I looked briefly at the source too, and it is very similar to the Nexpose Integration with Sourcefire script. With some modifications it could work, but I am not allowed to test this since the Sourcefire platform is in production; I am only allowed to use solutions that are documented to work, so there is minimal risk of disrupting the service. As recommended by Greenbone, I contacted Sourcefire support to see if they have and can supply the script. The XML to CSV part is already done by the Sourcefire report format that, as I stated in the first post, is working. Thanks for the help, Eero. If I am successful with the support team I will report so others can benefit.

> On 18/08/2016, at 17:42, Eero Volotinen <[email protected]> wrote:
>
> I looked at the source and it looks like a very simple xml to csv converter & uploader.
> It might be possible to add basic support to openvas BUT I don't have access
> to any sourcefire dc for testing.
>
> Eero
>
> On 18.8.2016 at 4.04 pm, "Eero Volotinen" <[email protected]> wrote:
> I think the connector might be based on the same source. I think it works with
> openvas with some modifications, if the sourcefire dc api is still the same.
> (source code is from year 2014?)
>
> --
> Eero
>
> 2016-08-18 14:05 GMT+03:00 Fábio Fernandes <[email protected]>:
> Thanks for the tip. This script seems similar to the one used by Rapid7 to
> integrate Nexpose with Sourcefire. Meanwhile I have contacted Greenbone
> technical sales and they informed me that I should contact Cisco regarding
> the connector.
>
>> On 17/08/2016, at 16:36, Eero Volotinen <[email protected]> wrote:
>>
>> If your company is willing to pay, it should be simple to port this nessus
>> opensource connector to openvas.
>>
>> https://supportforums.cisco.com/document/12305426/nessus-report-upload-tool-host-input-api
>>
>> Eero
>>
>> 2016-08-17 17:18 GMT+03:00 Fábio Fernandes <[email protected]>:
>> I think there is no documentation for OpenVAS on the site; they advise using
>> the Greenbone Security Manual.
>> Is the lack of the program greenbone_sourcefire_connector a reason to submit
>> a bug report?
>>
>>> On 17/08/2016, at 15:15, Eero Volotinen <[email protected]> wrote:
>>>
>>> You are free to submit fixes to documentation ;)
>>>
>>> Eero
>>>
>>> 2016-08-17 16:39 GMT+03:00 Fábio Fernandes <[email protected]>:
>>> It would be nice if they mentioned what works and what does not in the
>>> free version. I spent a lot of time for nothing, probably :( .
>>> It would be nice if someone with the Greenbone paid version could confirm
>>> that the connector exists or the greenbone_sourcefire_connector program.
>>>
>>>> On 17/08/2016, at 14:03, Eero Volotinen <[email protected]> wrote:
>>>>
>>>> I think that is the normal way that opensource works. You usually need to pay
>>>> for more advanced features like this ;)
>>>>
>>>> Eero
>>>>
>>>> 2016-08-17 16:01 GMT+03:00 Fábio Fernandes <[email protected]>:
>>>> That is what I think too. But it's strange that it appears in the free
>>>> version, and in the INSTALL file of the free version it looks like they use
>>>> the same version but leave some internal components out, or maybe they
>>>> forgot to put it there because it is a feature not used normally by first
>>>> time users. Anyway, it would be nice if someone with the Greenbone paid
>>>> version could confirm this.
>>>>
>>>>> On 17/08/2016, at 12:22, Eero Volotinen <[email protected]> wrote:
>>>>>
>>>>> I think it's only available on the commercial greenbone version.
>>>>>
>>>>> So, you should buy greenbone to get the connector
>>>>>
>>>>> --
>>>>> Eero
>>>>>
>>>>> 2016-08-17 13:55 GMT+03:00 Fábio Fernandes <[email protected]>:
>>>>> Strange. If you go to the OpenVAS menu Configurations->Alerts and create a
>>>>> new Alert, you see an option that says Sourcefire Connector and the
>>>>> configuration fields for it; maybe it is not fully implemented.
>>>>> Another strange thing, as I said in the first post, is that in the INSTALL
>>>>> file in the OpenVAS Manager source code it says that it has a Sourcefire
>>>>> Connector, but in order for it to work it needs a program that I cannot
>>>>> find anywhere.
>>>>>
>>>>> …
>>>>> Prerequisites for Sourcefire Connector alert:
>>>>> * A program in the PATH called greenbone_sourcefire_connector that takes
>>>>>   args IP, port, PKCS12 file and report file in Sourcefire format.
>>>>> …
>>>>>
>>>>> I would like to find this program as I think it is the only thing I need
>>>>> to get it working.
>>>>>
>>>>>> On 17/08/2016, at 08:07, Eero Volotinen <[email protected]> wrote:
>>>>>>
>>>>>> Well, there is no sourcefire connector for openvas. The only supported
>>>>>> format is the sourcefire report that you can manually import to the sourcefire
>>>>>> system.
>>>>>>
>>>>>> ref:
>>>>>> https://svn.wald.intevation.org/svn/openvas/trunk/openvas-manager/report_formats/sourcefire/generate
>>>>>> (source)
>>>>>>
>>>>>> Eero
>>>>>>
>>>>>> 2016-08-17 5:50 GMT+03:00 Fábio Fernandes <[email protected]>:
>>>>>> I think it is supported because it has a specific alert for it and
>>>>>> Greenbone appliances use the same version that is available. If it was
>>>>>> not supported, why would there be an alert for it and why was the connector
>>>>>> mentioned in the INSTALL file?
>>>>>>
>>>>>> > I think it is not supported on openvas.
>>>>>> >
>>>>>> > Eero
>>>>>> >
>>>>>> > On 16.8.2016 at 7.59 pm, "Fábio Fernandes" <[email protected]> wrote:
>>>>>> > I have been trying to integrate OpenVAS with Sourcefire for some time
>>>>>> > now without success. I have seen in these threads
>>>>>> > http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-October/004602.html,
>>>>>> > http://lists.wald.intevation.org/pipermail/openvas-discuss/2012-December/004771.html
>>>>>> > that when we import the Sourcefire report format from
>>>>>> > http://greenbone.net/technology/report_formats.de.html it returns an
>>>>>> > HTTP 500 error. I have solved this issue by downloading the source
>>>>>> > code, retrieving the sourcefire report format files and changing them
>>>>>> > to support the gpg signatures that OpenVAS 8 uses. Next I generated gpg
>>>>>> > keys in the OpenVAS homedir, imported the files
>>>>>> > create_report_import, sourcefire.xsl, and generate to the OpenVAS
>>>>>> > machine and ran create_report_import. That generated the correct
>>>>>> > sourcefire.xml, which I imported to OpenVAS GSA without error, and then I
>>>>>> > changed the status to active. After that I scanned a target and saved
>>>>>> > the report in Sourcefire format and it was correct. (I tested this in
>>>>>> > Ubuntu, Kali, and CentOS versions and for some reason there seems to
>>>>>> > be a bug in the CentOS version because the report saved is empty with
>>>>>> > 0KB, but it works for the other versions.) After that I tested the
>>>>>> > connection from the OpenVAS machine to the Sourcefire DC 8307 port and
>>>>>> > it was open, generated the pkcs12 file in the Sourcefire DC for
>>>>>> > OpenVAS with the correct IP, and created the respective Alert with the
>>>>>> > Sourcefire IP and the pkcs12 certificate file. Ran a scan and nothing
>>>>>> > happened; even listening with tcpdump there was no connection made, and
>>>>>> > the OpenVAS Manager log (raised to level 128) presented the following
>>>>>> > lines:
>>>>>> >
>>>>>> > event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Requested
>>>>>> > event task:MESSAGE:2016-08-16 16h17.09 UTC:23869: Task b243b1b7-da5c-40fd-b047-59b3ce3fe38b has been requested to start by admin
>>>>>> > event task:MESSAGE:2016-08-16 16h17.12 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Running
>>>>>> > event task:MESSAGE:2016-08-16 16h57.39 UTC:23871: Status of task cyberwatch (b243b1b7-da5c-40fd-b047-59b3ce3fe38b) has changed to Done
>>>>>> > event alert:MESSAGE:2016-08-16 16h57.39 UTC:23871: The alert for task cyberwatch was triggered (Event: Task status changed to 'Done', Condition: Always)
>>>>>> >
>>>>>> > After that I investigated what happens when an alert is executed and
>>>>>> > found this in the INSTALL file in the OpenVAS Manager source code:
>>>>>> >
>>>>>> > Prerequisites for Sourcefire Connector alert:
>>>>>> > * A program in the PATH called greenbone_sourcefire_connector that
>>>>>> >   takes args IP, port, PKCS12 file and report file in Sourcefire format.
>>>>>> >
>>>>>> > And then I found that the Sourcefire alert script is called by the
>>>>>> > OpenVAS Manager, and this script, present in the installation (path:
>>>>>> > /usr/share/openvas/openvasmd/global_alert_methods/), executes the
>>>>>> > greenbone_sourcefire_connector program from PATH.
>>>>>> > I could not find this greenbone_sourcefire_connector program in any of
>>>>>> > the OpenVAS versions that I installed or even on the Internet. Does
>>>>>> > someone have this file, or does it only exist in the Greenbone appliances,
>>>>>> > as their manual shows how to configure this functionality? Can anybody
>>>>>> > help me with this please?
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Openvas-discuss mailing list
>>>>>> > [email protected]
>>>>>> > https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
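
The thread describes an alert that is logged as triggered while no connection is ever made, and traces it to the prerequisites in the INSTALL file. The following preflight check for those prerequisites is an added example, not part of the thread and not Greenbone or Cisco code; the function name and messages are hypothetical, and only the program name `greenbone_sourcefire_connector` comes from the thread.

```shell
#!/bin/sh
# Preflight for the Sourcefire Connector alert prerequisites quoted from the
# OpenVAS Manager INSTALL file. Run it as the same user, and with the same
# PATH, as the openvasmd process: a daemon's PATH can differ from a login shell's.

CONNECTOR=greenbone_sourcefire_connector   # program name from the INSTALL file

# sourcefire_alert_preflight PKCS12_FILE REPORT_FILE   (hypothetical helper)
# Prints one line per unmet prerequisite and returns the number of failures.
sourcefire_alert_preflight() {
    pkcs12=$1
    report=$2
    failures=0

    # The alert script runs the connector by name, so it must resolve in PATH.
    if ! command -v "$CONNECTOR" >/dev/null 2>&1; then
        echo "FAIL: $CONNECTOR not found in PATH ($PATH)"
        failures=$((failures + 1))
    fi

    # The PKCS12 file generated on the Sourcefire DC must be readable and non-empty.
    if [ ! -r "$pkcs12" ] || [ ! -s "$pkcs12" ]; then
        echo "FAIL: PKCS12 file '$pkcs12' is missing, unreadable or empty"
        failures=$((failures + 1))
    fi

    # A 0 KB report (as seen on CentOS in the thread) gives nothing to upload.
    if [ ! -s "$report" ]; then
        echo "FAIL: Sourcefire-format report '$report' is missing or empty"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Stand-alone use: ./preflight.sh /path/to/openvas.p12 /path/to/report.csv
if [ "$#" -eq 2 ]; then
    sourcefire_alert_preflight "$1" "$2"
fi
```

A non-zero exit status is the count of unmet prerequisites, so the check can gate a scheduled scan or feed a monitoring probe.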
