In the security world, knowing what you have to secure is the very first step in protecting yourself. A good security team has constant awareness of what information assets exist in the organization and how important each of them is in terms of risk (computed as risk = threats x vulnerabilities). In order to do something like “make sure all of your servers are secure,” you first need to know a few things about each of your servers: how many servers you have, what operating systems they are running, and which servers are actually online are all very relevant questions. In our organization, we have chosen to use Splunk (http://www.splunk.com) for all of our “operational intelligence,” and there is a very useful App called “Splunk for Asset Discovery” which we used to answer those three important questions.
Splunk for Asset Discovery is a very simple tool that does the following things:
1) Creates a special index inside Splunk called “asset_discovery”
2) Provides saved searches that pull useful information from the “asset_discovery” index
3) Provides a shell script, which can be customized, to run the NMAP scanner on interval
4) Creates a scripted input for Splunk that runs as often as you set, firing off the NMAP shell script as an action and indexing NMAP's results into Splunk.
Installation of the App is as simple as going to SplunkBase and downloading the App (http://splunk-base.splunk.com/apps/25242/splunk-for-asset-discovery) or searching “Asset Discovery” from the Apps section of Splunk’s Manager.
Important: This App utilizes the nmap command but does not provide it, so it is necessary to install nmap and add it to your PATH if it is not installed already. Also, nmap works best when executed as root, so if your Splunk installation is not already running as root, be sure to set the setuid bit on the nmap binary (“chmod +s nmap”) so that it runs as root.
After installing and enabling the App, a little bit of configuration is necessary to make the system perform correctly. The App's configuration files should be located in the “/opt/splunk/etc/apps/asset_discovery/” directory. Conforming to Splunk’s app guidelines, there is a default/ directory and a local/ directory, each containing an app.conf and an inputs.conf. Also, the shell script which actually launches NMAP is in the bin/ directory, named nmap.sh. The configuration magic happens in local/inputs.conf:
### SAMPLE INPUTS.CONF ###
# ping scan: runs bin/nmap.sh against the given range every 900 seconds (15 minutes)
[script://./bin/nmap.sh -t 192.168.0.0/16]
interval = 900
source = nmap
sourcetype = ping_scan
index = asset_discovery
disabled = 0
# basic port scan with OS fingerprinting: runs every 14400 seconds (4 hours)
[script://./bin/nmap.sh -A -O 192.168.0.0/16]
interval = 14400
source = nmap
sourcetype = port_scan
index = asset_discovery
disabled = 0
There are a few important bits to notice about inputs.conf:
1) There are two separate blocks, one for ping scans and one for port scans. Each has the correct settings to index the data with the right sourcetype, so that the data interacts with the App in Splunk Web.
2) In this example, we added an IP range (192.168.0.0/16) to force NMAP to scan that particular range. By default, bin/nmap.sh is scripted to scan the IP range *OF THE SERVER THAT EXECUTES THE SCRIPT*. In our case this was undesired.
3) By default, the sample blocks come with “disabled = 1”, which prevents them from running. Change this to 0 to actually allow scanning.
4) Interval time is measured in seconds. 900 = every 15 minutes.
5) You can choose to only run ping scans, leaving port scans disabled. This will allow you to actively discover assets on your network, but it will deprive you of the App's ability to do OS fingerprinting, etc.
6) You can add as many blocks as necessary to scan each range of your network; simply copy and paste.
Once you have made the necessary changes to your inputs.conf, save it and restart Splunk. Splunk will automatically start running nmap.sh based on your preferences and index the results over time. Before long, you will have a detailed view of your environment in the Asset Discovery App within Splunk Web.
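As an added example (not the App's own bin/nmap.sh and not from the original post), here is a small wrapper in the same spirit as the scripted input above: it runs nmap against a range passed on the command line and turns nmap's greppable (-oG) output into one key=value line per host or per port, which Splunk extracts as fields without any further configuration. The constructed sample scan at the bottom is used when no range is given, so the parser can be exercised without running nmap; the function names are my own.

```shell
#!/bin/sh
# Added example, not the App's own bin/nmap.sh. Wraps nmap like a Splunk
# scripted input would, but converts greppable output (-oG) into key=value
# events. Assumes nmap is on PATH when a range is supplied.

# parse_grepable: reads nmap -oG text on stdin and emits
#   event=host ip=... hostname=... status=Up|Down                  (ping scan)
#   event=port ip=... port=... state=... proto=... service=...     (port scan)
parse_grepable() {
    awk '
    /^Host:/ {
        ip = $2; name = $3; gsub(/[()]/, "", name); if (name == "") name = "-"
        status = ""; ports = ""
        nf = split($0, col, "\t")              # -oG separates fields with tabs
        for (c = 1; c <= nf; c++) {
            if (col[c] ~ /^Status: /) status = substr(col[c], 9)
            if (col[c] ~ /^Ports: /)  ports  = substr(col[c], 8)
        }
        if (status != "") {
            printf "event=host ip=%s hostname=%s status=%s\n", ip, name, status
        }
        if (ports != "") {
            n = split(ports, p, ", ")          # port/state/proto/owner/service/rpc/version/
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                printf "event=port ip=%s port=%s state=%s proto=%s service=%s\n", ip, f[1], f[2], f[3], f[5]
            }
        }
    }'
}

# scan_range: ping sweep of $1 (e.g. 192.168.0.0/16), like the ping_scan input.
# Use "-A -O" instead of "-sn" for the port_scan input. Root (or the setuid
# bit from the post) is needed for ARP and raw-socket host discovery.
scan_range() {
    nmap -sn -oG - "$1" | parse_grepable
}

# Constructed sample of nmap -oG output (hostnames and versions are made up).
SAMPLE_SCAN=$(printf 'Host: 192.168.0.1 (gw.lab)\tStatus: Up\nHost: 192.168.0.5 ()\tStatus: Up\nHost: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache/\tIgnored State: closed (998)\nHost: 192.168.0.9 ()\tStatus: Down\n')

# parse_sample: runs the parser over the constructed sample, offline.
parse_sample() { printf '%s\n' "$SAMPLE_SCAN" | parse_grepable; }

if [ "$#" -gt 0 ]; then scan_range "$1"; else parse_sample; fi
```

A Splunk search such as `index=asset_discovery event=host status=Up | stats count by ip` then gives the live-host inventory directly from these events.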
Splunk for Asset Discovery – http://splunk-base.splunk.com/apps/25242/splunk-for-asset-discovery
NMAP – http://nmap.org
CedarCrestone – http://www.cedarcrestone.com/