Re: Aggregating vulnerability report data?

From: Javier Fernández-Sanguino Peña (jfernandez@germinus.com)
Date: Fri Mar 14 2003 - 12:27:48 EST

• Next message: MILES John M: "RE: HW/SW Rogue AP Wireless Detection"
• Previous message: R. DuFresne: "Re: HW/SW Rogue AP Wireless Detection"
• In reply to: ahecker@evilscientist.com: "Aggregating vulnerability report data?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Mensaje citado por ahecker@evilscientist.com:

> Folks,
>
> Been googling for an answer to this for a number of weeks now, but have had
> no success, so I figured I'd toss it out to the forum & see what y'all
> think.

The nessus (-devel) lists are searchable at http://marc.theaimsgroup.com/
(more specifically http://marc.theaimsgroup.com/?l=nessus-devel&r=1&w=2) you
might find it useful to go through the database integration development that is
being implemented for nessus (in the USE_SQL CVS branch).

It currently is possible to take the nessus reports and dump them to a database.
See more on this below.

>
> I've been involved in doing vulnerability assessments (and penetration tests)
> for some time now; I use *both* nessus and ISS Internet Security Scanner, but
> have yet found a way to correlate and aggregate their information into one
> comprehemsive document. The only thing I've seen that even purports to do
> something like this is the HArris STATAnalyzer, but I can't get any real,
> solid info on *it*, either.

Since ISS's tool uses an SQL database (MSDE IIRC) to store the results you can
dump the Nessus results into this same database (using the tools below) and work
from there. Notice that since both Nessus and Internet Scanner do use a common
vulnerability representation (i.e. CVE, cve.mitre.org) it is possible to
generate reports with the information on vulnerabilities found by both scanners
rather easily.

You just need to understand both Nessus E/R schema (see below) and Internet
Scanner's (read the documentation) to work useful SQL queries to correlate both
information.

Of course you can use third party products to correlate this information. But
Nessus support might be lacking in those.

>
> Anyone have any pointers for me? It'd be much appreciated.
>

On the Nessus side:
- For the database information:
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-core/doc/database/?hideattic=0&only_with_tag=NESSUS_SQL#dirlist
- For the tool to extract the information:
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-tools/nessus-extract/?hideattic=0&only_with_tag=NESSUS_SQL

Oh! And if you manage to do something please contribute it to the list :-)

Regards

Javier Fernandez-Sanguino
Security Division
Germinus
 

----------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does. Plug your security holes now!
Download a free 15-day trial of VAM:
http://www2.stillsecure.com/download/sf_vuln_list.html

• Next message: MILES John M: "RE: HW/SW Rogue AP Wireless Detection"
• Previous message: R. DuFresne: "Re: HW/SW Rogue AP Wireless Detection"
• In reply to: ahecker@evilscientist.com: "Aggregating vulnerability report data?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT