Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Populating Assets with Nessus

Created: 07 Jan 2009 • Updated: 22 May 2010 | 5 comments

Hi,

 

i"m trying to populate the assets table using the Nessus scanner. The agent is installed on the server running Nessus (the scan engine as well as the client) and events show up on the SSIM. I have activated the auto populate checkbox for the networks I scan and activated the rule to create assets from the scans.

 

My remaining problem is that each time the asset table entry of the machine running the agent is updated with the services found in the scan instead of creating a new asset object.

 

Does someone have a clue what is going wrong?

 

Any tips are highly welcome

 

Christian 

Comments 5 CommentsJump to latest comment

Laurent_c's picture

Hi,

 

I think this is normal behaviour, each time a nessus scan is imported it will overwrite your asset. If you don't want a specific asset to be overwritten you can use the lock on it. (see the padlock icon)

 

Hope this was your issue?

 

Laurent

Message Edited by Laurent_c on 01-07-2009 08:42 AM
ChristianHutter's picture

Hi Laurent, 

 

thanks for replying. I agree that a new nessus scan should update the asset information, but thats not my problem.

 

Let my try to explain again. Lets say I run the agent which collects and sends the nessus scan results on machine A and submit the scan of machine B. Now instead of creating a new asset for machine B the asset entry representing machine A is updated. If I have a look on the events created from the nessus scan this is logical as the event has the source address of machine A. Still this is not the behavior i would expect when submitting info for machine B  

MegL's picture

This is probably because it can't resolve the IP address properly.  We have a new Nessus collector coming into Beta testing this month which helps address this issue.  Please contact your Symantec representative about becoming a beta tester.

ChristianHutter's picture

Ok I will do that. 

 

Thank you

 

 Christian 

PSINVA's picture

What's Nessus client are you using to produce the NBE formated report required by the SSIM Collector?  I've recently discovered 2 issues with the NessusWX client for Windows.
1) The exported NBE report does not format the events in NBE format
2) The "host_start" and "host_stop" do not exist in the resulting report

Issue #1 will cause the problem you are discribing where the asset being populated will be the machine IP of the collector instead of the scanned host

Issue #2 will cause the vulnerability list for an asset to be continually appended to instead of being cleared between scans.

If you are using the NessusWX client for windows, I recommend switching to the new Nessus Windows Client.  If you download Nessus 3.2.1.1 for Windows from Nessus.org, it contains the Nessus Windwos Client.  Just uncheck the Nessus scanner during the install if you only want the Windows client.