05-20-2016 09:28 AM - edited 03-12-2019 06:01 AM
I am looking for a guide on how to connect Sourcefire to Nessus Security Center to pull in vulnerability data and then change our recommended IPS signatures based on the data imported. I see there were some old connectors in the forums and also a Perl script that seems to not work anymore. Any help on this would be fantastic!
05-20-2016 09:34 AM
sorry if this is a dumb question but did you look at this connector?
https://supportforums.cisco.com/document/12261131/tenable-connector-and-docs-v30
07-19-2016 01:56 PM
I am very glad the supporting documentation is written so well for this... It states exactly where I need to upload the file to get this to run, and what options I need to add to get the connection.
Sarcasm aside I could not get this to work in our environment. Any other tips or suggestions?
07-19-2016 03:02 PM
I'm assuming you're talking about the readme file in the .zip with the connector. I do not have any other documentation. Tell me exactly where you get stuck and I can have a few sales engineers comment. We're usually able to get this stuff working.
07-19-2016 03:26 PM
I am trying to create a third-party mapping that will import Nessus scan results to help cut down on the number of signatures that we use in our environment based on FireSIGHT so we can reduce false positives. How do I import the Nessus scan database results to help correlate the signatures that can be removed from our environment based on the systems we have? Is this possible to do? Where do I go to connect the systems together? Does FireSIGHT log into Tenable Security Center with a username and password to pull the data? Do I connect it to a repository of Nessus? I have been told to go to Policy > Application Detectors > Third-Party Mappings by a Cisco engineer, but I don't see where to input credentials to pull in the found vulnerabilities in the environment based on IP address, DNS name, etc.
I see the connector tool is here with the .zip file and you rename it to .tar.gz, but trying to import that data does not work and I am getting a wrong file type error. Is the link to the connector what I need to pull in the Tenable Security Center results?
07-20-2016 12:33 PM
First let me help you through some of your questions. The systems are connected together through the included Perl script in the zip file. It's done through a shell script in the CLI. The actual script is what logs into both. It uses an HTTPS RESTful API on the Tenable side, and we provide client/server authentication through certificates. The engineer was referring to the preference for third-party scans over the internal database.
Yes, the link that dohurd provided does come with one of the better README files I have seen on the host input option. There are a few things to think about when you do this.
Second, we do have a setting in the Firepower Manager that is a preference on using the third-party scans for FireSIGHT or using the built-in passive vulnerability database. The reason you may want to use the passive vulnerability database and err on being too exact is that if you leverage an active scan option and the scan report is dated, you could find systems that had been hardened and are now vulnerable. Maybe that system was put into production without the patch having been implemented. Just something to think about as you work within the system.
Lastly, installation guidance. I'll give you the walkthrough to get a 6.X version to work; the 5.X version menu structure is slightly different, but the submenus are more or less the same.
In 6.X you would navigate over to System -> Integration -> Host Input Client and generate a new certificate for your host input client. Keep this, and if you did it with a password keep both; you will need them.
Next, take this tarball and extract it. Depending on your system, you could choose to do this on your Security Center system. If you do, you will need to read through the requirements for the various Perl modules that you will need. If you are using Ubuntu, this should help:
# sudo apt-get install liblwp-protocol-https-perl libio-socket-ssl-perl libhttp-cookies-perl libnet-ip-perl libyaml-libyaml-perl libnet-ssleay-perl
Now I recommend copying everything (the zip file and the pkcs12 file, which is your host input certificate) into a directory on a host.
Once it is all there, extract the zip file. You will need to edit the included .yaml file. Use a text editor and edit InputPlugins/SecurityCenter.yaml; the instructions are pretty clear on this in the README file.
If you want to test if the connector is working for your build of security center run the following command:
perl ./SecurityCenter.pl -c test.csv
If the CSV file is built correctly, then you should have a good dataset. From this point it is probably recommended to use crontab -e to set a job to execute this file on a semi-regular basis to keep the system fresh.
Once you do this, go over to the Firepower Manager under Analysis -> Third Party Vulnerabilities and you should see data filled in correlating CVE information.
Happy to help,
Moses
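As an added example (not part of Moses's post or the connector package), a cron wrapper around the run described above: it invokes the connector the way the post does, refuses to treat a header-only CSV as a successful pull, and reports when the last CSV is older than the stale-scan window the post warns about. The connector directory, the CSV path and the age limit are assumptions set via environment variables.

```shell
#!/bin/sh
# Cron wrapper for the SecurityCenter -> Firepower host input connector.
# Assumptions (not from the post): CONNECTOR_DIR holds the extracted zip,
# the connector writes a CSV with one header row, and MAX_AGE_DAYS is the
# window after which an import is considered stale.
CONNECTOR_DIR="${CONNECTOR_DIR:-$HOME/SecurityCenter}"
CSV_OUT="${CSV_OUT:-$CONNECTOR_DIR/test.csv}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# Print the number of data rows (lines after the header); 0 if missing.
csv_data_rows() {
    f="$1"
    [ -f "$f" ] || { echo 0; return; }
    n=$(wc -l < "$f" | tr -d ' ')
    if [ "$n" -gt 1 ]; then echo $((n - 1)); else echo 0; fi
}

# Succeed (0) only if the file was modified within MAX_DAYS (arg 2).
csv_is_fresh() {
    f="$1"; max_days="${2:-$MAX_AGE_DAYS}"
    [ -f "$f" ] || return 1
    # find -mtime +N lists files older than N*24h; empty output means fresh.
    [ -z "$(find "$f" -mtime +"$max_days" -print 2>/dev/null)" ]
}

# Run the connector exactly as in the thread, then sanity-check the output.
run_connector() {
    cd "$CONNECTOR_DIR" || return 2
    perl ./SecurityCenter.pl -c "$CSV_OUT" -pl InputPlugins/SecurityCenter.yaml || return 3
    rows=$(csv_data_rows "$CSV_OUT")
    [ "$rows" -gt 0 ] || { echo "connector produced no data rows" >&2; return 4; }
    echo "host input CSV written with $rows vulnerability rows"
}

# Separate check for a monitoring cron entry: alert if no recent pull exists.
check_last_pull() {
    csv_is_fresh "$CSV_OUT" || { echo "last CSV older than $MAX_AGE_DAYS days" >&2; return 5; }
}

# Example crontab lines (adjust paths):
#   0 2 * * 1  /path/to/this_script.sh run
#   0 8 * * *  /path/to/this_script.sh check
case "${1:-}" in
    run)   run_connector ;;
    check) check_last_pull ;;
esac
```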
08-02-2016 03:46 PM
Here is the error I am getting when trying to run the script.
:~/SecurityCenter$ ./SecurityCenter.pl -c=Output.csv -pl=InputPlugins/SecurityCenter.yaml
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 384.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 385.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 386.
Use of uninitialized value in lc at SFHostInputAgent.pm line 203.
Thu Jul 28 15:16:02 2016 [INFO] SecurityCenter JSON Vulnerability Processing Starting
Thu Jul 28 15:16:02 2016 [INFO] Server: infoseccenter
Thu Jul 28 15:16:02 2016 [ERROR] SecurityCenter Vulnerability Request Failed 500 Can't connect to infoseccenter:443 (certificate verify failed)
Request failed!!
500 Can't connect to infoseccenter:443 (certificate verify failed)
Error : Can't use string ("1") as a SCALAR ref while "strict refs" in use at SFHostInputAgent.pm line 318.
11-03-2016 12:17 PM
Did you ever find a solution to your problem?
08-07-2017 05:33 PM
Contact with Cisco and Tenable resulted in the same results as above.
Cisco... SecurityCenter is using a new API, a RESTful API (HTTP-oriented calls). The Perl script (creates a CSV file, a DIFF file) is for the old version, not the RESTful API.
Tenable... We stopped supporting the old API nearly 3 years ago.
My perception: SF is more proprietary and the developers are not working on this feature any longer.
Cisco has made no efforts to use the RESTful API to address this.
No one at Cisco Professional Services seems to want to tackle this.
Yes, even after Cisco had acquired SF, the word was that yes, this is a supported feature. As with most users I see, this is not a supported feature.
If anyone gets this working let the forum know.
08-09-2017 12:21 PM
Cisco Support is hoping to have a connector finished by the end of August, I've been pushing really hard on my Tenable and Cisco reps and hopefully there is positive movement now. I would suggest you do the same if you have a horse in this race. Call your Tenable rep and contact your Cisco rep and start aggravating the crap out of them until you start to see progress. I won't name any of mine here, but they are at least talking to each other and me and telling me they have an "August" timeline for completion.
11-01-2017 06:28 AM
Did they end up making this happen?
03-27-2017 06:49 AM
Hi - was there ever a resolution to this? I'm essentially trying to do the same thing, but there isn't a whole lot of documentation on this.
03-27-2017 07:17 AM
The connector only works with older versions of both Security Center and FireSIGHT. Unless something has changed recently that I am not aware of on the new Tenable.io, it will not work. This would be a nice-to-have feature, but since it doesn't work and both Cisco and Tenable have poor documentation, I don't think it will be going anywhere anytime soon.
03-27-2017 07:20 AM
This was a feature pitched to us when purchasing both Tenable Security Center and Cisco's SourceFire solution so I will be sorely disappointed if it's not working. Tenable actually has a public marketing doc pitching this solution as viable.
https://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/alliance-partner-pdf/Tenable-Sourcefire%20Solution%20Brief.pdf
Like you, I'm frustrated. Whenever I contact either company directly for support I'm pointed back to the other one.
03-27-2017 07:25 AM
We purchased both products before knowing they were advertised as being able to share data. I had the same experience, and it took over two months and a lot of wasted time to find out that they are not really supported.