I've been beefing up the security of my home network recently. If you were to ask me why, I could
rattle out a few good excuses, such as "it's good to maintain good computer hygiene, especially at
home" or "as a fan of CTFs, I'm concerned that I'll accidentally pick up something nasty which
will own my network". Oooo, hey, here's a good one: "to be a good red teamer, you have to know how
blue teams operate". Those excuses are all well and good; to be honest, though, the real reason I'm
messing around with defensive security nowadays is that it's just fun as hell.
Today's debauchery had to do with Nessus. Nessus is a tool that's used during security assessments
to map out the vulnerabilities of systems running on a target network; however, it can be and is also used
by blue teams to sweep their networks looking for any unpatched issues so that they can fix them
before they get owned.
Little-known fact for people outside the security community: you can run Nessus for free on your
home network (with some limitations -- notably, you can only scan up to 16 hosts). So, I set one up
on my network and have it scanning my systems every day. It does whine about my self-signed certs
and a number of issues that would be problematic in a business context but are arguably acceptable
at home; the griping is well worth it when I get that occasional e-mail notification that tells me
which systems are vulnerable to the latest discovered attack.
As useful as e-mail notifications are, I thought that I could do one better. I have a graylog server
whose job is to collect log information from the plethora of devices I've got living on my network,
and I've been working to centralize that information so that I can correlate attacks (highly useful
on a home network, as you can imagine... Like I said, I'm doing this for the lulz). Thought I'd
share the love.
The Nessus API
Nessus has a nice RESTful API, which is documented here: https://cloud.tenable.com/api. With a
little Python, extracting the latest scan results is trivial:
The code is (hopefully) self-explanatory: connect to your Nessus instance, grab the list of scans
that you've set up. For each scan, iterate through the found hosts and extract any low, medium, high,
or critical vulnerabilities. Finally, print out the host name (IP address), plugin name, and
severity level. I stuck to those three pieces of information, mainly because I don't want to flood
my logging system with too much information; I want to keep it readable. All of the info is readily
available on the Nessus server; the idea here is to be able to correlate and identify new threats.
Logging Nessus data to graylog
Once we've extracted the vulnerabilities from Nessus, all that's left to do is push them to graylog.
To achieve this, I used graypy (https://pypi.python.org/pypi/graypy) to push the information, after
setting up a UDP GELF input:
While this does the trick, I'm not particularly happy with it yet. I think it would probably be
better to set the severity of the log entry to match the Nessus severity. Another thing that
would make sense is to set the source to that of the Nessus host. The trick to achieving this
probably lies in customizing the formatter of the log. I played around with this a little, but
haven't quite figured it out yet.
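As an added example (my own code, not the post's script or anything from Tenable or Graylog), here is the scan walk from "The Nessus API" together with the GELF push from this section, written against the standard library only so it does not need graypy and can build the record the way the paragraph above wishes for: GELF level set from the Nessus severity and the scanned host used as the source. It assumes API-key authentication through the X-ApiKeys header, the /scans, /scans/{id} and /scans/{id}/hosts/{host_id} endpoints with the field names shown, and a GELF UDP input on port 12201; the severity-to-syslog-level mapping is my choice.

```python
import json
import socket
import ssl
import urllib.request

# Nessus severity index -> (label, syslog level for the GELF "level" field).
# Level mapping is my choice: critical=2 (crit), high=3 (err), medium=4 (warning), low=5 (notice).
SEVERITY = {1: ("low", 5), 2: ("medium", 4), 3: ("high", 3), 4: ("critical", 2)}

def nessus_get(base_url, access_key, secret_key, path):
    """GET a Nessus REST endpoint with API-key headers and return the parsed JSON body."""
    req = urllib.request.Request(base_url + path, headers={
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}"})
    ctx = ssl.create_default_context()  # load your own CA here if Nessus uses a self-signed cert
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def extract_findings(host_detail, hostname):
    """Keep low..critical findings from a /scans/{id}/hosts/{host_id} reply; severity 0 is informational."""
    return [(hostname, v["plugin_name"], SEVERITY[v["severity"]][0])
            for v in host_detail["vulnerabilities"] if v["severity"] in SEVERITY]

def collect(base_url, access_key, secret_key):
    """Walk every scan and host; return (host, plugin name, severity) tuples as in the post."""
    get = lambda path: nessus_get(base_url, access_key, secret_key, path)
    findings = []
    for scan in get("/scans")["scans"]:
        for host in get(f"/scans/{scan['id']}")["hosts"]:
            detail = get(f"/scans/{scan['id']}/hosts/{host['host_id']}")
            findings += extract_findings(detail, host["hostname"])
    return findings

def gelf_message(hostname, plugin_name, severity, nessus_server):
    """Build a GELF 1.1 record: source is the scanned host, level follows the Nessus severity."""
    level = dict(SEVERITY.values())[severity]
    return {"version": "1.1", "host": hostname, "short_message": f"{severity}: {plugin_name}",
            "level": level, "_plugin_name": plugin_name, "_severity": severity,
            "_nessus_server": nessus_server}

def send_gelf_udp(message, graylog_host, port=12201):
    """Send one record to a Graylog GELF UDP input (records this small need no chunking)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(json.dumps(message).encode("utf-8"), (graylog_host, port))

# Constructed sample in the shape of a /scans/{id}/hosts/{host_id} reply, not captured from a real server.
SAMPLE_HOST_DETAIL = {"vulnerabilities": [
    {"plugin_name": "Traceroute Information", "severity": 0},
    {"plugin_name": "SSL Self-Signed Certificate", "severity": 2},
    {"plugin_name": "Constructed critical finding", "severity": 4}]}
```

To run it against a real instance, call `collect()` with your Nessus URL and keys and pass each tuple through `gelf_message()` and `send_gelf_udp()`; the sample dictionary lets you check the filtering and the GELF record offline first.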
Setting up graylog alerts
Once you have vulnerability scans logged, you can leverage graylog's threshold notifications to
notify you by e-mail when new findings come up. In the long term, I think there's room for improvement;
for instance, one could track not just the plugin names with python but the scan details from scan
to scan, and report on differences, providing much more detail on what's changed.