Security Basics mailing list archives

RE: MBSA Results into DB OR Alternative?


From: "Kevin Shea" <kshea () columbus rr com>
Date: Thu, 21 Oct 2004 14:10:54 -0400

There are two syntaxes for mbsacli.exe, depending on whether you want to
just run a scan or view the results of a previously run scan. Here's the
full syntax of the mbsacli command:

mbsacli [/c|/i|/r|/d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr]

Switches you can use include:

/c domain\computer - Scan the computer named in domain\computer. 
/i IP_addr - Scan the computer identified by the IP address provided. 
/r "IP_addr-IP_addr" - Scan the computers in the range of IP addresses
provided. 
/d domain - Scan all computers in the target domain. 
/n option - By default, MBSA performs all scans against the targets. Use /n
to remove specific scans. Valid options are OS, SQL, IIS, Updates, Password.
To omit more than one scan, separate the /n options with a + (plus sign). 
/o file - Specify the name of the file to which to write the results. A
default name is presented above with the syntax "%D% - %C% (%T%)", where %D%
is the domain or workgroup name, %C% is the name of the computer, and %T% is
the date and time of the scan. 
/f file - Write console output to the file specified. 
/qp - Don't display the progress of the current scan. 
/qe - Don't display errors present in the current scan. 
/qr - Don't display the list of reports. 
/s 1 - Suppress security notes. 
/s 2 - Suppress security notes and warnings. 
/nvc - By default, MBSA always checks for a new version of itself when it
runs. Use /nvc to skip this check. 
/baseline - Check only for baseline security updates rather than all updates
(default in GUI). 
/nosum - Do not verify checksums for security updates. Use only if you need
different language versions of patches and need to rename them for a
language supported by MBSA (default in GUI). 
/sus [susserver | susfilename] - Get a list of approved updates from a SUS
server. This option requires the URL of the SUS server and will look for a
file named approveditems.txt. 
/hf - Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode
allows you to use the extremely granular scanning and reporting
functionality that was present in the command-line hfnetchk utility. Note
that, unlike straight-up mbsacli, this does not produce XML output. 

The report syntax and switches slightly vary. The report syntax is:

mbsacli [/e] [/l] [/ls] [/lr file] [/ld file] [/unicode] [/hf] [/?]

Switches include: 
/e - Show the errors from the most recently run scan. 
/l - Show a list of all reports that are available for viewing. 
/ls - List the reports available from the most recent scan. Remember that a
report is generated for each system in a scan. 
/lr file - Display the overview of the report named by file. 
/ld file - Display the complete details of the report named by file. 
/Unicode - Output Unicode only. 
/v - Display the reason codes for security updates. 
/hf - Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode
allows you to use the extremely granular scanning and reporting
functionality that was present in the command-line hfnetchk utility. Note
that, unlike straight-up mbsacli, this does not produce XML output.

-----Original Message-----
From: O'dorisio, Steve [mailto:Steven.Odorisio () mms gov] 
Sent: Thursday, October 21, 2004 10:27 AM
To: 'security-basics () securityfocus com'
Subject: MBSA Results into DB OR Alternative?

Hello, 
We are consolidating our operational security data storage, and would like
to combine the various sources of data (Nessus, MBSA, logs, etc.) into ONE
location. 

1) Does anyone know how to upload/import MBSA results into a SQL Server/MS
Access DB?  [All attempts so far have been pretty messy]

OR

2) Does anyone have any suggested commercial off-the-shelf or open source
data repository systems that will allow this type of data aggregation?

In the end, we want to have a full, holistic view of the security events
across platforms and systems AND the ability to assign/track the remediation
of issues.

Any help is much appreciated.

Thanks,
Steve O.
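
Added example, not part of either poster's message and not MBSA's own code: one way to load the XML reports that mbsacli writes into a database, which is what the original question asks about. SQLite stands in for SQL Server/Access, and the report element names, attribute names and grade scale in the constructed sample are assumptions to check against a real report.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample. Element/attribute names and the grade scale are
# assumptions about the report layout; check them against a real report.
SAMPLE_REPORT = """<SecScan Machine="WS01" Domain="EXAMPLE" IP="192.0.2.10"
         Date="2004-10-21 10:00:00">
  <Check ID="101" Grade="2" Name="Windows Security Updates">
    <Advice>2 security updates are missing.</Advice>
  </Check>
  <Check ID="104" Grade="5" Name="Local Account Password Test">
    <Advice>No blank or simple passwords found.</Advice>
  </Check>
</SecScan>"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS scan (
    id INTEGER PRIMARY KEY, domain TEXT, machine TEXT, ip TEXT, scanned TEXT,
    UNIQUE (domain, machine, scanned));
CREATE TABLE IF NOT EXISTS finding (
    scan_id INTEGER REFERENCES scan(id), check_id TEXT, grade INTEGER,
    name TEXT, advice TEXT);
"""

def load_report(db, xml_text):
    """Store one report; return findings inserted (0 if already loaded)."""
    root = ET.fromstring(xml_text)
    db.executescript(SCHEMA)
    cur = db.execute(
        "INSERT OR IGNORE INTO scan (domain, machine, ip, scanned) "
        "VALUES (?, ?, ?, ?)",  # bound parameters, never string formatting
        (root.get("Domain"), root.get("Machine"), root.get("IP"),
         root.get("Date")))
    if cur.rowcount == 0:  # same domain/machine/time seen before
        return 0
    rows = [(cur.lastrowid, c.get("ID"), int(c.get("Grade", "0")),
             c.get("Name"), (c.findtext("Advice") or "").strip())
            for c in root.iter("Check")]
    db.executemany("INSERT INTO finding VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return len(rows)

def open_issues(db, max_grade=3):
    """Findings with grade <= max_grade (assumes lower grade = worse)."""
    return db.execute(
        "SELECT s.machine, f.name, f.grade FROM finding f "
        "JOIN scan s ON s.id = f.scan_id WHERE f.grade <= ? "
        "ORDER BY f.grade, s.machine", (max_grade,)).fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print(load_report(conn, SAMPLE_REPORT), open_issues(conn))
```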

