Extract information from OpenVAS, not just vulnerabilities

cr0hn / golismero-legacy

THIS IS A LEGACY VERSION PRESERVED FOR BACKUP, DO NOT USE

http://golismero-project.com

15 stars 4 forks source link

Extract information from OpenVAS, not just vulnerabilities #249

Open MarioVilas opened 10 years ago

MarioVilas commented 10 years ago

We're currently discarding the Log results from OpenVAS, since they're not always vulnerabilities, and require manual parsing for each case.

However, a good enhancement would be to recognize at least some of those cases and extract some information from them - for example the traceroute and port scans.

We should also research how much information we can get from the rest of the XML file, since maybe all of the information gathering results can be extracted.

This is especially important considering the fact OpenVAS already does many things some of our other tools do, and we don't want to force the user to, for example, run port scans twice -once with OpenVAS and once with Nmap- just because we can't parse the results of the OpenVAS port scan.

cr0hn commented 10 years ago

OpenVAS plugin need more work yet.

As @MarioVilas says, there are a lot of plugins that currently are not processes and so, ignored.

Other improvement y to create, on the fly, a custom configuration depending of the installed tools in the install machine of GoLismero. For example: If we running the nmap plugin, maybe, we can feedback OpenVAS with their results, avoiding to do duplicate work.

Creating a OpenVAS template on the fly, we can disable a lot of redundant plugins, like the traceroute.

MarioVilas commented 10 years ago

Indeed. I'll create a new ticket for the plugins overlap idea.

MarioVilas commented 10 years ago

Example entry for traceroute results:

<result id="9b33e09b-0580-4108-a5b5-2cc0d3b1c7ce">
<subnet>192.168.0.27</subnet>
<host>192.168.0.27</host>
<port>general/icmp</port>
<nvt oid="192.168.0.0.4.1.25623.1.0.12264">
<name>Record route</name>
<cvss_base>0.0</cvss_base>
<risk_factor>None</risk_factor>
<cve>NOCVE</cve>
<bid>NOBID</bid>
</nvt>
<threat>Low</threat>
<description>
Here is the route recorded between 192.168.0.25 and 192.168.0.27 : 192.168.0.2. 192.168.0.4. 192.168.0.37. 192.168.0.27. 192.168.0.5. 192.168.0.1. 192.168.0.26.
</description>
<original_threat>Low</original_threat>
<notes/>
<overrides/>
</result>

MarioVilas commented 10 years ago

Example portscan results:

<scan_start>Wed Sep 25 16:08:33 2013</scan_start>
<ports start="1" max="1000">
<port>
ms-wbt-server (3389/tcp)
<host>192.168.0.6</host>
<threat>High</threat>
</port>
<port>
general/tcp
<host>192.168.0.6</host>
<threat>Medium</threat>
</port>

(...)

</ports>
<result_count>

(...crap...)

</result_count>
<results start="1" max="1000">
<result id="2c91159d-adf5-43b8-b36b-b50dbdc5a1a8">

(...etc here go the results...)

MarioVilas commented 10 years ago

Example CPE results:

<result id="562aed52-23ef-403d-9586-5b13f616c03b">
<subnet>192.168.0.27</subnet>
<host>192.168.0.27</host>
<port>general/CPE-T</port>
<nvt oid="192.168.0.0.4.1.25623.1.0.810002">
<name>CPE Inventory</name>
<cvss_base>0.0</cvss_base>
<risk_factor>None</risk_factor>
<cve>NOCVE</cve>
<bid>NOBID</bid>
</nvt>
<threat>Log</threat>
<description>192.168.0.27|cpe:/o:microsoft:windows</description>
<original_threat>Log</original_threat>
<notes/>
<overrides/>
</result>

MarioVilas commented 10 years ago

We should also try an authenticated scan against an SSH server, to see what checks does OpenVAS perform locally in that case.

cr0hn commented 10 years ago

Added that for add new types :)