Good day. I am trying to use a subsearch to extract SSL certificate Subject Alternative Names (SAN) from Nessus scan data and I'm running into the issue with subsearches only returning 1 value in a multi-value field. If I run the search as the primary search, it returns all of the applicable values; however, when run as a subsearch, it only returns 1 value. I understand that by default the subsearch will only return the first value, but I'm trying to find a way to get all of the values over to the main search.
I've searched around and have seen some articles asking a very similar question and I've not been able to use any of the proposed solutions successfully. I tried using "format" in my subsearch, but when I use that, I get zero results returned to the main search. I've also seen solutions that suggest edits to the props.conf file, but I have not tried that yet.
I think this is a common thing and it may not be possible to do what I'm trying to do, but I wanted to reach out to the community to see if anyone has any suggestions that I can try before I give up on this one. Thank you in advance for your time reading this and any input you might have.
Below is a sample snippet from the Nessus log data containing the SANs as well as the subsearch and regex I'm using for the SAN (certSAN) field extraction.
Sample Extract from Raw Data:
\nKey Usage: Digital Signature, Key Encipherment, Sata Encipherment\n\nExtension: Subject Alternative Name (2.5.29.17)\nCritical: 0\DNS: sample1.test.com\nDNS: sample2.test.com\nDNS: sample3.test.com\n
Search String:
main search |join ip [search index=tenablesc pluginText="Subject Alternative Name" |rex field=pluginText "DNS: (?<certSAN>[^\n]+)" |fields +ip, certSAN]
WooHoo! I was able to get this working and I am now pulling all of the SAN values for applicable SSL certificates. Technically the multiple SAN values are 1 value as they are all on the same line, but I think I can correct this in the final report; but that is just vanity. As long as I can pull all of the SANS from the cert, I'm happy.
I appended 'max_match=0' to the rex string; 0 being indefinite matches. Here is what the working search string looks like:
main search |join ip [index=tenablesc pluginText="Subject Alternative Name"|rex max_match=0 field=data "DNS: (?<certSAN>[^\\n]+)"|fields ip certSAN]|makemv certSAN delim="\nDNS: "|replace *\n with * in certSAN
I hope this is helpful to someone at some point having a similar issue.
Hi, I had a similar requirement today and this post put me on the right path. I also wanted to get the individual DNS names out. For this I used mvindex, which seems to work well without a subsearch.
Sharing in case it helps you with that report!
main search
| rex field=pluginText max_match=0 "DNS: (?<SAN>[^\n\s]+)"
| eval Subject_AN=mvindex(SAN,0,-1)
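For anyone who wants to check the extraction logic outside Splunk, here is a small Python version of what the two working searches above do. It is an added illustration, not code from this thread, from Splunk or from Tenable. The pluginText sample is constructed to mirror the snippet quoted in the original post (the line breaks are the literal two characters backslash and n, not real newlines, which is why the first rex captured every SAN as one long value), and the IP addresses are made up. The extraction also normalises real newlines, so it works on either form of the data:

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Nessus pluginText quoted in the thread.
# The "line breaks" are the two characters backslash + 'n', not real newlines,
# so the whole plugin output sits on one line of the event.
SAMPLE_PLUGIN_TEXT = (
    r"\nKey Usage: Digital Signature, Key Encipherment, Data Encipherment\n\n"
    r"Extension: Subject Alternative Name (2.5.29.17)\nCritical: 0\n"
    r"DNS: sample1.test.com\nDNS: sample2.test.com\nDNS: sample3.test.com\n"
)

# Constructed events standing in for index=tenablesc results; IPs are hypothetical.
SAMPLE_EVENTS = [
    {"ip": "10.0.0.1", "pluginText": SAMPLE_PLUGIN_TEXT},
    {"ip": "10.0.0.2",
     "pluginText": r"\nExtension: Subject Alternative Name (2.5.29.17)\nDNS: www.example.net\n"},
    {"ip": "10.0.0.3", "pluginText": r"\nKey Usage: Digital Signature\n"},  # no SAN extension
]


def first_match_only(plugin_text):
    """Equivalent of the original rex (no max_match=0, class excluding a real
    newline). The field contains no real newline, so the single capture runs
    from the first 'DNS: ' to the end of the field: all SANs in one value."""
    m = re.search(r"DNS: ([^\n]+)", plugin_text)
    return m.group(1) if m else None


def split_like_makemv(value):
    """What the thread's makemv/replace pair does: split the one long capture
    on the literal backslash-n-'DNS: ' delimiter and drop the trailing
    literal backslash-n from the last value."""
    parts = value.split(r"\nDNS: ")
    return [p[:-2] if p.endswith(r"\n") else p for p in parts]


def extract_sans(plugin_text):
    """Equivalent of rex max_match=0: every 'DNS: <name>' entry becomes one
    value. Literal escape sequences are turned into real newlines first, so
    this also works if a source emits genuine line breaks."""
    normalised = plugin_text.replace(r"\n", "\n")
    return re.findall(r"^DNS: (\S+)$", normalised, flags=re.MULTILINE)


def sans_by_ip(events):
    """Group every SAN value per ip: the multivalue result the join is meant
    to carry into the main search instead of just the first match."""
    result = defaultdict(list)
    for ev in events:
        result[ev["ip"]].extend(extract_sans(ev["pluginText"]))
    return dict(result)


if __name__ == "__main__":
    print("first match only:", first_match_only(SAMPLE_PLUGIN_TEXT))
    print("after makemv-style split:", split_like_makemv(first_match_only(SAMPLE_PLUGIN_TEXT)))
    print("all SANs per ip:", sans_by_ip(SAMPLE_EVENTS))
```

Running it shows the same progression as the thread: `first_match_only` returns the three names glued together with the literal `\nDNS: ` separators, `split_like_makemv` turns that into three clean values, and `extract_sans` gets there directly, which is the max_match=0 approach.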
try something like this: main search |join ip [index=tenablesc pluginText="Subject Alternative Name"|rex field=data "DNS: (?<certSAN>[^\\n]+)"|fields ip certSAN]|makemv certSAN delim="\nDNS: "|replace *\n with * in certSAN
assuming the dns extraction is for the certsan field. your regex needed a field name called out and then i made it an mv field after the subsearch.
Thank you for the input. I tried running the additional commands you suggested and the search errored out with this message:
Error in 'makemv' command: Option 'certSANdelim=\nDNS: ' is invalid.
On a separate note, I noticed that I accidentally neglected to include the 'search' command prior to "index=..." in my subsearch from my initial post. I have it properly defined in my actual Splunk search btw 😉
Sorry for the delay in my response!! I was given a few priority projects that I had to knock out before I was able to spend time on this again.
Anyhoo, I added the suggested makemv string to my search and it is still only pulling one of the SAN names; however, when I manually check the test-target, the Nessus log within Splunk contains 5 SAN names, so I know there is still more there.
Back to the drawing board 🙂
My mistake. I had a typo. There needs to be a space between certSAN and delim. I have fixed it in my original post.