If you've been following along in our series on Nessus, you've now learned how to install and configure Nessus, use the vulnerability scanner and incorporate it into your enterprise. If you're like most security practitioners, you're probably now facing a mountain of data, have no time to read through it and are wondering whether using Nessus is really practical for your complex environment. Rest assured there are methods to save you from this madness! In this tip, we'll explore three techniques that may help you get the most out of Nessus and manage the data produced by this valuable tool. We'll look at manipulating output files, parsing data with Perl scripts and creating a Nessus database.
Perhaps the most straightforward way of handling these reports is to simply manipulate the output files that Nessus produces after each scan. One straightforward way of doing this is to use the Unix diff command to compare two output files from different scans. Before doing this, you'll want to first process them into a more readable format. You can take a raw .nbe file and process it using the following commands:
<![CDATA[nessus -i example.nbe -o example.nsr]]>
This converts the file into a less verbose format that excludes timestamps and other less relevant data. Once you have these, you'll want to sort the output to facilitate the diff:
<![CDATA[sort example.nsr > sorted.nsr]]>
Then, run the diff command on the sorted output files as follows:
<![CDATA[diff older_sorted.nsr newer_sorted.nsr]]>
Working with these files can be a bit cumbersome, but this is a good quick-and-dirty approach to comparing Nessus output files.
Scripting in Perl allows you to automate some of these functions. While you could certainly use any scripting language to perform the type of raw-text manipulation described above, choosing Perl allows you to access some powerful library modules through the Comprehensive Perl Archive Network (CPAN) (http://www.cpan.org).
Chief among these is the Parse::Nessus::NBE module, which allows you to quickly perform text processing of NBE output files without writing tedious parsing code. The module may be installed using the following CPAN command:
<![CDATA[install Parse::Nessus::NBE]]>
Once you have it installed, you may make use of the following predefined functions in your Perl code by including the statement use Parse::Nessus::NBE in your header:
- nbanners(@input) returns a list of welcome banners for each system included in the input data while nos(@input) provides a list of operating systems
- nports(@input, $port) returns a list of all hosts listening on the specified port.
- nwebdirs(@input) returns two lists: the first contains all open access Web directories while the second contains those that require authentication
- nnfs(@input) returns a list of NFS shares
Other functions in the module allow you to query by plug-in ID, return a summary count of hosts by operating system and/or service, and provide a summary count by vulnerability.
Creating a Nessus database is the obvious extension to this effort. Once you have Perl scripts that effectively parse the NBE files, you may wish to consider writing the results to a database using Perl's DBI module. If you store historical records of scan results, you'll soon have a treasure trove of vulnerability data combined with the flexibility of SQL queries.
This tip should have you well on your way toward developing a Nessus reporting infrastructure for your organization. The key principle is to be creative! Nessus provides a great deal of raw information that's yours for the taking. Parse, store and manipulate it however you wish to achieve your information security objectives.
This tip was originally published on SearchSecurity.com as part of their Nessus technical guide.
NESSUS TECHNICAL GUIDE
Introduction
How to get started
How to run a system scan
How to build an enterprise scanning program
How to manage Nessus reports
How to simplify security scans
How to use Nessus with the SANS Top 20
About the author:
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
