One of my passions in information security is finding new ways to look at old problems. Big problems and small problems, doesn’t really matter. I’ve found a really useful way to look at these problems is visualising them. Last year this led me to hack together Burpdot, a Burp Suite log file to Graphviz “DOT” language formatted file for transformation into a graphic. Over the past few months we’ve been spending quite a bit of time with Nessus, and when you’re dumped with tons of hosts and hundreds and hundreds of findings what are you meant to do?
I don’t believe many would argue that the default Nessus web UI is ideal for analysing bulk data. And I’m not the only person to construct something to parse and process Nessus files into HTML/XLS files, you can see Jason Oliver’s work here. Hence, Prenus, the Pretty Nessus .. thing. Combining my love of Nessus, visualisation, and hacking stuff together.
Following the same principles as Burpdot, Prenus simply consumes Nessus version 2 exported XML files, and outputs the data in a few different formats. Initially, I was interested in finding a better way to analyse the results (Personally, I find the the Flash web interface frustrating), so the first output was a collection of static HTML files with Highcharts generated pie and bar graphs.
For example, the below creates a folder called ‘report’ with a bunch of HTML files:
$ prenus -t html -o report *.nessus
Not just wanting to end there, I thought it’d be useful to also generate a simple 2 column CSV formatted output that could be consumed and processed by Afterglow.
$ prenus -t glow *.nessus 46015 (4),10.0.0.5 46015 (4),10.0.0.20 46015 (4),10.0.0.15 53532 (4),10.0.0.5 53532 (4),10.0.0.20 53532 (4),10.0.0.15 ..
But, if piped through Afterglow with our prenus.properties file, and then through Graphviz (in this instance Neato), you get something like this (I had to run this from within the afterglow/src/perl/graph folder):
$ prenus -t glow ~/prenus/*.nessus | ./afterglow.pl -t -c ~/prenus/prenus.properties | neato -v -Tpng -Gnormalize=true -Goutputorder=edgesfirst -o prenus.png
If you prefer a Circos-style graph you can do that too. The circos output mode generates a tab formatted table output which can be consumed by the Circos “TableViewer” tool. Wrapping that together is relatively simple (I use the word simple here lightly, getting Circos working on OS X was a bit of a pain due to GD deps, but, super simple to do on Linux). The following two commands assume the following directory layout:
Executed from within the “tableviewer” folder, the following should create a file called “prenus.png” in the “img” folder.
$ prenus -t circos ~/prenus/*.nessus | bin/parse-table -conf samples/parse-table-01.conf | bin/make-conf -dir data
$ ../../../circos-0.62-1/bin/circos -conf etc/circos.conf -outputfile prenus
Potentially useful for you analysis, or maybe just some prettiness to add to your reports. Any methods or tools that can help dig through stacks of data are pretty useful to us. The above diagram has a few layout issues, so if you want to just analyse your critical severity issues you can include the “-s 4” flag to prenus.
I’ve got an ad-hoc list of enhancements which include:
- 1. Construct an EC2 bootstrap to allow you to deploy this on a throw-away environment so as not having to fight with the damn dependencies like I did
- 2. Look at using d3.js for ALL chart generation instead
- 3. Perhaps just looking at a standalone Rails app for your own deployment (either local, Heroku or whatever)
Let me know what you think, or, just grab the code and have a play yourself: https://github.com/AsteriskLabs/prenus