1 Reply Latest reply on Jun 15, 2010 8:04 PM by AlaXul

    Integration between NSP 6 and MVM 6.8

    msimard

      I am trying to integrate MVM3000 version 6.8 into the NSP NSM version 6.0.3.4. The ability to launch scans from the NSM is working, but the relevance is not:

       

      There is a lot of scan data in the Foundstone database related to the alarm that I got in the NSM.

      One example is: a Lotus Notes server gets a high alert for SMTP Microsoft MIME decoding. The relevance is showing unknown.

       

      When I look in the ems.log, here is what I got:

       

      2010-06-08 14:46:58,359 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - Start importing vulnerability data from FoundStone database
      2010-06-08 14:46:58,359 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - Last Import Time is 2010-06-08 14:43:16.0
      2010-06-08 14:46:58,405 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - FSDBConnectionManager:getConnection()Got connection to the database...
      2010-06-08 14:46:58,405 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager -  callProcedure() : Procedure Name { call ismScan_GetHostVulnData(?) }
      2010-06-08 14:46:58,405 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - callProcedure(String,Connection, params[1]){ call ismScan_GetHostVulnData(?) }
      2010-06-08 14:46:58,405 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager -  params[1] 2010-06-08 14:43:16.0
      2010-06-08 14:46:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - Scheduled import of vulnerability data was successful
      2010-06-08 14:46:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.servicedelegate.FSServiceDelegate -  FoundStone Vulnerability data imported for 0 Hosts
      2010-06-08 14:46:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.servicedelegate.FSServiceDelegate - No vulnerability records found for inport from FoundStone database
      2010-06-08 14:47:01,030 INFO  [Thread-106] iv.acm.nio.SSLChannel - Unwrapping:
      Status = OK HandshakeStatus = NOT_HANDSHAKING
      bytesConsumed = 297 bytesProduced = 276
      2010-06-08 14:47:01,030 INFO  [Thread-106] iv.acm.nio.SSLChannel - Unwrapping:
      Status = OK HandshakeStatus = NOT_HANDSHAKING
      bytesConsumed = 285 bytesProduced = 264
      2010-06-08 14:47:01,030 INFO  [pool-3-thread-41] iv.acm.serverhandler - ACM server (localsession=9) loads no incident from DB initially.
      2010-06-08 14:47:01,405 INFO  [Thread-106] iv.acm.nio.SSLChannel - Unwrapping:
      Status = OK HandshakeStatus = NOT_HANDSHAKING
      bytesConsumed = 289 bytesProduced = 268
      2010-06-08 14:47:01,405 INFO  [Thread-106] iv.acm.nio.SSLChannel - Unwrapping:
      Status = OK HandshakeStatus = NOT_HANDSHAKING
      bytesConsumed = 289 bytesProduced = 268

       

      So the communication between the two looks good, but it can't get any info from the Foundstone database.

       

      Any idea? Has anyone seen this?

       

      Thanks.

        • 1. Re: Integration between NSP 6 and MVM 6.8

          "Microsoft mime decoding" is an exploit designed to take advantage of a flaw in Outlook. The receiving host IP would typically be the mail server or mail gateway device. These hosts would not suffer from this vulnerability and therefore relevance would not be appropriate. Also, looking at your ems.log, it appears as though you are not importing any scan data. You should verify that scan names are spelled correctly; I believe caps matter.

           

          Regards,
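
The pattern the reply points to in the ems.log (an import that reports success but brings in 0 hosts) can be checked for mechanically. The script below is an added example, not part of either post and not vendor code; it assumes the log line layout shown in the excerpt above, and the last sample line is constructed to exercise the non-zero case.

```python
import re
from datetime import datetime

# The first five lines are copied from the ems.log excerpt in the question;
# the last line is constructed (not from the thread) to show a non-empty import.
SAMPLE_LOG = """\
2010-06-08 14:46:58,359 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - Last Import Time is 2010-06-08 14:43:16.0
2010-06-08 14:46:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.dao.FSDBConnectionManager - Scheduled import of vulnerability data was successful
2010-06-08 14:46:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.servicedelegate.FSServiceDelegate -  FoundStone Vulnerability data imported for 0 Hosts
2010-06-08 14:47:01,030 INFO  [Thread-106] iv.acm.nio.SSLChannel - Unwrapping:
Status = OK HandshakeStatus = NOT_HANDSHAKING
2010-06-08 14:51:58,421 INFO  [ajp-127.0.0.1-8009-4] com.intruvert.fs.servicedelegate.FSServiceDelegate -  FoundStone Vulnerability data imported for 3 Hosts
"""

# timestamp,millis LEVEL [thread] logger - message
HEAD = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \w+\s+\[([^\]]+)\] \S+ -\s+(.*)$")
SINCE = re.compile(r"Last Import Time is (.+)$")
HOSTS = re.compile(r"data imported for (\d+) Hosts")

def import_cycles(log_text):
    """One record per import cycle: when it ran, the cutoff used, hosts imported."""
    pending = {}   # thread name -> "Last Import Time" last seen on that thread
    cycles = []
    for line in log_text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue   # continuation lines ("Status = OK ...") have no header
        stamp, thread, msg = m.groups()
        if (s := SINCE.search(msg)):
            pending[thread] = s.group(1).strip()
        elif (h := HOSTS.search(msg)):
            cycles.append({
                "ran_at": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                "since": pending.pop(thread, None),   # None if cutoff not logged
                "hosts": int(h.group(1)),
            })
    return cycles

def empty_cycles(cycles):
    """Cycles where the import completed but returned no hosts."""
    return [c for c in cycles if c["hosts"] == 0]

if __name__ == "__main__":
    for c in import_cycles(SAMPLE_LOG):
        flag = "EMPTY" if c["hosts"] == 0 else "ok"
        print(f'{c["ran_at"]}  since={c["since"]}  hosts={c["hosts"]}  {flag}')
```

The `since` value is the cutoff passed to the import: a run of consecutive empty cycles whose cutoff keeps advancing means only scan data newer than that cutoff is being requested each time.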