
Nexpose Integration with McAfee ESM

I am trying to integrate Nexpose with McAfee ESM using the configuration guide provided on the Rapid7 website:

https://community.rapid7.com/docs/DOC-2647

I have noticed that this guide is for the old version of ESM, 9.x, but I am using ESM 10.0.

I am adding the following in the configuration under the "add a child data source" menu:

data source = generic
data source module = advanced syslog parser

data format = default
data retrieval  = default (syslog)
IP

DNS

Mask = 0
Support generic syslog = advanced syslog parser
rule assignment = rapid7 nexpose

encoding = none

I added the source after doing this configuration, but the Nexpose data source is showing a yellow flag (inactive state).
I ran the scan on Nexpose and configured alerts for all events, but no alert was received on McAfee ESM. I checked the network connectivity and it was OK between the systems.

How should I troubleshoot this?

I also found that I can add a VA source through Asset Manager, but that is the second option for us.

9 Replies
Reliable Contributor sssyyy
Message 2 of 10

Re: Nexpose Integration with McAfee ESM

I use VA source option with scheduled retrieval, works great for me.

Re: Nexpose Integration with McAfee ESM

I am adding Nexpose as a VA source using Asset Manager, but when testing the connection it failed with the following error:
Error: Command has timed out (ER68)

I selected Rapid7 Nexpose as a VA source, gave the IP / username and password of the Nexpose web console administrator and selected a weekly schedule.

Priority is set to 1 and the port is by default set to 3780.

I checked network connectivity from the SIEM to the Nexpose server on port 3780; it is connecting.

Reliable Contributor sssyyy
Message 4 of 10

Re: Nexpose Integration with McAfee ESM

Timed out??? Maybe check your Nexpose console is up and on port 3780? And verify the ERC can get through to the Nexpose console; check using telnet.

Re: Nexpose Integration with McAfee ESM

I checked; the ERC was not whitelisted in Nexpose. Now it's connecting.

I have configured it to fetch VA data on a daily basis, but on the last retrieval there is none. Is the time which needs to be set in the daily schedule the user time of the SIEM?

Re: Nexpose Integration with McAfee ESM

Hi, 

Would you be able to let me know how to whitelist the ERC IP on Rapid 7? 

TIA.

Re: Nexpose Integration with McAfee ESM

Thanks for the suggestion; through Asset Manager VA I am now getting the vulnerability data in the vulnerability summary dashboard.

Re: Nexpose Integration with McAfee ESM

I had to add each scanner as a datasource as well as the console.  You should get scan status events (i.e. scan started, scan finished) from the console datasource and vulnerabilities found events from each of the scanners. 

To troubleshoot, ssh to the receiver configured in the Nexpose alerts syslog server. Run "tcpdump -nni <interface> host <IP address console> or host <IP address scanner>" and start a Nexpose scan. If you don't see any traffic then the problem is with your Nexpose config. Otherwise, you should see events in your Nexpose datasources.

Re: Nexpose Integration with McAfee ESM

What do you mean by adding each scanner as a datasource? Previously I added Nexpose as a single data source and marked start, stop and vulnerability data in Nexpose, but couldn't get any event in ESM, and the Nexpose receiver was marked as inactive. I also tried tcpdump from the ESC/ERC to the Nexpose server and there was incoming data, but it was not visible in ESM.

Re: Nexpose Integration with McAfee ESM

Start/stop of scans events come from the server that the Nexpose console is installed on. Vulnerability events will come from the Nexpose scanners configured for the site scan, so you have to add each external scanner as a datasource if you want to see vulnerability data as events. If you aren't using external scanners then the one datasource is enough.

For fetching VA data, I had large scans that were timing out before all of the results were downloaded.  I had to change the timeout value in /etc/NitroGuard/vathirdparty.conf on the receiver to fix the problem.
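An added example, not part of the thread or of any McAfee or Rapid7 tooling: it tallies syslog senders from `tcpdump -nn` output taken on the receiver and compares them with the IPs configured as ESM data sources, which shows at a glance whether a scanner is sending events without having its own data source. The capture text, the addresses, the data source names and the syslog port 514 are constructed assumptions.

```python
import re
from collections import Counter

SYSLOG_PORT = 514  # assumption: Nexpose alerts go to the default syslog port

# Constructed `tcpdump -nn` output from the receiver (sample data, not from the thread).
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.0.2.10.41822 > 192.0.2.50.514: SYSLOG user.notice, length: 96
12:00:04.250000 IP 192.0.2.21.50311 > 192.0.2.50.514: SYSLOG user.notice, length: 212
12:00:04.900000 IP 192.0.2.21.50311 > 192.0.2.50.514: SYSLOG user.notice, length: 187
12:00:05.000000 IP 192.0.2.50.22 > 192.0.2.99.60122: Flags [P.], seq 1:37, ack 1, win 501, length 36
12:09:30.700000 IP 192.0.2.10.41822 > 192.0.2.50.514: SYSLOG user.notice, length: 98
"""

# tcpdump -nn prints "IP <src ip>.<src port> > <dst ip>.<dst port>:" for IPv4 packets.
PACKET_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def syslog_senders(capture, receiver_ip, port=SYSLOG_PORT):
    """Count packets per source IP that were sent to receiver_ip:port."""
    counts = Counter()
    for line in capture.splitlines():
        m = PACKET_RE.search(line)
        if m and m.group(3) == receiver_ip and int(m.group(4)) == port:
            counts[m.group(1)] += 1
    return counts


def compare_with_data_sources(counts, data_sources):
    """data_sources maps a data source name to the IP configured for it in ESM."""
    configured_ips = set(data_sources.values())
    # Configured data sources that sent nothing: check the Nexpose alert config.
    silent = sorted(name for name, ip in data_sources.items() if counts[ip] == 0)
    # Hosts sending syslog with no matching data source: add them in ESM.
    unconfigured = sorted(ip for ip in counts if ip not in configured_ips)
    return {"silent": silent, "unconfigured": unconfigured}


if __name__ == "__main__":
    # Hypothetical ESM data sources: the console plus one external scanner.
    sources = {"nexpose-console": "192.0.2.10", "scanner-2": "192.0.2.22"}
    seen = syslog_senders(SAMPLE_CAPTURE, "192.0.2.50")
    print(dict(seen))
    print(compare_with_data_sources(seen, sources))
```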
