Nessus and Splunk

Introduction

Inspired by my IP360 and Splunk integration project (here and here), I wanted to do the same for Tenable Nessus.  In a previous role I implemented Nessus + SecurityCenter and for the most part had a positive experience.  The interface was modern and I liked that SecurityCenter performed simple load balancing across multiple Nessus scanners.  We didn’t have PVS or LCE as part of our implementation so SecurityCenter was strictly used as a management and reporting tool for our Nessus scanners.  At the same time, the more I used SecurityCenter the more the engineer in me felt I could probably script up something to perform a lot of the same reporting myself.

Nessus is arguably more popular than IP360 given it’s starting cost (free) so I figured there might already be some kind of Splunk integration already available.  I found a couple projects but nothing that did exactly what I was looking for, namely enterprise-level reporting and scoring.

Nessus API

The only API I’ve used is IP360’s so I was excited to check out the Nessus API to see how it differed and to give me more experience writing Python.  The major difference between the two APIs is that Nessus uses a REST API.  So where I was making XML-RPC requests in IP360, I was using HTTP GETs and POSTs to communicate in Nessus.  Overall, I found the REST API simpler to write and easier to understand.  All requests are returned as some kind of XML output, so you simply need to parse the XML data for what you’re looking for.

Nessus Tools

Given one standalone Nessus scanner, I didn’t really need my script to do that much to accomplish my goals.  I just needed it to perform three simple tasks:

  • Download Scan Reports: this downloads the detailed vulnerability reports in XML format
  • Download Scan Templates: this downloads the configurations for each scan
  • Download Plugins to .csv: this downloads all the plugin (vulnerability check) data to a .csv file to be used as a lookup file in Splunk

Given the simplicity of the REST API calls, the hard part was then to parse the XML for the data that I wanted.  Python has a nice XML library that makes this simple enough.  After a bit of time I had something usable.

Below are screenshots of the script in action:

[Nessus Tools help screen]

[Nessus Tools in action]

Here’s some sample output in Splunk-friendly log format:


[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="19506"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="39520"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="45590"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="54615"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="11936"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="25221"
[04/21/2014 15:45:42] name="Scan Report" event_id="10001" vendor="Tenable" product="Nessus" sr_id="e81d741b-0e6a-4776-18ad-47a24e0a13fa1aaf2e568f681b42" sr_report="Scan 2" sr_end="03/31/2014 18:54:07" sr_hostip="192.168.207.218" sr_hostfqdn="nessus-test" sr_hostnetbiosname="" sr_os="Linux Kernel 3.8.0-37-generic on Ubuntu 12.04" sr_pluginid="25221"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-ac3ccc73-298c-f5ed-1aea-0c8e6f322d0da5ec69aa883d1a77" st_name="Big Network" st_policyid="-2" st_policyname="Linux Scan" st_owner="eric" st_target="192.168.1.5,192.168.2.0/24" st_starttime="On Demand" st_rules="n/a" st_timezone="n/a"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-17a11b19-01e3-3db0-ce54-5768a7ee7d9800ae4e40a7721feb" st_name="Windows Network" st_policyid="-1" st_policyname="Windows Scan" st_owner="eric" st_target="192.168.207.134" st_starttime="20140331T153000" st_rules="FREQ=DAILY;INTERVAL=1" st_timezone="US/Central"
[04/21/2014 15:45:42] name="Scan Template" event_id="10002" vendor="Tenable" product="Nessus" st_id="template-63d1e0a2-dbea-d9e3-d6b3-28b53a49a725a225f8a38373eaf3" st_name="Linux Network" st_policyid="-2" st_policyname="Linux Scan" st_owner="eric" st_target="192.168.207.166,192.168.207.218" st_starttime="On Demand" st_rules="n/a" st_timezone="n/a"

Finally, here’s a sample Splunk dashboard.  I won’t go too much into what each panel means as they’re either self-explanatory or already covered in the IP360 integration posts.  Note that Nessus uses CVSS scoring as opposed to IP360 and its unique scoring formula.  This causes the “Vulnerability Impacts” chart to be less useful since CVSS scores have a maximum limit.

Splunk - Nessus Vulnerability Management Dashboard

Splunk – Nessus Vulnerability Management Dashboard

It was much quicker to write the script and create the Splunk dashboards for Nessus since I already had some good experience doing the same with IP360.  In the future, I’d like to add some drop down menus, pretty it up a bit, and ultimately make it more “enterprise-ready.”

Related Posts

Zeekurity Zen – Part IX: How To Update Zeek

Zeekurity Zen – Part IX: How To Update Zeek

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor. Overview In our Zeek journey thus far, we've: Set up Zeek to monitor some network traffic. Used Zeek Package Manager to install packages. Configured Zeek to send logs to Splunk...

Elastic Explained: How-To Guides For The Elastic Stack

Elastic Explained: How-To Guides For The Elastic Stack

Elastic develops the popular log analytics platform, the Elastic Stack, which supports a variety of search, observability, and security use cases through its many out of the box integrations.  It's a great platform for collecting, analyzing, and visualizing data from...

How To Deploy Elastic Agent on macOS with Microsoft Intune

How To Deploy Elastic Agent on macOS with Microsoft Intune

This guide details how to deploy Elastic Agent on macOS using Intune.  For Windows, please use my companion guide. Using Elastic Agent with Elastic SIEM is a great way to secure and monitor your environment.  Not only does it provide full endpoint security...

Transform Your Business & Operate at Peak Efficiency

Contact Us