hammackj / risu

Risu is a Nessus parser that converts the generated reports into an ActiveRecord database, which allows for easy report generation and vulnerability verification.
http://hammackj.github.io/risu
MIT License

Tag Name "operating-system" load into DB issue #38

Closed stevelodin closed 12 years ago

stevelodin commented 12 years ago

System: RISU 1.4.6, MySQL 5.5, Ruby 1.9.2 p180

It appears that loading the tag name "operating-system" into the database doesn't work consistently.

Example of hosts.os table from a loaded .nessus file using the MySQL CLI:

mysql> select hosts.os from hosts;
+----------------------------------------------------------------+
| os                                                             |
+----------------------------------------------------------------+
| 2555917                                                        |
| Windows 7 Professional                                         |
| Windows 7 Professional                                         |
| 2525694                                                        |
| 2544893                                                        |
| 2476687                                                        |
| 816093                                                         |
| 2476687                                                        |
| Linux Kernel 2.6 on CentOS 5                                   |
| 2544893                                                        |
| 2555917                                                        |
| Microsoft Windows Server 2008 R2 Standard                      |
| 2530095                                                        |
| Microsoft Windows Server 2003, Standard Edition (English)       |
| 2555917                                                        |

A specific example - host 10.3.11.72

mysql> select hosts.fqdn, hosts.ip, hosts.os from hosts where hosts.fqdn like "%oem%";
+-----------------------------+------------+---------+
| fqdn                        | ip         | os      |
+-----------------------------+------------+---------+
| mah-oem1.corporate.xxxx.com | 10.3.11.72 | 2555917 |
+-----------------------------+------------+---------+
1 row in set (0.00 sec)

mysql>

Those numbers listed in the OS field seem to correspond to a subsequent tag when looking at the raw .nessus file:

general-purpose
Microsoft Windows Server 2003, Enterprise Edition (English)
2507938
2555917
00:50:56:xx:xx:ef
10.3.11.72
mah-oem1.corporate.xxxx.com

I tried another load of the data (risu --config-file test.cfg load_file.nessus) and the same issue occurred so it wasn't a one-time event.

Also, looking at the MAC address field, I see potentially the same problem. Sometimes a MAC address, sometimes a number.

f2:89:0a:xx:xx:15
2525694
00:50:56:xx:xx:44
00:50:56:xx:xx:38
2555917
2555917
00:50:56:xx:xx:c2
00:50:56:xx:xx:72

I've never done Ruby coding, so I haven't really tracked down the error problem. Seems like a parsing issue in the OS field or some of those tags maybe. I don't really have a workaround either.

Thanks for any help here. Steve

stevelodin commented 12 years ago

It wiped out my Nessus xml tags, let's try this again without tag delimiters:

tag name="system-type" -> general-purpose
tag name="operating-system" -> Microsoft Windows Server 2003, Enterprise Edition (English)
tag name="MS11-056" -> 2507938
tag name="MS11-054" -> 2555917
tag name="mac-address" -> 00:50:56:9d:4c:ef

hammackj commented 12 years ago

Thanks for the report. What version of Nessus did you use? I will test that and see if I can reproduce this

stevelodin commented 12 years ago

I am using Nessus version 4.4.1 build 15078, web server version 2.4.14.

Thanks!


hammackj commented 12 years ago

Have you tried re-downloading the report from the Nessus gui? It looks like it may have been corrupt. I cannot recreate this yet.

stevelodin commented 12 years ago

I tried a couple different reloads here.

1) Create new MySQL database
2) Create new tables
3) Load Nessus Data
   a) Use the previous .nessus report files (exported from Nessus web interface with only HIGH vulnerabilities)
   b) Create new .nessus report file with no filters

In both cases for #3), the hosts.os field is incorrect. It appears like it takes the last field between the tag name operating-system and tag name mac-address and sticks that in the hosts.os field. This is always a tag name with an MS Security Bulletin. Some examples from the .nessus report file below:

Fails

Microsoft Windows Server 2008 Service Pack 2
2507938
2555917
2525694 <- this tag gets put in hosts.os field
00:xx:56:xx:xx:xx

Fails

Microsoft Windows XP Professional (English)
2535512
2530548
2544521
2536276
2478663
2476490
2507938
2503665
2555917
2518864
2544893 <- this tag gets put in hosts.os field
00:xx:56:xx:xx:xx

Works

Microsoft Windows Server 2003 Service Pack 2
00:xx:56:xx:xx:xx

Fails

Microsoft Windows Server 2008 R2 Standard
00:50:56:9c:00:44
2556532
2539636
2563894
2478663
2560656
2567680
2507938
2559049
2487367 <- this tag gets put in hosts.mac field
172.16.5.91

Looks like it has something to do with those MS security bulletin tag names. Looking at the code, do they not match and get put into the @valid_ms_patches array?

Thanks for the help.

Steve

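
As an added illustration of the behaviour Steve is describing (example code written here, not risu's own parser): a HostProperties reader that fills each column only on an exact tag-name match, collects the MS bulletin tags separately instead of letting the last one spill into hosts.os or hosts.mac, and a check that flags rows already loaded with that symptom. The XML fragment is constructed from the tag names quoted in this issue; the column names and the `patches` key are assumptions.

```ruby
require 'rexml/document'

# Constructed HostProperties fragment modelled on the tags quoted in this
# issue (sample data, not a real scan export).
SAMPLE_HOST = <<~XML
  <ReportHost name="10.3.11.72">
    <HostProperties>
      <tag name="system-type">general-purpose</tag>
      <tag name="operating-system">Microsoft Windows Server 2003, Enterprise Edition (English)</tag>
      <tag name="MS11-056">2507938</tag>
      <tag name="MS11-054">2555917</tag>
      <tag name="mac-address">00:50:56:9d:4c:ef</tag>
      <tag name="host-ip">10.3.11.72</tag>
      <tag name="host-fqdn">mah-oem1.corporate.xxxx.com</tag>
    </HostProperties>
  </ReportHost>
XML

# Columns filled only by an exact tag-name match. Any other tag (the
# MS11-xxx bulletin tags in particular) must never land in a neighbour's column.
KNOWN_TAGS = {
  'operating-system' => :os,
  'mac-address'      => :mac,
  'host-ip'          => :ip,
  'host-fqdn'        => :fqdn,
  'system-type'      => :system_type
}.freeze

# Parse one ReportHost into a row hash; bulletin tags go to :patches.
def parse_host_properties(xml)
  row = { patches: {} }
  REXML::Document.new(xml).elements.each('ReportHost/HostProperties/tag') do |tag|
    name  = tag.attributes['name']
    value = tag.text.to_s.strip
    col   = KNOWN_TAGS[name]
    if col
      row[col] = value
    elsif name =~ /\AMS\d{2}-\d{3}\z/
      row[:patches][name] = value   # e.g. MS11-056 => KB id
    end                             # unknown tags are dropped, not assigned positionally
  end
  row
end

# Spot rows already loaded with the symptom from this issue: a purely numeric
# OS string, or a MAC column that does not hold a MAC address.
def suspicious_host_row?(row)
  row[:os].to_s.match?(/\A\d+\z/) ||
    !row[:mac].to_s.match?(/\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i)
end
```

Running `suspicious_host_row?` over the existing hosts table is a quick way to count how many rows were affected before reloading.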
hammackj commented 12 years ago

Looking into this will have a patch as soon as I can.

hammackj commented 12 years ago

Can you send me your .nessus file? I cannot seem to recreate this by editing a .nessus file to be like that. I should have a fix soon. I have a hunch on what the issue is, just no way to test it.