Symantec Event Collector 4.4 for Nessus Quick Reference


Symantec Event Collector for Nessus Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week
- Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and maintenance contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com. Select your country or language from the site index.

Contents

Technical Support ... 4

Chapter 1 Introducing Symantec Event Collector for Nessus ... 9
  About this quick reference ... 9
  Compatibility requirements for the Nessus Event Collector ... 10
  System requirements for the Nessus Event Collector computer ... 10
  About the installation sequence for Nessus Event Collector ... 11
  About configuring Nessus to work with the collector ... 12
  Sensor properties for Nessus Event Collector ... 12
  Enabling Assets table population on Symantec Security Information Manager ... 13
  Running LiveUpdate for collectors ... 15

Chapter 2 Implementation notes ... 17
  Product ID for Nessus Event Collector ... 17
  Event example ... 17
  Schema packages ... 17
  Event mapping for Information Manager ... 18

Chapter 3 Event filtering and aggregation ... 23
  Event filtering and aggregation for the Nessus Event Collector ... 23


Chapter 1 Introducing Symantec Event Collector for Nessus

This chapter includes the following topics:
- About this quick reference
- Compatibility requirements for the Nessus Event Collector
- System requirements for the Nessus Event Collector computer
- About the installation sequence for Nessus Event Collector
- About configuring Nessus to work with the collector
- Sensor properties for Nessus Event Collector
- Enabling Assets table population on Symantec Security Information Manager
- Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Symantec Event Collector for Nessus. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Nessus. For detailed information on how to install and configure event collectors, see the Symantec Event Collectors Integration Guide. For information on Nessus, see your product documentation.

Compatibility requirements for the Nessus Event Collector

The collector is compatible with Nessus Vulnerability Scanner 2.x and 3.x. The collector is not compatible with Nessus WX. The collector is also compatible with StillSecure VAM.

The collector runs on the following operating systems:
- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
- Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
- Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux AS 5.0

Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.

System requirements for the Nessus Event Collector computer

Minimum system requirements for a remote collector installation are as follows:
- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
- 512 MB of memory minimum, 1 GB recommended, for the Symantec Event Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
- TCP/IP connection to a network from a static IP address

About the installation sequence for Nessus Event Collector

You must install the collector on the same computer on which Nessus is installed. The collector installation sequence is as follows:
1. Complete the preinstallation requirements. For these procedures, see the Symantec Event Collectors Integration Guide.
2. Close the Symantec Security Information Manager Client console.
3. Register the collector for all off-appliance collector installations. For this procedure, see the Symantec Event Collectors Integration Guide.
4. Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations, and you must install it on the same computer as Nessus. Symantec Event Agent 4.5.0 build 12 or later is required.
5. Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that already has an earlier collector on it, you must first run LiveUpdate on all components of the earlier collector; update the earlier collector before you install the 4.3 collector. See Running LiveUpdate for collectors on page 15.
6. Install the collector component. For procedures on how to install the collector on a remote computer or on an appliance, see the Symantec Event Collectors Integration Guide. You must install the collector on the same computer as Nessus.
7. Configure the sensor. See Sensor properties for Nessus Event Collector on page 12.
8. Enable Assets table population. See Enabling Assets table population on Symantec Security Information Manager on page 13.
9. Run LiveUpdate. See Running LiveUpdate for collectors on page 15.

For all procedures that are not covered in this quick reference, see the Symantec Event Collectors Integration Guide.

About configuring Nessus to work with the collector

Using the configuration tools that are provided with Nessus, do the following:
- Configure Nessus to save the scan results as a log file.
- Save the log file in NBE format. The Nessus Event Collector reads only the NBE log format. The Nessus Client can convert Nessus NBR-formatted files to NBE; convert the file to NBE before the collector starts.

Sensor properties for Nessus Event Collector

Table 1-1 shows the sensor properties for the log file sensor.

Table 1-1 Log file sensor properties

Log file directory: Specify the path to the log file on the security product computer. The default log file directory is C:\nessus. Your installation directory may differ from the default.

Log File Name: Specify the name of the log file. Nessus stores scan results under a new file name (first scan), the same file name as one that already exists, or a different file name; for example, Nessus_scan.nbe for the results of the first scan and Nessus_scan.nbe.1 for the next scan.

Reading Mode: Specify whether the collector checks for new log files after reaching the end of the current log file, or waits for new events to be added to the current log file. Specify Monitor Dynamic Log for the collector to check for a new log file to read. Specify Monitor Single File Log for the collector to wait for new events to be added to the current log file.

Start Reading From: Specify Beginning to read the log file from the beginning of the file when the collector restarts. Specify End to read the log file from the end of the file when the collector restarts. Specify Last Position for the collector to keep track of which line it is reading in the log file; if the collector is interrupted and restarted, reading continues from this position. When the collector is started for the first time, it reads all events in all files. Last Position is the default value.
Note: If the file for which a last position was saved no longer exists, the collector starts reading from the log file with the timestamp that is later than, but nearest to, the file for which the last position was saved.

Time Offset: Specify a time offset to convert the timestamps of all logged events to the time zone of the collector computer. Use a time offset only if both of the following are true: the time zone of the collector computer and the point product are different, and the timestamps in the point product data are not Coordinated Universal Time (UTC). This property is useful when the log file does not contain time zone information and the collector and the point product computer are in different time zones. Acceptable formats are +HH, -HH, +HH:MM, and -HH:MM, where HH is the number of hours (-99 to +99) and MM is the number of minutes (0 to 59). The default value is +00:00. For example, if the collector computer is in Pacific Standard Time (PST), specify -3 to convert incoming events with Eastern Standard Time (EST) timestamps to PST, and +2 to convert incoming events with Hawaii-Aleutian Standard Time (HST) timestamps to PST.
If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00 and posts an error message in the collector's log.

Enabling Assets table population on Symantec Security Information Manager

The Assets table provides a centralized list of network assets that Information Manager can use for event correlation and rules processing. You can identify the Confidentiality, Integrity, and Availability (CIA) values for each asset; the applicable policies; the ports that are potentially vulnerable; and the specific vulnerabilities of each asset. You can also associate the host name of an asset with the IP address, as well as with the operating system, the operating system version, and the distinguished name for each system.

If you use Information Manager 4.5, you must edit the Asset_Detector.cfg file to add or remove collectors, and you must first apply Information Manager 4.5 Maintenance Release 2. See To enable Assets table population with Information Manager 4.5 on page 14. If you use Information Manager 4.6, you can use the Information Manager console to add or remove collectors. See To enable Assets table population with Information Manager 4.6 on page 15.

The Asset detector discovers assets through the destination_ip field. If destination_ip is not available, the Asset detector uses the machine_ip field. Information Manager creates and updates assets as follows:
- If an asset does not exist in the Assets table, Information Manager creates a new asset. The network to which the asset belongs must not be locked (the network may be updated).
- If an asset already exists in the Assets table (as defined by the IP address), it is updated automatically.

For more information on the Assets table, see the Symantec Security Information Manager Administrator's User Guide.

To enable Assets table population with Information Manager 4.5
1. Use a secure shell client, such as PuTTY, to connect to the IP address of the Information Manager appliance, and then log in as db2admin.
2. At the command prompt, type the following command: su -
3. Navigate to the following directory: /opt/symantec/simserver/simcm/monitors/
4. Use a text editor, such as vi, to open and edit the Asset_Detector.cfg file.
5. To enable Assets table population, add the following line to the Asset_Detector.cfg file:
   <property name="product_id" value="3122" type="java.lang.Integer" Description=""/>
   The product_id of the collector is 3122. The Description is any descriptive name for the collector.
6. To disable Assets table population for the collector, delete the corresponding line in the Asset_Detector.cfg file.

Do not repeat configurations for the same collector. The .cfg file includes a predefined list of enabled default collectors. From the list, you can disable (remove the line) or enable (leave the line in) collectors, as necessary.

To enable Assets table population with Information Manager 4.6
1. In the Information Manager console, in the left pane, click Rules.
2. In the tree in the middle pane, expand Monitors > System Monitors > Asset Detector.
3. On the Properties tab, to the right of the product grid, click the ellipsis (the three dots).
4. In the Property Editor dialog, add or remove collectors.

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates, such as support for new events and query updates. For information about running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.

To run LiveUpdate for a collector installed on a separate computer
1. On the collector computer, navigate to the collector directory. On Windows, the default directory is C:\Program Files\Symantec\Event Agent\collectors\. On UNIX, the default directory is /opt/symantec/sesa/agent/collectors/.
2. At a command prompt, do one of the following: on Windows, type runliveupdate.bat; on UNIX, as the root user, type runliveupdate.sh.

To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1. On the collector computer, navigate to the collector directory. On Windows, the default directory is C:\Program Files\Symantec\sesa\Event Agent\collectors\. On UNIX, the default directory is /opt/symantec/sesa/agent/collectors/.
2. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3. Navigate to the LiveUpdate directory. On Windows, the default LiveUpdate directory is C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate. On UNIX, the default LiveUpdate directory is /opt/symantec/liveupdate.
4. View the liveupdt.log file. On Windows, use a text editor such as Notepad. On UNIX, to view the last 100 lines of the file, type the following command: tail -100 liveupdt.log | more

The first part of the log is in text format; the second part repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file, for example: Status = Failed (return code - 2001).
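The Start Reading From and Time Offset behaviour described for the log file sensor in Table 1-1 (continuing from a saved position, falling back to the next newer log file when the saved file is gone, and resetting an invalid offset to +00:00 with an error in the log) is shown below as an added Python example. It is not collector code and is not from the original page: the layout of the saved state record, the use of the file modification time as the "timestamp" of a log file, and the sample files built in demo() are assumptions made for the example.

```python
"""Mini log-file sensor: Last Position resume and Time Offset handling.
Added example; not Symantec collector code. State layout, use of mtime as
the file timestamp and the demo files are assumptions."""
import logging
import os
import re
import tempfile
from datetime import datetime, timedelta

log = logging.getLogger("sensor")

# +HH, -HH, +HH:MM, -HH:MM with HH in 0..99 and MM in 0..59 (Table 1-1).
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::([0-5]\d))?$")


def parse_offset(text):
    """Return the offset as a timedelta. Anything that does not match the
    documented formats is handled the way the collector does: an error is
    logged and the value falls back to the default +00:00."""
    m = OFFSET_RE.match(text.strip())
    if not m:
        log.error("invalid time offset %r, reset to +00:00", text)
        return timedelta(0)
    sign, hh, mm = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    delta = timedelta(hours=hh, minutes=mm)
    return -delta if sign == "-" else delta


def to_collector_time(event_ts, offset):
    """Shift a naive point-product timestamp into the collector's zone,
    e.g. an EST-stamped event on a PST collector with offset -3."""
    return event_ts + offset


def resume_from(state, directory):
    """Decide where to continue under Start Reading From = Last Position.
    state is {'file', 'mtime', 'offset'} as saved by the sensor, or None on
    first start (the caller then reads every file from the beginning).
    If the saved file is gone, pick the file whose timestamp is later than,
    but nearest to, the saved one and start it from offset 0."""
    if state is None:
        return None
    if os.path.exists(state["file"]):
        return state["file"], state["offset"]
    newer = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.path.getmtime(path) > state["mtime"]:
            newer.append((os.path.getmtime(path), path))
    if not newer:
        log.error("saved file %s is gone and no newer log exists", state["file"])
        return None
    return min(newer)[1], 0


def read_from(path, offset):
    """Read everything after a byte offset and return (lines, new_offset)
    so the caller can persist the new position."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    return data.decode("utf-8", "replace").splitlines(), offset + len(data)


def demo():
    """Constructed scenario: the file with the saved position was deleted
    between two collector runs; two newer files exist."""
    d = tempfile.mkdtemp()

    def make(name, mtime, text):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(text.encode("utf-8"))
        os.utime(p, (mtime, mtime))
        return p

    gone = make("Nessus_scan.nbe", 1000.0, "old\n")
    make("Nessus_scan.nbe.2", 3000.0, "newest\n")
    make("Nessus_scan.nbe.1", 2000.0, "next a\nnext b\n")
    state = {"file": gone, "mtime": 1000.0, "offset": 4}
    os.remove(gone)                       # saved file no longer exists
    path, offset = resume_from(state, d)  # expect Nessus_scan.nbe.1 at 0
    lines, new_offset = read_from(path, offset)
    est_noon = datetime(2009, 1, 1, 12, 0, 0)
    return {
        "resumed": os.path.basename(path),
        "offset": offset,
        "lines": lines,
        "new_offset": new_offset,
        "pst": to_collector_time(est_noon, parse_offset("-3")),
    }


if __name__ == "__main__":
    print(demo())
```

The regex enforces the documented shape rather than accepting anything int() would parse, so a value such as +3:70 or a missing sign is rejected and logged instead of silently shifting every event by a wrong amount.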

Chapter 2 Implementation notes

This chapter includes the following topics:
- Product ID for Nessus Event Collector
- Event example
- Schema packages
- Event mapping for Information Manager

Product ID for Nessus Event Collector

The product ID of the collector is 3122.

Event example

An example event (one pipe-delimited NBE record) is as follows:

results|169.254.13|169.254.13.11|ssh (22/tcp)|10330|Security Note|An ssh server is running on this port

The event structure is as follows:

output_id|scan_id|target_ip/hostname|target service/port|vendor_vuln_id|vendor_code|description

Schema packages

The collector uses the following schema packages for event collection:
- symc_base_class
- symc_vuln_class
- symc_network_class
- symc_vuln_audit_class

Event mapping for Information Manager

Table 2-1 Event mapping (Information Manager field name | Nessus field name | Comment)

Bugtraq IDs List | N/A | BID list, if it exists
Bugtraq ID | | BID, if it exists
Category ID | | Category. Possible values: 30007601 - Application; 30007606 - Security
Common Vulnerabilities and Exposures Name | | CVE name, if it exists
CVE IDs List | | CVE list, if it exists
CVSS | | CVSS score
Description | | Description
Destination Host Name | Target host/ip | The destination host name. The name may be resolved by DNS lookup from the destination IP address.
Destination Service Name | Destination service/port | Destination service name
Device Action | N/A | Always set to the following value: 1027200 - None
EventClassName | N/A | Event Class Name. Possible values: symc_system; symc_vuln; symc_vuln_audit
Event Date | N/A | Populated from the log only for scan start, scan stop, host start, and host stop events. For other events, the date is the timestamp of the computer that runs the collector.
Event Type ID | | Event ID. Possible values: 1082000 - Vulnerability Detected; 1082002 - Vulnerability Audit Start; 1082003 - Vulnerability Audit End; 2012001 - Exposure Detected; 2022000 - Generic Base
Host MAC | Target host/ip | Host MAC address
IP Destination Address | Target host/ip | The destination IP address. The IP address may be resolved by a DNS lookup from the destination host name.
IP Destination Port | Destination service/port | Destination port
Logging Device IP | | The IP address of the computer where the collector runs
Logging Device Name | | The name of the computer where the collector runs
MAC Destination | Target host/ip | Host MAC address
Network Protocol ID | Destination service/port | Possible values: 167100 - UNKNOWN; 167101 - ARP; 167102 - TCP; 167103 - UDP; 167104 - ICMP; 167105 - IGMP
Operating System | | Host OS
Option 1 | | Nessus risk factor, if it exists
Option 2 | | IP address of the Nessus computer, if it exists
Option 3 | | Plugin feed version, if it exists
Option 4 | | Plugin feed version, if it exists
Option 5 | | Host name, if it exists
Option 6 | | FTP server banner, if it exists
Option 7 | | The field is set to "ftp", if it exists
Option1_type | N/A | Risk factor
Option2_type | N/A | Scanner IP address
Option3_type | N/A | Plugin feed version
Option4_type | N/A | Plugin feed version
Option5_type | N/A | Host name that is resolved by the scanner
Option6_type | N/A | FTP server banner
Option7_type | N/A | Protocol type
Point Product Version | | Nessus scanner version, if it exists
Protocol | Destination service/port | Network protocol
Proxy Machine | Target host/ip | The field is populated by the destination host
Severity ID | N/A | Possible values: 1 - Informational; 2 - Warning; 3 - Minor; 4 - Major (see Table 2-2)
Source Host Name | Target host/ip | Rewritten by Information Manager with the name of the collector computer
Vendor Signature | Vendor ID | Nessus numeric code
Vulnerability Certainty ID | | Certainty ID. Possible values: 1087103 - Unknown; 1087104 - Low; 1087105 - Medium; 1087106 - High; 1087107 - Certain
Vulnerability Detect Type ID | Vendor Code | 1087120 - Vulnerability detected, for Security Warning or Security Hole events; 1087122 - Exposure Detected, for all other events
Vulnerability Name | | A short vulnerability description, if it is available
Vulnerability Vendor ID | | Vendor naming standard

For this collector, the Severity ID field is populated according to the text in the Vendor Naming Standard field (the vendor code of the NBE record), as follows:

Table 2-2 Severity mapping (Text in Vendor Naming Standard field | Severity at Information Manager)

Security Note | 2
Security Warning | 3
Security Hole | 4
Any other text | 1
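The following is an added Python example, not code from the collector or from the original page, that parses NBE "results" records of the structure shown in the event example and applies the mappings of Table 2-1 (protocol, detect type, vendor signature) and the severities of Table 2-2. The sample records are constructed; the pairing of Event Type ID 1082000 with Security Warning/Security Hole records and 2012001 with all other records, the handling of the host-level "general/tcp" service form, and the treatment of a literal \n in the description as a line break are assumptions of the example rather than statements of the document.

```python
"""Map Nessus NBE 'results' records to Information Manager fields
(Tables 2-1 and 2-2). Added example, not collector code. Sample records
are constructed; the Event Type ID pairing is an assumption."""
import logging
import re

log = logging.getLogger("nbe")

# Table 2-2: severity from the text in the vendor code field.
SEVERITY = {"Security Note": 2, "Security Warning": 3, "Security Hole": 4}
DEFAULT_SEVERITY = 1                    # any other text

# Table 2-1 constants.
DETECT_VULNERABILITY = 1087120          # Security Warning / Security Hole
DETECT_EXPOSURE = 1087122               # everything else
EVENT_VULNERABILITY_DETECTED = 1082000  # assumed pairing with 1087120
EVENT_EXPOSURE_DETECTED = 2012001       # assumed pairing with 1087122
PROTOCOL_ID = {"arp": 167101, "tcp": 167102, "udp": 167103,
               "icmp": 167104, "igmp": 167105}
PROTOCOL_UNKNOWN = 167100

# "ssh (22/tcp)" or the host-level form "general/tcp" (assumed).
SERVICE_RE = re.compile(
    r"^(?:(?P<name>[^\s(]+)\s*\((?P<port>\d+)/(?P<proto>[a-z]+)\)"
    r"|(?P<gname>[^/\s]+)/(?P<gproto>[a-z]+))$")


def parse_service(field):
    """Return (service_name, port or None, network_protocol_id)."""
    m = SERVICE_RE.match(field.strip())
    if not m:
        return field, None, PROTOCOL_UNKNOWN
    if m.group("port") is not None:
        return (m.group("name"), int(m.group("port")),
                PROTOCOL_ID.get(m.group("proto"), PROTOCOL_UNKNOWN))
    return (m.group("gname"), None,
            PROTOCOL_ID.get(m.group("gproto"), PROTOCOL_UNKNOWN))


def parse_nbe_line(line):
    """Parse one pipe-delimited record:
    output_id|scan_id|target|service/port|vendor_vuln_id|vendor_code|description
    Only 'results' records carry findings; anything else yields None.
    The description is the last field, so it may itself contain '|'."""
    parts = line.rstrip("\r\n").split("|", 6)
    if len(parts) != 7 or parts[0] != "results":
        return None
    _, scan_id, target, service, plugin_id, vendor_code, description = parts
    if not plugin_id.isdigit():
        log.warning("non-numeric vendor vuln id %r, record skipped", plugin_id)
        return None
    name, port, proto_id = parse_service(service)
    vendor_code = vendor_code.strip()
    is_vuln = vendor_code in ("Security Warning", "Security Hole")
    description = description.replace("\\n", "\n")  # literal \n -> newline (assumed)
    return {
        "scan_id": scan_id,
        "destination_ip": target,       # may be a host name; no DNS done here
        "destination_service_name": name,
        "destination_port": port,
        "network_protocol_id": proto_id,
        "vendor_signature": int(plugin_id),
        "severity_id": SEVERITY.get(vendor_code, DEFAULT_SEVERITY),
        "vulnerability_detect_type_id": DETECT_VULNERABILITY if is_vuln else DETECT_EXPOSURE,
        "event_type_id": EVENT_VULNERABILITY_DETECTED if is_vuln else EVENT_EXPOSURE_DETECTED,
        "vulnerability_name": description.splitlines()[0] if description else "",
        "description": description,
    }


def parse_nbe(text):
    """Parse a whole NBE file body; non-results records are skipped."""
    events = []
    for line in text.splitlines():
        ev = parse_nbe_line(line)
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample, not output of a real scan. The first line mimics an
# NBE timestamps record and is skipped by the parser.
SAMPLE = """\
timestamps|||scan_start|Thu Jan  1 00:00:00 2009|
results|169.254.13|169.254.13.11|ssh (22/tcp)|10330|Security Note|An ssh server is running on this port
results|169.254.13|169.254.13.11|ftp (21/tcp)|10079|Security Hole|Anonymous FTP login is allowed\\nRisk factor : High
results|169.254.13|169.254.13.11|general/tcp|19506|Log Message|Nessus scan information
"""

if __name__ == "__main__":
    for ev in parse_nbe(SAMPLE):
        print(ev["destination_ip"], ev["destination_port"], ev["severity_id"],
              ev["event_type_id"], ev["vulnerability_name"])
```

Splitting with a field limit of 6 keeps the description intact even when it contains the delimiter; without it, a plugin description with a pipe in it would shift every later field and silently corrupt the vendor code and therefore the severity.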


Chapter 3 Event filtering and aggregation

This chapter includes the following topic:
- Event filtering and aggregation for the Nessus Event Collector

Event filtering and aggregation for the Nessus Event Collector

Filtering and aggregation are not recommended for this collector, because Nessus data populates the Assets table. However, if a specific system must be excluded from asset population, you can create a filter. This type of filtering is done on the IP Destination Address value, in the Common Events fields in Information Manager; an example filter is IP Destination Address equal to a specific IP address. The Nessus Event Collector does not support event aggregation.
