You can add a scanner to collect vulnerability data over SNMP from eEye REM or CS Retina scanners.
Before you begin
To use CVE identifiers and descriptions, you must copy the audits.xml file from your eEye REM scanner to the managed host that is responsible for listening for SNMP data. If your managed host is in a distributed deployment, you must copy audits.xml to the Console first and then copy the file over SSH to /opt/qradar/conf/audits.xml on the managed host. The default location of audits.xml on the eEye scanner is %ProgramFiles(x86)%\eEye Digital Security\Retina CS\Applications\RetinaManager\Database\audits.xml. To receive the most up-to-date CVE information, periodically update QRadar® with the latest audits.xml file.
Procedure
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify your SecureScout server.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select eEye REM Scanner.
- From the Import Type list, select SNMP.
- In the Base Directory field, type a location to store the temporary files that contain the eEye REM scan data. The default directory is /store/tmp/vis/eEye/.
- In the Cache Size field, type the number of transactions that you want to store in the cache before the SNMP data is written to the temporary file. The default value is 40 transactions.
- In the Retention Period field, type the time period, in days, for which the system stores scan information. If a scan schedule did not import data before the retention period expires, the scan information from the cache is deleted.
- Select the Use Vulnerability Data check box to correlate eEye vulnerabilities to Common Vulnerabilities and Exposures (CVE) identifiers and description information.
- In the Vulnerability Data File field, type the directory path to the eEye audits.xml file.
- In the Listen Port field, type the port number that is used to monitor for incoming SNMP vulnerability information from your eEye REM scanner. The default port is 1162.
- In the Source Host field, type the IP address of the eEye scanner.
- From the SNMP Version list, select the SNMP protocol version. The default protocol is SNMPv2.
- In the Community String field, type the SNMP community string for the SNMPv2 protocol, for example, Public.
- From the Authentication Protocol list, select the algorithm to authenticate SNMPv3 traps.
- In the Authentication Password field, type the password that you want to use to authenticate SNMPv3 communication. The password must include a minimum of 8 characters.
- From the Encryption Protocol list, select the SNMPv3 decryption algorithm.
- In the Encryption Password field, type the password to decrypt SNMPv3 traps.
- To configure a CIDR range for your scanner:
  - Type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
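The SNMP settings in the procedure above (version, community string, SNMPv3 authentication and encryption, listen port, source host, CIDR range) are the values that decide whether the trap listener accepts unauthenticated data. The following pre-flight linter is an added example, not part of QRadar or eEye; it checks a set of form values against the constraints the procedure states and flags the weak choices a reviewer would query: an SNMPv2 community string that is a well-known default, SNMPv3 without an encryption protocol, an authentication password shorter than 8 characters, a CIDR with host bits set. The dictionary keys, the sample configurations and the protocol names "SHA" and "AES" are assumptions made for the example; the real form offers its own list.

```python
"""Pre-flight linter for eEye REM SNMP scanner settings (added example).

The dict keys mirror the form labels in the procedure; the layout is an
assumption, not a QRadar API. Run it on the values before typing them in.
"""
import ipaddress

# Constructed list of community strings that ship as defaults on many devices.
WELL_KNOWN_COMMUNITY_STRINGS = {"public", "private"}

# Constructed sample: the defaults the form suggests, community string "Public".
WEAK_CONFIG = {
    "listen_port": 1162,
    "source_host": "192.0.2.10",
    "cidr_ranges": ["192.0.2.0/24"],
    "snmp_version": "SNMPv2",
    "community_string": "Public",
}

# Constructed sample: SNMPv3 with authentication and encryption set.
# "SHA" / "AES" are placeholders for whatever the Authentication Protocol and
# Encryption Protocol lists actually offer.
GOOD_CONFIG = {
    "listen_port": 1162,
    "source_host": "192.0.2.10",
    "cidr_ranges": ["192.0.2.0/24"],
    "snmp_version": "SNMPv3",
    "auth_protocol": "SHA",
    "auth_password": "constructed-example-auth-pw",
    "encryption_protocol": "AES",
    "encryption_password": "constructed-example-priv-pw",
    "use_vulnerability_data": True,
    "vulnerability_data_file": "/opt/qradar/conf/audits.xml",
}


def lint_scanner_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the settings pass."""
    findings = []

    # Listen Port: the page's default is 1162; any value must be a real port.
    port = cfg.get("listen_port", 1162)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"listen_port {port!r} is not a valid port number")

    # Source Host: the procedure asks for the scanner's IP address, so reject
    # anything that does not parse as one.
    try:
        ipaddress.ip_address(cfg.get("source_host", ""))
    except ValueError:
        findings.append("source_host is not a valid IP address")

    # CIDR ranges: strict=True rejects entries such as 192.0.2.5/24 whose host
    # bits are set, which usually means a host address was typed by mistake.
    for cidr in cfg.get("cidr_ranges", []):
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"cidr {cidr!r} is not a valid network")

    version = cfg.get("snmp_version", "SNMPv2")
    if version == "SNMPv2":
        community = cfg.get("community_string", "")
        if not community:
            findings.append("SNMPv2 selected but community_string is empty")
        elif community.lower() in WELL_KNOWN_COMMUNITY_STRINGS:
            findings.append("community_string is a well-known default")
        # A community string is the only thing gating SNMPv2 traps and it
        # travels in clear text, so always record that v3 is preferable.
        findings.append("SNMPv2 traps are unauthenticated and unencrypted; prefer SNMPv3")
    elif version == "SNMPv3":
        if not cfg.get("auth_protocol"):
            findings.append("SNMPv3 selected but no authentication protocol chosen")
        # The procedure states the minimum length for the authentication password.
        if len(cfg.get("auth_password", "")) < 8:
            findings.append("auth_password must be at least 8 characters")
        if not cfg.get("encryption_protocol"):
            findings.append("SNMPv3 without an encryption protocol sends trap payloads in clear text")
        elif not cfg.get("encryption_password"):
            findings.append("encryption_protocol set but encryption_password is empty")
    else:
        findings.append(f"unknown snmp_version {version!r}")

    # Use Vulnerability Data needs the audits.xml path from the Vulnerability
    # Data File field, otherwise no CVE mapping happens.
    if cfg.get("use_vulnerability_data") and not cfg.get("vulnerability_data_file"):
        findings.append("use_vulnerability_data set but vulnerability_data_file is empty")

    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK_CONFIG", WEAK_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, lint_scanner_config(cfg) or ["ok"])
```

The linter does not replace the form's own validation; it is a way to review the values (and the weak defaults) before they are saved and deployed, and to document why SNMPv3 with both protocols set is the configuration to aim for.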
What to do next
Select one of the following options: