
Does the Hurricane Labs Add-On for Nessus support the new API in Nessus v6?
The Splunk app for Nessus does not use the API, so only the Hurricane Labs add-on is really useful to get data in.
But in v6 the API format changed in Nessus, and before we deploy it would be great to know whether this add-on supports it.
Best
Soren
It does not currently support v6. We don't have an exact day for the support but we do plan on adding it.
No update but there is another add-on you're welcome to use (no idea if it supports v6 either though) but it is from Splunk, https://splunkbase.splunk.com/app/1710/#/overview
Small update: We do have a developer now actively working on this.
Hi, it's been 3 months since the last comment on this, so I wanted to ask if there has been any progress.
I've spent the last week trying to get "Nessus Data Importer" (TA-nessus_json) to work. Our indexers are running Splunk 6.0.x on Windows, but this app only works on 6.2.x or higher on Linux, so I can't directly index the data. As a workaround I modified the Python scripts to save the data as CSV instead of JSON, then moved the CSV files to a UF running on Windows to index them.
Unfortunately the Hurricane Labs app is looking for fields that do not exist in the data... for example, one of the searches on the "Nessus Overview" dashboard begins with:
tag=vulnerability tag=report report_id=* severity=* NOT severity=informational
The field "severity" does not exist in the data so this search can never return a result. Some records have a field called "stig_severity", but this does not appear to be the same thing.
Can you provide a mapping of the old fields to the new ones? If I have this, at least I can update the searches so that they actually work.
Thanks!
Hi, sorry the Nessus Data Importer isn't our app, so I'm not sure how the fields in that app would map to ours. I believe we are in beta testing of the Nessus 6.x support, so we should hopefully have an updated app soon. I will verify with the developer and see if we can release an EA version for people to start testing.
Hi, thanks for the quick response.
The field names are determined by the Nessus API, not the "Nessus Data Importer" app. Here is a list of the fields I am seeing. The most common fields are at the top, the rarest nearer the bottom. I was just asking if you could provide a list mapping these fields to the fields that are expected by the Hurricane Labs app. It would also be extremely helpful if you could identify any fields that the HL app is expecting which are not in this list.
description
fname
hid
host-fqdn
host-ip
hostname
host_end
host_id
host_start
mac-address
netbios-name
operating-system
plugin_id
plugin_modification_date
plugin_name
plugin_publication_date
plugin_type
risk_factor
ScanName
scan_id
scan_status
script_version
see_also
solution
synopsis
uuid
agent
bid
cve
osvdb
xref
cpe
cvss_base_score
cvss_temporal_score
cvss_temporal_vector
cvss_vector
exploitability_ease
exploit_available
vuln_publication_date
edb-id
exploit_framework_metasploit
icsa
metasploit_name
cert
cwe
patch_publication_date
iavb
msft
secunia
stig_severity
canvas_package
exploited_by_malware
exploit_framework_canvas
exploit_framework_core
iava
in_the_news
unsupported_by_vendor
exploited_by_nessus
hp
cert-cc
cisco-bug-id
cisco-sa
default_account
owasp
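Added example, not code from the thread or from either add-on: a small normaliser that takes records carrying the Nessus API field names listed above and derives the kind of `severity` field the "Nessus Overview" search is looking for. The mapping is an assumption (that `severity` corresponds to the Nessus `risk_factor`, lowercased, with "None" rendered as "informational"), the CIM-style target names (`dest`, `signature`, `cvss`) are hypothetical, and `EXPECTED_FIELDS` is a stand-in for the real list the post asks for. It also reports which expected fields a given record lacks, which is the check you would run over a real export before touching the dashboards.

```python
import json

# Assumed mapping, not from the thread or either add-on: the dashboard's
# `severity` field is taken to be the Nessus `risk_factor`, lowercased, with
# "None" rendered as "informational" so `NOT severity=informational` has
# something to exclude.
RISK_FACTOR_TO_SEVERITY = {
    "None": "informational",
    "Low": "low",
    "Medium": "medium",
    "High": "high",
    "Critical": "critical",
}

# Hypothetical list of fields a consuming dashboard needs, modelled on the
# Splunk CIM Vulnerabilities data model; the Hurricane Labs app's real list
# is what the thread is asking for and is not known here.
EXPECTED_FIELDS = ("severity", "dest", "signature", "plugin_id", "cvss", "cve")

# Direct renames from the Nessus API names listed in the thread to the
# assumed consumer names (CIM-style).
RENAMES = {
    "host-ip": "dest",
    "plugin_name": "signature",
    "cvss_base_score": "cvss",
    "host-fqdn": "dest_fqdn",
}


def derive_severity(record):
    """Return a lowercase severity for one Nessus record, or None if it
    cannot be determined from either risk_factor or cvss_base_score."""
    risk_factor = record.get("risk_factor")
    if risk_factor in RISK_FACTOR_TO_SEVERITY:
        return RISK_FACTOR_TO_SEVERITY[risk_factor]
    # Fallback: band the CVSS v2 base score the way Nessus does
    # (0 = None, <4 Low, <7 Medium, <10 High, 10 Critical).
    try:
        score = float(record.get("cvss_base_score", ""))
    except ValueError:
        return None
    if score <= 0.0:
        return "informational"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 10.0:
        return "high"
    return "critical"


def normalize(record):
    """Copy a Nessus API record, add the renamed fields and a derived
    severity. Original keys are kept so nothing is lost at index time."""
    out = dict(record)
    for src, dst in RENAMES.items():
        if src in record and dst not in record:
            out[dst] = record[src]
    severity = derive_severity(record)
    if severity is not None:
        out["severity"] = severity
    return out


def missing_expected_fields(record, expected=EXPECTED_FIELDS):
    """Fields the consumer would search on that this record does not carry,
    in EXPECTED_FIELDS order. Answers 'which fields does the app expect
    that my data lacks?' when run over a real export."""
    return [name for name in expected if name not in record]


def to_json_lines(records):
    """Serialise normalised records one per line, ready for a Splunk input."""
    return "\n".join(json.dumps(normalize(r), sort_keys=True) for r in records)


# Constructed sample records using the field names from the thread.
SAMPLE_RECORDS = [
    {"host-ip": "10.0.0.5", "plugin_id": "12345", "plugin_name": "Example SSL finding",
     "risk_factor": "High", "cvss_base_score": "7.5", "cve": "CVE-0000-0000",
     "ScanName": "weekly"},
    {"host-ip": "10.0.0.6", "plugin_id": "22222", "plugin_name": "Service banner",
     "risk_factor": "None", "ScanName": "weekly"},
    {"host-ip": "10.0.0.7", "plugin_id": "33333", "plugin_name": "Missing patch",
     "cvss_base_score": "5.0", "ScanName": "weekly"},
]

if __name__ == "__main__":
    print(to_json_lines(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print("missing for plugin %s: %s"
              % (rec["plugin_id"], missing_expected_fields(normalize(rec))))
```

Keeping the original keys alongside the derived ones means a search written against either naming still matches; the derived `severity` is only added when it can be justified from the record, so a record with neither `risk_factor` nor a parseable `cvss_base_score` shows up in `missing_expected_fields` instead of being silently labelled.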
Thanks, this is awesome! But, I've hit a snag. Our Nessus scanners are running on Windows with the Universal Forwarder installed. It doesn't have Python. Do I have to install it? Or can this be run on another server, remotely accessing the Nessus API?
It might work on Windows if you install Python, but this app has only been tested on Linux. Our support for that would be limited as well. It definitely can be run on another server, though, as long as that server has connectivity to your Nessus scanner over its web port (usually 8834).
By the way, shortly after uploading to Splunkbase, I noticed a small bug that can cause one of the scripted inputs to fail. I recommend you download 1.0.4 if you already downloaded 1.0.3.
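Added example, not the add-on's own code: a minimal read-only client showing what "run it on another server with connectivity to the scanner on 8834" looks like against the Nessus 6 REST API with API keys (the `X-ApiKeys` header, `GET /scans`, `GET /scans/{id}`). It targets Python 3 rather than Splunk's bundled 2.7, verifies the scanner's certificate against a CA bundle you supply instead of switching verification off, and takes an injectable transport so the constructed `fake_transport` below lets it run offline. The hostname, key values and bundle path are placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request


class NessusApiError(Exception):
    pass


def https_get(url, headers, ca_bundle):
    """Default transport: GET url, verifying the scanner's certificate
    against ca_bundle (Nessus ships a self-signed cert, so export it and
    pin it here rather than turning verification off). Returns
    (status, body_bytes); HTTP error statuses are returned, not raised."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class NessusApi:
    """Minimal read-only client for the Nessus 6 REST API using API keys."""

    def __init__(self, base_url, access_key, secret_key, ca_bundle, transport=https_get):
        self.base_url = base_url.rstrip("/")
        # Nessus 6 API-key authentication: both keys travel in one header.
        self.headers = {
            "X-ApiKeys": "accessKey=%s; secretKey=%s" % (access_key, secret_key),
            "Accept": "application/json",
        }
        self.ca_bundle = ca_bundle
        self.transport = transport

    def get(self, path):
        status, body = self.transport(self.base_url + path, self.headers, self.ca_bundle)
        if status == 401:
            raise NessusApiError("authentication failed for %s: check the API keys" % path)
        if status != 200:
            raise NessusApiError("HTTP %d for %s" % (status, path))
        return json.loads(body.decode("utf-8"))

    def list_scans(self):
        """GET /scans -> list of scan summaries (id, name, status, ...)."""
        return self.get("/scans").get("scans") or []

    def completed_scan_ids(self):
        """Only finished scans are worth pulling into the SIEM."""
        return [s["id"] for s in self.list_scans() if s.get("status") == "completed"]

    def scan_details(self, scan_id):
        """GET /scans/{id} -> hosts and vulnerabilities for one scan."""
        return self.get("/scans/%d" % scan_id)


def pull_completed(api):
    """Return {scan_id: details} for every completed scan."""
    return {sid: api.scan_details(sid) for sid in api.completed_scan_ids()}


# Constructed fake transport standing in for a scanner on port 8834 so the
# example runs offline; it checks the key header the way the server would.
FAKE_SCANS = {"scans": [
    {"id": 5, "name": "weekly-dmz", "status": "completed"},
    {"id": 6, "name": "adhoc", "status": "running"},
]}
FAKE_SCAN_5 = {"info": {"name": "weekly-dmz"},
               "hosts": [{"host_id": 2, "hostname": "10.0.0.5", "critical": 0, "high": 1}],
               "vulnerabilities": [{"plugin_id": 12345, "severity": 3, "count": 1}]}


def fake_transport(url, headers, ca_bundle):
    if headers.get("X-ApiKeys") != "accessKey=AK-TEST; secretKey=SK-TEST":
        return 401, b'{"error":"Invalid Credentials"}'
    if url.endswith("/scans"):
        return 200, json.dumps(FAKE_SCANS).encode("utf-8")
    if url.endswith("/scans/5"):
        return 200, json.dumps(FAKE_SCAN_5).encode("utf-8")
    return 404, b'{"error":"not found"}'


if __name__ == "__main__":
    # Placeholder hostname, keys and CA bundle path; swap in the fake transport
    # for a real one by dropping the transport= argument.
    api = NessusApi("https://nessus.example.internal:8834", "AK-TEST", "SK-TEST",
                    "/etc/pki/nessus-ca.pem", transport=fake_transport)
    print(json.dumps(pull_completed(api), indent=2))
```

Treating a 401 as its own error makes a key mismatch distinguishable from a network or scanner-side problem when the input fails inside splunkd, and pulling only `completed` scans avoids indexing half-finished results that would later be re-imported with different counts.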
Really appreciate your quick responses. I've installed the app on a Linux box running a heavy forwarder. I added the host name and API keys to the nessus.conf file, and enabled the input, but I get a lot of errors in splunkd.log.
Should this work on any version of Splunk 6.x? Or does it require a more recent version, such as 6.2.x? Our indexers are 6.0.5 (no chance of upgrading soon), and for compatibility I've installed the same version of the HF on my Linux box.
I will try again with the 1.0.4 to see if it fixes this. If it does, apologies... 🙂
Here are the errors from splunkd.log:
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type md5
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha1
ERROR:root:code for hash sha224 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha512
Traceback (most recent call last):
File "./scans.py", line 4, in <module>
from nessus import NessusApi
File "/opt/splunk/etc/apps/TA-nessus/bin/nessus/__init__.py", line 4, in <module>
import requests
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/__init__.py", line 58, in <module>
from . import utils
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/utils.py", line 25, in <module>
from .compat import parse_http_list as _parse_list_header
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/compat.py", line 7, in <module>
from .packages import chardet
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/packages/__init__.py", line 3, in <module>
from . import urllib3
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/packages/urllib3/__init__.py", line 16, in <module>
from .connectionpool import (
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/packages/urllib3/connectionpool.py", line 33, in <module>
from .connection import (
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/packages/urllib3/connection.py", line 41, in <module>
from .util import (
File "/opt/splunk/etc/apps/TA-nessus/bin/requests/packages/urllib3/util.py", line 11, in <module>
from hashlib import md5, sha1
ImportError: cannot import name md5
This appears to be a result of a missing OpenSSL package. Can you verify that OpenSSL is installed?
edit: Package should be called libssl1_0_0
edit2: Actually libssl can be found in the openssl-dev package (openssl-devel on CentOS)
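Added diagnostic, not from the thread or the add-on: a preflight script to run under the same interpreter the scripted input uses (`/opt/splunk/bin/splunk cmd python preflight.py`) before the input is enabled. It reproduces the check behind the log above (constructing each of the six hashes that `hashlib` reported as unsupported), locates the `_hashlib` extension that bridges Python to libcrypto, and runs `ldd` on it to list any shared libraries marked "not found", so the soname Python is asking for can be compared with what the installed openssl packages actually provide. It is written to work on both Python 2.7 and 3; the `ldd` step is Linux-only and degrades to an empty list elsewhere.

```python
import hashlib
import os
import subprocess

# The six constructors whose absence the splunkd.log traceback reports.
ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def check_hash_algorithms(names=ALGORITHMS):
    """Try to build each hash through hashlib.new(), which raises the same
    'unsupported hash type' ValueError seen in the log when the OpenSSL-backed
    constructor is missing. Returns {name: True/False}."""
    results = {}
    for name in names:
        try:
            hashlib.new(name, b"preflight").hexdigest()
            results[name] = True
        except ValueError:
            results[name] = False
    return results


def hashlib_backend_path():
    """Location of the _hashlib extension (the bridge to libcrypto), or None
    when it cannot be imported at all or is linked statically."""
    try:
        import _hashlib
    except ImportError:
        return None
    return getattr(_hashlib, "__file__", None)


def _find_on_path(executable):
    """shutil.which() substitute that also works on Splunk's Python 2.7."""
    for folder in os.environ.get("PATH", "").split(os.pathsep):
        candidate = os.path.join(folder, executable)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def unresolved_shared_libs(so_path):
    """Shared libraries that ldd marks 'not found' for so_path. Comparing those
    sonames with what the openssl packages install shows whether the
    interpreter is looking for a libcrypto/libssl the system does not provide.
    Returns [] when ldd is unavailable or the file does not exist."""
    ldd = _find_on_path("ldd")
    if not so_path or not ldd or not os.path.isfile(so_path):
        return []
    try:
        output = subprocess.check_output([ldd, so_path], stderr=subprocess.STDOUT)
    except (subprocess.CalledProcessError, OSError):
        return []
    missing = []
    for line in output.decode("utf-8", "replace").splitlines():
        if "not found" in line:
            missing.append(line.strip().split(" ")[0])
    return missing


def preflight_report():
    """Assemble everything an admin would paste into a support thread."""
    backend = hashlib_backend_path()
    return {
        "algorithms": check_hash_algorithms(),
        "hashlib_backend": backend,
        "unresolved_libs": unresolved_shared_libs(backend),
    }


if __name__ == "__main__":
    report = preflight_report()
    for name, ok in sorted(report["algorithms"].items()):
        print("%-7s %s" % (name, "ok" if ok else "MISSING"))
    print("_hashlib: %s" % (report["hashlib_backend"] or "not importable"))
    for lib in report["unresolved_libs"]:
        print("unresolved: %s" % lib)
```

If every algorithm reports MISSING and `ldd` names an unresolved libcrypto or libssl, the fix is on the library side (the package or the library search path the interpreter runs with), not in the add-on; if the hashes construct fine under `splunk cmd python` but the input still fails, the scripted input is being run by a different interpreter than the one you tested.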
Looks like we have 1.0.1e.
[root@----------- Desktop]# rpm -qa | grep ssl
python-backports-ssl_match_hostname-3.4.0.2-4.el7.noarch
openssl-devel-1.0.1e-42.el7.9.x86_64
openssl-libs-1.0.1e-42.el7.9.x86_64
openssl-1.0.1e-42.el7.9.x86_64
[root@----------- Desktop]# yum list installed | grep ssl
openssl.x86_64 1:1.0.1e-42.el7.9 @updates
openssl-devel.x86_64 1:1.0.1e-42.el7.9 @updates
openssl-libs.x86_64 1:1.0.1e-42.el7.9 @updates
python-backports-ssl_match_hostname.noarch
This is fantastic! I've never gotten such responsive support before!
Would you mind if we continued this over e-mail? It appears this comment chain has gotten so long that replies are no longer displaying.
I reinstalled all three packages (openssl, openssl-devel, openssl-libs) just in case there were any files missing or corrupted. Restarted Splunk, then ran the script again, but still get the same errors in splunkd.log. Is it possible I might need to restart Linux? Really appreciate any other help you might be able to provide.
Try installing openssl-devel
yum install openssl-devel
Checked with YUM also. Sorry, still pretty new to Linux.
[root@----------- Desktop]# yum list installed | grep ssl
openssl.x86_64 1:1.0.1e-42.el7.9 @updates
openssl-devel.x86_64 1:1.0.1e-42.el7.9 @updates
openssl-libs.x86_64 1:1.0.1e-42.el7.9 @updates
python-backports-ssl_match_hostname.noarch
Hello, we just uploaded a beta release of our Nessus add-on that adds support for Nessus 6. Feel free to try it out and let us know if you have any issues! https://splunkbase.splunk.com/app/1860/
As for your most recent question about fields required by our Vulnerability Management app, I'm looking into it now. I'll get back to you as soon as possible.
Hello, has there been any update on this issue? We have just installed Nessus 6 on CentOS and are trying to set up a universal forwarder with the TA-Nessus add-on, without success. This was based on an assumption that the new TA does support the Nessus 6 API, so I was disappointed to discover that it does not (as of April 27 2015).
