Support » Guides » From Nessus to Word
In this guide we’re going to cover the process of creating a custom Dradis template to display data imported from Nessus. The same concepts apply to any of the other plugins.
Remember that you can merge the output from multiple tools using the Plugin Manager.
Other similar guides:
You will also learn how to filter and sort the findings in the report by CVSSv2 ranges.
You can click on the images in the guide to get a bigger/uncropped version.
We want to create a template with three sections:
Here are some screenshots of the structure of the final report we are aiming for:
Summary of findings by host
Full details in each host
List of issues, with affected hosts
You can download the guide’s resources including a sample Nessus file and the finished template using the Download resources box in the sidebar.
The Plugin Manager is the module you can use to map between the output of different tools and the format you need for your report.
For example, some tools will have vulnerability names whilst others will have issue titles. Some will have a descriptions and others will provide a background, some talk about recommendations and others about mitigation, etc.
To make things more interesting we’re going to have different nomenclature in our report to the default that Nessus provides. What Nessus calls a plugin name, we will call a Title. Nessus’ description field will become our issue background and the solution field will be renamed to mitigation. We use the Plugin Manager to define the mapping between these different names.
The Plugin Manager kicks in just after uploading one of the files supported by the tool (Nessus, Qualys, Nexpose, etc.). It uses user-defined templates to map between the names and structure defined in the original file produced by the tool and those that you needs for your report.
For example, the following
<ReportHost> content from a Nessus file:
<ReportHost name="10.0.0.1"> <HostProperties> <tag name="host-ip">10.0.0.1</tag> <tag name="host-fqdn">dc1.localdomain</tag> <tag name="operating-system">Windows Server 2008</tag> <tag name="mac-address">00:01:02:03:04:05</tag> <tag name="netbios-name">DC1</tag> <tag name="HOST_END">Tue Aug 9 09:59:24 2011</tag> <tag name="HOST_START">Tue Aug 9 09:50:18 2011</tag> </HostProperties> <ReportItem/> </ReportHost>
Will be transformed in this Dradis note:
#[Host information]# Name: 10.0.0.1 IP address: 10.0.0.1 FQDN: dc1.localdomain OS: Windows Server 2008 Mac address: 00:01:02:03:04:05 Netbios name: DC1 #[Scan information]# Scan started: Tue Aug 9 09:50:18 2011 Scan ended: Tue Aug 9 09:59:24 2011
By defining the following template in the Plugin Manager:
#[Host information]# Name: %report_host.name% IP address: %report_host.ip% FQDN: %report_host.fqdn% OS: %report_host.operating_system% Mac address: %report_host.mac_address% Netbios name: %report_host.netbios_name% #[Scan information]# Scan started: %report_host.scan_start_time% Scan ended: %report_host.scan_stop_time%
The original plugin names are between
% symbols. As you can see, you can move them around or group them in the way that makes more sense to you.
We’ll learn how to define your own templates a bit later in this guide.
Each plugin defines a series of templates for different concepts used by the tool they are importing from. For example, Nessus defines two templates:
<ReportItem>data of the uploaded file.
<ReportItem>entry in the uploaded file.
Log into your Dradis Pro appliance and locate the Plugin Manager under the
Plugins link in the main navigation bar:
NessusUpload link on the left-hand side of the screen. As already discussed about, some plugins such as Nessus define more than one template. You can switch between templates using the upper-right dropwdown list:
Report item template and paste the following in the
#[Title]# %report_item.plugin_name% #[Background]# %report_item.description% #[Mitigation]# %report_item.solution% #[CVSSv2]# %report_item.cvss_base_score%
At this point the preview window should be showing you this mapping:
We have effectively renamed the fields from Nessus to the labels we need for the report. This is exactly what the Plugin Manager is about.
The Nessus plugin provides access to a handful of other fields (exploitability ease, presence in Canvas, Core and Metasploit, CVE references, etc.) but we are not interested in those for this example. You can see the full list of available fields by clicking on the
Available fields link on the left-hand side
Each template defines its own fields which in turn depend on the information that the tool makes available to us.
Now that we have configured the Plugin Manager to fit our needs we can upload a file (use the sample provided in the resources package for this guide). Confirm that the Issues that have been added to the report conform to the structure we have defined in the template above.
It’s time to fire up Word and create our report template.
Conceptually what we’re trying to do in this section is easy: list all the hosts and for each of them create display the list of issues that affect it ordered by severity.
To accomplish this we are going to need a
Node content control (to cycle through all the hosts) and inside it, 4
Issue content controls (one for each risk rating) with the corresponding
CVSSv2 filters. As a refresher, this is how you define a filter (read more in Advanced reporting: filters, groups and properties):
In this case we are listing all the hosts again, but we want to provide full details about each of the issues including the background, solution and plugin output.
There is nothing special about this section. If you need more information about reporting by host, or displaying the Evidence associated with a given instance please revisit the Reporting by host, reporting by issue guide.
This one is another simple section but it is interesting as it provides the information the other way around. Instead of going from each host and displaying all the issues that affect it, we will cycle through the issues and display all the hosts affected by them.
We have different tables for each of the risk ratings and in each table we have three content controls:
Titlefield of the issue.
Affectedmeta-field. This is a special field that lists the label of all the nodes affected by a given issue (those that have a piece of Evidence linking them to the issue).
Issuetag with the corresponding
If you are following along with the resources package, you will notices something strange. After uploading the Nessus file you get plenty of issues in Dradis, but when you export, you only get a handful of them in the report:
In the exported report
This is the expected result, and it has to do with the way in which we have defined our issue filters. If you remember we defined our informational findings as those having a CVSSv2 score of 0:
If you open any of the issues that don’t appear in the report you will see that they don’t have an associated CVSSv2 score. Nessus doesn’t assign one to these type of issues. When a field exists in your Plugin Manager template but is not available in the source file, we fall back to provide a
n/a (i.e. not available) value. Like this:
This means that we could adjust the filter in our Word template to capture all this findings in the report:
This will match all those informational entries which will now be included in the final report:
Mini-intro to the Plugin Manager
A summary of issues affecting each host
Summary of issues
Why are only 4 issues exported?
Our users can download the resources used in this guide here.