hammackj / risu

Risu is a Nessus parser that converts the generated reports into an ActiveRecord database, which allows for easy report generation and vulnerability verification.
http://hammackj.github.io/risu
MIT License

reporting and host normalization (getting rid of duplicate Hosts) #50

Closed emory closed 7 years ago

emory commented 12 years ago

Issue

When reporting against Nessus data, a finding such as 'Apache < 2.0.55 Multiple Vulnerabilities' can exist on a number of ports per host, but currently risu will point out every occurrence of a host with a finding, and when that includes TCP ports 80, 443, 8080 and who knows where else, the findings reported will appear inflated and potentially annoy the recipient.

Question/Workarounds?

How should a user of risu write their templates to normalize hosts (hostname or IP address) when running reports like notable_vulnerabilities or technical_findings?

Is there presently a way to do this?

hammackj commented 12 years ago

Currently there is no normalization of this data. Something like this is on my list of things to add, but I really don't have a solution for this at the moment. I am open to any ideas.

The only idea I can come up with is to unique the plugin_id per each host so that only 1 plugin is shown for each host. That could cause some misleading results though in an automated process.

drewbrunson commented 12 years ago

I ran into something like this a couple of years ago for a client that wanted to track output from another product based around Nessus. I resolved it then by assuming that for each unique IP/hostname there should be one or more unique plugin IDs. I also associated each record with a date stamp so that if I subsequently found an identical IP/PluginID pair with a later date I could treat it as a rescan and update rather than add. With this I could have a single IP/hostname referencing multiple unique PluginIDs, each referencing multiple results etc., depending on the IP/Plugin pairing. It's been a couple of years since I looked at the code, but the client was happy with the results. Don't know if this gives you any ideas, but...
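
An added example, not part of the thread and not risu's own code: one way to collapse per-port rows into a single entry per host/plugin pair, as discussed in the comments above, while keeping the port list and treating a later scan date on the same pair as an update. The `Finding` fields, plugin IDs and sample rows are constructed for illustration and are not risu's schema.

```ruby
require 'date'

# Hypothetical row shape; risu's real models and column names may differ.
Finding = Struct.new(:host, :port, :plugin_id, :plugin_name, :scanned_on)

APACHE = 'Apache < 2.0.55 Multiple Vulnerabilities'
# Constructed sample data; plugin IDs 90001/90002 are placeholders.
SAMPLE = [
  Finding.new('10.0.0.5', 80,   90001, APACHE, Date.new(2012, 3, 1)),
  Finding.new('10.0.0.5', 443,  90001, APACHE, Date.new(2012, 3, 1)),
  Finding.new('10.0.0.5', 8080, 90001, APACHE, Date.new(2012, 3, 1)),
  Finding.new('10.0.0.5', 443,  90001, APACHE, Date.new(2012, 4, 1)), # rescan
  Finding.new('10.0.0.9', 80,   90001, APACHE, Date.new(2012, 3, 1)),
  Finding.new('10.0.0.5', 22,   90002, 'Constructed SSH finding', Date.new(2012, 3, 1))
].freeze

# Collapse rows to one entry per (host, plugin_id). The ports are kept as a
# list so per-port detail is not lost, and a repeated pair with a later date
# only moves last_seen forward instead of adding another finding.
def normalize(findings)
  findings.group_by { |f| [f.host, f.plugin_id] }.map do |(host, plugin_id), rows|
    dates = rows.map(&:scanned_on)
    { host: host,
      plugin_id: plugin_id,
      plugin_name: rows.first.plugin_name,
      ports: rows.map(&:port).uniq.sort,
      first_seen: dates.min,
      last_seen: dates.max }
  end
end

# Report view: each plugin once, with the distinct hosts it affects.
def hosts_per_plugin(findings)
  normalize(findings)
    .group_by { |n| n[:plugin_id] }
    .transform_values { |entries| entries.map { |n| n[:host] }.uniq.sort }
end

if __FILE__ == $PROGRAM_NAME
  normalize(SAMPLE).each do |n|
    puts format('%-10s %-6d ports=%-14s last_seen=%s  %s',
                n[:host], n[:plugin_id], n[:ports].join(','),
                n[:last_seen], n[:plugin_name])
  end
end
```

Six raw rows become three reported findings here, and the port list on each entry keeps the detail that a plain unique-on-plugin_id would discard.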