George Ehrhorn edited this page Jan 2, 2020 · 10 revisions

Vulnerability Scanning Over Time

Vanilla Nessus is very good at giving you a point-in-time view of vulnerability scan data. It is not very good at looking at that data over time. Nessus-analyzer attempts to solve this by sending the data to MongoDB.

Configuration

To use the "send to MongoDB" features you need to configure your config.yaml file. A config.yaml.example file is provided as a starting point.

# Configure database environments
# Required fields are: server, port, database, collection

development:
  server:     devmongo
  port:       27017
  database:   nessus
  collection: scans

production:
  server:     mongo
  port:       27017
  database:   nessus
  collection: scans

Sending data to MongoDB

On the command line you can use the --mongo <database> flag to specify one of the databases defined in config.yaml. Optionally, you can tag the scan data with one or more tags. Syntax is --tag tag1,tag2,tag3. Tags need to be separated by commas, with no spaces.

Data Structure

MongoDB is a NoSQL database that enforces no document structure. Documents are stored as JSON objects, which in Ruby means we work with hashes. Our structure is: a scan holds many hosts, and each host has embedded events. Our MongoDB collection (I recommend calling it "scans") holds documents that represent hosts. Each host document has an array of embedded documents that represent scan events.

Doesn't this denormalize my data?

Yes. Nessus events are generated by plugins, and one plugin may generate multiple events. Trying to reference event data from scan data is difficult (and I'm not sure it's worth the effort) because I can't find any documentation on what makes an event unique. If you have an idea on how to do this, let me know.

Querying Data

MongoDB has excellent documentation on queries. Also, we have some example queries that may help get you started. If you're putting any meaningful amount of data into MongoDB you are going to want to create some indexes. Here are some ideas to get you started.
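To make the data structure and the over-time view concrete, here is an added Ruby example (not nessus-analyzer's own code) that builds host documents in the shape described under Data Structure, diffs consecutive scans of one host, and shows the matching MongoDB query document. The field names, plugin ids, severities and the event-uniqueness key (plugin id + port + protocol) are all assumptions.

```ruby
require 'time'

# Added example, not nessus-analyzer's own code. Constructed documents in the
# shape the wiki describes: one document per host with embedded scan events.
# Field names, plugin ids and severities are assumptions.
def doc(host, when_, tags, events)
  { 'host' => host, 'scanned_at' => Time.parse(when_), 'tags' => tags,
    'events' => events.map { |id, port, sev| { 'plugin_id' => id, 'port' => port, 'protocol' => 'tcp', 'severity' => sev } } }
end

SCANS = [
  doc('10.0.0.5', '2020-01-01T00:00:00Z', %w[web dev], [[10107, 80, 0], [42873, 443, 2]]),
  doc('10.0.0.5', '2020-01-08T00:00:00Z', %w[web dev], [[10107, 80, 0], [51192, 443, 2]]),
  doc('10.0.0.9', '2020-01-08T00:00:00Z', %w[db],      [[42873, 3306, 2]]),
]

# The wiki notes nothing documents what makes an event unique; using
# plugin id + port + protocol as the key is an assumption that works for diffing.
def event_keys(document, min_severity)
  document['events'].select { |e| e['severity'] >= min_severity }
                    .map { |e| [e['plugin_id'], e['port'], e['protocol']] }
end

# Compare consecutive scans of one host: which findings appeared, which went
# away, how many persisted. This is the over-time view one .nessus file lacks.
def diff_host_scans(docs, host, min_severity: 0)
  runs = docs.select { |d| d['host'] == host }.sort_by { |d| d['scanned_at'] }
  runs.each_cons(2).map do |older, newer|
    before, after = event_keys(older, min_severity), event_keys(newer, min_severity)
    { from: older['scanned_at'], to: newer['scanned_at'],
      new: (after - before).sort, fixed: (before - after).sort,
      unchanged: (before & after).length }
  end
end

# The same selection as a MongoDB query document (what you would hand to
# collection.find with the Ruby driver): hosts carrying all the given tags
# with at least one event at or above the severity threshold.
def mongo_filter(tags:, min_severity:)
  { 'tags' => { '$all' => tags },
    'events' => { '$elemMatch' => { 'severity' => { '$gte' => min_severity } } } }
end

# Pure-Ruby evaluation of that filter so the example runs without a server.
def apply_filter(docs, tags:, min_severity:)
  docs.select { |d| (tags - d['tags']).empty? && d['events'].any? { |e| e['severity'] >= min_severity } }
end
```

An index on host and scanned_at (descending) is the obvious first one once diff_host_scans is run against a real collection rather than the constructed SCANS array.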

Example

$ ./nessus-analyzer.rb -f report.nessus -d development -t web,dev

Sends data from the report.nessus file to the development database and tags it with the web and dev tags.

Why MongoDB?

It has a Ruby driver. The docs are great. We already had one at work.