
Thread: Nessus requests

  1. #1

    Nessus requests

    I am doing a test on our servers at work. I have been using Nessus to do traditional vulnerability scans and my question is this:

    I want to view the actual requests, in raw format that nessus makes when testing for vulnerabilities. Can the requests be found somewhere so that the actual requests can be viewed?

    Thanks!

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You should be able to look into the rules that make a nessus test. I can't tell you where they are but I'm sure it's in the documentation.

    If you want to see the 'real' traffic (ip packets et al) why not hook up a sniffer? Ethereal will do very well.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Well, it's a bit of a kluge, because I don't know how to do it in Nessus, or if it can be done even, but have you thought about putting something like ethereal downstream of your nessus server so you can examine the packets? I would think either creating a span port (if your switches will support that) or dropping the nessus server on an old hub that you have lying around and putting the ethereal machine on it (the hub) would give you everything you wanted.


    edit----damn, sir dice posted while I was typing. Yeah, what he said.

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Or if using *nix you can fire up "ngrep" while nessus is scanning your server, I've done it two months ago.. you will see the real traffic too..

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    www.majorgeeks.com has a pile of exploit scanners and admin tools to help you in your quest.

  6. #6
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    In RH9 the tests are in /usr/lib/nessus/plugins and are written in nasl.

    This will tell you about nasl http://www.nessus.org/doc/nasl2_reference.pdf and from that you should be able to work out what the tests are doing (& probably get them to dump input/output to files).

    HTH
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #7
    I am indeed using linux. That grep command sounds interesting. What did the command look like?

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Most linux's have tcpdump or similar... or, at least, the RPMs are fairly accessible from your vendor/distro.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  9. #9
    We've had to do this in the past as well. Like 4 or 5 people already said, the "best" way would be a sniffer. Any sniffer will do, just write the output to a file then go back and look at all the traffic. This is a good way to prove you ran certain tests, and did not run others (some clients don't want you running certain tests).

  10. #10
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Originally posted here by Surreal
    I am indeed using linux. That grep command sounds interesting. What did the command look like?
    "grep" and "ngrep" are different:
    Code:
    NAME
           grep,  egrep,  fgrep, zgrep, zegrep, zfgrep, bzgrep, bzegrep, bzfgrep -
           print lines matching a pattern
    
    SYNOPSIS
           grep [options] PATTERN [FILE...]
           grep [options] [-e PATTERN | -f FILE] [FILE...]
    
    DESCRIPTION
           grep searches the named input FILEs (or standard input if no files  are
           named, or the file name - is given) for lines containing a match to the
           given PATTERN.  By default, grep prints the matching lines.
    
           In addition, two variant programs egrep and fgrep are available.  egrep
           is  the  same  as grep -E.  fgrep is the same as grep -F.  zgrep is the
           same as grep -Z.  zegrep is the same as grep -EZ.  zfgrep is  the  same
           as grep -FZ.
    etc
    Code:
    SYNOPSIS
           ngrep <-hXViwqpevxlDtT> <-IO pcap_dump > < -n num > < -d dev > < -A num
           > < -s snaplen > < match expression > < bpf filter >
    
    
    DESCRIPTION
           ngrep strives to provide most of GNU grep's common  features,  applying
           them  to the network layer.  ngrep is a pcap-aware tool that will allow
           you to specify extended regular expressions to match against data  pay-
           loads  of  packets.   It  currently recognizes TCP, UDP and ICMP across
           Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf fil-
           ter  logic  in  the  same fashion as more common packet sniffing tools,
           such as tcpdump(8) and snoop(1).
    etc
    So you need to have "ngrep" installed on your box and read the manual for ngrep first, and you will know what the command is..
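The review step suggested in post #9 (write the sniffer output to a file, then go back and look at what the scanner sent), as an added example that was not posted by anyone in this thread: a small reader for a classic pcap file that lists every TCP payload sent from the scanner's address. The addresses and the embedded capture are constructed; there is no TCP stream reassembly and no VLAN handling, so each segment is reported on its own.

```python
import socket
import struct

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture: scanner 192.0.2.10 probing target 192.0.2.80."""
    pkts = [
        _frame("192.0.2.10", "192.0.2.80", 40001, 80, b"GET /robots.txt HTTP/1.0\r\n\r\n"),
        _frame("192.0.2.80", "192.0.2.10", 80, 40001, b"HTTP/1.0 404 Not Found\r\n\r\n"),
        _frame("192.0.2.10", "192.0.2.80", 40002, 25, b"HELO scanner.example\r\n"),
        _frame("192.0.2.10", "192.0.2.80", 40003, 80, b""),  # bare ACK, no payload
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1000 + i, 0, len(p), len(p)) + p
    return out

def scanner_requests(pcap, scanner_ip):
    """Return (ts, dst_ip, dst_port, payload) for each TCP segment the scanner sent."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap file with Ethernet link type")
    found, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20 or socket.inet_ntoa(ip[12:16]) != scanner_ip:
            continue  # not TCP, truncated, or not sent by the scanner
        total = struct.unpack_from("!H", ip, 2)[0]
        dport = struct.unpack_from("!H", ip, ihl + 2)[0]
        payload = ip[ihl + (ip[ihl + 12] >> 4) * 4:total]
        if payload:
            found.append((ts, socket.inet_ntoa(ip[16:20]), dport, payload))
    return found

if __name__ == "__main__":
    for ts, dst, port, data in scanner_requests(sample_pcap(), "192.0.2.10"):
        print(ts, f"{dst}:{port}", data)
```

To use it on a real capture, pass the bytes of the file your sniffer wrote and the scan host's address instead of the constructed sample.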
