Monday, June 25, 2012

Risk Stats V2



Ok - I spent some time with techs in the field this week and found they really need more data about the hosts when working with risk & scans.

So I created XMLVulnStatsV2 this adds in the following columns to the table that may be helpful data about the hosts in addition to the IP address.

The output table now includes
  • FQDN
  • OS
  • Mac Address
  • Scan Start Time
For all the techs looking for a quick view of the set of scans they have conducted this is it.

Additional data on the core source is below.


The first version of the script will work from a .nessus file or multiple .nessus files and give you the following summery data - this script requires Excel to do some of the front end math. Due to the use of Excel the impact levels can be modified after the fact to gain more accurate results.

The command-line works as follows:

java XMLVulnStats Output.xls *.nessus

The output will be a table with the following columns
  •  IP Address
  •  Total CVSS Count - This totals the CVSS score for all Vulns on the Host
  •  Critical Count
  •  High Count
  •  Medium Count
  •  Low Count
  •  None Count
  •  Host Criticality - Adjustable figure between 100-1000 ranking hosts
  •  Risk Score - Total CVSS * Host Criticality
  •  Total Vuln - Total of Critical, High, Med, Low Vulns
  •  Average CVSS
Additionally you will get an Average System Risk Level calculation based on the averages for all hosts.

Note that you will need to set the Host Criticality for your system after the script is run based on system knowledge. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (i.e. if its a moderate system hosts are ranked between 400-600 based on impact, workstations 400, domain controllers 600, etc)



No comments:

Post a Comment