tenable / pyTenable

Python Library for interfacing into Tenable's platform APIs
https://pytenable.readthedocs.io
MIT License
354 stars 173 forks

How to use pluginText filter ? #646

Closed Barnoux closed 1 year ago

Barnoux commented 1 year ago

Hello,

I didn't find any documentation that could help me resolve this. How do you correctly use the pluginText filter, as in the code below?

#!python3
from tenable.sc import TenableSC
import logging
import getpass

if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
    logging.info('Start of program')
    PASSWORD = getpass.getpass(prompt="Please enter your tenable user PASSWORD for barnoux...\n>")
    ip = ''
    username = ''
    # Connection to Tenable.sc API
    sc = TenableSC(ip, port=443)
    sc.login(username, PASSWORD)
    PC_NOT_REBOOT = [result.get('dnsName') for result in sc.analysis.vulns(
        ('pluginID', '=', '35453'),
        ('repositoryIDs', '=', '11'),
        ('lastSeen', '=', '0:7'),
        tool='listvuln')]
    PC_SU_AUGUST = [result for result in sc.analysis.vulns(
        ('pluginID', '=', '93962'),
        ('repositoryIDs', '=', '11'),
        ('lastSeen', '=', '0:7'),
        ('pluginText,', '=', 'Latest effective update level : 08_2022'))]

I got this error: restfly.errors.APIError: [403: POST] https://172.20.37.35:443/rest/analysis body=b'{"type":"regular","response":"","error_code":146,"error_msg":"The filter \'pluginText,\' is invalid (valid filters: acceptedRisk, acceptRiskStatus, assetID, auditFileID, benchmarkName, cceID, cpe, cveID, baseCVSSScore, cvssVector, cvssV3BaseScore, cvssV3Vector, dataFormat, daysMitigated, daysToMitigated, dnsName, exploitAvailable, exploitFrameworks, familyID, firstSeen, iavmID, ip, lastMitigated, lastSeen, mitigatedStatus, msbulletinID, outputAssets, patchPublished, pluginModified, pluginPublished, pluginID, pluginName, pluginText, pluginType, policyID, port, protocol, recastRisk, recastRiskStatus, repositoryIDs, responsibleUserIDs, vulnRoutedUserIDs, vulnRoutingRuleID, severity, solutionID, stigSeverity , tcpport, udpport, uuid, vulnPublished, wasMitigated, xref, vprScore, assetCriticalityRating, hostUUID, assetExposureScore, aesSeverity).\\n","warnings":[],"timestamp":1668531958}\n'

ChadKlunck commented 1 year ago

The error message shows an extra comma in the filter:

The filter \'pluginText,\' is invalid

On the PC_SU_AUGUST line, change:

('pluginText,', '=', 'Latest effective update level : 08_2022')

to

('pluginText', '=', 'Latest effective update level : 08_2022')

Barnoux commented 1 year ago

Thank you and sorry ^^* And if I want to use regex instead, do you know what the syntax is?

aseemsavio commented 1 year ago

@Barnoux Tenable.SC's analysis API does not seem to support regex. Also, the vulns method in pyTenable accepts the following for the filters field:

a list of tuples. Each tuple is broken down into (field, operator, value)

Refer: https://pytenable.readthedocs.io/en/stable/api/sc/analysis.html#tenable.sc.analysis.AnalysisAPI.vulns

Barnoux commented 1 year ago

Thanks a lot for the answers!
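
An added example, not code from the thread or from pyTenable: it rejects a mistyped filter name such as 'pluginText,' before any request is sent, using the valid-filter list from the API error quoted above, and applies the regex to pluginText on the client side, since the answer above says the analysis API does not seem to support regex. The names check_filters and grep_plugin_text and the sample records are hypothetical, and it is an assumption that each returned row carries a pluginText key.

```python
import difflib
import re

# Filter names copied from the "valid filters" list in the API error quoted in the thread.
VALID_FILTERS = frozenset("""
acceptedRisk acceptRiskStatus assetID auditFileID benchmarkName cceID cpe cveID
baseCVSSScore cvssVector cvssV3BaseScore cvssV3Vector dataFormat daysMitigated
daysToMitigated dnsName exploitAvailable exploitFrameworks familyID firstSeen
iavmID ip lastMitigated lastSeen mitigatedStatus msbulletinID outputAssets
patchPublished pluginModified pluginPublished pluginID pluginName pluginText
pluginType policyID port protocol recastRisk recastRiskStatus repositoryIDs
responsibleUserIDs vulnRoutedUserIDs vulnRoutingRuleID severity solutionID
stigSeverity tcpport udpport uuid vulnPublished wasMitigated xref vprScore
assetCriticalityRating hostUUID assetExposureScore aesSeverity
""".split())

# Constructed records standing in for rows returned by sc.analysis.vulns (assumed shape).
SAMPLE_RESULTS = [
    {'dnsName': 'pc-01.example.test', 'pluginText': 'Latest effective update level : 08_2022'},
    {'dnsName': 'pc-02.example.test', 'pluginText': 'Latest effective update level : 06_2022'},
    {'dnsName': 'pc-03.example.test', 'pluginText': None},
]


def check_filters(filters):
    """Return the filters as a list, or raise ValueError naming the bad field."""
    for item in filters:
        if len(item) != 3:
            raise ValueError(f"filter must be (field, operator, value): {item!r}")
        field = item[0]
        if field not in VALID_FILTERS:
            hint = difflib.get_close_matches(field, VALID_FILTERS, n=1)
            tip = f"; did you mean {hint[0]!r}?" if hint else ""
            raise ValueError(f"unknown filter {field!r}{tip}")
    return list(filters)


def grep_plugin_text(results, pattern):
    """Keep only the rows whose pluginText matches the regex (client-side match)."""
    rx = re.compile(pattern)
    return [row for row in results if rx.search(row.get('pluginText') or '')]


if __name__ == '__main__':
    filters = check_filters([('pluginID', '=', '93962'), ('lastSeen', '=', '0:7')])
    # With a live session: results = sc.analysis.vulns(*filters)
    hits = grep_plugin_text(SAMPLE_RESULTS, r'update level : (0[7-9]|1[0-2])_2022')
    print([row['dnsName'] for row in hits])
```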