MichaelatF5 (F5 Employee)

It is important to understand while reading this that I am not an ASM SME...

The goal was to create a simple conversion of the Nessus Vulnerability Scan reports to import into ASM. The first step was figuring out what the scan results needed to look like.

So I exported the generic schema from ASM (13.0), which translates to:

<?xml version="1.0" ?>
<scanner_vulnerabilities>
 <vulnerability>
  <attack_type></attack_type>
  <name></name>
  <url></url>
  <parameter></parameter>
  <cookie></cookie>
  <threat></threat>
  <score></score>
  <severity></severity>
  <status></status>
  <opened></opened>
 </vulnerability>
</scanner_vulnerabilities>

That seems simple enough, but that is a lot of attack types to map to some logic, so for now I will leave the attack type generic.

The next step is to get a vulnerability scan of a vulnerable web application. I won't go into how to use Nessus here, but one of the export options is ".nessus", which is just an XML file. There is actually too much data in this file, but you can leave it as is. If you want to read it, you can remove the <Policy> sections, because all we want are the Reports. For this test, I ran a scan against google-gruyere.appspot.com, which is an unsecured app available on the internet. Don't do this from AWS or someone will come looking for you; ask me how I know...

Example of results:

<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="ASMv2" xmlns:cm="http://www.nessus.org/cm">
    <ReportHost name="google-gruyere.appspot.com">
      <HostProperties>
        <tag name="HOST_END">Tue Aug 29 14:08:04 2017</tag>
        <tag name="LastUnauthenticatedResults">1504015684</tag>
        <tag name="Credentialed_Scan">false</tag>
        <tag name="policy-used">Advanced Scan</tag>
        <tag name="patch-summary-total-cves">16</tag>
        <tag name="cpe">cpe:/o:linux:linux_kernel</tag>
        <tag name="os">linux</tag>
        <tag name="cpe-2">cpe:/o:linux:linux_kernel:2.6</tag>
        <tag name="cpe-1">cpe:/o:linux:linux_kernel:2.4</tag>
        <tag name="cpe-0">cpe:/o:linux:linux_kernel:2.2</tag>
        <tag name="system-type">general-purpose</tag>
        <tag name="operating-system">Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6</tag>
        <tag name="traceroute-hop-0">?</tag>
        <tag name="host-ip">172.217.3.212</tag>
        <tag name="host-fqdn">google-gruyere.appspot.com</tag>
        <tag name="HOST_START">Tue Aug 29 13:21:20 2017</tag>
      </HostProperties>
      <ReportItem pluginFamily="CGI abuses" pluginID="39470" pluginName="CGI Generic Tests Timeout" port="443" protocol="tcp" severity="0" svc_name="www">
        <description>Some generic CGI tests ran out of time during the scan. The results may be incomplete.</description>
        <fname>torture_cgi_timeout.nasl</fname>
        <plugin_modification_date>2016/09/21</plugin_modification_date>
        <plugin_name>CGI Generic Tests Timeout</plugin_name>
        <plugin_publication_date>2009/06/19</plugin_publication_date>
        <plugin_type>summary</plugin_type>
        <risk_factor>None</risk_factor>
        <script_version>$Revision: 1.13 $</script_version>
        <solution>Consider increasing the 'maximum run time (minutes)' preference for the 'Web Applications Settings' in order to prevent the CGI scanning from timing out. Less ambitious 
  options could also be used, such as :
  - Test more that one parameter at a time per form :
    'Test all combinations of parameters' is much slower     than 'Test random pairs of parameters' or 'Test all     pairs of parameters (slow)'.
  - 'Stop after one flaw is found per web server (fastest)'     under 'Do not stop after the first flaw is found per web     page' is quicker than 'Look for all flaws (slowest)'.
  - In the Settings/Advanced menu, try reducing the value     for 'Max number of concurrent TCP sessions per host' or     'Max simultaneous checks per host'.</solution>
        <synopsis>Some generic CGI attacks ran out of time.</synopsis>
        <plugin_output>The following tests timed out without finding any flaw :
- XSS (on HTTP headers)
- blind SQL injection
- local file inclusion
- blind SQL injection (time based)
- unseen parameters
- directory traversal (extended test)
- directory traversal
- arbitrary command execution
- SQL injection (on HTTP headers)
- SQL injection

</plugin_output>
      </ReportItem>
      <!-- further ReportItem elements omitted -->
    </ReportHost>
  </Report>
</NessusClientData_v2>

So far so good... Some of this will be a mess, but we can take a stab at it...

So let's mash it all together!

[Screenshot of the XSLT stylesheet; image not reproduced]

So how to tie it all together? There are some tools to help, some of them online. I used to have one for Windows but I don't remember what it's called, and I have a Mac now, so:

xsltproc ASM_Nessus.xsl Nessus_Scan.xml > ASM_Import.xml

FYI, for Windows users: https://www.microsoft.com/en-us/download/details.aspx?id=21714

Which gives me a pretty file to import into ASM. It's too big to post as text, but it looks like this:

[Screenshot of the generated ASM_Import.xml; image not reproduced]

Alright, so the final test, let's import it into ASM...

[Screenshot of the ASM import result; image not reproduced]

Nice!

It could use some work around attack type mapping and parameter mapping, but it looks like it works.

Well, that's as far as I got; I hope it helps someone. Now take it and run!

XSLT can be found on github:  https://github.com/Mikej81/NessusGenericASMSchema
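As an added example (not the XSLT from the GitHub repository above), here is the same Nessus-to-ASM mapping re-implemented as a standalone Python script, so the transform can be read and tested without an XSLT processor. The Nessus element and attribute names (ReportHost, HostProperties/tag, ReportItem, pluginName, port, severity, description) and the ASM field names come from the two schemas shown above; the severity labels, the keyword table for attack_type, the use of Nessus's cvss_base_score for ASM's score and which Nessus field lands in which ASM field are my assumptions. It drops severity-0 informational items, always fills in a url, and escapes the text it copies, and check_import_file() reports the two things that make ASM refuse a file (no vulnerability entries, or XML that does not parse).

```python
"""Nessus (.nessus v2 XML) to ASM generic scanner schema, as plain Python.

Added example, not the article's XSLT. Nessus/ASM element names are taken from
the article; severity labels, attack_type keywords and the Nessus-to-ASM field
assignment are assumptions.
"""
import xml.etree.ElementTree as ET

# Nessus severity attribute -> ASM severity label (assumed; 0 = informational, dropped).
SEVERITY = {"1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Plugin-name keywords -> ASM attack_type (assumed labels; unmatched names fall back to a generic bucket).
ATTACK_TYPE_HINTS = [
    ("sql injection", "SQL-Injection"),
    ("cross-site scripting", "Cross Site Scripting (XSS)"),
    ("xss", "Cross Site Scripting (XSS)"),
    ("directory traversal", "Path Traversal"),
    ("command execution", "Command Execution"),
]

# Field order of the ASM generic schema shown in the article.
ASM_FIELDS = ("attack_type", "name", "url", "parameter", "cookie",
              "threat", "score", "severity", "status", "opened")


def guess_attack_type(plugin_name: str) -> str:
    """Map a Nessus plugin name to an ASM attack_type by keyword."""
    lowered = plugin_name.lower()
    for needle, attack_type in ATTACK_TYPE_HINTS:
        if needle in lowered:
            return attack_type
    return "Other Application Attacks"


def host_tag(host: ET.Element, name: str) -> str:
    """Text of <tag name="..."> under HostProperties, or '' if absent."""
    for tag in host.iterfind("HostProperties/tag"):
        if tag.get("name") == name:
            return (tag.text or "").strip()
    return ""


def nessus_to_asm(nessus_xml: str) -> str:
    """Return a scanner_vulnerabilities document built from a .nessus file.

    All text passes through ElementTree, so '&' and '<' in Nessus descriptions
    come out as entities instead of breaking the output.
    """
    root = ET.fromstring(nessus_xml)
    out = ET.Element("scanner_vulnerabilities")
    for host in root.iter("ReportHost"):
        fqdn = host_tag(host, "host-fqdn") or host.get("name", "")
        opened = host_tag(host, "HOST_END")  # assumed: scan end time as 'opened'
        for item in host.iter("ReportItem"):
            sev = item.get("severity", "0")
            if sev not in SEVERITY:
                continue  # informational items are not findings
            port = item.get("port", "80")
            plugin_name = item.get("pluginName", "")
            values = {
                "attack_type": guess_attack_type(plugin_name),
                "name": plugin_name,
                # A host scan has no per-finding URL; derive one from the service so <url> is never blank.
                "url": f"{'https' if port == '443' else 'http'}://{fqdn}:{port}/",
                "parameter": "",
                "cookie": "",
                "threat": (item.findtext("description") or "").strip(),
                "score": (item.findtext("cvss_base_score") or "").strip(),  # assumed mapping
                "severity": SEVERITY[sev],
                "status": "Open",  # assumed status value
                "opened": opened,
            }
            vuln = ET.SubElement(out, "vulnerability")
            for field in ASM_FIELDS:
                ET.SubElement(vuln, field).text = values[field]
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(out, encoding="unicode")


def parse_asm(asm_xml: str) -> list:
    """Parse an ASM import file back into a list of field dicts (for checking)."""
    root = ET.fromstring(asm_xml)
    return [{f: (v.findtext(f) or "") for f in ASM_FIELDS} for v in root.findall("vulnerability")]


def check_import_file(asm_xml: str) -> list:
    """Problems that would make ASM reject the file; an empty list means it looks importable."""
    try:
        vulns = parse_asm(asm_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if not vulns:
        problems.append("no <vulnerability> entries (ASM: 'Vulnerabilities file doesn't contain Vulnerabilities ...')")
    for i, v in enumerate(vulns):
        if not v["url"].strip():
            problems.append(f"vulnerability {i}: blank <url>")
    return problems


# Constructed sample input: the informational item from the article plus one made-up finding
# (pluginID 999999 is a placeholder) whose description contains '&' and '<'.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="ASMv2"><ReportHost name="google-gruyere.appspot.com">
<HostProperties><tag name="host-fqdn">google-gruyere.appspot.com</tag>
<tag name="HOST_END">Tue Aug 29 14:08:04 2017</tag></HostProperties>
<ReportItem pluginFamily="CGI abuses" pluginID="39470" pluginName="CGI Generic Tests Timeout" port="443" protocol="tcp" severity="0" svc_name="www">
<description>Some generic CGI tests ran out of time during the scan.</description></ReportItem>
<ReportItem pluginFamily="CGI abuses" pluginID="999999" pluginName="CGI Generic SQL Injection (constructed)" port="443" protocol="tcp" severity="3" svc_name="www">
<description>Constructed finding: parameter 'q' is reflected &amp; text such as a&lt;b is not encoded.</description>
<cvss_base_score>7.5</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

if __name__ == "__main__":
    asm_xml = nessus_to_asm(SAMPLE_NESSUS)
    print(asm_xml)
    print("problems:", check_import_file(asm_xml))
```

Run it on a real export with `nessus_to_asm(open("scan.nessus").read())`; if check_import_file() reports blank URLs, the input was a host scan rather than a web application scan, and the import would fail for the reason discussed in the comments.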

Comments
Harry1 (Nimbostratus)

Hi Michael,

 

Do I need to edit something in the imported ASM generic scanner file, which has an .xsd extension? Because when I am merging both files (the generic scanner and the Nessus XML):

[root@f5labv13:Active:Standalone] tmp xsltproc generic_scanner.xsd Main_Authenticated_Vulnerability_Scan_sr4pxu.nessus > ASM_Import1.xml

I am getting an error like: compilation error: file generic_scanner.xsd line 2 element schema

 

MichaelatF5 (F5 Employee)

Some character encoding may have gotten messed up on the post. Did you download the XSLT from github and try that?

 

Also, which version of TMOS are you running?

 

Harry1 (Nimbostratus)

I am using version 13. For the XSLT, I tried it directly from the BIG-IP appliance itself. Will it not work?

 

MichaelatF5 (F5 Employee)

With this solution, you don't need the XSD from the BIG-IP, just the XSLT and the Nessus output. The XSLT is built around the ASM Generic Schema, so you don't need that part anymore. XSLT: https://github.com/Mikej81/NessusGenericASMSchema

 

So basically:

 

xsltproc XSLT_FILE SCAN_RESULTS_XML > FILE_TO_IMPORT_XML

 

Harry1 (Nimbostratus)

Hi Michael,

 

I tried, but it is still showing "Vulnerabilities file doesn't contain Vulnerabilities Found And Verified By Generic Scanner" while importing the output XML on ASM.

 

MichaelatF5 (F5 Employee)

Explain what you are doing...

 

You ran Nessus and exported the result in Nessus format? Which version of Nessus are you running?

 

You renamed the Nessus file to XML?

 

You downloaded the XSLT and ran it against the renamed Nessus xml?

 

Post a sample of the output so we can see what it looks like.

 

MichaelatF5 (F5 Employee)

I recently added a bunch of vulnerability mappings to the XSLT, feel free to check out the git and add more: https://github.com/Mikej81/f5-asm-nessusgeneric

 

Killian_Chopine (Nimbostratus)

Hello Michael,

 

I have been following your steps but I still get an error: "Vulnerabilities file doesn't contain Vulnerabilities Found And Verified By Generic Scanner". I'm using Nessus 6 and BIG-IP 11.5.4.

 

The XML file to import looks good after using your script, but I can't figure out why ASM doesn't recognize it as a valid file. Have you any idea about this issue?

 

Thanks

 

MichaelatF5 (F5 Employee)

Killian, are you using the most recent XSL posted on github? I also included a sample scan result from DVWA, and the output file.

 

It's possible there may be a character that is causing an escape issue. If we can find what it is, we can add an option to ignore escapes or we can look at replacing the string.

 

Killian_Chopine (Nimbostratus)

Yeah, I'm using the most recent XSL posted on github. I've tried the sample scan result from DVWA and it's working. I'll take a look inside the scan result and try to find a character that might be causing an issue.

 

MichaelatF5 (F5 Employee)

Try running your output through an escape validator, i.e., https://www.freeformatter.com/xml-escape.html

 

Couldn't hurt, then we could add some code to the xslt to make sure we transform properly in the future.

 

Or, you could try search-removing "disable-output-escaping="yes"" and see if that works, I thought I was making things prettier, but maybe it breaks it for you...

 

Killian_Chopine (Nimbostratus)

Thank you, it's working perfectly now. I removed the "disable-output-escaping=yes" part and I was able to import inside BIG-IP!

 

MichaelatF5 (F5 Employee)

Awesome, I'll remove that from the XSL on github.
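To show concretely why disable-output-escaping="yes" produced a file ASM could not import, here is an added Python example (not the project's XSLT) that copies a constructed Nessus description into the ASM threat element the two ways a transform can: verbatim, which is what disable-output-escaping does, and with markup characters turned into entities, which is the XSLT default. The sample description and the is_well_formed check are my own.

```python
"""Raw versus escaped text output, as a model of disable-output-escaping.

Added example, not the article's XSLT. The description is constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Minimal ASM-shaped wrapper around a single <threat> value (field names from the article's schema).
TEMPLATE = ("<scanner_vulnerabilities><vulnerability><threat>{}</threat>"
            "</vulnerability></scanner_vulnerabilities>")


def render_raw(description: str) -> str:
    """What disable-output-escaping="yes" does: the text is copied verbatim."""
    return TEMPLATE.format(description)


def render_escaped(description: str) -> str:
    """Default XSLT text output: '&', '<' and '>' become entities."""
    return TEMPLATE.format(escape(description))


def is_well_formed(xml_text: str) -> bool:
    """A parser must accept the file before ASM can look for vulnerabilities in it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed description: a bare '&' and a '<' are both common in scanner text.
SAMPLE_DESCRIPTION = "Parameter 'q' is reflected & text such as a<b is not encoded"

if __name__ == "__main__":
    for label, render in (("raw", render_raw), ("escaped", render_escaped)):
        doc = render(SAMPLE_DESCRIPTION)
        print(f"{label:8} well-formed={is_well_formed(doc)}  {doc}")
```

The raw rendering fails to parse at the bare ampersand, which is the same kind of failure the ASM importer reported as a file with no vulnerabilities in it; the escaped rendering parses, and the entities are decoded back to the original characters by any XML consumer.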

 

Mohanad (Cirrostratus)

I have scanned the server and downloaded the report with the .nessus extension, renamed it to .xml and tried to convert from XML to XSL, but I couldn't use the online tools; they give me errors. Then I downloaded msxsl.exe, but I don't know the command to convert. I googled it but had no luck. Can anyone tell me what the command to convert the file is? Thank you so much.

 

MichaelatF5 (F5 Employee)

Mohanad, have you tried this: https://www.stylusstudio.com/SSDN/upload/msxsl.doc

 

Mohanad (Cirrostratus)

Hello Michael,

 

Please correct me if I'm wrong:

 

1) Downloaded nessus2asm.xsl

 

2) Downloaded the Nessus scan

 

3) I used the /

 

4) Generic Scanner : import > (Vulnerabilities file doesn't contain Vulnerabilities Found And Verified By Generic Scanner)

 

scanner_vulnerabilities xmlns:foo="http://www.foo.org/" xmlns:bar="http://www.bar.org"> Other Application Attacks Nessus Scan Information Information about this scan :

 

Nessus version : 7.0.1 Plugin feed version : 201801180515 Scanner edition used : Nessus Scan type : Normal Scan policy used : HQ scan Scanner IP : 192.168.168.200 Port scanner(s) : wmi_netstat Port range : 1-65535 Thorough tests : yes Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes

 

ahmed91_235350 (Nimbostratus)

Worked fine for me. Thanks for this amazing effort.

 

As a recap (I work on Windows):

 

  1. export nessus file - change the extension to xml, remove anything between and
  2. download the https://github.com/Mikej81/f5-asm-generic/blob/master/nessus/nessus2asm.xsl -- don't change anything
  3. download https://www.microsoft.com/en-us/download/details.aspx?id=21714, unzip to any partition and copy both xml/xsl files to the same folder
  4. cd to path of the folder then run the following command !!consider change name between [ ]

     msxsl [outputfromnessus].xml [formdownloadedfromgithub].xsl -o [outputtonessus].xml

  5. take the output file and import it to nessus

Again, amazing work from you, Michael J F5.

 

gbbaus_104974 (Historic F5 Account)

@Mohanad

 

In your 'output file' (i.e. the one to be imported into ASM), are any of the "URL" values blank?

 

You may be trying to import a HOST scan, and not a 'Web App' scan?

 

As a test, even though a 'Host Scan' isn't appropriate for a Web App Firewall, enter a dummy URL between the tags in the scan you are trying to import and see if the import error goes away.

 

Amol_Amberkar (F5 Employee)

Has anyone tested with QVM / Qradar VM?
