TVM Monkey

Serious security biz

Jan 1, 2022 - 2 minute read

Log4j Tenable Data Transformation

If you use Tenable’s excellent Nessus vulnerability scanner, you’re probably familiar with the “Plugin Output” payload in their default reports. Many plugins aggregate findings in this payload and it’s sometimes convenient to parse them out.

For example, the current log4j Nessus plugins aggregate many vulnerable jar/ear/war/zip files in what I call a “path group”: a series of key : value pairs grouped together and separated by newlines:

[Image: log4j report before data transformation]

This finding aggregation can be incredibly inconvenient for remediators, people creating reports, security folks documenting risk, etc., because each of them has to manually review the multiline payload.

I wrote this data transformation script in ruby that:

  • Ingests the Tenable CSV report
  • Adds a new row in the CSV for each path group
  • Applies the parsed key : value pairs to new CSV columns in the resulting report, which makes it much easier to get at the finding data and track it per path

The new columns are prefixed by “dt_” (data transformation) seen below:

[Image: log4j report after data transformation]

To run, simply pipe the Tenable CSV report into the script and redirect the output to a new CSV file like this:

$ cat /tmp/foo.csv | ./log4jTenableDT.rb > afterDT.csv
skipped a path group because there was no path found. be sure to check your output.
skipped a path group because there was no path found. be sure to check your output.

Note the warning messages. The script drops payload data that does not look like a “path group,” so check the output against the original report. I’ve intentionally abstained from using gems for ease of use and to maximize portability. See the script for deeper configuration details.
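For readers who want to see the transformation described above in working code before downloading the script, here is an added example. It is not the author's log4jTenableDT.rb; it rebuilds the same steps (read the CSV, split “Plugin Output” into path groups, emit one row per group with dt_-prefixed columns, warn on groups with no path) using only the Ruby standard library. The column name “Plugin Output”, the blank-line separation between groups, the rule that a group counts as a path group only when it carries a Path key, and the sample report are all assumptions made for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not the author's script. Stdlib only, in keeping with the
# post's "no gems" choice.
require 'csv'

PLUGIN_OUTPUT_COL = 'Plugin Output' # assumption: column name from the default Nessus CSV export
DT_PREFIX = 'dt_'                   # prefix the post says the new columns carry
PATH_KEY = 'path'                   # assumption: a group is a "path group" only if it has a Path key

# Split one Plugin Output payload into groups (assumption: groups are separated
# by blank lines) and each group into key : value pairs. Keys are downcased and
# spaces become underscores so they make tidy column names. Only the first
# colon separates key from value, so Windows paths like C:\... survive intact.
def parse_groups(payload)
  return [] if payload.nil? || payload.strip.empty?
  payload.split(/\n\s*\n/).map do |chunk|
    chunk.each_line.each_with_object({}) do |line, pairs|
      next unless (m = line.match(/\A\s*([^:]+?)\s*:\s*(.*?)\s*\z/))
      pairs[m[1].downcase.tr(' ', '_')] = m[2]
    end
  end.reject(&:empty?)
end

# Expand every CSV row into one row per path group. Returns the new header list
# (original headers plus dt_ columns in order of first appearance), the expanded
# rows as hashes, and the warnings for groups that had no path and were dropped.
def transform(csv_text)
  table = CSV.parse(csv_text, headers: true)
  dt_keys = []
  rows = []
  warnings = []
  table.each do |row|
    base = row.to_h
    parse_groups(base[PLUGIN_OUTPUT_COL]).each do |group|
      unless group.key?(PATH_KEY)
        warnings << 'skipped a path group because there was no path found. be sure to check your output.'
        next
      end
      dt = group.transform_keys { |k| "#{DT_PREFIX}#{k}" }
      dt.each_key { |k| dt_keys << k unless dt_keys.include?(k) }
      rows << base.merge(dt)
    end
  end
  [table.headers + dt_keys, rows, warnings]
end

# Render the expanded rows back to CSV text; a dt_ column a row lacks stays empty.
def to_csv(headers, rows)
  CSV.generate do |csv|
    csv << headers
    rows.each { |r| csv << headers.map { |h| r[h] } }
  end
end

# Constructed sample report (not real scan data): two hosts, the second carrying
# a trailing group with no Path key that should be dropped with a warning.
SAMPLE_CSV = <<~CSV
  Host,Plugin ID,Name,Plugin Output
  10.0.0.5,155999,Apache Log4j Detection,"Path              : /opt/app/lib/log4j-core-2.14.1.jar
  Installed version : 2.14.1
  Fixed version     : 2.16.0

  Path              : /srv/web/WEB-INF/lib/log4j-core-2.11.0.jar
  Installed version : 2.11.0
  Fixed version     : 2.16.0"
  10.0.0.6,155999,Apache Log4j Detection,"Path              : /usr/share/java/log4j-core-2.13.3.jar
  Installed version : 2.13.3
  Fixed version     : 2.16.0

  Note : version could not be determined"
CSV

if __FILE__ == $PROGRAM_NAME
  # Reads the report from stdin as in the post's usage line; falls back to the
  # constructed sample when nothing is piped in.
  input = $stdin.tty? ? SAMPLE_CSV : $stdin.read
  input = SAMPLE_CSV if input.strip.empty?
  headers, rows, warnings = transform(input)
  warnings.each { |w| $stderr.puts w }
  puts to_csv(headers, rows)
end
```

Run it as `cat report.csv | ./example.rb > afterDT.csv` and the warnings appear on stderr exactly as in the post, while the new CSV has one row per jar with dt_path, dt_installed_version and dt_fixed_version columns. Keeping the original “Plugin Output” column on every expanded row costs some file size but makes it easy to audit any row against the unparsed payload, which matters when a plugin changes its output format and a group stops parsing.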

Download it here:

log4j tenable data transformation script

Tested on Linux and macOS. Please let me know if there are any problems on Windows.