Nessus Analyzer #1
Comments
@guillomovitch provided an analyzer a few days ago. See PR #20. @jeromeleonard can you please test it and provide feedback?
nadouani added a commit that referenced this issue on Mar 31, 2017
jeromeleonard added a commit that referenced this issue on Apr 7, 2017
jeromeleonard added a commit that referenced this issue on Apr 7, 2017
jeromeleonard added a commit that referenced this issue on Apr 7, 2017
jeromeleonard pushed a commit that referenced this issue on Sep 3, 2018
nusantara-self pushed a commit that referenced this issue on Feb 6, 2025: Update elk.py to not fail when @timestamp has no mapping
Request Type
Analyzer Request
Work Environment
Irrelevant
Analyzer Description
Create an analyzer that takes as input an IP address or a FQDN and launches a scan using Nessus by leveraging its API. That will allow the analyst to quickly assess the attack surface of the asset, the services that it is exposing on the network, their vulnerabilities, banners and so on.
Additional Details
The analyzer must not allow the analyst to launch a scan against assets that do not belong to their constituency. So it must be configured prior to use with the IP addresses, ranges, CIDR, domain names of the constituency. When an observable is submitted, it must check it against its configuration and refuse to run if it is not among or within the configured IP addresses, ranges, CIDR or domain names.
The analyzer should not allow authenticated scans as the current Cortex has no authentication and we'd risk leaking the credentials Nessus would use to authenticate. Moreover, if the asset has been compromised, an authenticated scan would tip off the attacker that something is going on. They could also capture the Nessus credentials as a result and launch lateral movements through the network.
The analyzer must not retrieve the full-fledged Nessus report by default. It should limit the information to what an analyst really needs like services, banners, critical and high severity vulnerabilities.
The analyzer must use a safe scanning policy. Instructions (in the documentation, for example) should be provided on how to set up the policy on Nessus.
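The two controls the request describes, the constituency gate (refuse any observable not inside the configured IPs, ranges, CIDRs or domains) and the trimmed report (services plus only high and critical findings), as an added example written for this page. It is not code from the Cortex-Analyzers project or from PR #20. The rule syntax, the `SAMPLE_FINDINGS` records, their field names and the `severity` scale of 0 (info) to 4 (critical) are assumptions constructed for the demo; the result dictionary only borrows the `success`/`errorMessage` shape of a Cortex analyzer output.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

# Constituency rules as an operator would write them in the analyzer config
# (assumed syntax: single IP, CIDR, "first-last" range, or a domain suffix).
CONSTITUENCY = [
    "10.1.0.0/16",
    "192.168.5.10-192.168.5.30",
    "2001:db8::/32",
    "corp.example.com",
]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_rule(rule: str) -> Tuple[str, object]:
    """Classify one rule as ("net", network), ("range", (lo, hi)) or ("domain", name)."""
    rule = rule.strip().lower()
    if "-" in rule and "/" not in rule:          # candidate "first-last" range
        lo, hi = (p.strip() for p in rule.split("-", 1))
        try:
            lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_ip.version == hi_ip.version and lo_ip <= hi_ip:
                return "range", (lo_ip, hi_ip)
        except ValueError:
            pass                                  # not an IP range, fall through
    try:
        # strict=False accepts host bits set, e.g. 10.1.2.3/16; a bare IP becomes a /32 or /128
        return "net", ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return "domain", rule.rstrip(".")


def in_constituency(observable: str, rules: Iterable[str]) -> bool:
    """True only if the observable is inside one of the configured rules.

    IP observables match nets and ranges; FQDN observables match a domain rule
    exactly or as a subdomain. Suffix matching is label-aware, so
    'notcorp.example.com' does not match 'corp.example.com'.
    """
    obs = observable.strip().lower().rstrip(".")
    try:
        ip: Union[IPAddr, None] = ipaddress.ip_address(obs)
    except ValueError:
        ip = None
    for kind, value in (_parse_rule(r) for r in rules):
        if kind == "net" and ip is not None and ip.version == value.version and ip in value:
            return True
        if kind == "range" and ip is not None:
            lo, hi = value
            if ip.version == lo.version and lo <= ip <= hi:
                return True
        if kind == "domain" and ip is None and (obs == value or obs.endswith("." + value)):
            return True
    return False


SEVERITY = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "info"}

# Constructed findings standing in for what a Nessus host report would contain.
SAMPLE_FINDINGS: List[Dict] = [
    {"port": 22, "protocol": "tcp", "service": "ssh", "severity": 0, "plugin_name": "SSH banner"},
    {"port": 80, "protocol": "tcp", "service": "www", "severity": 0, "plugin_name": "HTTP banner"},
    {"port": 443, "protocol": "tcp", "service": "www", "severity": 2, "plugin_name": "Weak TLS ciphers"},
    {"port": 445, "protocol": "tcp", "service": "cifs", "severity": 4, "plugin_name": "Unpatched SMB service"},
]


def summarize_findings(findings: List[Dict], min_severity: int = 3) -> Dict:
    """Keep exposed services/banners and only findings at or above min_severity (default: high)."""
    services = sorted({(f["port"], f["protocol"], f.get("service", "")) for f in findings})
    vulns = [
        {"port": f["port"], "plugin": f["plugin_name"], "severity": SEVERITY[f["severity"]]}
        for f in findings
        if f["severity"] >= min_severity
    ]
    return {"services": services, "vulnerabilities": vulns}


def analyze(observable: str, rules: Iterable[str], findings: List[Dict]) -> Dict:
    """Gate first, scan (here: the constructed findings) only if the gate passes."""
    if not in_constituency(observable, rules):
        return {"success": False,
                "errorMessage": "refusing to scan %s: not within the configured constituency" % observable}
    return {"success": True, "summary": summarize_findings(findings)}


if __name__ == "__main__":
    for target in ("10.1.2.3", "203.0.113.9", "host.corp.example.com", "corp.example.com.evil.net"):
        print(target, "->", analyze(target, CONSTITUENCY, SAMPLE_FINDINGS))
```

The gate deliberately decides on the observable string alone: it does not resolve an FQDN to check the resulting IP against the IP rules, because an attacker-controlled name pointing at a constituency address would otherwise let a domain outside the configured list pass. Domain rules are matched on label boundaries so that suffix-look-alike names are refused.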