RAPID7 VAM integration
I have. I am finishing up on a custom DLL that you can use to take a nexpose custom report template and transform it into a fingerprint that enVision can understand. Right now I have a powershell that transforms the Qualysgaurd export from Nexpose into a working import but it doesn't give you any custom attribute options and it doesn't import the services.
I will hopefully be posting the code here soon.
As promised here are the steps and the script. Good luck to all.
Nexpose doesn't not have a default integration option into envision, however you can do an Qualysgaurd export but Nexpose doesn't perform this correctly either.
I have developed a script that will correct the problems that I have found with the qualysgaurd format from Nexpose. This requires a couple of things:
- This requires that you download the scan.dtd file mentioned in the export and save it to %storage%\csd\Collection\vulnerability\%nodename%
- Setup a VAM collection device with false information in envision.
Assuming that you already have the above setup, here are the steps to get this working.
Create a report in Nexpose for the assets you want and use the report type of "Qualysgaurd export". Make sure to select the recent scan.
Save the report onto your local computer. It doesn't matter where, as long as the NexposeFix.ps1 is in the same directory.
Next copy the latest db_CveNormalizationRules.txt from "%storage%\csd\collection\vulnerability\%nodename%\runtime\" to the same folder as the NexposeFix.ps1
Next modify the NexposeFix.ps1 and change the $LogLevel variable to your desired feedback.
Next find the section labeled "Global Variables"
In this section make sure the $enVisionLookupFile is pointing to the newest db_Cve file and that the $NexposeFile has the correct report name that is in the directory from earlier.
Once those are set save the file and run it in powershell.
This will write a file "reportfinal.xml" in the same directory. The script basically replaces the common name that is put into the "number" field by nexpose with the correct qualysgaurd number based on the CVE value and the db_cve lookup file.
Once you have the file stop the "AssetCollector" and "AssetProcessor" services on the LC or ES that you configured the VAM import earlier on.
Once they are stopped create a directory in the ftp_files called "Nexpose". Then copy the "reportfinal.xml" into this directory.
Once the file is copied open a command prompt and go to the %envision%\bin folder and run the following command.
vacollector.exe -v -reportdir=%envision%\ftp_files\nexpose
This will process the xml file and create a FingerPrint.xml asset file for each device you have in the report under %storage%\csd\collection\vulnerability\%nodename%\
Verify that the files are there. Once you have verified open up another cmd window and navigate into %envision%\bin and run the command"
This will then process the xml files. If any fail they should be under the malformed container and should appear as failure messages in the command window.
I would recommend testing this with a couple of assets in a DEV environment first to make sure no other changes need to be made.
TESTED ON envision 4.0 SP3 and Nexpose 4.X running on Unix.
Thank you very much for all.
I was working in same solution but i think my problem is in the first step, I can not configure properly the VAM collection device because I use LS and I have two %nodename% (LC and DS) and I haven't the scan.dtd.
I will work with your solution and I tell you something.
Thank you very much again