Tenable Security Center to Sourcefire Firesight vulnerability connector

nathig001
Level 1

I am looking for a guide on how to connect Sourcefire to Nessus Security Center to pull in vulnerability data and then change our recommended IPS signatures based on the data imported. I see there were some old connectors in the forums and also a Perl script that seems to not work anymore. Any help on this would be fantastic!

20 Replies

dohurd
Cisco Employee

Sorry if this is a dumb question, but did you look at this connector?

https://supportforums.cisco.com/document/12261131/tenable-connector-and-docs-v30

I am very glad the supporting documentation is written so well for this... It states exactly where I need to upload the file to get this to run, and what options I need to add to get the connection.

Sarcasm aside I could not get this to work in our environment. Any other tips or suggestions?

I'm assuming you're talking about the README file in the .zip with the connector. I do not have any other documentation. Tell me exactly where you get stuck and I can have a few sales engineers comment. We're usually able to get this stuff working.

I am trying to create a third-party mapping that will import Nessus scan results to help cut down on the number of signatures that we use in our environment based on Firesight, so we can reduce false positives. How do I import the Nessus scan database results to help correlate the signatures that can be removed from our environment based on the systems we have? Is this possible to do? Where do I go to connect the systems together? Does Firesight log into Tenable Security Center with a username and password to pull the data? Do I connect it to a repository of Nessus? I have been told to go to Policy > Application Detectors > Third-Party Mappings by a Cisco engineer, but I don't see where to input credentials to pull in the found vulnerabilities in the environment based on IP address, DNS name, etc.

I see the connector tool is here with the .zip file and you rename it to tar.gz, but trying to import that data does not work and I am getting a wrong file type error. Is the link of the connector what I need to pull in the Tenable Security Center results?

First let me help you through some of your questions. The systems are connected together through the included Perl script in the zip file. It's done through a shell script in the CLI. The actual script is what logs into both. It uses an HTTPS RESTful API on the Tenable side, and we provide client/server authentication through certificates. The engineer was referring to preferring third-party scans over the internal database.

Yes, the link that dohurd provided does come with one of the better README files I have seen on the host input option. There are a few things to think about when you do this.

Second, we do have a setting in the Firepower Manager that is a preference for using the third-party scans for Firesight or using the built-in passive vulnerability database. The reason you may want to use the passive vulnerability database and err on being too exact is that if you leverage an active scan option and the scan report is dated, you could find systems that had been hardened and are now vulnerable. Maybe that system was put into production without the patch having been implemented. Just something to think about as you work within the system.

Lastly, installation guidance. I'll give you the walkthrough for getting a 6.X version to work; the 5.X version's menu structure is slightly different, but the submenus are more or less the same.

In 6.X you would navigate over to System -> Integration -> Host Input Client and generate a new certificate for your host input client. Keep this, and if you generated it with a password keep that too; you will need both.

Next take this tarball and extract it; depending on your system you could choose to do this on your Security Center system. If you do, you will need to read through the requirements for the various Perl modules you will need. If you are using Ubuntu, this should help:

# sudo apt-get install liblwp-protocol-https-perl libio-socket-ssl-perl libhttp-cookies-perl libnet-ip-perl libyaml-libyaml-perl libnet-ssleay-perl

Now I recommend copying everything (the zip file and the PKCS12 file, which is your host input certificate) into a directory on a host.

Once it is all there, extract the zip file. You will need to edit the included .yml file. Use a text editor and edit InputPlugins/SecurityCenter.yaml; the instructions are pretty clear on this in the README file.

If you want to test if the connector is working for your build of security center run the following command:

perl ./SecurityCenter.pl -c test.csv

If the CSV file is built correctly then you should have a good dataset. From this point it is probably recommended to use crontab -e to set a job to execute this file on a semi-regular basis to keep the system fresh.

Once you do this, go over to the Firepower Manager under Analysis -> Third Party Vulnerabilities and you should see data filled in correlating CVE information.

Happy to help, 
Moses
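The walkthrough above ends with a cron job that runs the connector unattended, which is exactly where a dated or failed run can leave the Firepower Manager quietly working from stale data. The wrapper below is an added example, not part of the connector or of any post in this thread: it runs SecurityCenter.pl into a temporary CSV, promotes that CSV only when the run logged no [ERROR] line and produced data rows, and otherwise keeps the previous good file and exits non-zero so cron mail flags it. The directory, file names, the `run`/`selfcheck` modes and the six-hour schedule are assumptions.

```shell
#!/bin/sh
# Added example (not the connector's own code): cron wrapper for the
# SecurityCenter.pl run described in this thread. A run that logs [ERROR]
# or yields an empty CSV is rejected and never replaces the last good CSV.
# Paths, file names and the 'run'/'selfcheck' modes are assumptions.
CONNECTOR_DIR="${CONNECTOR_DIR:-$HOME/SecurityCenter}"
CSV="${CSV:-$CONNECTOR_DIR/Output.csv}"
LOG="${LOG:-$CONNECTOR_DIR/last_run.log}"

# Return 0 if the connector log has an [ERROR] line. The connector logs in the
# form "Thu Jul 28 15:16:02 2016 [ERROR] SecurityCenter Vulnerability ..."
log_has_error() {
    grep -q '\[ERROR\]' "$1"
}

# Return 0 if the CSV exists and has at least one data row beyond the header.
csv_has_rows() {
    [ -f "$1" ] && [ "$(grep -c . "$1")" -gt 1 ]
}

# Run the connector into a temp file; promote it only if the run looks healthy.
run_connector() {
    cd "$CONNECTOR_DIR" || return 2
    tmp="$CSV.tmp.$$"
    perl ./SecurityCenter.pl -c="$tmp" -pl=InputPlugins/SecurityCenter.yaml >"$LOG" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ] || log_has_error "$LOG" || ! csv_has_rows "$tmp"; then
        echo "connector run failed (rc=$rc); kept previous $CSV, see $LOG" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$CSV"
}

# Exercise the two checks offline against constructed sample data.
selfcheck() {
    d=$(mktemp -d)
    echo 'Thu Jul 28 15:16:02 2016 [ERROR] SecurityCenter Vulnerability Request Failed 500' >"$d/bad.log"
    printf 'ip,cve\n' >"$d/header_only.csv"
    log_has_error "$d/bad.log" && ! csv_has_rows "$d/header_only.csv" && echo "selfcheck ok"
    rm -rf "$d"
}

# Cron example (assumed schedule): 0 */6 * * * /usr/local/bin/sc_connector_cron.sh run
case "${1:-}" in
    run) run_connector ;;
    selfcheck) selfcheck ;;
esac
```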

Here is the error I am getting when trying to run the script.

:~/SecurityCenter$ ./SecurityCenter.pl -c=Output.csv -pl=InputPlugins/SecurityCenter.yaml
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 384.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 385.
keys on reference is experimental at InputPlugins/SecurityCenter.pm line 386.
Use of uninitialized value in lc at SFHostInputAgent.pm line 203.
Thu Jul 28 15:16:02 2016 [INFO] SecurityCenter JSON Vulnerability Processing Starting
Thu Jul 28 15:16:02 2016 [INFO] Server: infoseccenter
Thu Jul 28 15:16:02 2016 [ERROR] SecurityCenter Vulnerability Request Failed 500 Can't connect to infoseccenter:443 (certificate verify failed)

Request failed!!
500 Can't connect to infoseccenter:443 (certificate verify failed)
Error : Can't use string ("1") as a SCALAR ref while "strict refs" in use at SFHostInputAgent.pm line 318.

Did you ever find a solution to your problem?


Contact with Cisco and Tenable resulted in the same results as above.

Cisco: SecurityCenter is using a new API, a RESTful API (HTTP-oriented calls). The Perl script (which creates a CSV file, a DIFF file) is for the old version, not the RESTful API.

Tenable: We stopped supporting the old API nearly 3 years ago.

My perception: SF is more proprietary and the developers are not working on this feature any longer.

Cisco has made no efforts to use the RESTful API to address this.

No one at Cisco Professional Services seems to want to tackle this.

Yes, even after Cisco had acquired SF, the word was yes, this is a supported feature. As with most users I see, this is not a supported feature.

If anyone gets this working let the forum know.

Cisco Support is hoping to have a connector finished by the end of August, I've been pushing really hard on my Tenable and Cisco reps and hopefully there is positive movement now.  I would suggest you do the same if you have a horse in this race.  Call your Tenable rep and contact your Cisco rep and start aggravating the crap out of them until you start to see progress.  I won't name any of mine here, but they are at least talking to each other and me and telling me they have an "August" timeline for completion. 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Did they end up making this happen?

Hi - was there ever a resolution to this?  I'm essentially trying to do the same thing, but there isn't a whole lot of documentation on this.


The connector only works with older versions of both Security Center and Firesight. Unless something has changed recently that I am not aware of on the new Tenable.io, it will not work. This would be a feature that is nice to have, but since it doesn't work and both Cisco and Tenable have poor documentation, I don't think it will be going anywhere anytime soon.

This was a feature pitched to us when purchasing both Tenable Security Center and Cisco's SourceFire solution so I will be sorely disappointed if it's not working.  Tenable actually has a public marketing doc pitching this solution as viable. 

https://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/alliance-partner-pdf/Tenable-Sourcefire%20Solution%20Brief.pdf

Like you, I'm frustrated.  Whenever I contact either company directly for support I'm pointed back to the other one. 


We purchased both products before knowing they were advertised as being able to share data. I had the same experience, and it took over two months and a lot of wasted time to find out that they are not really supported by either company. If you were sold that both could connect and share data, it is unfortunate both parties were not up front in telling you the correct information. They went so far as to go to the main programmers of the application and came back with "it is not supported anymore." I also showed Cisco and Tenable the same document saying that they are being advertised as sharing data, but both parties seemed flabbergasted that it was possible.
