I have been trying to integrate OpenVAS with Sourcefire for some time now without success. I have seen in these threads, http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-October/004602.html and http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-December/004771.html, that when we import the Sourcefire report format from http://greenbone.net/technology/report_formats.de.html it returns an HTTP 500 error. I have solved this issue by downloading the source code, retrieving the Sourcefire report format files and changing them to support the GPG signatures that OpenVAS 8 uses. Next I generated GPG keys in the OpenVAS home directory, imported the files create_report_import, sourcefire.xsl and generate to the OpenVAS machine and ran create_report_import. That generated the correct sourcefire.xml, which I imported into OpenVAS GSA without error, and then I changed the status to active. After that I scanned a target and saved the report in Sourcefire format and it was correct. (I tested this on Ubuntu, Kali and CentOS, and for some reason there seems to be a bug in the CentOS version, because the report saved is empty with 0 KB, but it works for the other versions.)

After that I tested the connection from the OpenVAS machine to the Sourcefire DC on port 8307 and it was open, generated the PKCS12 file for OpenVAS in the Sourcefire DC with the correct IP, and created the respective alert with the Sourcefire IP and the PKCS12 certificate file. I ran a scan and nothing happened; even listening with tcpdump there was no connection made, and the OpenVAS Manager log (raised to level 128) presented the following lines:

event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Requested
event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Task b243b1b7-da5c-40fd-b047-59b3ce3fe38b has been requested to start by admin
event task:MESSAGE:2016-08-16 16h17.12 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Running
event task:MESSAGE:2016-08-16 16h57.39 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Done
event alert:MESSAGE:2016-08-16 16h57.39 UTC:23871: The alert for task cyberwatch was triggered (Event: Task status changed to 'Done', Condition: Always)

After that I investigated what happens when an alert is executed and found this in the INSTALL file in the OpenVAS Manager source code:

Prerequisites for Sourcefire Connector alert:
* A program in the PATH called greenbone_sourcefire_connector that takes args IP, port, PKCS12 file and report file in Sourcefire format.

I then found that the Sourcefire alert script is called by the OpenVAS Manager, and this script, present in the installation (path: /usr/share/openvas/openvasmd/global_alert_methods/), executes the greenbone_sourcefire_connector program from PATH. I could not find this greenbone_sourcefire_connector program in any of the OpenVAS versions that I installed, or even on the Internet. Does someone have this file, or does it only exist in the Greenbone appliances, as their manual shows how to configure this functionality? Can anybody help me with this, please?
_______________________________________________ Openvas-discuss mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
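One way to confirm whether the alert method ever reaches the connector, and with which arguments, is to put a diagnostic stand-in named greenbone_sourcefire_connector in the PATH. The script below is an added example, not Greenbone's connector and not part of the original post. It assumes that openvasmd's Sourcefire alert script invokes the program with four positional arguments in the order IP, port, PKCS12 file, report file (the order is an assumption taken from the INSTALL prerequisite quoted above); the log path CONNECTOR_LOG and the helper names are also the example's own. It does not speak the Sourcefire protocol: it records every invocation and validates the inputs the real connector would need, including the empty-report case seen on CentOS, so the manager side can be ruled in or out before looking at the DC.

```shell
#!/bin/sh
# Diagnostic stand-in for greenbone_sourcefire_connector (added example, not
# Greenbone's code). Assumed call convention, from the INSTALL prerequisite:
#   greenbone_sourcefire_connector IP PORT PKCS12_FILE REPORT_FILE
# It logs the invocation and checks the arguments; it sends nothing to the DC.

LOGFILE="${CONNECTOR_LOG:-/tmp/sourcefire_connector_debug.log}"   # assumed path

# Append one timestamped line to the diagnostic log.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOGFILE"
}

# Return 0 if the argument is a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if the path exists and has a size greater than zero bytes.
nonempty_file() {
    [ -n "$1" ] && [ -s "$1" ]
}

# Return 0 if the first line of the report carries an XML declaration, which
# is what the sourcefire.xsl transform produces.
looks_like_xml() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '<?xml'
}

# Validate all four arguments, log every problem, and return the number of
# failures (0 means the connector received everything it would need).
check_invocation() {
    ip=$1; port=$2; p12=$3; report=$4
    failures=0
    log "invoked with $# args: ip='$ip' port='$port' pkcs12='$p12' report='$report'"
    [ -n "$ip" ]            || { log "empty IP argument";                     failures=$((failures+1)); }
    valid_port "$port"      || { log "bad port: '$port'";                      failures=$((failures+1)); }
    nonempty_file "$p12"    || { log "PKCS12 file missing or empty: '$p12'";   failures=$((failures+1)); }
    nonempty_file "$report" || { log "report missing or empty: '$report'";     failures=$((failures+1)); }
    if nonempty_file "$report" && ! looks_like_xml "$report"; then
        log "report does not start with an XML declaration: '$report'"
        failures=$((failures+1))
    fi
    log "checks complete, $failures failure(s)"
    return "$failures"
}

# Optional reachability probe of the DC port, logged only; skipped when nc is absent.
probe_port() {
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
            log "tcp connect to $1:$2 succeeded"
        else
            log "tcp connect to $1:$2 failed"
        fi
    else
        log "nc not found, skipping reachability probe"
    fi
}

# When run by the alert script with four arguments, validate and probe.
if [ "$#" -eq 4 ]; then
    check_invocation "$@"
    rc=$?
    probe_port "$1" "$2"
    exit "$rc"
fi
```

Install it as an executable named greenbone_sourcefire_connector somewhere in the PATH of the user that runs openvasmd, trigger the alert again, and read the log: no entry at all means the alert script never executed the connector, while an entry with an empty report file points back at the report-format stage rather than at the DC connection.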
