Splunk - Vulners App

The Vulners Application for Splunk lets you use Splunk as a vulnerability assessment platform and security scanner.

Notes

  • The current distribution was created in a single-machine environment and tested in a simple installation with one indexer and one search head on the same machine. As a result it is a single package that includes parts for all three Splunk components: forwarder, indexer and search head.
  • Although the official Splunk AppInspect documentation states that no index definitions are allowed, this package still ships one for easier use in a single-machine installation. If you run a separate indexer, delete that file and create a new index with the same name on your indexer (step 4 in the installation process below).
  • The installation process below is the straightforward one for a setup without separate indexers and uses the provided package as is. The package has, however, also been tested against generating deployment units; see generate DU for a quick reference.

Installation

Dashboard App

Install

In the Splunk dashboard on your search head go to

Apps -> Install app from file -> choose [vulners-lookup-*.tar.gz](./result/vulners-lookup-0.0.1.tar.gz)

then restart Splunk Enterprise.

Add Vulners-API key

Create vulners index

Since the forwarder app forwards data to the index named vulners, that index has to exist on the system.

Settings -> Indexes -> New Index

Add receiving port

If you are using Splunk for the first time, don't forget to set up a data receiver:

Settings -> Forwarding and receiving -> Configure receiving -> New Receiving port


Forwarder App

Install

Unpack vulners_lookup.tar.gz into $SPLUNK_FORWARDER_HOME/etc/apps/

Python Libs

Install the following Python libraries on the forwarder machines

pip3 install distro getmac ifaddr futures
and then restart the Splunk Forwarder.

Add forward server

If you are installing the forwarder for the first time, you also have to add a forward server.


Usage

Search for packages collected by forwarders

By default the forwarder sends information about installed packages hourly and right after a restart. To see the collected packages, run the search

index=vulners
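As an added illustration, not the app's own collector script, the following shows the kind of event a scripted input feeding index=vulners might emit: an OS fingerprint plus the installed package list, parsed from constructed /etc/os-release and dpkg-query output. The field names and event layout are assumptions, not the app's real schema.

```python
"""Illustrative scripted input for a package inventory index (assumed format).

Emits one JSON event per host listing installed packages, the kind of record
a forwarder would send hourly. Field names are assumptions, not the app's schema.
"""
import json
import socket
import time

# Constructed samples of /etc/os-release and `dpkg-query -W -f='${Package} ${Version}\n'`
OS_RELEASE = 'NAME="Debian GNU/Linux"\nID=debian\nVERSION_ID="11"\n'
DPKG_OUTPUT = (
    "openssl 1.1.1n-0+deb11u5\n"
    "libssl1.1 1.1.1n-0+deb11u5\n"
    "curl 7.74.0-1.3+deb11u11\n"
)


def parse_os_release(text):
    """Parse KEY=VALUE lines, stripping surrounding quotes (what the distro lib reads)."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip().strip('"')
    return info


def parse_dpkg(text):
    """Turn `name version` lines into package dicts; malformed lines are skipped."""
    packages = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            packages.append({"name": parts[0], "version": parts[1]})
    return packages


def build_event(os_release_text, dpkg_text, hostname=None, ts=None):
    """Build the JSON-serialisable event a scripted input would print for Splunk."""
    osinfo = parse_os_release(os_release_text)
    packages = parse_dpkg(dpkg_text)
    return {
        "time": ts if ts is not None else int(time.time()),
        "host": hostname or socket.gethostname(),
        "os": osinfo.get("ID", "unknown"),
        "os_version": osinfo.get("VERSION_ID", "unknown"),
        "package_count": len(packages),
        "packages": packages,
    }


if __name__ == "__main__":
    # A Splunk scripted input indexes whatever is printed to stdout, one event per line.
    print(json.dumps(build_event(OS_RELEASE, DPKG_OUTPUT, "sample-host", 0)))
```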

Run Vulners audit

The Vulners application runs the audit script automatically at 9 o'clock in the morning. Alternatively, you can run the saved search

| savedsearch vulners_report 

All collected data

Using slim

NB: The process of DU creation has been tested and should work without issues. However, no tests have been conducted regarding the use of a deployment server. Any feedback on that would be appreciated.

  • Install slim as described in the instructions (take note of this bug though)
  • Create a package: slim package -o result/ ./vulners-lookup/
  • Partition the package into deployment units: slim partition -o deployment-units/ vulners-lookup-0.0.1.tar.gz
  • Use your deployment server for installation