marco-lancini/docker_offensive_elk

Parser issue

argupta23 opened this issue · 4 comments

Hello Marco,

Appreciate the efforts you have put in here and thanks for sharing it with the community.

A quick observation based on some testing I did.

Scenario 1
running "nmap -T4 -A -p 1-1000 -oX 1401.xml 192.168.2.140" the xml file contains

      1401.xml:<address addr="192.168.2.140" addrtype="ipv4"/>

Scenario 2
running "nmap -A -O -oX 1402.xml 192.168.2.140" the xml file contains

     1402.xml:<address addr="192.168.2.140" addrtype="ipv4"/>
     1402.xml:<address addr="xx:xx:xx:xx:xx:xx" addrtype="mac" vendor="Super Micro Computer"/> ---- this line is additional 

Note the difference of an additional line with address addr in scenario 2. This is where your VulntoES.py script uses the second entry and populates Elasticsearch with the following entry:

protocol: tcp
scanner: nmap
service: ssh
ip: xx:xx:xx:xx:xx:xx -- mac address
product_version: 7.6
port: 22
state: open
scripts.ssh-hostkey: 2048 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
time: May 29th 2019, 10:39:06.000
product_name: OpenSSH
_id: iNE_BGsB7OQXLf0qdKjo
_type: vuln
_index: nmap-vuln-to-es
_score: 1

It applies this to each subsequent port entry for that host within the file.

I will appreciate it if you can please take a look into it and update your script accordingly.

Thanks

Hi @argupta23, thanks for your feedback!
Can you try to clone the develop branch and test it with your data? It should be fixed now.

Let me know if it works as intended

Hello Marco,

Thanks, it does work.
One suggestion or a potential enhancement would be to also save the MAC address field, if present in the nmap output, to the Elasticsearch record. This enables one to filter based on MAC and figure out the associated IP address over time, which is not possible in the current context.

Please let me know what you think.
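The two points raised in this thread (the parser picking up the `addrtype="mac"` entry as the host IP, and the request to keep the MAC as its own field) can be illustrated with a small nmap XML parser. This is an added example, not the project's VulntoES.py; the sample XML, the addresses in it and the field names are constructed to mirror the record shown above. The fix is to select the address element by its `addrtype` attribute rather than by position, so an extra `<address>` line cannot displace the IP, and to carry the MAC along as a separate field.

```python
"""Added example (not the project's VulntoES.py): select the host IP from
nmap -oX output by addrtype and record the MAC address as its own field."""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors nmap XML output with the extra MAC line
# that "nmap -A -O" adds; addresses and vendor are placeholders.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host starttime="1559119146">
    <status state="up"/>
    <address addr="192.168.2.140" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Vendor"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed Elasticsearch field types for the two address fields; "keyword"
# keeps the MAC filterable with exact-match term queries.
ES_ADDRESS_FIELDS = {"ip": {"type": "ip"}, "mac": {"type": "keyword"}}


def host_addresses(host):
    """Return (ip, mac) for one <host> element.

    The IP is chosen by its addrtype attribute, not by being the first or
    last <address> child, so the MAC line cannot be mistaken for the IP.
    """
    ip = None
    mac = None
    for addr in host.findall("address"):
        kind = addr.get("addrtype")
        if kind in ("ipv4", "ipv6") and ip is None:
            ip = addr.get("addr")
        elif kind == "mac":
            mac = addr.get("addr")
    return ip, mac


def parse_nmap_xml(xml_text):
    """Flatten an nmap XML document into one record per open/closed port."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        ip, mac = host_addresses(host)
        if ip is None:
            # No usable IP on this host; skip rather than index a bogus record.
            continue
        for port in host.findall("./ports/port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "scanner": "nmap",
                "ip": ip,
                "mac": mac,  # None when nmap did not report one
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else None,
                "service": service.get("name") if service is not None else None,
                "product_name": service.get("product") if service is not None else None,
                "product_version": service.get("version") if service is not None else None,
            })
    return records


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_XML):
        print(rec)
```

Every record produced for the sample host carries `ip` 192.168.2.140 and the MAC in its own `mac` field; a host scanned without `-O` simply gets `mac: None`. If the index template is strict, the `mac` field needs a mapping (here assumed as `keyword`) before the new documents are indexed.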

Hi @argupta23, nice suggestion! I just pushed a slight modification that should record also the MAC address.
I'd be grateful if you could test it (just a git pull should do!)

Thanks!

Hello Marco, this should work. I am assuming that you would need to update your ELK templates to reflect this new "mac" field?

Thanks