
Rapid7 NeXpose Connect Version 1.6.2 for Sourcefire ver. 5.2.x


Updated connector for pulling Rapid7 vulnerability information into the Sourcefire Host Map. Tested with Sourcefire version 5.2. This is an update from the V1.5 version.

Comments
bshores01
Community Member

The Rapid7_connector.pl running on Windows (Nexpose server) fails to connect to the Defense Center.  Error: SFPkcs12:  Unable to get certificate.  I put the pkcs12 file in the same location as the script.  I also imported it into the certificate store but I still can’t get the connector to send information to Defense Center.    Any help would be appreciated.

dohurd
Cisco Employee

Did this ever get resolved?

alanleong
Community Member

Have there been any updates to the script? This script doesn't seem to work with Nexpose 6 and throws out Java errors.

Steven Chimes
Cisco Employee

I've seen Java errors in 2 instances (both are easily fixable):

  1. The Nexpose Security Console is not initialized. You can verify the Security Console is up and running by logging into it via a web browser.
  2. The user_id, password, site_id in the Nexpose.yaml file are not correct. Double check the following steps on page 5 of the connector documentation in the zip file:

     6. Create a user in Nexpose with access to the asset group(s) or site(s) you would like to integrate into SourceFire.

     7. A YAML configuration file must be provided with information to make the connection with the Nexpose scanner. A template for this file is provided as part of the Rapid7 Connector package located in 'InputPlugins/Nexpose.yaml'. For more information on the contents of the YAML package please see the "YAML File Description" section below.

     8. Edit the /InputPlugins/Nexpose.yaml file to include the userid, password, and IP address of the Nexpose Security Console.

     9. Also necessary in the YAML file is a site_id or asset_id of the assets you wish to transfer. This can be obtained by browsing to the site or asset group in the Console and looking at the query string in the browser's address bar. You can choose an asset group comprised of multiple sites, if more than one site is desired.

tak6285
Beginner

Hi dohurd,

Does this connector support Firepower 6.x? Or is there a newer version of the Rapid7 connector that is available for download?

b00gymann
Beginner

I have the same question as tak, I am running Firepower 6.2.2.1 and am looking to integrate with Nexpose vulnerability data.

Lachlan
Beginner

I have been attempting to get this to work with 6.2.2 as well. So far I've found:

The port may need to be changed on this line depending on your Nexpose config:

$nexposeurl = 'https://' . $data->{nexpose_console} . ':3780/api/1.1/xml';

If you are using a leaf domain in FMC, you'll need to specify it at the start of the CSV file. This can be achieved by modifying this line:

my $csv_buffer = "SetSource,NeXpose Scan Report\n";

e.g.

my $csv_buffer = "SetDomain,Global \\ Test-domain\nSetSource,NeXpose Scan Report\n";

This will add "SetDomain,Global \ Test-domain" to the start of the CSV file created.

Lastly, I missed the requirement to enable the add_host parameter in Nexpose.yaml. This was causing errors on the import as the host did not exist in the FMC DB.
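
The three changes described in the comment above, gathered into helper routines, as an added example that is not part of Rapid7_connector.pl or the original post. The `nexpose_port` and `fmc_domain` keys are hypothetical; numeric `site_id`/`asset_id` values and a Perl-truthy `add_host` are assumptions.

```perl
#!/usr/bin/perl
# Added example: pre-flight helpers for the settings discussed in this thread.
use strict;
use warnings;

# Build the console API URL. 'nexpose_port' is a hypothetical config key;
# the connector line quoted above hardcodes :3780.
sub nexpose_url {
    my ($cfg) = @_;
    my $port = $cfg->{nexpose_port} // 3780;
    die "invalid port '$port'\n"
        unless $port =~ /^\d+$/ && $port >= 1 && $port <= 65535;
    return "https://$cfg->{nexpose_console}:$port/api/1.1/xml";
}

# Build the CSV preamble. 'fmc_domain' is a hypothetical key; when set,
# SetDomain is emitted before SetSource, as in the comment above.
sub csv_preamble {
    my ($cfg) = @_;
    my $buf = '';
    if (defined $cfg->{fmc_domain} && length $cfg->{fmc_domain}) {
        # A comma or newline here would inject extra CSV fields or commands.
        die "invalid domain\n" if $cfg->{fmc_domain} =~ /[,\r\n]/;
        $buf .= "SetDomain,$cfg->{fmc_domain}\n";
    }
    return $buf . "SetSource,NeXpose Scan Report\n";
}

# Collect the configuration problems named in this thread before any connection.
sub preflight {
    my ($cfg) = @_;
    my @problems;
    for my $key (qw(nexpose_console user_id password)) {
        push @problems, "$key is missing"
            unless defined $cfg->{$key} && length $cfg->{$key};
    }
    push @problems, "set a numeric site_id or asset_id"
        unless grep { defined $cfg->{$_} && $cfg->{$_} =~ /^\d+$/ } qw(site_id asset_id);
    push @problems, "add_host is not enabled" unless $cfg->{add_host};
    return @problems;
}

# Constructed sample configuration (all values are placeholders).
my %cfg = (nexpose_console => '192.0.2.10', nexpose_port => 3780,
           user_id => 'sf-connector', password => 'example-only',
           site_id => 4, add_host => 0, fmc_domain => 'Global \\ Test-domain');
print nexpose_url(\%cfg), "\n", csv_preamble(\%cfg);
print "config problem: $_\n" for preflight(\%cfg);
```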

 

dfurfarohh
Beginner

I am having an issue with this. Using the Rapid7 Insight VM and Firepower 6.2.3.13. I have a CA signed cert that is valid and working for the web page, but getting this error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/share/perl5/LWP/PRotocol/http.pm line 47

 

I created a SAN cert with a local CA according to the Rapid7 InsightVM guide and assigned to the host. IE trusts the cert with no issue but Firefox and Chrome have errors.

AntmanX
Beginner

I know that @Lachlan said you may need to change the Nexpose IP, based on your environment, but I was wondering if the default IP for connecting to the SF device was working for anyone? I have enabled the 'REST API' but when I nmap the device, I only see the following ports open: TCP/22, TCP/111, UDP/111, UDP/123, TCP/443, TCP/3306 and some high value ports between 11000-47000. I know that the script wants to connect over port TCP/8307 (which fails to communicate) but was not exactly sure which port to use, or if my SF configuration is set up properly. I tried changing the port to 443 (since REST commonly communicates over that port) but after the script running for around 3 hours, it failed and did not transfer any data.

 

I seem to have everything working properly, I just need to make sure that I am communicating properly to the SF device.

 

Thank you for your help

rick11
Beginner

Hello,

Is there any updated version? Or how to integrate?

AntmanX
Beginner

@rick11   I personally never got this integration to work using this script.  I ended up turning to the Nexpose-SourceFire Ruby Gem to get the integration to work.  

 

Unfortunately, the gem has been decommissioned so I had to modify how the Ruby Script 'Generates the Nexpose Report' but other than that, the gem still manipulates the Nexpose data and connects to SourceFire with no issues.

 

If you would like more information on this, please let me know.  I actually worked on it for quite some time since my Ruby knowledge is more of a Novice level but I am able to import Nexpose Vulnerabilities and Host Information into SourceFire at least once a week for my entire environment.

 

Hope this helps

rick11
Beginner


Hi @AntmanX, I also have limited knowledge of Ruby. If you can advise how to use the script it will help a lot, thank you!