Tuesday, February 19, 2013

Nessus Dashboard

It is an understatement to say that data visualization is important. Fortunately, ELSA comes with dashboard functionality built on the Google Visualization API. I have created a sample Nessus dashboard that uses the Nessus class I created in the previous blog post. I did not create it to handle every need of your vulnerability management program, but I did build some charts with what I consider important information worth highlighting, using a sampling of the available chart types. As always, you can get this dashboard here.

After you have downloaded and saved nessus_dashboard.txt from my Github repo, you will want to import it into ELSA. To do this, open the nessus_dashboard.txt text file and copy all of the text in it (Ctrl-A). Next, from the ELSA console click the ELSA menu button in the top left and select Dashboards.

Select Create/import new dashboard. A box comes up that prompts you for a Title, Alias and Auth, and then offers the option to paste your dashboard in for importing. The import box looks small, but don't worry: if you paste all the text from the dashboard file into it, it will work fine.

A new dashboard has now been created. Under the Action drop-down box select View, and your Nessus dashboard should open in a new tab. The dashboard I created has six charts; I will briefly cover each one. The top chart is a column chart that shows the ports found open in a Nessus scan. I got this information by querying for Nessus ID (nid) 22964. I maximized this chart by selecting the 'Maximize' option when editing it. Notice that the port numbers show up on the bars and the frequency of occurrence is along the y-axis.


Next I have a pie chart that shows the count of vulnerabilities by severity. In the Nessus world severity is determined by CVSS score; severity 3 is the highest and 0 is the lowest. This may be a bug, or more likely I did something wrong, but I could not get my title to show on this pie chart. If anyone knows how to fix this please let me know. In the chart below you see that the most common severity is 1 (blue), followed by 3 (red), 0 (green) and 2 (orange).


Directly below the pie chart is an area graph that shows high severity Adobe Reader vulnerabilities by host IP address. Below that is a similar chart, but this time a bar chart for Oracle Java vulnerabilities. Notice how the host IP address shows up when you hover over each bar or column. This can be helpful if you have a lot of hosts.


A couple of things to note here. I have a single query per chart, but there is nothing stopping you from including multiple queries on one chart as long as they have the same 'groupby:' parameter. It might make sense to do a single chart with multiple third party vulnerabilities graphed on it. You can accomplish this by adding another query when you edit the chart. I have an example of how this might look.


On the ELSA wiki Martin calls out a table chart that is somewhat hidden in the 'More' category when selecting chart types. This table works well if you have a lot of text to display. I have created a table chart below that lists high severity Microsoft Security Bulletins, their associated short summary and their frequency.


Finally, I saved the coolest chart type for last: the gauge chart. This chart is really only practical when the 'groupby' category of your query has fewer than 10 items; any more than that and it is very difficult to see the gauges. Unfortunately, I may have run into the same bug as with the pie chart above, because this chart also will not show its title. Again, if you know why, please let me know and I will get it fixed. The CVSS Base score can be a helpful indicator of a vulnerability's severity, and Nessus also provides a helpful field on whether a public exploit is available. The gauges below show the number of vulnerabilities with a high severity rating (CVSS Base > 7) and a public exploit available, grouped by Nessus ID. The green, orange and red areas on the gauge can be dynamically assigned to values of your choosing. Very cool stuff.



Feel free to experiment, and if you have any good suggestions I would love to hear them. Check back on my Github account; I will post a similar dashboard soon that goes with my OpenVAS class.





Friday, February 15, 2013

Nessus to ELSA


How to

This is the second post in a series on getting vulnerability assessment data into ELSA. This time we tackle the Nessus v2 format. I won't review everything I did in the previous post because the concepts are exactly the same. You can download my Python script from Github here. The commands to run the script are essentially the same:


# python NessustoELSA.py -i report.nessus -s
# mysql < nessus_db_setup.sql
# mv nessus.log /opt/elsa/node/
# cd /opt/elsa/node/
# perl elsa.pl -f nessus.log


Again, this is very similar to the OpenVAS script. Below is a screenshot of a search.






Design Decisions

I tried to tag all the fields from Nessus that I thought were significant. These include host (IP), public exploit available, port, CVSS base score, vulnerability description, severity, etc. I left out the full description and the solution fields. I plan on creating a plugin soon so a user can click the 'Info' link to visit Tenable's website for that information. Stay tuned for the next blog post on performing searches of vulnerability assessment data and creating dashboards.

Tuesday, February 12, 2013

OpenVAS to ELSA

Introduction

This post will be the first of a series of posts about getting vulnerability assessment data into ELSA. My first stab at this will be taking data from the free, open source vulnerability scanner OpenVAS. If you don't already know, OpenVAS was forked from Nessus several years ago. It has an open source feed of vulnerabilities called the OpenVAS NVT feed; there is also a commercial feed you can get from Greenbone.

I have created a Python script that will take an OpenVAS scan formatted in XML and produce a file in a format that ELSA can easily parse. In addition, it can create a .SQL file that you can use to update the schema of the MySQL database that ELSA relies on.

How to


First open up the ELSA web console and hit the drop-down box to view the classes. You will see all of the classes that ELSA currently ships with. After we update the database schema we will see a class created for OpenVAS.

After a quick review of the ELSA web console you can go grab the script from Github here.


The OpenVAStoELSA.py script has several options. You can specify the input file (an OpenVAS report downloaded in XML format) and the output file (where you want to save the OpenVAS ELSA log). In addition, there is an '-e' flag that lets you specify which class ID to give OpenVAS; ELSA reserves IDs greater than or equal to 10000 for custom classes. Finally, you can use the '-s' flag to tell the script to output a .SQL file with the necessary database changes. You will only need to do this the first time.

# python OpenVAStoELSA.py -i report.xml -s
# mysql < openvas_db_setup.sql
# mv openvas.log /opt/elsa/node/
# cd /opt/elsa/node/
# perl elsa.pl -f openvas.log

The commands above show the steps necessary to get your data into ELSA with the script. (Note: these commands were all run on Security Onion. If you manually installed ELSA on your own machine, your directories may be different.) First you run the script, specifying the input file with the '-i' option and requesting the .SQL file with the '-s' flag. Next you pipe the openvas_db_setup.sql file into MySQL to establish the schema. You then copy the log file the script created over to the ELSA node directory (you can of course point the ELSA script at your log file wherever it is). ELSA ships with a Perl script for importing log data; you run it with the '-f' flag followed by the log to import. After a few short seconds your log data should be in ELSA!






Design Decisions

As with any project, you have to make a few design decisions along the way. I decided to add five custom fields that were not already in ELSA: CVSS Base Score, OID, Vulnerability Description, Risk Factor and CVE. In addition to its default fields (time stamp, host, program and class), ELSA gives you six integers (i0-5) and six strings (s0-5). You can read the comments in my script to see how I utilized these fields. If you are familiar with the OpenVAS XML schema you will notice that I did not include absolutely every field in the message part of the log; I tried to include all of the fields I felt were significant.
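Both this post and the Nessus post above follow the same pattern: parse the scanner's XML and pack the chosen fields into ELSA's fixed i0-i5 and s0-s5 slots. The following is an added example of that pattern, not the author's OpenVAStoELSA.py or NessustoELSA.py; it reads the Nessus v2 format (whose element names are the better documented of the two), and the class id, the slot assignment and the 17-column tab-separated line layout assumed for elsa.pl -f are all my assumptions, as is the constructed sample report.

```python
"""Added example (not the author's NessustoELSA.py / OpenVAStoELSA.py).
Parses a Nessus v2 report and packs each finding into ELSA's i0-i5 / s0-s5 slots.
Assumed: custom class id 10000, the slot assignment below, and the 17-column
tab-separated layout (ts, host, program, class, msg, i0-i5, s0-s5) for elsa.pl -f."""
import time
import xml.etree.ElementTree as ET

CLASS_ID = 10000   # ELSA reserves ids >= 10000 for custom classes (assumed id)
PROGRAM = "nessus"

# Constructed sample report: one host, one high-severity finding plus one open port.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.5"><HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="12345" pluginName="SMB flaw">
 <synopsis>Remote code execution in SMB</synopsis><cvss_base_score>9.3</cvss_base_score>
 <exploit_available>true</exploit_available><cve>CVE-0000-0001</cve></ReportItem>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection">
 <synopsis>An SSH server is running on this port.</synopsis></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""   # the CVE id is a placeholder

def parse_nessus_v2(xml_text):
    """Yield one dict per ReportItem; optional elements get safe defaults."""
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.iter("ReportItem"):
            yield {
                "host": ip,
                "port": int(item.get("port", "0")),
                "nid": int(item.get("pluginID", "0")),
                "severity": int(item.get("severity", "0")),
                "cvss": float(item.findtext("cvss_base_score") or "0"),
                "exploit": item.findtext("exploit_available") == "true",
                "desc": item.findtext("synopsis") or item.get("pluginName", ""),
                "cve": item.findtext("cve") or "",
            }

def to_elsa_line(f, ts):
    """Slots are integers only, so CVSS is stored x10 (9.3 -> 93); query >7 as >70."""
    ints = [f["port"], f["nid"], f["severity"], int(round(f["cvss"] * 10)), int(f["exploit"]), 0]
    strs = [f["desc"].replace("\t", " "), f["cve"], "", "", "", ""]
    msg = "nid=%d port=%d severity=%d cvss=%.1f exploit=%s %s" % (
        f["nid"], f["port"], f["severity"], f["cvss"], f["exploit"], f["desc"])
    cols = [str(ts), f["host"], PROGRAM, str(CLASS_ID), msg] + [str(i) for i in ints] + strs
    return "\t".join(cols)

def convert(xml_text, ts=None):
    """Return the import lines for a whole report (one per finding)."""
    ts = int(time.time()) if ts is None else ts
    return [to_elsa_line(f, ts) for f in parse_nessus_v2(xml_text)]
```

convert(SAMPLE_NESSUS) returns two 17-column lines; written to nessus.log they would be imported with perl elsa.pl -f nessus.log exactly as in the posts above, once the matching class and field rows exist in the database.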

Going Forward

As I said earlier, this is the first post of a series on getting your vulnerability assessment data into ELSA. In the very near future I will release a similar script to get Nessus data into ELSA. In addition, I will be releasing some code for custom dashboards that you can import into ELSA. These dashboards highlight vulnerability assessment data in graphical format.



