dradis:professional

Support » Guides » From Nessus to Word

From Nessus to Word

In this guide we’re going to cover the process of creating a custom Dradis template to display data imported from Nessus. The same concepts apply to any of the other plugins.

Remember that you can merge the output from multiple tools using the Plugin Manager.

Other similar guides:

You will also learn how to filter and sort the findings in the report by CVSSv2 ranges.

You can click on the images in the guide to get a bigger/uncropped version.

1 The result

We want to create a template with three sections:

  • First, we will have a summary section where the issues affecting each host are listed sorted by severity.
  • In the second section we will have the same list of hosts but this time each issue will be described in full detail.
  • Finally we want a section that lists all the issues in the environment along with all the hosts affected by them.

Here are some screenshots of the structure of the final report we are aiming for:

Summary of findings by host

Full details in each host

List of issues, with affected hosts

You can download the guide’s resources including a sample Nessus file and the finished template using the Download resources box in the sidebar.

2 Mini-intro to the Plugin Manager

The Plugin Manager is the module you can use to map between the output of different tools and the format you need for your report.

For example, some tools will have vulnerability names whilst others will have issue titles. Some will have a descriptions and others will provide a background, some talk about recommendations and others about mitigation, etc.

To make things more interesting we’re going to have different nomenclature in our report to the default that Nessus provides. What Nessus calls a plugin name, we will call a Title. Nessus’ description field will become our issue background and the solution field will be renamed to mitigation. We use the Plugin Manager to define the mapping between these different names.

2.1 How does it work?

The Plugin Manager kicks in just after uploading one of the files supported by the tool (Nessus, Qualys, Nexpose, etc.). It uses user-defined templates to map between the names and structure defined in the original file produced by the tool and those that you needs for your report.

For example, the following <ReportHost> content from a Nessus file:

sample_scan.nessus

<ReportHost name="10.0.0.1">
  <HostProperties>
    <tag name="host-ip">10.0.0.1</tag>
    <tag name="host-fqdn">dc1.localdomain</tag>
    <tag name="operating-system">Windows Server 2008</tag>
    <tag name="mac-address">00:01:02:03:04:05</tag>
    <tag name="netbios-name">DC1</tag>
    <tag name="HOST_END">Tue Aug  9 09:59:24 2011</tag>
    <tag name="HOST_START">Tue Aug  9 09:50:18 2011</tag>
  </HostProperties>
  <ReportItem/>
</ReportHost>

Will be transformed in this Dradis note:


#[Host information]#
Name: 10.0.0.1
IP address: 10.0.0.1
FQDN: dc1.localdomain
OS: Windows Server 2008
Mac address: 00:01:02:03:04:05
Netbios name: DC1

#[Scan information]#
Scan started: Tue Aug  9 09:50:18 2011
Scan ended: Tue Aug  9 09:59:24 2011

By defining the following template in the Plugin Manager:


#[Host information]#
Name: %report_host.name%
IP address: %report_host.ip%
FQDN: %report_host.fqdn%
OS: %report_host.operating_system%
Mac address: %report_host.mac_address%
Netbios name: %report_host.netbios_name%

#[Scan information]#
Scan started: %report_host.scan_start_time%
Scan ended: %report_host.scan_stop_time%

The original plugin names are between % symbols. As you can see, you can move them around or group them in the way that makes more sense to you.

We’ll learn how to define your own templates a bit later in this guide.

2.2 Available templates

Each plugin defines a series of templates for different concepts used by the tool they are importing from. For example, Nessus defines two templates:

  • Report host template: this is information about the host. In the Nessus export file, these information will be in the <ReportHost> and <HostProperties> tags.
    The output of this template will be added as a note to the different hosts identified in the uploaded file.
  • Report item template: this contains the information about each vulnerability identified by Nessus. It corresponds to the <ReportItem> data of the uploaded file.
    Dradis will create a new Issue in your project for each <ReportItem> entry in the uploaded file.

2.3 Defining your mapping

Log into your Dradis Pro appliance and locate the Plugin Manager under the Plugins link in the main navigation bar:

Find the NessusUpload link on the left-hand side of the screen. As already discussed about, some plugins such as Nessus define more than one template. You can switch between templates using the upper-right dropwdown list:

Select the Report item template and paste the following in the Editor window:


#[Title]#
%report_item.plugin_name%

#[Background]#
%report_item.description%

#[Mitigation]#
%report_item.solution%

#[CVSSv2]#
%report_item.cvss_base_score%

At this point the preview window should be showing you this mapping:

We have effectively renamed the fields from Nessus to the labels we need for the report. This is exactly what the Plugin Manager is about.

The Nessus plugin provides access to a handful of other fields (exploitability ease, presence in Canvas, Core and Metasploit, CVE references, etc.) but we are not interested in those for this example. You can see the full list of available fields by clicking on the Available fields link on the left-hand side Editor section:

Each template defines its own fields which in turn depend on the information that the tool makes available to us.

Now that we have configured the Plugin Manager to fit our needs we can upload a file (use the sample provided in the resources package for this guide). Confirm that the Issues that have been added to the report conform to the structure we have defined in the template above.

It’s time to fire up Word and create our report template.

3 A summary of issues affecting each host

Conceptually what we’re trying to do in this section is easy: list all the hosts and for each of them create display the list of issues that affect it ordered by severity.

To accomplish this we are going to need a Node content control (to cycle through all the hosts) and inside it, 4 Issue content controls (one for each risk rating) with the corresponding CVSSv2 filters. As a refresher, this is how you define a filter (read more in Advanced reporting: filters, groups and properties):

14p{text-align:center}.

4 Detailed information

In this case we are listing all the hosts again, but we want to provide full details about each of the issues including the background, solution and plugin output.

There is nothing special about this section. If you need more information about reporting by host, or displaying the Evidence associated with a given instance please revisit the Reporting by host, reporting by issue guide.

5 Summary of issues

This one is another simple section but it is interesting as it provides the information the other way around. Instead of going from each host and displaying all the issues that affect it, we will cycle through the issues and display all the hosts affected by them.

We have different tables for each of the risk ratings and in each table we have three content controls:

  • The Title field of the issue.
  • The Affected meta-field. This is a special field that lists the label of all the nodes affected by a given issue (those that have a piece of Evidence linking them to the issue).
  • The enclosing Issue tag with the corresponding CVSSv2 filter.

6 Why are only 4 issues exported?

If you are following along with the resources package, you will notices something strange. After uploading the Nessus file you get plenty of issues in Dradis, but when you export, you only get a handful of them in the report:

In the exported report

In Dradis

This is the expected result, and it has to do with the way in which we have defined our issue filters. If you remember we defined our informational findings as those having a CVSSv2 score of 0:

If you open any of the issues that don’t appear in the report you will see that they don’t have an associated CVSSv2 score. Nessus doesn’t assign one to these type of issues. When a field exists in your Plugin Manager template but is not available in the source file, we fall back to provide a n/a (i.e. not available) value. Like this:


#[CVSSv2]#
n/a

This means that we could adjust the filter in our Word template to capture all this findings in the report:

This will match all those informational entries which will now be included in the final report:

Guide contents

  1. The result

  2. Mini-intro to the Plugin Manager

  3. A summary of issues affecting each host

  4. Detailed information

  5. Summary of issues

  6. Why are only 4 issues exported?

Download resources

Our users can download the resources used in this guide here.