
Creating Custom Reports With Nessus 4

XSLT Reporting

A new feature in Nessus 4 is the ability to use XSLT stylesheets to create custom reports. The stylesheets read the .nessus XML file and allow you to create a number of different report styles, such as HTML and CSV, as well as extract or sort specific data from the scan results. Nessus 4 comes with several built-in stylesheets that can sort results and display a report based on several criteria, including:

  • Sort By CVE
  • Sort By IP Address
  • Sort By Port
  • Sort By Vulnerability

You can use this feature in conjunction with the report filtering to more easily create custom reports.

Using the Built-In Stylesheets

This feature is especially useful for filtering low-priority alerts out of scan results that use audit file checking. Such results typically contain many low-priority alerts, which can make a report hard to analyze because they distract from the higher-priority issues:

[Screenshot: N4-Report-UNIX-2b.png]

The screenshot above shows a scan of one particular host and some example results from a UNIX compliance check. You can select one of the default stylesheets from the pull-down menu at the bottom. Once you've selected a stylesheet, click the "View template..." button to view the results, which will automatically open in your default web browser. Reports that contain large result sets can be filtered based on user-defined criteria. For example, to restrict the results to display only High alerts, set up a filter as follows:

[Screenshot: filter settings]

Now the NessusClient will only display the High alerts in the report output. Next, you can select "Sort By Vulnerability Detail" and then click "View template...":

[Screenshot: N4-FilteredResults.png]

This will produce an HTML report that only contains the High alerts:

[Screenshot: N4-HighAlertReport.png]

Creating Your Own Customized Reports

Let’s take a look at an example of filtering a large report from a network-based scan. This report contains several hosts with a large amount of scan data. Using the defaults, I can generate a report that will display the vulnerability details as described above:

[Screenshot: N4-ListOfVulnerabilities.png]

This report enables you to see each of the plugin IDs that were triggered and click on them to go to a section of the report with more details. However, there is a lot of data to sift through. Additionally, when I pull up the report I only get the plugin IDs in the table at the top (in the left-hand column) and the severity level in the right-hand column. While I may know a few plugin IDs from memory, I don't have the entire database memorized (shame on me). We can easily fix the first problem by creating a filter to home in on certain portions of the report:

[Screenshot: report filter]

Rather than just keying in on a particular plugin ID or severity level, I like to add keywords to search the plugin report. This provides a much broader picture of my vulnerabilities and a greater chance that I will catch something interesting. In this example I use the keyword "share" to search for open file shares on the network without limiting myself to a particular type of share. Next I want to modify the report, so I made a copy of the "Sort By Vulnerability Detail" stylesheet and placed it where the XSL reports are stored in the Nessus data directory. Refer to the table below for the location of the data directory on the supported platforms.

Nessus Data Directory Locations

  Platform    Data directory
  Windows     C:\Program Files\Tenable\Nessus\data
  Linux       /opt/nessus/var/nessus-client/data
  Mac OS X    /Library/Nessus/data

When creating a custom stylesheet, make sure that it has a ".xsl" extension or it will not show up in the NessusClient. Once the stylesheet has been created, restart the NessusClient and it will appear in the stylesheet pull-down menu. I edited my stylesheet copy to add the following column to the report template:

XSLT Code

<td width="40%" align="left">
<xsl:attribute name="href"><![CDATA[#]]><xsl:value-of select="concat($reportname,'',pluginName)" /></xsl:attribute>
<u>
<xsl:value-of select="pluginName" />
</u>
</td>

I saved my changes, restarted the NessusClient, and ran my report. The above code produced a new column that lists the plugin name in a center column within the "List of vulnerabilities" table:

[Screenshot: CustomReport.png]

You can see that we have some interesting results from our search filter. We get to see both SMB and NFS shares that were found readable during the scan. We can click on any of the plugin IDs and it will take us to that section of the report and display the vulnerability details for each host.
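The same selection the post performs through the report filter (High only, keyword "share") and its custom plugin-name column, reproduced here as an added Python example rather than XSLT so the stylesheet output can be checked against the raw report data; this is not code from the post or from Nessus, and the .nessus sample, hosts, plugin IDs and names are constructed.

```python
# Added example, not from the Tenable post: reproduces with Python's standard
# library the selection the post does with report filters plus its custom XSLT
# column, so you can check a stylesheet's output against the raw .nessus data.
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the one-element-per-field layout the post's
# stylesheet reads (select="pluginName"); hosts, IDs and names are made up.
SAMPLE_NESSUS = """<NessusClientData><Report>
 <ReportHost><HostName>192.0.2.10</HostName>
  <ReportItem><severity>High</severity><pluginID>11111</pluginID>
   <pluginName>SMB share readable by everyone</pluginName></ReportItem>
  <ReportItem><severity>Low</severity><pluginID>22222</pluginID>
   <pluginName>SSH server type and version</pluginName></ReportItem>
 </ReportHost>
 <ReportHost><HostName>192.0.2.11</HostName>
  <ReportItem><severity>Medium</severity><pluginID>33333</pluginID>
   <pluginName>NFS shares world readable</pluginName></ReportItem>
 </ReportHost>
</Report></NessusClientData>"""

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def select_items(nessus_xml, severities=None, keyword=None):
    """Return (host, pluginID, pluginName, severity) tuples that pass the
    severity and keyword filters, highest severity first."""
    root = ET.fromstring(nessus_xml)
    rows = []
    for host in root.iter("ReportHost"):
        hostname = host.findtext("HostName", "")
        for item in host.iter("ReportItem"):
            sev = item.findtext("severity", "")
            name = item.findtext("pluginName", "")
            if severities and sev not in severities:
                continue
            # Keyword search is case-insensitive over the plugin name, like
            # the post's "share" filter.
            if keyword and keyword.lower() not in name.lower():
                continue
            rows.append((hostname, item.findtext("pluginID", ""), name, sev))
    return sorted(rows, key=lambda r: (SEVERITY_ORDER.get(r[3], 9), r[1]))

def to_csv(rows):
    """Render selected rows as CSV: host, plugin ID, plugin name, severity."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "pluginID", "pluginName", "severity"])
    writer.writerows(rows)
    return buf.getvalue()
```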

Conclusion

The new XSLT reporting function is very flexible and easy to use. The built-in reports, in combination with the filtering feature, provide a quick way to create customized reports in several different formats. XSLT enables interaction with the .nessus XML format so the end user can write and define custom report styles. You can start by modifying some of the existing stylesheets, then move on to creating new ones on your own. Whether you are creating brand new reports or modifying the existing ones, you are encouraged to share your work with the community. If you think that others will benefit from your custom reports please head over to the Nessus discussions forum and feel free to post your work. This is a great way to get feedback on your stylesheets and participate in the community.
