Ok - I spent some time with techs in the field this week and found they really need more data about the hosts when working with risk & scans.
So I created XMLVulnStatsV2, which adds the following columns to the table; they may be helpful data about the hosts in addition to the IP address.
The output table now includes:
- Mac Address
- Scan Start Time
Additional data on the core source is below.
The first version of the script, XMLVulnStats.java, will work from a .nessus file or multiple .nessus files and give you the following summary data. This script requires Excel to do some of the front-end math. Because Excel is used, the impact levels can be modified after the fact to gain more accurate results.
The command-line works as follows:
java XMLVulnStats Output.xls *.nessus
The output will be a table with the following columns:
- IP Address
- Total CVSS Count - This totals the CVSS score for all Vulns on the Host
- Critical Count
- High Count
- Medium Count
- Low Count
- None Count
- Host Criticality - Adjustable figure between 100-1000 ranking hosts
- Risk Score - Total CVSS * Host Criticality
- Total Vuln - Total of Critical, High, Med, Low Vulns
- Average CVSS
Note that you will need to set the Host Criticality for your system after the script is run, based on system knowledge. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (i.e. if it's a moderate system, hosts are ranked between 400-600 based on impact: workstations 400, domain controllers 600, etc.).
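To make the column math concrete, here is an added sketch in Python (not the XMLVulnStats Java source, and not the author's code) that derives the same per-host columns from Nessus v2 XML. Assumptions: counts come from each ReportItem's `severity` attribute (0-4), scores from `cvss_base_score`, the average divides by Total Vuln, and `host_rows`, its parameters and the default criticality of 500 are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nessus v2 (.nessus) layout; hosts and findings are made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="10.0.0.5"><HostProperties>
<tag name="host-ip">10.0.0.5</tag>
<tag name="mac-address">00:11:22:33:44:55</tag>
<tag name="HOST_START">Mon Jan  6 09:00:00 2020</tag></HostProperties>
<ReportItem port="445" severity="4" pluginName="A"><cvss_base_score>10.0</cvss_base_score></ReportItem>
<ReportItem port="80" severity="2" pluginName="B"><cvss_base_score>5.0</cvss_base_score></ReportItem>
<ReportItem port="0" severity="0" pluginName="C"/>
</ReportHost>
<ReportHost name="10.0.0.9"><HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
<ReportItem port="22" severity="1" pluginName="D"><cvss_base_score>2.6</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

LEVELS = ["None", "Low", "Medium", "High", "Critical"]  # Nessus severity 0..4

def host_rows(xml_text, criticality=None, default_criticality=500):
    """Return one dict per host with the columns listed in the post."""
    criticality = criticality or {}
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip", host.get("name"))
        counts = dict.fromkeys(LEVELS, 0)
        total_cvss = 0.0
        for item in host.iter("ReportItem"):
            counts[LEVELS[int(item.get("severity", "0"))]] += 1
            # Informational items often carry no score; treat missing as 0.
            total_cvss += float(item.findtext("cvss_base_score") or 0)
        total_vuln = sum(counts[l] for l in LEVELS[1:])
        crit = criticality.get(ip, default_criticality)
        rows.append({
            "IP Address": ip,
            "Mac Address": props.get("mac-address", ""),
            "Scan Start Time": props.get("HOST_START", ""),
            "Total CVSS Count": total_cvss,
            **{f"{l} Count": counts[l] for l in LEVELS},
            "Host Criticality": crit,
            "Risk Score": total_cvss * crit,
            "Total Vuln": total_vuln,
            # Assumption: average is over scored severities, not info items.
            "Average CVSS": total_cvss / total_vuln if total_vuln else 0.0,
        })
    return rows
```

Passing `criticality={"10.0.0.5": 600}` mirrors the manual Host Criticality step: the first sample host then scores 15.0 * 600, while the second falls back to the placeholder default.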