Okay that was a headache, but satisfying nonetheless - in hindsight (as it always is), it was actually much more straightforward than the numerous avenues I looked into.
I was able to extract all services, ports, daemons and banners using the following setup below.
In addition, I found it useful to separate out subdomains also. Unfortunately the regexes will not work for all domains/subdomains, but YMMV.
/path/to/greppable/nmap/output.gnmap
inputs.conf
[monitor:///path/to/greppable/nmap/*.gnmap]
index = nmap
sourcetype = nmap
queue = parsingQueue
disabled = 0
props.conf
[nmap]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-nmap = NMAPsetnull,NMAPsetparsing
EXTRACT-ip = (?i)Host: (?P<ip>[^ ]+)
EXTRACT-hostname = (?i)^[^\(]*\((?P<hostname>[^\)]+)
EXTRACT-subdomain = (?i)\(.*?\.(?P<subdomain>\w+\.\w+\.\w+\.\w+)(?=\))
EXTRACT-domain = (?i)\..*?\.(?P<domain>\w+\.\w+\.\w+)(?=\))
REPORT-ports = ports
transforms.conf
[NMAPsetnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[NMAPsetparsing]
REGEX = Ports:
DEST_KEY = queue
FORMAT = indexQueue
[ports]
REGEX = \s(?<port>\d+)/(?<state>[^/]+)/(?<proto>[^/]+)//(?<daemon>[^/]*)//(?<banner>[^/]*)/
DEFAULT_VALUE = null
MV_ADD = TRUE
One specific note regarding greppable NMAP output that you should take care with. A very small number of services discovered by NMAP and dumped into greppable NMAP output are formatted incorrectly. e.g.:
2049/open/tcp//nfs (nfs V2-4)/(nfs:100003*2-4)/2-4 (rpc #100003)/
111/open/tcp//rpcbind/N//
It's enough to skew your results.
The backslashes are in the incorrect spot when compared with all the other NMAP discovered services.
The format should be:
2049/open/tcp//nfs (nfs V2-4)//(nfs:100003*2-4)/2-4 (rpc #100003)/
111/open/tcp//rpcbind//N/
If your network does have services that are formatted by NMAP like this, you may wish to run a find/replace over your gnmap files something like follows:
sed -i 's"2049/open/tcp//nfs "2049/open/tcp//nfs//"g' *.gnmap
sed -i 's"111/open/tcp//rpcbind/N//"111/open/tcp//rpcbind//N/"g' *.gnmap
sed -i 's"111/open/tcp//rpcbind\s"111/open/tcp//rpcbind//"g' *.gnmap
Which corrects the three anomalous services I discovered on the networks I look at. You may find more (drop a note here!) or you may need to adjust those regexes for sed to parse them properly.
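As an added check that is not part of the original post (my own script, not from the thread or from Splunk), the Python below parses a constructed gnmap sample into the seven slash-separated fields nmap writes per port entry (port/state/protocol/owner/service/rpcinfo/version), runs the post's REPORT-ports regex over the same lines, and lists every entry the regex would leave unextracted. That gives you the "you may find more" list for your own .gnmap files before they hit the index. The sample lines, IPs, hostnames and function names are all made up for the example.

```python
import re

# Constructed sample of greppable Nmap (-oG) output; not real scan data.
# The two rpc entries mirror the shapes called out in the post above.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.5 (web01.corp.example.com)\tStatus: Up
Host: 10.0.0.5 (web01.corp.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 10.0.0.9 (nfs01.corp.example.com)\tPorts: 111/open/tcp//rpcbind/N//, 2049/open/tcp//nfs (nfs V2-4)/(nfs:100003*2-4)/2-4 (rpc #100003)/\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

# The post's Splunk extractions, translated to Python named-group syntax.
IP_RE = re.compile(r"(?i)Host: (?P<ip>[^ ]+)")
SPLUNK_PORTS_RE = re.compile(
    r"\s(?P<port>\d+)/(?P<state>[^/]+)/(?P<proto>[^/]+)//(?P<daemon>[^/]*)//(?P<banner>[^/]*)/"
)

# Each -oG port entry carries these seven fields, slash-separated, with a
# trailing slash. The post's regex assumes the rpcinfo field is always empty.
GNMAP_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def split_port_entries(line):
    """Return the raw entries of a line's tab-separated 'Ports:' field ([] if none)."""
    for field in line.rstrip("\n").split("\t"):
        if field.startswith("Ports: "):
            return [e.strip() for e in field[len("Ports: "):].split(", ") if e.strip()]
    return []


def parse_entry(entry):
    """Split one port entry into its seven gnmap fields; None if the count is off."""
    body = entry[:-1] if entry.endswith("/") else entry  # drop exactly one trailing slash
    parts = body.split("/")
    if len(parts) != len(GNMAP_FIELDS):
        return None
    return dict(zip(GNMAP_FIELDS, parts))


def splunk_extracted(line):
    """Entries the post's REPORT-ports regex would pull out of this line."""
    return [m.groupdict() for m in SPLUNK_PORTS_RE.finditer(line)]


def find_unextracted_entries(gnmap_text):
    """(ip, raw entry) pairs that a full parse sees but the post's regex misses."""
    missed = []
    for line in gnmap_text.splitlines():
        if "Ports:" not in line:
            continue  # comments, Status-only lines
        ip = IP_RE.search(line).group("ip")
        seen_ports = {m["port"] for m in splunk_extracted(line)}
        for entry in split_port_entries(line):
            parsed = parse_entry(entry)
            if parsed is None or parsed["port"] not in seen_ports:
                missed.append((ip, entry))
    return missed


if __name__ == "__main__":
    for ip, entry in find_unextracted_entries(SAMPLE_GNMAP):
        print(f"{ip}: not extracted by REPORT-ports regex -> {entry}")
```

Point it at a real file with `find_unextracted_entries(open("scan.gnmap").read())`; anything it prints is an entry you would want to add a sed rule for (or widen the regex for) before indexing.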