
| Subject: | RE: Nessus in the Enterprise |
|---|---|
| Date: | Thu, 9 Nov 2006 17:38:03 -0000 |
In response to Zate's question:
I scan ~9000 devices in a monthly cycle. I run 1 Nessus scanner on a 1.0
GHz PIII under Debian Linux.
I deliver monthly reports relating to suspected problems and some next
working day reports about critical problems to relevant departmental
contacts (for multiple departments/network organisational units).
I update Nessus signatures and Nessus if necessary monthly, then restart
the Nessus server. After adjusting the plugins config I take a copy of the
relevant .nessusrc file that I will be using for batch scans.
I use my own system to automate scanning written in Perl calling FreeTDS
to access remote MS SQL databases. The scripts are run by cron and
download the next batch of addresses to scan, run the scan then upload
the results to the SQL database (I parse the NBE format output using
Perl). There are some bells-and-whistles such as reporting, locking,
logging and stopping scans that have not completed on time (just in
case) of course.
A table in my SQL database is updated regularly with ARP cache data from
all the switches so that I can focus on devices that have been live
recently on the network. I do not rely on response to ping because many
systems do not respond now (XP firewall). Completely blind scanning
would waste a huge amount of time. Only scanning registered IP addresses
could miss rogue devices. We have an IP device registration database in
which registered devices are classified by type etc. I do not only scan
for registered devices, however, the database allows me to avoid
routinely scanning network infrastructure devices. I can also decide
whether to scan a device depending on how recently I scanned it, whether
to exclude it for some reason, etc. using SQL data. New results for host
are inserted after any old results are deleted. Scan data is purged from
the database if and when it reaches a month old.
I have written a VB program that allows me to select Nessus results for
a department or group (or department unknown) from the database (this is
possible because of our IP registration database). I can then select
records on the basis of risk classification, OS version, IP number,
subnet, port, CVE etc. I have a button to make selection of the most
concerning records easy. I can then send an email with attached report
addressed by default to the correct contact. This stage is
semi-automatic so I can review the data and make judgements and include
comments in the email (I don't think Nessus can be used well without
some experience because it might give advice like "disable this..."
without even knowing the context). I use a SQL data driven Excel
spreadsheet to give me an overview report and show which
departments/groups need to be sent a report this month. When records are
emailed out I can flag in the DB which ones have been reported so I
don't repeat myself. Departmental contacts can inform me if they have
concluded that some IP address/Plugin number combination is providing
false-positives that they don't want to see again; I can feed that back
into my DB to modify how data is selected for subsequent reports.
I have some daily scheduled SQL routines that email me about new items
of interest in the data (such as banners saying "drug of choice"), FTP
servers running on unusual port number etc.
(As you see I have done a lot of stuff myself. I think I started doing
some of it before off-the-shelf solutions began to appear. If I was
starting again I would do some things differently i.e. make even more
use of SQL server. Nevertheless, I doubt that anything off-the-shelf
would be as customised or customisable (by me) for my enterprise as what
I now have in place.)
--
Carl Nelson
Distributed Systems Support Section, Computer Centre, University of
Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
________________________________
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Zate Berg
Sent: 09 November 2006 14:14
To: nessus@list.nessus.org
Subject: Nessus in the Enterprise
Good Morning All,
I was wondering if anyone could contact me off the list to
discuss how they have Nessus setup and deployed in a large network. I
am not finding much information on things like reporting and a
centralized web interface.
Mainly looking for info such as
* what you run it on,
* how many scanners you use,
* how you manage user access to the scanners,
* do you use a central Web console of some kind? (does a full
featured one exist?)
* How do you store your reports?
Thanks :)
--
Zate
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
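As an added illustration of the pipeline Carl describes (parse NBE output, replace a host's old rows, drop reported false positives, then run daily "items of interest" queries), here is a small Python sketch using an in-memory SQLite table in place of his MS SQL server. This is not Carl's Perl code; the NBE sample, plugin numbers and the `findings` table are constructed for the example.

```python
import re
import sqlite3

# Constructed sample of Nessus NBE output: "results|subnet|host|service (port/proto)|
# plugin_id|severity|description". Plugin numbers are placeholders, not real IDs.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Nov  9 14:00:00 2006|
results|10.0.1|10.0.1.5|ftp (21/tcp)|90001|Security Note|FTP server banner: drug of choice
results|10.0.1|10.0.1.5|http (80/tcp)|90002|Security Hole|Outdated web server
results|10.0.1|10.0.1.7|ftp (2121/tcp)|90001|Security Note|FTP server banner
timestamps|||scan_end|Thu Nov  9 14:20:00 2006|
"""
PORT_RE = re.compile(r"^(?P<svc>[^ ]+) \((?P<port>\d+)/(?P<proto>\w+)\)$")

def open_db(path=":memory:"):
    return sqlite3.connect(path)

def parse_nbe(text):
    """Yield one tuple per results line; ignore timestamps and malformed lines."""
    for line in text.splitlines():
        fields = line.split("|", 6)
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, _subnet, host, portfield, plugin, severity, desc = fields
        m = PORT_RE.match(portfield)
        svc, port = (m["svc"], int(m["port"])) if m else (portfield, 0)
        yield (host, svc, port, int(plugin), severity, desc)

def load_results(conn, text, suppressed=frozenset()):
    """Delete a host's previous findings before inserting the new scan, and drop
    (host, plugin) pairs a department has flagged as false positives."""
    conn.execute("CREATE TABLE IF NOT EXISTS findings"
                 "(host, service, port, plugin, severity, description)")
    rows = list(parse_nbe(text))
    for host in {r[0] for r in rows}:
        conn.execute("DELETE FROM findings WHERE host = ?", (host,))
    kept = [r for r in rows if (r[0], r[3]) not in suppressed]
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?,?)", kept)
    conn.commit()
    return len(kept)

def items_of_interest(conn, banner_words=("drug of choice",)):
    """Daily-style query: FTP on a non-standard port, and banners matching a
    watch list. Returns a list of (host, reason) pairs."""
    hits = []
    for host, port in conn.execute(
            "SELECT host, port FROM findings WHERE service = 'ftp' AND port <> 21"):
        hits.append((host, f"ftp on port {port}"))
    for host, desc in conn.execute("SELECT host, description FROM findings"):
        if any(w in desc.lower() for w in banner_words):
            hits.append((host, "banner match"))
    return hits
```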