diff --git a/docs/sources/Tenable/index.md b/docs/sources/Tenable/index.md
new file mode 100644
index 0000000000..9ea8fb6b19
--- /dev/null
+++ b/docs/sources/Tenable/index.md
@@ -0,0 +1,43 @@
+# Vendor - Tenable
+
+
+## Product - Tenable.nnm
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ |
+| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| tenable:nnm:vuln | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| tenable_nnm | tenable:nnm:vuln | netfw | none |
+
+### Filter type
+
+MSG Parsing
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_TENABLE_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_TENABLE_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_TENABLE_SYSLOG | no | Enable archive to disk for this specific source |
+| SC4S_DEST_TENABLE_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=enable:nnm:vuln | stats count by host
+```
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index 82c37bed81..6e46a2962d 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -56,6 +56,7 @@ nav:
 - Splunk: sources/Splunk/index.md
 - Broadcom: sources/Broadcom/index.md
 - Tanium: sources/Tanium/index.md
+ - Tenable: sources/Tenable/index.md
 - Tintri: sources/tintri/index.md
 - Trend: sources/Trend/index.md
 - Ubiquiti: sources/Ubiquiti/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-tenable_syslog.conf b/package/etc/conf.d/conflib/syslog/app-tenable_syslog.conf
new file mode 100644
index 0000000000..1590834026
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-tenable_syslog.conf
@@ -0,0 +1,18 @@
+block parser tenable_syslog-parser() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netfw')
+ sourcetype('tenable:nnm:vuln')
+ vendor_product("tenable_nnm")
+ );
+ };
+
+ };
+};
+application tenable_syslog[sc4s-syslog] {
+ filter {
+ "${PROGRAM}" eq "nnm";
+ };
+ parser { tenable_syslog-parser(); };
+};
diff --git a/tests/test_tenable.py b/tests/test_tenable.py
new file mode 100644
index 0000000000..7303563f8f
--- /dev/null
+++ b/tests/test_tenable.py
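Review bot: The filter in `application tenable_syslog` classifies on the program name alone (`"${PROGRAM}" eq "nnm"`), so any syslog sender whose program field is `nnm` is routed to index `netfw` as `tenable:nnm:vuln` without any check of the message body; if that is the intent, a comment above the filter would spare the next reader the question, e.g. `# NNM events are identified by program name only; no payload pattern is checked`. The empty line left inside `channel { ... };` after the `rewrite` block looks like a placeholder for a parser that was never added; either drop it or leave a comment naming what is meant to go there. Separately, the verification search on the docs page added by this same commit reads `sourcetype=enable:nnm:vuln`, which does not match the `tenable:nnm:vuln` value set here, so the documented check can never return events.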
@@ -0,0 +1,49 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+import pytest
+env = Environment()
+
+
+#<134>May 7 12:39:29 nnm.home.cugnet.net nnm: 192.168.100.1:0|192.168.100.60:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE
+testdata = [
+ '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.1:0|127.0.0.2:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE',
+ '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.3:8080|127.0.0.4:0|6|0|new-open-port|NNM identifies which ports are open or listening on a host. This is detected by observing the response sent from a server or the \'SYN-ACK\' sent when receiving a connection.||INFO',
+ '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.5:53|127.0.0.6:51329|17|7117|SSL Client Error Code Detection|The client has responded with an SSL error message of : 'Close notify ' Level : 'Warning' Source IP : 192.168.100.1 Dest. 
IP : 192.168.100.60 |Plugin Output N/A|NONE'
+]
+
+@pytest.mark.parametrize("event", testdata)
+def test_tenable(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
+ host = get_host_key
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<166>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search index=netfw _time={{ epoch }} sourcetype=\"tenable:nnm:vuln\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
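Review bot: As rendered, the third `testdata` entry is a single-quoted string containing unescaped single quotes (`'Close notify '`, `'Warning'`), which would terminate the literal early and make the module fail to import, taking all three parametrized cases with it; if the file really reads this way, escape them as the second entry does with `\'SYN-ACK\'`, or write that entry with double quotes. `datetime` is used in `test_tenable` without an explicit import, so the test relies on `from .timeutils import *` re-exporting it — presumably true given the sibling tests, but an explicit `import datetime` would make the dependency visible, and `eventCount` from `splunk_single` is unpacked and never used. The comment above `testdata` keeps the original sample with a real-looking internal hostname and addresses; consider reducing it to the same loopback placeholders the entries use, since the comment only documents the field layout.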