If you've been following along in our series on Nessus, you've now learned how to install and configure Nessus, use the vulnerability scanner and incorporate it into your enterprise. If you're like most security practitioners, you're probably now facing a mountain of data, have no time to read through it and are wondering whether using Nessus is really practical for your complex environment. Rest assured there are methods to save you from this madness! In this tip, we'll explore three techniques that may help you get the most out of Nessus and manage the data produced by this valuable tool. We'll look at manipulating output files, parsing data with Perl scripts and creating a Nessus database.

Perhaps the most straightforward way of handling these reports is to manipulate the output files that Nessus produces after each scan. One simple way of doing this is to use the Unix diff command to compare two output files from different scans. Before doing this, you'll want to process them into a more readable format. You can take a raw .nbe file and process it using the following command:

nessus -i example.nbe -o example.nsr

This converts the file into a less verbose format that excludes timestamps and other less relevant data. Once you have these, you'll want to sort the output to facilitate the diff:

sort example.nsr > sorted.nsr

Then, run the diff command on the sorted output files as follows:

diff older_sorted.nsr newer_sorted.nsr

Working with these files can be a bit cumbersome, but this is a good quick-and-dirty approach to comparing Nessus output files.

Scripting in Perl allows you to automate some of these functions. While you could certainly use any scripting language to perform the type of raw-text manipulation described above, choosing Perl allows you to access some powerful library modules through the Comprehensive Perl Archive Network (CPAN) (http://www.cpan.org).

Chief among these is the Parse::Nessus::NBE module, which allows you to quickly perform text processing of NBE output files without writing tedious parsing code. The module may be installed using the following CPAN command:

install Parse::Nessus::NBE

Once you have it installed, you may make use of the following predefined functions in your Perl code by including the statement use Parse::Nessus::NBE in your header:

  • nbanners(@input) returns a list of welcome banners for each system included in the input data.
  • nos(@input) provides a list of operating systems.
  • nports(@input, $port) returns a list of all hosts listening on the specified port.
  • nwebdirs(@input) returns two lists: the first contains all open access Web directories while the second contains those that require authentication.
  • nnfs(@input) returns a list of NFS shares.

Other functions in the module allow you to query by plug-in ID, return a summary count of hosts by operating system and/or service, and provide a summary count by vulnerability.

Creating a Nessus database is the obvious extension to this effort. Once you have Perl scripts that effectively parse the NBE files, you may wish to consider writing the results to a database using Perl's DBI module. If you store historical records of scan results, you'll soon have a treasure trove of vulnerability data combined with the flexibility of SQL queries.
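
The database idea above, and the scan-to-scan comparison described earlier, as an added example that is not part of the original tip: it uses Python and SQLite in place of Perl and DBI, since the tip notes any scripting language will do. The pipe-delimited NBE field layout, the findings table, the scan labels and the sample data (including the plug-in IDs) are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data in the pipe-delimited NBE layout assumed here:
# results|subnet|host|port|plugin_id|severity|description
OLDER_NBE = """timestamps|||scan_start|Mon Jan  2 09:00:00 2006|
results|192.0.2|192.0.2.10|ssh (22/tcp)
results|192.0.2|192.0.2.10|ssh (22/tcp)|90001|Security Note|SSH banner disclosed
results|192.0.2|192.0.2.20|http (80/tcp)|90002|Security Hole|Outdated web server
"""
NEWER_NBE = """timestamps|||scan_start|Mon Jan  9 09:00:00 2006|
results|192.0.2|192.0.2.10|ssh (22/tcp)|90001|Security Note|SSH banner disclosed
results|192.0.2|192.0.2.30|ftp (21/tcp)|90003|Security Warning|Anonymous FTP | enabled
"""

def parse_nbe(text):
    """Yield (host, port, plugin_id, severity, description) per finding."""
    for line in text.splitlines():
        fields = line.split("|", 6)   # description may itself contain '|'
        if fields[0] != "results" or len(fields) < 7:
            continue                  # skip timestamps and bare open-port rows
        _, _, host, port, plugin_id, severity, desc = fields
        yield host, port, int(plugin_id), severity, desc.replace("\\n", "\n")

def load_scan(db, scan_name, text):
    """Store one scan's findings; values are bound, never interpolated."""
    rows = [(scan_name, *f) for f in parse_nbe(text)]
    db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?)", rows)
    return len(rows)

def new_findings(db, older, newer):
    """Findings in `newer` with no matching host/port/plugin in `older`."""
    return db.execute(
        """SELECT host, port, plugin_id, severity FROM findings n
           WHERE scan = ? AND NOT EXISTS (
               SELECT 1 FROM findings o WHERE o.scan = ? AND o.host = n.host
                 AND o.port = n.port AND o.plugin_id = n.plugin_id)
           ORDER BY host, plugin_id""", (newer, older)).fetchall()

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (scan, host, port, plugin_id INTEGER, severity, description)")
    load_scan(db, "2006-01-02", OLDER_NBE)
    load_scan(db, "2006-01-09", NEWER_NBE)
    return db

if __name__ == "__main__":
    db = build_db()
    print("new:", new_findings(db, "2006-01-02", "2006-01-09"))
    print("fixed:", new_findings(db, "2006-01-09", "2006-01-02"))
```

Swapping the two scan labels in new_findings reports findings that disappeared between scans, which is the other half of what the diff approach shows.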

This tip should have you well on your way toward developing a Nessus reporting infrastructure for your organization. The key principle is to be creative! Nessus provides a great deal of raw information that's yours for the taking. Parse, store and manipulate it however you wish to achieve your information security objectives.



ABOUT THE AUTHOR:
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


This was first published in January 2006
