07-21-2014 12:18 PM - edited 03-08-2019 06:55 PM
Updated connector for pulling Rapid7 vulnerability information into the Sourcefire Host Map. Tested with Sourcefire version 5.2. This is an update from the V1.5 version.
The Rapid7_connector.pl running on Windows (Nexpose server) fails to connect to the Defense Center. Error: SFPkcs12: Unable to get certificate. I put the pkcs12 file in the same location as the script. I also imported it into the certificate store but I still can’t get the connector to send information to Defense Center. Any help would be appreciated.
Did this ever get resolved?
Have there been any updates to the script? This script doesn't seem to work with Nexpose 6 and throws out Java errors.
I've seen Java errors in 2 instances (both are easily fixable):
6. Create a user in Nexpose with access to the asset group(s) or site(s) you would like to integrate into SourceFire.
7. A YAML configuration file must be provided with information to make the connection with the Nexpose scanner. A template for this file is provided as part of the Rapid7 Connector package located in 'InputPlugins/Nexpose.yaml'. For more information on the contents of the YAML package please see the "YAML File Description" section below.
8. Edit the /InputPlugins/Nexpose.yaml file to include the userid, password, and IP address of the Nexpose Security Console.
9. Also necessary in the YAML file is a site_id or asset_id of the assets you wish to transfer. This can be obtained by browsing to the site or asset group in the Console and looking at the query string in the browser's address bar. You can choose an asset group comprised of multiple sites, if more than one site is desired.
Hi dohurd,
Does this connector support Firepower 6.x? Or is there a newer version of the Rapid7 connector that is available for download?
I have the same question as tak, I am running Firepower 6.2.2.1 and am looking to integrate with Nexpose vulnerability data.
I have been attempting to get this to work with 6.2.2 as well. So far I've found:
The port may need to be changed on this line depending on your Nexpose config:
$nexposeurl = 'https://' . $data->{nexpose_console} . ':3780/api/1.1/xml';
If you are using a leaf domain in FMC, you'll need to specify it at the start of the CSV file. This can be achieved by modifying this line:
my $csv_buffer = "SetSource,NeXpose Scan Report\n";
e.g.
my $csv_buffer = "SetDomain,Global \\ Test-domain\nSetSource,NeXpose Scan Report\n";
This will add "SetDomain,Global \ Test-domain" to the start of the CSV file created.
Lastly, I missed the requirement to enable the add_host parameter in Nexpose.yaml. This was causing errors on the import as the host did not exist in the FMC DB.
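An added example, not part of the post above or of the connector's own code: one way to make the port and the leaf-domain line configurable instead of editing the script each time. The keys `nexpose_port` and `fmc_domain` are hypothetical (they are not in the shipped Nexpose.yaml), and the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build the Nexpose API URL; the port comes from config instead of being hard-coded.
# 'nexpose_port' is a hypothetical key, not one from the shipped Nexpose.yaml.
sub nexpose_api_url {
    my ($data) = @_;
    my $port = $data->{nexpose_port} // 3780;    # 3780 is the port in the original line
    die "invalid port '$port'\n"
        unless $port =~ /\A[0-9]{1,5}\z/ && $port >= 1 && $port <= 65535;
    return 'https://' . $data->{nexpose_console} . ':' . $port . '/api/1.1/xml';
}

# Build the start of the CSV buffer; SetDomain is emitted only when a domain is set.
# 'fmc_domain' is a hypothetical key.
sub csv_header {
    my ($data) = @_;
    my $buf    = '';
    my $domain = $data->{fmc_domain};
    if (defined $domain && length $domain) {
        # A comma or line break in the value would add fields or extra
        # command lines to the import file, so refuse it.
        die "invalid domain value\n" if $domain =~ /[,\r\n]/;
        $buf .= "SetDomain,$domain\n";
    }
    return $buf . "SetSource,NeXpose Scan Report\n";
}

# Constructed sample configuration (stands in for the parsed YAML).
my $data = {
    nexpose_console => '192.0.2.10',
    nexpose_port    => 3780,
    fmc_domain      => 'Global \ Test-domain',
};

print nexpose_api_url($data), "\n";
print csv_header($data);

# A value carrying a line break is rejected instead of written to the file.
my $bad = { %$data, fmc_domain => "Global\nSetSource,Other" };
print "rejected: $@" unless eval { csv_header($bad); 1 };
```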
I am having an issue with this. Using the Rapid7 Insight VM and Firepower 6.2.3.13. I have a CA signed cert that is valid and working for the web page, but getting this error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/share/perl5/LWP/PRotocol/http.pm line 47
I created a SAN cert with a local CA according to the Rapid7 InsightVM guide and assigned to the host. IE trusts the cert with no issue but Firefox and Chrome have errors.
I know that @Lachlan said you may need to change the Nexpose IP based on your environment, but I was wondering if the default IP for connecting to the SF device was working for anyone? I have enabled the 'REST API' but when I nmap the device, I only see the following ports open: TCP/22, TCP/111, UDP/111, UDP/123, TCP/443, TCP/3306 and some high value ports between 11000-47000. I know that the script wants to connect over port TCP/8307 (which fails to communicate) but was not exactly sure which port to use, or if my SF configuration is set up properly. I tried changing the port to 443 (since REST commonly communicates over that port) but after the script had been running for around 3 hours, it failed and did not transfer any data.
I seem to have everything working properly, I just need to make sure that I am communicating properly to the SF device.
Thank you for your help
Hello,
Is there any updated version? Or how to integrate?
@rick11 I personally never got this integration to work using this script. I ended up turning to the Nexpose-SourceFire Ruby Gem to get the integration to work.
Unfortunately, the gem has been decommissioned so I had to modify how the Ruby Script 'Generates the Nexpose Report' but other than that, the gem still manipulates the Nexpose data and connects to SourceFire with no issues.
If you would like more information on this, please let me know. I actually worked on it for quite some time since my Ruby knowledge is more of a Novice level but I am able to import Nexpose Vulnerabilities and Host Information into SourceFire at least once a week for my entire environment.
Hope this helps
Hi @AntmanX, I also have limited knowledge of Ruby. If you can advise how to use the script, it will help a lot. Thank you!