Comparing nessus output using diff
Nessus is a popular network vulnerability scanner. It can check for a huge number of common application and operating system vulnerabilities and, although no longer open source, it is still free to download and use for most organizations.
Nessus is primarily designed for manual scanning: an operator sets up a scan, lets it run, then parses the results by hand. When you need to regularly scan a network and report on changes, this takes a lot of manual work. Nessus supports several output formats for scan reports, but none are particularly easy to parse using automatic tools such as the Unix “diff” command.
The problem is that Nessus output includes variables such as scan start and end times which are reported as changes by diff. Some plug-ins also place the all-important “risk factor” identifier in different places in the scan results making automated comparison even more difficult.
Various scripts and Perl modules exist that attempt to parse Nessus output. The Perl module Parse::Nessus::XML is one, but in our testing we found it can’t always handle the XML format used by Nessus 3.0. The other Perl modules for Nessus output only provide aggregate information, not details. The graphical client NessusWX has a comparison feature, but it can’t be automated.
We finally wound up adapting a Perl script to parse NSR file output. The script below is based on work originally posted to the Nessus mailing list by Darren Bounds. Give it a Nessus .nsr file and it will print a sorted tab-separated list like so:
Sample output:
10.0.6.106 example.com High submission (587/tcp) 11499
10.0.6.106 example.com High unknown (32781/tcp) 10659
10.0.6.106 example.com Low filenet-pa (32772/udp) 10228
10.0.6.106 example.com Low submission (587/tcp) 11088
10.0.6.106 example.com Medium http (80/tcp) 11267
Only Nessus results labeled “Report” or “Info” and having an identified Risk factor are printed. In other words, only items that need action should appear. (The script actually parses some other information from the .nsr file, such as the CVE number, but doesn’t print it. It is easily modified to include that information if you need it.)
The output can be saved between runs then compared using nothing more than the “diff” command. Handy if you want to monitor a network automatically with Nessus and see only the changes.
To use the script, run the command-line Nessus client from cron with the -T parameter to force results to be output to NSR format. For example:
Run the resulting output.nsr file through the parse-nsr.pl script to get a list of vulnerabilities sorted by IP address:
Finally, run diff to compare vulnerabilities.txt with the same output from the previous run to get a concise list of changes:
diff yesterday.txt today.txt
382c401,402
< 205.193.6.94 example.com Medium ftp (21/tcp) 10081
---
> 205.193.6.94 205.193.6.94 High ftp (21/tcp) 10556
> 205.193.6.94 205.193.6.94 Medium ftp (21/tcp) 10081
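The whole pipeline described above (parse the .nsr records, keep only actionable findings, sort by IP, and compare two runs) as an added Python example. This is not the page's parse-nsr.pl and not Nessus code; it assumes an NSR layout of one record per line in the form host|port|plugin_id|type|description with literal "\n" sequences inside the description, a type field of REPORT/INFO/NOTE, and uses a constructed HOSTNAMES table in place of the reverse-DNS lookup the original script performs. The sample records, dates and the 00000 plugin id are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Plug-ins put "Risk factor" at different places in the description text,
# so search the whole (unescaped) description rather than a fixed field.
RISK_RE = re.compile(r"Risk factor\s*:\s*(None|Low|Medium|High|Critical)",
                     re.IGNORECASE)

# Constructed stand-in for reverse DNS. Hosts with no entry are printed
# with the IP twice, as in the page's diff sample.
HOSTNAMES: Dict[str, str] = {"10.0.6.106": "example.com"}

Record = Tuple[str, str, str, str, str]  # ip, hostname, risk, port, plugin id


def parse_record(line: str) -> Optional[Record]:
    """Return one actionable finding, or None for anything the report should skip.

    Skipped: timestamp/header lines (fewer than 5 fields), NOTE records, and
    records without a Risk factor. Dropping the timestamp lines is what makes
    the output stable between runs so diff only shows real changes.
    """
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) < 5:
        return None
    host, port, plugin_id, rtype, desc = parts
    if rtype.upper() not in ("REPORT", "INFO"):
        return None
    match = RISK_RE.search(desc.replace("\\n", "\n"))
    if match is None:
        return None
    return (host, HOSTNAMES.get(host, host), match.group(1).capitalize(),
            port, plugin_id)


def ip_sort_key(rec: Record):
    """Sort numerically by address (so 10.x sorts before 205.x), then by risk, port, id."""
    ip, _hostname, risk, port, plugin_id = rec
    try:
        ip_key: Tuple[int, object] = (0, int(ipaddress.ip_address(ip)))
    except ValueError:
        ip_key = (1, ip)  # non-address host fields sort after real addresses
    return (ip_key, risk, port, plugin_id)


def nsr_to_lines(nsr_text: str) -> List[str]:
    """Turn a whole .nsr file into sorted, de-duplicated tab-separated lines."""
    records = {r for r in map(parse_record, nsr_text.splitlines()) if r is not None}
    return ["\t".join(r) for r in sorted(records, key=ip_sort_key)]


def compare_runs(old_lines: List[str], new_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (findings gone since the old run, findings new in this run)."""
    old, new = set(old_lines), set(new_lines)
    gone = [line for line in old_lines if line not in new]
    added = [line for line in new_lines if line not in old]
    return gone, added


# Constructed .nsr content for two consecutive runs. The timestamp lines differ
# every day and the NOTE record has no Risk factor; neither may reach the diff.
YESTERDAY = "\n".join([
    "timestamps|||scan_start|Mon Jan  1 01:00:00 2007|",
    "205.193.6.94|ftp (21/tcp)|10081|REPORT|Anonymous FTP is enabled.\\nRisk factor : Medium",
    "10.0.6.106|http (80/tcp)|11267|INFO|Risk factor : Medium\\nThe web server banner ...",
    "10.0.6.106|submission (587/tcp)|11499|REPORT|Solution : upgrade\\nRisk factor : High",
    "10.0.6.106|general/tcp|00000|NOTE|Traceroute information (constructed placeholder id)",
    "timestamps|||scan_end|Mon Jan  1 01:30:00 2007|",
])
TODAY = "\n".join([
    "timestamps|||scan_start|Tue Jan  2 01:00:00 2007|",
    "205.193.6.94|ftp (21/tcp)|10081|REPORT|Anonymous FTP is enabled.\\nRisk factor : Medium",
    "205.193.6.94|ftp (21/tcp)|10556|REPORT|Writable FTP directory.\\nRisk factor : High",
    "10.0.6.106|http (80/tcp)|11267|INFO|Risk factor : Medium\\nThe web server banner ...",
    "10.0.6.106|general/tcp|00000|NOTE|Traceroute information (constructed placeholder id)",
    "timestamps|||scan_end|Tue Jan  2 01:35:00 2007|",
])

if __name__ == "__main__":
    gone, added = compare_runs(nsr_to_lines(YESTERDAY), nsr_to_lines(TODAY))
    for line in gone:
        print("< " + line)   # same marker diff uses for lines only in the old file
    for line in added:
        print("> " + line)
```

With the constructed data the only output is one fixed finding (the High on 587/tcp) and one new finding (the High on 21/tcp): the changed scan times and the traceroute NOTE never enter the sorted list, which is exactly the property that lets a plain diff between runs serve as a change report.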
The script seems to work well with Nessus 3.0. Click the following links to view or download the script:
Download:
parse-nsr.pl (2.7k text file)