Wednesday, January 23, 2013

Comparing 2 Nessus Scans

I had to face a challenge today of comparing 2 nessus reports and identifying the progress made towards fixing the vulnerabilities.

First, I used nessus to export each report respectively to a csv file.

Second, I removed the first line of the csv file.

Third, I built 2 tables to accept the input with the following sql respectively:

create table nessusScan1(pluginID INT, CVE VARCHAR(40), CVSS VARCHAR(40), risk VARCHAR(40), ip VARCHAR(40), protocol VARCHAR(40), port INT, name mediumblob, synopsis mediumblob, description mediumblob, solution mediumblob, pluginoutput mediumblob);

create table nessusScan2(pluginID INT, CVE VARCHAR(40), CVSS VARCHAR(40), risk VARCHAR(40), ip VARCHAR(40), protocol VARCHAR(40), port INT, name mediumblob, synopsis mediumblob, description mediumblob, solution mediumblob, pluginoutput mediumblob);

Forth, I inserted the data from the csv file into the respective table:

load data local infile 'Nessus1.csv' into table nessusScan1 fields terminated by ',' enclosed by '"' lines terminated by '\n'; 

load data local infile 'Nessus2.csv' into table nessusScan2 fields terminated by ',' enclosed by '"' lines terminated by '\n'; 

Fifth, I built 2 tables to collect the results of a query due to not wanting to wait for a join:

create table Totals1 (name mediumblob, risk VARCHAR(20), totals INT);

create table Totals2 (name mediumblob, risk VARCHAR(20), totals INT);

Sixth, I populated the table I created with the results of critical and high risk items:

INSERT INTO Totals1 (name, risk, totals) select name, risk, count(DISTINCT ip) AS total FROM nessusScan1 WHERE (risk='Critical' OR risk='High') GROUP BY name ORDER BY risk,total DESC;

INSERT INTO Totals2 (name, risk, totals) select name, risk, count(DISTINCT ip) AS total FROM nessusScan2 WHERE (risk='Critical' OR risk='High') GROUP BY name ORDER BY risk,total DESC;

Seventh, then I was able to do a join on the totals table to see the progress that had been made between the scans (This does not show the new vulnerabilities that were identified in the more recent scan):

SELECT a.name, a.risk, a.totals AS "Totals1", b.totals AS "Totals2" FROM Totals1 a, Totals2 b WHERE a.name=b.name;

There probably is an easier way to accomplish this, however I wanted to document this so I can use it in the future also.

Enjoy...

No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...