5 Replies Latest reply on Dec 31, 2015 9:37 AM by Regis

    Importing Vulnerability information from Tenable SecurityCenter

    kwharris

      I am currently running ESM version 9.3.2 and I am looking at incorporating vulnerability scan information from Tenable Security Center into ESM.  While I see there is a parser and a mechanism to import Tenable Nessus Scanners, I do not see a parser for the action.  I do not think this is a big problem since the architecture is such that any scan that is initiated from the SC to a remote Nessus scanner is then captured (imported) to the Security Center application.  Effectively and Nessus Enterprise manager.

       

      The question I do have is does anyone have experience with working with the Tenable Nessus Vulnerability Scanner Parser and can provide not only the configuration details, but also the location of either the necessary XML or NBE file format.  Any insight/experience would be greatly appreciated.

        • 1. Re: Importing Vulnerability information from Tenable SecurityCenter
          Regis

          First, my condolences,  as there's no supported way to get there from here.   Yet.

           

          Now the good news:  I felt your pain and escalated to the point that McAfee and Tenable now have a partnership and apparently there is work being done on the nitro team to write a connector against the SC API.

           

          The problem with the XML .Nessus parser is that Tenable's XML export from Nessus and the XML export from the SC database differ in one very important way: the latter lacks values in the HOST_END tag pair. This causes the ESM parser to puke. If you wish to hack it with some scripting, you could post-process the nightly nessus v2 xml exports (which you can schedule in SC as a repository export) and populate the missing field with a date of your choosing and it might work today with ESM's nessus xml parser.

           

          Specifically, in a nessus v2 from security center you'll see <tag name="HOST_END"></tag>. In contrast, in an export from Nessus directly, you'll see something like <tag name="HOST_END">Mon Jun  2 11:59:13 2014</tag>.

           

          The ESM parser cares about this.

           

          Feel free to contact your sales rep, or if you're a platinum customer your TAM, and inquire about the status of PER 27691 McAfee ESM support for Tenable Security Center using Security Center API.

          • 2. Re: Importing Vulnerability information from Tenable SecurityCenter
            kwharris

            Thank you for your insight and information.

            • 3. Re: Importing Vulnerability information from Tenable SecurityCenter
              btadams

              Were you ever able to successfully import the VA scan data from Tenable Security Center into the SIEM? If so, what configuration did you have to use? Any insight into this would be helpful, as we are receiving the error "no data retrieved". We are using ESM 9.4.2, and Tenable Security Center 4.8.2.

               

              Thanks!

              • 4. Re: Importing Vulnerability information from Tenable SecurityCenter
                scott_lantern

                Has this question been answered for anyone by their support?

                 

                Thank you!

                • 5. Re: Importing Vulnerability information from Tenable SecurityCenter
                  Regis

                  Not to my knowledge.  The latest I recall on this was a mention at FOCUS that was a bit oblique saying to the effect that this relationship may soon get better between Tenable and McAfee?   I didn't press, but boy it'd sure be nice for this to work, especially with MVM finally getting killed and "no, use our [rather awful] vuln manager!"  no longer being in the realm of possibility.

                   

                  One way I have seen it work is to take a nessus v2 export out of security center,  post process that with a script that populated the date field in there that ESM seems to need as I described above,  and then bring that into esm.    But I haven't implemented as I was hoping for a real fix from Intel at some point that'd be less clunky.    But that was over a year ago...
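
The post-processing step described in replies 1 and 5, as an added example that is not code from any poster, McAfee or Tenable: it fills every empty HOST_END tag in a Nessus v2 export with a date in the format shown in reply 1. Reusing the host's HOST_START value when one is present is an assumption of this example, as are the function names and the constructed sample data; whether ESM then accepts the file is not verified here.

```python
import time
import xml.etree.ElementTree as ET

# Constructed sample: SecurityCenter-style Nessus v2 export with empty HOST_END tags.
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10"><HostProperties>
<tag name="HOST_START">Mon Jun  2 11:50:00 2014</tag>
<tag name="HOST_END"></tag>
</HostProperties></ReportHost>
<ReportHost name="192.0.2.11"><HostProperties>
<tag name="HOST_END"></tag>
</HostProperties></ReportHost>
<ReportHost name="192.0.2.12"><HostProperties>
<tag name="HOST_END">Mon Jun  2 11:59:13 2014</tag>
</HostProperties></ReportHost>
</Report></NessusClientData_v2>"""


def fill_host_end(root, fallback):
    """Populate empty HOST_END tags in place; return how many were filled."""
    filled = 0
    for props in root.iter("HostProperties"):
        tags = {t.get("name"): t for t in props.findall("tag")}
        end = tags.get("HOST_END")
        if end is None or (end.text or "").strip():
            continue  # tag absent, or it already carries a date: leave as is
        start = tags.get("HOST_START")
        start_text = (start.text or "").strip() if start is not None else ""
        # Assumption: prefer the host's own scan start time over an arbitrary date.
        end.text = start_text or fallback
        filled += 1
    return filled


def fix_export(xml_text, fallback=None):
    """Return (fixed_xml, filled_count) for one Nessus v2 export."""
    # time.asctime() yields the same layout as "Mon Jun  2 11:59:13 2014".
    fallback = fallback or time.asctime()
    root = ET.fromstring(xml_text)
    count = fill_host_end(root, fallback)
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    fixed, n = fix_export(SAMPLE)
    print(f"filled {n} HOST_END tag(s)")
    print(fixed)
```

Write the result to a new file and keep the original SecurityCenter export untouched, so the substituted dates can be told apart from real scan end times later.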