Developed by: Mike Wilson (mwilson at splunk.com)
The latest version of Splunk seems to have changed something in the way LD_LIBRARY_PATH is handled. If you are not receiving scan data and you're sure that everything is enabled and setup properly, it's quite possible that you're just being affected by this. More information and a fix can be found here: http://answers.splunk.com/answers/105439/no-port_scan-data. Please let me know if you encounter this issue.
Notes on the Windows scripted input, nmap.cmd (which calls nmap.vbs): You must create the file bin\nmap.path which contains the full path to your nmap.exe (i.e. C:\Program Files\Nmap\nmap.exe). There is an example_nmap.path in the bin directory. If you do not do this, the input will fail. The Windows scripts are lightly tested, please report bugs.
This app utilizes its own "asset_discovery" index. All searches have been created to use eventtypes which reference index=asset_discovery which can easily be overriden depending on your needs.
This app utilizes the nmap command, but does not provide it. It assumes that the command is available and in the path. Additionally, the nmap binary works best if it is run as root. Running as a standard user will most likely yield unexpected results.
This app utilizes a scripted input, nmap.sh or nmap.cmd, to execute nmap scans of (hopefully) any type. The included scripted input will automatically include the necessary argument for "Grepable" output format as defined by nmap.org.
The scripted input will attempt to find the current host's IP address and, if no other target is given, use that IP to perform a scan of the local subnet. In this way, the app can be deployed to remote forwarders to regularly scan the forwarder's subnet, without having to configure the target for each individual forwarder. This behavior can be overriden by passing a "-t target_spec" argument to the script.
With no arguments given, the scripted input will perform a ping scan of the local subnet of the current system:
nmap -oG - -v -R -sP -PE 192.168.1.158/24
You may pass standard nmap arguments through in order to perform a port scan. An input of "nmap.sh -A -O" will yield:
nmap -oG - -A -O 192.168.1.158/24
In order to set a target, use the "-t" option (not a standard nmap option). "nmap.cmd -t 10.159.1.100-150" will yield:
nmap -oG - -v -R -sP -PE 10.158.1.100-150
In the event that you'd prefer to have a small number of scan points which will scan multiple networks you'll need to create some custom data inputs. There are 2 types of inputs for this app: ping scans and port scans. Knowing that, from your Splunk instance (i.e. the scan point) head to Manager -> Data Inputs -> Scripts and search for "nmap". There should be 4 results, a ping scan and port scan for *nix, and the same for Windows. Find the appropriate input and "Clone" it. Enter the proper command for your situation (e.g. For a port scan of 2 subnets, something like: /opt/splunk/demo/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 10.159.26.0/24 -t 10.59.27.0/24) and leave the remaining fields alone, click "Save".
You can have a single scan which has many targets, per the previous example, or you may create new inputs for each in the event that you'd like to stagger their execution, etc. You should be able to pass in any standard nmap arguments. A "-oG" option will be automatically inserted in order to force the "Grepable" format. Targets should be prefixed with a "-t" switch per the example.
Only those network connection which are initiated by nmap for the purpose of scanning.
The nmap.sh or nmap.cmd scripted input can be run directly from the command line for testing. However, nmap's stderr is redirected to null, so you may want to comment that out when testing (e.g., change 2>/dev/null to #2>/dev/null)
The latest version of Splunk seems to have changed something in the way LD_LIBRARY_PATH is handled. If you are not receiving scan data and you're sure that everything is enabled and setup properly, it's quite possible that you're just being affected by this. More information and a fix can be found here: http://answers.splunk.com/answers/105439/no-port_scan-data
Port Signature chart will be empty when drilling down from an "OS Signature" chart to the
port overview. This is because of quoting issues in a match operation which I don't have
an elegant fix for currently
Nmap and its open source goodness: nmap.org
Update for Splunk 6.0
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.