-
Notifications
You must be signed in to change notification settings - Fork 108
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1167 from splunk/feature/ADDON-37084-add-sc4s-fil…
…ter-for-tenable ADDON-37084: Adding the support for Tenable.nnm logs
- Loading branch information
Showing
4 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Vendor - Tenable | ||
|
||
|
||
## Product - Tenable.nnm | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ | | ||
| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| tenable:nnm:vuln | None | | ||
|
||
### Sourcetype and Index Configuration | ||
|
||
| key | sourcetype | index | notes | | ||
|----------------|----------------|----------------|----------------| | ||
| tenable_nnm | tenable:nnm:vuln | netfw | none | | ||
|
||
### Filter type | ||
|
||
MSG Parsing | ||
|
||
### Options | ||
|
||
| Variable | default | description | | ||
|----------------|----------------|----------------| | ||
| SC4S_LISTEN_TENABLE_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | ||
| SC4S_LISTEN_TENABLE_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | ||
| SC4S_ARCHIVE_TENABLE_SYSLOG | no | Enable archive to disk for this specific source | | ||
| SC4S_DEST_TENABLE_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | ||
|
||
### Verification | ||
|
||
An active device will generate frequent events. Use the following search to validate events are present per source device | ||
|
||
``` | ||
index=<asconfigured> sourcetype=enable:nnm:vuln | stats count by host | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
block parser tenable_syslog-parser() { | ||
channel { | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('tenable:nnm:vuln') | ||
vendor_product("tenable_nnm") | ||
); | ||
}; | ||
|
||
}; | ||
}; | ||
application tenable_syslog[sc4s-syslog] { | ||
filter { | ||
"${PROGRAM}" eq "nnm"; | ||
}; | ||
parser { tenable_syslog-parser(); }; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Copyright 2019 Splunk, Inc. | ||
# | ||
# Use of this source code is governed by a BSD-2-clause-style | ||
# license that can be found in the LICENSE-BSD2 file or at | ||
# https://opensource.org/licenses/BSD-2-Clause | ||
|
||
from jinja2 import Environment | ||
|
||
from .sendmessage import * | ||
from .splunkutils import * | ||
from .timeutils import * | ||
|
||
import pytest | ||
env = Environment() | ||
|
||
|
||
#<134>May 7 12:39:29 nnm.home.cugnet.net nnm: 192.168.100.1:0|192.168.100.60:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE | ||
testdata = [ | ||
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.1:0|127.0.0.2:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE', | ||
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.3:8080|127.0.0.4:0|6|0|new-open-port|NNM identifies which ports are open or listening on a host. This is detected by observing the response sent from a server or the \'SYN-ACK\' sent when receiving a connection.||INFO', | ||
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.5:53|127.0.0.6:51329|17|7117|SSL Client Error Code Detection|The client has responded with an SSL error message of : 'Close notify ' Level : 'Warning' Source IP : 192.168.100.1 Dest. IP : 192.168.100.60 |Plugin Output N/A|NONE' | ||
] | ||
|
||
@pytest.mark.parametrize("event", testdata) | ||
def test_tenable(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): | ||
host = get_host_key | ||
|
||
dt = datetime.datetime.now() | ||
iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) | ||
|
||
# Tune time functions | ||
epoch = epoch[:-7] | ||
|
||
mt = env.from_string(event + "\n") | ||
message = mt.render(mark="<166>", bsd=bsd, host=host) | ||
|
||
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
||
st = env.from_string( | ||
"search index=netfw _time={{ epoch }} sourcetype=\"tenable:nnm:vuln\" (host=\"{{ host }}\" OR \"{{ host }}\")") | ||
search = st.render(epoch=epoch, host=host) | ||
|
||
resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
||
record_property("host", host) | ||
record_property("resultCount", resultCount) | ||
record_property("message", message) | ||
|
||
assert resultCount == 1 |