Tag Archives: bash

Adding custom NASL plugins to Tenable Nessus

Making custom NASL scripts (plugins) for Nessus is a pretty complicated process. Basically, NASL (Nessus Attack Scripting Language) is an internal instrument of Tenable and it seem that they are not really interested in sharing it with the community. The only publicly available official documentation, NASL Reference Guide and NASL2 reference manual, was written at least 13 years ago. Certainly many things changed since then in the actual product.

Adding custom NASL plugins to Tenable Nessus

However, it’s still possible to add custom NASL scripts into the plugin set of your Nessus server. Let’s see how to do it. Everything was tested in the latest Nessus 8.

Continue reading

Assessing Linux Security Configurations with SCAP Workbench

Recently I had a chance to work with OpenSCAP. It’s a set of free and open-source tools for Linux Configuration Assessment and  a collection security content in SCAP (Security Content Automation Protocol) format.

In this post I will write about SCAP Workbench. It is a GUI application that can check the configuration of your local Linux host (or the remote host via ssh; note that agent installation is required), and show the settings that are not comply with some security standard, for example PCI DSS or DISA STIG.

SCAP Workbench PCI DSS CentOS7 localhost

Moreover, you can generate the script for automated remediation. You can also create your own scan profiles based on existing  SCAP content.

Continue reading

Sending FireEye HX data to Splunk

FireEye HX is an agent-based Endpoint Protection solution. Something like an antivirus, but focused on Advanced Persistent Threats (APT). It has an appliance with GUI where you can manage the agents and see information about detected security incidents.

As with any agent-based solution, it’s necessary to ensure that the agents are installed on every supported host in your network. You may also want to analyze the alerts automatically. And for both purposes you can use Splunk. Let’s see how to do it. 😉

FireEye HX appliance login screen

Note, everything bellow is for FireEye Endpoint Security (HX) 4.0.6 and Splunk 7.0.2. If you use some other version, the things may be quite different.

The main idea is following. We should present FireEye hosts and alerts data in JSON format, add some mandatory fields ans send this packages to Splunk using HTTP Event connector. Then we can process it in Splunk like I’ve shown in “How to correlate different events in Splunk and make dashboards“.

Continue reading

Vulchain scan workflow and search queries

This post will be about my Vulnerability Scanner project – Vulchain. Recently I’ve spent couple of my weekends almost exclusively on coding: refactoring the scan engine, creating API and GUI.

Vulchain scan workflow and search queries

I was doing it because of the conferences, where I will be speaking soon:

Pretty intense schedule for a guy who spends most of his time in PyCharm and Linux console. 😉 Very excited! So, it seemed right to add a couple of slides about my project and show that something is already working.

Continue reading

Vulners.com and ranges of dates

I have already wrote earlier how to automatically retrieve data from the Vulners.com vulnerability database: if you need objects of some particular type, it’s better use Collection API, if you want to get different types of objects using advanced queries, your choice is Search API v.3.

But what if we want to get, not all the objects, but only new or modified ones in a some date range? How can we do it in Vulners?

Vulners.com date ranges

Search queries

Each object in Vulners (vulnerability, patch, bulletin, etc.) has a publication date, and modification date. You can see it if you open some Vulners object in json format, for example CVE-2017-6301:

        "published": "2017-02-23T23:59:00",
        "modified": "2017-02-24T14:45:17",

Continue reading