Hey everyone,

I wrote this script recently at work.  We needed a way
to monitor which Nessus users were scanning what, mainly
to catch misuse by our own users, e.g. scanning servers
outside our network...

Anyway, I thought it might be useful, enjoy.
Austin

P.S. We run it as a daily cron job at 11:55pm.  Note that it
reports everything logged since local midnight, so the last five
minutes of each day fall outside every run's window.  I also have
some plugin logging/notification scripts I will post soon -- they
email you which plugins were updated; we run ours every four hours.
======================================================
#!/usr/bin/perl

#####################################
#  nessus-alert.pl
#
#  Austin Gilbert
#  2-7-02
#
#  This program searches the nessusd
#  message log and emails an HTML report
#  of today's scans to a specified contact.
#  
######################################
use Mail::Sendmail;
use Time::Local;
use Socket;

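# --- Site configuration ---------------------------------------------------
my $contacts    = '[EMAIL PROTECTED]';      # recipient(s) of the daily report
my $reply_to    = '[EMAIL PROTECTED]';
my $from        = '[EMAIL PROTECTED]';
my $smtp_server = 'your-mail-server-here';  # host Mail::Sendmail relays through
our $log        = '/usr/local/var/nessus/logs/nessusd.messages';

# Per-run state, keyed by "<user>|<epoch seconds of the log line>".  The
# key is derived from the log line's timestamp, so two records from the same
# user in the same second would overwrite each other.
our %sessions;   # -> path the session was saved as
our %attacks;    # -> raw "Target(s) :" string; later rewritten with host names
our %kb;         # -> path the knowledge base was saved as

# ctime-style month abbreviations -> zero-based month number for timelocal().
our %months = (
    Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
    Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
);

# Mail::Sendmail header/option hash.  The body is filled in only if the log
# scan finds something to report.  The report is sent as HTML, so anything
# placed in the body must be escaped first.
our %mail = (
    SMTP           => $smtp_server,
    from           => $from,
    'reply-to'     => $reply_to,
    to             => $contacts,
    subject        => 'Daily Nessus Report',
    'content-type' => 'text/html; charset="iso-8859-1"',
);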
                                                             


           
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
$target = timelocal(0,0,0,$mday,$mon,$year);

open( FILE, "$log" ) or die "Couldn't open file $log\n";

while (<FILE>)
{

  if ( $_ =~ /\[(.*)\]\[/)
  {
          #compare the lines date with the target date.
          ($sday, $smon, $day, $hours, $year,$extra) = split(/ /,$1);
          
          #if there are two spaces in the date, then we have to cope
with this by
          #shifting all the fields by one.
          if ($day eq "" )
          {
                $day = $hours;
                $hours = $year;
                $year = $extra;
          }

          ($hour, $min, $sec) = split(/:/,$hours);
          $test = timelocal( $sec, $min, $hour, $day, $months{$smon},
$year );

          
          if ($test >= $target )
          {
                  if ($_ =~ /user (.*) : session will be saved as
(.*)/ )
                  {
                          $session{"$1|$test"} = $2;
                  }
                  elsif ( $_ =~ /user (.*) starts .* Target\(s\) :
(.*)/ )
                  {
                          $attacks{"$1|$test"} = $2;
                  }
                  elsif ( $_ =~ /user (.*) : new KB will be saved as
(.*)/ )
                  {
                          $kb{"$1|$test"} = $2;
                  }
                  
          }#end if
          
  }#end if
  
}#end while


foreach $user (sort( keys (%attacks) ) )
{
        @test_lines2 = ( );
        @test_lines = split(/,/, $attacks{$user});
        foreach $line (@test_lines)
        {
           if ($line =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/ )
           {
             $target = &dns_lookup( $1, $2, $3, $4 );
             $line =~ s/(\d+)\.(\d+)\.(\d+)\.(\d+)/$target/;
           }###end if
           push (@test_lines2, $line);
           
        }###end foreach
        
        #put the dns names back into a list
        $attacks{$user} = join(',', @test_lines2);

        
        my ($usr, $test) = split(/\|/, $user);
        my $then = scalar localtime($test);
                
        push (@message, "<lh><b>$usr on $then</b></lh>");
        push (@message, "<li>Scanned:  $attacks{$user} </li><br/>");
        push (@message, "<li>Session saved: $sessions{$user}
</li><br/>") unless ($sessions{$user} eq '');
        push (@message, "<li>Results saved: $kb{$user} </li><br/>")
unless ($kb{$user} eq '');
        push (@message, "<br>");
        #print @message,"<br/><br/>";
}

if (defined @message)
{
        #if there is a message then send it out. otherwise exit.
        my $html = join('', @message);
        $mail{body} = <<END_OF_BODY;
        <html><head/><body>$html</body></html>
END_OF_BODY

        sendmail(%mail) || print "Error: $Mail::Sendmail::error\n";
}



##################################
# dns_lookup
#
# reverse-resolves the four octets passed in; if
# the lookup fails, returns the dotted-quad address.
##################################
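sub dns_lookup
{
    my @octets = @_;
    my $dotted = join('.', @octets);

    # The caller matches octets with \d+, so values above 255 (or fewer than
    # four octets) are possible.  pack('C4') would silently wrap an
    # out-of-range octet (e.g. 300 -> 44) and resolve the wrong address, so
    # such input is handed back unchanged instead.
    my $is_ipv4 = @octets == 4 && !grep { !/^\d{1,3}$/ || $_ > 255 } @octets;
    return $dotted unless $is_ipv4;

    # In scalar context gethostbyaddr() returns just the canonical name, or
    # undef when the reverse lookup fails.
    my $name = gethostbyaddr(pack('C4', @octets), AF_INET);
    return $dotted unless defined $name && $name ne '';

    # NOTE: this name comes from the scanned host's PTR record, i.e. whoever
    # controls that address space chose it -- callers must treat it as
    # untrusted text, not as an identifier.
    return $name;
}###end sub dns_lookup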



