I have a folder in my Nessus Manager in which I place any deprecated scans. We like to keep old scans for historical purposes. I would like to skip this folder when Splunk makes API calls to pull in the scan data from Nessus.
I understand that the Python script "nessus_data_collector.py" is responsible for pulling in the scan data, but I am not confident enough with my Python skills to make this edit.
Here's the API listing of the folder:
{
    "unread_count": 0,
    "custom": 0,
    "default_tag": 0,
    "type": "custom",
    "name": "Deprecated",
    "id": 69
},
I'd provide the Python script itself, but it's 554 lines long -- I can reply with any specific definitions or classes if needed.
I played around with the script. I believe I got it working to filter out scan results based on the folder id.
In "nessus_data_collector.py" change the "collect_scan_data_of_one_scan" function (starting at line 323) as follows. You need to add four lines:
    def _collect_scan_data_of_one_scan(self, sid, scan_info, page_size):
        """
        The method to collect events of one scan id.
        """
        # Added lines: skip any scan that lives in the "Deprecated" folder (id 69)
        if "folder_id" in scan_info:
            folder_id = scan_info["folder_id"]
            if folder_id == 69:
                return 0
        hosts = self.ckpt.contents[self.url]["scans"][str(sid)]["hosts"]
        count = 0
        ...
Let me know if it works.
Hi Yunagi,
Thanks for the reply!
According to the logs, the scans in that folder are still being read.
For example a scan in that folder might have the id "77":
2017-12-14 08:16:28,772 INFO pid=666 tid=MainThread file=nessus_rest_client.py:request:88 | Send request: https://nessus.example.com:8834/scans/77
2017-12-14 08:16:31,555 INFO pid=666 tid=MainThread file=nessus_rest_client.py:request:92 | end https://nessus.example.com:8834/scans/77
Can I get the script to stop reaching out for the scans in that folder entirely?
I believe each scan has both a scan id (in your case "77") as well as a folder id (in your case "69").
I just had a look at var/log/splunk/ta_nessus.log. Apparently each scan gets mentioned here even though it gets filtered via our small hack in nessus_data_collector.py.
Can you run a Splunk search to check whether Splunk still indexes scan results from the Deprecated folder? Each event has the field "folder_id", so search for "index=nessus folder_id=69" for the last 24 hours or so.
I made a small update to the code from my original post.
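The log lines above show why the patched method still produces a request per scan: the folder check runs inside the per-scan collector, after GET /scans/77 has already been sent. The added example below (my own sketch, not code from the Splunk TA or from Tenable) shows the alternative of filtering the scan listing by folder id before any per-scan request is issued. The scan list, the `fetch` callback and the function names are constructed for illustration; the assumption is that the listing endpoint returns each scan with its `folder_id`, as the folder JSON in the question suggests.

```python
# Added example, not the TA's own code: drop scans that live in skipped
# folders at listing time, so no GET /scans/{id} is ever sent for them.
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample in the shape of a Nessus /scans listing. Folder 69 is
# the "Deprecated" folder from the thread; scan 77 is the one in the logs.
SAMPLE_SCANS: List[Dict] = [
    {"id": 12, "name": "Weekly prod", "folder_id": 3},
    {"id": 77, "name": "Old DMZ audit", "folder_id": 69},
    {"id": 80, "name": "Q3 internal", "folder_id": 3},
    {"id": 81, "name": "Legacy hosts", "folder_id": 69},
    {"id": 82, "name": "No folder field"},  # defensive case: folder_id absent
]

SKIP_FOLDER_IDS: Set[int] = {69}


def select_scans(scans: Iterable[Dict], skip_folder_ids: Set[int]) -> List[Dict]:
    """Return scans whose folder_id is not in skip_folder_ids.

    A scan without a folder_id is kept on purpose: silently dropping it would
    hide data, which is the opposite of what a deprecated-folder filter wants.
    """
    return [s for s in scans if s.get("folder_id") not in skip_folder_ids]


def collect(scans: Iterable[Dict], skip_folder_ids: Set[int],
            fetch: Callable[[int], None]) -> List[int]:
    """Call fetch(scan_id) only for the selected scans; return the ids fetched."""
    fetched: List[int] = []
    for scan in select_scans(scans, skip_folder_ids):
        fetch(scan["id"])          # in the real collector: GET /scans/{id}
        fetched.append(scan["id"])
    return fetched


def run_demo() -> Dict[str, List]:
    """Run the filter over the constructed listing and record which URLs
    would have been requested, so the effect can be checked offline."""
    requests_made: List[str] = []

    def fake_fetch(sid: int) -> None:   # stand-in for the REST client call
        requests_made.append(f"/scans/{sid}")

    fetched = collect(SAMPLE_SCANS, SKIP_FOLDER_IDS, fake_fetch)
    return {"fetched": fetched, "requests": requests_made}


if __name__ == "__main__":
    print(run_demo())
```

With this ordering, the per-scan log lines for scan 77 disappear entirely, and the same Splunk search suggested above (`index=nessus folder_id=69`) still serves as the end-to-end check that nothing from the folder is indexed.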
I have confirmed that the scans in that folder are no longer being indexed. Thank you!