Writing Nessus injection plugin - "Connection Reset"
Hello -
I'm working on an injection plugin to import findings in the Nessus XML format (*.nessus). I've got it to a point where it basically works, but I'm running into a problem that seems related to the size of one of the data fields.
Each Nessus finding has a field called "Data" that contains most of the finding data. It's got a brief summary, a Risk Factor, and in some cases tons of data about what was actually found. It ranges in size from a few bytes to over 6 kB.
If I try to pull in the whole data field, when I run the injection plugin, it always clocks for a few seconds, and then I get a "Connection Reset" error. However, if I modify my plugin so that it truncates the data field to 50 characters, the injection runs successfully. The findings & assets are created as expected. That's not going to work, though, because I'm throwing away tons of important data.
It seems like I'm hitting a size or memory limit and crashing PHP, but I'm not sure what to do about it. I know that the database and the application front-end will accept large blocks of text; I only have the problem when I'm trying to inject large text fields.
Any suggestions?
Thanks,
Mark
Mark --
Sounds like you are running into a limitation of MySQL. I ran into a similar problem when writing the App Detective plugin. Unfortunately, I could not find a workaround except to truncate the data and include a message. Take a look at this:
http://crucible.openfisma.org/browse/OpenFISMA/trunk/library/Fisma/Injec...
In the current version of OpenFISMA, we have added the ability to track a finding back to the file which it was created from. This will enable a user to go back and see all of the details if a finding is, indeed, truncated.
I'd like to hear more details about your Nessus plugin. How far along are you on the development? Please let me know if you need more support. I would love to see Nessus support built into OpenFISMA!
Cheers,
What is the status of the Nessus plugin? I have just installed OpenFISMA 2.4.2 as I am evaluating it, with the goal of finding a replacement for our existing vulnerability management solution. One of the main things I'm looking for is the ability to import Nessus scan results. Thanks for your help.

Mark,
I got a bit further with this, but then got side-tracked with other things. This was my first attempt at coding in PHP (I know Python and VB), which was the first hurdle. I stepped through most of the code in an interactive shell and weeded out a few run-time errors due to coding mistakes. But I couldn't figure out how to debug the code while it was running inside OpenFISMA. I never did eliminate the "Connection reset" error... maybe I do just need to truncate the data and be done with it. If you have any tips on how to debug, that would help! I haven't been able to get the application to log anything.
Nessus also presented some difficulties. The output isn't all that well standardized; it seems like the authors of the individual plugins have a lot of leeway in terms of the output formatting. But I came up with a set of regexps that work with all the plugins I've used; still, there wouldn't really be any guarantee that a new or updated plugin wouldn't break the injection script.
Also, where the AppDetective plugin is designed to work with one application (i.e. one asset in OpenFISMA), Nessus scans usually cover all ports on a machine, and can include multiple machines (possibly multiple "networks" or "systems" in OpenFISMA terms). I got around this by mapping the IP addresses to networks and systems within the code. But it was kind of counter-intuitive since you have to select a system on the web interface before importing the scan.
When I have some time I'll take another look at this... if I can't figure it out, maybe I'll just post what I've got and somebody else will be able to make something out of it.
Thanks for the reply - good to see some activity in these forums!
(the other) Mark
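
The two workarounds discussed in this thread (truncating the Data field with a message, and mapping host IPs to networks and systems), as an added example that is not part of any post here and is not OpenFISMA code. The byte limit, the network table, the "Risk factor" pattern and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed values for illustration; none come from OpenFISMA or the thread.
MAX_DATA_BYTES = 2048
NETWORK_MAP = {  # CIDR -> (network, system), constructed sample
    "10.1.0.0/16": ("Corp LAN", "HR System"),
    "10.1.20.0/24": ("DMZ", "Public Web"),
}
# Assumed label format; Nessus plugin output is not standardized.
RISK_RE = re.compile(r"Risk factor\s*:\s*(\w+)", re.IGNORECASE)


def truncate_data(data, source_file, limit=MAX_DATA_BYTES):
    """Return (text, risk); text is at most `limit` UTF-8 bytes."""
    # Read the risk factor from the full text so a cut cannot lose it.
    match = RISK_RE.search(data)
    risk = match.group(1) if match else None
    raw = data.encode("utf-8")
    if len(raw) <= limit:
        return data, risk
    notice = "\n[TRUNCATED from %d bytes; full text in %s]" % (len(raw), source_file)
    keep = limit - len(notice.encode("utf-8"))
    if keep <= 0:
        raise ValueError("limit too small for the truncation notice")
    # errors="ignore" drops a multi-byte character split by the cut.
    head = raw[:keep].decode("utf-8", errors="ignore")
    return head + notice, risk


def map_host(ip, table=NETWORK_MAP):
    """Longest-prefix match of a host IP; None if no range covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    sample = "Synopsis: constructed finding\nRisk factor :\n\nMedium\n" + "x" * 6000
    text, risk = truncate_data(sample, "scan.nessus")
    print(len(text.encode("utf-8")), risk, map_host("10.1.20.5"))
```

Returning `None` for a host outside every listed range lets the import flag the finding for manual assignment instead of attaching it to whichever system was selected in the web interface.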