Adding a NMap Remote Result Import
A remote results import retrieves completed NMap scan reports over SSH.
Scans must be generated in XML format by using the -oX option on your NMap scanner. After you add your NMap scanner, you must assign a scan schedule to specify the frequency that the vulnerability data is imported from scanner.
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify your NMap scanner.
- From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.
- From the Type list, select Nessus Scanner.
- From the Collection Type list, select Remote Results Import.
- In the Server Hostname field, type the host name or IP address of the remote system that hosts the NMap client. Adminitrators should host NMap on a UNIX-based system with SSH enabled.
- Choose one of the following authentication options:
Option
Description
Login Username
To authenticate with a user name and password:
In the Server Username field, type the user name that is required to access the remote system that hosts NMap client.
In the Login Password field, type the password that is associated with the user name.
The password must not contain the ! character. This character might cause authentication failures over SSH.
If the scanner is configured to use a password, the SSH scanner server to that connects to JSA must support password authentication.
If it does not, SSH authentication for the scanner fails. Ensure the following line is displayed in your /etc/ssh/sshd_config file: PasswordAuthentication yes.
If your scanner server does not use OpenSSH, see the vendor documentation for the scanner configuration information.
Enable Key Authorization
To authenticate with a key-based authentication file:
Select the Enable Key Authentication check box.
In the Private Key File field, type the directory path to the key file.
The default directory for the key file is/opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.
Note:The
vis.ssh.key
file must havevis qradar
ownership.For example:
# ls -al /opt/qradar/conf/vis.ssh.key -rw------- 1 vis qradar 1679 Aug 7 06:24 /opt/qradar/conf/vis.ssh.key
- In the Remote Folder field, type the directory
location of the scan result files.
Linux example: /home/scans
Windows example: /c:/zenmap
- In the Remote File Pattern field, type a regular
expression (regex) that is required to filter the list of files that
are specified in the remote folder. All matching files are included
in the processing.
The default regex pattern to retrieve NMap results is .*\.xml. The .*\.xml pattern imports all xml result files in the remote folder.
Scan reports imported and processed are not deleted from the remote folder. You should schedule a cron job to delete previously processed scan reports.
- To configure a CIDR range for your scanner:
In the text field, type the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
You are now ready to create a scan schedule. See Scheduling a Vulnerability Scan