隨著網際網路的普及與不斷被發現的安全弱點，網路主機遭受攻擊的風險也愈來愈高。若沒有良好的防護，很容易就會成為駭客的練習目標。除了防火牆的被動防護，弱點掃瞄器也可以幫助我們了解資訊系統及網路的弱點，以著手進行防護，有效提升資訊安全。
Nessus 即是一套提供弱點檢測功能的開放程式碼的免費軟體。Nessus 提供強大與容易使用的掃瞄功能，並由藉由 plugin 中的訊息提供詳細的掃瞄結果報告。如同許多免費或共享軟體般，Nessus 也是一套英語的軟體，因此，Nessus 所提供的也是英語的掃瞄結果報告。對於不是以英語為母語的使用者而言，解讀大量的英語檢測報告將會耗去大量的時間。
本研究主要是依據使用者的需求，發展一個針對 Nessus 弱點掃瞄器的中文化系統，提供中文化的掃瞄結果報告。在本研究中，我們設計一個擷取訊息的機制，自動將 Nessus 網站上 plugin 的訊息輸入及更新到弱點資料庫中。另外設計一個翻譯的系統，讓翻譯人員能對弱點資料庫中的訊息進行翻譯。最後再以翻譯後的訊息取代掃瞄報告中的英語內容，成為中文的掃瞄結果報告。
本研究提出以上設計並實地建置出 Nessus 弱點掃瞄器的中文化系統，試圖減少翻譯及測試的人力與時間的浪費，並將 plugin 與弱點資料庫更新自動化，以及減少 Nessus 中文化的程式修改。

With the popularization of Internet, and the vulnerabilities found continuously, network hosts meet more and more risks of being attacked. If we don’t secure them well, they will become the targets of the hackers. In addition to the protection of firewalls, vulnerability scanners can also help us to find out the weekness of our network hosts.
Nessus is an open source freeware which has the capability of vulnerability assessment. Nessus has very powerful scanning ability and is very easy to use. Nessus provides detailed result reports from the messages in the plugins. However, like many other freeware and software, Nessus is an English software. For this reason, Nessus provides English result reports. For those who do not use English as their first language, it costs a lot of time to read a lot of English result reports.
In this research, we develop a localizational system of the Nessus scanner and provide the result reports in users’ local language. We develop an automatic mechanism to extract the messages and infomations in the plugins, and put them into the vulnerability databases. We also develop two subsystems, one of them makes translators translates the message in the vulnerability database into their local language, and the other replaces the English result with those translated messages.
This research proposes the design above and actually implements a localizational system of the Nessus scanner. It attempts to reduce the time and labor consumption while translating, automate the update process of vulnerability database, and avoid the modification of source code as possible.

第一章 緒論 1
第一節 背景說明 1
第二節 研究動機 3
第三節 研究步驟 5
第二章 相關研究 8
第一節 弱點掃瞄器 8
第二節 Nessus 弱點掃描器 10
第三節 NASL – Nessus Attack Script Language 13
第四節 NTP – Nessus Transfer Protocol 18
第三章 系統設計 20
第一節 系統規劃 20
第二節 訊息擷取及更新機制設計 21
第三節 翻譯系統 29
第四節 Nessus 用戶端系統 31
第五節 資料庫結構 35
第四章 系統建置與驗證 37
第一節 系統建置 37
第二節 系統整合測試 42
第五章 結論 43
第一節 結論 43
第二節 未來發展 44
參考文獻 45
附錄 47

[1] Internet Software Consortium, “Internet Domain Survey“, http://www.isc.org/ds/
[2] CERT/CC, “CERT/CC Statistics 1988-2003”, http://www.cert.org/stats/cert_stats.html
[3] 劉其堅, “多型性弱點資料庫設計與對應缺陷運用程式產生器製作”, 2000
[4] Renaud Deraison, Nessus, http://www.nessus.org/
[5] 台灣電腦網路危機處理暨協調中心, http://www.cert.org.tw/
[6] 國家資通安全會報技術服務中心, http://www.icst.org.tw/
[7] 國家電腦事件處理中心, http://www.twncert.org.tw/
[8] 賽門鐵克, http://www.symantec.com.tw/
[9] 趨勢科技, http://www.trendmicro.com/tw/
[10] Ed Skoudis. “Vulnerability-Scanning Tools”, Prentice Hall PTR, September 2001.
[11] SARA, http://www-arc.com/sara/
[12] Retina, http://www.eeye.com/html/
[13] NeWT, http://www.tenablesecurity.com/newt.html
[14] X-scan, http://www.xfocus.org/
[15] 吳啟常, “弱點掃描器之攻擊程式碼自動化”, 2003
[16] Greg Brooks. “Nessus-Get on Board.” SANS Information Security Reading Room. URL http://rr.sans.org/audit/nessus2.php, February 15, 2001
[17] Common Vulnerability and Exposures, CVE. http://cve.mitre.org/
[18] Giovanni Vigna, Steven Eckmannn, Richard Kemmerer. “Attack Langauges.” Reliable Software Group Department of Computer Science University of California Santa Barbara, CA 93106
[19] Renaud Deraison. “The Nessus Attack Scripting Language Reference Guide.” http://www.nessus.org
[20] Michel Arboi. “The NASL2 reference manual”, http://www.nessus.org
[21] Renaud Deraison. “Nessus Transfer Protocol White Paper”, August 2002.
[22] Mick Bauer. “Checking Your Work with Scanners, Part II: Nessus.”
[23] Renaud Deraison, Jordan Hrycaj. “Nessus: the free network security scanner.” Novemeber 2000
[24] Robert A. Martin. “Managing Vulnerabilities in Networked Systems.”, The MITRE Corp. November 2002.
[25] Matt Bishop. “Vulnerabilities Analysis.”, Department of Computer Science University of California at Davis One shields Ave. Davis, CA 95616-8562
[26] Adrien de Beaupre. “Know yourself: Vulnerability Assessments.”, SANS Information Security Reading Room. http://rr.sans.org/audit/know.php
[27] Jeff Forristal, Greg Shipley. “Vulnerability Assessment Scanners”, January 2001
[28] TWCERT/CC, “Home Network Security”
[29] NessusWI, http://sourcesup.cru.fr/nessuswi/
[30] NessusPHP, http://enterprise.bidmc.harvard.edu/pub/nessus-php/