Prenus - The Pretty Nessus .. Thing
This is a quickly hacked together Ruby script that consumes version 2 Nessus files (with the help of an updated ruby-nessus gem) and can output a few different formats, including:
Static HTML files with jQuery Datatables and Highcharts graphs
XLS file (actually an HTML table with an .xls extension) with unique Nessus vulns and associated IPs
Afterglow (afterglow.sourceforge.net/), 2 column CSV files
Circos (circos.ca) tableviewer text file
Hosts information, formatted in a 3 column CSV output
Install the Prenus gem:
gem install prenus
Download the .nessus files from Nessus you want to Prettify (make sure they're version 2 files, not version 1)
Cd into the folder where the files are
prenus -t html -o tmp *.nessus
Happy Happy Joy Joy
Command Line Options
Usage: prenus <options> [INPUT]

Specific Options:
    -h, --help                 Display this screen
    -c, --config FILE          Load a YAML formatted config file
    -o, --ouput DIR/FILE       Defaults to '.'
    -t, --type TYPE            Select: xls, html, glow, circos or host. Defaults to html
        --header-file FILE     Optional HTML FILE to be inserted into the top of the index.html file when using HTML output
    -s, --severity LEVEL       Defaults to 3 for High -> Critical. For large datasets 4 is saner
    -f, --filter FILTER        Only show these Nessus IDs. For multiple separate with commas 12345,23232,21212
    -d, --debug                Displays stats and other debugging
    -v, --version              Shows the version
If you specify a config file (see the example prenus.yaml file), you can override some host information, or skip vulns for particular hosts.
Output (-o) is handled differently depending on the type. If you're running as type 'html', this option is a folder. If you don't specify a folder, the HTML files, js files, image files etc. are built into the current folder. You might not want this, so give it a folder name, such as 'tmp', to output the files to the ./tmp sub-folder.
If the type is not 'html', this option is the file that will be used for output; it can be omitted to simply output to the screen (STDOUT).
Type specifies what output parser you want:
html - Outputs a number of HTML files
xls - Outputs HTML table text with an .xls extension, which can be opened by fairly modern versions of Excel
glow - Outputs a CSV formatted text which can be consumed by Afterglow
circos - Outputs a tabular style text file which can be consumed by the Circos Tableviewer tool
host - Outputs a CSV formatted file with host information (just ip, os and hostname)
By default this is html
The severity option (-s) sets the lowest severity that will be included in the output. For example, if severity is 0, then all vulnerabilities identified as informational, low, medium, high and critical will be included. If severity is 3, then only high and critical will be included.
By default this is 3.
The filter option (-f) doesn't apply to the html output, but for all other output types it lets you output only explicitly listed Nessus Plugin IDs. For example: 54343,34443,12345
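The severity floor and plugin ID filter described above, as an added example (not Prenus's own code; it uses Ruby's REXML instead of ruby-nessus). The helper names, the constructed sample data and the column order (plugin ID, host) are assumptions.

```ruby
require "rexml/document"

# Constructed sample in Nessus v2 layout (not real scan data).
SAMPLE_NESSUS_V2 = <<~XML
  <NessusClientData_v2>
    <Report name="constructed-sample">
      <ReportHost name="192.0.2.10">
        <ReportItem port="445" severity="4" pluginID="90001" pluginName="Constructed critical finding"/>
        <ReportItem port="22" severity="2" pluginID="90002" pluginName="Constructed medium finding"/>
        <ReportItem port="0" severity="0" pluginID="90003" pluginName="Constructed informational finding"/>
      </ReportHost>
      <ReportHost name="192.0.2.11">
        <ReportItem port="443" severity="3" pluginID="90004" pluginName="Constructed high finding"/>
        <ReportItem port="445" severity="4" pluginID="90001" pluginName="Constructed critical finding"/>
        <ReportItem port="139" severity="4" pluginID="90001" pluginName="Constructed critical finding"/>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML

# Hypothetical helper: returns unique [plugin_id, host] pairs at or above
# min_severity (0 = informational .. 4 = critical), optionally limited to
# the plugin IDs in only_ids (same comma-separated form as -f).
def plugin_host_pairs(xml, min_severity: 3, only_ids: nil)
  wanted = only_ids&.split(",")&.map(&:strip)
  pairs = []
  REXML::Document.new(xml).elements.each("//ReportHost") do |host|
    host.elements.each("ReportItem") do |item|
      sev = Integer(item.attributes["severity"], exception: false)
      next if sev.nil? || sev < min_severity   # skip malformed or below-floor items
      id = item.attributes["pluginID"]
      next if wanted && !wanted.include?(id)
      pairs << [id, host.attributes["name"]]
    end
  end
  pairs.uniq   # same plugin on several ports of one host counts once
end

# Two-column CSV text; the column order (plugin ID, host) is an assumption.
def to_two_column_csv(pairs)
  pairs.map { |id, host| "#{id},#{host}" }.join("\n")
end

puts to_two_column_csv(plugin_host_pairs(SAMPLE_NESSUS_V2, min_severity: 4))
```
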
If the debug option (-d) is flagged, then we'll output some raw data.
If you want to add some optional branding to the top of the HTML files (when using the HTML output type), create a file with some HTML content and point the --header-file option at it. Voila. BRAAANDING
Afterglow - what?
So, you're interested in creating some pretty Afterglow/Graphviz files to see relationships between Nessus IDs and Hosts? Look no further!
Using the example colouring Afterglow properties file (prenus.properties), you can execute this to graph critical vulns, as long as you have Afterglow working with all its dependencies, plus Graphviz installed and working (# which neato).
This will only work if you're in Afterglow's src/perl/graph/ folder:
prenus -t glow -s 4 /folder/where/nessus/files/are/*.nessus | ./afterglow -t -c /folder/where/prenus.properties | neato -v -Tpng -Gnormalize=true -Goutputorder=edgesfirst -o prenus.png
Circos - huh?
What about those pretty awesome Circos graphs huh?
Well, getting GD and all the other Circos dependencies was a bit of a pain in the butt on OS X 10.7, but after a bunch of googling and checking out the following URLs, it seemed to work okay. (Might help, probably not: gist.github.com/3214492) (I think I also had to update the #!s on top of the .pl files :/)
You might also need to fiddle with the circos.conf file, but eventually I had it working pretty solidly. I had circos installed in ~/circos/circos-0.62-1/ and the circos tools in ~/circos/circos-tools-0.16/
This will only work if you're in the Circos Tools tableviewer folder (in my instance, ~/circos/circos-tools-0.16/tools/tableviewer/)
prenus -t circos -s 4 /folder/where/nessus/files/are/*.nessus | bin/parse-table -conf samples/parse-table-01.conf | bin/make-conf -dir data && ../../../circos-0.62-1/bin/circos -conf etc/circos.conf -outputfile prenus.png
This will dump the png into the img/ folder.
Version 0.0.12 - The --header-file option now applies to all HTML files
Version 0.0.11 - A bunch of cosmetic changes. PLUS, a new optional command line flag to add HTML content to the top of the index.html file.
Version 0.0.10 - Added new pie graph to HTML output, and updated pie graph generator to allow for setting of colours
Version 0.0.9 - Added Nokogiri gem dep
Version 0.0.8 - Default HTML output directory - plus - can filter out severity issues for HTML. Updated gemspec, removed internal gem
Version 0.0.7 - Included push update for XLS output - and updated version statements
Version 0.0.6 - Updated the version in the prenus file
Version 0.0.5 - FUUUU Did it again. Botched the gem push #facepalm. This is identical to 0.0.4
Version 0.0.4 - Shifted my copy of ruby-nessus into my lib/gemcache folder
Version 0.0.3 - Botched the gem push - like a chump - this should be identical to 0.0.2
Version 0.0.2 - Updated input - handles duplicate hosts a bit nicer (but not much nicer)
Version 0.0.1 - initial release .. buggy to the max