Cisco SourceFire Results Input with InsightVM Input

I was wondering if anyone has used the Cisco SourceFire Scan Results input Extension with InsightVM? Whether it is using the InsightVM Plugin with InsightConnect or using an API script to grab the InsightVM Platform data, I am trying to find the best method to gather the data needed to input into the Cisco SourceFire Plugin.

I have analyzed several outputs from the InsightVM plugin and cannot find one query that will easily grab all of the data needed for the Cisco SourceFire Plugin. One query may have the host information but does not have the CVE IDs needed for the Vulnerabilities, and then a Vulnerability Lookup does not provide the Hosts Data. It looks like you could pull a query of the hosts with vulnerability IDs but would then have to cycle through each one of those IDs for each host, which seems rather inefficient.

Just trying to get a feel for what others have done and just looking for a little assistance if possible.

Thank you

1 Like

@zyoutz @tyler_schmidtke – Any ideas on Tony’s questions below? I’m sure we have come across this plenty of times when doing InsightVM integrations in the past.

Hi @tony_hamil,

You could try using the Generate AdHoc SQL Report action in the InsightVM plugin to retrieve the data that you need. The following query would likely work:

WITH cves AS (
    SELECT dv.vulnerability_id, csv(dvr.reference) AS cve_ids
    FROM dim_vulnerability dv
             LEFT JOIN dim_vulnerability_reference dvr
                       ON dv.vulnerability_id = dvr.vulnerability_id AND dvr.source = 'CVE'
    GROUP BY dv.vulnerability_id
)
SELECT fa.asset_id AS source_id,
       'InsightVM' as scanner_id,
       dv.vulnerability_id,
       dv.title    as vulnerability_title,
       das.port,
       das.protocol_id,
       dv.description,
       cves.cve_ids
FROM fact_asset fa
         JOIN fact_asset_vulnerability_instance favi USING (asset_id)
         LEFT JOIN dim_asset_service das ON fa.asset_id = das.asset_id AND favi.service_id = das.service_id
         JOIN dim_vulnerability dv USING (vulnerability_id)
         JOIN cves USING (vulnerability_id)
GROUP BY fa.asset_id, dv.vulnerability_id, dv.title, das.port, das.protocol_id, dv.description, cves.cve_ids

From there you could take the content and pass it to the csv plugin’s To Json action to convert it to a list that you could then iterate over. Try the SQL report out in the InsightVM UI and let me know if it gets you the results that you’re looking for.

1 Like

I am going to look at this now… I will report back once I have a been able to test it. Thank you everyone for your assistance.

hmmm… Getting the error code: "Error: The query is invalid." I will have to look at why this is throwing the error and try to fix it.

EDIT: Just found a post about ‘copying’ and ‘pasting’ SQL code. This appears to have been my problem with the ‘hidden’ characters in the copy text.

Wanted to follow up. Does the query return the data that you were hoping to get?

Tyler,
Thank you for your help. The reason the SQL Query was failing (and I had a feeling this was it) was that I was not on the latest DB version: 11.7 (The mandatory upgrade). The reason this took a bit to get to is that I had to submit to my ‘Change Advisory Board’ so that I could do the update and I tested the query this morning. It appears to work properly.

My only other question about the Cisco FirePower Plugin is that most of this will have to be inputted to the plugin via the ‘Bulk Add Scan Result’. The documentation just shows ‘[]scan_result’, so I was wondering if you had a JSON format that it is looking for? I verified that the CSV to JSON plugin is working properly after the Nexpose Query result but wanted to figure out this last piece. Right now, I only know how to iterate over the Cisco FirePower plugin using a loop to add in all of the Vulnerabilities, but I figure that the Bulk upload Action would be more efficient.

Just so you have it, here is a portion of the output from the CSV to JSON plugin:

[
  {
    "cve_ids": "CVE-2011-3389",
    "description": "    \r<p>       The SSL protocol, as used in certain configurations of Microsoft Windows and browsers such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera (and other products negotiating SSL connections) encrypts data by using CBC mode with chained initialization vectors. This potentially allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a &quot;BEAST&quot; attack. By supporting the affected protocols and ciphers, the server is enabling the clients in to being exploited.    </p>  ",
    "port": "3389",
    "protocol_id": "6",
    "scanner_id": "InsightVM",
    "source_id": "18304",
    "vulnerability_id": "71362",
    "vulnerability_title": "TLS/SSL Server is enabling the BEAST attack"
  }
]

The output from the Nexpose Query does not have the ‘IpAddress’ but I figured I would just do a lookup of the “source_id” to get this unless there is something that can be added to the SQL query to make this more efficient?

Thank you again for your help

Here’s an updated query that includes IP and operating system. I think that should get you everything that is required for the Add Scan Result action:

SELECT da.asset_id   AS source_id,
       da.ip_address AS ip_address,
       dos.description AS operating_system,
       'InsightVM'   as scanner_id,
       dv.vulnerability_id,
       dv.title      as vulnerability_title,
       das.port,
       das.protocol_id,
       htmltotext(dv.description) as description,
       csv(dvr.reference) as cve_ids
FROM dim_asset da
         JOIN dim_operating_system dos USING (operating_system_id)
         JOIN fact_asset_vulnerability_instance favi USING (asset_id)
         LEFT JOIN dim_asset_service das ON da.asset_id = das.asset_id AND favi.service_id = das.service_id
         JOIN dim_vulnerability dv USING (vulnerability_id)
         LEFT JOIN dim_vulnerability_reference dvr
                       ON dv.vulnerability_id = dvr.vulnerability_id AND dvr.source = 'CVE'
GROUP BY da.asset_id, da.ip_address, dos.description, dv.vulnerability_id, dv.title, das.port, das.protocol_id,
         dv.description

The data model has lots of good stuff available, in case you’re interested in learning a bit more about it: https://insightvm.help.rapid7.com/docs/understanding-the-reporting-data-model-overview-and-query-design

As for the details of the []scan_result type, there’s an issue with the custom type information being populated in the documentation that we’re looking to get resolved. In the meantime, the details for the custom type can be found here: https://github.com/rapid7/insightconnect-plugins/blob/master/cisco_firepower/plugin.spec.yaml#L95.

Note that the scan_result type uses the result_details type on line 51 of that same file.

With regard to using the Bulk Add Scan Results action, that could be done; but it would be a little trickier because you would need to modify each cve_ids key to convert it to a list inline (or in a new array of results). It may be easiest to pass the array to a Python step, generate the input for the Bulk Add Scan Results action payload, and return that output for passing to the Bulk Add Scan Results input.
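An added example of the Python step suggested above; this is not code from the thread, from InsightConnect, or from the Rapid7 Cisco Firepower plugin. It takes the flat rows that the SQL report produces (the same columns as the query above, plus the operating-system name/vendor/version columns; the column names os_name, os_vendor and os_version are an assumption), splits the comma-joined cve_ids string from csv() into a list, and nests each row into the host / scan_result_details layout used later in this thread for Bulk Add Scan Results. A small validation pass checks the two things a row can get wrong on the way in: a missing host.ip_address and a cve_ids value that is still a string. The CSV input is constructed for the example and is not real scan data.

```python
"""Flat InsightVM SQL-report rows -> nested scan_result objects.

Added example, not the plugin's own code. Column names for the
operating-system fields (os_name, os_vendor, os_version) are assumed.
"""
import csv
import io
import json
from typing import Dict, List

# Constructed sample of what the SQL report emits (not real scan data).
# Row 2 has no service (empty port/protocol_id) and two CVEs; row 3 has no CVE.
SAMPLE_CSV = """source_id,ip_address,os_name,os_vendor,os_version,scanner_id,vulnerability_id,vulnerability_title,port,protocol_id,description,cve_ids
18304,192.168.1.176,Windows 10 Professional Edition,Microsoft,1809,InsightVM,71362,TLS/SSL Server is enabling the BEAST attack,3389,6,BEAST description,CVE-2011-3389
18304,192.168.1.176,Windows 10 Professional Edition,Microsoft,1809,InsightVM,88362,Microsoft CVE-2017-0019: Microsoft Office Memory Corruption Vulnerability,,,Office description,"CVE-2017-0019,CVE-2017-0020"
20449,192.168.1.177,Windows 10 Professional Edition,Microsoft,1809,InsightVM,99999,Vuln with no CVE,22,6,No CVE description,
"""


def split_ids(value: str) -> List[str]:
    """csv() joins references with commas; an empty cell means no CVE."""
    return [v.strip() for v in value.split(",") if v.strip()]


def row_to_scan_result(row: Dict[str, str]) -> dict:
    """Nest one flat row into the host / scan_result_details shape."""
    return {
        "host": {
            "ip_address": row["ip_address"],
            "operating_system": {
                "name": row["os_name"],      # assumed column name
                "vendor": row["os_vendor"],  # assumed column name
                "version": row["os_version"],  # assumed column name
            },
        },
        "scan_result_details": {
            "bugtraq_ids": [],
            "cve_ids": split_ids(row["cve_ids"]),
            "description": row["description"],
            "port": row["port"],
            "protocol_id": row["protocol_id"],
            "scanner_id": row["scanner_id"],
            "source_id": row["source_id"],
            "vulnerability_id": row["vulnerability_id"],
            "vulnerability_title": row["vulnerability_title"],
        },
    }


def build_bulk_payload(csv_text: str) -> List[dict]:
    """Parse the report CSV and return the list for Bulk Add Scan Results."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row_to_scan_result(row) for row in reader]


def validate_payload(payload: List[dict]) -> List[str]:
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = []
    for i, item in enumerate(payload):
        host = item.get("host", {})
        details = item.get("scan_result_details", {})
        if not host.get("ip_address"):
            problems.append(f"item {i}: host.ip_address is missing or empty")
        if not isinstance(details.get("cve_ids"), list):
            problems.append(f"item {i}: cve_ids must be a list, not a string")
    return problems


if __name__ == "__main__":
    results = build_bulk_payload(SAMPLE_CSV)
    issues = validate_payload(results)
    print(json.dumps(results, indent=2))
    print("validation:", issues or "ok")
```

Inside an InsightConnect Python step the CSV text (or the already-converted JSON array) would come from the previous step's output instead of SAMPLE_CSV; the transformation and the validation are the same. Running validate_payload before the bulk action gives a clear error in the workflow rather than an opaque failure from the plugin.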

Thank you again for all of your help. I have been able to import data into Cisco FirePower using the ICON module after retrieving the results with your SQL Query Report.

I have some background on using the data model but there were a few parts I was a little unsure about. I will definitely look into the ‘Bulk Add Scan Results’ action. At least for now, I know I can get the data in and will optimize it in time.

Once again, thank you for your help

3 Likes

@tyler_schmidtke

So I have been working on the Nexpose to Cisco FirePower integration for a while now and I do have an integration that is working but is extremely inefficient and cannot continue for the size of my network. (On a side note, I added to the SQL Query to grab the Operating System: name, vendor, and version so I would have the exact variables needed for the FirePower Module)

My original thought was to use the SQL Query and grab all scans that occurred the previous day. This would then output all assets and their vulnerabilities to a CSV, which I then converted to JSON using the CSV Plugin. I then manipulated the JSON output using the JSON module and was then able to cycle through each vulnerability to upload them. As you may have guessed, uploading each vulnerability individually takes too long and would not finish by the time the next upload of scans would occur. Also, since we rely quite a bit on the ‘Agent Scans’ to get some of our vulnerabilities, I was trying to pull those in too. However, running a SQL Report on Scans cannot occur on the ‘Agents’ Site. This is going to force me to look at another method of gathering the latest results; probably using a Dynamic Group of some sort.

I then thought about using a Global Artifact to add all the objects to and then use the Global Artifact to Bulk upload to Cisco FirePower. However, currently, you cannot nest an Object inside of another Object with a Global Artifact so I cannot format the Global Artifact properly for the bulk upload.

Finally, against what I like to do, I decided to use Python to pull in the entire Array that is outputted by the CSV-JSON plugin, manipulate the data, and then output it back in an array in the proper format. I was finally able to get this to work (my Python skills are Padawan at best) and have an array of objects ready for the Bulk Upload. However, it is giving me an error saying there is “No IP Address”. I looked at the documentation and tried to mimic what the format should be the best I could but there must be something different with the Bulk Upload that I am not seeing.

Is it possible to give me a ‘Demo JSON’ with the objects and variables in the proper location so I can mimic it for my WF?

Thank you for your help

EDIT:

I found your examples from the github page and I think I know what I am doing wrong. I will let you know once I have tried testing this a few times using your examples in the:
insightconnect-plugins/cisco_firepower/tests/good_tests/ folder.

1 Like

@tyler_schmidtke

Sir,

I set up the Bulk Scan Results Array per your documentation, and when I run the Workflow, it just hangs and never Completes or Fails. I was wondering if you could see anything that is wrong with this sample:

[  
  {
    "host": {
      "ip_address": "192.168.1.176",
      "operating_system": {
        "name": "Windows 10 Professional Edition",
        "vendor": "Microsoft",
        "version": "1809"
      }
    },
    "scan_result_details": {
      "bugtraq_ids": [],
      "cve_ids": [
        "CVE-2017-0019"
      ],
      "description": "A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.The security update addresses the vulnerability by correcting how Office handles objects in memory.",
      "port": "",
      "protocol_id": "",
      "scanner_id": "InsightVM",
      "source_id": "20449",
      "vulnerability_id": "88362",
      "vulnerability_title": "Microsoft CVE-2017-0019: Microsoft Office Memory Corruption Vulnerability"
    }
  },
  {
    "host": {
      "ip_address": "192.168.1.176",
      "operating_system": {
        "name": "Windows 10 Professional Edition",
        "vendor": "Microsoft",
        "version": "1809"
      }
    },
    "scan_result_details": {
      "bugtraq_ids": [],
      "cve_ids": [
        "CVE-2017-0020"
      ],
      "description": "A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.Note that the Preview Pane is not an attack vector for this vulnerability.The security update addresses the vulnerability by correcting how Office handles objects in memory.",
      "port": "",
      "protocol_id": "",
      "scanner_id": "InsightVM",
      "source_id": "20449",
      "vulnerability_id": "88385",
      "vulnerability_title": "Microsoft CVE-2017-0020: Microsoft Office Memory Corruption Vulnerability"
    }
  }
]

I thought maybe I was sending too much data at once, so I used the above and manually put it into the Input for the Cisco FirePower module to make sure there were no issues. It is still hanging; however, if I do ‘Add Scan Result’ for individual additions, then I have no issues.

Any idea what I am doing wrong?

Thank you

Apologies for the delay! Cisco FirePower itself isn’t something with which I have much experience, so I’m trying to see if we have anyone else internally who may be able to assist with investigating this further.

Thanks for your patience!

Thank you for the update. I will continue to look at things myself too and see if I can figure it out. If I do, I will let you know. Once I have the entire thing done, I will post my WF with details for others who may need this Plugin.

Thank you

@tyler_schmidtke

Sir,

I know this is an old post but I did want to update that I was able to get something working utilizing the old Ruby Gem (with modifications) but I did run into an issue on the IVM side. Is there any way to make the Custom Query Report that you gave me more efficient? Currently, I have to use multiple reports with different assets in them so that the query does not time out. Even a small report with only a handful of systems will take 1-2 hours to run.

Just curious because if I could fix this problem, then my SourceFire-IVM integration would be seamless.

Thank you

Hamil, Tony

Hey @tony_hamil,

I’m assuming you are running this without InsightConnect at this point if you are using the ruby gem?

If you want better performance it might be better to use the database warehouse with InsightVM. Queries would run way faster.

Thanks,

Aniket

1 Like