How to build corporate security: an enterprise security vulnerability notification engine. Today most enterprises rely on vulnerability scanning plus vulnerability notices, and both have problems:
1. Scan cycles are long and the scanner's vulnerability library is not updated promptly; on top of that the scan report is full of noise, so what leaks out of it is close to "a pile of vulnerability information" of which little is really useful, and the operations staff on the customer (Party A) side spend an unusual amount of time and effort digging out what matters.
2. A security vendor's vulnerability notice is "notice only": which servers are actually affected is left for operations to work out themselves.
From these two pain points we combine the two approaches: collect the versions of all middleware, databases and other software currently running on the servers by whatever means are available, match each server to its operations owner's mailbox through the asset list, and finally fetch the latest vulnerability information and affected-version ranges from the bulletin sites of reliable security vendors. Whenever a "current version" falls within an "affected version" range, an e-mail alert goes out immediately.
0x01 Overall framework
The whole is divided into three parts: input, main engine and output.
1. Input section:
a) Version probe: scan each application server for its version; the scan covers the areas where a version is not easy to check and enter by hand.
b) Crawler: select several security vendors and crawl their vulnerability bulletin sites daily (or more often) for new vulnerabilities.
2. Main engine section:
a) Python: really easy to use
b) Database: build an "application-IP-version-administrator" table
c) Version comparison: decide whether there is a security issue by comparing the vulnerability's affected-version range with the current application version
d) Latest vulnerability alerts: a scheduled task runs (once a day or more often) to discover the newest security vulnerabilities automatically
3. Output section:
Using the "application-IP-version-administrator" mapping, each application's vulnerabilities are sent automatically to the responsible operations administrator, giving more precise automatic vulnerability notification and new-vulnerability early warning.
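The matching step described above (compare the current version with the affected range, alert when it falls inside) is the heart of the main engine, so here is a worked version of it. This is an added example, not code from the original article: the range notations it accepts ("A - B", "< B", "<= B", "= A" and so on) are an assumed normalisation of what the crawler would extract from a bulletin, and the inventory rows, bulletin titles and e-mail addresses are constructed sample data.

```python
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.1' or 'nginx/1.8.1 (Ubuntu)' into a comparable tuple (1, 8, 1).

    Comparing tuples of ints avoids the classic string-comparison bug where
    '1.9' sorts after '1.10'.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(current: str, affected_range: str) -> bool:
    """True when `current` lies inside `affected_range`.

    Supported (assumed) range notations: 'A - B' (inclusive), '< B', '<= B',
    '> A', '>= A', '= A'.
    """
    cur = parse_version(current)
    rng = affected_range.strip()
    m = re.match(r"^(\S+)\s*-\s*(\S+)$", rng)
    if m:
        lo, hi = parse_version(m.group(1)), parse_version(m.group(2))
        return lo <= cur <= hi
    m = re.match(r"^(<=|>=|<|>|=)\s*(\S+)$", rng)
    if m:
        op, bound = m.group(1), parse_version(m.group(2))
        return {"<": cur < bound, "<=": cur <= bound, ">": cur > bound,
                ">=": cur >= bound, "=": cur == bound}[op]
    raise ValueError("unrecognised affected range %r" % affected_range)


def find_alerts(inventory: List[Dict], bulletins: List[Dict]) -> List[Dict]:
    """Cross every inventory row with every bulletin for the same application
    and return one alert per (server, bulletin) hit, carrying the admin."""
    alerts = []
    for row in inventory:
        for b in bulletins:
            if row["app"].lower() != b["app"].lower():
                continue
            if is_affected(row["version"], b["affected"]):
                alerts.append({"admin": row["admin"], "ip": row["ip"],
                               "app": row["app"], "version": row["version"],
                               "bulletin": b["title"]})
    return alerts


# Constructed sample data (hypothetical servers and placeholder bulletins)
INVENTORY = [
    {"ip": "10.0.0.11", "app": "nginx", "version": "1.8.1", "admin": "alice@example.com"},
    {"ip": "10.0.0.12", "app": "nginx", "version": "1.11.6", "admin": "bob@example.com"},
    {"ip": "10.0.0.13", "app": "Microsoft-IIS", "version": "8.5", "admin": "carol@example.com"},
]
BULLETINS = [
    {"app": "nginx", "affected": "1.8.0 - 1.10.2", "title": "placeholder bulletin A"},
    {"app": "nginx", "affected": "< 1.11.5", "title": "placeholder bulletin B"},
    {"app": "Microsoft-IIS", "affected": "= 8.5", "title": "placeholder bulletin C"},
]

if __name__ == "__main__":
    for a in find_alerts(INVENTORY, BULLETINS):
        print("%(admin)s: %(ip)s %(app)s %(version)s -> %(bulletin)s" % a)
```

With the sample data, alice receives two alerts (1.8.1 sits inside both nginx ranges), bob none (1.11.6 is outside both) and carol one. The tuple comparison matters: a plain string comparison would wrongly report 1.9.x as newer than 1.10.x.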
0x02 Input section
There are many ways to scan versions automatically, such as Nessus or a vendor's vulnerability scanner. Because application versions change infrequently while new vulnerabilities appear frequently, a monthly scan is enough to obtain the application versions running on the detected servers with reasonable accuracy. We also need an "application-IP-version-administrator" mapping so that the latest vulnerability notices reach the person responsible for the relevant application.
2.1 Building the "application-IP-version" table (table named apps)
First locate where the "version information" lives. In the scanner's per-host Excel report, only the "return information" column of the "vulnerability information" sheet may contain version information, so read that specific sheet and column and use a regular expression to pull out strings such as [Microsoft-IIS/8.5].
Here pyexcel_xls is used; this module reads Excel sheet contents, as follows.
    import re
    from pyexcel_xls import get_data

    # Load one host report (.xls); get_data returns {sheet name: list of rows}
    # report_path is the path of the host report being processed
    xls_data = get_data(report_path)
    # Read out the vulnerability information sheet from excel
    vulList = xls_data[u'Vulnerability Information']
    # A set for de-duplication, storing the current IP's apps and versions
    currentIPApps = set()
    # Read from the second row (the first row is the header)
    for i in range(1, len(vulList), 1):
        # Take column 4 (vulnerability description) and column 14 (version information)
        #print vulList[i]
        name = vulList[i][3]
        try:
            version = vulList[i][13]
            if "/" in version:
                if ("[" in version) and ("]" in version):
                    version_tmp = re.findall(r"\[(\w+.*/\d+.*)\]", version)
                    if version_tmp:
                        currentIPApps.add(version_tmp[0])
        except (IndexError, TypeError):
            # Short rows or non-string cells carry no version column
            continue
After applying finer-grained regular expressions and excluding various odd content, the current version information is obtained, e.g. nginx 1.8.1, and stored in the database for later use.
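The "finer-grained regular expressions and exclusion of odd content" step is where most of the real work hides, so here is an added example (not the article's own code) that turns return-information cells into (application, version) pairs and de-duplicates them per host. The banner formats handled (a bracketed "[Microsoft-IIS / 8.5]", "Server:" and "X-Powered-By:" headers, a bare "nginx/1.8.1 (build)") and all sample rows are constructed; a real scanner report may need further patterns, and the row layout (description in column 4, return information in column 14) follows the page.

```python
import re
from typing import List, Optional, Set, Tuple

# "Server:" / "X-Powered-By:" prefixes that precede a banner in HTTP headers
_PREFIX = re.compile(r"^\s*(?:Server|X-Powered-By)\s*:\s*", re.IGNORECASE)
# product name, optional spaces, '/', optional spaces, dotted numeric version
_BANNER = re.compile(r"([A-Za-z][\w.-]*?)\s*/\s*(\d+(?:\.\d+)*)")


def extract_app_version(text: str) -> Optional[Tuple[str, str]]:
    """Pull (application, version) out of one 'return information' cell."""
    # Prefer bracketed content such as "[Microsoft-IIS / 8.5]" when present
    m = re.search(r"\[([^\]]*)\]", text)
    candidate = m.group(1) if m else text
    candidate = _PREFIX.sub("", candidate)
    m = _BANNER.search(candidate)
    if not m:
        return None  # e.g. "Content-Type: text/html": a slash but no numeric version
    return m.group(1), m.group(2)


def collect_ip_apps(ip: str, rows: List[list]) -> Set[Tuple[str, str, str]]:
    """Walk the 'vulnerability information' rows of one host report and return
    the de-duplicated set of (ip, app, version); column 14 (index 13) holds the
    return information."""
    found = set()
    for row in rows[1:]:  # skip the header row
        if len(row) <= 13:
            continue
        hit = extract_app_version(str(row[13]))
        if hit:
            found.add((ip, hit[0], hit[1]))
    return found


def _row(description: str, return_info: str) -> list:
    # Build a 14-column row with the description in column 4 and the
    # return information in column 14, mirroring the scanner's layout
    return [""] * 3 + [description] + [""] * 9 + [return_info]


# Constructed sample rows (not real scanner output)
SAMPLE_ROWS = [
    ["col1", "col2", "col3", "description"] + [""] * 9 + ["return information"],
    _row("HTTP banner disclosure", "[Microsoft-IIS / 8.5]"),
    _row("HTTP banner disclosure", "Server: nginx/1.8.1"),
    _row("HTTP banner disclosure", "nginx/1.8.1 (build)"),  # duplicate of the previous
    _row("HTTP methods", "Content-Type: text/html"),  # no version here
    _row("Scripting banner", "X-Powered-By: PHP/5.6.40"),
    _row("Empty cell", ""),
]

if __name__ == "__main__":
    for entry in sorted(collect_ip_apps("10.0.0.11", SAMPLE_ROWS)):
        print(entry)
```

The set collapses the two nginx rows into one entry, and cells that only contain a slash (MIME types, paths) are rejected because the pattern insists on a numeric version after the slash.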
Each scan generates a large number of host reports (as shown below).
So all files in the directory need to be traversed one by one:
    import os

    def GetFileList(dir, fileList):
        # Recursively collect every file path under dir into fileList
        newDir = dir
        if os.path.isfile(dir):
            # The original Python 2 code decoded GBK file names here; in Python 3
            # os.listdir already returns str, so the path is appended as-is
            fileList.append(dir)
        elif os.path.isdir(dir):
            for s in os.listdir(dir):
                # If you need to ignore some folders, use the following code
                # if s == "xxx":
                #     continue
                newDir = os.path.join(dir, s)
                GetFileList(newDir, fileList)
        return fileList
So through directory traversal plus Excel traversal, the application-IP-version mapping is obtained.
2.2 Completing the "application-IP-version-administrator" table
The table above is not enough: even when a vulnerability notice exists, it cannot be routed to a person automatically, which makes it empty talk. So the IP-administrator mapping must be added.
For this we need the information-system asset list, which should contain at least "IP-administrator" (below).
Then, using the IP address from each scan result in the directory as the query key, look it up in the asset table and write the administrator's name into the corresponding row of the apps table. The finished result is shown below; with that, the asset input part is complete.
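The join described above, as an added example rather than the article's own code: the apps table and the asset list live in an in-memory SQLite database, the administrator is copied into every apps row with a matching IP, and the result is regrouped by administrator e-mail, which is the shape the output section needs. All rows, names and addresses are constructed sample data; the check for scanned IPs that are missing from the asset list is an addition, because such a row would otherwise silently notify nobody.

```python
import sqlite3
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data (not the article's real tables)
APPS_ROWS = [  # (ip, app, version) collected from the scan reports
    ("10.0.0.11", "nginx", "1.8.1"),
    ("10.0.0.11", "PHP", "5.6.40"),
    ("10.0.0.13", "Microsoft-IIS", "8.5"),
    ("10.0.0.99", "Tomcat", "7.0.52"),  # deliberately absent from the asset list
]
ASSET_ROWS = [  # (ip, admin, email) from the asset list
    ("10.0.0.11", "alice", "alice@example.com"),
    ("10.0.0.13", "carol", "carol@example.com"),
]


def build_tables(conn: sqlite3.Connection) -> None:
    """Create the apps table (admin column still empty) and the asset table."""
    conn.execute("CREATE TABLE apps (ip TEXT, app TEXT, version TEXT, admin TEXT)")
    conn.execute("CREATE TABLE assets (ip TEXT PRIMARY KEY, admin TEXT, email TEXT)")
    conn.executemany("INSERT INTO apps (ip, app, version) VALUES (?, ?, ?)", APPS_ROWS)
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", ASSET_ROWS)
    conn.commit()


def fill_admins(conn: sqlite3.Connection) -> int:
    """Copy the administrator from the asset list into every apps row with the
    same IP; returns how many rows were filled."""
    cur = conn.execute(
        "UPDATE apps SET admin = (SELECT assets.admin FROM assets WHERE assets.ip = apps.ip) "
        "WHERE admin IS NULL AND ip IN (SELECT ip FROM assets)")
    conn.commit()
    return cur.rowcount


def unmapped_ips(conn: sqlite3.Connection) -> List[str]:
    """IPs seen by the scanner but absent from the asset list: a notice for
    these would reach nobody, so they are worth reporting separately."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT ip FROM apps WHERE admin IS NULL ORDER BY ip")]


def notifications_by_admin(conn: sqlite3.Connection) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (ip, app, version) rows by the responsible administrator's e-mail."""
    grouped = defaultdict(list)
    for ip, app, version, email in conn.execute(
            "SELECT a.ip, a.app, a.version, s.email FROM apps a "
            "JOIN assets s ON s.ip = a.ip ORDER BY s.email, a.ip, a.app"):
        grouped[email].append((ip, app, version))
    return dict(grouped)


def build_demo() -> sqlite3.Connection:
    """Fresh in-memory database holding the sample apps and asset tables."""
    conn = sqlite3.connect(":memory:")
    build_tables(conn)
    return conn


if __name__ == "__main__":
    conn = build_demo()
    print("rows filled:", fill_admins(conn))
    print("IPs without an owner:", unmapped_ips(conn))
    for email, rows in notifications_by_admin(conn).items():
        print(email, rows)
```

Keeping the asset list as its own table (rather than pasting names into apps by hand) means a later re-scan only has to re-run the UPDATE, and the unmapped-IP query doubles as a check on the asset list's completeness.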
2.3 Vulnerability bulletin site crawler
Purpose of the crawler: fetch the vulnerability information and affected range for every application name.
Example crawler: a crawler for the NSFOCUS (Green League) vulnerability bulletins