
Splunk Add-on for Tenable: Support for Nessus Professional v7?

Communicator

This week Nessus Professional v7 was announced:
Announcing Nessus Professional v7
Changes are listed here:
What's new in Nessus Pro?

Most notably for me is the following change:
"The ability to manage scans via API and CLI has been removed in v7. Automated scanning is better served by the API in our Tenable.io solution. All Nessus Pro scanning operations must be done through the user interface."

The Splunk Add-on for Tenable utilizes the REST API.
So will the Splunk Add-on for Tenable not work with Nessus Professional v7?
Are there any plans to support v7?

Communicator

A couple of days ago Nessus 7.0.2 was released.
The release notes for 7.0.2 specify: Reinstate API functions related to integrations.

I just tested the Splunk add-on: Apparently it is working again.

Perhaps Tenable faced too much backlash when disabling the API, so they changed their decision.
Unfortunately, I cannot find any official word from Tenable as to whether the API is fully back now.

Engager

I upgraded to Nessus v7 and I have not received a single scan result via the Splunk Add-on for Tenable. So I would say at this point it is broken. However, the Nessus documentation on v7 reads as follows (please note the sentence in bold). So I currently have a ticket in with Splunk and they are looking into this issue.

Access to the API for scanning is removed. Nessus Professional is designed to perform scan functions through the UI only. The scan API capabilities will remain operational through December 31, 2018, provided that users do not opt in to the v7 features. We recognize that many users export the scan data to create their own reports, so we have retained those capabilities in all versions of Nessus Professional, including v7. The scan API capabilities removed in Nessus Professional v7 are available in Tenable.io Vulnerability Management for those seeking additional automation and management capabilities.

Ultra Champion

If you're on v7 I don't think you can reasonably expect the Splunk add-on to work, since it's not listed as supported. I think Tenable must be under significant pressure to revise or reverse this decision in light of people actively exploring competitor products as a direct result of this recent change.

0 Karma

Explorer

As far as I can tell there will not be any support without Tenable.io. I upgraded a test server to v7 and it will not feed scan data. I also manually tested the RESTful APIs and they now return "API not available". There really isn't anything anyone but Tenable can do at this point for that integration. The REST APIs are gone and there is no real way to interface with Nessus Pro at this point. I could be wrong and maybe someone has a creative solution, but as I see it there is only manual download from Nessus and manual upload to Splunk. It has been a complete disappointment as we just changed to Nessus three months ago for its integration with Splunk.

0 Karma

Communicator

I feel quite disappointed too. We don't want to use Tenable.io since it's cloud-based. We also don't want to buy SecurityCenter. Tenable did not announce that they were going to remove the API from SecurityCenter. But who knows if that will change.
The only option I see now is to use the Nessus web interface. I'm thinking of writing a script to automatically log into the Nessus web interface and automatically export all scans as csv. However, I can barely find any documentation on that. Can anyone confirm whether the following lines work with Nessus v7 for listing all scans?

curl -s -k -X POST -H 'Content-Type: application/json' -d '{"username":"test","password":"test"}' https://scanner:8834/session
curl -s -k -X GET -H 'X-Cookie: token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' https://scanner:8834/scans

The obvious drawback is we have to invest time for writing and testing such a script. Also, Tenable is removing multi-user support in v7. Having clear text admin passwords in scripts for a security product is really ironic.

0 Karma

Explorer

Ya so couple thoughts:
1. There are definitely a number of organizations that will be scrambling to navigate this. I wouldn't be surprised if there are other companies that step up to fill the void Nessus is leaving or some "hacked together" ways of automating a feed into Splunk without the RESTful API.
2. Your curls are utilizing the RESTful API still so that won't get you anywhere in terms of pulling the data from Nessus. Also if you do want to play with their API interface I'd recommend looking at Postman (the Chrome app) but again that is kind of a waste of time since the only useful ones now are disabled.
3. I'm going to be exploring workarounds. A couple thoughts I've had and not yet tested are either using something like AutoIT to automate the act of manually downloading the .CSV file and then something else picks that up periodically, or they did introduce emailing scan results with v7. You can send this to a shared mailbox that then downloads the csv and imports into Splunk. I'll try to remember to post back here as my testing goes along.

0 Karma

Communicator

I have just tested these curl commands on Nessus v7. They do work. I believe it's the same functionality as when you log into the Nessus web interface by hand using a web browser. (The Nessus REST API utilizes access keys and secret keys. This is different from authentication with a username and a password.)
I haven't considered emailing the scan results upon scan completion. That sounds like an interesting workaround.

0 Karma

Explorer

So yes, sorry, I was not clear. Not all the RESTful APIs are disabled; the ones that matter to the Splunk app (the ones that pull the scan details) are, however, disabled. And it is the RESTful API, not the authentication method (username/password vs key), that is the issue/what is disabled. If you run https://ip:8834/scans/scan# (e.g. https://10.10.10.10:8834/scans/3) you will get back an error of "API is not available" regardless of the authentication method. Again, in order to do something like you are kind of thinking, where you are basically scripting someone actually logging in and pulling a report, you would need to use something like AutoIT which simulates key presses/screen interactions.

0 Karma

Communicator

You are right. I receive "API is not available" when pulling the scan details like this:
curl -s -k -X GET -H 'X-Cookie: token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' https://scanner:8834/scans/87

0 Karma

Explorer

So just ran a test with the email route. Looks like the report does give a good amount of information: pluginID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis, Description, Solution, See Also, Plugin output. Depending on how robust your Splunk dashboards were this could provide the critical information you would want to report on anyway. I'll keep posting findings on here as I go along.

0 Karma

Communicator

Yes, Nessus v7 can email the scan results as csv. Splunk can easily handle csv files. It's nice that the csv file contains the plugin output. The plugin output is currently missing in the Splunk Add-on for Tenable. So that is a nice improvement.
Now I have the following idea: I configure Nessus to send the reports to test@localhost. Then I install an SMTP server (like postfix) on the same system. This SMTP server should save the attachments into a certain directory. Now I also install a Splunk universal forwarder to monitor that directory for csv files.

0 Karma
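The "save the attachments into a certain directory" step of the idea above, as an added example that is not part of the original posts: a Python filter that the local mail server hands each message to on stdin. The spool path, file mode and sample message are assumptions constructed for illustration; the attachment name is treated as untrusted input.

```python
import email, hashlib, os, re, sys, tempfile
from email import policy
from email.message import EmailMessage

SPOOL_DIR = "/var/spool/nessus-csv"  # hypothetical directory the forwarder monitors

def save_csv_attachments(raw_message: bytes, spool_dir: str) -> list:
    """Write every CSV attachment of one e-mail into spool_dir; return the paths."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    saved = []
    for part in msg.iter_attachments():
        # The attachment name is sender-controlled: keep only the last path
        # component and a conservative character set, and require ".csv".
        name = (part.get_filename() or "").replace("\\", "/")
        base = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(name))
        stem, ext = os.path.splitext(base)
        if ext.lower() != ".csv" or not stem.strip("._"):
            continue
        data = part.get_payload(decode=True) or b""
        # Content hash in the name: a re-sent report maps to the same file,
        # and a new report never overwrites an older one.
        digest = hashlib.sha256(data).hexdigest()[:12]
        final = os.path.join(spool_dir, f"{stem}-{digest}.csv")
        # Write under a dot-prefixed temp name, then rename atomically, so the
        # forwarder never reads a half-written file.
        fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".incoming-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, 0o640)  # assumption: the forwarder reads via group permission
        os.replace(tmp, final)
        saved.append(final)
    return saved

def build_sample_message() -> bytes:
    """Constructed sample: one CSV with a hostile file name, one non-CSV part."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "nessus@localhost", "test@localhost", "Scan results"
    m.set_content("Report attached.")
    m.add_attachment(b"pluginID,CVE,CVSS,Risk,Host\n0,,,None,10.10.10.10\n",
                     maintype="text", subtype="csv",
                     filename="../../etc/cron.d/scan report.csv")
    m.add_attachment(b"<html></html>", maintype="text", subtype="html",
                     filename="report.html")
    return m.as_bytes()

if __name__ == "__main__":
    # Meant to be run by the mail server's pipe delivery, message on stdin.
    print(save_csv_attachments(sys.stdin.buffer.read(), SPOOL_DIR))
```

The forwarder's monitor input should match only `*.csv` in that directory so the dot-prefixed temporary files are never indexed.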

Ultra Champion

I think Security Center will stay 'as-is' (functionality wise).
Tenable.io was developed in response to the "it's too expensive" from smaller organisations when faced with the bill for SC. Conversely, if you have many thousands of endpoints, .io has an eyewateringly high pricetag.
Security consultants/testers need only the scanner, so that remains the cheapest option if you're scanning lots of hosts, and using it manually.

I think the changes are to pigeonhole users into one of these categories, and they have realised that many orgs are scripting the 'cheap' option to avoid buying the enterprise solutions, especially those of us who are using third party systems like Splunk to monitor, trigger and report on scans. They are fine with that if you are paying for SC/IO but not so happy if you're doing it with the comparatively cheap Pro.

Explorer

Ya that is exactly what is going on. It's a pretty smart play if we are being honest with ourselves. Frustrating nonetheless. Especially considering we just switched to Nessus Pro 3 months ago and told them we want Splunk integration and they said "sure fine" while sitting on the fact it would be taken from us before the end of the year.

0 Karma