Monday, June 25, 2012

Patchlink XML to XLS



I had a task this week to create a vulnerability assessment report using Lumension scan results.

I received the output from the tool in a few formats, PDF and XML, and as XML was the only parsable format I set out to turn it into some usable results. This resulted in a few interesting security findings related to this tool that I will talk about later.

Now, up front, I need to give credit to @dhongyt (David Trang), who put most of the work into the engine of this code; while I had the vision and did some tweaking, I would not have finished this fast without his work.

This bit of code is very similar to my tool that works with Nessus: it turns multiple Lumension files (you may know this product under its old name, Harris Patchlink) into an XLS or HTML report.

The command line looks like this:

java XMLPatchlinkReader input.xml > output.[xls/html]

and the end result is a table with the following headers:

Vuln ID, Severity, Name, Description, Solution, CVE, Host(s)

Now the interesting part of this tool.
It would seem Lumension uses the following categories for vulnerabilities:

High, Moderate, Low, Warning

In most tools a 'Warning' at this position in the order would be a note or an informational finding, and for the most part these are, BUT Lumension also mixes in items that have no current fix, and compliance / configuration issues, that would normally fall into the other risk levels.

I personally combined this category of result with the CVSS score from the CVSS database. If you need a quick way to look up this data for a lot of CVE numbers, you can build a lookup table by downloading all the .xml files from the site

and running the following command:

# Pull the entry id and CVSS base score lines out of the NVD XML feeds, strip the
# tags, then pair each CVE with the score that follows it (NA when an entry has none).
grep -h -e '<entry id="' -e '<cvss:score>' *.xml \
  | sed -e 's/.*<entry id="\([^"]*\)".*/\1/' \
        -e 's/.*<cvss:score>\([^<]*\)<\/cvss:score>.*/\1/' \
  | awk '/^CVE-/ { if (id != "") print id ",NA"; id = $0; next }
         { if (id != "") print id "," $0; id = "" }
         END { if (id != "") print id ",NA" }'

This will give you a CSV of CVE number, CVSS score that you can loop through to pull the score for each finding.

Now I would caution you that CVE numbers from before 2000 are a little out of whack with today's view of risk, so make sure to use common sense when adjusting the risk values manually for your scan and environment; but the data is valuable and can be very important if you have a High-risk configuration issue showing up as a Warning.
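As an added example (not the post's code, and not part of the XMLPatchlinkReader tool), here is how the re-rating step can be done once the CVE,score lookup table exists: it reads that CSV, and for each Warning row of the report table proposes a severity from the NVD CVSS v2 bands while leaving the original column untouched and flagging rows whose top-scoring CVE predates 2000 for manual review. The row headers follow the table above; the CVE ids, scores and sample rows are constructed.

```python
import csv
import io

def cvss_to_severity(score):
    """NVD CVSS v2 bands (0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High) on Lumension's names."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"

def parse_cvss_lookup(text):
    """Parse 'CVE-id,score' lines from the lookup table; rows without a numeric score are skipped."""
    lookup = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            try:
                lookup[row[0].strip()] = float(row[1])
            except ValueError:
                pass  # score missing or not a number (e.g. NA)
    return lookup

def rerate_warning(finding, lookup):
    """Copy one report row (headers as in the table above) and add 'Max CVSS' and
    'Proposed Severity'. Only Warning rows are re-rated, and the original Severity
    column is kept so the analyst makes the final call. If the top-scoring CVE
    predates 2000 the row is flagged for manual review rather than re-rated."""
    out = dict(finding)
    out["Max CVSS"] = ""
    out["Proposed Severity"] = finding["Severity"]
    if finding["Severity"] != "Warning":
        return out
    cves = [c.strip() for c in finding["CVE"].replace(";", ",").split(",") if c.strip()]
    scored = [(lookup[c], c) for c in cves if c in lookup]
    if not scored:
        return out  # no CVSS data, so nothing to base a change on
    score, cve = max(scored)
    out["Max CVSS"] = score
    year = int(cve.split("-")[1])
    out["Proposed Severity"] = "Review (pre-2000 CVE)" if year < 2000 else cvss_to_severity(score)
    return out

# Constructed sample data: hypothetical CVE ids and scores, not a real scan or NVD feed.
SAMPLE_LOOKUP = "CVE-2012-1111,9.3\nCVE-2012-2222,2.6\nCVE-1999-3333,7.5\nCVE-2012-4444,NA\n"
SAMPLE_ROWS = [
    {"Vuln ID": "1", "Severity": "Warning", "Name": "Unpatched service", "CVE": "CVE-2012-1111, CVE-2012-2222", "Host(s)": "srv01"},
    {"Vuln ID": "2", "Severity": "Warning", "Name": "Legacy issue", "CVE": "CVE-1999-3333", "Host(s)": "srv02"},
    {"Vuln ID": "3", "Severity": "Warning", "Name": "Config note", "CVE": "", "Host(s)": "srv03"},
]
```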

As always I hope it helps you all out, if you have questions post away or email.

- Also remember, as security professionals it's good to know all of the tools and how to use them, not just one. The world has a lot of vulnerability scanners and it's good to be able to use them all and know the quirks associated with them. Also, this table may be helpful if you are mapping between scanners, as it gives you a matchable field in the CVE number.
