ishaqparacha
Level 7

Nexpose Integration with McAfee ESM

I am trying to integrate Nexpose with McAfee ESM using the configuration guide provided on the Rapid7 website:

https://community.rapid7.com/docs/DOC-2647

I have noticed that this guide is for the old version of ESM (9.x), but I am using ESM 10.0.

I am adding the following in the configuration under the "add a child data source" menu:

data source = generic
data source module = advanced syslog parser
data format = default
data retrieval = default (syslog)
IP
DNS
Mask = 0
Support generic syslog = advanced syslog parser
rule assignment = rapid7 nexpose
encoding = none

I added the source after doing this configuration, but the Nexpose data source is showing a yellow flag (inactive state).
I ran a scan on Nexpose and configured alerts for all events, but no alert was received on McAfee ESM. I checked the network connectivity between the systems and it was OK.

How should I troubleshoot this?

I also found that I can add a VA source through Asset Manager, but that is the second option for us.

8 Replies
sssyyy
Level 12

Re: Nexpose Integration with McAfee ESM

I use VA source option with scheduled retrieval, works great for me.

ishaqparacha
Level 7

Re: Nexpose Integration with McAfee ESM

I am adding Nexpose as a VA source using Asset Manager, but when testing the connection it fails with the following error:
Error: Command has timed out (ER68)

I selected Rapid7 Nexpose as the VA source, gave the IP / username and password of the Nexpose web console administrator, and selected a weekly schedule.

Priority is set to 1 and the port is set to the default of 3780.

I checked network connectivity from the SIEM to the Nexpose server on port 3780 and it is connecting.

sssyyy
Level 12

Re: Nexpose Integration with McAfee ESM

Timed out??? Maybe check that your Nexpose console is up and on port 3780, and verify the ERC can get through to the Nexpose console; check using telnet.

ishaqparacha
Level 7

Re: Nexpose Integration with McAfee ESM

I checked: the ERC was not whitelisted in Nexpose. Now it is connecting.

I have configured it to fetch VA data on a daily basis, but the last retrieval shows none. Is the time that needs to be set in the daily schedule the user time of the SIEM?

ishaqparacha
Level 7

Re: Nexpose Integration with McAfee ESM

Thanks for the suggestion. Through the Asset Manager VA source I am now getting the vulnerability data showing in the vulnerability summary dashboard.

diehard_007
Level 7

Re: Nexpose Integration with McAfee ESM

I had to add each scanner as a datasource as well as the console. You should get scan status events (i.e. scan started, scan finished) from the console datasource and vulnerabilities-found events from each of the scanners.

To troubleshoot, ssh to the receiver configured in the Nexpose alerts syslog server. Run "tcpdump -nni <interface> host <IP address console> or host <IP address scanner>" (with the receiver's capture interface in place of <interface>) and start a Nexpose scan. If you don't see any traffic then the problem is with your Nexpose config. Otherwise, you should see events in your Nexpose datasources.

ishaqparacha
Level 7

Re: Nexpose Integration with McAfee ESM

What do you mean by adding each scanner as a datasource? Previously I added Nexpose as a single data source and marked start, stop and vulnerability data in Nexpose, but couldn't get any event in ESM, and the Nexpose receiver was marked as inactive. I also tried tcpdump from the ESM/ERC to the Nexpose server and there was incoming data, but it was not visible in ESM.

diehard_007
Level 7

Re: Nexpose Integration with McAfee ESM

Start/stop scan events come from the server that the Nexpose console is installed on. Vulnerability events will come from the Nexpose scanners configured for the site scan, so you have to add each external scanner as a datasource if you want to see vulnerability data as events. If you aren't using external scanners then the one datasource is enough.

For fetching VA data, I had large scans that were timing out before all of the results were downloaded. I had to change the timeout value in /etc/NitroGuard/vathirdparty.conf on the receiver to fix the problem.

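The two points above (syslog must arrive from the console and from every scanner, and tcpdump on the receiver is the way to confirm it) can be checked without reading raw packet output. The following is an added example, not code from the thread or from McAfee/Rapid7: it collects syslog datagrams on the receiver for a short window and reports which expected Nexpose sources delivered events and which stayed silent. The IPs, message texts and the `source_report` / `capture_udp_syslog` names are constructed for the example; the message texts do not follow the real Nexpose alert format.

```python
"""Check which Nexpose sources (console plus each scanner) are actually
delivering syslog to the ESM receiver. Added example; IPs and message
texts below are constructed samples, not real Nexpose output."""
import socket
import time
from collections import Counter


def capture_udp_syslog(port=514, seconds=30, bind_addr="0.0.0.0"):
    """Listen on the receiver's syslog UDP port for a fixed window while a
    Nexpose scan runs. Needs privileges for port 514 and nothing else bound
    to it. Returns a list of (source_ip, message_text)."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(1.0)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                data, (src_ip, _) = sock.recvfrom(65535)
            except socket.timeout:
                continue
            seen.append((src_ip, data.decode("utf-8", "replace")))
    return seen


def source_report(datagrams, console_ip, scanner_ips):
    """Count datagrams per expected source. A silent scanner is the usual
    reason vulnerability events never show up in the ESM datasource."""
    counts = Counter(src for src, _ in datagrams)
    expected = {"console": console_ip}
    expected.update({f"scanner:{ip}": ip for ip in scanner_ips})
    report = {name: counts.get(ip, 0) for name, ip in expected.items()}
    silent = [name for name, n in report.items() if n == 0]
    unexpected = sorted(set(counts) - set(expected.values()))
    return {"counts": report, "silent": silent, "unexpected": unexpected}


# Constructed sample: the console sends scan status, one scanner sends
# findings, the second scanner sends nothing (e.g. not pointed at the ERC).
SAMPLE = [
    ("10.0.0.10", "<14>Nexpose: scan started site=HQ"),
    ("10.0.0.21", "<14>Nexpose: vulnerability found host=10.0.1.5"),
    ("10.0.0.21", "<14>Nexpose: vulnerability found host=10.0.1.6"),
    ("10.0.0.10", "<14>Nexpose: scan finished site=HQ"),
    ("10.0.0.99", "<14>cron: unrelated message"),
]

if __name__ == "__main__":
    # On a real receiver, replace SAMPLE with capture_udp_syslog().
    print(source_report(SAMPLE, "10.0.0.10", ["10.0.0.21", "10.0.0.22"]))
```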