I am trying to integrate nexpose with McAfee ESM using the configuration guide provided on Rapid7 website
I have noticed that this guide is for old version of ESM 9.x , but i am using ESM 10.0
I am adding the following in configuration under add a child data source menu
data source = generic
data source module = advanced syslog parser
data format = default
data retrieval = default (syslog)
Mask = 0
Support generic syslog = advanced syslog parser
rule assignement = rapid7 nexpoe
encoding = none
I added source after doing this configuration , but the nexpose data source is showing yellow flag (inactive state)
I run the scan on nexpose and configured alerts for all events but no alert was recieved on mcafee esm, checked the network connectivity it was ok between the systems
how should i troubleshoot this ?
I also found that i can add VA source through asset manager but that is the second option for us.
Adding nexpose as a VA source using asset manager , but when testing connection its failed with following error
Error: Command has timed out (ER68)
I selected Rapid7 Nexpose as a VA source , give the IP / Username and Password of nexpose web console administrator and selected weekly schedule
Priority is set to 1 and port is by default set to 3780
Checked network connectivity from SIEM to Nexpose server on port 3780 it is connecting
I checked ERC was not whitelisted in nexpose , now its connecting
I have configured to fetch VA data to daily basis but on last retrieval there is none, The time which needs to be set in Daily schedule is the user time of SIEM ?
I had to add each scanner as a datasource as well as the console. You should get scan status events (i.e. scan started, scan finished) from the console datasource and vulnerabilities found events from each of the scanners.
To troubleshoot, ssh to the receiver configured in the Nexpose alerts syslog server. Run "tcpdump -nni host <IP address console> or host <IP address scanner>" and start a Nexpose scan. If you don't see any traffic then the problem is with your Nexpose config. Otherwise, you should see events in your Nexpose datasources.
What do you mean add each scanner as a datasource ? previously i added nexpose as a single data source and marked start stop and vulnerability data in nexpose but couldnt get any event in esm and nexpose reciever was marked as incative plus i also tried tcpdump from esc/erc to the nexpose server and there was incoming data but it was not visible in esm
Start/stop of scans events come from the server that the Nexpose console is installed on. Vulnerability events will come from the Nexpose scanners configured for the site scan so you have add each external scanner as a datasource if you want to see vulnerability data as events. If you aren't using external scanners then the one datasource is enough.
For fetching VA data, I had large scans that were timing out before all of the results were downloaded. I had to change the timeout value in /etc/NitroGuard/vathirdparty.conf on the receiver to fix the problem.