid="22" port protocol="tcp" portid="222" state state="open" reason="syn-ack" reason_ttl="63" service name="tcpwrapped" method="probed" ...
(os)portused state="open" proto="tcp" portid="21"/ portused state="closed" proto="tcp" portid="20"/ osmatch name="Linux 3.0" accuracy="99" line="47080" (...)

what I need is a table to show the IP address and "open" Ports on that machine beside the service(s) are using that open port, something like this(e.g):

------ -----IP ----- ------- Ports ----- ----- Service -------21------------------ ftp

(if there are more open ports o one host they have to be listed below "Ports" by their services)

I'm using this regex: (?i) portid="(?P[^"]+) to extract Port numbers but unfortunately in some cases I face with values like 21/ or duplicate values like this:

21 --- ftp

80 --- http



or like this one:

20 ---

443 --- http


21 ---- ftp


( I mean I need the duplicate values to be removed (or not detected) or values with "/" at the end which I have no idea about them!) can you give me some hint or the right regex I have to used to extract only open ports (once without considering duplicates at the rest)?

I've even tried this one but still doesn't work properly... :

rex max_match=10 "(?i) portid=\"(?P[^\"]+)"|rename FIELDNAME as OpenPorts|rex max_match=10 "(?im)^<\w+><\w+\s+\w+=\"(?P[^\"]+)" |rename FIELDNAME as status

I think this is related to part after (os) or at least tell me what's the meanin of that part that repeats the result? or how can I ignore that part in my search?

I'm waiting for any kind of help,

Thanks in advance

Tags (4)


This is how I parse .gnmap files.

| eval ports=split(_raw,",")
| mvexpand ports
| Search ports!="*host*"
| rex field=_raw "Host:\s(?<dest_ip>\d+.\d+.\d+.\d+)\s+\((?<fqdn>.*)\)"
| rex field=ports "(?<port>\d+)\/+(?<status>\w+)\/+(?<proto>\w+)\/+(?<desc>\w+|\/)"
| rex field=_raw "OS:\s(?<os>\w+)"
| table dest_ip fqdn port status proto desc os

Path Finder

what does this line do ?
| foreach %* [eval <>=mvindex(<>,0)]


Extraneous, I will remove it.

0 Karma


Assuming that for each port mentioned in log we have "portid=", "state=" and "service name=" then this might work

your base search
| rex field=_raw "addr=\"(?< ip>[^\"]+)" max_match=10 
| rex field=_raw "portid=\"(?< port>[^\"]+)" max_match=10
| rex field=_raw "state=\"(?< state>[^\"]+)" max_match=10 
| rex field=_raw "service name=\"(?< service>[^\"]+)" max_match=10
| eval allFields= if(match(state, "open"), mvzip(port, service), "")
| table ip, allFields

Note: Due to formatting issue, each field **< ip>, < port>, < state>, < service_name> ** has a space between "<" and first letter of field name. Remove those spaces when runnign the query
Keep max_match according to your need

0 Karma


Check if this works (?i)portid=\"(?P.*?\d+)\W

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...