
Adding a Rapid7 NeXpose Scanner Local File Import

 

JSA uses local files to import site vulnerability data from your Rapid7 Nexpose scanner.

Before you add this scanner, a server certificate is required to support HTTPS connections. JSA supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:

  • Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.

  • SSH into the Console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified host name or IP and placed into the /opt/qradar/conf/trusted_certificates directory in the appropriate format.

Local file imports collect vulnerabilities for a site from a local file that is downloaded. The Rapid7 NeXpose XML file that contains the site and vulnerability information must be copied from your Rapid7 NeXpose appliance to the Console or managed host you specify when the scanner is added to JSA. The destination directory on the managed host must exist before the Rapid7 NeXpose appliance can copy site reports to the managed host. The site files can be copied to the managed host using Secure Copy (SCP) or Secure File Transfer Protocol (SFTP).

The import directory created on the managed host or JSA console must have the appropriate owner and permissions set for the vis user within JSA. For example, chown -R vis:qradar <import_directory_path> and chmod 755 <import_directory_path> set the owner of the import directory path to the vis user with adequate read-write-execute permissions.

Note

Site files that are imported are not deleted from the import folder, but renamed to .processed0. Administrators can create a cron job to delete previously processed site files.
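
One way to implement the cleanup cron job mentioned in the note, as an added example that is not part of the JSA product or its documentation. It assumes processed files keep a name ending in .processed0; the script path, schedule and 7-day default retention are illustrative.

```shell
#!/bin/bash
# Added example, not part of the JSA product. Assumes processed site files
# end in ".processed0"; the script path and schedule below are placeholders.
#
# Hypothetical crontab entry (daily at 02:30, keep 14 days):
#   30 2 * * * /usr/local/sbin/purge_processed.sh <import_directory_path> 14

# purge_processed <import_dir> [retention_days]
# Deletes regular files named *.processed0 directly inside <import_dir> that
# were last modified more than <retention_days> full days ago, and prints
# how many files were removed.
purge_processed() {
    local dir="$1" days="${2:-7}"

    # Refuse empty, root, or relative paths so a bad cron argument cannot
    # point the delete at an unintended location.
    case "$dir" in
        ""|"/") echo "refusing to clean '$dir'" >&2; return 2 ;;
        /*)     ;;
        *)      echo "import directory must be an absolute path" >&2; return 2 ;;
    esac
    # The import folder must be a real directory, not a symlink to one.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a directory: $dir" >&2; return 2
    fi
    # The retention period must be a non-negative integer.
    case "$days" in
        ""|*[!0-9]*) echo "retention_days must be a whole number" >&2; return 2 ;;
    esac

    # -maxdepth 1 stays inside the import folder; -type f skips symlinks and
    # directories; unprocessed *.xml files never match the name filter.
    find "$dir" -maxdepth 1 -type f -name '*.processed0' -mtime +"$days" \
        -print -delete | wc -l | tr -d ' '
}

# Run only when arguments are supplied (for example from cron).
if [ "$#" -gt 0 ]; then
    purge_processed "$@"
fi
```

Site files that have not yet been imported are left alone because they do not carry the .processed0 name.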

You must use the XML Export or XML Export 2.0 report format for the XML export to JSA.

XML Export is also known as raw XML. The XML export contains an extensive set of scan data with the smallest amount of structure. The XML export scan data must be parsed so that other systems can use the information.

XML Export 2.0 is similar to XML Export, but has more attributes:

  • Asset Risk

  • Exploit Title

  • Site Name

  • Exploit IDs

  • Malware Kit Name(s)

  • Site Importance

  • Exploit Skill Needed

  • PCI Compliance Status

  • Vulnerability Risk

  • Exploit Source Link

  • Scan ID

  • Vulnerability Since

  • Exploit Type

  • Scan Template

  1. Click Admin > System Configuration.
  2. Click the VA Scanners icon, and then click Add.
  3. Type a Scanner Name to identify your Rapid7 NeXpose scanner.
  4. Select the Managed Host from your JSA deployment that manages the scanner import.
  5. Select Rapid7 Nexpose Scanner from the Type list.
  6. From the Import Type list, select Import Site Data - Local File.
  7. Type the directory path to the XML vulnerability data in the Import Folder field. If you specify an import folder, you must move the vulnerability data from your Rapid7 Nexpose scanner to JSA.
  8. In the Import Name Pattern field, type a regular expression (regex) pattern to determine which Rapid7 Nexpose XML files to include in the scan report. All file names that match the regex pattern are included when the vulnerability scan report is imported. You must use a valid regex pattern in this field. The default value ..*\.xml imports all files from the import folder.
  9. Enter the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
  10. Click Save.
  11. On the Admin tab, click Deploy Changes.

You are now ready to create a scan schedule. See Scheduling a Vulnerability Scan.