On Mon, Mar 15, 2004 at 09:40:48AM -0500, McCarthy, Daniel J Mr NSS-P/SETA wrote:
> 1. I have started to create custom policies from the .nessusrc. When
> running nessus-update-plugin, how can the new plugins be tracked for
> placement into the custom policies?
Provided your policies aren't too complicated, my update-nessusrc script
might prove useful for this. It's a Perl script that lets you enable
plugins in a configuration file by category, family, risk factor, and/or
plugin id. For example, let's say you have a custom policy for mail
servers in which you wish to fingerprint mail servers using plugin
#11421 and test them for vulnerabilities in the "SMTP problems" family.
Once you create a special config file for this (call it .nessusrc-smtp),
you'd keep it updated with the command:
update-nessusrc -i 11421 -f "SMTP problems" .nessusrc-smtp
This would ensure that plugins in the desired family are enabled and all
others, except for #11421, are disabled.
> 2. Is there, or can there be a way to search all plugin families and
> identify only plugins for specific device types. For example: If I
> want to scan for vulnerabilities on routers is or can there be a way
> to sort or search for the router checks?
I don't believe there's a general way of doing this. Depending on your
query, you may be able to simply use the plugin category or family. If
that's not an option, though, I suspect you need to resort to searching
various descriptive fields, especially name and description.
> 3. Is there a common criteria for the Nessus severity ratings and is
> or can there be a way to sort vulnerabilities based on the risk level
> assigned?
As I understand it, risk factors may be assigned by each plugin's
author(s) so what one author might regard as a critical risk another
might consider high risk. Further, they're not standardized, as this
frequency distribution of risk factors in the current plugin set should
illustrate:
Critical                                                      18
From None to High                                              1
High                                                         912
High (If UseLogin is enabled, and locally)                     1
High (Local) / None (remote with no account)                   5
High (local) / None (remote)                                   1
High (locally)                                                 1
High if your configuration file is not well set up             1
Low                                                          322
Low (Windows NT, Windows 2000) / High (Windows 2003)           1
Low (if you are not using Kerberos) or High (if kerberos is    1
Low (remotely) / High (locally)                                1
Low to High                                                    1
Low to High, depending on the function of the web site         1
Low/Medium                                                    15
Low/None                                                       1
Medium                                                       322
Medium / High (depending on the sensitivity of your web        1
Medium [remote] / High [local].                                1
Medium if not running snmp - because someone could enable      1
Medium/High                                                   19
Medium/Low                                                     3
Medium/Serious                                                 2
Moderate                                                       3
None                                                          40
None / High                                                    3
None / Medium                                                  1
Serious                                                      349
Serious / Low                                                  1
Very low / none                                                1
n/a                                                           15
Still, if you want to work with risk factors, you can. My
update-nessusrc script allows you to enable plugins based on the risk
factor (specified as a Perl regular expression).
And another of my scripts (describe-nessus-plugin, see
<http://www.tifaware.com/perl/describe-nessus-plugin>) lets you report
the risk factor for plugins you specify on the commandline. With that
and a relatively simple filter, you could generate plenty of interesting
output; e.g., a CSV file with plugin id, name, risk level, etc. for import
to Excel.
Hope this helps,
George
--
[EMAIL PROTECTED]
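To make the two ideas in George's reply concrete, the following is an added example (it is not George's update-nessusrc or describe-nessus-plugin code, and it is written in Python rather than Perl so it can be run as-is): it selects plugins by id, family, category, or a regular expression over the risk factor, as the reply describes, then emits the CSV of plugin id, name and risk level the reply suggests. It also folds the free-form risk strings from the distribution above into a single most-severe level, which is one way to get a sortable risk column despite the lack of standardisation. The plugin records, the severity ranking used for normalisation, and the function names are all constructed assumptions, not real Nessus data or an existing API.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample plugin metadata; these are illustrative records, not real
# Nessus plugins, and the risk strings imitate the free-form values in the post.
SAMPLE_PLUGINS = [
    {"id": 11421, "name": "SMTP server fingerprint", "family": "General",
     "category": "infos", "risk": "None"},
    {"id": 10263, "name": "SMTP Server type and version", "family": "SMTP problems",
     "category": "infos", "risk": "Low"},
    {"id": 10271, "name": "EXPN and VRFY commands", "family": "SMTP problems",
     "category": "attack", "risk": "Medium / High (depending on policy)"},
    {"id": 12345, "name": "Hypothetical router check", "family": "Misc.",
     "category": "attack", "risk": "High (local) / None (remote)"},
    {"id": 10001, "name": "Hypothetical web check", "family": "CGI abuses",
     "category": "attack", "risk": "Low to High"},
    {"id": 10002, "name": "Hypothetical denial of service", "family": "Denial of Service",
     "category": "denial", "risk": "n/a"},
]

# Assumed severity ranking, most severe first; "moderate" is folded into "medium".
RISK_ORDER = ["critical", "high", "serious", "medium", "low", "none"]
_RISK_WORD = re.compile(r"\b(critical|high|serious|medium|moderate|low|none)\b",
                        re.IGNORECASE)


def normalize_risk(risk):
    """Reduce a free-form risk string to the most severe level it mentions.

    "High (local) / None (remote)" -> "high", "Low to High" -> "high",
    "n/a" -> "unknown".  Taking the worst case keeps sorting conservative.
    """
    found = {"medium" if w.lower() == "moderate" else w.lower()
             for w in _RISK_WORD.findall(risk)}
    for level in RISK_ORDER:
        if level in found:
            return level
    return "unknown"


def select_plugins(plugins, ids=(), families=(), categories=(), risk_re=None):
    """Return the sorted ids of plugins enabled by id, family, category, or a
    case-insensitive regex over the raw risk factor; everything else stays off."""
    ids, families, categories = set(ids), set(families), set(categories)
    pattern = re.compile(risk_re, re.IGNORECASE) if risk_re else None
    enabled = []
    for p in plugins:
        if (p["id"] in ids or p["family"] in families or p["category"] in categories
                or (pattern is not None and pattern.search(p["risk"]))):
            enabled.append(p["id"])
    return sorted(enabled)


def risk_distribution(plugins):
    """Frequency of raw risk strings, like the table in the post."""
    return Counter(p["risk"] for p in plugins)


def to_csv(plugins, enabled_ids):
    """CSV with id, name, family, raw risk, normalized risk and enabled flag."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "name", "family", "risk", "risk_normalized", "enabled"])
    for p in sorted(plugins, key=lambda rec: rec["id"]):
        writer.writerow([p["id"], p["name"], p["family"], p["risk"],
                         normalize_risk(p["risk"]),
                         "yes" if p["id"] in enabled_ids else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    # Equivalent of: update-nessusrc -i 11421 -f "SMTP problems" .nessusrc-smtp
    enabled = select_plugins(SAMPLE_PLUGINS, ids=[11421], families=["SMTP problems"])
    print(to_csv(SAMPLE_PLUGINS, set(enabled)))
    for risk, count in sorted(risk_distribution(SAMPLE_PLUGINS).items()):
        print(f"{risk:50} {count}")
```

The selection is a plain union of the criteria, which matches the behaviour described for the mail-server policy: the named family and the single extra id are enabled, and nothing else is. The risk regex is applied to the raw string, so `risk_re=r"high"` picks up plugins whose factor is conditional ("Low to High") as well as those that are simply "High"; run the normalized column through a spreadsheet filter if you want only the unconditional ones.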
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
