
Nessus Data Importer

This app has been archived. Learn more about app archiving.
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
This add-on imports an extensive amount of host vulnerability information from a Tenable Nessus scanner that can be used to perform in-depth analysis and add value to your vulnerability management process.

NESSUS DATA IMPORTER

  • Author: Alain Morgado
  • Author: Kevin Kurzawa
  • Add-on Type: Add-on for Nessus
  • Add-on Name: TA-nessus_json
  • Add-on Version: 1.5
  • Vendor Product(s): Nessus 6.3.5 - 6.4 API
  • Splunk Platform(s): 6.x (not tested on any other versions)
  • Splunk CIM Compatible: Yes

Note: If you have used a previous version of this TA and have an existing "hid_history" file, make sure this file is not overwritten if you wish to keep the historical record of scans imported. The same file should be used by the version you are upgrading to and should exist inside the "bin" directory from which the scripts are run.

Version 1.5

  • The import process will begin importing new scans immediately rather than iterating over every historical scan. If you have a large history of imported scans, you should see some significant improvements.
  • Changed stanzas in transforms.conf and lookup file names to non-generic names.
  • Added/modified eventtypes.conf and tags.conf for Enterprise Security compatibility.

CONTENTS

  • Prerequisites
  • Description
  • Installation
  • Configuration
  • Importing Data
  • Definitions
  • Contact Info and Future Enhancements
  • Other Information

PREREQUISITES

  1. Splunk running on Linux OS (does not currently run on Splunk installations on Microsoft)
  2. Tenable Nessus scanner 6.x
  3. Python 2.7 on Splunk indexer
  4. Python "requests" module on Splunk indexer
  5. The "requests" module is included in this TA under the "bin" directory. For more information on requests, see http://docs.python-requests.org/en/latest/user/install/.

DESCRIPTION

The Add-on for Nessus allows a Splunk administrator to ingest Nessus vulnerability information directly from the Nessus product using an API.

This provides the index- and search-time functions for the vulnerability data by converting the output of Nessus web API calls into JSON documents via a python scripted input.

By default, this TA will create files and place them in the $SPLUNK_HOME/etc/apps/TA-nessus_json/drop directory. Once this creation process is completed, they will be moved to the $SPLUNK_HOME/etc/apps/TA-nessus_json/pickup directory. A monitor stanza in the inputs.conf file will then acquire the Nessus JSON data from the pickup directory.

INSTALLATION

The add-on needs to be installed on the indexer and the searchhead if in a distributed environment. In non-distributed environments, the indexer and searchhead are the same device and will only need to be installed at this central point.

GUI Installation:

  1. Download the app from Splunkbase
  2. From the Splunk web interface, click on App -> Manage Apps to open the Apps Management page in Manager
  3. Click the "Install app from file" button, locate the downloaded file, and click "Upload"

Command Line Installation:

  1. Download the app from Splunkbase
  2. Uncompress the tar file and move the entire app folder to the $SPLUNK_HOME/etc/apps location
  3. Restart the Splunk service/process (using either the UI (Settings/Server Controls/Restart Splunk) or by command line ($SPLUNK_HOME/bin/splunk restart))

NOTE: There have been issues with installing this TA via a deployment server. It is recommended that this TA be installed directly and not via a deployment server. Solutions are being researched.

CONFIGURATION

These items should be configured in order for this TA to function properly:

  1. URL of Nessus API
  2. Account Credentials for Nessus API or preferably the API keys (please see Nessus documentation for version 6.4+ on generating keys)
  3. Scan IDs to import (OPTIONAL)
  4. Scheduling (OPTIONAL)

Note: All references to indexer or searchhead are made assuming there is a distributed environment. If Splunk is not configured in a distributed environment and the indexer and searchhead are one device, refer to these references as simply your one Splunk instance.

1. URL of Nessus API

  1. Open a terminal connection to the indexer
  2. Edit the file $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson.py
  3. Find the "url" line (number 12) referencing the URL of the Nessus scanner and replace the example with your Nessus host and port

2. Account Credentials for Nessus API

  1. Open a terminal connection to the indexer
  2. Edit the file $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson.py
  3. Find lines 18 and 19 referencing the username and password for an account on the Nessus scanner and replace the examples with an account on the Nessus service. Beginning with Nessus version 6.4, you may use API keys to log in instead of hardcoding a username and password for an account into the script; these can be entered on the "accessKey" and "secretKey" lines (49 and 50, respectively). Please see Nessus documentation for version 6.4+ on how to generate these access keys.

Note: The Nessus account used must have read access to the scans that will be imported via the API. If using a version of Nessus that allows for multiple accounts, the specified account must be explicitly given read access to each scan.

3. Scan IDs to Import (OPTIONAL)

Note: The default configuration will import ALL scans. Follow these steps to limit the scans to only those specified.


  1. Open a terminal connection to the indexer
  2. Edit the file $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/getscanID.py
  3. Make the same adjustments to this script for the URL ("url" on line 12), username (line 18), and password (line 19) that were made in the previous two steps to nessus2splunkjson.py. Preferably, beginning with Nessus version 6.4, use API keys to log in in lieu of a username and password; these can be entered on lines 14 and 15. Please see Nessus documentation for version 6.4+ on how to generate access keys.
  4. From the terminal, execute $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/getscanID.sh (this will create a file with the name "getscanID_(timestamp).log")
  5. Open the newly created file to see a list of detected scan names and associated IDs
  6. Open $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson.py for editing
  7. Copy the desired scan IDs for importing and place them into a comma-separated list on the "sa" line (number 27)
  8. Uncomment the "sa" line (number 27)
  9. Comment out the "sa" line on (line number 242)
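The two configuration edits above (API keys on the "accessKey"/"secretKey" lines, and the scan name to ID listing produced by getscanID.py) as an added example that is not the TA's own code. It reads the keys from environment variables (assumed names NESSUS_ACCESS_KEY and NESSUS_SECRET_KEY) rather than hardcoding them in the script, and the /scans response body is a constructed sample.

```python
"""Added example, not part of TA-nessus_json: build the Nessus 6.4+ API-key
header without hardcoding credentials, and turn a /scans listing into the
scan name -> SID map that getscanID.py prints. Environment variable names
and the sample listing below are assumptions for this example."""
import json
import os


def api_key_headers(access_key, secret_key):
    """Nessus 6.4+ accepts API keys in a single X-ApiKeys header."""
    if not access_key or not secret_key:
        raise ValueError("both accessKey and secretKey are required")
    return {"X-ApiKeys": "accessKey=%s; secretKey=%s" % (access_key, secret_key),
            "Content-Type": "application/json"}


def headers_from_env():
    """Keys come from the environment, so the script file holds no secrets."""
    return api_key_headers(os.environ.get("NESSUS_ACCESS_KEY"),
                           os.environ.get("NESSUS_SECRET_KEY"))


def scan_ids_by_name(scan_list_json):
    """Map scan name -> numeric scan ID (SID) from a /scans response body."""
    scans = json.loads(scan_list_json).get("scans") or []
    return dict((s["name"], int(s["id"])) for s in scans)


def list_scans(url, headers, verify=True):
    """GET <url>/scans with the bundled requests module; verify=True keeps
    TLS certificate checking on, which matters when keys travel in a header."""
    import requests  # shipped under the TA's bin directory
    resp = requests.get(url.rstrip("/") + "/scans", headers=headers,
                        verify=verify, timeout=30)
    resp.raise_for_status()
    return scan_ids_by_name(resp.text)


# Constructed sample of a /scans listing so the parser runs offline.
SAMPLE_SCANS = json.dumps({"scans": [
    {"id": 12, "name": "DMZ weekly", "status": "completed"},
    {"id": 27, "name": "Internal monthly", "status": "running"},
]})

if __name__ == "__main__":
    for name, sid in sorted(scan_ids_by_name(SAMPLE_SCANS).items()):
        print("%s: %d" % (name, sid))  # the comma-separated SIDs go on the "sa" line
```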

4. Scheduling (OPTIONAL)

By default, the script needs to be run manually. To have it execute automatically, see the ScriptSetup page on the Splunk Docs for instructions on how to set this up.
http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/ScriptSetup

IMPORTING DATA

  1. Open a terminal connection to the indexer
  2. Execute $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson.sh
  3. Watch in amazement as the script outputs its status
  4. Results of the scan will be written to $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson_results_(timestamp).log
  5. If problems are encountered (such as Nessus connection issues), errors will be written to $SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson_errors_(timestamp).log

Note on Historical IDs: This script keeps track of the historical IDs (in the hid_history file) that have been processed so that duplication does not occur and subsequent imports are more efficient. All scans that have been specified will be marked for import, including each historical ID within the scan. If the status of the historical ID is running, it will be skipped. All other statuses will attempt to import. However, some aborted and pending scans may not have any host data and thus no data will be imported.
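The historical-ID bookkeeping described in the note above, as an added example that is not the TA's own code: a HID is selected for import unless it is already recorded in hid_history or its status is "running", the optional scan-ID filter (the "sa" list) narrows the scans considered, and imported HIDs are appended to the history file rather than rewriting it. The scan/history shapes and sample values are constructed for this example.

```python
"""Added example, not part of TA-nessus_json: the HID selection rule and
hid_history handling the README describes. Data shapes are assumptions."""
import os

SKIP_STATUSES = ("running",)  # a running HID is skipped; every other status is attempted


def load_hid_history(path):
    """One HID per line; a missing file means nothing has been imported yet."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return set(line.strip() for line in fh if line.strip())


def hids_to_import(scan_details, history, scan_filter=None):
    """Return (sid, hid, status) tuples that should be imported on this run.

    scan_details: {sid: [{"history_id": ..., "status": ...}, ...]}
    history:      set of HIDs already imported (contents of hid_history)
    scan_filter:  optional set of SIDs (the "sa" list); None means all scans
    """
    selected = []
    for sid, runs in sorted(scan_details.items()):
        if scan_filter is not None and sid not in scan_filter:
            continue
        for run in runs:
            hid = str(run["history_id"])
            if hid in history or run["status"] in SKIP_STATUSES:
                continue  # already imported, or still running: try again next run
            selected.append((sid, hid, run["status"]))
    return selected


def record_imported(path, hids):
    """Append newly imported HIDs; never truncate, so the record survives upgrades."""
    with open(path, "a") as fh:
        for hid in hids:
            fh.write(str(hid) + "\n")


# Constructed sample: two scans, one HID already imported, one still running.
SAMPLE_DETAILS = {
    12: [{"history_id": 1001, "status": "completed"},
         {"history_id": 1002, "status": "completed"}],
    27: [{"history_id": 2001, "status": "running"},
         {"history_id": 2002, "status": "aborted"}],
}
SAMPLE_HISTORY = set(["1001"])

if __name__ == "__main__":
    for sid, hid, status in hids_to_import(SAMPLE_DETAILS, SAMPLE_HISTORY):
        print("import SID %d HID %s (%s)" % (sid, hid, status))
```

An aborted HID is still selected, matching the note: the import is attempted even though it may carry no host data.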

Note on Indexes: This script will import data to the default Splunk index. Changes can be made to this in inputs.conf.

DEFINITIONS

  • HID = Historical ID is an instance of a specific Nessus scan
  • PID = Nessus plugin ID
  • SID = Scan ID is a numerical reference to a Nessus scan name

CONTACT INFO AND FUTURE ENHANCEMENTS

Feature requests, bug reports, complaints, blatant praise, and support questions (provided on a best effort basis only) can be sent to splunk@almorga.com

Potential future enhancements:

  • Create a scheduled lookup table for plugin "descriptions" in order to reduce data ingress
  • Front-end GUI
  • Switch to uuid historical record instead of hid
  • Remove iterating through completed HID and just process the difference or new scans since last run
  • Sorting scan name from getscanID script
  • Microsoft windows version
  • Make it fast like Speedy Gonzales

OTHER INFORMATION

Some of the python functions for the Nessus API base code come from, and are based on, examples shared by AverageSecurityGuy at https://github.com/averagesecurityguy/Nessus6.

Note that Nessus is the property and registered trademark of Tenable Network Security. This add-on is not written, endorsed or supported by, or affiliated with, Tenable Network Security in any way.

Test this on a non-production instance first. Pay attention to disk space and ingestion.

Release Notes

Version 1.5
Sept. 23, 2015

-import process will begin importing new scans immediately rather than iterating over every historical scan. If you have a large history of imported scans, you should see some significant improvements in speed.
-changed stanzas in transforms.conf and lookup file names to non-generic names
-added/modified eventtypes.conf and tags.conf for Enterprise security compatibility.

Version 1.4
Sept. 9, 2015

-fixed missing "logs" directory

Version 1.3
Aug. 5, 2015

- separate "log" directory for script output
- login via api keys (Nessus 6.4+)
- fixed bug where a "running" scan would be marked as imported although it was running
- please go through README for additional information

Version 1.2
May 17, 2015

updated readme.
