topic I am very glad the supporting in Network Security

Tenable Security Center to Sourcefire Firesight vulnerability connector

nathig001 — Tue, 12 Mar 2019 13:01:11 GMT

I am looking for a guide on how to connect Sourcefire to Nessus Security Center to pull in vulnerability data and then change our recommended IPS signatures based on the data imported. I see there were some old connectors in the forums and also a Perl script that seems to not work anymore. Any help on this would be fantastic!

sorry if this is a dumb

dohurd — Fri, 20 May 2016 16:34:36 GMT

sorry if this is a dumb question but did you look at this connector?

https://supportforums.cisco.com/document/12261131/tenable-connector-and-docs-v30

I am very glad the supporting

nathig001 — Tue, 19 Jul 2016 20:56:47 GMT

I am very glad the supporting documentation is written so well for this.... It states exactly where I need to upload the file to get this to run, and what options I need to add to get them connection.

Sarcasm aside I could not get this to work in our environment. Any other tips or suggestions?

I'm assuming you're talking

dohurd — Tue, 19 Jul 2016 22:02:50 GMT

I'm assuming you're talking about the readme file in the .zip with the connector. I do not have any other documentation. Tell me exactly where you get stuck and I can have a few sales engineers comment. We're usually able to get this stuff working.

I am trying to create a third

nathig001 — Tue, 19 Jul 2016 22:26:53 GMT

I am trying to create a third-party mapping that will import Nesses scan results to help cut down on the number of signatures that we use in or environment based on Firesight so we can reduce false positives. How do I import the Nessus Scan Database results to help correlate the signatures that can be removed from our environment based on the systems we have. Is this possible to do. Where do I go to connect the systems together? Does Firesight log into Tenable Security Center with a username and password to pull the data? Do I connect it to a repository of Nessus? I have been told to go to policy>application detectors>third-party mappings by a Cisco engineer, but I don't see where to input credentials to pull in the found vulnerabilities in the environment based on ip address, DNS name, etc.

I see the connector tool is here with the .zip file and you rename it to tar.gz, but trying to import that data does not work and am getting a wrong file type error. Is the link of the connector what I need to pull in the Tenable Security Center results?

First let me help you through

Moses Hernandez — Wed, 20 Jul 2016 19:33:08 GMT

First let me help you through some of your questions. The systems are connected together through the included perl script in the zip file. It's done through a shell script in the CLI. The actual script is what logs into both. It uses HTTPS Restful API on the Tenable Side and we provide a client/server authentication through certificates. The engineer was referring to preferring of third party scans over the internal database.

Yes, in the link that dohurd provided it does come with one of the better README files I have seen on the host input option. There a few things to think about when you do this.

Second is, we do have a setting in the Firepower Manager that is a preference on using the third party scans for Firesight or to use the built in passive vulnerability database. The reason you may want to use the passive vulnerability database and err on being too exact is that if you leverage an active scan option and the scan report is dated you could find systems that had been hardened and are now vulnerable. Maybe that system was put into production without the patch having been implemented. Just something to think about as you work within the system.

Lastly, installation guidance. In order to get a 6.X version to work I'll give you the walk through, the 5.X version menu structure is slightly different but the submenus are more or less the same.

In 6.X you would navigate over to System -> Integration -> Host Input Client and generate a new certificate for your host input client. Keep this and if you did it with a password keep both, you will need it.

Next take this tarball and extract it, depending on your system you could maybe choose to do this on your security center system. If you do you will need to read through the requirements of the various perl modules that you will need. If you are using ubuntu, this should help:

# sudo apt-get install liblwp-protocol-https-perl libio-socket-ssl-perl libhttp-cookies-perl libnet-ip-perl libyaml-libyaml-perl libnet-ssleay-perl

Now I recommend copying everything (zip file, pkcs12 file which is your host input certificate) and all into a directory on a host.

Once it is all there, extract the zip file. You will need to edit the included .yml file. Use a text editor an edit InputPlugins/SecurityCenter.yaml, the instructions are pretty clear on this in the README file.

If you want to test if the connector is working for your build of security center run the following command:

perl ./SecurityCenter.pl -c test.csv

If the csv file is build correctly then you should have a good dataset. From this point it is probably recommended to use crontab -e to set a job to execute this file on a semi regular basis to keep the system fresh.

Once you do this go over to the Firepower Manager under Analysis -> Third Party Vulnerabilities and should see data filled in correlating CVE information.

Happy to help,
Moses

Here is the error I am

nathig001 — Tue, 02 Aug 2016 22:46:45 GMT

Here is the error I am getting when trying to run the script.

:~/SecurityCenter$ ./SecurityCenter.pl -c=Output.csv -pl=InputPlugins/SecurityCenter.yaml
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 384.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 385.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 386.
Use of uninitialized value in lc at SFHostInputAgent.pm line 203.
Thu Jul 28 15:16:02 2016 [INFO] SecurityCenter JSON Vulnerability Processing Starting
Thu Jul 28 15:16:02 2016 [INFO] Server: infoseccenter
Thu Jul 28 15:16:02 2016 [ERROR] SecurityCenter Vulnerability Request Failed 500 Can't connect to infoseccenter:443 (certificate verify failed)

Request failed!!
500 Can't connect to infoseccenter:443 (certificate verify failed)
Error : Can't use string ("1") as a SCALAR ref while "strict refs" in use at SFHostInputAgent.pm line 318.

What if we don't have the

nathig001 — Tue, 02 Aug 2016 22:47:19 GMT

This item has been deleted by the supreme commander.

Did you ever find a solution

DHCBT — Thu, 03 Nov 2016 19:17:49 GMT

Did you ever find a solution to your problem?

Hi - was there ever a

Christopher Bell — Mon, 27 Mar 2017 13:49:11 GMT

Hi - was there ever a resolution to this? I'm essentially trying to do the same thing, but there isn't a whole lot of documentation on this.

The connector only works with

nathig001 — Mon, 27 Mar 2017 14:17:20 GMT

The connector only works with older versions of both Security Center and Firesight. unless something has changed recently that I am not aware of on the new Tenable.io it will not work. This would be a feature that is nice to have, but since it doesn't work and both Cisco and Tenable have poor documentation, I don't think it will be going anywhere anytime soon.

This was a feature pitched to

Christopher Bell — Mon, 27 Mar 2017 14:20:17 GMT

This was a feature pitched to us when purchasing both Tenable Security Center and Cisco's SourceFire solution so I will be sorely disappointed if it's not working. Tenable actually has a public marketing doc pitching this solution as viable.

https://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/alliance-partner-pdf/Tenable-Sourcefire%20Solution%20Brief.pdf

Like you, I'm frustrated. Whenever I contact either company directly for support I'm pointed back to the other one.

We purchased both products

nathig001 — Mon, 27 Mar 2017 14:25:09 GMT

We purchased both products before knowing they were advertised as being able to share data. I had the same experience and it took over two months and a lot of wasted time to find out that they are not really supported from either company. If you were sold that both could connect and share data it is unfortunate both parties were not up front in telling you the correct information. They went so far as to the main programmers of the application and came back with it is not supported anymore. I also showed Cisco and Tenable the same document saying that they are being advertised as sharing data, but both parties seemed flabbergasted that it was possible.

Christopher, let me at least

dohurd — Mon, 27 Mar 2017 14:36:11 GMT

Christopher, let me at least end the finger-pointing stuff.

You're correct that this is supposed to work. It has worked for over 10 years. I'm not the definitive technical authority on this feature but I can tell you that similar issues have recently been reported by two other parties that I am aware and with different vulnerability technologies being used. It points to a bug in the code that leverages the 3rd party vuln set. I've asked a friend in support to make sure the issue is escalated to development.

I cannot provide any guidance on time frame. I encourage you to keep the SR case number open with TAC and feel free to reach out to me at dohurd@cisco.com

Doug

I'm going to give Doug the

Christopher Bell — Mon, 27 Mar 2017 19:08:07 GMT

I'm going to give Doug the benefit of the doubt here and see if he can steer me in the right direction. It seems completely ludicrous that the only posture tool that FMC has access to is NMAP. Other than using something like Tenable Security Center (or one of it's competitors) the only other way to get relevant and up to date posture information about resources is to update it manually in FMC - and that's not plausible if you have more than a few forward facing servers.

Hi Doug - sent you an email

Christopher Bell — Wed, 29 Mar 2017 11:25:40 GMT

Hi Doug - sent you an email Monday.

Contact with Cisco and

Tue, 08 Aug 2017 00:33:05 GMT

Contact with Cisco and Tenable resulted in same results as above.

Cisco... SecurityCenter is using a new API - Restful API( HTTP oriented calls). perl script(creates a CSV file- DIFF file) is for the old version --not Restful API

Tenable.... We stopped supporting the old API nearly 3 years ago.

My perception--- SF is more proprietary and the developers are not working on this feature any longer.

Cisco has made no efforts to use the Restful API to address this.

No one at Cisco Professional services seems to want to tackle this.

Yes even after Cisco had acquired SF the word was yes this is a supported feature. As with most users I see, this is not a supported feature.

If anyone gets this working let the forum know.

Cisco Support is hoping to

Christopher Bell — Wed, 09 Aug 2017 19:21:54 GMT

Cisco Support is hoping to have a connector finished by the end of August, I've been pushing really hard on my Tenable and Cisco reps and hopefully there is positive movement now. I would suggest you do the same if you have a horse in this race. Call your Tenable rep and contact your Cisco rep and start aggravating the crap out of them until you start to see progress. I won't name any of mine here, but they are at least talking to each other and me and telling me they have an "August" timeline for completion.

Re: Cisco Support is hoping to

jbradbury — Wed, 01 Nov 2017 13:28:15 GMT

Did they end up making this happen?

Re: Christopher, let me at least

jaime.pedraza — Tue, 19 Feb 2019 05:30:47 GMT

Hello Doug,

I need to do this integration with FMC 6.2.3. Do you know if there is more info actually or the RESTFUL API is already working?

Regards,

James