Logging Nessus vulnerabilities to graylog

Sat 08 July 2017

I've been beefing up the security of my home network recently. If you were to ask me why, I could rattle out a few good excuses, such as "it's good to maintain good computer hygiene, especially at home" or "as a fan of CTF's, I'm concerned that I'll accidentally pick up something nasty which will own my network". Oooo, hey, here's a good one: "to be a good red teamer, you have to know how blue teams operate". Those excuses are all well and good; to be honest, though, the real reason I'm messing around with defensive security nowadays is that it's just fun as hell.

Today's debauchery had to do with Nessus. Nessus is a tool that's used during security assessments to map out the vulnerabilities of systems running on a target network; however, it can be and is also used by blue teams to sweep their networks looking for any unpatched issues so that they can fix them before they get owned.

Little known fact for people outside the security community: you can run Nessus for free on your home network (with some limitations -- notably, you can only scan up to 16 hosts). So, I set one up on my network and have it scanning my systems every day. It does whine about my self-signed certs and a number of issues that would be problematic in a business context but are arguably acceptable at home; the griping is well worth it when I get that occasional e-mail notification that tells me which systems are vulnerable to the latest discovered attack.

As useful as e-mail notifications are, I thought that I could do one better. I have a graylog server whose job is to collect log information from the plethora of devices I've got living on my network, and I've been working to centralize that information so that I can correlate attacks (highly useful on a home network, as you can imagine... Like I said, I'm doing this for the lulz). Thought I'd share the love.

The Nessus API

Nessus has a nice RESTful API, which is documented here: https://cloud.tenable.com/api. With a little python, extracting the latest scan results is trivial:

The code is (hopefully) self-explanatory: connect to your Nessus instance, grab the list of scans that you've set up. For each scan, iterate through the found hosts and extract any low, medium, high, or critical vulnerabilities. Finally, print out the host name (IP address), plugin name, and severity level. I stuck to those three pieces of information, namely because I don't want to flood my logging system with too much information; I want to keep it readable. All of the info is readily available on the Nessus server, the idea here is to be able to correlate and identify new threats.

Logging Nessus data to graylog

Once we've extracted the vulnerabilities from Nessus, all that's left to do is push them to graylog. To achieve this, I used graypy (https://pypi.python.org/pypi/graypy) to push the information, after setting up a UDP GELF input:

While this does the trick, I'm not particulary happy with this yet. I think it would probably be better to set the severity of the log entry to match that of the Nessus severity. Another thing that would make sense is to set the source to be that of the Nessus host. The trick to achieving this probably lies in customizing the formatter of the log. I played around with this a little bit, but haven't quite figured this out yet.

Setting up graylog alerts

Once you have vulnerability scans logged, you can leverage graylog's threshold notifications to alert you by e-mail when new alerts come up. In the long term, I think there's room for improvement; for instance, one could track not just the plugin names with python but the scan details from scan to scan, and report on differences, providing much more detail on what's changed.

blogroll

social