8 Replies Latest reply on Jun 6, 2017 11:15 AM by diehard_007

    Nexpose Integration with McAfee ESM

    ishaqparacha

      I am trying to integrate Nexpose with McAfee ESM using the configuration guide provided on the Rapid7 website:

      https://community.rapid7.com/docs/DOC-2647

      I have noticed that this guide is for the old version of ESM, 9.x, but I am using ESM 10.0.

      I am adding the following in the configuration under the "add a child data source" menu:

       

      data source = generic
      data source module = advanced syslog parser
      data format = default
      data retrieval = default (syslog)
      IP
      DNS
      Mask = 0
      support generic syslog = advanced syslog parser
      rule assignment = Rapid7 Nexpose
      encoding = none

      I added the source after doing this configuration, but the Nexpose data source is showing a yellow flag (inactive state).
      I ran a scan on Nexpose and configured alerts for all events, but no alert was received on McAfee ESM. I checked the network connectivity and it was OK between the systems.

      How should I troubleshoot this?

      I also found that I can add a VA source through Asset Manager, but that is the second option for us.

        • 1. Re: Nexpose Integration with McAfee ESM
          sssyyy

          I use the VA source option with scheduled retrieval; it works great for me.
          • 2. Re: Nexpose Integration with McAfee ESM
            ishaqparacha

            I am adding Nexpose as a VA source using Asset Manager, but when testing the connection it fails with the following error:
            Error: Command has timed out (ER68)

            I selected Rapid7 Nexpose as the VA source, gave the IP / username and password of the Nexpose web console administrator, and selected a weekly schedule.

            Priority is set to 1 and the port is set to 3780 by default.

            I checked network connectivity from the SIEM to the Nexpose server on port 3780 and it is connecting.

            • 3. Re: Nexpose Integration with McAfee ESM
              sssyyy

              Timed out??? Maybe check that your Nexpose console is up and on port 3780, and verify the ERC can get through to the Nexpose console; check using telnet.
              • 4. Re: Nexpose Integration with McAfee ESM
                ishaqparacha

                I checked: the ERC was not whitelisted in Nexpose. Now it is connecting.

                I have configured it to fetch VA data on a daily basis, but on the last retrieval there was none. Is the time that needs to be set in the daily schedule the user time of the SIEM?

                • 5. Re: Nexpose Integration with McAfee ESM
                  diehard_007

                  I had to add each scanner as a datasource as well as the console. You should get scan status events (i.e. scan started, scan finished) from the console datasource and vulnerabilities found events from each of the scanners.

                  To troubleshoot, ssh to the receiver configured in the Nexpose alerts syslog server. Run "tcpdump -nni host <IP address console> or host <IP address scanner>" and start a Nexpose scan. If you don't see any traffic then the problem is with your Nexpose config. Otherwise, you should see events in your Nexpose datasources.
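An added example, not code from this thread or from Rapid7 or McAfee, that turns the tcpdump check in the reply above into a small POSIX shell script for the receiver: it builds the capture filter from the console and scanner addresses, captures on a named interface while a scan runs, and then summarises which hosts actually sent packets so you can separate a Nexpose-side problem (no traffic at all) from an ESM-side one (traffic arriving from a host that has no datasource). The IP addresses, the interface name and the capture lines are constructed placeholders, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage Nexpose syslog traffic on a McAfee receiver.
# All addresses and sample capture lines below are constructed placeholders.

# Build the tcpdump filter "host <console> or host <scanner> ..." from
# the console address followed by any number of scanner addresses.
nexpose_filter() {
    console="$1"; shift
    f="host $console"
    for s in "$@"; do
        f="$f or host $s"
    done
    printf '%s\n' "$f"
}

# Capture a bounded number of packets on the given interface while a
# Nexpose scan is running. Needs root on the receiver; writes the text
# output of tcpdump to the file named in $3.
capture_nexpose_traffic() {
    iface="$1"; filter="$2"; out="$3"
    tcpdump -nn -l -i "$iface" -c 200 "$filter" > "$out" 2>/dev/null
}

# Summarise a tcpdump -nn text capture: count packets whose source host
# is the console, one of the scanners (space-separated list), or neither.
# Prints "console=<n> scanner=<n> other=<n>".
summarize_capture() {
    console="$1"; scanners="$2"; file="$3"
    awk -v console="$console" -v scanners="$scanners" '
        BEGIN { n = split(scanners, sc, " "); for (i = 1; i <= n; i++) isScanner[sc[i]] = 1 }
        /IP / {
            # third field is "src.port"; strip the trailing port number
            src = $3; sub(/\.[0-9]+$/, "", src)
            if (src == console) c++
            else if (src in isScanner) s++
            else o++
        }
        END { printf "console=%d scanner=%d other=%d\n", c+0, s+0, o+0 }
    ' "$file"
}

# Interpret the summary the way the reply does: no packets from Nexpose
# means the alert/syslog config on the Nexpose side is wrong; packets
# present means the sending host needs its own ESM datasource.
diagnose() {
    case "$1" in
        "console=0 scanner=0"*) echo "no-traffic: check Nexpose syslog alert config" ;;
        *) echo "traffic-seen: check ESM datasource for each sending host" ;;
    esac
}

# Constructed sample capture (placeholder IPs), standing in for tcpdump
# output: 10.0.0.5 is the console, 10.0.0.6 a scanner, 10.0.0.77 unrelated.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.514: UDP, length 180
12:00:02.000001 IP 10.0.0.6.51235 > 10.0.0.9.514: UDP, length 220
12:00:03.000001 IP 10.0.0.6.51235 > 10.0.0.9.514: UDP, length 210
12:00:04.000001 IP 10.0.0.77.40000 > 10.0.0.9.514: UDP, length 90
EOF
}

# Usage on a real receiver (uncomment; requires root):
#   capture_nexpose_traffic eth0 "$(nexpose_filter 10.0.0.5 10.0.0.6)" /tmp/nexpose.cap
#   diagnose "$(summarize_capture 10.0.0.5 "10.0.0.6" /tmp/nexpose.cap)"
```

Run it during a scan; a summary with packets from a scanner address that has no datasource in ESM is the situation the reply describes, where the traffic arrives but no events appear.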

                  • 6. Re: Nexpose Integration with McAfee ESM
                    ishaqparacha

                    Thanks for the suggestion. Through the Asset Manager VA source I am now getting the vulnerability data showing in the vulnerability summary dashboard.

                    • 7. Re: Nexpose Integration with McAfee ESM
                      ishaqparacha

                      What do you mean by add each scanner as a datasource? Previously I added Nexpose as a single data source and marked start, stop and vulnerability data in Nexpose, but couldn't get any event in ESM, and the Nexpose receiver was marked as inactive. I also tried tcpdump from the esc/erc to the Nexpose server and there was incoming data, but it was not visible in ESM.

                      • 8. Re: Nexpose Integration with McAfee ESM
                        diehard_007

                        Start/stop of scan events come from the server that the Nexpose console is installed on. Vulnerability events will come from the Nexpose scanners configured for the site scan, so you have to add each external scanner as a datasource if you want to see vulnerability data as events. If you aren't using external scanners then the one datasource is enough.

                        For fetching VA data, I had large scans that were timing out before all of the results were downloaded. I had to change the timeout value in /etc/NitroGuard/vathirdparty.conf on the receiver to fix the problem.