.notus files

I see the guide for creating NASL scripts for NVTs here, but have not been able to find any documentation for the format or creation of “.notus” files. Could you please provide a link to any documentation that would be helpful?

Thanks,
Scott

Hi,

I am not aware of any public documentation about the notus files. They are generated automatically by a pipeline from various sources. But just take a look at the files. The JSON is easy to understand.

@bricks Thanks.

I was doing that, then noticed the notus-scanner readme.md refers to the “.notus format” as “open and part of the documentation”. I looked through all of the documentation I could find with no luck, and thought I would ask.

@bricks
So I managed to create all the right files in /var/lib/notus/products & /var/lib/notus/advisories (or at least I thought I had). After some trial and error in the initial fields with OS version names, product name, etc … I went from:

No advisories for OS-release ....

To:

2024-04-15 20:41:18,641 notus-scanner: INFO: (notus.scanner.scanner) Start to identify vulnerable packages for 172.19.0.2 (None)
2024-04-15 20:41:18,648 notus-scanner: INFO: (notus.scanner.scanner) Total number of vulnerable packages -> 96

When I saw this in the logs, I started to celebrate!!

But then I looked in the report in GSA, and there is nothing about the vulnerable packages in the report?

Is there another piece I’m missing?

Thanks,
Scott

BTW … Scan of a “REALLY” old Debian image, the logs from notus look the same, and the vulnerable packages are in the report. I think this confirms that mosquitto and the rest of the general config are working, so I must be missing something in my .notus files.

Thanks,
Scott

OK … So the initial problem was formatting. I had some bad characters in some descriptions.
Now, the results are showing up in the scan, but the only information from the advisory that is showing up is the CVSS scores. The details/insight/title/summary etc … do not show up in the report. I suspected this might be because those OIDs need to be imported into the database. So I triggered a feed sync to trigger the database update. This of course promptly deleted the files I had created (they were not the only copies, of course…). There is an option to have a “private” directory marked for the feedsync, but it was not clear how that private folder should be set up to hold notus files. (I’m fairly certain it is only for NVTs???) So I made the files immutable, and triggered the feedsync. This had no change. I also tried using `gvmd --rebuild`, but that had no effect either.

I thought maybe there was a problem with formatting or bad characters again, so I replaced ALL of the advisories with a known good advisory from an existing notus feed (except the OID), thinking that would tell me if I had a formatting problem, but instead I had the exact same result. Only the OID and the CVSS score (now all exactly the same) showed in the report. The information from the product file about package version installed and version required for update was always there, just not the details from the advisory.

Any ideas on where I can look next? Is there some piece of ‘glue’ I need to apply that ties the notus feed data into the report generation?


Well, it looks like I just didn’t give gvmd long enough to process the new files after the feed sync. That was the key. Now I just need to make sure I properly clean up all of the fields and remove control characters and formatting etc …
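
An added example, not part of the thread and not Greenbone code: a pre-flight check for the "bad characters" problem described above, which walks any JSON document, reports the path of each string value containing control or format characters, and produces a cleaned copy. The field names in the sample are hypothetical placeholders rather than the real .notus schema, and treating Unicode control/format code points as the bad characters is an assumption.

```python
import json
import unicodedata

# Constructed sample. Field names are hypothetical, not the real .notus schema.
# The title holds a raw vertical tab (invalid in strict JSON); the summary holds
# an escaped NUL, a CR/LF pair and a zero-width space.
SAMPLE = ('{"advisories": [{"oid": "1.2.3.4", "title": "Example\x0b title", '
          '"summary": "Fix\\u0000 for foo\\r\\nUpgrade\\u200b now"}]}')


def is_bad(ch):
    """Assumed definition of a bad character: Unicode control (Cc) or
    format (Cf) code points, except newline and tab."""
    return unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\n\t"


def scan(node, path="$"):
    """Yield (json_path, [code points]) for every string value with bad characters."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from scan(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from scan(value, f"{path}[{index}]")
    elif isinstance(node, str):
        bad = sorted({f"U+{ord(c):04X}" for c in node if is_bad(c)})
        if bad:
            yield path, bad


def clean(node):
    """Return a copy with CRLF normalised to LF and bad characters removed."""
    if isinstance(node, dict):
        return {key: clean(value) for key, value in node.items()}
    if isinstance(node, list):
        return [clean(value) for value in node]
    if isinstance(node, str):
        return "".join(c for c in node.replace("\r\n", "\n") if not is_bad(c))
    return node


if __name__ == "__main__":
    # strict=False lets the parser accept raw control characters so they can be reported.
    doc = json.loads(SAMPLE, strict=False)
    for path, chars in scan(doc):
        print(f"{path}: {', '.join(chars)}")
    print(json.dumps(clean(doc), indent=2))
```

Running the scan on a copy of the files before placing them in the advisories directory shows which field of which entry needs cleaning, rather than stripping characters blindly.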