cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 10
‎05-29-2017 01:00 AM

Nexpose Integration with McAfee ESM

I am trying to integrate nexpose with McAfee ESM using the configuration guide provided on Rapid7 website

https://community.rapid7.com/docs/DOC-2647

I have noticed that this guide is for old version of ESM 9.x , but i am using ESM 10.0

I am adding the following in configuration under add a child data source menu

data source = generic
data source module = advanced syslog parser

data format = default
data retrieval  = default (syslog)
IP

DNS

Mask = 0
Support generic syslog = advanced syslog parser
rule assignement = rapid7 nexpoe

encoding = none

I added source after doing this configuration , but the nexpose data source is showing yellow flag (inactive state)
I run the scan on nexpose and configured alerts for all events but no alert was recieved on mcafee esm, checked the network connectivity it was ok between the systems

how should i troubleshoot this ?

I also found that i can add VA source through asset manager but that is the second option for us.

0 Kudos
Reply
9 Replies
sssyyy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 10
‎05-29-2017 01:46 PM

Re: Nexpose Integration with McAfee ESM

I use VA source option with scheduled retrieval, works great for me.

Reply
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 10
‎06-01-2017 04:22 AM

Re: Nexpose Integration with McAfee ESM

Adding nexpose as a VA source using asset manager , but when testing connection its failed with following error
Error: Command has timed out (ER68)

I selected Rapid7 Nexpose as a VA source , give the IP / Username and Password of nexpose web console administrator and selected weekly schedule

Priority is set to 1 and port is by default set to 3780

Checked network connectivity from SIEM to Nexpose server on port 3780 it is connecting

0 Kudos
Reply
sssyyy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 10
‎06-01-2017 03:00 PM

Re: Nexpose Integration with McAfee ESM

Timed out??? Maybe check your Nexpose console is up and on port 3780? and verify the ERC can get through to the Nexpose console, check using telnet.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 5 of 10
‎06-02-2017 04:16 AM

Re: Nexpose Integration with McAfee ESM

I checked ERC was not whitelisted in nexpose , now its connecting

I have configured to fetch VA data to daily basis but on last retrieval there is none, The time which needs to be set in Daily schedule is the user time of SIEM ?

0 Kudos
Reply
bharath_k
Level 7
Report Inappropriate Content
Message 6 of 10
‎07-10-2018 03:32 AM

Re: Nexpose Integration with McAfee ESM

Hi, 

Would you be able to let me know how to whitelist the ERC IP on Rapid 7? 

TIA.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 7 of 10
‎06-05-2017 11:09 PM

Re: Nexpose Integration with McAfee ESM

Thanks for the suggestion, through asset manager VA now i am getting the vulnerability data showing in the vulnerability summary dashboard.

0 Kudos
Reply
diehard_007
Level 7
Report Inappropriate Content
Message 8 of 10
‎06-05-2017 10:05 AM

Re: Nexpose Integration with McAfee ESM

I had to add each scanner as a datasource as well as the console.  You should get scan status events (i.e. scan started, scan finished) from the console datasource and vulnerabilities found events from each of the scanners. 

To troubleshoot, ssh to the receiver configured in the Nexpose alerts syslog server.  Run "tcpdump -nni host <IP address console> or host <IP address scanner>"  and start a Nexpose scan.  If you don't see any traffic then the problem is with your Nexpose config.  Otherwise, you should see events in your Nexpose datasources.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 9 of 10
‎06-05-2017 11:13 PM

Re: Nexpose Integration with McAfee ESM

What do you mean add each scanner as a datasource ? previously i added nexpose as a single data source and marked start stop and vulnerability data in nexpose but couldnt get any event in esm and nexpose reciever was marked as incative plus i also tried tcpdump from esc/erc to the nexpose server and there was incoming data but it was not visible in esm

0 Kudos
Reply
diehard_007
Level 7
Report Inappropriate Content
Message 10 of 10
‎06-06-2017 09:15 AM

Re: Nexpose Integration with McAfee ESM

Start/stop of scans events  come from the server that the Nexpose console is installed on.  Vulnerability events will come from the Nexpose scanners configured for the site scan so you have add each external scanner as a datasource if you want to see vulnerability data as events.  If you aren't using external scanners then the one datasource is enough.

For fetching VA data, I had large scans that were timing out before all of the results were downloaded.  I had to change the timeout value in /etc/NitroGuard/vathirdparty.conf on the receiver to fix the problem.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC