About the Author
Cody Dumont is a former Marine turned Geek, then Security Geek. Cody started in IT during March of 1995, while in the Marines as a former 0311 (Infantry) attending MRC (Micro Computer Repair Course) at 29 Palms, CA. Cody then went on to be awarded the Navy Achievement Medal for the IT-related work performed for the 24th MEU. After leaving the Marine Corps with a bad knee, go figure, he started working for a few companies in the Northeast. Cody currently works for Tenable Network Security (www.tenable.com) as a Sr. Information Security Content Analyst.
Cody currently holds an MS in Information Technology (Specialty in Information Security) from Capella University and a BS in Information Management from Daniel Webster College. Cody has many industry certifications, starting with MCSE (NT4), MCSE (2k), Exchange (2K), CNE (5), A+, Security +, CCNA, CCNA Security, CCNP, CCIP, CISSP, CCSP, RSA enVision CSE, GCWN (Gold), GCFA, GCFE, and GXPN.
Cody,
You asked that I check in with you on your vulnerability parser. How’s it going? Any updates?
Also, I have a question on the output format. The xls is great for delivering results. Is there a way to include the IP on the highvuln/medvuln/lowvuln tabs? I know we can sort from the main page, but sometimes that is too difficult for management 🙂 Perhaps this is something I could edit for my configuration if you point me in the right direction. On that same note, is there a way to include conditional formatting to colorize the high and mediums on the main page straight from the template?
Thank you for your help.
Whinston
Please Note: I edited the comment to remove the personal information posted.
I usually do a pivot table or something like that after the fact depending on the report. But we can create any table you would like in the script. I would caution to list all the IPs with Low, Medium and High tables, only because the IP count in there, if you add would like to simply create a table similar to the first table you mention but sorting by High, Medium and Low, we can add that. But that is just a sort on that first table.
Hey Cody, I was wondering if you can shoot me that unreleased version of your parser? I was the one who asked about the domain issues with the latest version, and I’d be happy to test any new versions you have.
Cody, first of all many thanks are due to you, this parser is the easiest to use and most powerful program of its type I’ve found out there! I have a similar request to Whinston above, I would like to be able to show all the IPs associated with a particular vulnerability on each of the high, medium, and low tabs. I am a perl novice but I was wondering if there was a way for me to make this script show the associated IPs in a cell alongside each vulnerability, or if that was something you had planned for a future release. Please email me! Thank you!
To add that feature in to the spreadsheet would make the spreadsheet extremely large, so I don’t plan on adding it. However, the good news is that you can do it now. If you go to the “host_scan_data” tab, then select the filter for the Plugin ID and Severity, you can see all the IPs with that severity. There are 4 severity levels, 0 – 3. Listed below are the meanings of the severity.
Severity 0 – is the port scan Nessus performs
Severity 1 – is a Low Severity Vulnerability
Severity 2 – is a Medium Severity Vulnerability
Severity 3 – is a High Severity Vulnerability
So as you can see you can already sort on this information.
If you wanted to do this in perl, I am sure you can, I would suggest using XPATH modules to do so.
I hope this helps.
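Added example (not part of the thread and not code from the parser): one way to list the IPs per plugin ID and severity with an XPath module, as the reply above suggests. It assumes XML::LibXML is installed; the scan data is constructed, the plugin names are placeholders, and `hosts_by_finding` is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example, not part of parse_nessus_xml.pl. Requires XML::LibXML.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample in the NessusClientData_v2 layout; hosts, ports and
# plugin names are made up, plugin IDs are ones mentioned in this thread.
my $xml = <<'XML';
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" severity="1" pluginID="11026" pluginName="sample name A"/>
      <ReportItem port="445" severity="3" pluginID="10860" pluginName="sample name B"/>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="445" severity="3" pluginID="10860" pluginName="sample name B"/>
      <ReportItem port="80" severity="2" pluginID="11137" pluginName="sample, name C"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
XML

# Severity meanings as listed in the reply above.
my %label = (0 => 'Info', 1 => 'Low', 2 => 'Medium', 3 => 'High');

# Return { severity => { pluginID => { host => 1 } } } for severity >= $min.
sub hosts_by_finding {
    my ($doc, $min) = @_;
    $min = int($min);    # only a number ever reaches the XPath string
    my %found;
    for my $item ($doc->findnodes("//ReportHost/ReportItem[\@severity >= $min]")) {
        my $host = $item->parentNode->getAttribute('name');
        $found{ $item->getAttribute('severity') }{ $item->getAttribute('pluginID') }{$host} = 1;
    }
    return \%found;
}

# Scan files are input data: keep entity expansion and network fetches off.
my $doc = XML::LibXML->load_xml(string => $xml, no_network => 1, expand_entities => 0);
my $found = hosts_by_finding($doc, 1);
for my $sev (sort { $b <=> $a } keys %$found) {
    for my $plugin (sort { $a <=> $b } keys %{ $found->{$sev} }) {
        printf "%-6s plugin %-6s %s\n", $label{$sev} // $sev, $plugin,
            join(', ', sort keys %{ $found->{$sev}{$plugin} });
    }
}
```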
Hi Cody,
I love your script and use it often. I was wondering if it is simple to create a new tab called ‘Access Points’ and all the findings matching Plugin ID 11026 would show up in there. I’ve been successful creating a new tab but cannot import results matching that plugin ID.
Can you email me or respond with code when you get a chance. This would be very helpful! Thank you again.
I can make that change in July some time, when I do a lot of other updates.
Cody,
I’m looking to parse configs from Cisco as well. I don’t have a good parser and am interested in test driving yours. For some odd reason the .zip is not working for download (or I’m getting blocked/filtered). Can you shoot it to my email?
Thanks for your time!
John
I am sending you a new copy in email.
I have encountered a network relying on zone firewall on the routers. The creator made extensive use of object groups in the ACLs, but you likely already know that the show access list command does not expand the object groups on routers. Has any of your work addressed this?
I am trying to use v16 on a Windows machine to parse a Nessus v2 file. While the parser finds the file fine, it does not recognize it as a valid file. (I manually checked the file and the required string “NessusClientData_v2” is in my file.) Can you give me some troubleshooting steps?
In the upcoming version of the ACL parser this is addressed. But all coding over the last 8 months has been at a standstill due to the workload I had. However, that is changing due to a recent change in jobs. I hope to start coding on the ACL Parser soon.
Try v18 and if it does not work, email and let me know. I will load up a windows machine to test with.
I am getting an error saying can’t XML/TreePP.PM. I don’t see this file in the directory either, though the XML module is installed. Any recommendations?
This is usually found when you don’t have the perl modules installed. Look at the earlier posts and there are instructions for installing the perl modules.
I keep getting the following error when running the nessus parser:
“Can’t find Unicode property definition “A” at parse_nessus_xml.v20.pl line 1364.”
I can get the script to run just fine for individual scans (nessus v2 files), but when I created a v2 file for my Security Center repositories and run the script with the ‘-d’ option, I get the error.
That is really interesting, I have not tried to use the .nessus file from the SecurityCenter repository. I have used the .nessus files downloaded from the Scan Data tab in SecurityCenter with the parser and they worked fine. I would say there must be something different in the repository export .nessus file. I will try testing that as I develop the next version of the parser. But that said, I would recommend using the SecurityCenter API and query the data. Also you can get a lot of great stuff from SecurityCenter App feed with all the dashboards, reports and assets.
I have considered developing a new script that uses the API to build the same spreadsheet, but I have not started the development.
Cody,
You have a great parser that I use shamelessly. I run into this problem every time I get a large number of IPs (about 10,000): I get the following error message: “FILE is not using the Nessus version 2 format, and will NOT be parsed!!!” I am absolutely sure it is version 2 Nessus. Thanks in advance for all your help and your contributions.
Regards,
Rob
Hi Cody- Just found your parser. Getting 403 Unauthorized when I run the script and provide credentials and url. What typically causes this?
The SecurityCenter is at:
Nessus Product: Nessus
Engine: 5.2.7
Web UI: 2.3.16 (master #124)
Plugins Last Updated: October 27, 2014
Plugin Set: 201410272215
Expiration: October 28, 2014
I am not sure; the only time I have seen this is when the URL was wrong.
Hi Cody,
Thanks for the great parser. Can I use the same parser to parse McAfee Vulnerability Manager (MVM) XML reports? If yes, what changes are required? If no, then can you point me in the right direction in parsing MVM XML reports?
Awaiting your reply..
Does anyone know if Robert got the following error figured out: “!!FILE is not using the Nessus version 2 format, and will NOT be parsed!!!” I’m using Nessus version 4.0 and so it’s supposed to be in V2 format as well. I’ve only got about 1000 different IPs of scan data I would like to get parsed. Any ideas?!!
Nessus v4 is not supported any more; Tenable extended the format, so I have had to change the code.
Hey Cody,
The nessus parser has been an incredibly valuable tool. Wondering if you’re still maintaining it?
Sure am; after this update, the script will change and be app API.
Cody,
Thank you for your efforts in this never ending project and we appreciate what you are doing.
If you have any help/sources/references with using regex within ACAS to extract plugin output information please keep us abreast.
Hubert Black
Hi Cody,
There seems to be a little bug with your script while parsing results that contain plugin ID 11137 (and maybe others). The fact that there’s a comma in the plugin name just causes every column data to be shifted and not correctly fitted in the resulting xls. Can you please check?
Thanks.
When using the Nessus parser, I sometimes run into this error that prevents the spreadsheet from being created.
Can’t call method “add_worksheet” on an undefined value at parse_nessus_xml.v22.pl line 1553.
Any ideas for a workaround? It’s happened several times for completely different scans and the error happens for line #.
Thanks!
Can I buy you a beer/ take donations? This saved me a massive amount of time and headache. Thank you.
Hi Cody,
Thanks for sharing your Nessus XML parser.
I hit a bug in parse_nessus_xml.v24.pl while parsing plugin ID 10860 containing a username with parentheses; the username was “IWAM_plesk(default)” and the error message:
Unmatched ( in regex; marked by <-- HERE in m/(\s\s\-\s)IWAM_plesk( <-- HERE default/ at parse_nessus_xml.v24.pl line 1457.
Interestingly, the bug doesn't trigger if I strip down the XML completely; I need to leave the previous ReportItem in place (plugin id 10914) to get the error message.
You can contact me offline if you need more info/testing.
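Added example (not part of the thread and not the parser's own code): the failure class behind the error quoted above, where a value taken from scan data is interpolated into a Perl regex, shown beside the `\Q...\E` (quotemeta) form that treats it as a literal. The pattern prefix is copied from the error message; the output lines are constructed and `match_unsafe`/`match_safe` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not taken from parse_nessus_xml.pl.
use strict;
use warnings;

# Constructed plugin-output lines in the "  - name" shape implied by the
# (\s\s\-\s) prefix in the error message; not real scan data.
my @lines = ("  - Administrator", "  - IWAM_plesk(default)", "  - Guest");

# Two values to look for: the full username from the report, and the
# unbalanced fragment that appears inside the quoted error message.
my @names = ('IWAM_plesk(default)', 'IWAM_plesk(default');

# Unsafe: the value is compiled as regex syntax. Balanced parentheses become
# a capture group (silent non-match); an unbalanced one kills the script.
sub match_unsafe {
    my ($name, $line) = @_;
    my $hit = eval { $line =~ /(\s\s\-\s)$name/ ? 1 : 0 };
    return defined $hit ? $hit : 'died';
}

# Safe: \Q...\E escapes every metacharacter, so the value matches literally.
sub match_safe {
    my ($name, $line) = @_;
    return $line =~ /(\s\s\-\s)\Q$name\E/ ? 1 : 0;
}

for my $name (@names) {
    for my $line (@lines) {
        printf "%-22s | %-26s | unsafe=%-4s safe=%s\n",
            $name, $line, match_unsafe($name, $line), match_safe($name, $line);
    }
}
```

The balanced case is the quieter problem: nothing dies, the account is simply never matched, so rows can go missing from the report without any error.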
Hi there, love your work mate, this has helped me a lot. Are you still maintaining it, and is there any reason to not be using it with the latest Nessus? Cheers
Hi M. Dumont
Thank you for the excellent parser.
However, I notice it only inputs the CVSS2.
Would it be possible to include the CVSS3 score and temporal?
It would be greatly appreciated.
Regards
Awesome script thanks for creating this. I am the Information Security Officer for several education service centers in Texas. Your work has immensely helped K-12 education be more secure.
Thank you, a new version will be coming out soon.
There is a new version coming out in a few weeks.
All versions of Nessus are fine, I will be publishing a new copy soon 🙂
I fixed this recently, and a new version will be released in a few weeks.
All good man, hope you are using this still, and a new copy is coming 🙂