Why is the Splunk Add-on for Nessus indexing running Nessus scans, even after setting index_events_for_unsuccessful_scans to "0"?

gharrison90
Explorer

I'm having an issue where Splunk is indexing running Nessus scans despite having changed the index_events_for_unsuccessful_scans option to 0 in Splunk_TA_Nessus/local/nessus.conf. I've tried everything I can think of, but the issue persists.

I've restarted Splunk, deleted and recreated the input, restarted the machine it's running on, edited the default version of nessus.conf, and deleted and reinstalled the Add-On. Despite this, I'm still getting the incomplete scan data.

Has anyone else had this problem and been able to fix it? I'm using the brand new release of the add-on (which is otherwise great, by the way).

1 Solution

rwang_splunk
Splunk Employee

Hi gharrison

Can you please explain more about 'getting the incomplete scan data'? What does 'incomplete data' mean here? I think if you set index_events_for_unsuccessful_scans=0, the results of unsuccessful scans won't be fetched after your configuration change. If that is not the case, you can file a support ticket and we can investigate further.


gharrison90
Explorer

Sure thing. I did some more testing yesterday and it looks like setting index_events_for_unsuccessful_scans=0 does work for SOME types of incomplete scans, specifically aborted scans. However, the add-on still pulls running scans even when that option is set to 0. In the nessus.conf file, the comment for this option states it should not be pulling running scan data, which is why I think there may be an issue.


madc0w
New Member

I am experiencing the same issue as gharrison90 in the Splunk TA Nessus add-on 5.0.0.

Inside the Splunk_TA_nessus/bin/nessus_config.py file, it appears that there is no check or conversion of the configuration string value to the proper boolean value.

line 52: self.fields_scan = ("index_events_for_unsuccessful_scans")

This makes it look like it is storing the value as a string, which will always evaluate to true unless it is an empty string.

A similar issue appears in the Splunk_TA_nessus/bin/nessus_data_collector.py file as well, where there does not appear to be any check that converts the string value to a boolean true or false; it just looks like it is checking whether a value is set.

line 140: if self.config.get("index_events_for_unsuccessful_scans", True):

Anyone else able to verify this?


madc0w
New Member

Looks like the app needs to be patched to utilize the normaliser.Boolean() function or similar:

Similar to what is being used in the Splunk_TA_nessus/bin/ta_tenable_rh_sc_inputs.py function to normalize the "disabled" option for the inputs.conf file:

line:20 normalisers = {"disabled": normaliser.Boolean()}


rwang_splunk
Splunk Employee
Splunk Employee

Hi Madc0w

You are correct. I think it is a bug in our add-on. We'll fix the issue in the next release. You can apply the code below in nessus_data_collector.py for a quick fix.

line 12: import splunktalib.common.util as util

line 140: change if self.config.get("index_events_for_unsuccessful_scans", True): to
          if util.is_true(self.config.get("index_events_for_unsuccessful_scans", True)):
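
The bug madc0w describes above and the normalizer rwang's patch relies on, as an added example that is not part of this thread's posts and not code from the Splunk Add-on for Nessus. The `is_true` function is a local re-implementation written for this example (the real splunktalib.common.util.is_true may accept a different set of spellings), the sample config dicts and scan records are constructed, and the "completed"/"running"/"aborted" status values are an assumption about what the add-on sees from the Nessus API:

```python
"""Added example: why a .conf value of "0" still enables a feature, and the
boolean normalizer that fixes it. Not code from Splunk_TA_nessus."""

# Local stand-in for splunktalib.common.util.is_true (assumed spellings).
_TRUE_VALUES = frozenset({"1", "true", "t", "yes", "y"})
_FALSE_VALUES = frozenset({"0", "false", "f", "no", "n", ""})


def is_true(value):
    """Normalize a .conf string (or a Python bool/None) to a boolean.

    Unknown spellings raise, so a typo such as "ture" cannot silently flip
    a security-relevant setting one way or the other.
    """
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    text = str(value).strip().lower()
    if text in _TRUE_VALUES:
        return True
    if text in _FALSE_VALUES:
        return False
    raise ValueError("not a boolean conf value: %r" % (value,))


def should_index_buggy(config):
    """Mirrors the unpatched check: any non-empty string is truthy, so the
    string "0" read from nessus.conf is treated as 'enabled'."""
    return bool(config.get("index_events_for_unsuccessful_scans", True))


def should_index_fixed(config):
    """The patched check: normalize the string before testing it."""
    return is_true(config.get("index_events_for_unsuccessful_scans", True))


# Constructed configs, shaped like the dict the add-on builds from
# Splunk_TA_nessus/local/nessus.conf (values arrive as strings).
SAMPLE_CONFIGS = {
    "disabled_in_conf": {"index_events_for_unsuccessful_scans": "0"},
    "enabled_in_conf": {"index_events_for_unsuccessful_scans": "1"},
    "key_missing": {},
}

# Constructed scan records; the status strings are an assumption.
SAMPLE_SCANS = [
    {"id": 11, "name": "weekly-dmz", "status": "completed"},
    {"id": 12, "name": "adhoc-web", "status": "running"},
    {"id": 13, "name": "patch-check", "status": "aborted"},
]


def compare(configs=SAMPLE_CONFIGS):
    """Return {name: (buggy_result, fixed_result)} for each sample config."""
    return {name: (should_index_buggy(c), should_index_fixed(c))
            for name, c in configs.items()}


def scans_to_index(scans, config, check=should_index_fixed):
    """Return the scans that would be fetched under the given check.

    When unsuccessful scans are not wanted, only completed scans survive;
    running and aborted ones are dropped.
    """
    if check(config):
        return list(scans)
    return [s for s in scans if s["status"] == "completed"]


if __name__ == "__main__":
    for name, (buggy, fixed) in compare().items():
        print("%-18s buggy=%s fixed=%s" % (name, buggy, fixed))
    off = SAMPLE_CONFIGS["disabled_in_conf"]
    print("buggy fetches:", [s["id"] for s in scans_to_index(SAMPLE_SCANS, off, should_index_buggy)])
    print("fixed fetches:", [s["id"] for s in scans_to_index(SAMPLE_SCANS, off)])
```

With `index_events_for_unsuccessful_scans = 0` the unpatched check still fetches all three scans because `bool("0")` is `True`; the normalized check fetches only the completed one. Raising on unrecognized spellings is a deliberate choice for this example: a config typo in a filter that decides what reaches your index should fail loudly rather than default to one side.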

gharrison90
Explorer

Rwang, the fix you provided seems to work. Thanks for taking the time to reply with it. I'll mark this answer as accepted.
