Getting Data In

REX for HTML

hartfoml
Motivator

I have HTML like this:

<pluginName>Microsoft Windows SMB Shares Unprivileged Access</pluginName>

I can get the Plugin name using REX like this:

rex "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)"

In the _raw event there is more than one PluginName per event, so I can use this command:

| rex max_match=100 "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)" |

My question is: how do I write this in the props.conf file? I tried this and it didn't work:

EXTRACT-Vunerability_Name = max_match=100 (?i)<PluginName>(?P<Vunerability_Name>[^<]+)
0 Karma

hartfoml
Motivator

I cannot correctly post the sample.

<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>51192</pluginID>
<pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName>
<data>Synopsis :\n\nThe SSL certificate for this service is signed by an unknown\ncertificate authority.\n\nDescription :\n\nThe X.509 certificate of the remote host is not signed by a known\npublic 
certificate authority.  If the remote host is a public host in\nproduction, this nullifies the use of SSL as anyone could establish a\nman in the middle attack against the remote host.\n\nSolution :\n
\nPurchase or generate a proper certificate for this service.\n\nRisk factor :\n\nMedium / CVSS Base Score : 6.4\n(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n\nPlugin output :\n*** ERROR: Unknown root
CA in the chain:\nCountry: US\nCommon Name: 192.168.125.253\n\n\n\nCertificate chain:\n|-Country: US\n|-Common Name: 192.168.125.253\n|\n\n\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>26928</pluginID>
<pluginName>SSL Weak Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of weak SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer either weak\nencryption or no encryption at 
all.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSee also :\n\nhttp://www.openssl.org/docs/apps/ciphers.html\n\nSolution :\n\nReconfigure the 
affected application if possible to avoid use of weak\nciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin output :\nHere is the list of weak 
SSL ciphers supported by the remote server :\n\n  Low Strength Ciphers (&lt; 56-bit key)\n    SSLv3\n      EXP-EDH-RSA-DES-CBC-SHA    Kx=DH(512)    Au=RSA     Enc=DES(40)        Mac=SHA1   
export     \n      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)        Mac=SHA1   export     \n      EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)        
Mac=MD5    export     \n      EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)        Mac=MD5    export     \n    TLSv1\n      EXP-EDH-RSA-DES-CBC-SHA    Kx=DH(512)    Au=RSA 
Enc=DES(40)        Mac=SHA1   export     \n      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)        Mac=SHA1   export     \n      EXP-RC2-CBC-MD5            Kx=RSA(512)   
ciphername}\n  Kx={key exchange}\n  Au={authentication}\n  Enc={symmetric encryption method}\n  Mac={message authentication code}\n  {export flag}\n\n\nOther references : 
CWE:327,CWE:326,CWE:753,CWE:803,CWE:720\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>42873</pluginID>
<pluginName>SSL Medium Strength Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of medium strength SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer medium\nstrength encryption, 
which we currently regard as those with key \nlengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSolution :\n
\nReconfigure the affected application if possible to avoid use of\nmedium strength ciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin 
output :\nHere is the list of medium strength SSL ciphers supported by the remote server :\n\n  Medium Strength Ciphers (&gt;= 56-bit and &lt; 112-bit key)\n    SSLv3\n      EDH-RSA-DES-CBC-SHA        
Kx=DH         Au=RSA     Enc=DES(56)        Mac=SHA1   \n      DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)        Mac=SHA1   \n    TLSv1\n      EDH-RSA-DES-CBC-SHA        
Kx=DH         Au=RSA     Enc=DES(56)        Mac=SHA1   \n      DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)        Mac=SHA1   \n\nThe fields above are :\n\n  {OpenSSL 
ciphername}\n  Kx={key exchange}\n  Au={authentication}\n  Enc={symmetric encryption method}\n  Mac={message authentication code}\n  {export flag}\n\n\n</data></ReportItem>
0 Karma

hartfoml
Motivator

Using max_match= I get all three, but not with (?im).

0 Karma

hartfoml
Motivator

As you can see from the sample,

shows up three times in the same event

0 Karma

MHibbin
Influencer

This does not show anything; can you not edit your answer and add the text in `` (backticks)?

0 Karma

MHibbin
Influencer

Instead of using max_match=100, can you try using "(?im)"...

So you could test your rex command using...

| rex max_match=100 "(?im)<PluginName>(?P<Vunerability_Name>[^<]+)" |

and your props should be...

EXTRACT-Vunerability_Name = (?im)<PluginName>(?P<Vunerability_Name>[^<]+)

I believe this will work.

If it answers your question, can you mark the answer as accepted to help the community?

Regards,

MHibbin

0 Karma
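To make the difference between the two approaches in this thread concrete (the question's rex with max_match=100 versus the answer's (?im) flags), here is an added Python example that is not from the original post or from Splunk itself. It mimics what rex does with named capture groups and a max_match limit, and runs the thread's own regex over a constructed event built from the three ReportItem elements hartfoml posted. The function name rex and the max_match semantics (1 = first match only, Splunk's default; 0 = unlimited) are assumptions made to mirror the SPL command.

```python
import re

# Constructed sample event: the three <pluginName> elements from the report
# items posted in the thread, with the long <data> bodies shortened.
SAMPLE_EVENT = (
    "<ReportItem><pluginID>51192</pluginID>"
    "<pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName>"
    "<data>...</data></ReportItem>"
    "<ReportItem><pluginID>26928</pluginID>"
    "<pluginName>SSL Weak Cipher Suites Supported</pluginName>"
    "<data>...</data></ReportItem>"
    "<ReportItem><pluginID>42873</pluginID>"
    "<pluginName>SSL Medium Strength Cipher Suites Supported</pluginName>"
    "<data>...</data></ReportItem>"
)

# The thread's regex, unchanged: (?i) is what lets <PluginName> match the
# lower-case <pluginName> tag actually present in the Nessus output.
PLUGIN_NAME_RE = r"(?i)<PluginName>(?P<Vunerability_Name>[^<]+)"


def rex(event: str, pattern: str, max_match: int = 1) -> dict:
    """Mimic the rex command: return {field_name: [values...]} for named groups.

    max_match=1 keeps only the first match (the rex default), max_match=N keeps
    up to N, and max_match=0 means unlimited. Inline flags such as (?i) or (?im)
    change how each match is made, never how many matches are collected.
    """
    compiled = re.compile(pattern)
    fields = {}
    for count, match in enumerate(compiled.finditer(event)):
        if max_match and count >= max_match:
            break
        for name, value in match.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
    return fields


def names_found(pattern: str, max_match: int = 1) -> list:
    """Convenience wrapper: the Vunerability_Name values the pattern yields."""
    return rex(SAMPLE_EVENT, pattern, max_match).get("Vunerability_Name", [])


if __name__ == "__main__":
    # Default rex: first plugin name only.
    print(names_found(PLUGIN_NAME_RE))
    # max_match=100: all three plugin names, as the question reports.
    print(names_found(PLUGIN_NAME_RE, max_match=100))
    # (?im) alone: the multiline flag does not add matches, still one value.
    print(names_found(r"(?im)<PluginName>(?P<Vunerability_Name>[^<]+)"))
    # Without (?i) the mixed-case tag name never matches at all.
    print(names_found(r"<PluginName>(?P<Vunerability_Name>[^<]+)"))
```

Running it shows one value by default, three with max_match=100, still one with (?im), and none without the (?i) flag. The same limitation applies to props.conf: EXTRACT- has no max_match argument and keeps the first match. In Splunk the search-time way to collect every match as a multivalue field is a transforms.conf stanza referenced by REPORT- in props.conf, with REGEX set to the same pattern and MV_ADD = true so each additional match is appended rather than discarded.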

hartfoml
Motivator

The REX test worked but the EXTRACT did not.

When I took max_match=100 out of the rex command, I did not find all the matches in the events.

I will post a larger sample of the event data.

0 Karma