Which vulnerability tests did Nessus run? How long did it take? Which tests take the most time?

tate@ClearNetSec.com (Tate Hansen) — Tue, 31 Jan 2006 23:41:00 -0700

Here is a quick perl piece I wrote awhile back to answer these questions. My main goal at the time was to find which vulnerability tests were consuming the most time. The script parsers the nessusd.messages file and generates an output which looks like the following (I added color to this sample to emphasize the different components):

[suse] > ./parseNessusdMessages.pl 10

===========================================================
xx.xxx.78.65: completed checks = 2262: Time to complete host scan = 369.65 (0:6:9)
68.785 (%18.608) invision_gallery_st_sql_injection.nasl
55.707 (%15.070) lighttpd_cgi.nasl
49.862 (%13.489) DDI_IIS_Compromised.nasl
47.847 (%12.944) horde_detect.nasl
31.121 (%8.419) rpc_portmap.nasl
30.254 (%8.184) amanda_detect.nasl
18.491 (%5.002) h323_detection.nasl
17.578 (%4.755) dont_print_on_printers.nasl
17.525 (%4.741) basilix_inc_files.nasl
16.554 (%4.478) ventrilo_detect.nasl
16.474 (%4.457) krb_pingpong.nasl
not showing remaining list... (only showing 10)

===========================================================
===========================================================
xx.xxx.217.250: completed checks = 2262: Time to complete host scan = 677.22 (0:11:17)
224.901 (%33.209) office_files.nasl
62.777 (%9.270) sql_injection.nasl
61.661 (%9.105) mozilla_default_perms.nasl
60.220 (%8.892) NetSphere.nasl
55.007 (%8.122) shells.nasl
47.335 (%6.990) mozilla_176.nasl
46.044 (%6.799) bnc_auth_bypass.nasl
45.214 (%6.676) qpopper2.nasl
45.110 (%6.661) squid_dos.nasl
44.425 (%6.560) dont_print_on_printers.nasl
44.394 (%6.555) CA_License_Service_Stack_Overflow.nasl
not showing remaining list... (only showing 10)

===========================================================
===========================================================
xx.xxx.78.6: completed checks = 2350: Time to complete host scan = 647.36 (0:10:47)
163.406 (%25.242) sendmail_ident.nasl
163.162 (%25.204) traceroute.nasl
120.236 (%18.573) nessus_detect.nasl
106.080 (%16.387) ftp_backdoor.nasl
101.724 (%15.714) mozilla_nntp_heap_overflow.nasl
96.309 (%14.877) quote.nasl
74.986 (%11.583) eserv_dir_traversal.nasl
60.184 (%9.297) cfengine_authdiag.nasl
53.321 (%8.237) crlinux_file_reading.nasl
45.546 (%7.036) bnc_auth_bypass.nasl
45.315 (%7.000) ircd_ignition_ircop_vuln2.nasl
not showing remaining list... (only showing 10)

The script parses all the tests found in the nessusd.messages file which were executed (not skipped) and displays the results organized by target IP address. It also sorts and displays in descending order the vulnerability tests which consumed the most time. The parseNessusdMessages.pl takes a single argument which specifies how many vulnerability checks to display per IP address (i.e. in the above example, 10). Few notes:

This works best if you start with a empty nessusd.messages file. Run a nessus scan and after it is complete then you can run the script to generate the output like above.
The nessusd.messages file is not always located in the same spot. You may have to modify the path in the script (likely locations include /opt/nessus/var/nessus/logs/nessusd.messages or /usr/local/var/nessus/logs/nessusd.messages). By default, you need root permission to view the nessusd.messages file. I often just copy the nessusd.messages (using sudo) file to my homedir and change the path in the script to check "~/nessusd.messages".
The 1st column is the number of seconds the vulnerability test took followed by the percentage of overall time (i.e. how long it took to scan the target IP).

So, if you are in the business of tuning your Nessus scanner, then this script may provide you some value.

ClearNet Security: Tag scripts

Which vulnerability tests did Nessus run? How long did it take? Which tests take the most time?