Nessus and Splunk

Introduction

Inspired by my IP360 and Splunk integration project (here and here), I wanted to do the same for Tenable Nessus.  In a previous role I implemented Nessus + SecurityCenter and for the most part had a positive experience.  The interface was modern and I liked that SecurityCenter performed simple load balancing across multiple Nessus scanners.  We didn’t have PVS or LCE as part of our implementation so SecurityCenter was strictly used as a management and reporting tool for our Nessus scanners.  At the same time, the more I used SecurityCenter the more the engineer in me felt I could probably script up something to perform a lot of the same reporting myself.

Nessus is arguably more popular than IP360 given it’s starting cost (free) so I figured there might already be some kind of Splunk integration already available.  I found a couple projects but nothing that did exactly what I was looking for, namely enterprise-level reporting and scoring.

Nessus API

The only API I’ve used is IP360’s so I was excited to check out the Nessus API to see how it differed and to give me more experience writing Python.  The major difference between the two APIs is that Nessus uses a REST API.  So where I was making XML-RPC requests in IP360, I was using HTTP GETs and POSTs to communicate in Nessus.  Overall, I found the REST API simpler to write and easier to understand.  All requests are returned as some kind of XML output, so you simply need to parse the XML data for what you’re looking for.

Nessus Tools

Given one standalone Nessus scanner, I didn’t really need my script to do that much to accomplish my goals.  I just needed it to perform three simple tasks:

  • Download Scan Reports: this downloads the detailed vulnerability reports in XML format
  • Download Scan Templates: this downloads the configurations for each scan
  • Download Plugins to .csv: this downloads all the plugin (vulnerability check) data to a .csv file to be used as a lookup file in Splunk

Given the simplicity of the REST API calls, the hard part was then to parse the XML for the data that I wanted.  Python has a nice XML library that makes this simple enough.  After a bit of time I had something usable.

Below are screenshots of the script in action:

[Nessus Tools help screen]

[Nessus Tools in action]

Here’s some sample output in Splunk-friendly log format:


[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="19506"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="39520"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="45590"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="54615"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="11936"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="25221"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="25221"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-ac3ccc73-298c-f5ed-1aea-0c8e6f322d0da5ec69aa883d1a77" st_name="Big Network" st_policyid="-2" st_policyname="Linux Scan" st_owner="eric" st_target="192.168.1.5,192.168.2.0/24" st_starttime="On Demand" st_rules="n/a" st_timezone="n/a"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-17a11b19-01e3-3db0-ce54-5768a7ee7d9800ae4e40a7721feb" st_name="Windows Network" st_policyid="-1" st_policyname="Windows Scan" st_owner="eric" st_target="192.168.207.134" st_starttime="20140331T153000" st_rules="FREQ=DAILY;INTERVAL=1" st_timezone="US/Central"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-63d1e0a2-dbea-d9e3-d6b3-28b53a49a725a225f8a38373eaf3" st_name="Linux Network" st_policyid="-2" st_policyname="Linux Scan" st_owner="eric" st_target="192.168.207.166,192.168.207.218" st_starttime="On Demand" st_rules="n/a" st_timezone="n/a"

Finally, here’s a sample Splunk dashboard.  I won’t go too much into what each panel means as they’re either self-explanatory or already covered in the IP360 integration posts.  Note that Nessus uses CVSS scoring as opposed to IP360 and its unique scoring formula.  This causes the “Vulnerability Impacts” chart to be less useful since CVSS scores have a maximum limit.

Splunk - Nessus Vulnerability Management Dashboard

Splunk – Nessus Vulnerability Management Dashboard

It was much quicker to write the script and create the Splunk dashboards for Nessus since I already had some good experience doing the same with IP360.  In the future, I’d like to add some drop down menus, pretty it up a bit, and ultimately make it more “enterprise-ready.”


Stuff I recommend:

Web Hosting: SiteGround
ericooi.com is proudly hosted by SiteGround. Performance and customer service are top notch. Quick and easy https implementation via built-in Let's Encrypt integration.

VPN: Private Internet Access
When I'm using a public internet access point, I use Private Internet Access to secure my connections. Easy to use, fast speeds, and no logs.

Cell Phone: Ting
I don't use many minutes or much data since I'm usually on Wi-Fi, making Ting a smart choice. It features nationwide coverage, fast LTE, and pay as you go rates.

1 thought on “Nessus and Splunk

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.