Dealing with Nessus logs

2 Replies

Dealing with Nessus logs. Debugging Nessus scans is a very interesting topic. And it is not very well described even in Tenable University course. It become especially interesting when you see strange network errors in the scan results. Let’s see how we can troubleshoot Nessus scans without sending Nessus DB files to Tenable  (which is, of course, the default way 😉 ).

Nessus Logs

Default logging

Let’s see default Nessus logs. I cleared log nessusd.messages file to have only logs of the latest scan:

# echo "" > /opt/nessus/var/nessus/logs/nessusd.messages

and restarted Nessus:

# /bin/systemctl start nessusd.service

I scan only one host (test-linux-host01, 192.168.56.12) with the Advanced scan profile. No default settings was set.

As you can see from the cpe report, it’s typical Linux host with ssh server:

typical Linux host with ssh

What’s in the logs?

Continue reading

Converting Nmap xml scan reports to json

2 Replies

Converting Nmap xml scan reports to json. Unfortunately, Nmap can not save the results in json. All available output options:

-oN <filespec> (normal output)
-oX <filespec> (XML output)
-oS <filespec> (ScRipT KIdd|3 oUTpuT)
-oG <filespec> (grepable output)
-oA <basename> (Output to all formats)

And processing xml results may not be easy an easy task. Just look how I analyze the contents of the Nessus report in “Parsing Nessus v2 XML reports with python“. Not the most readable code, right? And what alternatives do we have?

Nmap json scan report

Formal XML to json conversion is impossible. Formats are very different. However, there are python modules, for example xmltodict, that can reliably convert XML into Python structures of dictionaries, lists and strings. However, they have to change some names of parameters to avoid collisions. In my opinion this is not a big price for convenience.

So, let’s see how this will work for Nmap command:

nmap -sV -oX nmap_output.xml avleonov.com 1>/dev/null 2>/dev/null

Continue reading

Non-reliable Nessus scan results

5 Replies

Non-reliable Nessus scan results. Do you perform massive unauthenticated vulnerability scans with Nessus? It might be a bad idea. It seems that Nessus is not reliable enough to assess hundreds and thousands of hosts in one scan and can lose some valuable information.

Non-reliable Nessus scan results

The thing is that sometimes Nessus does not detect open ports and services correctly. And without successful service detection it will not launch other vulnerability detection plugins (see Nessus Scan stages in my post about Tenable University ). Scan results for the host will be empty, however in reality it may have some critical vulnerabilities, that you simply will not see!

Upd. When you use Nessus inside your corporate network only, it might not be issue for you. But if you deploy Nessus on some remote hosting to perform regular perimeter scans, emulating attacker’s actions, it’s quite a possibility that you will face such kind of errors. Especially if Nessus and scan targets are placed in different geograpfical locations and it takes many hops for Nessus to reach each target. If you use load balancers in your organisation to increase capacity and reliability of applications, this can also lead to errors.

Anyway, it’s good to know when Nessus was not able to detect services on some hosts and you should not relly on these  scan results. Let’s see how we can figure this out.

Continue reading

Masking Vulnerability Scan reports

Leave a reply

Masking Vulnerability Scan reports. Continuing the series of posts about Kenna (“Analyzing Vulnerability Scan data“, “Connectors and REST API“) and similar services. Is it actually safe to send your vulnerability data to some external cloud service for analysis? Leakage of such information can potentially cause great damage to your organization, right?

Masking Vulnerability Scans

It’s once again a problem of trust to vendor. IMHO, in some cases it may make sense to hide the real hostnames and ip-addresses of the target hosts in scan reports. So, it would be clear for analysis vendor that some critical vulnerability exists somewhere, but it would not be clear where exactly.

To do this, each hostname/ip-address should be replaced to some values of similar type and should be replaced on the same value each time. So the algorithms of Kenna-like service could work with this masked reports. This mean that we need to create a replacement dictionary.

Continue reading

Tenable University: Nessus Certificate of Proficiency

4 Replies

Tenable University: Nessus Certificate of Proficiency. Yesterday I finished “Nessus Certificate of Proficiency” learning plan at Tenable University and passed the final test. Here I would like to share my impressions.

Nessus Certificate test completed

First of all, few words about my motivation. I use Nessus literally every day at work. So, it was fun to check my knowledge. I already wrote about Tenable education portal in “Study Vulnerability Assessment in Tenable University for free” post. It’s free. It’s available for everyone on demand. However, Tenable customers get access to way more content.

At this moment there are four learning plan available for Tenable customers: for Nessus, Tenable.io, SecurityCenter and SecurityCenter Continuous View. Each learning plan consist of short video lessons grouped in courses and the final test.

Continue reading

Kenna Security: Connectors and REST API

1 Reply

Kenna Security: Connectors and REST API. In the last post about Kenna Security cloud service I mentioned their main features for analyzing data from different vulnerability scanners. Now let’s see how to import Tenable Nessus scan results in Kenna. Here you can see the list of connectors for all supported products:

Kenna connectors

Three connectors for Nessus are available:

  • Nessus Importer retrieves existing scan results from your Nessus server.
  • Nessus Scanner can schedule scans on your Nessus server.
  • Nessus XML imports xml (.Nessus2) files.

First two connectors work with Nessus server directly. And they probably won’t work anymore with Nessus Professional 7, because of API removing (see “New Nessus 7 Professional and the end of cost-effective Vulnerability Management (as we knew it)“). If Nessus server is deployed on-premise you should use special Kenna Virtual Tunnel.

Last “Nessus XML” connector is the most flexible. No matter how you got your scan results, it will be possible to import them to Kenna. See how to get XML reports from from Nessus server in a post “Retrieving scan results through Nessus API“.  You can upload XML scan results using Kenna web GUI (not very efficient way, but for testing – why not?) or REST API.

To use Kenna REST API you will need an Application Token. Go to the the Settings menu -> Applications:

Kenna settings

Continue reading

Nessus Manager disappeared and Tenable.io On-Prem was announced

4 Replies

Nessus Manager disappeared and Tenable.io On-Prem was announced. If you open Tenable Products page right now you will not see Nessus Manager there anymore.  Nessus Manager page “The Power of Nessus for Teams” was also deleted.

Tenable products

However, it is still mentioned in the product comparison. Agent-Based Scanning in SecurityCenter and SecurityCenter Continuous View “* Requires Tenable.io Vulnerability Management or Nessus Manager for agent management.”

Continue reading