Tag Archives: Tenable SecurityCenter

Tenable.IO VM: connected scanners and asset UUIDs

3 Replies

Tenable.IO VM: connected scanners and asset UUIDs. I have already wrote earlier about new features of Tenable.io VM cloud vulnerability scanner. In this post, I would like to show how Tenable.io cloud service works with Nessus scanner deployed inside your network. Spoiler! Everything is very different from Nessus and Tenable SecurityCenter.

Nessus registration process

I also would like to demonstrate how Nessus creates Asset IDs (Tenable UUIDs) on the the host during authenticated scanning and how can we get this IDs from the scan results.

Continue reading

Installing Nessus for SecurityCenter on laptop

4 Replies

Installing Nessus for SecurityCenter on laptop. The great thing about Tenable SecurityCenter: when you buy it you also get hundreds of licenses for Nessus.  You can google different types of SecurityCenter bundles with “SecurityCenter Continuous View – On Premise” request. “Scanners” here mean SC scanners:

You will need these scanner licenses to deploy Nessus hosts on your network, connect them to your Tenable SecurityCenter and manage scan process using SecurityCenter via graphical user interface or API. Of course, with all the restrictions on amount of IP addresses that you can scan.

At the same time, these Nessus for SecurityCenter servers are fully functional. Technically this servers are the same as Nessus Professional. Nessus for SecurityCenter has the same web interface, where you can create multiple user accounts, manage the scans in GUI and API, scan any amount of IP addresses. Scan data will be stored locally on your Nessus server and your SecurityCenter will not see it or use it in any way. This is really great. And I hope it is a feature and not a bug.

However, there are some differences. Nessus Professional downloads security plugins and makes activation using remote Tenable severs. Nessus for SecurityCenter does these things using SecurityCenter in your network.

So, when you have such a great amount of Nessus licenses you may want to install one on your own laptop. It might be really useful for debugging. For example, when you are developing your own nasl scripts, to enable them in Nessus, you will need to restart it. And you will not probably want to do it on the Nessus server where dozens of scanning jobs are running.

In this post I will try to install Nessus on Centos 7 in VirtualBox, configure port forwarding, activate and update Nessus plugins with SecurityCenter.

Continue reading

Fast comparison of Nessus and OpenVAS knowledge bases

17 Replies

Fast comparison of Nessus and OpenVAS knowledge bases. In my opinion, quality of knowledge base is the most important characteristic of Vulnerability Management (VM) product. Maybe it’s because I have spent significant amount of time making different security content for vulnerability scanners and this is some form of professional deformation. 🙂 The fact is that nowadays we have dozens of VM solutions on the market, which have very different knowledge bases and thus different abilities for detecting vulnerabilities. And really nobody talk about this. I can recommend related post “Tenable doesn’t want to be Tenable anymore” and especially HD Moore’s comment to that post. It describes the reason why nobody interested now in quality of detection. Maximum what we, end-users, can hear from the vendor about it’s knowledge base is an amount of vulnerability checks: 40000-80000 and approximate list of supported systems. There is a massive false belief that detection quality of the products is approximately the same and it’s better talk about dashboards, reports, SIEM-like capabilities. To demonstrate that the difference actually exists I made a pretty primitive comparison of Nessus and OpenVAS knowledge bases.

I chose these two products, mainly because information on their NASL plugins is available at Vulners.com. As I also wrote earlier how you can use easily parse Vulners archives in python, so you can repeat it for yourself. I talked about this topic at Pentestit webinar about Vulners. If you are familiar with Russian, you can also check this out. 😉 The slides for this presentation are available here.

Why I call this comparison fast and primitive? I don’t define the structure of KBs for this product and don’t carefully map one nasl script to another. I suppose it may be a theme for another posts. Instead I am looking at the CVE links. If two scanners detect can the same vulnerabilities, they should have the same CVE links in all the NASL scripts, right? In reality we have a great difference between the products and more than a half of the CVEs can’t be detected by using both of them.

CVE links from NASL plugins

All CVEs: 80196
OpenVAS CVE links: 29240
Nessus CVE links: 35032
OpenVAS vs. Nessus: 3787;25453;9579

Continue reading

Retrieving product expiration dates from Tenable Customer Support Portal

Leave a reply

Retrieving product expiration dates from Tenable Customer Support Portal. I don’t say that it is a rocket science or something, but maybe someone will need to automate Tenable Support portal routine, and here will be a script, which can be used. My own case was to get expiration date for purchased and trial Tenable products. To know in advance when and what products should be bought and updated.

Registered Products

It turned out that getting this data from deployed products via APIs is not as trivial as it sounds, but I will write about this topic next time.

Continue reading

Export anything to Splunk with HTTP Event Collector

15 Replies

Export anything to Splunk with HTTP Event Collector. In a previous post I described how to export Nessus scan reports to Splunk server using standard app. Today let’s see how to export any structured data presented in JSON, including of course Nessus scan reports, to Splunk using HTTP Event Collector.

http event collector Splunk

First of all, we should create new HTTP Event Collector

http://your_splunk_host:8000/en-US/manager/launcher/http-eventcollector

And press “New Token” button

Continue reading

Exporting Nessus scan results to Splunk

6 Replies

Exporting Nessus scan results to Splunk. In this first post I want to write about Splunk and Nessus integration via official “Splunk Add-on for Tenable”: how to install this application, its pros and cons.

Splunk official addon for Nessus

You can download Splunk application package for Tenable Nessus and SecurityCenter from official website here (free registration is required). All documentation is available here.

Continue reading

Tenable SecurityCenter and its API

20 Replies

Tenable SecurityCenter and its API. SecurityCenter is an enterprise level vulnerability management product of Tenable Network Security. As the name implies, the it is designed to be the center of Tenable security infrastructure. SecurityCenter takes data from other Tenable products: Passive Vulnerability Scanner (PVS), Log Correlation Engine (LCE), Nessus, and provides a powerful GUI interface for searching and reporting. Sounds familiar? Well, yes, it is something like SIEM, but with a strong emphasis on Vulnerability Management.

Tenable SecurityCenter 5

I’ve took this screenshot from SC5 video presentation in Spanish.

In this post, I certainly will not fully cover SC functionality and all the features of its API. I just would like to pay tribute to a convenient asset mechanism of SecurityCenter and show very basic operation of SecurityCenter API: retrieving the results of the vulnerability scanning (as I did it for Nessus in “Retrieving scan results through Nessus API“).
Continue reading