All Apps and Add-ons

Asset Discovery app not returning OS signatures

mikeely
Path Finder

We're running the asset discovery app on a Linux indexer, and it returns data just fine for hosts, but for some reason nothing is showing up in the OS signatures field. I ran $SPLUNK_HOME/etc/apps/asset_discovery/bin/nmap.sh -A -O just as in the scripted input, and it returns just fine, greppable output and all. Takes fifteen minutes to run in a /24 network which is somewhat worrying and maybe the proximate cause of failure on the Splunk side. Thoughts?

Tags (1)
0 Karma

mikeely
Path Finder

Any thoughts?

0 Karma

mw
Splunk Employee
Splunk Employee
0 Karma

tmccool
New Member

Do we know which job contains the field extraction for this - eg - the file that needs to get fixed?

0 Karma

mw
Splunk Employee
Splunk Employee

If you look at the raw scan results in splunk and they contain proper OS signatures, then the field extraction isn't catching it. You can modify the extraction in that case. If the raw results don't contain signatures it's an issue with nmap itself.

0 Karma

mikeely
Path Finder

It has to be running as root: when I tried to run nmap.sh as splunk user the output was: "./nmap.sh: line 96: ifconfig: command not found" and I know it's working better than that. I should have mentioned having set the setuid bit on nmap but apparently that was not needed.

Here's an example output from running ./nmap.sh -A -O as root:

Host: 192.168.1.32 (hostname.example.com)   Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/, 515/open/tcp//printer//Microsoft lpd/, 1025/open/tcp//msrpc//Microsoft Windows RPC/, 3389/open/tcp//microsoft-rdp//Microsoft Terminal Service/, 8080/open/tcp//http-proxy?///   OS: Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server   Seq Index: 9999999  IPID Seq: Incremental

That's accurate to the given host. It looks like it's returning good data.

0 Karma

mw
Splunk Employee
Splunk Employee

What user is the scan running as?

What does the raw data look like? Is the OS string included? A single result should look something like this sample (notice the "OS: Linux ..." portion at the end).

Host: 192.168.1.2 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 443/open/tcp//ssl|http//Apache httpd/, 8089/open/tcp//ssl|http//Splunkd httpd/, 9001/open/tcp//vnc//VNC (protocol 3.8)/, 9002/open/tcp//vnc//VNC (protocol 3.8)/    Ignored State: closed (993) OS: Linux 2.6.17 - 2.6.31   Seq Index: 205  IP ID Seq: All zeros

Finally, nmap isn't always successful in matching a fingerprint to the OS. In those cases, please consult nmap.org: http://nmap.org/book/osdetect-unidentified.html#osdetect-contrib

Regarding the scan time, 15 minutes for a subnet sounds fairly reasonable to me. The scan time will really depend on the characteristics of the network itself -- how many hosts are online, for instance. Fortunately, with this app you can distribute scanners out to multiple subnets and scan many subnets in roughly that same amount of time.

0 Karma

blebit
Path Finder

hi MW,
i see that Asset Discovery on my Splunk is scanning only the host on the same subnet where splunk server is.
do i have to make any configuration?
Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...