82 lines (68 loc) · 4.65 KB

transcoder.rst
This is a transcoder that reads OpenVAS XML reports and produces EDXML containing OpenVAS findings, OpenVAS scans, OpenVAS test failures, OpenVAS test listings, detected applications, detected open port listings, detected operating systems, discovered SSL certificates and discovered router listings.

The transcoder enables automatic correlation of:

  • OpenVAS scans to computers (using OpenVAS scans)
  • OpenVAS findings to computers (using OpenVAS findings)
  • OpenVAS findings to OpenVAS scans (using OpenVAS findings)
  • Certificates to organizations (using discovered SSL certificates)
  • Certificates to computers (using discovered SSL certificates)

The transcoder enhances concept mining by expanding knowledge about:

OpenVAS findings: Discovering new HTTP resource locators, OpenVAS detection plugin IDs, QoD types, QoD values, impact descriptions, issue details, plugin families, plugin names, solution types, threat levels and vulnerability severities
OpenVAS scans: Discovering new OpenVAS scan IDs, finding counts, scan names and scanned host counts
Certificates: Discovering new "valid from" timestamps, "valid until" timestamps, Common Names, DNS names, Distinguished Names, certificate fingerprints and wildcard host names
Computers: Discovering new CPE URIs, DNS names, IPv4 addresses, IPv6 addresses, TCP/IP network ports and open TCP/IP ports
Organizations: Discovering new Common Names, DNS names, Distinguished Names, cities, country codes, e-mail addresses, organization names, regions and unit names
Vulnerabilities: Discovering new BID numbers, CVE numbers, CVSS base scores, CVSS base vectors and vulnerability severities

The transcoder identifies:

  • OpenVAS findings as vulnerabilities (using OpenVAS findings)
  • computers as network routers
  • computers as vulnerability scanners

The transcoder provides names for Distinguished Names and OIDs.

The transcoder identifies cities as being part of a region, plugin names as being part of a plugin family, regions as being part of a country code and unit names as being part of an organization name.
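To make the description above concrete, the following is an added example (it is not code from the transcoder project) that flattens an OpenVAS XML report into the record kinds described on this page: the scan, its findings with their NVT OID, plugin name and family, threat level, severity, CVSS vector, QoD value and type, CVE and BID references, the test failures from the report's error section, and the finding-to-computer correlation by IPv4 address with the DNS names and open ports found per host. It assumes the report layout produced by recent GVM/OpenVAS versions (a `<report>` holding `<results>`, each `<result>` carrying `<host>`, `<port>`, `<nvt>`, `<threat>`, `<severity>` and `<qod>`, with pipe-separated key=value pairs in `<nvt><tags>`, and an `<errors>` section); the sample report, and every UUID, OID, CVE, BID and host in it, is constructed for the example. The actual EDXML emission step is left out.

```python
"""Flatten an OpenVAS / GVM XML report into the record kinds the transcoder emits.

Assumed layout (typical GVM reports): <report> > <results> > <result> with <host>, <port>,
<nvt>, <threat>, <severity>, <qod> children, pipe-separated key=value pairs in <nvt><tags>,
and an <errors> section for NVTs that failed to run.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for reports from untrusted sources
from typing import Dict, List, Optional

# Constructed sample: every UUID, OID, CVE, BID and host below is a placeholder, not a real finding.
SAMPLE_REPORT = """\
<report id="11111111-2222-3333-4444-555555555555">
  <task><name>Constructed weekly scan</name></task>
  <hosts><count>2</count></hosts>
  <results>
    <result id="aaaaaaaa-0000-0000-0000-000000000001">
      <host>10.0.0.5<hostname>web01.example.test</hostname></host><port>443/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000000">
        <name>Placeholder TLS check</name><family>SSL and TLS</family><cvss_base>5.3</cvss_base>
        <tags>cvss_base_vector=AV:N/AC:L/Au:N/C:P/I:N/A:N|solution_type=VendorFix|insight=Constructed insight</tags>
        <refs><ref type="cve" id="CVE-0000-0000"/><ref type="bid" id="0"/></refs>
      </nvt>
      <threat>Medium</threat><severity>5.3</severity><qod><value>80</value><type>remote_banner</type></qod>
    </result>
    <result id="aaaaaaaa-0000-0000-0000-000000000002">
      <host>10.0.0.9<hostname>db01.example.test</hostname></host><port>general/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000001">
        <name>Placeholder host info</name><family>Service detection</family><cvss_base>0.0</cvss_base>
        <tags>cvss_base_vector=AV:N/AC:L/Au:N/C:N/I:N/A:N|solution_type=</tags><refs/>
      </nvt>
      <threat>Log</threat><severity>0.0</severity><qod><value>97</value><type>remote_app</type></qod>
    </result>
  </results>
  <errors>
    <error><host>10.0.0.9</host><port>general/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>Placeholder timeout check</name></nvt>
      <description>NVT timed out.</description></error>
  </errors>
</report>
"""

def parse_tags(tags: str) -> Dict[str, Optional[str]]:
    """Split the pipe-separated key=value string from <nvt><tags>; empty values become None."""
    out: Dict[str, Optional[str]] = {}
    for item in tags.split("|"):
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip()] = value.strip() or None
    return out

def _text(parent: ET.Element, path: str) -> str:
    """Stripped text of the first child matching path, or '' when absent."""
    el = parent.find(path)
    return (el.text or "").strip() if el is not None else ""

def parse_report(xml_text: str) -> dict:
    """Return the scan, its findings and its test failures as plain dicts."""
    root = ET.fromstring(xml_text)
    inner = root.find("report")  # GMP exports wrap the report in an outer <report>
    root = inner if inner is not None else root
    findings = []
    for res in root.iter("result"):
        nvt = res.find("nvt")
        if nvt is None:
            continue
        tags = parse_tags(_text(nvt, "tags"))
        refs = [(r.get("type"), r.get("id")) for r in nvt.iter("ref")]
        findings.append({
            "result_id": res.get("id"), "ipv4": _text(res, "host"),
            "dns_name": _text(res, "host/hostname") or None, "port": _text(res, "port"),
            "nvt_oid": nvt.get("oid"), "plugin_name": _text(nvt, "name"),
            "plugin_family": _text(nvt, "family"), "threat": _text(res, "threat"),
            "severity": float(_text(res, "severity") or 0),
            "cvss_base": float(_text(nvt, "cvss_base") or 0),
            "cvss_vector": tags.get("cvss_base_vector"), "solution_type": tags.get("solution_type"),
            "qod_value": int(_text(res, "qod/value") or 0), "qod_type": _text(res, "qod/type"),
            "cves": [i for t, i in refs if t == "cve"], "bids": [i for t, i in refs if t == "bid"],
        })
    errors = []
    for err in root.iter("error"):
        nvt = err.find("nvt")  # an Element with no children is falsy, so test for None explicitly
        errors.append({"host": _text(err, "host"), "port": _text(err, "port"),
                       "nvt_oid": nvt.get("oid") if nvt is not None else None,
                       "message": _text(err, "description")})
    return {"scan_id": root.get("id"), "name": _text(root, "task/name"),
            "host_count": int(_text(root, "hosts/count") or 0),
            "findings": findings, "errors": errors}

def computers(scan: dict) -> Dict[str, Dict[str, List[str]]]:
    """Correlate findings to computers by IPv4 address, collecting DNS names and open ports.
    'general/tcp' is OpenVAS's host-level pseudo-port and is not recorded as an open port."""
    hosts: Dict[str, Dict[str, List[str]]] = {}
    for f in scan["findings"]:
        entry = hosts.setdefault(f["ipv4"], {"dns_names": [], "open_ports": []})
        if f["dns_name"] and f["dns_name"] not in entry["dns_names"]:
            entry["dns_names"].append(f["dns_name"])
        if not f["port"].startswith("general/") and f["port"] not in entry["open_ports"]:
            entry["open_ports"].append(f["port"])
    return hosts
```

Call `parse_report(SAMPLE_REPORT)` and pass the result to `computers()` to see the flattened findings and the per-host correlation; a `Log`-level result on `general/tcp` contributes the host and its DNS name but no open port, which is why the second sample host ends up with an empty port list. The `<tags>` string is where OpenVAS keeps the CVSS base vector, solution type, insight and impact text, so `parse_tags()` is what recovers most of the "issue detail" and "impact description" object types listed further down.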

The output can be auto-correlated with third party data sources that share any of the concepts and object types generated by this transcoder. These are listed below.

Concepts

  • document.deed.certificate.pk-certificate (certificate)
  • entity.abstraction.attribute.state.condition.danger.vulnerability (vulnerability)
  • entity.abstraction.group.social-group.organization (organization)
  • entity.abstraction.psychological-feature.event.act.activity.work.investigation.examination.scan.openvas-scan (OpenVAS scan)
  • entity.abstraction.psychological-feature.event.act.discovery.finding.openvas-finding (OpenVAS finding)
  • entity.physical-entity.object.whole.artifact.instrumentality.device.machine.computer (computer)
  • entity.physical-entity.object.whole.artifact.instrumentality.device.machine.computer.router (network router)
  • entity.physical-entity.object.whole.artifact.instrumentality.device.machine.computer.vulnerability-scanner (vulnerability scanner)

Object Types

  • computing.cpe.uri (CPE URI)
  • computing.crypto.certificate.cn (Common Name)
  • computing.crypto.certificate.dn (Distinguished Name)
  • computing.crypto.certificate.fingerprint.sha1 (certificate fingerprint)
  • computing.email.address (e-mail address)
  • computing.identifier.oid (OID)
  • computing.identifier.uuid (UUID)
  • computing.networking.host.dns-name (DNS name)
  • computing.networking.host.dns-name.wildcard (wildcard host name)
  • computing.networking.host.ipv4 (IPv4 address)
  • computing.networking.host.ipv6 (IPv6 address)
  • computing.networking.host.port (TCP/IP network port)
  • computing.networking.http.resource (HTTP resource locator)
  • computing.security.cvss.score (CVSS base score)
  • computing.security.cvss.vector (CVSS base vector)
  • computing.security.vulnerability.bid (BID number)
  • computing.security.vulnerability.cve (CVE number)
  • count.big (count)
  • datetime (time stamp)
  • geo.location.city.name (city)
  • geo.location.country.iso3166-1-alpha2 (country code)
  • geo.location.region.name (region)
  • org.openvas.error-message (error message)
  • org.openvas.nvt.family (plugin family)
  • org.openvas.nvt.name (plugin name)
  • org.openvas.result.detection.quality (QoD value)
  • org.openvas.result.detection.type (QoD type)
  • org.openvas.result.impact (impact description)
  • org.openvas.result.insight (issue detail)
  • org.openvas.result.severity (vulnerability severity)
  • org.openvas.result.solution-type (solution type)
  • org.openvas.result.threat (threat level)
  • org.openvas.scan.name (scan name)
  • organization.name (organization name)
  • organization.unit.name (unit name)