9 Replies Latest reply on Jun 22, 2016 8:21 PM by moorej1

    NeXpose & McAfee ESM ???

    moorej1

      Hi All,

      Need personal/business experience with NeXpose and Intel Mcafee SIEM.

      Specifically referring to this:

      https://www.rapid7.com/docs/Rapid7-Nexpose-McAfeeESM-Solution-Brief.pdf

      what value do you get?

      what does it solve?

      Who uses it?

      why do they use it?

      ALL experience and comments welcome.

      -Jesse

        • 1. Re: NeXpose & McAfee ESM ???
          Peter M

          Moved to SIEM for better responses.

          ---

          Peter

          Moderator

          • 2. Re: NeXpose & McAfee ESM ???
            jbmwk75

            We have never had luck getting anything useful from Rapid7. The notes I gathered in conversations with pro services are:

            Whatever account SIEM uses to communicate with the Rapid7 scanner has to be an admin. It looks for site scan reports. If we aren’t doing site scan reports, then nothing will be returned.

            If you get this to work, I would like to see your setup. Thanks!

            • 3. Re: NeXpose & McAfee ESM ???
              leigh.tomkinson

              Here is the Integration Guide for Nexpose into McAfee ESM

              • 4. Re: NeXpose & McAfee ESM ???
                penoffd

                The Nexpose integration guide is pretty confusing if you're on 9.6, as there is no data source for "syslog", Rapid7 or Nexpose. You have to use the data source "generic".

                Not sure if this is the case as well on earlier versions.

                • 5. Re: NeXpose & McAfee ESM ???
                  3no

                  NeXpose is not a data source; to add it, you have to click on the "Asset Manager" icon:

                  [screenshot: NeXpose.png]

                  Then go to the "Vulnerability Assessment" tab and configure your scanner:

                  [screenshot: Sans titre.png]

                  I use OpenVAS myself, but still I think you'll get the same level of information.

                  Adding a vulnerability scanner will give you access to some reports that were empty until now (Asset, Threat and Risk).

                  It also gives you a better "SEVERITY" score that is closer to reality.

                  And last (but not least), if you're doing some CyberSecurity or Incident Response, you can create a correlation rule like this:

                     - IF this asset is vulnerable to a specific attack
                     - AND the IPS/Firewall has seen this kind of event (NOT dropped)
                     - THEN generate an alarm.

                  Hope this helped and sorry for my English.
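                  The IF / AND / THEN rule in the reply above, written out as a small correlation script. This is an added example and is not code from the thread, from McAfee ESM or from Rapid7; it exists only to make the logic of the rule concrete. The asset inventory, the IPS log lines, the key=value log layout and the field names (`dst`, `cve`, `action`) are all constructed assumptions, not a real scanner export or a real ESM event format.

```python
"""Correlate vulnerability-scanner findings with IPS events.

Added example, not taken from the forum thread or from vendor code.
Every input below is constructed; the log layout is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a vulnerability-assessment export:
# asset IP -> set of vulnerability references the scanner reported.
VULN_INVENTORY = {
    "10.0.0.5": {"CVE-2014-0160", "CVE-2015-1635"},
    "10.0.0.9": {"CVE-2015-1635"},
}

# Constructed IPS/firewall events in an assumed key=value, syslog-style layout.
# 'action' is what the sensor did: "alert" (passed through) or "dropped".
IPS_LOG = """\
ts=2016-06-01T10:00:01Z src=203.0.113.7 dst=10.0.0.5 sig="TLS heartbeat oversized payload" cve=CVE-2014-0160 action=alert
ts=2016-06-01T10:00:02Z src=203.0.113.7 dst=10.0.0.5 sig="TLS heartbeat oversized payload" cve=CVE-2014-0160 action=dropped
ts=2016-06-01T10:00:03Z src=203.0.113.8 dst=10.0.0.9 sig="HTTP.sys range header overflow" cve=CVE-2015-1635 action=alert
ts=2016-06-01T10:00:04Z src=203.0.113.8 dst=10.0.0.9 sig="TLS heartbeat oversized payload" cve=CVE-2014-0160 action=alert
ts=2016-06-01T10:00:05Z src=203.0.113.9 dst=10.0.0.77 sig="HTTP.sys range header overflow" cve=CVE-2015-1635 action=alert
"""

# Matches key=value and key="quoted value" tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class IpsEvent:
    ts: str
    src: str
    dst: str
    sig: str
    cve: str
    action: str


def parse_ips_line(line):
    """Parse one assumed-format IPS line; return None if required fields are missing."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    try:
        return IpsEvent(fields["ts"], fields["src"], fields["dst"],
                        fields["sig"], fields["cve"], fields["action"])
    except KeyError:
        return None  # malformed line: skip it rather than abort the rule


def correlate(inventory, log_text):
    """Return one alarm per IPS event that (1) was NOT dropped, (2) targets an
    asset in the scanner inventory, and (3) exploits a weakness the scanner
    actually reported on that asset. Anything else is left out as noise."""
    alarms = []
    for raw in log_text.splitlines():
        ev = parse_ips_line(raw)
        if ev is None:
            continue
        if ev.action == "dropped":
            continue  # blocked inline: no exposure, so no alarm
        vulns = inventory.get(ev.dst)
        if not vulns or ev.cve not in vulns:
            continue  # target unknown, or not vulnerable to this attack
        alarms.append({"ts": ev.ts, "src": ev.src, "dst": ev.dst,
                       "cve": ev.cve, "sig": ev.sig})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(VULN_INVENTORY, IPS_LOG):
        print("ALARM", alarm)
```

                  Of the five constructed events, only two should fire: the dropped heartbeat attempt is suppressed, the heartbeat attempt against 10.0.0.9 is ignored because the scanner did not report that host as vulnerable to it, and the event against 10.0.0.77 is ignored because the host is not in the inventory at all. That filtering is the whole point of the rule: the IPS feed alone would have produced four alerts.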

                  • 6. Re: NeXpose & McAfee ESM ???
                    syed_rizvi

                    Please note that you may see API authentication errors when adding Rapid7 Nexpose 6.2 or later as a Vulnerability Assessment source. The problem is due to a code change in Nexpose. At this point, we are hoping MR1 will resolve this issue.

                    Furthermore, the attached integration guide in previous messages will not give you the asset scoring that can be used in a meaningful way.

                    • 7. Re: NeXpose & McAfee ESM ???
                      derek.perri

                      I am having this same issue: we are unable to integrate via the Nexpose (v6.3) API using valid credentials. We see a McAfee ESM error stating the server requires authorization when we are using the correct credentials. Nexpose has errors in its logs stating the creds are incorrect. I suspect the ESM is passing the creds incorrectly. Is there any update from McAfee on when this will work? P.S. Other major SIEM vendors have issues with the new release of Nexpose as well.

                      • 8. Re: NeXpose & McAfee ESM ???
                        moorej1

                        Auth.log info from NeXpose below:

                        Unable to determine login module for user, defaulting to XML. org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [SELECT u.user_id, u.user_login, u.user_name, u.user_email, u.user_disabled, u.authsrc_id, u.def_silo_id, a.module, a.source, u.super_user_ind, array((SELECT silo_id FROM REDACTED.silo_user_brg WHERE user_id = u.user_id)) AS silos
                        FROM REDACTED.users u
                          JOIN REDACTED.auth_source a USING (authsrc_id)
                          WHERE u.user_login = ?]; nested exception is org.postgresql.util.PSQLException: ERROR: permission denied for relation users
                          at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:99) ~[spring-jdbc-4.2.4.RELEASE.jar:4.2.4.RELEASE]

                        So it appears that Rapid7 has changed their DB schema and the SQL command that they gave McAfee no longer works.

                        Found this article on GRANTing permissions on tables:

                        postgresql - Permission denied for relation - Stack Overflow

                        • 9. Re: NeXpose & McAfee ESM ???
                          moorej1

                          I stand corrected. It looks like we are affected by an existing defect where a session login fails when the user is already logged in. Check access.log.