In trying to use Nessus to test for the MS-Blast worm in a fairly
large-scale (over 10,000 machines) environment, I've been thinking about the
best way to use Nessus to discover a particular issue rather than
scanning for all >1700 tests. Right now, I have collected data using
only the following scripts:
* smb_reg_service_pack_NT4/XP/Win2k
* smb_nt_ms03-026
* msrpc_dcom
* smb_msblast
* all other required NASLs such as smb_login, netbios_name_get,
find_service, etc
Based on this information, I have thought about 2 ways to report on
this. These reports would be given to the desktop support group so that
they know the status of the machine before they perform the repair.
These guys can't be given a huge book with a listing of every host that
has a NULL share or Win2k < SP3. So, what about:
1) writing a Perl script to munge the output from these scans to
generate a report. This could be messy and would need to be completely
re-written for each new massive scan that would be done.
2) writing a "wrapper" NASL that would look like this (this is
only pseudo-NASL code):

# Begin pseudo-script
# check_vulnerable() stands for "did this script report a finding?";
# it is a placeholder, not a NASL built-in.
script_dependencies("smb_reg_service_pack_NT4/XP/Win2k",
                    "smb_nt_ms03-026", "msrpc_dcom", "smb_msblast");
script_require_keys("SMB/name", "SMB/login");

if (check_vulnerable(msrpc_dcom.nasl) ||
    check_vulnerable(smb_nt_ms03-026.nasl))
{
  if (check_vulnerable(smb_msblast.nasl))
  {
    # Vulnerable and infected
    security_hole(string("The machine ", get_kb_item("SMB/name"),
      " with userid ", get_kb_item("SMB/userid"),
      " and Service Pack ", get_kb_item("SMB/ServicePack"),
      " is currently infected with the MS-Blaster virus."));
  }
  else
  {
    # Vulnerable but not infected
    security_warning(string("The machine ", get_kb_item("SMB/name"),
      " with userid ", get_kb_item("SMB/userid"),
      " and Service Pack ", get_kb_item("SMB/ServicePack"),
      " needs to have the RPC DCOM overflow patch installed."));
  }
}
# End pseudo-script

Thoughts?
--Keith
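
An added example, not part of the original post: a sketch of option 1 (post-processing the scan output) that applies the same decision tree as the wrapper pseudo-script, written in Python rather than Perl. It assumes results were exported in Nessus's pipe-delimited NBE layout; the plugin IDs and the sample rows are constructed placeholders, and the "INFECTED, PATCHED" state is an extra case the pseudo-script does not report.

```python
from collections import defaultdict

# Placeholder plugin IDs (constructed for this example); substitute the
# script_id() values from the NASL scripts actually used in the scan.
VULN_PLUGINS = {"90001", "90002"}   # stand-ins for msrpc_dcom, smb_nt_ms03-026
INFECTED_PLUGINS = {"90003"}        # stand-in for smb_msblast

# Constructed sample rows in the assumed NBE layout:
# results|subnet|host|port|plugin_id|type|description
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Aug 18 09:00:00 2003|
results|10.1.2|10.1.2.10|epmap (135/tcp)
results|10.1.2|10.1.2.10|epmap (135/tcp)|90001|Security Hole|constructed finding
results|10.1.2|10.1.2.10|microsoft-ds (445/tcp)|90003|Security Hole|constructed finding
results|10.1.2|10.1.2.11|epmap (135/tcp)|90002|Security Hole|constructed finding
results|10.1.2|10.1.2.12|netbios-ssn (139/tcp)|90009|Security Note|unrelated finding
results|10.1.2|10.1.2.13|microsoft-ds (445/tcp)|90003|Security Hole|constructed finding
"""

def parse_nbe(text):
    """Return {host: set of plugin IDs that fired} from 'results' rows."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 3 or fields[0] != "results":
            continue  # timestamps and malformed rows
        if len(fields) >= 5 and fields[4]:  # open-port rows carry no plugin ID
            hosts[fields[2]].add(fields[4])
    return hosts

def classify(plugins):
    """Apply the wrapper pseudo-script's decision tree to one host."""
    vulnerable = bool(plugins & VULN_PLUGINS)
    infected = bool(plugins & INFECTED_PLUGINS)
    if vulnerable:
        return "INFECTED" if infected else "NEEDS PATCH"
    # Not in the pseudo-script: worm detected on a host that is already patched.
    return "INFECTED, PATCHED" if infected else "OK"

def report(text):
    """One (host, status) row per host that needs attention, sorted by host."""
    rows = [(h, classify(p)) for h, p in sorted(parse_nbe(text).items())]
    return [r for r in rows if r[1] != "OK"]

if __name__ == "__main__":
    for host, status in report(SAMPLE_NBE):
        print(f"{host:<15} {status}")
```

Because the plugin sets are the only scan-specific part, a later mass scan for a different issue needs new IDs and status strings rather than a rewrite.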