All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Addon for Tenable/ Nessus Pro 8

ghostdog920
Path Finder
‎02-22-2019 04:50 AM

I am trying to setup the splunk addon for tenable to pull scan reports from our nessus pro box. I have setup the addon on a heavy forwarder with the information needed but i never see anything come over. My fear in researching is that this functionality doesn't work as smoothly based on issues i have seen others have. I wondered if anyone has successfully gotten this working and how? My settings are: (please note that my heavy forwarder performs no indexing functionality, so the "nessus" index is only created on my actual indexer. Hoping this isn't the problem.)

Metrics
Nessus Host Scans
Nessus Server URL
https://nessuspro:8834
Start Date
1999/01/01
Batch Size
100000
Interval
43200
Index
nessus
Status
Enabled

0 Karma
Reply

centrafraserk
Path Finder
‎03-21-2019 08:12 AM

As far as I know this is related to the change of API format that was introduced in Nessus 8. I do not believe this addon currently works for the new API structure, but it certainly should be able to. I have seen some projects on github that are able to pull from Nessus 8.x so my plan was to try to edit this Splunk app with similar logic.

Some additional API information from the Tenable community boards:

Scan exports are still fully supported in 8.1.0. This functionality may have changed in how it needs to be queried, so it is very important to read the API documentation for your existing version for 3rd party integrations.

The XML format you're referring to we call the 'nessus' format, but it does follow the xml format as well, that is just how it is labelled in our system.

In order to properly gather a scan result as a XML, you will first need to trigger the export by sending an authenticated (using the api keys) post request to:

Https://x.x.x.x:8834/scans/{scan_id}/export

The body of this request should contain json formatted data such as this:

{ "format": "nessus" }

In response you will get JSON formatted data such as:

{ "token": , "file": }

taking that file_id, you would then be able to gather the export with the following GET request:

https://x.x.x.x/scans/{scan_id}/export/{file_id}/download

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...