Seccubus

Easy Automated vulnerability scanning and reporting

Seccubus effectively reduces the analysis time for subsequent scans of the same infrastructure by only reporting delta findings.

Why?

Anyone who has ever used Nessus or OpenVAS will be familiar with one of their biggest drawbacks. They a very valuable tools, but unfortunately it is also very noisy. The time needed to report on the findings of a scan will often be two or three times the time needed to do the actual scan. Seccubus was created in order to more effectively analyze the results of regular vulnerability scans of the same infrastructure.

How does it work?

Seccubus runs vulnerability scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI when findings can be easily marked as either real findings or non-issues. Non issues get ignored until they change. This causes a dramatically reduction a analysis time.

This post will describe step by step how to configure Skipfish for Seccubus.

You can grab the latest release of Skipfish here:

https://code.google.com/p/skipfish/downloads/list

Before you compile the Skipfish src we need to edit 2 files so Skipfish can be used in Seccubus.
In my current setup the Seccubus files are located in /opt/seccubus and I’m going to install the Skipfish in the /opt

Edit the Skipfish config file located in the src/config.h of Skipfish and add the full path where you want use the Skipfish:

/* Default paths to runtime files: */

#define ASSETS_DIR                             “/opt/skipfish/assets”
#define DEF_WORDLIST                        “/opt/skipfish/skipfish.wl”

/* Default signature file */
#define SIG_FILE                                   “/opt/skipfish/signatures/signatures.conf”

Now make the Skipfish installation and when it’s compiled copy the skipfish dir to /opt
The last file we need to edit is the /opt/skipfish/signatures/signatures.conf and add the path prefix:

#############################################
##
## Master signature file.
### The mime signatures warn about server responses that have an interesting
# mime. For example anything that is presented as php-source will likely
# be interesting
include /opt/skipfish/signatures/mime.sigs

# The files signature will use the content to determine if a response
# is an interesting file. For example, a SVN file.
include /opt/skipfish/signatures/files.sigs

# The messages signatures look for interesting server messages. Most
# are based on errors, such as caused by incorrect SQL queries or PHP
# execution failures.
include /opt/skipfish/signatures/messages.sigs

# The apps signatures will help to find pages and applications who’s
# functionality is a security risk by default. For example, phpinfo()
# pages that leak information or CMS admin interfaces.
include /opt/skipfish/signatures/apps.sigs

# Context signatures are linked to injection tests. They look for strings
# that are relevant to the current injection test and help to highlight
# potential vulnerabilities.
include /opt/skipfish/signatures/context.sigs

Skipfish is now installed and ready to use in Seccubus.

It appears that in the last release there was a small hiccup with the severity rating and is now fixed.
This version has one new big feature, it implements the Skipfish Web-application scanner.

21-01-2014 – 2.5 – Scanner addon Skipfish
============================================
You can download the latest version from GitHub

Key new features
———————————-
Added Skipfish Web-application scanner to Seccubus scanner tools

Bugs fixed (tickets closed):
—————————-
#94 – Fix severity number

It appears that in my last release I broken Seccubus in a horrible way. When you updated a finding, the screen wasn’t automatically updated anymore.

This version has one feature, it restores the functionality that I broken.

 

I’m sorry, here are some ‘kroketten’ to make up for it… ;)

The case of the missing kroket, a CC SA image by Photocapy

You can download the latest version from GitHub

Release notes:

19-12-20134 - 2.4 - Screen updates, restored
============================================

Key new features / issues resolved
----------------------------------
A bug that broke the automatic updating of the GUI mast fixed

Bugs fixed (tickets closed):
----------------------------
#97 - Screen refresh doesn't work anywhere (basically)

Just after the performance release of version 2.2 we bring you Seccubus version 2.3 which improves on v2.2 in three important ways.

  • Version 2.2 introduced some bugs in the sorting of host fields and these bug have been removed
  • Version 2.x had a database connection stability issue which is fixes
  • Version 2.3 allows you to run Nmap and Nikto scans on remote hosts in addition to the local host

You can download the release from GitHub.

Here are the release notes:

19-10-2013 - 2.3 - Improved stability, Nmap and Nikto on remote hosts
=====================================================================

Key new features / issues resolved
----------------------------------
Seccubus now checks the state of the DBI handle before performing queries
Improved handling of Nessus 5.2 file format
Fixed some issues related to the new backend filters

Bugs fixed (tickets closed):
----------------------------
* #62 - Would like to be able to run Nmap/Nikto/SSLyze scans on a remote host
* #84 - Nessus critical findings got severity 0
* #87 - Hostname ordering was weird because of wildards for hostnames
* #88 - '*' is not selected in filters when no filter is given
* #89 - Scans fail to import due to database timeouts
* #90 - Hostnames are not sorted in filters, IP addresses are
* OBS build script now echos link to OBS project

I’m proud to announce the release of Seccubus 2.2 which fixes issue with Nessus 5.2.1 and later, unicode in .nessus files and brings a major performance increase.

This release can be downloaded from Github

Release notes:

15-10-2013 - 2.2 - Nessus 5.2.1, unicode and performance
========================================================

Key new features / issues resolved
----------------------------------
* Major performance increase by moving processing of sttus buttons and filters to backend
* Resolved an issue that cause incomptibility with Nessus API version 5.2.1 (Thanks Trelor)
* Resolved an issue around encoding of Unicode chracters in Nessus output
* Added shell script to execute crontab job only on a certain day
* Added shell script to execute crontab job only on a weeknumber that can be devided by a certain number
* Correct application of Apache license is now part of the unit tests
* Resolved some caching issues with IE

Bugs fixed (tickets closed):
----------------------------
* Issue #48 - Filters need to be processed in backend, not front end
* Issue #50 - Notification table not displayed on edit scan
* Issue #56 - IVIL conversion shell call needs qoutes around filename
* Issue #64 - New scan dialog shows 'new workspace' in title
* Issue #65 - Each CGI response header now invalidates caching
* Issue #66 - Username field too small
* Issue #72 - Apache license isn't applied correctly
* Issue #75 - Typo: datatbase in ConfigTest.pl
* Issue #77 - Seccubus incompatible with Nessus API 5.2.1
* Issue #78 - Unicode in nessus file breaks ivil import
* Issue #86 - getFilters API
* Updated dependancies in RPM

Today we release Seccubus 2.1 a bugfix release for the 2.0 version of Seccubus.

You can download it here

Release notes:

 

02-02-2012 - 2.1 - Bugfix release
=================================

Key new features / issues resolved
----------------------------------
* Bugfixes

Bigs fixed (tickets closed):
----------------------------
* Issue #50 & #51 - Scan notifications are not listed and cannot be editted
* Issue #52 - When running do-can with nmap as user seccubus with --sudo, chown on tmp files fails.
* Issue #53 - Broken path in debian package
* Issue #55 - Notifications table creates double header in certain cases

Seccubus V2 works with the following scanners:
* Nessus 4.x and 5.x (professional and home feed)
* OpenVAS
* Nikto
* NMap
* SSLyze

For more information visit www.seccubus.com

22-01-2012 - 2.0 - The Alt-S version
====================================

Key new features / issues resolved
----------------------------------

* Email notifications when a scan starts and a scan ends
* Scan create and edit dialog now display default parameters
* do-scan now has a --no-delete option to preserve temporary files
* SSLyze support

Bigs fixed (tickets closed):
----------------------------
* Issue #9 - Missing Hosts File in Nmap Scan
* Issue #14 - Permit --nodelete option on do-scan
* Issue #26 - Update installation instructions
* Issue #27 - Email Reporting
* Issue #32 - RPM: Files in /opt/Seccubus/www/seccubus/json have no exec permissions
* Issue #33 - User permission issues not reported correctly
* Issue #34 - $HOSTS vs @HOSTS confusion
* Issue #35 - -p vs --pw (OpenVAS)
* Issue #39 - SeccubusScans exports uninitilized VERSION
* Issue #42 - Nessus help (and scan?) not consistent with regards to the use of -p
* Issue #43 - Sudo option missing from NMAP scanner help (web)

 

Alt-S logo

On Tuesday the 22nd of January we plan to release the first non-alpha, non-beta version of Seccubus with the appropriate version number 2.0 on the Alt-S conference in The Hague

The participants to my workshop will be among the first to use this new version.

Highlights:

 

 

  • Email notifications when a scan starts and a scan ends
  • Scan create and edit dialog now display default parameters

 

 

This release will also signify the end-of-life of the Seccubus 1.x branch.

 

11-10-2012 - 2.0.beta6 - The final Beta
=======================================

New features / Issues resolved
------------------------------
* Sourcecode repository is now  GitHub (https://github.com/schubergphilis/Seccubus_v2/issues/6) in stead of  SourceForge
* Build is now automated using a Jenkins server at Schuberg Philis including
  the creation of RPMs and Debian packages via OpenSuse build services
* Fixed a few bugs

Bigs fixed (tickets closed):
----------------------------
* #7  - Import error on scan results from OpenVAS 3.0.1
* #7  - Error converting OpenVAS .nbe to IVIL
* #11 - ConfigTest is more verbose when it fails due to a missing config file
* #12 - Installation error with tarball
* #15 - Ungroup Compliance Scans
* #16 - More gracefull error handling when Nikto doesn't find a config
* #17 - File ~/scanners/Nikto/scan has no execute permission
* ##  - Fixed a broken symlink in the development environment
* #23 - Nessus xmlRPC port can now be selected
* #25 - Fixed tarball installation error
* #29 - JMVC framework updated to version 3.2.2

The last few days I’ve moved the Seccubus sources, binary downloads and open tickets from SourceForge to GitHub.

Seccubs can Now be found here (and v1 here)

Why?

There are three reasons why I moved to GitHub:

 

How?

The migration wasn’t too bad. For the source code migration I used the git2svn tool and this guide. For the Trac tickets I decided to do a manual migration.

What’s next?

Business as usual.

 

Copyright © 2009 Schuberg Philis.

All Rights Reserved.