On Tue, 2002-08-13 at 21:28, Greg wrote:
> I would like to setup Nessus to scan my network using a cronjob, and I wanted 
> the results to be imported into a MySQL database. Has anyone created a similar 
> setup, and if so how would I go about doing it? 

I used to have a huge shell script written in /bin/bash that would grep
through a directory of .NSR files and provide a nice searchable web
interface.  But handling multiple scans on different dates for the same
host became too much of a bear.  So I converted the whole lot to MySQL
and PHP under Apache.  If I had the cycles to spare to make the code a
bit more public, I'd post it, as you could use it out of the box; maybe
later in the year if I find those spare cycles...

I created three tables in database 'nessus':
*       scripts -
        NASL script ID is primary key.
        Has fields for "Category", CVE, script name, and summary.
*       scans -
        Has fields for IP address, scan date, DNS name of host,
        NetBIOS name of host, "pretty name" of host, and a boolean
        flag "latest" that is set only for the most recent scan of
        any given IP address.
*       report -
        There is one "report" record for each line in a .NSR or .NBE
        file.  It has a "scan" field that references table "scans".
        It has a "script" field that references table "scripts" but
        that can be NULL.  And it has generic fields for port number,
        port name, port protocol (enum TCP or UDP), severity
        (enum "Security Warning", ..Note, ..Hole), and then "report"
        (the text nessus generated for that line).

When adding a .NSR or .NBE, the PHP command-line script first walks
through /usr/local/lib/nessus/plugins and parses all of the .NASL files,
updating the "scripts" table with each.  This takes about 4 seconds in
php-4.  There is a static list of "script" records that are
hand-entered, corresponding to the .NES binary scripts as well as those
hard-coded into the nessusd executable.

Then, for each IP address in the .NSR or .NBE, I perform a reverse DNS
lookup to get the FQDN, call out to Samba's 'nmblookup' utility to find
the NetBIOS name, and then compute the "pretty name" which is the
leftmost DNS name component followed in parenthesis by the NetBIOS name
(but only if the two differ).  I save this data in a "scans" record.  If
there is no timestamp line in the .NBE file (e.g. it's a .NSR) then I
use the file creation date of the .NSR to set the scan-date field.

For each line in the .NSR/.NBE corresponding to the IP address in hand,
I split the line by "|" characters, storing the port name/number/proto
and then the report text into several "report" records all pointing to
the corresponding "scans" and "scripts" record.

Finally, after all the .NSR and .NBE have been imported, I made a pass
that sets all of the "latest scan" flags in "scans" to false, save for
the most recent scan, set to true.

The web CGI (a single .php file, actually) has a form at the top where
you pick the category from a drop-down list, enter a script name, host
name or IP, port number, or CVE; and it searches against whatever
criteria you enter (ANDing them all together, while supporting
wildcards) and displays a list of categories (and how many "latest"
reports were found for that category), ditto for test names if a
category was selected from the drop-down, and a list of hosts and scan
dates.  Also shown is a table with columns for severity (hole, warn,
note or general) and rows for port name/number, where security holes are
shown in red, warnings in orange, and so on.  Clicking a port number
adds the port number to the criteria in the search form at top and
auto-resubmits for you.

If the user then clicks on a host or scan date, then the data for that
"scans" entry is appended to the page, sorted by default by severity,
then by host, then by port number; but the user can click on a port
number or host-name to reorganize the output to sort thereby.  Report
text for security holes is shown in red, warnings in orange, etc.,
to make it easily locatable.

Anyway, that's how I wrote my nessus->mysql->wwweb app.  :-)

Kris
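An added example (not Kris's PHP, which was never posted) that shows the import step in the plainest form: parse .NBE lines into records shaped like the "scans" and "report" tables above, with the script reference allowed to be NULL, the port split into name/number/protocol, the severity enum enforced, and the "latest" flag set per IP in a final pass. The .NBE field layout (`results|subnet|host|port|script|type|text`, `timestamps|||scan_start|date|`), the ctime-style date format and the sample lines are all assumptions constructed for this example.

```python
import re
from datetime import datetime

SEVERITIES = ("Security Hole", "Security Warning", "Security Note")  # the enum from the post
# 'ssh (22/tcp)', '8080/tcp' -> name, number, proto; 'general/tcp' is handled separately
PORT_RE = re.compile(r"^(?P<name>[A-Za-z][^\s(/]*)?\s*\(?(?P<num>\d+)/(?P<proto>tcp|udp)\)?$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # assumed format of the NBE timestamp field

# Constructed sample .NBE content (not real scan output).
SAMPLE_NBE = """timestamps|||scan_start|Tue Aug 13 21:28:00 2002|
results|192.168.1|192.168.1.5|ssh (22/tcp)|10267|Security Note|SSH version : SSH-1.99-OpenSSH_3.1
results|192.168.1|192.168.1.5|general/tcp||Security Hole|constructed finding with | a pipe in it
results|192.168.1|192.168.1.5|ftp (21/tcp)|10079|Log Message|not one of the enum values
timestamps|||scan_end|Tue Aug 13 21:30:00 2002|""".splitlines()

def parse_port(field):
    """'ssh (22/tcp)' -> ('ssh', 22, 'TCP'); 'general/tcp' -> ('general', None, 'TCP')."""
    if field.startswith("general/"):
        return "general", None, field.split("/", 1)[1].upper()
    m = PORT_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised port field: {field!r}")
    return m.group("name") or "", int(m.group("num")), m.group("proto").upper()

def parse_nbe(lines, file_mtime=None):
    """Return (scan_date, report_records). file_mtime is the fallback scan date
    when the file has no timestamps line (the .NSR case from the post)."""
    scan_date, reports = file_mtime, []
    for line in lines:
        fields = line.rstrip("\n").split("|", 6)  # keep pipes inside the report text
        if fields[0] == "timestamps" and len(fields) > 4 and fields[3] == "scan_start":
            scan_date = datetime.strptime(fields[4], DATE_FMT)
        elif fields[0] == "results" and len(fields) == 7:
            _, _subnet, host, port, script, severity, text = fields
            if severity not in SEVERITIES:
                continue  # not a value the severity enum accepts; skip rather than guess
            name, num, proto = parse_port(port)
            reports.append({"host": host, "script": int(script) if script else None,
                            "port_name": name, "port": num, "proto": proto,
                            "severity": severity, "report": text})
    return scan_date, reports

def mark_latest(scans):
    """Final pass from the post: 'latest' is True only on the newest scan of each IP."""
    newest = {}
    for s in scans:
        if s["ip"] not in newest or s["scan_date"] > newest[s["ip"]]:
            newest[s["ip"]] = s["scan_date"]
    for s in scans:
        s["latest"] = s["scan_date"] == newest[s["ip"]]
    return scans
```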

