NAME

nessus-csv-parse.pl - parses CSV output from Nessus

Version 1.0 - 9/15/2008


SYNOPSIS

nessus-csv-parse.pl [-h] [-a] [-c] [-d] [-i input file] [-H] [-o output file] [-r HTML header] [-t HTML title] [-x] [-0]


DESCRIPTION

nessus-csv-parse.pl takes CSV input from a Nessus (http://www.nessus.org) scan and generates HTML, XML, and/or CSV output that is more readable. It requires that the user select at least one of the output type options. If no filenames are given, it makes assumptions about what they should be. ARP can be used to get MACs for the IPs given, and an HTML header can be specified to aid the formatting of the HTML output.


OPTIONS

-h

Display usage information. You'll get this if you don't specify at least one output type.

-a

Use arp to determine the MAC of an IP

-c

Create a CSV output file

-d

Debug mode - produces a reasonable amount of information about what the program is doing

-i input file

The input file to use. If none is specified, 'report.csv' is assumed.

-H

Create an HTML output file

-o output file

The output file name (the proper extension -- .csv or .html -- is added). If no name is specified, 'output' will be used.

-r HTML header

The HTML header file to use (so you can make the output pretty)

-t HTML title

Title to use in HTML output file. If you specify an HTML header with -r, the argument to -t will be ignored.

-x

Create an XML output file

-0

Ignore vulnerabilities which have a severity of 'none'


MISCELLANY

HTML HEADER FILE

The intent for the HTML header file is to allow the user some customization of the HTML output. Specifically, I expect that people will want to use style statements (or references to external style sheets). The header should include the <head> and </head> tags. Here's a list of the classes that appear in the output, for your CSS use:

descr

The generic description text.

risk(none|low|medium|high|critical)

Each risk category has a separate class so you can highlight particular levels however you desire.

host

The host

mac

The MAC

port

The port and protocol information

XML OUTPUT

The data structure for the XML output is such:

    <scan_result nessus_csv_parse-version=$version>
      <host>
        <ip_addr>ip address</ip_addr>
        <mac>mac address</mac>
        <vulnerability>
          <description>words go here</description>
          <severity>severity</severity>
        </vulnerability>
      </host>
    </scan_result>

The vulnerability element is repeated as needed within host. The host element is repeated as needed within the scan_result element. Your mom. Double your mom.
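
For triage, the XML output can be consumed by another program. The following is an added example, not part of nessus-csv-parse.pl: it reads the structure documented above and lists hosts worst-first with a count of findings per severity. It assumes the version attribute value is quoted in the real output and that severity values use the same names as the risk classes; the sample data, addresses, and the summarize function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the documented layout. The version value, the quoting
# of the root attribute, and all addresses/descriptions are assumptions.
SAMPLE = """<scan_result nessus_csv_parse-version="1.0">
  <host><ip_addr>192.0.2.10</ip_addr><mac>00:00:5e:00:53:01</mac>
    <vulnerability><description>Constructed finding A</description><severity>high</severity></vulnerability>
    <vulnerability><description>Constructed finding B</description><severity>none</severity></vulnerability>
  </host>
  <host><ip_addr>192.0.2.11</ip_addr><mac></mac>
    <vulnerability><description>Constructed finding C</description><severity>critical</severity></vulnerability>
  </host>
</scan_result>"""

# Severity names taken from the risk(...) CSS classes; the ordering is assumed.
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def rank(severity):
    """Unknown severity strings sort with 'none' rather than raising."""
    return RANK.get(severity, 0)


def summarize(xml_text, min_severity="low"):
    """Return one record per host, worst severity first.

    Findings below min_severity are dropped; hosts left with no findings
    are omitted. An empty <mac> (ARP lookup not used or failed) becomes None.
    """
    floor = RANK[min_severity]
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        sevs = [(v.findtext("severity") or "none").strip().lower()
                for v in host.iter("vulnerability")]
        counts = Counter(s for s in sevs if rank(s) >= floor)
        if not counts:
            continue
        hosts.append({
            "ip": (host.findtext("ip_addr") or "").strip(),
            "mac": (host.findtext("mac") or "").strip() or None,
            "worst": max(counts, key=rank),
            "counts": dict(counts),
        })
    return sorted(hosts, key=lambda h: rank(h["worst"]), reverse=True)


if __name__ == "__main__":
    for h in summarize(SAMPLE):
        print(h["ip"], h["mac"] or "(no MAC)", h["worst"], h["counts"])
```

The default min_severity of "low" drops 'none' findings after the fact, which matches what -0 does at generation time.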

ABOUT ARP...

Why include ARP when Nessus can do it for you? In my environment, the Vulnerability Scanning Cluster lives on a different subnet, so it can't give me the ARP info. When I run the script locally, though, I can add it in. Since our network mostly uses DHCP (managed by the central campus networking group), matching the IP to the actual machine is nearly impossible unless I have the MAC. I made ARP an option, since some people might not care. Why waste resources when you're just going to discard the information anyway? I also designed it so that it will check the ARP table first. If ARP says "no, I don't have what you're looking for", then we ping the target IP address and try again.

WHY DIDN'T YOU USE $MODULE?

You might wonder why I didn't use Net::Arp or Net::Ping. Net::Arp isn't standard with most Perl distributions, and I could do what I needed easily enough. This way, users won't have to install new modules. I didn't use Net::Ping because for a single ping command, it just seemed too heavy.


EXIT CODES


REQUIRES

Getopt::Std


SEE ALSO

perl(1), ping(8), arp(8)


AUTHOR

Ben Cotton, bcotton@purdue.edu

http://web.ics.purdue.edu/~bcotton/nessus

(some code provided by David Crooke)