Skip to content

Nessus vulnerability scanner - XML format

Download our example file here: example_nessus_report.nessus

Defaults

Data formatting

Nessus provides a PDF Document describing all the XML fields. We rewrite these field to Calliope data.

Policy

Policy contains a lot of information about which plugins, preferences and settings were used doing the run. We store all this information in a container named Policies: {PolicyName}. That container will then have results with all the settings.

  • Preferences: The content is stored as a new XML file attached to the generated results
  • FamilySelection: The content is stored as a new XML file attached to the generated results
  • IndividualPluginSelection: The content is stored as a new XML file attached to the generated results

Report

A report is stored as a container with the title set to the name:

  • name: Title of the container
  • ReportHost: Saved as a new subcontainer

ReportHost

  • name: Generally this is the domain the security scan ran on. This is saved as container title.
  • HostProperties: Will be stored in a container named Properties of {ReportHost.name}
  • ReportItem:
    • Smart enabled: Will be grouped by PluginName and each ReportItem will be a result inside that container.
    • Fallback: Every reportItem will be a new container with the results in that container.

HostProperties

HostProperties is a list of tags describing certain environment settings on the tested domain.

Tag

  • HOST_END: Used to determine the date that the test was run.
  • HOST_START: In combination with HOST_END this will set a duration for the container.
  • All other tags are stored as a result with {tag.name}: {tag.content}.

ReportItem

Attributes:

  • severity: This is used for the status of the result
    • 0: The status of a result will be informational
    • > 0: The status of a result will be failed
  • All attributes: Used in the description

Elements:

  • port: If value is not 0 it will be user in the title of the result.
  • protocol: If value is not tcp it will be used in the title of the result.
  • synopsis: Used as the title of the result.
  • plugin_output:
    • If the output is only 1 line of text, it will be used in the result title.
    • The content is also used in the exception_description field of the result.
  • description: Used in the result description.
  • risk_factor: Used in the description.
  • solution: Used in the description.
  • see_also: Used in the description.
  • All other sub-elements are added to the json_data attribute.