I have a custom VA scanner in my organization and I need to correlate the vulnerabilities with the NSM alerts.So I need mapping of NSM signatures and the CVE/CWE/BugtraqID associated with it ? OR if there is any alternative way to do it apart from CVE mapping ??
If you found a solution for this issue, please tell me ! I'd also like to correlate logs from a vulnerability scanner with logs from McAfee NSM.
CVE-IDs seem to be available form McAfee attack encyclopedia, but I'd like to get them on logs. Is it possibe to build a custom MySQL request so we could get all the signature information and CVE IDs, with the attack ID as a key field or something ?
I have looked for this information too and have been unable to find the CVE ID's in the database. I'm assuming they are in the xml column of the iv_attack table. This field seems to be a Java Byte object but I haven't looked to see if it's possible to get data out of it.
If you open one of you IPS Policies and then open an attack definition you will see under the Description tab a section called Reference that contains the NSP ID and CVE ID for the attack, I'm assuming that's what' s contained in the xml column.
There is a Manager API Reference Guide that you can request from McAfee support, but I'm not sure what you can access from the API.
Perhaps some sort of JAXB script to output the xml from that object? Possibly how it's actually being done in the GUI, I wouldn't know about the API, but it could well support retrieving that data.
Sorry it's not much help in this situation, but McAfee ESM (SIEM) makes this fairy easy to do. In fact the native connection to the NSM database only pulls the alerts and none any of the description text from those signatures. You can correlate against results from VA scanners it supports (Nessus for example).