Nessus KB saving filename issue [PATCH]
Hi,

the KB files saved by Nessus 2.2.9 in /var/nessus/users/[user]/kbs (if
save_knowledge_base is enabled in the Nessusrc) are named according to the
hostname of the target being scanned.

This can cause problems if several different targets with different IPs, but
sharing the same hostnames (e.g. load balanced servers) are scanned from one
Nessusd host, as the KB files overwrite each other and so scan results are lost
or potentially mixed up if the KB files are needed for later processing (e.g.
for parsing information out of them or for the "resume scans" Nessus feature).

To address this, Richard Moore and I developed the attached patches for Nessus
2.2.9, which change the naming to /var/nessus/users/[user]/kbs/[host]_[ip] to
avoid any ambiguity.


Technical details are as follows:

In nessus-core/nessusd/save_kb.c:

Added function kb_fname_ip(global, hostname, ip) which is a clone of kb_fname
but with added IP argument. kb_fname() was left in but is now unused.

Patched functions in save_kb.c:

save_kb_new
save_kb_close
save_kb_exists
save_kb_restore_backup
save_kb_backup
save_kb_load_kb

Added IP argument to each one and made them call kb_fname_ip with IP arg instead
of kb_fname.

In nessus-core/nessusd/attack.c:

Modified every call to one of the above save_kb functions to give the IP
argument. We retrieve the IP using arg_get_value(hostinfos, "IP") and from the
host_ip variable where available.


We have tested normal scanning using this patch and the KB files are now saved
under the expected filenames, and this is also logged correctly. However, we have
not tested any "resume scans" or related functionality where Nessus itself reads
old KB files.

Will the developer team consider this patch for inclusion in the next Nessus 2.2
release and/or Nessus 3?


--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
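
The collision described in the message above and the effect of the [host]_[ip] naming, as an added example that is not part of the thread or of the attached patches. The functions kb_path and kb_collides, the user name "demo" and the targets are constructed for illustration and are not Nessus code.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define KBS_DIR "/var/nessus/users/demo/kbs"   /* "demo" is a constructed user name */

/* Build the KB path for one target. use_ip == 0 gives the hostname-only name,
 * use_ip != 0 gives [host]_[ip]. Returns 0 on success, -1 on bad input or
 * truncation, so a caller never opens a shortened (and possibly shared) path. */
int kb_path(char *out, size_t outlen, const char *host,
            const struct in_addr *ip, int use_ip)
{
    char hn[256], ipstr[INET_ADDRSTRLEN];
    int n;

    if (!host || !*host || strlen(host) >= sizeof hn)
        return -1;
    strcpy(hn, host);                 /* length checked above */
    for (char *p = hn; *p; p++)       /* a '/' in the name must not create subpaths */
        if (*p == '/')
            *p = '_';
    if (!use_ip)
        n = snprintf(out, outlen, "%s/%s", KBS_DIR, hn);
    else if (ip && inet_ntop(AF_INET, ip, ipstr, sizeof ipstr))
        n = snprintf(out, outlen, "%s/%s_%s", KBS_DIR, hn, ipstr);
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if two targets sharing a hostname map to the same KB file,
 * 0 if they get distinct files, -1 on invalid input. */
int kb_collides(const char *host, const char *ip_a, const char *ip_b, int use_ip)
{
    struct in_addr a, b;
    char pa[512], pb[512];

    if (inet_pton(AF_INET, ip_a, &a) != 1 || inet_pton(AF_INET, ip_b, &b) != 1)
        return -1;
    if (kb_path(pa, sizeof pa, host, &a, use_ip) || kb_path(pb, sizeof pb, host, &b, use_ip))
        return -1;
    return strcmp(pa, pb) == 0;
}

int main(void)
{
    /* Constructed targets: one load-balanced name, two documentation-range IPs. */
    printf("hostname only: collide=%d\n", kb_collides("www.example.com", "192.0.2.10", "192.0.2.11", 0));
    printf("host_ip:       collide=%d\n", kb_collides("www.example.com", "192.0.2.10", "192.0.2.11", 1));
    return 0;
}
```
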
Re: Nessus KB saving filename issue [PATCH]
Hi Hubert,


On Jan 16, 2007, at 1:54 PM, Hubert Seiwert wrote:

> Hi,
>
> the KB files saved by Nessus 2.2.9 in /var/nessus/users/[user]/kbs (if
> save_knowledge_base is enabled in the Nessusrc) are named according to the
> hostname of the target being scanned.
>
> This can cause problems if several different targets with different IPs, but
> sharing the same hostnames (e.g. load balanced servers) are scanned from one
> Nessusd host, as the KB files overwrite each other and so scan results are lost
> or potentially mixed up if the KB files are needed for later processing (e.g.
> for parsing information out of them or for the "resume scans" Nessus feature).
>
> To address this Richard Moore and I developed the attached patches for Nessus
> 2.2.9 which change the naming to /var/nessus/users/[user]/kbs/[host]_[ip] to
> avoid any ambiguity.


Thanks for your patch! I'll review it and include it in Nessus 2.2.10.



-- Renaud