In response to Zate's question:

I scan ~9000 devices in a monthly cycle. I run 1 Nessus scanner on a 1.0 GHz PIII under Debian Linux.

I deliver monthly reports relating to suspected problems and some next-working-day reports about critical problems to relevant departmental contacts (for multiple departments/network organisational units).

I update Nessus signatures and Nessus if necessary monthly, then restart the Nessus server. After adjusting the plugins config I take a copy of the relevant .nessusrc file that I will be using for batch scans.

I use my own system to automate scanning, written in Perl calling FreeTDS to access remote MS SQL databases. The scripts are run by cron and download the next batch of addresses to scan, run the scan, then upload the results to the SQL database (I parse the NBE format output using Perl). There are some bells and whistles such as reporting, locking, logging and stopping scans that have not completed on time (just in case), of course.
A table in my SQL database is updated regularly with ARP cache data from all the switches so that I can focus on devices that have been live recently on the network. I do not rely on response to ping because many systems do not respond now (XP firewall). Completely blind scanning would waste a huge amount of time. Only scanning registered IP addresses could miss rogue devices. We have an IP device registration database in which registered devices are classified by type etc. I do not only scan for registered devices; however, the database allows me to avoid routinely scanning network infrastructure devices. I can also decide whether to scan a device depending on how recently I scanned it, whether to exclude it for some reason, etc. using SQL data. New results for a host are inserted after any old results are deleted. Scan data is purged from the database if and when it reaches a month old.
I have written a VB program that allows me to select Nessus results for a department or group (or department unknown) from the database (this is possible because of our IP registration database). I can then select records on the basis of risk classification, OS version, IP number, subnet, port, CVE etc. I have a button to make selection of the most concerning records easy. I can then send an email with attached report addressed by default to the correct contact. This stage is semi-automatic so I can review the data and make judgements and include comments in the email (I don't think Nessus can be used well without some experience because it might give advice like "disable this..." without even knowing the context). I use a SQL data driven Excel spreadsheet to give me an overview report and show which departments/groups need to be sent a report this month. When records are emailed out I can flag in the DB which ones have been reported so I don't repeat myself. Departmental contacts can inform me if they have concluded that some IP address/Plugin number combination is providing false positives that they don't want to see again; I can feed that back into my DB to modify how data is selected for subsequent reports.
I have some daily scheduled SQL routines that email me about new items of interest in the data (such as banners saying "drug of choice"), FTP servers running on an unusual port number, etc.
(As you see I have done a lot of stuff myself. I think I started doing some of it before off-the-shelf solutions began to appear. If I was starting again I would do some things differently i.e. make even more use of SQL server. Nevertheless, I doubt that anything off-the-shelf would be as customised or customisable (by me) for my enterprise as what I now have in place.)
--
Carl Nelson
Distributed Systems Support Section, Computer Centre, University of Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
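Carl's Perl/FreeTDS scripts are not shown in the thread. As an added illustration (not his code), the pipeline he describes, parse the NBE output, drop (IP address, plugin number) pairs agreed to be false positives, delete a host's old records before inserting the new ones, then pick the most concerning records for a report, in Python over constructed NBE lines. The NBE field order and severity labels, the placeholder plugin ids and the shape of the suppression list are assumptions.

```python
"""Parse Nessus NBE output, drop agreed false positives, replace a host's old
records, and pick the most concerning findings for a departmental report."""

# Severity labels in the NBE 'results' record, highest first (assumed labels).
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}

def parse_nbe(text):
    """Return one dict per 'results' record; 'timestamps' bookkeeping lines are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|")
        # Assumed layout: results|subnet|host|port|plugin_id|severity|description
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, _subnet, host, port, plugin_id, severity, *desc = fields
        findings.append({"host": host, "port": port, "plugin_id": plugin_id,
                         "severity": severity, "description": "|".join(desc).strip()})
    return findings

def filter_false_positives(findings, suppressed):
    """Drop (host, plugin_id) pairs a departmental contact has flagged as false positives."""
    return [f for f in findings if (f["host"], f["plugin_id"]) not in suppressed]

def replace_host_results(store, findings):
    """Apply the database rule: a host's old records are deleted before new ones go in."""
    for host in {f["host"] for f in findings}:
        store[host] = []
    for f in findings:
        store[f["host"]].append(f)
    return store

def most_concerning(store, min_rank=3):
    """Records at or above min_rank, ordered by severity then host/port for the report."""
    picked = [f for recs in store.values() for f in recs
              if SEVERITY_RANK.get(f["severity"], 0) >= min_rank]
    return sorted(picked, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["port"]))

# Constructed sample NBE output; plugin ids 9000x are placeholders, not real Nessus plugins.
SAMPLE_NBE = """timestamps|||scan_start|Thu Nov  9 14:14:00 2006|
timestamps||10.0.0.5|host_start|Thu Nov  9 14:14:01 2006|
results|10.0.0|10.0.0.5|ssh (22/tcp)|90001|Security Note|An SSH server is running on this port.
results|10.0.0|10.0.0.5|ftp (2121/tcp)|90002|Security Warning|An FTP server is running on a non-standard port.
results|10.0.0|10.0.0.5|smb (445/tcp)|90003|Security Hole|Remote host appears to be missing a critical SMB patch.
results|10.0.0|10.0.0.9|http (80/tcp)|90004|Security Note|HTTP server type and version: Apache/1.3.29
"""

# Usage: one batch's output into an empty store, with the agreed false positive removed.
REPORT = most_concerning(replace_host_results(
    {}, filter_false_positives(parse_nbe(SAMPLE_NBE), {("10.0.0.5", "90002")})))
```

In practice the store would be the SQL table and the suppression set would come from the same database that the contacts' feedback is fed into.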
Good Morning All,
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zate Berg
Sent: 09 November 2006 14:14
To: [email protected]
Subject: Nessus in the Enterprise
I was wondering if anyone could contact me off the list to discuss how they have Nessus setup and deployed in a large network. I am not finding much information on things like reporting and a centralized web interface.
Mainly looking for info such as
* what you run it on,
* how many scanners you use,
* how you manage user access to the scanners,
* do you use a central Web console of some kind? (does a full featured one exist?)
* How do you store your reports?
Thanks :)
--
Zate
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
