Skip to content

Splunk plugin

The Vulners Splunk Plugin converts Splunk into a potent platform for vulnerability assessment and security scanning by utilizing the comprehensive Vulners.com vulnerability database.

Note

  • The current distribution package is optimized for a single-machine environment but is fully compatible with setups that include one indexer and one search head on a single machine. It includes components for the forwarder, indexer, and search head.
  • Despite Splunk's AppInspect guidance against custom indexes, this package includes one for convenience in single-machine setups. Multi-machine users should adjust accordingly (details below).
  • For simple installations without separate indexers, use the package as is. For more complex deployments, refer to the slim partitioning section below.

Installation Steps

Dashboard app

Install

In Splunk dashboard search head go to 

Apps -> Install app from file -> choose [vulners-lookup-*.tar.gz](https://github.com/vulnersCom/splunk-vulners/blob/master/result/vulners-lookup-0.0.3.tar.gz)

Then restart Splunk

Add Vulners API key

  • get API key from vulners.com

  • add API key to Vulners Splunk dashboard

Create vulners index

Since the forwarder app forwards data to the index named vulners, it has to be present in the system. 

Settings -> Indexes -> New Index

Add receiving port

If you are using Splunk for the first time, don't forget to set data receiver 

Settings -> Forwarding and receiving -> Configure receiving -> New Receiving port

Forwarder app

Install

Unpack vulners_lookup.tar.gz into $SPLUNK_FORWARDER_HOME/etc/apps/

Python libs

Install the following Python libs on forwarder machines 

pip3 install distro getmac ifaddr futures
and restart Splunk forwarder

Add forward server

If you are installing forwarder for the first time, you have to add forward-server

Usage

Seach for packages collected by forwarder

By default, the forwarder sends information about packages hourly or right after restart. To see collected packages run search 

index=vulners

Run Vulners audit

Vulners application runs audit script automatically at 9 o'clock in the morning. Alternatively, you can select saved search 

| savedsearch vulners_report

Using slim

NB: The process of DU creation has been tested and should work without issues. However no tests have been conducted regarding the use of the deployment server. Any feedback on that would be appreciated.

  • Install slim as in the instructions (take note of this bug though)
  • Create a package slim package -o result/ ./vulners-lookup/
  • Partition the package into deployment units slim partition -o deployment-units/ vulners-lookup-0.0.3.tar.gz
  • Use your deployment server for installation
Back to top