-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I, too, will look this over, but here is an update regarding what I have done in our environment since my post:

BTW: I noticed that the xml output when using the Windows version of Nessus 3.0.6 is FAR different than what is produced using v 3.0.6 on Solaris via the commandline. Not only are XML tags arranged differently, they are named differently! I spent a month learning XSLT so I could generate html reports grouped and sorted by Risk Factor (part of the Desc element in Windows; part of Data element in Solaris) based upon the xml file format produced by the Windows version. Now I need to start from scratch!!! Arrrrggghhhhhh! (Unless, of course, a newer version comes along and makes them the same <grin>.)

1) Solaris does not have a GTK gui client as stated earlier so I must run nessus from the command line.

2) I can use the Windows GUI client to configure the scan/plugin settings. The Windows GUI client stores the equivalent of the .nessusrc file in the directory "C:\Documents and Settings\<username>\Local Settings\Application Data\Tenable\Nessus Client" in an xml file named policies.xml. This file can be run through an XSLT file to generate a .nessusrc file that can be used on Solaris (or other *nix platform) when running nessus commandline scans. This is actually my next step in simplifying the process of creating separate .nessusrc files for each type of scan I want to perform. When I have finished the XSLT file, I can certainly share it with you. I imagine it will simply create a unix text file (or Windows text file that you can copy/paste into a unix file being edited in VI via an SSH session <grin>) that matches the format required. Shouldn't be too difficult, but I need some uninterrupted time <grin>...

3) Once the .nessusrc-* file is generated, I can use update-nessusrc to generate a "full" .nessusrc style file that lists all available plugins disabled except the ones I desire. You will notice that the pseudo-.nessusrc file generated by the client lists only the plugins you have enabled.
If you use this directly as your .nessusrc file and run nessus from the commandline, you will be greatly disappointed to learn that the .nessusrc file will be overwritten at scan time and ALL available (non-destructive I hope) plugins will be added to it and ENABLED BY DEFAULT (which is by design. After all, if a new plugin comes along, you want it included automatically, right? <grin>). This, of course, means your "quick and specific" scan will take FAR longer to execute than desired, and will produce far different results than expected.

So, what I have done to date:

1) created a directory structure on my Solaris box like this (outside of /opt/nessus) and access is restricted to only those of us with a valid business need to know (least privilege, you know <grin>):

/reports
/reports/results ==> Receives the output files from scans (in xml format in my case. Personal preference.)
/reports/results/html ==> Where I currently place the html reports generated by whatever XSLT file I choose
/reports/targets ==> Contains files that list the IP ranges I wish to scan (john (just my machine <grin>), user.seg.1, etc.)
/reports/profiles ==> Stores the various .nessusrc files I use for different scans (need to EXPORT NESSUSHOME="/reports/profiles" if you want to use the default .nessusrc file)
/reports/saxon8 ==> Contains the saxon8b XSLT engine (java version) so I can use different XSLT's to generate different types of html report files via commandline.
/reports/scripts ==> Contains shell scripts and perl scripts I use to automate things (run_scan takes a profile, targets file, user ID and password, then runs nessus commandline to generate the output file in the format I like (xml) and dumps it into the "/reports/results" directory with a date stamp on it). Eventually, this will be done via crontab... I have a script I use to convert the xml result file using whatever XSLT file I want to generate the html report file.
I find the html results from the basic nessus.xsl file to be somewhat cumbersome so I create XSLT files to view by Risk Factor, by severity (which is different than Risk Factor), by operating system, etc.

2) I downloaded the update-nessusrc perl script mentioned in another post. VERY useful script, thank you dear Author!

3) I created separate profiles for each scan type I wish to perform (sometimes just scanning network segments to see what is there such as Access Points, different (non-standard) O/S's, etc.). These profiles are named appropriately (.nessusrc-os for an O/S scan, etc.)

4) I run update-nessusrc against the individual .nessusrc-* files to update the list of available plugins and turn off all except the ones I want in my scan. (This works well provided you know exactly which plugins you want. I have created a script to update the .nessusrc-os profile I use because I am too lazy to remember all of the syntax to disable all plugins, then enable just the ones I want <grin>)

5) I execute a run_scan script to invoke nessus from commandline using whichever profile I want and whichever set of targets I want.

6) I execute the run_report script to generate the report in the desired html format

> -----Original Message-----
> From: Jeff Chapin [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 22, 2007 12:42 PM
> To: [EMAIL PROTECTED]; [email protected]
> Cc: Olson, John (CTECH)
> Subject: RE: managing scan reports + launching nessus script
>
> Actually, it appears that I may need to find an older copy of Nessus Client, as it appears at first glance that 3.0.0 may not work with these alterations.
>
> The executable is a different name, which is no big deal, but the fact that the “reports_styles” folder appears to be missing tells me this might be an issue…
>
> Jeff
>
> JEFF CHAPIN
> SYSTEM ADMINISTRATOR
> T8DESIGN.COM | P 319.266.7574 - x267 | 877.T8IDEAS | F 888.290.4675
>
> This e-mail, including attachments, is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential, and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, and then please delete it. Thank you.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 22, 2007 12:23 PM
> To: Jeff Chapin; [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: RE: managing scan reports + launching nessus script
>
> Hey Jeff,
>
> (I've included John Olson regarding a prior email that I didn't get to -- info on how I use windows nessus and a batch file to ensure all my reports are in a common location -- sounds like a question you had in a nessus 3.0.6 on solaris thread -- hope it helps -- that info after the xsl info)
>
> If you use the Windows version (NessusGui.exe), these sound very much like just what you're after: Reports are generated by classification. I'm looking into what else I can do, but also will be looking at the new format and possibilities available based on recent similar threads with Renaud.
>
> Changes:
> Original: Option to view by Host, or by Vulnerability
> Added: Option to View by Host or Vulnerability, and further restrict to Holes & Warnings, Just Holes, Just Warnings, and Just Info
>
> This change lets me create just critical, or medium to critical reports, as needed. Info can often be way too much information.
>
> Original: Regardless if addresses were entered as hostname or IP, the result shows only the IP
> Added: info from Plugin ID 12053, so that hostname now shows up in the "View by Host" reports (dependent on Plugin ID 12053 pulling in the info)
>
> This resolves my "which host was that again?" questions, as well as resolving DHCP issues by making the hostname readily available.
>
> Thanks to cmarshall of webmasterworld.com for helping me through the xsl on the hostname!
>
> Extract the following to "C:\Program Files\Tenable\Nessus\report_styles" as the default windows locations. Back up beforehand if necessary, they can't coexist. I don't know of any reason why they couldn't also be used on the Linux side but I haven't investigated that yet. (If someone does, let me know -- I need to test that route out too, and soon)
>
> There was also a recent thread about the report location issue (by John Olson) -- nessus stores report information under the user accounts, which can be less than helpful. Here's the cheesy batch file we use. In brief:
>
> It opens in notepad a file called "Wind.bat" which simply launches windump.exe to packet capture a scan for later analysis in case we have a target host problem. The end user simply gives the files a name/date. It then uses the start command to open the capture in a separate dos window.
> It then launches nessus. When nessus closes, it copies all the captures to a network location (which I've mapped as X).
> It then copies the report data to a neutral location.
> Finally, it copies all the logs to a neutral location. Any client can then import as needed.
>
> %username% is a variable for the logged in user's acct name. The file runs from the all users desktop folder so everyone sees it. Works like a champ. Pause at the end stops it.
>
> @echo off
> @echo Welcome to the Nessus Scanning batch file
> @echo.
> @echo Windump -- Capturing the Scan
> @echo First, edit the wind.bat file to packet capture, by changing the "<file>"
> @echo name, currently "c:\capture\<file>". Do NOT change the "capture"
> @echo directory location, as doing so prevents this batch file from automating
> @echo capture file backup. Capture files will be located at
> @echo \\yourserver\yourshare\Vulnerability_Scanning\Captures.
> @echo.
> @echo Once you are done editing close the file...
> rem Let the user set the capture file name, then start the capture in its own window
> @notepad.exe "C:\Documents and Settings\All Users\Desktop\wind.bat"
> start cmd /k "C:\Documents and Settings\All Users\Desktop\wind.bat"
> @echo Close Nessus when you are done scanning to begin file copy
> rem The batch file waits here until the Nessus GUI is closed
> @"C:\Program Files\Tenable\Nessus\NessusGUI.exe"
> @echo Copying the packet captures....
> @echo.
> @echo.
> rem NOTE: the prompts above say c:\capture but this copies c:\captures;
> rem both must match the path wind.bat writes to
> xcopy /d /e /c /h /y c:\captures\*.* x:\vulnerability_scanning\captures\
> @echo Now copying the Nessus Report raw data (can be imported into any Nessus Installation)
> @echo.
> @echo.
> xcopy /d /e /c /h /y "C:\Documents and Settings\%username%\Tenable\Nessus\reports\*.*" x:\vulnerability_scanning\reports\
> @echo Now copying the Nessus log repository
> @echo.
> @echo.
> xcopy /d /e /c /h /y "C:\Program Files\Tenable\Nessus\logs\*.*" x:\vulnerability_scanning\logs\
> @echo.
> @echo.
> @echo Finished! Exiting happens if you
> pause
>
> (note: \\yourserver\yourshare above, is my "x:\" drive, i.e. "net use x: \\yourserver\yourshare")
>
> Good luck, hope it helps,
> Mike
>
> "John Scherff" <[EMAIL PROTECTED]>
> 10/22/2007 09:54 AM
>
> To: "Jeff Chapin" <[EMAIL PROTECTED]>, <[email protected]>
> cc: <[EMAIL PROTECTED]>
> Subject: RE: managing scan reports
>
> Jeff,
>
> Mike Vasquez has done some really cool stuff in this area. Search the posts for his email address and you'll find some answers, or shoot him a message. Keep the discussion on the list if you can; questions like yours come up often.
>
> John Scherff
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Chapin
> Sent: Monday, October 22, 2007 9:47 AM
> To: [email protected]
> Subject: managing scan reports
>
> Hello all,
> What sort of tools do people use to manage reports generated by Nessus? I used to use NessusWX to filter out what I wanted in the reports, etc, but this tool seems to be discontinued. I would love to be able to report just the critical, and just the medium/etc. Sorting by number of vulnerabilities found would also be a plus.
>
> Thanks,
> Jeff

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
-----END PGP SIGNATURE-----

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
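
The top message notes that a .nessusrc listing only the enabled plugins gets every other plugin added and enabled at scan time. The following is an added example, not code from this thread or from update-nessusrc: it reports which plugins a profile leaves unlisted and writes a profile that pins each of them to "no". The begin(PLUGIN_SET) layout, the sample profile and the plugin IDs other than 12053 are assumptions.

```python
import re

# Constructed sample: a client-generated profile that lists only enabled plugins.
# The begin(...)/end(...) section layout is assumed from the usual .nessusrc format.
SPARSE_RC = """\
begin(SERVER_PREFS)
 max_hosts = 20
end(SERVER_PREFS)
begin(PLUGIN_SET)
 12053 = yes
 90002 = yes
end(PLUGIN_SET)
"""
# Constructed list of every plugin ID the server offers (90001-90003 are made up).
ALL_IDS = [12053, 90001, 90002, 90003]

PLUGIN_LINE = re.compile(r"^\s*(\d+)\s*=\s*(yes|no)\s*$")


def parse_plugin_set(rc_text):
    """Return {plugin_id: enabled} for the PLUGIN_SET section only."""
    plugins, inside = {}, False
    for line in rc_text.splitlines():
        tag = line.strip()
        if tag in ("begin(PLUGIN_SET)", "end(PLUGIN_SET)"):
            inside = tag.startswith("begin")
        elif inside and (m := PLUGIN_LINE.match(line)):
            plugins[int(m.group(1))] = m.group(2) == "yes"
    return plugins


def unlisted_plugins(rc_text, all_ids):
    """Plugins the profile never mentions: the ones added and enabled at scan time."""
    return sorted(set(all_ids) - set(parse_plugin_set(rc_text)))


def pin_plugin_set(rc_text, all_ids):
    """Rewrite PLUGIN_SET so every known plugin is listed, 'no' unless enabled."""
    current = parse_plugin_set(rc_text)
    wanted = {pid for pid, on in current.items() if on}
    out, inside = [], False
    for line in rc_text.splitlines():
        tag = line.strip()
        if tag == "begin(PLUGIN_SET)":
            inside = True
            out.append(line)
            for pid in sorted(set(all_ids) | set(current)):
                out.append(f" {pid} = {'yes' if pid in wanted else 'no'}")
        elif tag == "end(PLUGIN_SET)":
            inside = False
            out.append(line)
        elif not inside:
            out.append(line)  # other sections pass through untouched
    return "\n".join(out) + "\n"
```

A non-empty result from unlisted_plugins() on a profile about to be used for a scan means the scan will run more than the profile shows.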
