Tuesday, February 12, 2013

OpenVAS to ELSA

Introduction

This post will be the first of a series of posts about getting vulnerability assessment data into ELSA. My first stab at this will be taking data from the free, open source vulnerability scanner, OpenVAS. If you don't already know, OpenVAS was forked from Nessus several years ago. It has an open source feed of vulnerabilities called the OpenVAS NVT feed. There is also a commercial feed you can get from Greenbone.

I have created a Python script that will take an OpenVAS scan, formatted in XML, and produce a file in a format that ELSA can easily parse. In addition it can create a .SQL file that you can use to update the schema of the MySQL database that ELSA relies on.

How to


First open up the ELSA web console and hit the drop down box to view the classes. You will see all of the classes that ELSA currently ships with. After we update the database schema we will see a class created for OpenVAS.

After a quick review of the ELSA web console you can go grab the script from Github here.


The OpenVAStoElsa.py script has several options. You can specify the input file (OpenVAS report downloaded in XML format) and the output file (where you want to save the OpenVAS ELSA log to). In addition there is an '-e' flag that allows you to specify what class ID you want to give OpenVAS. ELSA leaves IDs greater than or equal to 10000 for custom classes. Finally, you can use the '-s' flag for telling the script to output a .SQL file with the necessary database changes. You will want to run this only the first time.

# python OpenVAStoELSA.py -i report.xml -s
# mysql < openvas_db_setup.sql
# mv openvas.log /opt/elsa/node/
# cd /opt/elsa/node/
# perl elsa.pl -f openvas.log

The commands above show the steps necessary to get your data into ELSA with the script. (Note: These commands were all done on the Security Onion. If you manually installed ELSA on your own machine, your directories may be different.) Initially, you run the script and specify the input file with the '-i' option and specify that you want the .SQL file with the '-s' flag. Next you pipe the openvas_db_setup.sql file into MySQL to establish the schema. You then copy the log file the script created over to the ELSA node directory. (You can of course point the ELSA script to your log file as well.) ELSA ships with a Perl script for importing log data into ELSA. You run this using the '-f' flag and then specify the log to import. After a few short seconds your log data should be in ELSA!

Design Decisions

As with any project, you have to make a few design decisions along the way. I decided to add five custom fields that were not already in ELSA: CVSS Base Score, OID, Vulnerability Description, Risk Factor and CVE. In addition to its default fields (time stamp, host, program, and class), ELSA gives you six integers (i0-5) and six strings (s0-5). You can read the comments of my script and see how I utilized these fields. If you are familiar with the OpenVAS XML schema you will notice that I did not include absolutely every field in the message part of the log. I tried to include all of the fields which I felt were significant.
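To make the conversion described in the how-to and the field mapping above concrete, here is an added example of my own; it is not the OpenVAStoELSA.py script from the post and not code from the ELSA project. It parses a constructed OpenVAS-style XML fragment and writes one tab-separated line per finding, packing CVSS Base Score into an integer slot (i0, scaled by 10) and OID, description, risk factor and CVE into string slots (s0-s3). The column order (timestamp, host, program, class id, message, i0-i5, s0-s5) and the integer/string assignment are my assumptions, not ELSA's documented import layout, and the OID and CVE values are constructed placeholders. The one defensive detail worth noting is _clean(): scanner-supplied text such as a vulnerability description can contain tabs or newlines, and if those reach a tab/newline-delimited log file they corrupt the record boundaries, so the example collapses all whitespace before writing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CLASS_ID = 10000   # ELSA reserves IDs >= 10000 for custom classes (from the post)
PROGRAM = "openvas"

# Constructed sample shaped like an OpenVAS XML report; not a real scan.
# The OID and CVE are placeholders, and the description deliberately
# contains a tab and a newline to exercise the cleaning step.
SAMPLE_XML = """<report>
  <results>
    <result>
      <host>10.0.0.5</host>
      <port>22/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.999999">
        <name>Example SSH weakness (constructed)</name>
        <cvss_base>7.5</cvss_base>
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0001</cve>
      </nvt>
      <description>Constructed finding\twith a tab and
a newline in it.</description>
    </result>
  </results>
</report>"""


def _clean(text):
    """Collapse whitespace so scanner text cannot break a tab/newline-delimited line."""
    return " ".join((text or "").split())


def parse_results(xml_text):
    """Return one dict per <result> element with the fields the post chose to keep."""
    root = ET.fromstring(xml_text)
    findings = []
    for result in root.iter("result"):
        nvt = result.find("nvt")
        # Sub-elements may be missing in a real report, so every lookup has a default.
        get_nvt = (lambda tag: nvt.findtext(tag)) if nvt is not None else (lambda tag: None)
        findings.append({
            "host": _clean(result.findtext("host")),
            "port": _clean(result.findtext("port")),
            "oid": nvt.get("oid", "") if nvt is not None else "",
            "name": _clean(get_nvt("name")),
            "cvss": float(get_nvt("cvss_base") or 0.0),
            "risk": _clean(get_nvt("risk_factor")),
            "cve": _clean(get_nvt("cve")),
            "description": _clean(result.findtext("description")),
        })
    return findings


def to_elsa_line(finding, ts):
    """Build one tab-separated record.

    Assumed layout (not ELSA's documented format):
    ts, host, program, class_id, msg, i0..i5, s0..s5
    i0 = CVSS base score * 10 (integer slot), s0 = OID, s1 = description,
    s2 = risk factor, s3 = CVE; unused slots are left as 0 / empty.
    """
    msg = f"{finding['host']} {finding['port']} {finding['name']}"
    cvss_x10 = int(round(finding["cvss"] * 10))
    ints = [str(cvss_x10), "0", "0", "0", "0", "0"]
    strs = [finding["oid"], finding["description"], finding["risk"], finding["cve"], "", ""]
    return "\t".join([ts, finding["host"], PROGRAM, str(CLASS_ID), msg] + ints + strs)


def convert(xml_text, ts):
    """Convert a whole report to log text, one record per line."""
    return "\n".join(to_elsa_line(f, ts) for f in parse_results(xml_text))


if __name__ == "__main__":
    now = str(int(datetime.now(timezone.utc).timestamp()))
    print(convert(SAMPLE_XML, now))
```

Run it directly and it prints the single record for the constructed report; point convert() at the text of a real report export and write the result to openvas.log to feed the import step from the how-to.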

Going Forward

As I said earlier, this is the first post of a series on getting your vulnerability assessment data into ELSA. In the very near future I will release a similar script to get Nessus data into ELSA. In addition I will be releasing some code for custom dashboards that you can import into ELSA. These dashboards present vulnerability assessment data in graphical form.
