LimberDuck / nessus-file-reader

CLI tool and python module which enables you to parse nessus scan files from Nessus and Tenable.SC by (C) Tenable, Inc.
https://limberduck.org
GNU General Public License v3.0

Parsing errors? #12

Open xkillbit opened 1 year ago

xkillbit commented 1 year ago

Hello,

Here is the CLI tool count followed by a script that dumps each Vuln Name by criticality and provides a count. Notice the counts are not the same. In this example, let's focus on just the Criticals: [image]

Nessus web interface for comparison: [image]

As you can see by comparing, the parser does not account for "Unsupported Web Server Detection".

I've attached the dummy data from the scan against the HTB environment, followed by the script used to dump and count each vuln by severity.

dummy_data.zip

import nessus_file_reader as nfr

nessus_scan_file = r"dummy_data.nessus"
root = nfr.file.nessus_scan_file_root_element(nessus_scan_file)

# One dict per tracked risk factor: plugin name -> list of "ip:port" findings.
critical_plugin_tracking = {}
high_plugin_tracking = {}
medium_plugin_tracking = {}
tracking_by_risk = {
    'Critical': critical_plugin_tracking,
    'High': high_plugin_tracking,
    'Medium': medium_plugin_tracking,
}

for report_host in nfr.scan.report_hosts(root):
    report_host_ip = nfr.host.resolved_ip(report_host)
    for report_item in nfr.host.report_items(report_host):
        plugin_id = int(nfr.plugin.report_item_value(report_item, 'pluginID'))
        risk_factor = nfr.plugin.report_item_value(report_item, 'risk_factor')
        plugin_name = nfr.plugin.report_item_value(report_item, 'pluginName')
        port = nfr.plugin.report_item_value(report_item, 'port')

        # print('\t', plugin_id, '\t', risk_factor, '\t', report_host_ip, '\t', plugin_name)
        tracking = tracking_by_risk.get(risk_factor)
        if tracking is None:
            continue  # Low / None / other risk factors are not counted
        # Look the plugin up in the dict for its own risk factor, so a High or
        # Medium plugin seen on a second host is appended, not overwritten.
        tracking.setdefault(plugin_name, []).append(report_host_ip + ':' + port)

for label, tracking in (('CRITICALS', critical_plugin_tracking),
                        ('HIGHS', high_plugin_tracking),
                        ('MEDIUMS', medium_plugin_tracking)):
    print('== {} =='.format(label))
    for plugin_name, findings in tracking.items():
        print(plugin_name, ':', findings)
    # Count is the number of distinct plugin names at this risk factor.
    print('Count:{}\n'.format(len(tracking)))

I would appreciate any help.

xkillbit commented 1 year ago

any update here?

xkillbit commented 1 year ago

any update?

lapolis commented 9 months ago

I guess it's a bit late but... For some reason, in your .nessus file, "Unsupported Web Server Detection" is marked as severity="3" instead of severity="4". Anyway, in a real life scenario, the same host has severity="4" pluginID="97994" pluginName="Microsoft IIS 6.0 Unsupported Version Detection" and hence would be flagged as EoL.

Other than that, both Nessus plugins have the same output.

damian-krawczyk commented 8 months ago

@xkillbit I checked your attachment; it's not reported as Critical, because the nfr CLI reports based on Risk Factor.

https://github.com/LimberDuck/nessus-file-reader/blob/b4cddcf8fd26212b6b7513fc9ba6de0f89270ac5/nessus_file_reader/__main__.py#L159

Risk Factor in your case is High:

<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="34460" pluginName="Unsupported Web Server Detection" pluginFamily="Web Servers">
<cvss3_base_score>10.0</cvss3_base_score>
<cvss_base_score>7.5</cvss_base_score>
<risk_factor>High</risk_factor>

I assume Nessus takes into account <cvss3_base_score>10.0</cvss3_base_score> and shows it as Critical. We would need a similar solution here, like an option to use CVSSv2 or use CVSSv3, then:

  1. If cvss3_base_score exists in the output, check its score and report the level.
  2. If cvss3_base_score does not exist, use CVSSv2 anyway.
Threat Level | CVSS v2.0 (June 2007) | CVSS v3.0 (June 2015) | CVSS v3.1 (June 2019)
Critical     | 10                    | 9.0 - 10.0            | 9.0 - 10.0
High         | 7.0 - 9.9             | 7.0 - 8.9             | 7.0 - 8.9
Medium       | 4.0 - 6.9             | 4.0 - 6.9             | 4.0 - 6.9
Low          | 0.0 - 3.9             | 0.1 - 3.9             | 0.1 - 3.9
Info         |                       | 0.0                   | 0.0

What value do you have set in Nessus for severity_basis? CVSSv2 or CVSSv3?


@lapolis thanks for the input.
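As an added example (not code from the project or from anyone in this thread), the two-step rule above implemented over a constructed ReportHost snippet with xml.etree: the first ReportItem is the plugin 34460 element quoted in the comment, while the second ReportItem, its pluginID 0 and the host address are made up to show the CVSSv2-only fallback.

```python
import xml.etree.ElementTree as ET

# Constructed sample host: plugin 34460 as quoted in this issue (severity="3",
# CVSSv3 10.0, CVSSv2 7.5, risk_factor High) plus a made-up CVSSv2-only item.
SAMPLE_HOST = """<ReportHost name="10.0.0.1">
<ReportItem port="80" protocol="tcp" severity="3" pluginID="34460" pluginName="Unsupported Web Server Detection">
<cvss3_base_score>10.0</cvss3_base_score>
<cvss_base_score>7.5</cvss_base_score>
<risk_factor>High</risk_factor>
</ReportItem>
<ReportItem port="0" protocol="tcp" severity="2" pluginID="0" pluginName="constructed CVSSv2-only plugin">
<cvss_base_score>5.0</cvss_base_score>
<risk_factor>Medium</risk_factor>
</ReportItem>
</ReportHost>"""


def level_from_score(score, basis):
    """Threat level per the table above: CVSSv2 is Critical only at exactly
    10.0 and has no Info (0.0 is Low); CVSSv3 is Critical from 9.0, Info at 0.0."""
    if basis == 'CVSSv2':
        if score == 10.0:
            return 'Critical'
    elif score >= 9.0:
        return 'Critical'
    if score >= 7.0:
        return 'High'
    if score >= 4.0:
        return 'Medium'
    if score > 0.0 or basis == 'CVSSv2':
        return 'Low'
    return 'Info'


def severity_from_cvss(report_item, severity_basis='CVSSv3'):
    """Use cvss3_base_score when severity_basis is CVSSv3 and the plugin has one;
    otherwise fall back to cvss_base_score (CVSSv2); with no score at all keep
    the plugin's own risk_factor."""
    v3 = report_item.findtext('cvss3_base_score')
    v2 = report_item.findtext('cvss_base_score')
    if severity_basis == 'CVSSv3' and v3 is not None:
        return level_from_score(float(v3), 'CVSSv3')
    if v2 is not None:
        return level_from_score(float(v2), 'CVSSv2')
    return report_item.findtext('risk_factor')


def mismatches(host_xml, severity_basis='CVSSv3'):
    """(pluginID, risk_factor, derived level) for items where the two disagree."""
    out = []
    for item in ET.fromstring(host_xml).iter('ReportItem'):
        derived = severity_from_cvss(item, severity_basis)
        if derived != item.findtext('risk_factor'):
            out.append((item.get('pluginID'), item.findtext('risk_factor'), derived))
    return out
```

With severity_basis CVSSv3 the quoted plugin comes out Critical while its risk_factor says High, which is exactly the count difference reported in this issue; with CVSSv2 the two agree.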