How to Read a Nessus Report
A Nessus vulnerability scan report can be delivered in these formats:
- HTML (default)
- PDF
- CSV (used in spreadsheets, databases)
The HTML and PDF formats appear very similar, and can contain multiple chapters:
- Hosts Summary
- Vulnerabilities by Host
- Vulnerabilities by Plugin
When you receive a report that you have requested, the first page of interest is the Table of Contents. This is the first page of an HTML report, or the second page of a PDF report. This document will use examples from an HTML report.
The second and third chapters present the same findings in two different orders. They are effectively duplicates when just one device is scanned (as in this example), but the two views become useful when a set of devices is scanned.
What's a Plugin?
A plugin is analogous to the virus definitions that are added and updated regularly in a virus protection program on a personal computer. The difference is that a plugin is an active check: it sends a particular input to an open port on the target (or examines data already gathered from it) and describes what response a vulnerable system would return. A match means a weakness may exist that an attacker could use. It does not mean that an attack has taken place. A system administrator would need to investigate further to find evidence of an actual breach.
Hosts Summary
Click on an IP address listed under the Hosts Summary. The display shows the risk level associated with each scanner plugin that produced a result for that host, with a legend at the top explaining the color assignments. In the example there were 4 medium-risk and 1 low-risk vulnerabilities found. In addition, 16 plugins reported information (risk level None) that a system administrator will be interested in but that is not by itself a vulnerability. Each plugin ID is a link that leads to that plugin's definition on the Tenable Nessus website.
As the title of the section suggests, this is only a summary; the detail is in the next two sections.
Vulnerabilities by Host
Click on an IP address listed under Vulnerabilities by Host. The information about that host will be displayed in two sections. The top section has information about that particular host, including the time the scan was performed on that specific host. The second section is a list of the plugins, organized by the port used for the scan activities. Findings that are not tied to a specific port (operating-system checks, scan metadata and the like) are listed under port 0/TCP.
Each of the plugin names can be clicked to expand the display and view in-depth information related to that plugin. Information shown includes a synopsis of the plugin's purpose, a description of what actions are performed (sometimes including links to additional generic information), the risk factor, the plugin's publication and modification dates, an enumeration of the ports involved (if applicable) and the results or conclusions drawn from the plugin's output on that specific device. Particularly important in cases where a vulnerability exists is the Solution, which states the remediation (typically a patch, an upgrade or a configuration change).
Vulnerabilities By Plugin
This is a re-ordering of the same results presented in the Vulnerabilities by Host section. If you have scanned a large set of hosts and are interested in a specific result across the set, click on the plugin name. The information displayed is almost the same as that in the by Host section, but it includes a list of the hosts to which the finding applies and the results associated with each, so one Solution can be applied to every affected host at once.
CSV
This is “comma separated values”. Each line is one finding: the result of one plugin on one host and port, with columns such as Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis, Description, Solution, See Also and Plugin Output (the exact column set depends on the Nessus version). It isn't particularly human-readable, but it is the easiest format to filter, sort and load into a spreadsheet or database, and it is available by request.
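The following script is an added example, not part of the original page and not Tenable's code. It reads a Nessus CSV export and rebuilds the two orderings the HTML report offers (by host with port 0 for general findings, and by plugin with the list of affected hosts), filtering out the informational rows. It assumes the default column layout shown above; the rows, hosts and plugin IDs are constructed placeholders, not real Tenable plugin IDs.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the default Nessus CSV column layout. Header names vary
# slightly between Nessus versions, the hosts are from the RFC 5737 documentation
# range, and the plugin IDs are placeholders rather than real Tenable plugin IDs.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
100001,,,None,192.0.2.10,tcp,0,Scan Information,Scan metadata.,Records the scanner settings used.,n/a,,"Scan duration : 120 sec"
100002,,5.0,Medium,192.0.2.10,tcp,443,Weak TLS Cipher Suites Accepted,The service accepts weak ciphers.,The remote service accepts medium-strength cipher suites.,Reconfigure the service to disable them.,,"Medium Strength Ciphers (> 64-bit and < 112-bit key)
  DES-CBC3-SHA  Kx=RSA  Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1"
100003,,2.6,Low,192.0.2.10,tcp,22,SSH Weak MAC Algorithms Enabled,The SSH server allows weak MACs.,The remote SSH server is configured to allow MD5 or 96-bit MAC algorithms.,Disable the weak MAC algorithms.,,"hmac-md5"
100004,,5.0,Medium,192.0.2.10,tcp,0,Unsupported Operating System Version,The OS is no longer supported.,The remote host runs an operating system version that no longer receives security updates.,Upgrade to a supported version.,,
100002,,5.0,Medium,192.0.2.11,tcp,443,Weak TLS Cipher Suites Accepted,The service accepts weak ciphers.,The remote service accepts medium-strength cipher suites.,Reconfigure the service to disable them.,,"DES-CBC3-SHA"
100001,,,None,192.0.2.11,tcp,0,Scan Information,Scan metadata.,Records the scanner settings used.,n/a,,"Scan duration : 95 sec"
"""

# Nessus risk factors, most severe first; "None" marks informational plugins.
RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def parse_nessus_csv(text):
    """Return one dict per row; a row is one plugin result on one host and port.

    The csv module handles the multi-line, quoted Plugin Output fields."""
    return list(csv.DictReader(io.StringIO(text)))


def severity_counts(rows, host):
    """Tally findings per risk level for one host, like the Hosts Summary line."""
    return Counter(r["Risk"] for r in rows if r["Host"] == host)


def vulnerabilities_by_host(rows, include_info=False):
    """Host -> findings sorted by port, then by descending risk.

    Mirrors the "Vulnerabilities by Host" chapter: port 0 collects the general
    (non-port) plugins, and informational rows are dropped unless requested."""
    grouped = defaultdict(list)
    for r in rows:
        if include_info or r["Risk"] != "None":
            grouped[r["Host"]].append(r)
    for findings in grouped.values():
        findings.sort(key=lambda r: (int(r["Port"]),
                                     -RISK_ORDER.get(r["Risk"], 0),
                                     r["Plugin ID"]))
    return dict(grouped)


def vulnerabilities_by_plugin(rows, include_info=False):
    """Plugin ID -> {risk, name, solution, hosts}: the "by Plugin" reordering.

    Useful when one Solution applies to many hosts."""
    grouped = {}
    for r in rows:
        if not include_info and r["Risk"] == "None":
            continue
        entry = grouped.setdefault(r["Plugin ID"], {
            "risk": r["Risk"], "name": r["Name"],
            "solution": r["Solution"], "hosts": set()})
        entry["hosts"].add(r["Host"])
    for entry in grouped.values():
        entry["hosts"] = sorted(entry["hosts"])
    return grouped


if __name__ == "__main__":
    rows = parse_nessus_csv(SAMPLE_CSV)
    for host, findings in sorted(vulnerabilities_by_host(rows).items()):
        print(f"{host}: {dict(severity_counts(rows, host))}")
        for r in findings:
            print(f"  {r['Port']}/{r['Protocol']}  {r['Risk']:<7}"
                  f" {r['Plugin ID']}  {r['Name']}")
    print()
    for pid, entry in sorted(vulnerabilities_by_plugin(rows).items()):
        print(f"{pid} {entry['risk']} {entry['name']}: {', '.join(entry['hosts'])}"
              f"  -> {entry['solution']}")
```

Replace SAMPLE_CSV with the contents of a real export (open the file with newline='' so embedded newlines in Plugin Output survive) and the by-plugin view gives you one remediation line per finding with every host it applies to.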
Information on all the plugins can be read on the Tenable Nessus website (each plugin ID in the report links to its page). Many of the other pages on that site are aimed at the administrator of a Nessus installation rather than at a system administrator who wants to use a vulnerability scan to improve security on the machines in their charge. Terms such as “CVE” (Common Vulnerabilities and Exposures, a public identifier for one specific vulnerability) and “Bugtraq” (a SecurityFocus Bugtraq ID, another vulnerability identifier) that show up in scan reports are well documented; a web search on the identifier itself is often the quickest way to reach the original advisory.