Phillip Rice
2014-09-23 08:09:45 UTC
Hi
I am in the process of developing a Splunk app for OpenVAS and have a couple of questions; hopefully I can get some help :)
I have had a few problems with using the report formats which are already available in OpenVAS; I have ended up using the CSV-Results report and running some transformations to alter the format so it is "~" separated rather than "," due to the inconsistencies with the double quoting around fields etc.
I would like to modify the report in OpenVAS to make it use "~" by default and remove all quotes, but I have not been able to find the required steps/import scripts in the source files. Can anyone help with this?
Secondly, I would like to try and use an alert to trigger the generation and export of the report over a standard TCP stream. It seems the Sourcefire-type connector could be modified to achieve this. Splunk can be set up to listen on any TCP port and accept incoming files/reports. Any help which may lead to being able to test this would be great. Alternatively, if the OpenVAS report can be saved to the local file system using alerts, Splunk can monitor that directory and ingest the report files that way.
Thanks
Phil
Phillip Rice
Information Security Analyst
Trimble Hosting Services
Ipswich - UK
+44 1473 696359
This email may contain confidential information that is intended only for the listed recipient(s) of this email. Any unauthorized review, use, disclosure or distribution is prohibited. If you believe you have received this email in error, please immediately delete this email and any attachments, and inform me via reply e-mail.