I have HTML like this:
<pluginName>Microsoft Windows SMB Shares Unprivileged Access</pluginName>
I can get the Plugin name using REX like this:
rex "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)"
In the _raw event there is more than one PluginName per event, so I can use this command:
| rex max_match=100 "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)" |
My question is: how do I write this in the props.conf file? I tried this and it didn't work:
EXTRACT-Vunerability_Name = max_match=100 (?i)<PluginName>(?P<Vunerability_Name>[^<]+)
I cannot correctly post the sample:
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>51192</pluginID>
<pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName>
<data>Synopsis :\n\nThe SSL certificate for this service is signed by an unknown\ncertificate authority.\n\nDescription :\n\nThe X.509 certificate of the remote host is not signed by a known\npublic
certificate authority. If the remote host is a public host in\nproduction, this nullifies the use of SSL as anyone could establish a\nman in the middle attack against the remote host.\n\nSolution :\n
\nPurchase or generate a proper certificate for this service.\n\nRisk factor :\n\nMedium / CVSS Base Score : 6.4\n(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n\nPlugin output :\n*** ERROR: Unknown root
CA in the chain:\nCountry: US\nCommon Name: 192.168.125.253\n\n\n\nCertificate chain:\n|-Country: US\n|-Common Name: 192.168.125.253\n|\n\n\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>26928</pluginID>
<pluginName>SSL Weak Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of weak SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer either weak\nencryption or no encryption at
all.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSee also :\n\nhttp://www.openssl.org/docs/apps/ciphers.html\n\nSolution :\n\nReconfigure the
affected application if possible to avoid use of weak\nciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin output :\nHere is the list of weak
SSL ciphers supported by the remote server :\n\n Low Strength Ciphers (< 56-bit key)\n SSLv3\n EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1
export \n EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40)
Mac=MD5 export \n EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export \n TLSv1\n EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA
Enc=DES(40) Mac=SHA1 export \n EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-RC2-CBC-MD5 Kx=RSA(512)
ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n\n\nOther references :
CWE:327,CWE:326,CWE:753,CWE:803,CWE:720\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>42873</pluginID>
<pluginName>SSL Medium Strength Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of medium strength SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer medium\nstrength encryption,
which we currently regard as those with key \nlengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSolution :\n
\nReconfigure the affected application if possible to avoid use of\nmedium strength ciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin
output :\nHere is the list of medium strength SSL ciphers supported by the remote server :\n\n Medium Strength Ciphers (>= 56-bit and < 112-bit key)\n SSLv3\n EDH-RSA-DES-CBC-SHA
Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 \n DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 \n TLSv1\n EDH-RSA-DES-CBC-SHA
Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 \n DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 \n\nThe fields above are :\n\n {OpenSSL
ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n\n\n</data></ReportItem>
Using the max_match= I get all three, but not with the (?im), as you can see from the sample.
This does not show anything; can you not edit your answer and add the text in `` (backticks)?
Instead of using the max_match=100, can you try using "(?im)"...
So you could test your rex command using...
| rex max_match=100 "(?im)<PluginName>(?P<Vunerability_Name>[^<]+)" |
and your props should be...
EXTRACT-Vunerability_Name = (?im)<PluginName>(?P<Vunerability_Name>[^<]+)
I believe this will work.
If it answers your question can you mark the answer as accepted to help the community.
Regards,
MHibbin
The REX test worked but the EXTRACT did not.
When I took out the max_match=100 from the rex command I did not find all the matches in the events.
I will post a larger sample of the event data.
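The follow-up comment matches what the two commands actually do: `rex max_match=100` collects every match into a multivalue field, while a plain regex extraction returns only the first match, and the `m` flag does not change that (it only affects `^`/`$` anchoring, which this pattern does not use). The script below is an added example, not part of the thread and not Splunk code: it emulates both behaviours with Python's `re` module against a constructed, trimmed copy of the three ReportItem blocks posted above, using the thread's own pattern and field name.

```python
import re

# Constructed sample: a trimmed copy of the three <ReportItem> blocks from the
# thread, kept as one _raw event. The raw string keeps the literal "\n"
# sequences exactly as they appear in the exported data.
SAMPLE_EVENT = r"""<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>51192</pluginID>
<pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName>
<data>Synopsis :\n\nThe SSL certificate for this service is signed by an unknown\ncertificate authority.\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>26928</pluginID>
<pluginName>SSL Weak Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of weak SSL ciphers.\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>42873</pluginID>
<pluginName>SSL Medium Strength Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of medium strength SSL ciphers.\n</data></ReportItem>"""

# The pattern from the thread. (?i) is required because the tag in the data is
# <pluginName> while the pattern is written as <PluginName>.
PATTERN = r"(?i)<PluginName>(?P<Vunerability_Name>[^<]+)"
# Variant suggested in the answer: adding the m flag.
PATTERN_IM = r"(?im)<PluginName>(?P<Vunerability_Name>[^<]+)"
# Same pattern without the i flag, to show why case-insensitivity matters here.
PATTERN_CASE_SENSITIVE = r"<PluginName>(?P<Vunerability_Name>[^<]+)"

EXPECTED_NAMES = [
    "SSL Certificate signed with an unknown Certificate Authority",
    "SSL Weak Cipher Suites Supported",
    "SSL Medium Strength Cipher Suites Supported",
]


def extract_first(raw, pattern=PATTERN):
    """Emulate a single-match extraction: at most one value per event."""
    m = re.search(pattern, raw)
    return [] if m is None else [m.group("Vunerability_Name")]


def extract_all(raw, pattern=PATTERN, max_match=100):
    """Emulate `rex max_match=N`: collect up to N matches as a multivalue field."""
    values = []
    for m in re.finditer(pattern, raw):
        values.append(m.group("Vunerability_Name"))
        if len(values) >= max_match:
            break
    return values


if __name__ == "__main__":
    print("first match only :", extract_first(SAMPLE_EVENT))
    print("first, (?im)     :", extract_first(SAMPLE_EVENT, PATTERN_IM))
    print("all, max_match   :", extract_all(SAMPLE_EVENT))
    print("case-sensitive   :", extract_all(SAMPLE_EVENT, PATTERN_CASE_SENSITIVE))
```

Running it shows one value from the single-match paths (with or without the `m` flag), three from the `max_match` path, and none when `(?i)` is dropped. In Splunk, a props.conf `EXTRACT-` stanza takes only the regex, so `max_match=100` cannot be placed there; repeated matches become one multivalue field at search time through a `REPORT-` stanza in props.conf that points at a transforms.conf stanza with `MV_ADD = true`.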