Description
The asset discovery application provides ping scans, port scans, and operating system and port fingerprinting through the use of nmap, in order to gain visibility into asset availability, port statistics, and even rogue device detection. The app can be deployed on a per-subnet basis to provide distributed scanning capabilities.

Splunk for Asset Discovery
Version: 20121101.0
Developed by: Mike Wilson (mwilson at splunk.com)

Noteworthy
New Windows Support (please read): New in this version is a Windows scripted input, nmap.cmd (which calls nmap.vbs). You must create the file bin\nmap.path containing the full path to your nmap.exe (e.g. C:\Program Files\Nmap\nmap.exe). There is an example_nmap.path in the bin directory. If you do not do this, the input will fail. The Windows scripts are lightly tested; please report bugs.

Optional Dependency: If you have the Google Maps app installed (version 1.1 or better), a mapping view will be available. There is a lookup file which you should populate in order to geolocate internal IP addresses.

General
This app utilizes its own "asset_discovery" index. All searches have been created to use eventtypes which reference index=asset_discovery, which can easily be overridden depending on your needs.

This app utilizes the nmap command but does not provide it. It assumes that the command is available and in the path. Additionally, the nmap binary works best if it is run as root or setuid root; running as a standard user will most likely yield unexpected results.

This app utilizes a scripted input, nmap.sh or nmap.cmd, to execute nmap scans of (hopefully) any type.
The included scripted input will automatically add the argument for the "Grepable" output format as defined by nmap.org. The scripted input will attempt to find the current host's IP address and, if no other target is given, use that IP to perform a scan of the local subnet. In this way the app can be deployed to remote forwarders to regularly scan each forwarder's subnet without having to configure the target for each forwarder individually. This behavior can be overridden by passing a "-t target_spec" argument to the script. Lastly, the nmap command (i.e. nmap.exe) works best when run as root or setuid root.

With no arguments given, the scripted input will perform a ping scan of the local subnet of the current system:

You may pass standard nmap arguments through in order to perform a port scan. An input of "nmap.sh -A -O" will yield:

In order to set a target, use the "-t" option (not a standard nmap option). "nmap.cmd -t 10.159.1.100-150" will yield:

Customizing scan targets
In the event that you'd prefer to have a small number of scan points which each scan multiple networks, you'll need to create some custom data inputs. There are 2 types of inputs for this app: ping scans and port scans. Knowing that, from your Splunk instance (i.e. the scan point) head to Manager -> Data Inputs -> Scripts and search for "nmap". There should be 4 results: a ping scan and a port scan for *nix, and the same for Windows. Find the appropriate input and "Clone" it. Enter the proper command for your situation (e.g. for a port scan of 2 subnets, something like: /opt/splunk/demo/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 10.159.26.0/24 -t 10.59.27.0/24), leave the remaining fields alone, and click "Save". You can have a single scan with many targets, per the previous example, or you may create a new input for each target in the event that you'd like to stagger their execution, etc. You should be able to pass in any standard nmap arguments.
A "-oG" option will be automatically inserted to force the "Grepable" format. Targets should be prefixed with a "-t" switch per the example.

Connections
Internal:
External:

Troubleshooting
The nmap.sh or nmap.cmd scripted input can be run directly from the command line for testing.

Known Issues
Port Signature chart will be empty when drilling down from an "OS Signature" chart to the

Credits
Nmap and its open source goodness: nmap.org
This app utilizes the awesome work of SPP (www.spp.at) and their Google Maps Splunk app for mapping, and of course Google for making that possible.

Versions and Release Notes
Version 20121101.0 (current version - updated Nov 01, 2012)
release notes:
Version 20121101.0 Known Issues:
Version 20120615.0
(updated Jun 15, 2012)
release notes:
Backfill real-time overview to rt-1d@d
Hi, I would like to scan a number of subnets; how do I pass that as a text file input to this scan? I know nmap accepts subnets from a txt file using the -iL option.
Where do I configure this in the app?
Please review the "Customizing scan targets" above and let me know what needs clarification.
Hello, first of all I want to thank you for a very useful app.
Secondly, I would like to pull the MAC address information from the scans. It would be very useful to have that information as part of the real-time data.
If I dump my nmap scan data to XML I can see MAC address information, but I fail to find it using Splunk. Is it possible to get such data? If so, how?
I'm new to Splunk and don't know if it is possible to import nmap scan reports or not. If it is, how? Otherwise, it may be a nice feature to add.
Regards,
CR
Mac addresses could be added. I'd have to move to a different output format to do so, which isn't really a big deal, but it's not something I've had time for lately. Can you give me an idea of what you were looking to do with that info included?
Hello Mike, I would like to track, monitor and inventory MAC addresses on a DHCP-oriented network. Since IPs change often, I need to be able to track devices by MAC address instead. In addition, is there a way to set or modify the default OS when a scan gives you multiple OS results? It would make the OS signature statistics more accurate, at least in my case. Regards, CR.
Hello, first of all I want to thank you for a very useful app. Secondly, I would like to pull the MAC address information from the scans. It would be very useful to have that information as part of the real-time data.
If I dump my nmap scan data to XML I can see MAC information, but I fail to find it using Splunk. Is it possible to get such data? If so, how?
I'm new to Splunk and don't know if it is possible to import scan reports or not. If it is, how? Otherwise, it may be a nice feature to add.
Regards,
Dave
Fantastic app, thanks a lot. It works OK on Windows, but I might see if it is better on a Linux box.
On my Windows 2008 R2 server with Nmap 6.01, when a scan is running over a /24 subnet the splunkd service chugs and I cannot get to the Splunk web page. No problem now that I have the scan scheduled to run at 2am.
Can you compare results from previous scans to see if a new port is enabled on a server/IP address?
Thanks
Thanks, and thanks for the 5 star review!
Nmap can certainly bog down a system. You could offload the scan to a box running a Universal Forwarder plus the app, and have it forward to the Splunk server.
A search similar to this will show differences: eventtype=port_scan dest=192.168.1.8 | head 2 | diff attribute=port_signature
OK, awesome, thanks, that worked great. Further to this, is there a way to give all the differences for a range of addresses instead of a single IP address?
eventtype=port_scan dest=192.168.1.* | head 2 | diff attribute=port_signature (for each IP)
So a recursive check of each IP address against its previous results.
Try something like this:
eventtype=port_scan | dedup 2 dest | rex "Ports: (?<port_stuff>.*)\s+Ignored.*" | stats values(port_stuff) as ports by dest | where mvcount(ports) > 1
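As an added illustration that is not part of the app or of this thread, here is a small Python parser for the nmap "Grepable" (-oG) format the scripted input forces, plus the port-change comparison that the searches above perform in SPL: it reports, per host, which ports are newly open between two scans while ignoring filtered or closed entries. The two scan captures are constructed samples.

```python
from typing import Dict, Set

# Constructed sample scans in nmap "Grepable" (-oG) format, the format the
# app's scripted input forces. Same two hosts, scanned on two consecutive days.
SCAN_DAY1 = (
    "# Nmap 6.01 scan initiated as: nmap -A -O -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.8 ()\tStatus: Up\n"
    "Host: 192.168.1.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, "
    "80/open/tcp//http//Apache httpd 2.2.22/\tIgnored State: closed (998)\tOS: Linux 3.2\n"
    "Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 30.12 seconds\n"
)
SCAN_DAY2 = (
    "Host: 192.168.1.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, "
    "80/open/tcp//http//Apache httpd 2.2.22/, 3306/open/tcp//mysql//MySQL 5.5/"
    "\tIgnored State: closed (997)\tOS: Linux 3.2\n"
    "Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
)


def parse_grepable(text: str) -> Dict[str, Set[str]]:
    """Return {ip: {'22/tcp', ...}} of OPEN ports from -oG output.

    Grepable lines are tab-separated 'Key: value' fields; the Ports field is a
    comma-separated list of port/state/proto/owner/service/rpc/version/ entries.
    """
    open_ports: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # banner/comment lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Host" not in fields or "Ports" not in fields:
            continue  # e.g. the 'Status: Up' line from the ping phase
        ip = fields["Host"].split()[0]  # drop the '(hostname)' part
        ports = open_ports.setdefault(ip, set())
        for entry in fields["Ports"].split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open":  # skip filtered/closed
                ports.add(f"{parts[0]}/{parts[2]}")
    return open_ports


def new_open_ports(previous: str, current: str) -> Dict[str, Set[str]]:
    """Ports open in `current` that were not open in `previous`, per host."""
    before, after = parse_grepable(previous), parse_grepable(current)
    return {ip: ports - before.get(ip, set())
            for ip, ports in after.items() if ports - before.get(ip, set())}


if __name__ == "__main__":
    for ip, ports in new_open_ports(SCAN_DAY1, SCAN_DAY2).items():
        print(f"{ip}: newly open {sorted(ports)}")
```

The filtered 3389/tcp on 192.168.1.20 is deliberately not reported, which is the distinction a raw string diff of the Ports field would miss.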
How do you use this app? Can you please elaborate in the documentation on how to create custom scans, or where to add those lines mentioned above?
Go to Manager > Data Inputs > Scripts. Whether you are on a Windows or *nix machine determines which input to clone and modify. You will see 4 scripts using an nmap path; clone the one most applicable. When the new window opens to modify the script, the "Command" is where you put the full path to nmap (Windows) C:Program....nmap.cmd and then add arguments as you desire: -PE -O -A etc. Adjust other parameters as necessary and Save.
Hello, how do you configure this app to run custom scans?
Can you please elaborate on your documentation?
A problem was raised in a distributed environment for version 20110704.0.
I've replaced the savedsearch reference in the eventtype in version 20120615.0. Hopefully this fixes the issue.
OK, a tad confused about this app. There is no place in the app GUI to add options or scan targets. Directions on how to modify the app (XML, etc.) to allow this would be useful. Do we have to resort to manually editing the local/inputs.conf file?
Also, I see some have posted about scanning multiple targets. The nmap.sh has a section for parsing out multiple -t args, so -t x.x.x.128/25 y.y.y.0/23 z.z.z.0/22 should work (caveat below).
Here's some odd stuff I have noticed with Nmap 5.51 (Linux): 1. It's best to use --osscan-guess with the -O option. 2. Passing multiple target subnets to nmap for scanning returns odd results vs. only passing a single target subnet. I think this is a bug in Nmap, but you should test this before lumping multiple targets into your conf stanzas, etc. Try running "nmap -sS -O --osscan-guess -oA file subnet subnet" vs. the same command with just a single subnet; do the results come out the same?
The default behavior of the included scripts is to scan the local subnet so that the app can be distributed to UFs without needing to configure inputs.conf individually. In the case where you just want to throw up a single scan point you're correct that you'd want to edit the local/inputs.conf and disable the existing inputs and create new ones:
# inputs.conf

# disable default port scan
[script://./bin/nmap.sh -A -O]
disabled = 1

# new
[script://./bin/nmap.sh -A -O --osscan-guess -t 192.168.1-255]
interval = 14400
source = nmap
sourcetype = port_scan
index = asset_discovery
disabled = 0
Great app. I'm having problems scanning class B networks...
Can someone give an example of the input line needed to scan a class B of, let's say, 10.2.0.0/16?
I tried :
nmap.cmd -O -v -sT -t 10.2.0.0/16
and got an error in splunkd.log:
WARN iniFile ... Canot parse into key-value pair ...
The only scan that worked for me is:
nmap.cmd -O -v -sT -t 10.2.0.1-254, and so on, but I hope there is a better way to add a class B...
Found a workaround to the class B scanning by writing nmap.cmd -O -v -sT 10.2.0.0/16 -t 127.0.0.1 (but I guess it is due to my poor knowledge of VB or Python...). I hope there will be a fix in the app itself...
Thanks gooza. Are you getting output from the class B scan at all? Do you get different behavior from the nmap.cmd call (at a command line, for instance) vs. directly calling your system's nmap.exe?
Love the app, a couple of issues though while running it on our Linux indexer:
- OS signature is not being returned for any host.
- When I go to the Real Time Overview, the following error shows up on top: "Unable to get viewstate information; formatting may not be correct", and nothing ever shows up on that page.
If your system does not have nmap, get it here: http://nmap.org/download.html