Splunk Search

Problem pulling multiple values from field-extraction within a subsearch

jonathangrant74
Explorer

Good day. I am trying to use a subsearch to extract SSL certificate Subject Alternative Names (SAN) from Nessus scan data and I'm running into the issue with subsearches only returning 1 value in a multi-value field. If I run the search as the primary search, it returns all of the applicable values; however, when run as a subsearch, it only returns 1 value. I understand that by default the subsearch will only return the first value, but I'm trying to find a way to get all of the values over to the main search.

I've searched around and have seen some articles asking a very similar question and I've not been able to use any of the proposed solutions successfully. I tried using "format" in my subsearch, but when I use that, I get zero results returned to the main search. I've also seen solutions that suggest edits to the props.conf file, but I have not tried that yet.

I think this is a common thing and it may not be possible to do what I'm trying to do, but I wanted to reach out to the community to see if anyone has any suggestions that I can try before I give up on this one. Thank you in advance for your time reading this and any input you might have.

Below is a sample snippet from the Nessus log data containing the SANs as well as the subsearch and regex I'm using for the SAN (certSAN) field extraction.

Sample Extract from Raw Data:
\nKey Usage: Digital Signature, Key Encipherment, Sata Encipherment\n\nExtension: Subject Alternative Name (2.5.29.17)\nCritical: 0\DNS: sample1.test.com\nDNS: sample2.test.com\nDNS: sample3.test.com\n

Search String:
main search |join ip [search index=tenablesc pluginText="Subject Alternative Name" |rex field=pluginText "DNS: (?<certSAN>[^\n]+)" |fields +ip, certSAN]


jonathangrant74
Explorer

WooHoo! I was able to get this working and I am now pulling all of the SAN values for applicable SSL certificates. Technically the multiple SAN values are 1 value as they are all on the same line, but I think I can correct this in the final report; but that is just vanity. As long as I can pull all of the SANs from the cert, I'm happy.

I appended 'max_match=0' to the rex string; 0 being indefinite matches. Here is what the working search string looks like:

main search |join ip [index=tenablesc pluginText="Subject Alternative Name"|rex max_match=0 field=data "DNS: (?<certSAN>[^\\n]+)"|fields ip certSAN]|makemv certSAN delim="\nDNS: "|replace *\n with * in certSAN

I hope this is helpful to someone at some point having a similar issue.



sander980
Explorer

Hi, I had a similar requirement today and this post put me on the right path. I also wanted to get the individual DNS names out. For this I used mvindex, which seems to work well without a subsearch.
Sharing in case it helps you with that report!

main search
| rex field=pluginText max_match=0 "DNS: (?<SAN>[^\n\s]+)"
| eval Subject_AN=mvindex(SAN,0,-1)

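The following search is an added illustration, not code from any post in this thread, that reproduces on a single constructed event what the accepted answer and sander980's reply both rely on: without max_match, rex keeps only the first "DNS:" entry; with max_match=0 it keeps every entry as a multivalue field, and mvexpand then yields one SAN per row. The ip value and the plugin text are constructed; the field names pluginText and certSAN are the ones used in the thread, and first_san and san_count are names chosen here. The newline is built with urldecode("%0A") so the whole search stays on one line per command.

```spl
| makeresults
| eval ip="10.0.0.5", nl=urldecode("%0A")
| eval pluginText="Key Usage: Digital Signature, Key Encipherment, Data Encipherment".nl.nl."Extension: Subject Alternative Name (2.5.29.17)".nl."Critical: 0".nl."DNS: sample1.test.com".nl."DNS: sample2.test.com".nl."DNS: sample3.test.com".nl
| rex field=pluginText "DNS: (?<first_san>[^\n\s]+)"
| rex field=pluginText max_match=0 "DNS: (?<certSAN>[^\n\s]+)"
| eval san_count=mvcount(certSAN)
| mvexpand certSAN
| table ip first_san san_count certSAN
```

The result is three rows for the one host: first_san is sample1.test.com and san_count is 3 on every row, while certSAN carries one of the three names per row. On real events, the two rex lines go directly after index=tenablesc pluginText="Subject Alternative Name" in place of the makeresults and eval lines; and if the SAN list has to be matched up with the main search by ip, putting both searches into one base search and ending with stats values(certSAN) as certSAN by ip keeps every name per host without depending on a subsearch, which is subject to the default subsearch result and time limits.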


cmerriman
Super Champion

try something like this:

main search |join ip [index=tenablesc pluginText="Subject Alternative Name"|rex field=data "DNS: (?<certSAN>[^\\n]+)"|fields ip certSAN]|makemv certSAN delim="\nDNS: "|replace *\n with * in certSAN

Assuming the DNS extraction is for the certSAN field. Your regex needed a field name called out, and then I made it an mv field after the subsearch.


jonathangrant74
Explorer

Thank you for the input. I tried running the additional commands you suggested and the search errored out with this message:

Error in 'makemv' command: Option 'certSANdelim=\nDNS: ' is invalid.

On a separate note, I noticed that I accidentally neglected to include the 'search' command prior to "index=..." in my subsearch from my initial post. I have it properly defined in my actual Splunk search btw 😉


jonathangrant74
Explorer

Sorry for the delay in my response!! I was given a few priority projects that I had to knock out before I was able to spend time on this again.

Anyhoo, I added the suggested makemv string to my search and it is still only pulling one of the SAN names; however, when I manually check the test-target, the Nessus log within Splunk contains 5 SAN names, so I know there is still more there.

Back to the drawing board 🙂


cmerriman
Super Champion

My mistake. I had a typo. There needs to be a space between certSAN and delim. I have fixed it in my original post.
