Parsing errors? #12

Open
xkillbit opened this issue May 25, 2023 · 4 comments
xkillbit commented May 25, 2023

Hello,

Here is the CLI tool count followed by a script that dumps each Vuln Name by criticality and provides a count. Notice the counts are not the same. In this example, let's focus on just the Criticals:
image

Nessus web interface for comparison:
image

As you can see by comparing, the parser does not account for "Unsupported Web Server Detection".

I've attached the dummy data from the scan against the HTB environment, followed by the script used to dump and count each vuln by severity.

dummy_data.zip

```python
import nessus_file_reader as nfr

nessus_scan_file = r"dummy_data.nessus"
root = nfr.file.nessus_scan_file_root_element(nessus_scan_file)

# One dict per risk factor: plugin name -> list of "ip:port" findings
critical_plugin_tracking = {}
high_plugin_tracking = {}
medium_plugin_tracking = {}
tracking_by_risk = {
    'Critical': critical_plugin_tracking,
    'High': high_plugin_tracking,
    'Medium': medium_plugin_tracking,
}

for report_host in nfr.scan.report_hosts(root):
    report_host_ip = nfr.host.resolved_ip(report_host)
    for report_item in nfr.host.report_items(report_host):
        plugin_id = int(nfr.plugin.report_item_value(report_item, 'pluginID'))
        risk_factor = nfr.plugin.report_item_value(report_item, 'risk_factor')
        plugin_name = nfr.plugin.report_item_value(report_item, 'pluginName')
        port = nfr.plugin.report_item_value(report_item, 'port')

        #print('\t', plugin_id, '  \t\t\t', risk_factor,'  \t\t\t', report_host_ip,'  \t\t\t', plugin_name)
        # Look the plugin up in the dict for its own risk factor. Checking only
        # the Critical dict overwrote earlier High/Medium entries for a plugin.
        tracking = tracking_by_risk.get(risk_factor)
        if tracking is None:
            continue  # Low / None findings are not tracked
        tracking.setdefault(plugin_name, []).append(report_host_ip + ':' + port)

print('== CRITICALS: ==')
for k, v in critical_plugin_tracking.items():
    print(k, ':', v)
print('Count:{}\n'.format(len(critical_plugin_tracking)))

print('== HIGHS ==')
for k, v in high_plugin_tracking.items():
    print(k, ':', v)
print('Count:{}\n'.format(len(high_plugin_tracking)))
print('')

print('== MEDIUMS ==')
for k, v in medium_plugin_tracking.items():
    print(k, ':', v)
print('Count:{}\n'.format(len(medium_plugin_tracking)))
```

I would appreciate any help.

@xkillbit
Author

any update here?

@xkillbit
Author

any update?

lapolis commented Jan 23, 2024

I guess it's a bit late but... For some reason, in your .nessus file, "Unsupported Web Server Detection" is marked as severity="3" instead of severity="4". Anyway, in a real-life scenario, the same host has severity="4" pluginID="97994" pluginName="Microsoft IIS 6.0 Unsupported Version Detection" and hence would be flagged as EoL.

Other than that, both Nessus plugins have the same output.

@damian-krawczyk
Collaborator

@xkillbit I checked your attachment, it's not reported as Critical, because nfr cli reports based on Risk Factor.

```python
report_host_critical += nfr.host.number_of_plugins_per_risk_factor(report_host, 'Critical')
```

Risk Factor in your case is High:

```xml
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="34460" pluginName="Unsupported Web Server Detection" pluginFamily="Web Servers">
<cvss3_base_score>10.0</cvss3_base_score>
<cvss_base_score>7.5</cvss_base_score>
<risk_factor>High</risk_factor>
```

I assume Nessus takes into account <cvss3_base_score>10.0</cvss3_base_score> and shows it as Critical. We would need to have a similar solution here, like an option to use CVSSv2 or CVSSv3, then:

  1. If cvss3_base_score exists in the output, check its score and report the level.
  2. If cvss3_base_score does not exist, use CVSSv2 anyway.

| Threat Level | CVSS v2.0 (June 2007) | CVSS v3.0 (June 2015) | CVSS v3.1 (June 2019) |
|---|---|---|---|
| Critical | 10 | 9.0 - 10.0 | 9.0 - 10.0 |
| High | 7.0 - 9.9 | 7.0 - 8.9 | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 | 4.0 - 6.9 | 4.0 - 6.9 |
| Low | 0.0 - 3.9 | 0.1 - 3.9 | 0.1 - 3.9 |
| Info | | 0.0 | 0.0 |

What value do you have set in Nessus for severity_basis? CVSSv2 or CVSSv3?

image

@lapolis thanks for the input.
