Strange. If you go to the OpenVAS menu Configurations->Alerts and create a new 
Alert, you see an option that says Sourcefire Connector and the configuration 
fields for it. Maybe it is not fully implemented.
Another strange thing, as I said in the first post, is that the INSTALL file 
in the OpenVAS Manager source code says that it has a Sourcefire Connector, 
but in order for it to work it needs a program that I cannot find anywhere.

…
Prerequisites for Sourcefire Connector alert:
* A program in the PATH called greenbone_sourcefire_connector that takes args
  IP, port, PKCS12 file and report file in Sourcefire format.
… 

I would like to find this program, as I think it is the only thing I need to get 
it working.

> On 17/08/2016, at 08:07, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> 
> Well, there is no Sourcefire connector for OpenVAS. The only supported format is 
> the Sourcefire report, which you can manually import into a Sourcefire system.
> 
> ref: 
> https://svn.wald.intevation.org/svn/openvas/trunk/openvas-manager/report_formats/sourcefire/generate
> (source)
> 
> Eero
> 
> 2016-08-17 5:50 GMT+03:00 Fábio Fernandes <fabiogfernan...@gmail.com>:
> I think it is supported because it has a specific alert for it and Greenbone 
> appliances use the same version that is available. If it was not supported, 
> why would there be an alert for it and why was the connector mentioned in the 
> INSTALL file?
> 
> > I think it is not supported on openvas.
> >
> > Eero
> >
> >
> > 16.8.2016 7.59 PM, "Fábio Fernandes" <fabiogfernan...@gmail.com> wrote:
> > I have been trying to integrate OpenVAS with Sourcefire for some time now 
> > without success. I have seen in these threads 
> > http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-October/004602.html,
> > http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-December/004771.html
> > that when we import the Sourcefire report format from 
> > http://greenbone.net/technology/report_formats.de.html it returns an HTTP 
> > 500 error. I have solved this issue by downloading the source code, 
> > retrieving the Sourcefire report format files and changing them to support 
> > the gpg signatures that OpenVAS 8 uses. Next I generated gpg keys in the 
> > OpenVAS homedir, imported the files create_report_import, 
> > sourcefire.xsl, and generate to the OpenVAS machine and ran 
> > create_report_import. That generated the correct sourcefire.xml, which I 
> > imported to OpenVAS GSA without error, and then I changed the status to 
> > active. After that I scanned a target and saved the report in Sourcefire 
> > format and it was correct. (I tested this in Ubuntu, Kali, and CentOS 
> > versions and for some reason there seems to be a bug in the CentOS version 
> > because the report saved is empty with 0KB, but it works for the other 
> > versions.)
> >
> > After that I tested the connection from the OpenVAS machine to 
> > the Sourcefire DC 8307 port and it was open, generated the pkcs12 file in 
> > the Sourcefire DC for OpenVAS with the correct IP, and created the respective 
> > Alert with the Sourcefire IP and the pkcs12 certificate file. I ran a scan 
> > and nothing happened; even listening with tcpdump there was no connection 
> > made, and the OpenVAS Manager log (raised to level 128) presented the 
> > following lines:
> >
> > event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Requested
> > event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Task b243b1b7-da5c-40fd-b047-59b3ce3fe38b has been requested to start by admin
> > event task:MESSAGE:2016-08-16 16h17.12 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Running
> > event task:MESSAGE:2016-08-16 16h57.39 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Done
> > event alert:MESSAGE:2016-08-16 16h57.39 UTC:23871: The alert for task cyberwatch was triggered (Event: Task status changed to 'Done', Condition: Always)
> >
> > After that I investigated what happens when an alert is executed and 
> > found this in the INSTALL file in the OpenVAS Manager source code:
> >
> > Prerequisites for Sourcefire Connector alert:
> > * A program in the PATH called greenbone_sourcefire_connector that takes args
> >   IP, port, PKCS12 file and report file in Sourcefire format.
> >
> > And then I found that the Sourcefire alert script is called by the OpenVAS 
> > Manager, and this script, present in the installation (path: 
> > /usr/share/openvas/openvasmd/global_alert_methods/), executes the 
> > greenbone_sourcefire_connector program from PATH.
> > I could not find this greenbone_sourcefire_connector program in any of the 
> > OpenVAS versions that I installed or even on the Internet. Does someone 
> > have this file, or does it only exist in the Greenbone Appliances, as their 
> > manual shows how to configure this functionality? Can anybody help me with 
> > this, please?
> 
> 

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
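
An added example, not part of the thread and not OpenVAS or Greenbone code: a preflight check for the local prerequisites named in the INSTALL excerpt quoted above (the connector program on PATH, a PKCS12 file, a non-empty Sourcefire-format report). The function names, return codes and arguments are assumptions made for illustration; the connector itself is never invoked.

```shell
#!/bin/sh
# Preflight for the "Sourcefire Connector" alert prerequisites.
# Program name is taken from the INSTALL text quoted in the thread.
CONNECTOR=greenbone_sourcefire_connector

# find_in_path NAME PATHLIST
# Print the first executable regular file NAME found in the colon-separated
# PATHLIST; return 1 if there is none. PATHLIST is passed explicitly so the
# caller can test the manager's PATH instead of the login shell's
# (assumption: the alert script inherits the environment of openvasmd).
find_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_sourcefire_prereqs PATHLIST PKCS12_FILE REPORT_FILE
# Return codes (hypothetical, chosen for this example):
#   0 all prerequisites present
#   1 connector program not found on PATHLIST (the situation in the thread:
#     the alert is logged as triggered, but no connection is ever made)
#   2 PKCS12 file missing or empty
#   3 report file missing or empty (e.g. the 0KB report seen on CentOS)
check_sourcefire_prereqs() {
    find_in_path "$CONNECTOR" "$1" >/dev/null || return 1
    [ -s "$2" ] || return 2
    [ -s "$3" ] || return 3
    return 0
}

# Usage (paths are placeholders):
#   check_sourcefire_prereqs "$PATH" /path/to/openvas.p12 /path/to/report
#   echo "prerequisite check returned $?"
```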
