Hi,
the KB files saved by Nessus 2.2.9 in /var/nessus/users/[user]/kbs (if
save_knowledge_base is enabled in the Nessusrc) are named according to the
hostname of the target being scanned.
This can cause problems if several different targets with different IPs, but
sharing the same hostnames (e.g. load-balanced servers), are scanned from one
Nessusd host, as the KB files overwrite each other and so scan results are lost
or potentially mixed up if the KB files are needed for later processing (e.g.
for parsing information out of them or for the "resume scans" Nessus feature).
To address this, Richard Moore and I developed the attached patches for Nessus
2.2.9 which change the naming to /var/nessus/users/[user]/kbs/[host]_[ip] to
avoid any ambiguity.
Technical details are as follows:
In nessus-core/nessusd/save_kb.c:
Added function kb_fname_ip(global, hostname, ip) which is a clone of kb_fname
but with added IP argument. kb_fname() was left in but is now unused.
Patched functions in save_kb.c:
save_kb_new
save_kb_close
save_kb_exists
save_kb_restore_backup
save_kb_backup
save_kb_load_kb
Added IP argument to each one and made them call kb_fname_ip with IP arg instead
of kb_fname.
In nessus-core/nessusd/attack.c:
Modified every call to one of the above save_kb functions to give the IP
argument. We retrieve the IP using arg_get_value(hostinfos, "IP") and from the
host_ip variable where available.
We have tested normal scanning using this patch and the KB files are now saved
under the expected filenames, and this is also logged correctly. However we have
not tested any "resume scans" or related functionality where Nessus itself reads
old KB files.
Will the developer team consider this patch for inclusion in the next Nessus 2.2
release and/or Nessus 3?
--
Hubert Seiwert
Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom
Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
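The naming change described in the post, as an added C illustration that is not part of the attached patch or of Nessus' own source: kb_fname and kb_fname_ip are reconstructed here with a fixed KB directory and a bounded output buffer, and kb_collisions() is a hypothetical helper that counts how many KB files a given target list would overwrite under each scheme; the target list is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the per-user KB directory that the real
 * kb_dirname() derives from the global settings. */
#define KB_DIR "/var/nessus/users/hubert/kbs"

/* Old scheme: one KB file per hostname. */
int kb_fname(const char *hostname, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", KB_DIR, hostname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Patched scheme: [host]_[ip], so hosts sharing a name but not an IP
 * get distinct files. Components must be non-empty and free of '/',
 * which keeps the file directly inside KB_DIR. */
int kb_fname_ip(const char *hostname, const char *ip, char *out, size_t outlen)
{
    if (!hostname || !*hostname || !ip || !*ip ||
        strchr(hostname, '/') || strchr(ip, '/'))
        return -1;
    int n = snprintf(out, outlen, "%s/%s_%s", KB_DIR, hostname, ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

struct target { const char *host; const char *ip; };

/* Count targets whose KB filename repeats an earlier one, i.e. KB files
 * a scan would overwrite. use_ip selects the patched naming; -1 on error. */
int kb_collisions(const struct target *t, int count, int use_ip)
{
    char names[16][256];
    int collisions = 0;
    if (count > 16) count = 16;
    for (int i = 0; i < count; i++) {
        int rc = use_ip ? kb_fname_ip(t[i].host, t[i].ip, names[i], sizeof names[i])
                        : kb_fname(t[i].host, names[i], sizeof names[i]);
        if (rc != 0) return -1;
        for (int j = 0; j < i; j++)
            if (strcmp(names[i], names[j]) == 0) { collisions++; break; }
    }
    return collisions;
}

/* Constructed sample: a load-balanced pair behind one hostname. */
static const struct target sample[] = {
    { "www.example.com",  "192.0.2.10" },
    { "www.example.com",  "192.0.2.11" },
    { "mail.example.com", "192.0.2.20" },
};
```

With the old naming the two www.example.com targets map onto the same file and the second scan overwrites the first; with the patched naming every target gets its own file.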