Merge pull request #1167 from splunk/feature/ADDON-37084-add-sc4s-filter-for-tenable

ADDON-37084: Adding the support for Tenable.nnm logs
Ryan Faircloth authored May 25, 2021
2 parents 4de4634 + b72276e commit 2ccb0cf
Showing 4 changed files with 111 additions and 0 deletions.
43 changes: 43 additions & 0 deletions docs/sources/Tenable/index.md
@@ -0,0 +1,43 @@
# Vendor - Tenable


## Product - Tenable.nnm

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ |
| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| tenable:nnm:vuln | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| tenable_nnm | tenable:nnm:vuln | netfw | none |

### Filter type

MSG Parsing

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_TENABLE_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_TENABLE_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_TENABLE_SYSLOG | no | Enable archive to disk for this specific source |
| SC4S_DEST_TENABLE_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

### Verification

An active device will generate frequent events. Use the following search to validate events are present per source device

```
index=<asconfigured> sourcetype=enable:nnm:vuln | stats count by host
```
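Review bot: the verification search at the end of this hunk has a typo in the sourcetype: `sourcetype=enable:nnm:vuln` should be `sourcetype=tenable:nnm:vuln`, matching the Sourcetypes table above and the `sourcetype('tenable:nnm:vuln')` value set in the parser config; as written the search returns no results, so the verification step would fail silently. Two smaller points: the "Sourcetype and Index Configuration" table routes vulnerability-scanner findings to `netfw`, so either confirm that index is intended for this data or note the rationale in the notes column, and the "notes" cell for `tenable:nnm:vuln` could state that the payload is a pipe-delimited record (source, destination, protocol, plugin id, plugin name, description, output, severity) so operators know what to expect when validating events.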
1 change: 1 addition & 0 deletions mkdocs.yml
@@ -56,6 +56,7 @@ nav:
- Splunk: sources/Splunk/index.md
- Broadcom: sources/Broadcom/index.md
- Tanium: sources/Tanium/index.md
- Tenable: sources/Tenable/index.md
- Tintri: sources/tintri/index.md
- Trend: sources/Trend/index.md
- Ubiquiti: sources/Ubiquiti/index.md
18 changes: 18 additions & 0 deletions package/etc/conf.d/conflib/syslog/app-tenable_syslog.conf
@@ -0,0 +1,18 @@
block parser tenable_syslog-parser() {
channel {
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('tenable:nnm:vuln')
vendor_product("tenable_nnm")
);
};

};
};
application tenable_syslog[sc4s-syslog] {
filter {
"${PROGRAM}" eq "nnm";
};
parser { tenable_syslog-parser(); };
};
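Review bot: the application filter matches solely on `"${PROGRAM}" eq "nnm"`, so every syslog sender whose program tag is `nnm` is assigned index `netfw` and sourcetype `tenable:nnm:vuln` regardless of source host; that match key should be stated in docs/sources/Tenable/index.md so operators can tell why events land (or fail to land) in this sourcetype. The parser block only calls `r_set_splunk_dest_default(...)` and performs no field extraction of the pipe-delimited payload, so all field parsing is deferred to the Splunk add-on at search time; a one-line comment saying so in the `block parser` would save the next reader from looking for a missing parser. Minor: the empty line inside the `channel { ... }` block after the `rewrite { ... };` block can be dropped.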
49 changes: 49 additions & 0 deletions tests/test_tenable.py
@@ -0,0 +1,49 @@
# Copyright 2019 Splunk, Inc.
#
# Use of this source code is governed by a BSD-2-clause-style
# license that can be found in the LICENSE-BSD2 file or at
# https://opensource.org/licenses/BSD-2-Clause

from jinja2 import Environment

from .sendmessage import *
from .splunkutils import *
from .timeutils import *

import pytest
env = Environment()


#<134>May 7 12:39:29 nnm.home.cugnet.net nnm: 192.168.100.1:0|192.168.100.60:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE
testdata = [
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.1:0|127.0.0.2:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE',
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.3:8080|127.0.0.4:0|6|0|new-open-port|NNM identifies which ports are open or listening on a host. This is detected by observing the response sent from a server or the \'SYN-ACK\' sent when receiving a connection.||INFO',
'{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.5:53|127.0.0.6:51329|17|7117|SSL Client Error Code Detection|The client has responded with an SSL error message of : &apos;Close notify &apos; Level : &apos;Warning&apos; Source IP : 192.168.100.1 Dest. IP : 192.168.100.60 |Plugin Output N/A|NONE'
]

@pytest.mark.parametrize("event", testdata)
def test_tenable(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
host = get_host_key

dt = datetime.datetime.now()
iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)

# Tune time functions
epoch = epoch[:-7]

mt = env.from_string(event + "\n")
message = mt.render(mark="<166>", bsd=bsd, host=host)

sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
"search index=netfw _time={{ epoch }} sourcetype=\"tenable:nnm:vuln\" (host=\"{{ host }}\" OR \"{{ host }}\")")
search = st.render(epoch=epoch, host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1
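Review bot: `datetime.datetime.now()` at the top of `test_tenable` relies on `datetime` reaching the module namespace through one of the `from .… import *` wildcard imports; add an explicit `import datetime` next to `import pytest` so the test does not break if those helper modules stop re-exporting it. The `epoch = epoch[:-7]` truncation is explained only by `# Tune time functions`; a comment saying what precision is being dropped and why the `_time={{ epoch }}` search term needs it would help the next reader. The sample in the header comment carries a real-looking hostname (`nnm.home.cugnet.net`) and private addresses from the captured event; consider replacing them with placeholders in the style of the `127.0.0.x` addresses already used in `testdata`.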
