
The official Rapid7 Nexpose guide (Rapid7 NeXpose Event Source Configuration Guide) unfortunately seemed to be short of a few details, so I have described below how I integrated the Windows version of Rapid7 Nexpose into Security Analytics.

 

I was using Nexpose 5.17.1 on a Windows 2008 server.

The screenshots have been taken from Security Analytics 10.6.1.

 

This document assumes that the reader is familiar with installing the SFTP Agent and setting it up.

 

  1. On your Nexpose Server, create a CSV report in Nexpose using the "Basic Vulnerability Check Results (CSV)" template.
  2. This will output a CSV report of the scan. The problem is that the file is gz compressed, and the Log Collector cannot ingest it in that form, so we uncompress it with 7-Zip. Install 7-Zip on your server (http://www.7-zip.org/download.html).
  3. Still on your Nexpose Server, create a directory called NexposeScripts and populate it with the contents of NexposeScripts.zip, which is attached to this document. Create a Windows scheduled task that runs the batch file Nexpose.bat every 5 minutes.
  4. On the Nexpose Server, install the RSA SFTP Agent and use the attached sftagent.conf to process the Nexpose log messages.
  5. On the Log Collector, copy the file rapid7.xml to /etc/netwitness/ng/logcollection/content/collection/file and restart the logcollector service.
  6. On the Log Decoder, create the directory /etc/netwitness/ng/envision/etc/devices/rapid7 and copy the files v20_rapid7msg.xml and rapid7.ini into it.
  7. Restart the Log Decoder.

 

The parser makes use of the vuln_ref reference key, so make sure that your table-map-custom.xml file contains the line

<mapping envisionName="vuln_ref" nwName="vuln.ref" flags="None" format="Text"/>

 

If everything is correctly set up, you should see a new rapid7 device type, with Threat Category, Threat Description and the Vuln Ref key populated with CVE numbers.

 

 

Note that by default the script Nexpose.bat leaves the report.csv.gz files in the original directory. If you want them deleted after processing, add the final line shown below (the del command) to c:\nexposescripts\nexpose.bat:

 

rem Run the three collection scripts from NexposeScripts.zip
cscript nexpose-audits.vbs
cscript nexpose-authevents.vbs
cscript nexpose-nscevents.vbs
rem Uncompress every report.csv.gz under the reports directory so the SFTP Agent can read the CSV
cd "C:\Program Files\rapid7\nexpose\nsc\htroot\reports"
for /R %%f in (report.csv.gz) do "c:\program files\7-Zip\7z.exe" e -y "%%f"
rem Optional: delete the compressed originals once they have been extracted
for /R %%f in (report.csv.gz) do del /q "%%f"

It seems there is a possibility that a CA issued duplicate certificates for a GitHub domain.

 

http://thehackernews.com/2016/08/github-ssl-certificate.html

 

Could SA NetWitness help locate whether any certificates were signed by the potentially offending CA, and show whether this could impact your organization?

 

Let's see ...

 

Using this post to enable full indexing on the appropriate ssl.* meta keys, you could search for the CA name (in this case WoSign):

https://community.rsa.com/community/products/netwitness/blog/2016/08/30/ssl-and-netwitness

 

ssl.ca = WoSign

or, if the CA name isn't exactly WoSign, we could use this query to locate similar names and then tune the drill appropriately:

ssl.ca contains 'WoSign'

 

Then you could see all the domains (alias.host) in whose sessions the certificate was used and check whether you might be affected. You might also want to focus on outbound traffic (your users connecting to a GitHub domain with a certificate signed by WoSign could be something to investigate).

 

From what I can see with my browser, DigiCert should be the CA for GitHub.

(screenshot: DigiCert shown as the CA for GitHub)

 

Taking this one step further, I also found that there are now certificate transparency services that track how many certificates have been issued for each domain. Why not create a Context Menu plugin for RSA NetWitness that queries one of these certificate transparency sites, so that analysts can get additional details about a domain and its certificates without the SharePoint + copy + paste + copy + paste routine?

 

https://www.google.com/transparencyreport/https/ct/#domain=www.mozilla.org&incl_exp=true&incl_sub=true

 

So here is the context menu item, which works on the ssl.ca, ssl.subject and alias.host meta keys:

 

(screenshot: the certificate transparency context menu action)

 

{
    "displayName": "Google SSL Cert Transparency Check",
    "cssClasses": [
        "ssl.ca",
        "ssl-ca",
        "ssl.subject",
        "ssl-subject",
        "alias.host",
        "alias-host"
    ],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "1",
    "modules": [
        "investigation"
    ],
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true",
    "disabled": "",
    "id": "GoogleSSLCERTCHECK",
    "moduleClasses": [
        "UAP.investigation.navigate.view.NavigationPanel",
        "UAP.investigation.events.view.EventGrid"
    ],
    "openInNewTab": "true",
    "order": ""
}
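As an added illustration (not code from the original post or from RSA), the following Python script walks through the workflow above on constructed sample meta: it applies the `ssl.ca = WoSign` and `ssl.ca contains 'WoSign'` drills, pivots to alias.host for outbound sessions, and builds the lookup URL that the URLContextAction above would open by substituting `{0}` in urlFormat. The session records and the `direction` field are constructed assumptions; the match semantics are a plain substring approximation of the NetWitness query.

```python
import json
from urllib.parse import quote

# The three fields of the context menu definition from the post that this example uses.
CONTEXT_MENU = json.loads("""{
    "displayName": "Google SSL Cert Transparency Check",
    "cssClasses": ["ssl.ca", "ssl-ca", "ssl.subject", "ssl-subject", "alias.host", "alias-host"],
    "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true"
}""")

# Constructed sample sessions standing in for NetWitness meta (not real traffic).
SESSIONS = [
    {"ssl.ca": "WoSign CA Limited", "ssl.subject": "github.com",
     "alias.host": "github.com", "direction": "outbound"},
    {"ssl.ca": "DigiCert SHA2 Extended Validation Server CA", "ssl.subject": "github.com",
     "alias.host": "github.com", "direction": "outbound"},
    {"ssl.ca": "WoSign Class 3 OV Server CA", "ssl.subject": "example.test",
     "alias.host": "example.test", "direction": "inbound"},
    {"ssl.ca": "Let's Encrypt Authority X3", "ssl.subject": "api.example.test",
     "alias.host": "api.example.test", "direction": "outbound"},
]

def ca_equals(sessions, value):
    """Approximates the 'ssl.ca = value' drill: exact match only."""
    return [s for s in sessions if s["ssl.ca"] == value]

def ca_contains(sessions, needle):
    """Approximates the "ssl.ca contains 'needle'" drill: substring match."""
    return [s for s in sessions if needle in s["ssl.ca"]]

def outbound_hosts(sessions):
    """Pivot to alias.host for outbound sessions only, deduplicated and sorted."""
    return sorted({s["alias.host"] for s in sessions if s["direction"] == "outbound"})

def supports_key(menu, meta_key):
    """True if the context menu action is registered for this meta key."""
    return meta_key in menu["cssClasses"]

def lookup_url(menu, value):
    """Build the URL the URLContextAction opens: {0} is replaced by the URL-encoded meta value."""
    return menu["urlFormat"].replace("{0}", quote(value, safe=""))

if __name__ == "__main__":
    hits = ca_contains(SESSIONS, "WoSign")
    for host in outbound_hosts(hits):
        print(host, "->", lookup_url(CONTEXT_MENU, host))
```

Running it shows why the exact-match drill finds nothing here while the `contains` form catches both WoSign issuer names, and only github.com remains after the outbound pivot.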
