4 replies. Latest post 2013-08-23T15:58:51Z by JasonMelbourne
JasonMelbourne
22 Posts

Pinned topic Software Inventory

2013-08-21T18:43:34Z

With the changes to the asset database in 7.2, I was wondering if it would be possible now to get the asset information of what is actually installed on systems from our Nessus scans into QRadar.

One of the biggest drawbacks to QRadar is getting vulnerability alerts for software we don't actually have installed on the system, due to the vulnerability being associated with an open port, when Nessus (which is feeding QRadar) knows everything that is actually installed on the system from its credentialed scans.

Doesn't need to come from Nessus per se; if there is *any* way to get a basic software inventory from a tool like Altiris into QRadar, I'd love to hear about it.

Alternatively, maybe a reference map of sets with...

Asset ID, port, installed app1, installed app2, installed app3. Would need a better rule function for accessing the reference map though: if Field1 = (asset ID) and Field2 = (destination port) and PHP is contained in Field3, then generate an offense.

Thanks!

Jason

  • dwight s (IBM)
    16 Posts

    Re: Software Inventory

    2013-08-22T14:56:51Z  in response to JasonMelbourne

    Hi Jason ...

    Hmm. I don't know if we could use the asset model to filter (reduce) that kind of alerting, based on the fact that QRadar would be aware of the apps, as I don't know if we have a rule that would allow for that. Looking around in the 7.2 rule tests... no, it doesn't look like we added any rules to take advantage of the new values that may be in the asset model.

    At the moment, I don't think the asset model supports an index/inventory of installed applications either. I think at the moment we are basing the application analysis of each host on the flow traffic that it's generating, though that's not likely specific enough. I believe what you're looking for, Jason, would be a new feature in the asset model. I'll go have a chat with some of our developers to see if there's anything like that upcoming; in the meantime, you may want to consider talking to your sales team about the idea, and log an enhancement request as well, to have QRadar support an inventory of installed applications per asset.

    dwight

    • JasonMelbourne
      22 Posts

      Re: Software Inventory

      2013-08-23T14:33:39Z  in response to dwight s (IBM)

      Very curious to hear what the developers say. I may have a workaround though... I just need to figure out how to do it via CLI.

      I can compare the software inventory against the list of vulnerabilities in QRadar and delete vulnerabilities that are not applicable manually. I can write the logic for that in a simple script; I just need to figure out the delete mechanism. I assume I could do it with psql.

      Here is what was logged when I deleted a vulnerability:

       /var/log/qradar.log:Aug 23 09:19:05 158.151.176.240 [tomcat] [jason@10.18.155.118 (4615) /console/JSON-RPC/Assets.deleteVulnerabilities Assets.deleteVulnerabilities] com.q1labs.assetprofile.api.AssetProfileService: [INFO] [NOT:0000006000][10.151.176.240/- -] [-/- -]com.q1labs.assetprofile.api.AssetProfileClient created producer for message topic: AssetProfilerAPI

      AssetProfilerAPI?? Interesting!!!!! Any chance that could let me do the deletes to clean out non-applicable vulnerabilities??

      > /var/log/httpd/ssl_access_log:10.16.155.118 - - [23/Aug/2013:09:19:11 -0500] "GET /console/do/assetprofile/AssetDetails?dispatch=viewAssetDetails&assetId=5557&listName=vulnList&vulnsPendingDelete=true&originalTotalRecords=436 HTTP/1.1" 200 7801


      Thanks for all your efforts on the forums dwight, it is greatly appreciated!

      Jason
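The comparison Jason describes (inventory versus port-based findings, plus the "PHP is contained in field 3" match from the first post) written out as an added example; this is not the poster's script or any QRadar code. The inventory, findings and the `credentialed` flag are constructed for illustration, and the block only classifies findings: the actual delete step is not taken from the thread and is left to the operator.

```python
"""Classify QRadar vulnerability findings against a per-asset software inventory.

Constructed data throughout (not exported from QRadar, Nessus or Altiris).
Output is three lists: findings safe to delete, findings to keep, and findings
that need a human because the asset has no inventory at all.
"""
from dataclasses import dataclass

# Constructed inventory: asset id -> installed product names, lower-cased.
INVENTORY = {
    5557: {"apache httpd", "openssl", "python"},
    5558: {"nginx", "php"},
}


@dataclass(frozen=True)
class Finding:
    vuln_id: int
    asset_id: int
    port: int
    product: str        # product the finding is about, as the scanner names it
    credentialed: bool  # True if a credentialed scan confirmed the package


# Constructed findings covering the cases the thread complains about.
FINDINGS = [
    Finding(1, 5557, 80, "PHP", credentialed=False),       # open-port guess, PHP absent
    Finding(2, 5557, 443, "OpenSSL", credentialed=False),  # product really installed
    Finding(3, 5558, 80, "PHP", credentialed=True),        # confirmed on the host
    Finding(4, 5559, 22, "OpenSSH", credentialed=False),   # asset has no inventory
]


def normalise(name: str) -> str:
    return name.strip().lower()


def classify(findings, inventory):
    """Split findings into (delete, keep, unknown) using substring containment."""
    delete, keep, unknown = [], [], []
    for f in findings:
        installed = inventory.get(f.asset_id)
        if installed is None:
            unknown.append(f)  # never auto-delete without an inventory to compare
        elif f.credentialed or any(normalise(f.product) in pkg for pkg in installed):
            keep.append(f)
        else:
            delete.append(f)   # port-based finding for software not on the host
    return delete, keep, unknown


if __name__ == "__main__":
    d, k, u = classify(FINDINGS, INVENTORY)
    print("delete:", [f.vuln_id for f in d], "keep:", [f.vuln_id for f in k],
          "review:", [f.vuln_id for f in u])
```

Substring containment is deliberate so that a scanner name like "PHP" still matches an inventory entry such as "php-fpm"; tighten it to exact or version-aware matching once the inventory source is known.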

  • JasonMelbourne
    22 Posts

    Re: Software Inventory

    2013-08-23T15:28:26Z  in response to JasonMelbourne

    If anyone is also frustrated by vulnerability offenses for software you know isn't actually installed on an asset, or that has already been patched, please vote for this to be fixed.

    Request 38404 Software Inventory import to Asset Profile


    • JasonMelbourne
      22 Posts

      Re: Software Inventory

      2013-08-23T15:58:51Z  in response to JasonMelbourne

      Er, never mind, it won't let me make the request public so others can vote on it. But it does tell me I can share the link above... only no one can actually follow it...