Creating Custom Reports With Nessus 4
XSLT Reporting
A new feature in Nessus 4 is the ability to use XSLT stylesheets to create custom reports. The stylesheets read the .nessus XML file and allow you to create a number of different report styles, such as HTML and CSV, as well as extract or sort specific data from the scan results. Nessus 4 comes with several built-in stylesheets that can sort results and display a report based on several criteria, including:
- Sort By CVE
- Sort By IP Address
- Sort By Port
- Sort By Vulnerability
You can use this feature in conjunction with the report filtering to more easily create custom reports.
Using the Built-In Stylesheets
This feature is especially useful for filtering low priority alerts in scan results that are using audit file checking. Typically, there are many low priority alerts mixed in the results, which can make analyzing a report difficult by taking away from higher priority issues:
The screenshot above shows a scan of one particular host and some example results from a UNIX compliance check. You can select from the default stylesheets using the pull down menu at the bottom. Once you've selected a stylesheet, click the "View template..." button to view the results, which will automatically open in your default web browser. Reports that contain large result sets can be filtered based on user-defined criteria. For example, to restrict the results to display only High alerts, setup a filter as follows:
Now the NessusClient will only display the High alerts in the report output. Next, you can select "Sort By Vulnerability Detail" and then click "View template..."
This will produce an HTML report that only contains the High alerts:
Creating Your Own Customized Reports
Let’s take a look at an example of filtering a large report from a network-based scan. This report contains several hosts with a large amount of scan data. Using the defaults, I can generate a report that will display the vulnerability details as described above:
This report enables you to see each of the plugin IDs that were triggered and click on them to go to a section of the report with more details. However, there is a lot of data to sift through. Additionally, when I pull up the report I only get the plugin IDs in the table at the top (in the left hand column) and the severity level in the right hand column. While I may know a few plugin IDs from memory, I don't have the entire database memorized (shame on me). We can easily fix the first problem by creating a filter to hone in on certain portions of the report:
Rather than just keying in on a particular plugin ID or severity level, I like to add keywords to search the plugin report. This provides a much broader picture of my vulnerabilities and presents a greater chance that I will catch something interesting. In this example I use the keyword "share", to search for open file shares on the network, without limiting myself to a particular type of share. Next I want to modify the report, so I made a copy of the "Sort By Vulnerability Detail" report and place it where the XSL reports are stored in the Nessus data directory. Refer to the table below for the location of the data directory on the supported platforms.
Nessus Data Directory Locations
| Windows | C:\Program Files\Tenable\Nessus\data |
| Linux | /opt/nessus/var/nessus-client/data |
| Mac OS X | /Library/Nessus/data |
When creating a custom stylesheet, make sure that it has a ".xsl" extension or it will not show up in the NessusClient. Once the stylesheet has been created, restart the NessuClient and it will show up in the stylesheet pull down menu. I edited my stylesheet copy to add the following column to the report template:
XSLT Code
|
<td width="40%" align="left"> <xsl:attribute name="href"><![CDATA[#]]><xsl:value-of select="concat($reportname,'',pluginName)" /></xsl:attribute> <u> <xsl:value-of select="pluginName" /> </u> </td> |
I saved my changes, restarted the NessusClient, and ran my report. The above code produced a new column that lists the plugin name in a center column within the "List of vulnerabilities" table:
You can see that we have some interesting results from our search filter. We get to see both SMB and NFS shares that were found readable during the scan. We can click on any of the plugin IDs and it will take us to that section of the report and display the vulnerability details for each host.
Conclusion
The new XSLT reporting function is very flexible and easy to use. The built-in reports, in combination with the filtering feature, provide a quick way to create customized reports in several different formats. XSLT enables interaction with the .nessus XML format so the end user can write and define custom report styles. You can start by modifying some of the existing stylesheets, then move on to creating new ones on your own. Whether you are creating brand new reports or modifying the existing ones, you are encouraged to share your work with the community. If you think that others will benefit from your custom reports please head over to the Nessus discussions forum and feel free to post your work. This is a great way to get feedback on your stylesheets and participate in the community.
Resources
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Nessus