Open MarioVilas opened 10 years ago
The OpenVAS plugin still needs more work.
As @MarioVilas says, there are a lot of plugins that are currently not processed and so are ignored.
Another improvement is to create, on the fly, a custom configuration depending on the tools installed on the machine where GoLismero runs. For example: if we are running the nmap plugin, maybe we can feed OpenVAS its results, avoiding duplicate work.
By creating an OpenVAS template on the fly, we can disable a lot of redundant plugins, like the traceroute.
Indeed. I'll create a new ticket for the plugins overlap idea.
Example entry for traceroute results:

```xml
<result id="9b33e09b-0580-4108-a5b5-2cc0d3b1c7ce">
<subnet>192.168.0.27</subnet>
<host>192.168.0.27</host>
<port>general/icmp</port>
<nvt oid="192.168.0.0.4.1.25623.1.0.12264">
<name>Record route</name>
<cvss_base>0.0</cvss_base>
<risk_factor>None</risk_factor>
<cve>NOCVE</cve>
<bid>NOBID</bid>
</nvt>
<threat>Low</threat>
<description>
Here is the route recorded between 192.168.0.25 and 192.168.0.27 : 192.168.0.2. 192.168.0.4. 192.168.0.37. 192.168.0.27. 192.168.0.5. 192.168.0.1. 192.168.0.26.
</description>
<original_threat>Low</original_threat>
<notes/>
<overrides/>
</result>
```
Example portscan results:

```xml
<scan_start>Wed Sep 25 16:08:33 2013</scan_start>
<ports start="1" max="1000">
<port>
ms-wbt-server (3389/tcp)
<host>192.168.0.6</host>
<threat>High</threat>
</port>
<port>
general/tcp
<host>192.168.0.6</host>
<threat>Medium</threat>
</port>
(...)
</ports>
<result_count>
(...crap...)
</result_count>
<results start="1" max="1000">
<result id="2c91159d-adf5-43b8-b36b-b50dbdc5a1a8">
(...etc here go the results...)
```
Example CPE results:

```xml
<result id="562aed52-23ef-403d-9586-5b13f616c03b">
<subnet>192.168.0.27</subnet>
<host>192.168.0.27</host>
<port>general/CPE-T</port>
<nvt oid="192.168.0.0.4.1.25623.1.0.810002">
<name>CPE Inventory</name>
<cvss_base>0.0</cvss_base>
<risk_factor>None</risk_factor>
<cve>NOCVE</cve>
<bid>NOBID</bid>
</nvt>
<threat>Log</threat>
<description>192.168.0.27|cpe:/o:microsoft:windows</description>
<original_threat>Log</original_threat>
<notes/>
<overrides/>
</result>
```
We should also try an authenticated scan against an SSH server, to see what checks OpenVAS performs locally in that case.
Added that for adding new types :)
We're currently discarding the Log results from OpenVAS, since they're not always vulnerabilities, and require manual parsing for each case.
However, a good enhancement would be to recognize at least some of those cases and extract some information from them - for example the traceroute and port scans.
We should also research how much information we can get from the rest of the XML file, since maybe all of the information gathering results can be extracted.
This is especially important considering the fact that OpenVAS already does many things some of our other tools do, and we don't want to force the user to, for example, run port scans twice (once with OpenVAS and once with Nmap) just because we can't parse the results of the OpenVAS port scan.
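The following is an added example of what "recognizing at least some of those cases" could look like; it is not GoLismero's OpenVAS plugin code. It walks an OMP report and pulls out the three informational record types quoted earlier in this thread (the `<ports>` section, the "Record route" traceroute description, and the "CPE Inventory" `host|cpe` description), leaving every other Log result discarded as the plugin does today. The sample report is constructed from the fragments above; the NVT `oid` values in it are placeholders, and the parsers key on the NVT `<name>` because that is the only identifier the thread shows (a real implementation would key on the NVT OID instead).

```python
"""Extract informational findings from an OpenVAS (OMP) report.

Added example, not GoLismero code. Shows how the port-scan, traceroute
and CPE-inventory results quoted in this issue can be turned into
structured data so that other tools do not have to repeat the work.
"""
import re
import xml.etree.ElementTree as ET

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# <ports> labels look like "ms-wbt-server (3389/tcp)" or "general/tcp"
PORT_RE = re.compile(r"^(?P<service>[\w.-]+) \((?P<port>\d+)/(?P<proto>\w+)\)$")
GENERAL_RE = re.compile(r"^general/(?P<proto>\w+)$")
# "Record route" description: "... between <src> and <dst> : <hop>. <hop>. ..."
ROUTE_RE = re.compile(rf"between ({IPV4}) and ({IPV4})\s*:\s*(.*)", re.S)

# Constructed sample assembled from the fragments quoted in this thread.
# The NVT oid attributes are placeholders, not real OpenVAS OIDs.
SAMPLE_REPORT = """<report>
<ports start="1" max="1000">
<port>
ms-wbt-server (3389/tcp)
<host>192.168.0.6</host>
<threat>High</threat>
</port>
<port>
general/tcp
<host>192.168.0.6</host>
<threat>Medium</threat>
</port>
</ports>
<results start="1" max="1000">
<result id="9b33e09b-0580-4108-a5b5-2cc0d3b1c7ce">
<host>192.168.0.27</host>
<port>general/icmp</port>
<nvt oid="PLACEHOLDER-OID-1"><name>Record route</name></nvt>
<threat>Low</threat>
<description>
Here is the route recorded between 192.168.0.25 and 192.168.0.27 : 192.168.0.2. 192.168.0.4. 192.168.0.37. 192.168.0.27. 192.168.0.5. 192.168.0.1. 192.168.0.26.
</description>
</result>
<result id="562aed52-23ef-403d-9586-5b13f616c03b">
<host>192.168.0.27</host>
<port>general/CPE-T</port>
<nvt oid="PLACEHOLDER-OID-2"><name>CPE Inventory</name></nvt>
<threat>Log</threat>
<description>192.168.0.27|cpe:/o:microsoft:windows</description>
</result>
</results>
</report>
"""


def parse_port_label(label):
    """Split a <ports> entry label into service/port/proto, or None if unknown."""
    m = PORT_RE.match(label)
    if m:
        return {"service": m.group("service"), "port": int(m.group("port")),
                "proto": m.group("proto")}
    m = GENERAL_RE.match(label)
    if m:  # host-wide finding ("general/tcp"): no specific port number
        return {"service": "general", "port": None, "proto": m.group("proto")}
    return None  # unrecognised label: leave it for manual review


def parse_traceroute(description):
    """'Record route' NVT: return (source, destination, [hops]) or None."""
    m = ROUTE_RE.search(description)
    if not m:
        return None
    src, dst, rest = m.groups()
    return src, dst, re.findall(IPV4, rest)


def parse_cpe(description):
    """'CPE Inventory' NVT: one 'host|cpe' pair per line."""
    pairs = []
    for line in description.strip().splitlines():
        host, sep, cpe = line.strip().partition("|")
        if sep and cpe.startswith("cpe:/"):
            pairs.append((host, cpe))
    return pairs


def extract_info(xml_text):
    """Collect ports, traceroutes and CPEs; record other Log NVTs as skipped."""
    root = ET.fromstring(xml_text)
    info = {"ports": [], "traceroutes": [], "cpes": [], "skipped": []}
    # Only the top-level <ports> section; <result> elements also carry a <port>.
    ports = root.find("ports")
    if ports is not None:
        for port_el in ports.findall("port"):
            parsed = parse_port_label((port_el.text or "").strip())
            if parsed:
                parsed.update(host=port_el.findtext("host"),
                              threat=port_el.findtext("threat"))
                info["ports"].append(parsed)
    for result in root.iter("result"):
        name = result.findtext("nvt/name", "")
        desc = result.findtext("description", "")
        if name == "Record route":
            route = parse_traceroute(desc)
            if route:
                src, dst, hops = route
                info["traceroutes"].append({"src": src, "dst": dst, "hops": hops})
        elif name == "CPE Inventory":
            info["cpes"].extend(parse_cpe(desc))
        elif result.findtext("threat") in ("Log", "None"):
            info["skipped"].append(name)  # still discarded, as the plugin does now
    return info


if __name__ == "__main__":
    print(extract_info(SAMPLE_REPORT))
```

Each parser returns `None` or an empty list on input it does not recognise, so a description format change in a future NVT version degrades to "skipped" rather than to a wrong finding; that is the behaviour you want when the source data is a free-text `<description>` rather than a schema-defined field.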