Monday, June 25, 2012

Risk Stats V3

Code:
https://github.com/JasonMOliver/Java_Parsers/blob/master/XMLVulnStatsV3.java

-----

Ok - I had an interesting idea to put in some summery data into this report so it ended in a rev 3

Now when you run XMLVulnStatsV3 you will get two extra tables at the bottom with the risk chart. One has summery data on how many unique hosts were scanned and how many failed authentication. Also the items that failed auth are now highlighted pink in the report.

Additionally you get a list of the hosts with OS that failed authentication. Note that this process supports rescans in the set so if you scan a machine 4 times and one authenticated it will not show up in the final list of hosts with failed auth.

Additional data on the core source is below.

---


The first version of the script XMLVulnStats.java will work from a .nessus file or multiple .nessus files and give you the following summery data - this script requires Excel to do some of the front end math. Due to the use of Excel the impact levels can be modified after the fact to gain more accurate results.

The command-line works as follows:

java XMLVulnStatsV3 Output.xls *.nessus

The output will be a table with the following columns

  •  IP Address
  •  Total CVSS Count - This totals the CVSS score for all Vulns on the Host
  •  Critical Count
  •  High Count
  •  Medium Count
  •  Low Count
  •  None Count
  •  Host Criticality - Adjustable figure between 100-1000 ranking hosts
  •  Risk Score - Total CVSS * Host Criticality
  •  Total Vuln - Total of Critical, High, Med, Low Vulns
  •  Average CVSS
  • Scan Depth

Additionally you will get an Average System Risk Level calculation based on the averages for all hosts.

Note that you will need to set the Host Criticality for your system after the script is run based on system knowledge. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (i.e. if its a moderate system hosts are ranked between 400-600 based on impact, workstations 400, domain controllers 600, etc)

Hope you all are having fun with the data - any ideas send them my way.

cheers

JSN

No comments:

Post a Comment