Is there a way I can run Splunk against search results?
For example in pseudo-code: destination_url=bad_site.com | nmap -A source_ip
The assumption would be that there would only be a few IPs.
All the searches on Answers have returned several apps such as Asset Discovery and Simple NMAP, but nothing so far about sending IPs found into NMAP.
Should I wrap NMAP into a python or shell script and do it that way?
Thanks.
Consider creating a custom command to run nmap against a provided IP address. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutcustomsearchcommands.
OK, I created a custom command, but it's not configured correctly. It won't pass the search result to the script.
Here is my script (/etc/apps/search/bin/scanip.py):
import subprocess, sys

# Whatever follows the command name in the search bar arrives as a literal token in
# sys.argv, so sys.argv[1] here is the text typed after "scanip", not a field value.
# nmap is invoked with an argument list (no shell) so that token is never parsed as a command.
p = subprocess.Popen(["nmap", "-A", sys.argv[1]], stderr=subprocess.PIPE)
while True:
    out = p.stderr.read(1)              # stream nmap's stderr one byte at a time
    if out == '' and p.poll() is not None:
        break                           # nothing left to read and nmap has exited
    if out != '':
        sys.stdout.write(out)           # relay it to Splunk, which captures the command's stdout
        sys.stdout.flush()
Here is my search:
sourcetype=WinDNS | table source_address | head 1 | scanip source_address
Here is the output from the search:
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-20 20:07 EST
Failed to resolve "source_address".
WARNING:Nmap done: 0 IP addresses (0 hosts up) scanned in 0.29 seconds
No targets were specified
Yet, if I run the following search:
| scanip 10.10.10.10
I get the expected nmap results.
So how do I get Splunk to pass the value of source_address or whatever field instead of the string?
It seems to have something to do with http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts
but I can't get the syntax right.
Thanks for any suggestions or links with better examples.
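The thread never names the cause of the "source_address" literal: a legacy custom search command receives the search results themselves as CSV on its stdin, while anything typed after the command name is handed over verbatim in sys.argv. The token is fine for naming the field, but the values have to be read from stdin. The following is an added example of a command written that way; it is not code from this thread or from Splunk. It assumes the commands.conf stanza for the command sets enableheader = false (so stdin is plain CSV with no key:value preamble), a Python 3 interpreter, and a hypothetical output field name scan_output. Only values that parse as IP addresses are passed on, and the scanner is started with an argument list rather than a shell string, so a field value lifted from a log line cannot be interpreted by a shell.

```python
import csv
import io
import ipaddress
import subprocess
import sys

# Name of the field appended to every result row (hypothetical; our choice, not Splunk's).
OUTPUT_FIELD = "scan_output"


def parse_results(text):
    """Parse what Splunk writes to the command's stdin: a CSV header row, then one row per result.
    Assumes 'enableheader = false' in commands.conf, so no key:value preamble precedes the CSV."""
    return list(csv.DictReader(io.StringIO(text)))


def as_ip(value):
    """Return the normalised string form of `value` if it is an IPv4/IPv6 address, else None."""
    try:
        return str(ipaddress.ip_address((value or "").strip()))
    except ValueError:
        return None


def collect_targets(rows, field):
    """Distinct IP addresses found in `field`, in first-seen order.
    Hostnames, empty cells and anything else that is not an address are dropped, so
    only validated addresses ever reach the scanner's argument list."""
    targets = []
    for row in rows:
        ip = as_ip(row.get(field))
        if ip is not None and ip not in targets:
            targets.append(ip)
    return targets


def run_scanner(target, argv_prefix=("nmap", "-A")):
    """Run the scanner with an argument list (no shell=True, no string concatenation).
    stdout and stderr are captured together so messages such as 'Failed to resolve'
    end up in the same field as the regular report."""
    proc = subprocess.run(list(argv_prefix) + [target],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)
    return proc.stdout


def enrich(rows, field, scan=run_scanner):
    """Scan each distinct target once and attach its output to every row carrying that IP.
    Rows whose value is not an address get an empty OUTPUT_FIELD instead of being dropped."""
    outputs = {ip: scan(ip) for ip in collect_targets(rows, field)}
    for row in rows:
        row[OUTPUT_FIELD] = outputs.get(as_ip(row.get(field)), "")
    return rows


def render_results(rows):
    """Serialise the rows back to CSV; Splunk reads the command's stdout as the new result set."""
    fieldnames = list(rows[0].keys()) if rows else [OUTPUT_FIELD]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample of the stdin Splunk would hand the command for
# '... | table source_address | head 3 | scanip source_address' (not real log data).
SAMPLE_INPUT = "source_address\n10.10.10.10\n10.10.10.10\nbad_site.com\n"


def main():
    # The text after the command name is literal, so it is used only to pick the field NAME.
    field = sys.argv[1] if len(sys.argv) > 1 else "source_address"
    rows = enrich(parse_results(sys.stdin.read()), field)
    sys.stdout.write(render_results(rows))


if __name__ == "__main__":
    main()
```

With this layout the search in the thread, `sourcetype=WinDNS | table source_address | head 1 | scanip source_address`, hands the script one CSV row on stdin and the word `source_address` in argv, and the script scans the row's value rather than the word. Deduplicating targets before scanning also keeps a `head 100` with repeated addresses from launching one scan per row.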
After looking at this and asking around some other sources, it seems the best way to do this is to export the list of IPs to a CSV, call a script to run nmap against that CSV, which either exports to an XML that is then re-imported back into Splunk, or sends the nmap output to ANOTHER script which puts the output into a CSV that can then be used as a lookup table.
So for now, this effort is going on the back burner.
Thanks to @richgalloway for the suggestions provided.
Try
... | scanip $source_address$
sourcetype=WinDNS | table source_address | head 1 | scanip $source_address$
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:54 EST
Failed to resolve "$".
WNmap done: 0 IP addresses (0 hosts up) scanned in 0.72 seconds
ARNING: No targets were specified
sourcetype=WinDNS | table source_address | head 1 | scanip $$source_address$$
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:55 EST
Failed to resolve "45981source_address45981".
WARNmap done: 0 IP addresses (0 hosts up) scanned in 0.30 seconds
NING: No targets were specified
sourcetype=WinDNS | table source_address | head 1 | scanip \$source_address\$
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:56 EST
Failed to resolve "$source_address$".
WARNNmap done: 0 IP addresses (0 hosts up) scanned in 0.46 seconds
ING: No targets were specified
One last guess:
... | scanip 'source_address'
Note the single quotes.
Nope
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:46 EST
Failed to resolve "source_address".
WANmap done: 0 IP addresses (0 hosts up) scanned in 0.45 seconds
RNING: No targets were specified
It shows double quotes in the response whether or not I put single or double quotes in the search bar.
XtremeNmapParser FTW to convert the XML to JSON and then used HEC to send it all to Splunk!
https://github.com/xtormin/XtremeNmapParser/issues/1