Thursday, November 28, 2013

Vulnerability Data into ELSA

At Security BSides Augusta I released a script that takes output from a variety of vulnerability scanners and imports it into ELSA. I have been meaning to write a blog post about its usage but just haven't gotten around to it. With a couple of days off for the holiday, here it is.

First, the script is called VAtoELSA.py and you can find it in my GitHub account. I have written Nessus-to-ELSA and OpenVAS-to-ELSA scripts in the past. This script combines both of those and adds support for Nmap and Nikto, all in one place.

The script is very straightforward to use. Simply give it a Nessus, OpenVAS, Nmap, or Nikto report in XML format and the IP address of your ELSA server, and you should be off to the races.


$ python VAtoELSA.py -i report.nessus -r nessus -e elsa_ip


Before running the script for the first time you will want to create the SQL and XML files that ELSA needs in order to recognize the syslog output the script produces: the SQL file adds the script's classes and fields to ELSA's MySQL schema, and the XML file holds the syslog-ng parsing patterns that go into ELSA's pattern file. The -s and -x options generate them for you and write them to the current directory.


Usage: VAtoELSA.py [-i input_file | input_file=input_file] [-e elsa_ip | elsa_ip=elsa_ip_address] [-r report_type | --report_type=type] [-s | --create-sql-file] [-x | --create-xml-file] [-h | --help]
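To make the import path concrete, here is an added example of the core of what such a script does: parse a scanner's XML report and emit one syslog line per finding to the ELSA server. This is illustrative code written for this page, not VAtoELSA.py or ELSA's own code. The Nessus and Nmap reports are constructed samples (the element layout follows the real formats, the hosts, ports and plugin IDs are invented), the key=value message layout, the local0 facility and the UDP/514 target are assumptions, and a real importer's field layout has to match the syslog-ng pattern it generates with -x.

```python
# Added example, not VAtoELSA.py: parse Nessus and Nmap XML and turn each
# finding into a syslog line. The key=value layout, facility local0 and the
# UDP/514 target are assumptions; the real script's fields must match the
# syslog-ng pattern it generates with -x.
import socket
import sys
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample reports: layout follows the Nessus v2 and Nmap XML
# formats, but the hosts, ports and plugin IDs are invented.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="weekly">
 <ReportHost name="10.0.0.5">
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
              pluginID="10000" pluginName="Example high finding"/>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
              pluginID="10001" pluginName="Host information"/>
 </ReportHost></Report></NessusClientData_v2>"""

SAMPLE_NMAP = """<nmaprun scanner="nmap"><host>
 <address addr="10.0.0.5" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="6.2"/></port>
  <port protocol="tcp" portid="80"><state state="closed"/></port>
 </ports></host></nmaprun>"""

FIXED_TIME = datetime(2013, 11, 28, 9, 5, 7)  # constructed, for reproducible output

def parse_nessus(xml_text):
    """One dict per ReportItem. Reports from a shared scanner are semi-trusted
    XML; parse those with defusedxml rather than plain ElementTree."""
    findings = []
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        for ri in rh.iter("ReportItem"):
            findings.append({
                "host": rh.get("name"),
                "proto": ri.get("protocol"),
                "port": int(ri.get("port")),
                "svc": ri.get("svc_name"),
                "severity": int(ri.get("severity")),  # Nessus: 0 info .. 4 critical
                "plugin_id": ri.get("pluginID"),
                "name": ri.get("pluginName"),
            })
    return findings

def parse_nmap(xml_text):
    """One dict per open port; closed and filtered ports are skipped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            findings.append({
                "host": addr.get("addr"),
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "svc": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return findings

def _kv(key, value):
    """key=value; values with spaces, quotes or '=' are quoted and escaped so a
    syslog-ng pattern can split the message unambiguously."""
    value = str(value)
    if any(c in value for c in ' "='):
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{key}={value}"

def to_syslog(program, finding, now, hostname="scanner"):
    """RFC 3164 line: <PRI>Mmm dd HH:MM:SS host program: k=v k=v ...
    Facility local0 (16). Nessus severity 4/3/2 maps to err/warning/notice so
    ELSA can filter on syslog severity before the pattern is parsed."""
    sev_map = {4: 3, 3: 4, 2: 5}
    pri = 16 * 8 + sev_map.get(finding.get("severity", 0), 6)  # default: info
    stamp = f"{now:%b} {now.day:>2} {now:%H:%M:%S}"
    body = " ".join(_kv(k, v) for k, v in finding.items())
    return f"<{pri}>{stamp} {hostname} {program}: {body}"

def build_lines(now):
    """Syslog lines for both sample reports, Nessus findings first."""
    lines = [to_syslog("nessus", f, now) for f in parse_nessus(SAMPLE_NESSUS)]
    lines += [to_syslog("nmap", f, now) for f in parse_nmap(SAMPLE_NMAP)]
    return lines

def send_to_elsa(lines, elsa_ip, port=514):
    """Ship the lines to ELSA's syslog-ng listener, one UDP datagram per line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode(), (elsa_ip, port))
    return len(lines)

if __name__ == "__main__":
    lines = build_lines(datetime.now())
    for line in lines:
        print(line)
    if len(sys.argv) > 1:  # usage: python va_syslog.py <elsa_ip>
        send_to_elsa(lines, sys.argv[1])
```

Run without arguments it only prints the lines; with an ELSA IP it sends them. Two things to keep in mind when building the real pattern: every field name in the message must appear in the syslog-ng pattern and in the SQL class definition, and UDP syslog silently drops datagrams under load, so a large scan is better sent over TCP if your ELSA syslog-ng listener accepts it.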


As always I welcome feedback and would be happy to add any more vulnerability assessment tools to it if you have recommendations. I would ask that you send me a sanitized output report file since I might have limited access to the tool.

5 comments:

  1. Hi there, I love seeing new things that interface with ELSA, awesome stuff in your posts. Could you elaborate with more examples on prepping ELSA to import the vuln scan report data? Could you also show a few example commands in the appropriate order to bring more clarity on the proper way to do this with your script? Forgive me but I am also really curious as to how you use your vulnerability report data once it's in ELSA, what is your use case(s)? Doesn't having this data in your ELSA server pose a much larger risk if your ELSA box with this data were to ever be compromised? Just some of my initial questions and thoughts, thanks again for all your work with this!

    Replies
    1. Thanks for the comment. You will need to do two things in order to prep ELSA. First use the -s option with the script. This outputs a SQL file to the current directory. You can use that to alter the MySQL schema with the proper statements. Just run # mysql < va_to_elsa.sql. The file name might be something different but you get the idea. Next you can run the script with the -x option. It will create a file in the current working directory that has the parsing patterns necessary to add to the syslog-ng parsing file. In newer versions of ELSA this is merged.xml. Just copy and paste the contents of that file and add under the pattern tag in the XML.

      The use cases can be varied. I run through some use cases in my Bsides talk. Google 'Eying the Onion' and you will find the video of the talk. In short I think it is valuable to keep configuration data with event data in your environment. So queries like show me all hosts with a vulnerable version of Java that went to a foreign site using the word 'java' in the user agent string.

      Finally, per your question about data posing a risk in ELSA. My answer is that the risk it adds is negligible and is far, far outweighed by the benefit. If you are actively scanning your environment the consolidated listing of vulnerabilities has to be somewhere. (Usually in a PDF or Doc on a network share). Why not put it somewhere it can be leveraged? If you are running ELSA in the common use case, i.e. behind a firewall on your internal network, then if an attacker owns that box chances are they own the rest of the network and you are already sunk :)

