MongoDB
Vanilla Nessus is very good at giving you a point-in-time view of vulnerability scan data, but it is not very good at looking at that data over time. Nessus-analyzer attempts to solve this by sending scan data to MongoDB, where results for the same hosts can be compared across scans.

To use the "send to MongoDB" features you need to configure your `config.yaml` file. A `config.yaml.example` file is provided as a starting point.
```yaml
# Configure database environments
# Required fields are: server, port, database, collection
development:
  server: devmongo
  port: 27017
  database: nessus
  collection: scans
production:
  server: mongo
  port: 27017
  database: nessus
  collection: scans
```
On the command line you can use the `--mongo <database>` flag to specify one of the databases defined in `config.yaml`. Optionally, you can tag the scan data with one or more tags. The syntax is `--tag tag1,tag2,tag3`: tags need to be separated by commas, with no spaces.
MongoDB is a NoSQL database that enforces no document structure. Documents are stored as BSON, a binary encoding of JSON, so in Ruby a document is simply a hash. Our structure is: a scan holds many hosts, and each host has embedded events. Our MongoDB collection (I recommend calling it "scans") holds documents that represent hosts. Each host document has an array of embedded documents that represent scan events.
Yes. Nessus events are generated by plugins. One plugin may generate multiple events. Trying to reference event data from scan data is difficult (and I'm not sure it's worth the effort) because I can't find any documentation on what makes an event unique. If you have an idea on how to do this, let me know.
MongoDB has excellent documentation on queries, and we also have some example queries that may help you get started. If you're putting any meaningful amount of data into MongoDB you are going to want to create some indexes; here are some ideas to get you started.
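As an added example (not nessus-analyzer's own code), the Ruby below puts the pieces described above together: selecting and validating an environment from `config.yaml`, parsing the `--tag` list, building host documents with an embedded `events` array, and the query filters and indexes you would want over that structure. The field names (`ip`, `scan_name`, `scan_date`, `tags`, `events`, `plugin_id`, `severity`, `port`, `name`) and the sample findings are assumptions made for illustration; the wiki does not fix a schema. `send_to_mongo` uses the `mongo` gem and is the only part that needs a reachable server, so it is defined but not called.

```ruby
require 'yaml'

# Mirrors the config.yaml.example above; embedded here so the example runs
# without a file on disk (constructed sample, not a real deployment).
SAMPLE_CONFIG = <<~YAML
  development:
    server: devmongo
    port: 27017
    database: nessus
    collection: scans
  production:
    server: mongo
    port: 27017
    database: nessus
    collection: scans
YAML

REQUIRED_FIELDS = %w[server port database collection].freeze

# Select one environment and check that the four required fields are present.
def load_environment(yaml_text, env_name)
  config = YAML.safe_load(yaml_text)
  env = config.fetch(env_name) { raise ArgumentError, "no environment '#{env_name}' in config" }
  missing = REQUIRED_FIELDS.reject { |field| env.key?(field) }
  raise ArgumentError, "environment '#{env_name}' is missing: #{missing.join(', ')}" unless missing.empty?
  env
end

# Parse the --tag argument: comma-separated, no spaces allowed.
def parse_tags(arg)
  return [] if arg.nil? || arg.empty?
  raise ArgumentError, 'tags must be comma-separated with no spaces' if arg.include?(' ')
  arg.split(',').reject(&:empty?).uniq
end

# One host document in the structure described above: the host with an array
# of embedded event documents, plus the tags and scan date that let the same
# host be followed across scans. Field names are assumed, not the project's.
def build_host_document(ip:, scan_name:, scan_date:, tags:, events:)
  {
    'ip' => ip,
    'scan_name' => scan_name,
    'scan_date' => scan_date,
    'tags' => tags,
    'events' => events.map { |e| e.transform_keys(&:to_s).slice('plugin_id', 'severity', 'port', 'name') }
  }
end

# Constructed sample: the same host seen in two scans, one week apart.
def sample_documents
  finding = { plugin_id: 10863, severity: 2, port: 443, name: 'SSL Certificate Information' }
  ssh = finding.merge(plugin_id: 11219, severity: 3, port: 22, name: 'SSH Server Detection')
  [
    build_host_document(ip: '10.0.0.5', scan_name: 'weekly', scan_date: Time.utc(2013, 5, 1),
                        tags: %w[web dev], events: [finding]),
    build_host_document(ip: '10.0.0.5', scan_name: 'weekly', scan_date: Time.utc(2013, 5, 8),
                        tags: %w[web dev], events: [finding, ssh])
  ]
end

# Filter: hosts with at least one event from the given plugin. $elemMatch is
# needed because events is an embedded array; optionally require all tags.
def hosts_with_plugin_filter(plugin_id, tags: [])
  filter = { 'events' => { '$elemMatch' => { 'plugin_id' => plugin_id } } }
  filter['tags'] = { '$all' => tags } unless tags.empty?
  filter
end

# Filter: one host's documents carrying an event at or above a severity,
# for looking at a host over time (sort on scan_date when you run it).
def host_history_filter(ip, min_severity: 3)
  { 'ip' => ip, 'events' => { '$elemMatch' => { 'severity' => { '$gte' => min_severity } } } }
end

# Index specs worth creating once the collection is non-trivial, as
# [keys, options] pairs in the form indexes.create_one takes.
def recommended_indexes
  [
    [{ 'ip' => 1, 'scan_date' => -1 }, {}],  # host-over-time lookups
    [{ 'events.plugin_id' => 1 }, {}],       # which hosts have plugin X
    [{ 'events.severity' => 1 }, {}],
    [{ 'tags' => 1 }, {}]                    # multikey index over the tag array
  ]
end

# Writes documents and creates the indexes with the mongo gem. Needs a
# reachable server, so it is defined but not called here.
def send_to_mongo(env, docs)
  require 'mongo'
  client = Mongo::Client.new(["#{env['server']}:#{env['port']}"], database: env['database'])
  collection = client[env['collection']]
  recommended_indexes.each { |keys, options| collection.indexes.create_one(keys, options) }
  collection.insert_many(docs).inserted_count
ensure
  client&.close
end
```

With a server available, `send_to_mongo(load_environment(File.read('config.yaml'), 'development'), sample_documents)` writes the two documents and creates the indexes; `collection.find(hosts_with_plugin_filter(10863, tags: %w[web]))` then returns both scans of the host.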
```sh
$ ./nessus-analyzer.rb -f report.nessus -d development -t web,dev
```

Sends data from the `report.nessus` file to the `development` database and tags it with the `web` and `dev` tags.
It has a Ruby driver. The docs are great. We already had one at work.