Monday, June 25, 2012

The Details - Plugin Output

Code:
https://github.com/JasonMOliver/Java_Parsers/blob/master/XMLValidate_wPlugOut.java

-----

I have been doing a lot of fix validation and logic validation this week and developed a few tricks along the way. Both use the XMLValidate source, but the second uses an enhanced version of it.

The XMLValidate code is used like this:
java XMLValidate <fileName> <pluginID> [<pluginID> ...]

You can check for more than one pluginID at a time; just keep adding them as arguments to the command.

The output looks like this:

--------
java XMLValidate ScanInput.nessus 30218

PluginID: 30218 was located as item 11903 scanned for in the plugin_set.
----> PluginID 30218 was identified on host 10.10.10.1
----> PluginID 30218 was identified on host 10.10.10.2

Scanned Hosts:
10.10.10.1
10.10.10.2
10.10.10.3
10.10.10.4
10.10.10.5


The first task was to feed in a list of pluginIDs gathered from a set of old scans and see whether they were found in the new scan files. The logic worked like this:

Build a list of the pluginIDs found in the old files and save them to a txt file, one ID per line (this can be done with XMLTable by grabbing the PluginID column).

Then use XMLValidate in the following way:


for i in $(cat nessusIDs.txt); do java XMLValidate New-ScanOutput.nessus $i >> NewScan_Validation.txt; done;

The result is a txt file with the validation results for all of the pluginIDs. Because XMLValidate accepts several pluginIDs on one command line, the whole list can also be passed as arguments in a single run, which parses the scan file once instead of once per ID.

Fairly simple.

---

The next task was a kick-back on a specific PluginID that someone had flagged as a false positive. In this case I needed to know, across the scan files, which machines the pluginID was on and the specifics of what was found and what was searched for on each machine. In Nessus this lives in the plugin_output element of the XML structure.

So, in the code linked above, I modified XMLValidate to print the plugin_output to the screen for each host the vulnerability was found on in the file.

The output looks as follows:

----> PluginID 11936 was identified on host 10.10.10.1
--------->
Remote operating system : CISCO IOS 12.4(19)
Confidence Level : 100
Method : SNMP

The remote host is running CISCO IOS 12.4(19)


This comes in handy when a vulnerability was found on many hosts and you need the details on standard output. For example, you can then grep out the OS and count occurrences.

for i in *.xml; do java XMLValidate_wPlugOut $i 11936 >> Scan_Validation.txt; done;

grep 'Remote operating system :' Scan_Validation.txt | sort | uniq -c


This results in a list of each OS found with a count of each unique value. The field labels are specific to each plugin's output format, so check the plugin_output layout for the plugin in question before building a grep pattern.
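The two checks described above (which hosts carry each pluginID from a list, and the plugin_output behind one pluginID with the OS counts) done in Python against a constructed .nessus file. This is an added example, not the XMLValidate Java code from the post or anything from the linked repository. It assumes the Nessus v2 layout (ReportHost/ReportItem elements with a pluginID attribute and a plugin_output child); the sample scan, the pluginName and output for 30218, and the script and function names are made up for illustration.

```python
"""Check a .nessus file for pluginIDs and pull each host's plugin_output.
Added example (not the post's Java XMLValidate). Assumes the Nessus v2 layout
NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID]/plugin_output."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample in .nessus layout, not a real scan. pluginIDs 11936 and
# 30218 are the ones from the post; the 30218 name and output are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="10.10.10.1">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : CISCO IOS 12.4(19)
Confidence Level : 100
Method : SNMP
</plugin_output>
</ReportItem>
<ReportItem port="161" protocol="udp" severity="2" pluginID="30218" pluginName="constructed check">
<plugin_output>constructed finding on 10.10.10.1</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="10.10.10.2">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : Microsoft Windows Server 2008 R2
Confidence Level : 95
Method : SMB
</plugin_output>
</ReportItem>
<ReportItem port="161" protocol="udp" severity="2" pluginID="30218" pluginName="constructed check">
<plugin_output>constructed finding on 10.10.10.2</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="10.10.10.3">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : CISCO IOS 12.4(19)
Confidence Level : 100
Method : SNMP
</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="10.10.10.4">
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def load_report(xml_text):
    """Parse .nessus text into {host: [(pluginID, plugin_output), ...]}.
    Hosts with no ReportItems are kept so the scanned-host list is complete.
    Scan files come from your own scanner; for untrusted XML use defusedxml."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        hosts[rh.get("name")] = [
            (ri.get("pluginID"), ri.findtext("plugin_output", default="").strip())
            for ri in rh.findall("ReportItem")]
    return hosts


def validate(hosts, plugin_ids):
    """{pluginID: {host: [plugin_output, ...]}}; an ID seen nowhere maps to {}.
    A list per host because one plugin can fire on several ports of a host."""
    found = {pid: defaultdict(list) for pid in plugin_ids}
    for host, items in hosts.items():
        for pid, out in items:
            if pid in found:
                found[pid][host].append(out)
    return {pid: dict(by_host) for pid, by_host in found.items()}


def field_counts(hosts, plugin_id, label):
    """Count the values of a 'label : value' line in one plugin's output across
    all hosts, i.e. the grep 'label' | sort | uniq -c step from the post."""
    counts = Counter()
    for items in hosts.values():
        for pid, out in items:
            if pid == plugin_id:
                for line in out.splitlines():
                    if line.strip().startswith(label):
                        counts[line.strip()[len(label):].strip()] += 1
    return counts


if __name__ == "__main__":
    # Usage: python nessus_validate.py scan.nessus 30218 11936 ...
    # With no arguments the constructed sample above is used.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hosts, ids = load_report(fh.read()), sys.argv[2:]
    else:
        hosts, ids = load_report(SAMPLE_NESSUS), ["30218", "11936"]
    for pid, by_host in validate(hosts, ids).items():
        for host, outputs in sorted(by_host.items()):
            print(f"----> PluginID {pid} was identified on host {host}")
            for out in outputs:
                print("--------->\n" + out)
    print("\nScanned Hosts:\n" + "\n".join(hosts))
    print("\nOS counts:", dict(field_counts(hosts, "11936", "Remote operating system :")))
```

Run with no arguments it uses the embedded sample; given a scan file and a list of pluginIDs it does what the shell loops above do, but parses the file once for all IDs and keeps the outputs in a structure you can count or compare without a second grep pass.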

In the end this was just one more way to work with the Nessus XML data from the command line for speed of analysis. I hope it helps.

cheers
