Splunk Dev

How do I run NMAP on search results?

reswob4
Builder

Is there a way I can run Splunk against search results?

For example in pseudo-code: destination_url=bad_site.com | nmap -A source_ip

The assumption would be that there would only be a few IPs.

All the searches on Answers have returned several apps such as Asset Discovery and Simple NMAP, but nothing so far about sending IPs found into NMAP.

Should I wrap NMAP into a python or shell script and do it that way?

Thanks.

0 Karma

richgalloway
SplunkTrust

Consider creating custom command to run nmap against a provided IP address. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutcustomsearchcommands.

---
If this reply helps you, Karma would be appreciated.
0 Karma

reswob4
Builder

OK, I created a custom command, but I'm not configured correctly. It won't pass the search result to the script.

Here is my script (/etc/apps/search/bin/scanip.py):

import subprocess
import sys

# Pass the target as its own argv element instead of interpolating it into a
# shell string, so whatever arrives in argv[1] can never be parsed as extra shell commands.
argv = ["nmap", "-A", sys.argv[1]]

# Capture stdout and stderr through one pipe. Leaving stdout unpiped while
# draining stderr a byte at a time is what interleaves the two streams in the output.
p = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
while True:
    out = p.stdout.read(1)
    if not out and p.poll() is not None:
        break
    if out:
        sys.stdout.write(out.decode("utf-8", "replace"))
        sys.stdout.flush()

Here is my search:

sourcetype=WinDNS | table source_address | head 1 | scanip source_address

Here is the output from the search:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-20 20:07 EST
Failed to resolve "source_address".
WARNING: No targets were specified
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.29 seconds

Yet, if I run the following search:

| scanip 10.10.10.10

I get the expected nmap results.

So how do I get Splunk to pass the value of source_address (or whatever field) instead of the literal string?

It seems to have something to do with http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts

but I can't get the syntax right.

Thanks for any suggestions or links with better examples.

0 Karma
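The symptom above (nmap receives the literal text "source_address") is what a legacy custom search command does by design: its arguments are passed to the script as plain strings, and the search results themselves arrive on stdin as CSV, with the script writing CSV back on stdout. The following is an added example for this thread, not the poster's script or Splunk's own code. It keeps the original search exactly as written (`... | table source_address | head 1 | scanip source_address`), reads the field value from the stdin CSV, validates it as an IP literal before it can reach nmap, runs nmap without a shell, and turns the grepable (`-oG -`) output into rows Splunk can table. Assumptions: Python 3.7+ (Splunk 8 and later ship Python 3), nmap on the Splunk user's PATH, and `enableheader = false` in commands.conf so that stdin is plain CSV with no settings header; the field name `source_address` and the sample nmap output are constructed for the self-test.

```python
"""scanip.py: legacy Splunk custom search command that runs nmap on the IPs in a field.

Added example for this thread, not the poster's script or Splunk's code.
Assumed: nmap on PATH, Python 3.7+, commands.conf has enableheader = false,
and the field to scan is passed as the command's first argument.
"""
import csv
import ipaddress
import subprocess
import sys

# Constructed sample of nmap -oG output, trimmed to what parse_grepable() uses.
SAMPLE_GREPABLE = (
    "# Nmap 7.31 scan initiated Mon Nov 21 07:54:00 2016 as: nmap -A -oG - 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.10.3/, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Nov 21 07:54:09 2016 -- 1 IP address (1 host up) scanned in 9.12 seconds\n"
)


def extract_targets(rows, field):
    """Unique, syntactically valid IP addresses taken from one field of the results.

    Anything that is not an IP literal (a field name passed by mistake, a hostname,
    shell metacharacters) is dropped, so nothing reaches nmap unvalidated.
    """
    targets = []
    for row in rows:
        raw = (row.get(field) or "").strip()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue
        if ip not in targets:
            targets.append(ip)
    return targets


def build_nmap_argv(ip):
    """argv list, never a shell string: the target is one argument and no shell parses it."""
    return ["nmap", "-A", "-oG", "-", ip]


def parse_grepable(text):
    """One dict per (host, port) from nmap -oG output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # the "Status: Up" line carries no ports
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            # entry layout: port/state/protocol/owner/service/rpc info/version/
            parts = entry.rstrip("/").split("/", 6)
            if len(parts) < 5:
                continue
            findings.append({
                "dest": host, "dest_port": parts[0], "state": parts[1],
                "transport": parts[2], "service": parts[4],
                "version": parts[6] if len(parts) > 6 else "",
            })
    return findings


def scan(ip, timeout=600):
    """Run nmap on one validated IP and return parsed findings (a timeout raises)."""
    proc = subprocess.run(build_nmap_argv(ip), capture_output=True, text=True, timeout=timeout)
    return parse_grepable(proc.stdout)


def main():
    field = sys.argv[1] if len(sys.argv) > 1 else "source_address"
    rows = list(csv.DictReader(sys.stdin))          # Splunk hands us the results here
    out = csv.DictWriter(sys.stdout, fieldnames=["dest", "dest_port", "state", "transport", "service", "version"])
    out.writeheader()                               # ... and reads our results back from here
    for ip in extract_targets(rows, field):
        for finding in scan(ip):
            out.writerow(finding)


if __name__ == "__main__":
    main()
```

Because the target list comes from indexed data, the IP check in extract_targets is the control that matters: with `shell=True` and a field value such as `10.10.10.10; id` the original script would have executed `id` as the Splunk user. A `| head` or `| dedup` before the command still makes sense to bound how many hosts a single search will scan.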

reswob4
Builder

After looking at this and asking around some other sources, it seems the best way to do this is to export the list of IPs to a CSV, call a script to run nmap against that CSV, and then either export to an XML file which is re-imported back into Splunk, or send the nmap output to another script which puts the output into a CSV that can then be used as a lookup table.

So for now, this effort is going on the back burner.

Thanks to @richgalloway for the suggestions provided.

0 Karma

richgalloway
SplunkTrust

Try

... | scanip $source_address$
---
If this reply helps you, Karma would be appreciated.
0 Karma

reswob4
Builder

sourcetype=WinDNS | table source_address | head 1 | scanip $source_address$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:54 EST
Failed to resolve "$".
WARNING: No targets were specified
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.72 seconds

sourcetype=WinDNS | table source_address | head 1 | scanip $$source_address$$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:55 EST
Failed to resolve "45981source_address45981".
WARNING: No targets were specified
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.30 seconds

sourcetype=WinDNS | table source_address | head 1 | scanip \$source_address\$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:56 EST
Failed to resolve "$source_address$".
WARNING: No targets were specified
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.46 seconds

0 Karma

richgalloway
SplunkTrust

One last guess:

... | scanip 'source_address'
Note the single quotes.

---
If this reply helps you, Karma would be appreciated.
0 Karma

reswob4
Builder

Nope

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:46 EST
Failed to resolve "source_address".
WARNING: No targets were specified
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.45 seconds

It shows double quotes in the response whether or not I put single or double quotes in the search bar.

0 Karma

RMcCurdyDOTcom
Explorer

XtremeNmapParser FTW to convert the XML to JSON and then used HEC to send it all to Splunk!

https://github.com/xtormin/XtremeNmapParser/issues/1

0 Karma
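The XML-to-HEC route mentioned in the last two posts needs no third-party parser: nmap's `-oX` output is regular enough to flatten with the standard library, and the HTTP Event Collector takes one or more JSON objects per POST to `/services/collector/event` with an `Authorization: Splunk <token>` header. The block below is an added example for this thread, not the poster's setup or XtremeNmapParser's code. Assumed and to be replaced: the HEC URL, the token, and the sourcetype name `nmap:scan`; the nmap XML is a constructed sample of the elements the parser reads. Only open ports are shipped by default, since a full `-A` scan produces hundreds of closed-port entries per host that add nothing for a lookup.

```python
"""Ship nmap -oX results to Splunk HTTP Event Collector (HEC).

Added example for this thread, not the poster's or XtremeNmapParser's code.
Assumed: HEC is enabled and reachable at HEC_URL, HEC_TOKEN is a valid token
for it, and "nmap:scan" is a sourcetype you define for this data.
"""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET

HEC_URL = "https://splunk.example.internal:8088/services/collector/event"  # assumed
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"                         # assumed
SOURCETYPE = "nmap:scan"                                                     # assumed

# Constructed sample of nmap -oX output, trimmed to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX - 10.10.10.10" start="1479737640" version="7.31">
  <host starttime="1479737640" endtime="1479737649">
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.10.3" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def nmap_xml_to_events(xml_text, include_closed=False):
    """One HEC event per (host, port) for hosts that were up; CIM-style field names."""
    root = ET.fromstring(xml_text)  # local scanner output; use defusedxml for untrusted XML
    events = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ts = int(host.get("starttime") or root.get("start") or 0)  # epoch seconds, as HEC expects
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state != "open" and not include_closed:
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k: None)
            event = {
                "dest": addr.get("addr"),
                "dest_port": int(port.get("portid")),
                "transport": port.get("protocol"),
                "state": state,
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "scan_args": root.get("args"),
            }
            events.append({"time": ts, "sourcetype": SOURCETYPE, "source": "nmap", "event": event})
    return events


def hec_payload(events):
    """HEC accepts several JSON objects in one POST body; newline-delimit them."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def send_to_hec(payload, url=HEC_URL, token=HEC_TOKEN, verify_tls=True):
    """POST to HEC. Keep TLS verification on; add HEC's CA to the trust store rather than disabling it."""
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))  # {"text":"Success","code":0} on success


if __name__ == "__main__":
    import sys
    xml_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    print(send_to_hec(hec_payload(nmap_xml_to_events(xml_text))))
```

Usage would be `nmap -A -oX - 10.10.10.10 | python3 nmap_to_hec.py`; the `time` field set from the host's `starttime` makes Splunk index each event at the scan time rather than at ingest time, which matters when a backlog of old XML files is replayed.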