Perhaps the most straightforward way of handling these reports is to simply manipulate the output files that Nessus produces after each scan. One straightforward way of doing this is to use the Unix diff command to compare two output files from different scans. Before doing this, you'll want to first process them into a more readable format. You can take a raw .nbe file and process it using the following commands:
This converts the file into a less verbose format that excludes timestamps and other less relevant data. Once you have these, you'll want to sort the output to facilitate the diff:
Then, run the diff command on the sorted output files as follows:
Working with these files can be a bit cumbersome, but this is a good quick-and-dirty approach to comparing Nessus output files.
Scripting in Perl allows you to automate some of these functions. While you could certainly use any scripting language to perform the type of raw-text manipulation described above, choosing Perl allows you to access some powerful library modules through the Comprehensive Perl Archive Network (CPAN) (http://www.cpan.org).
Chief among these is the Parse::Nessus::NBE module, which allows you to quickly perform text processing of NBE output files without writing tedious parsing code. The module may be installed using the following CPAN command:
Once you have it installed, you may make use of the following predefined functions in your Perl code by including the statement use Parse::Nessus::NBE in your header:
- nbanners(@input) returns a list of welcome banners for each system included in the input data while nos(@input) provides a list of operating systems
- nports(@input, $port) returns a list of all hosts listening on the specified port.
- nwebdirs(@input) returns two lists: the first contains all open access Web directories while the second contains those that require authentication
- nnfs(@input) returns a list of NFS shares
Other functions in the module allow you to query by plug-in ID, return a summary count of hosts by operating system and/or service, and provide a summary count by vulnerability.
Creating a Nessus database is the obvious extension to this effort. Once you have Perl scripts that effectively parse the NBE files, you may wish to consider writing the results to a database using Perl's DBI module. If you store historical records of scan results, you'll soon have a treasure trove of vulnerability data combined with the flexibility of SQL queries.
This tip should have you well on your way toward developing a Nessus reporting infrastructure for your organization. The key principle is to be creative! Nessus provides a great deal of raw information that's yours for the taking. Parse, store and manipulate it however you wish to achieve your information security objectives.
Introduction: What is Nessus?
How to install and configure Nessus
How to run a system scan
How to build an enterprise scanning program
Nessus: Managing data
How to simplify security scans
How to use Nessus with the SANS Top 20
|Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.|
This was first published in January 2006