The following changes are needed for Nessus version 5.2.1 to output CSV files in the proper format for Splunk 5.0.3 with the Nessus In Splunk version 1.3 app installed.
These were the changes made to version 0.9 (commit 2531a71a527b0ee754eeb5659acb6fcfa8046ec3) of the repo located here: https://github.com/gcattani/simple-nessus.git
diff –git a/simple-nessus.pl b/simple-nessus.pl
old mode 100644
new mode 100755
index b3e0c4e..ff656b3
— a/simple-nessus.pl
+++ b/simple-nessus.pl
@@ -9,7 +9,7 @@
use strict;
use warnings;
–
+use Switch;
use Getopt::Long;
use XML::Simple;
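Review bot: `use Switch;` pulls in a source-filter module that has been out of core Perl since 5.14 and is known to mis-parse surrounding code, and its only use is the five-way severity mapping in the `@@ -210,7 +212,14 @@` hunk. A plain hash does the same job without the dependency: `my %name_of_severity = (0 => 'None', 1 => 'Low', 2 => 'Medium', 3 => 'High', 4 => 'Critical');` at file scope and `$severity_code = $name_of_severity{$severity_id} if exists $name_of_severity{$severity_id};` in place of the switch block, which also keeps the existing `"None"` default for an unexpected value. Dropping the import removes a module that anyone following these Splunk setup notes would otherwise have to install.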
@@ -17,7 +17,7 @@ use XML::Simple;
##### Defaults
# Must-have
-my $sev_in = “L”;
+my $sev_in = “N”; # None or 0
my $output = “O”;
my $v1 = ”;
my $v2 = ”;
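Review bot: The new default `"N"` changes what the script emits when no SEVERITY argument is given: sev_calc maps it to 0 in the `@@ -226,7 +235,10 @@` hunk and the v2 loop keeps items with `severity >= $severity`, so severity-0 informational plugins are now included by default where version 0.9 started at Low. That is presumably intended for the Splunk import, but the comment `# None or 0` does not say so; a reader would want `# "N" (level 0): no filtering, informational plugins are included by default` on that line, and the same point in helper()'s usage text.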
@@ -34,7 +34,7 @@ GetOptions (
“output=s” => \$output,
“v1” => \$v1,
“v2” => \$v2,
– “ports” => \$show_ports,
+ “ports” => \$show_ports,
help => sub { helper(); }
) or die &helper();
@@ -50,7 +50,7 @@ if ($output eq “T”) {
# Checks for $show_ports
if ($show_ports){
– print CSV “host;vulnerability;port\n”;
+ print CSV “PluginID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,Plugin_Output\n”;
} else {
print CSV “host;vulnerability\n”;
}
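Review bot: The header only takes the Splunk layout when `$show_ports` is true; without `-ports` the C output keeps the old `host;vulnerability` semicolon format, so a run that omits the flag produces a file the Nessus In Splunk app will not parse, and nothing in the script says so. If `-ports` is now required for Splunk output, a comment on the added line such as `# Column layout expected by Nessus In Splunk 1.3; requires -ports` (and a mention in helper()) would save the next user a silent import failure; if it is not, both branches should emit the same delimiter and column set.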
@@ -84,9 +84,7 @@ if($v1){
my $report_item = $host->{ReportItem};
foreach my $item ( @$report_item ){
– if ( $item->{severity} >= $severity ) {
– &print_vuln($output, $host->{HostName}, $item->{pluginName}, $item->{port});
– }
+ &print_vuln($output, $host->{HostName}, $item->{pluginName}, $item->{port});
}
} # End of Main Loop V1
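Review bot: The v1 loop still calls print_vuln with the old four arguments while the `@@ -179,9 +177,13 @@` hunk changes the sub to read seven positional parameters, so under `-v1` the hostname lands in `$plugin_id`, the plugin name in `$severity_id`, the port in `$host_ip` and the remaining fields are undef; every column of the CSV row printed for v1 files is therefore wrong. The hunk also drops the `severity >= $severity` check for v1 while the v2 loop in the next hunk keeps it, so the SEVERITY argument is silently ignored for v1 files. Restoring the filter and passing the same seven values as the v2 call fixes both: `if ( $item->{severity} >= $severity ) {` / `&print_vuln($output, $item->{pluginID}, $item->{severity}, $host->{HostName}, $item->{port}, $item->{pluginName}, $item->{data});` / `}` — this assumes the v1 ReportItem carries `pluginID` and `data` as the v2 call does, which should be checked against a v1 file.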
@@ -118,7 +116,7 @@ if ($v2){
foreach my $item ( @$report_item ){
if ( $item->{severity} >= $severity ) {
– &print_vuln($output, $properties->{“host-ip”}, $item->{pluginName}, $item->{port});
+ &print_vuln($output, $item->{pluginID},$item->{severity},$properties->{“host-ip”},$item->{port}, $item->{pluginName}, $it
}
}
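Review bot: The new call on the `+` line is cut off at `$it` on this page, so the seventh argument feeding `$_[6]` (`$host_vuln`, the Description column) cannot be reviewed here; please confirm it is the ReportItem text intended for that column. Seven positional scalars that all interpolate into one CSV row are easy to transpose, as the v1 loop in the previous hunk shows; a trailing hash of named arguments, `&print_vuln($output, plugin_id => $item->{pluginID}, severity => $item->{severity}, ...)` unpacked with `my ($print_check, %field) = @_;`, would make each call site self-describing. The enclosing v2 loop starts before this hunk.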
@@ -179,9 +177,13 @@ sub print_host(){
# print_vuln(output, host-ip, vulnerability, port);
sub print_vuln(){
my $print_check = $_[0]; # $output
– my $host_ip = $_[1];
– my $host_vuln = $_[2];
– my $host_port = $_[3];
+ my $plugin_id = $_[1]; # pluginID
+ my $severity_id = $_[2]; # severity
+ my $host_ip = $_[3]; # host-ip
+ my $host_port = $_[4]; # port
+ my $plugin_name = $_[5]; # pluginName
+ my $host_vuln = $_[6]; # data
+ my $severity_code = “None”;
if ($print_check eq “O”) {
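Review bot: The comment `# print_vuln(output, host-ip, vulnerability, port);` just above the sub still documents the four-argument form while the body now reads seven positions; it should read `# print_vuln(output, pluginID, severity, host-ip, port, pluginName, data);`. The `()` in `sub print_vuln()` is an empty prototype, which is why every call site has to use `&print_vuln(...)` to bypass it; dropping it and unpacking once with `my ($print_check, $plugin_id, $severity_id, $host_ip, $host_port, $plugin_name, $host_vuln) = @_;` would replace the seven `$_[n]` lines and let callers use the plain `print_vuln(...)` form. print_vuln's body continues past the end of this hunk.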
@@ -210,7 +212,14 @@ sub print_vuln(){
} elsif($print_check eq “C”) {
if ($show_ports) {
– print CSV “$host_ip;$host_vuln;”,check_port($host_port),”\n”;
+ switch ($severity_id) {
+ case 0 { $severity_code=”None”; }
+ case 1 { $severity_code=”Low”; }
+ case 2 { $severity_code=”Medium”; }
+ case 3 { $severity_code=”High”; }
+ case 4 { $severity_code=”Critical”; }
+ }
+ print CSV “$plugin_id,,,$severity_code,$host_ip,,” . check_port($host_port) . “,$plugin_name,,$host_vuln,,\n”;
} else {
print CSV “$host_ip;$host_vuln\n”;
}
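Review bot: The added `print CSV` line interpolates `$plugin_name` and `$host_vuln` straight into a comma-delimited row, and Nessus plugin names and output text routinely contain commas, double quotes and newlines, so those rows will shift columns or split into extra records in Splunk even though the header promises twelve fixed fields. Each field should be quoted and embedded quotes doubled before joining; the rewrite below does that with a small closure and a single `join`, leaving the severity mapping as it is. Without `-ports` the `else` branch still emits the old semicolon format, so this only affects the Splunk path.
```perl
        # … unchanged: severity_code lookup …
        # Quote every field so commas, quotes and newlines in Nessus text
        # cannot shift the twelve columns the header declares.
        my $csv_field = sub {
            my $value = defined $_[0] ? $_[0] : '';
            $value =~ s/\r?\n/ /g;
            $value =~ s/"/""/g;
            return qq("$value");
        };
        print CSV join(',', map { $csv_field->($_) }
            $plugin_id, '', '', $severity_code, $host_ip, '',
            check_port($host_port), $plugin_name, '', $host_vuln, '', ''
        ), "\n";
```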
@@ -226,7 +235,10 @@ sub print_vuln(){
sub sev_calc(){
my $sev_str = $_[0];
– if ($sev_str eq “L”) {
+ if ($sev_str eq “N”) {
+ return 0;
+
+ } elsif ($sev_str eq “L”) {
return 1;
} elsif ($sev_str eq “M”) {
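Review bot: The added `return 0;` branch is followed by a bare `+` blank line before `} elsif`, and the `@@ -234,6 +246,10 @@` hunk adds the same stray blank lines around the new `"C"` branch, so the chain's spacing is now inconsistent with the untouched L/M/H branches. The whole if/elsif ladder reduces to one lookup: `my %level_of = (N => 0, L => 1, M => 2, H => 3, C => 4);` / `return $level_of{$sev_str} if exists $level_of{$sev_str};` followed by the existing `die helper();`, which keeps every current return value and the error path. sev_calc continues past the end of this hunk.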
@@ -234,6 +246,10 @@ sub sev_calc(){
} elsif ($sev_str eq “H”) {
return 3;
+
+ } elsif ($sev_str eq “C”) {
+ return 4;
+
} else {
die helper(); # This should never happen
@@ -264,4 +280,4 @@ sub check_port(){
sub helper(){
print “\nSimple Nessus 0.9\nUsage: ./simple-nessus.pl {DOT-NESSUS-FILE} {VERSION} [SEVERITY] [OUTPUT] [OPTIONAL]\n\nVERSION:\n -v1 .nessus v1 f
exit;
-}
\ No newline at end of file
+}