Updated connector for pulling Rapid7 vulnerability information into the Sourcefire Host Map. Tested with Sourcefire version 5.2. This is an update from the V1.5 version.
The Rapid7_connector.pl running on Windows (Nexpose server) fails to connect to the Defense Center. Error: SFPkcs12: Unable to get certificate. I put the pkcs12 file in the same location as the script. I also imported it into the certificate store but I still can’t get the connector to send information to Defense Center. Any help would be appreciated.
I've seen Java errors in 2 instance (both are easily fixable):
The Nexpose Security Console is not initialized. You can verify the Security Console is up and running by logging into it via a web browser.
If the user_id, password, site_id in the Nexpose.yaml file are not correct. Double check the following steps on page 5 of the connector documentation in the zip file:
6. Create a user in Nexpose with access to the asset group(s) or site(s) you would like to integrate into SourceFire.
7. A YAML configuration file must be provided with information to make the connection with the Nexpose scanner. A template for this file is provided as part of the Rapid7 Connector package located in 'InputPlugins/Nexpose.yaml'. For more information on the contents of the YAML package please see the "YAML File Description" section below.
8. Edit the /InputPlugins/Nexpose.yaml file to include the userid, password, and IP address of the Nexpose Security Console.
9. Also necessary in the YAML file is a site_id or asset_id of the assets you wish to transfer. This can be obtained by browsing to the site or asset group in the Console and looking at the query string in the browsers address bar. You can choose an asset group comprised of multiple sites, if more than one site is desired.
If you are using a leaf domain in FMC, you'll need to specify it at the start of the CSV file. This can be achieved by modifying this line:
my $csv_buffer = "SetSource,NeXpose Scan Report\n";
eg.
my $csv_buffer = "SetDomain,Global \\ Test-domain\nSetSource,NeXpose Scan Report\n";
This will add "SetDomain,Global \ Test-domain" to the start of the CSV file created
Lastly, I missed the requirement to enable the add_host parameter in Nexpose.yaml. This was causing errors on the import as the host did not exist in the FMC DB.
I am having an issue with this. Using the Rapid7 Insight VM and Firepower 6.2.3.13. I have a CA signed cert that is valid and working for the web page, but getting this error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/share/perl5/LWP/PRotocol/http.pm line 47
I created a SAN cert with a local CA according to the Rapid7 InsightVM guide and assigned to the host. IE trusts the cert with no issue but Firefox and Chrome have errors.
I know that @Lachlan said you may need to change the Nexpose IP; based on your environment but I was wondering if the default IP for connecting to the SF device was working for anyone? I have enabled the 'REST API' but when I nmap the device, I only see the following ports open: TCP/22, TCP/111, UDP/111, UDP/123, TCP 443, TCP/3306 and some high value ports between 11000-47000. I know that the script wants to connect over port TCP/8307 (which fails to communicate) but was not exactly sure which port to use; or if my SF configuration is setup properly. I tried changing the port to 443 (Since REST commonly communicates over that port) but after the script running for around 3 hours, it failed and did not transfer any data.
I seem to have everything working properly, I just need to make sure that I am communicating properly to the SF device.
@rick11 I personally never got this integration to work using this script. I ended up turning to the Nexpose-SourceFire Ruby Gem to get the integration to work.
Unfortunately, the gem has been decommissioned so I had to modify how the Ruby Script 'Generates the Nexpose Report' but other than that, the gem still manipulates the Nexpose data and connects to SourceFire with no issues.
If you would like more information on this, please let me know. I actually worked on it for quite some time since my Ruby knowledge is more of a Novice level but I am able to import Nexpose Vulnerabilities and Host Information into SourceFire at least once a week for my entire environment.
Hi @AntmanX , I have also limited knowledge of Ruby, if you can advice how to use the script it will help a lot , thank you!
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
