Adding an NMap remote result import

A remote results import retrieves completed NMap scan reports over SSH.

About this task

Scans must be generated in XML format by using the -oX option on your NMap scanner. After you add your NMap scanner, you must assign a scan schedule to specify how frequently the vulnerability data is imported from the scanner.

Procedure

  1. Click the Admin tab.
  2. Click the VA Scanners icon.
  3. Click Add.
  4. In the Scanner Name field, type a name to identify your NMap scanner.
  5. From the Managed Host list, select the managed host from your QRadar deployment that manages the scanner import.
  6. From the Type list, select Nessus Scanner.
  7. From the Collection Type list, select Remote Results Import.
  8. In the Server Hostname field, type the host name or IP address of the remote system that hosts the NMap client. Administrators should host NMap on a UNIX-based system with SSH enabled.
  9. Choose one of the following authentication options:
    Option Description
    Login Username
    To authenticate with a user name and password:
    1. In the Server Username field, type the user name that is required to access the remote system that hosts the NMap client.
    2. In the Login Password field, type the password that is associated with the user name.

    The password must not contain the ! character. This character might cause authentication failures over SSH.

    If the scanner is configured to use a password, the SSH scanner server that connects to QRadar must support password authentication.

    If it does not, SSH authentication for the scanner fails. Ensure the following line is displayed in your /etc/ssh/sshd_config file: PasswordAuthentication yes.

    If your scanner server does not use OpenSSH, see the vendor documentation for the scanner configuration information.

    Enable Key Authorization
    To authenticate with a key-based authentication file:
    1. Select the Enable Key Authentication check box.
    2. In the Private Key File field, type the directory path to the key file.
    The default directory for the key file is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.
    Important: The vis.ssh.key file must have vis qradar ownership. For example,
    # ls -al /opt/qradar/conf/vis.ssh.key
    -rw------- 1 vis qradar 1679 Aug  7 06:24 /opt/qradar/conf/vis.ssh.key
  10. In the Remote Folder field, type the directory location of the scan result files.

    Linux® example: /home/scans

    Windows example: /c:/zenmap

  11. In the Remote File Pattern field, type a regular expression (regex) that is required to filter the list of files that are specified in the remote folder. All matching files are included in the processing.
    The default regex pattern to retrieve NMap results is .*\.xml. The .*\.xml pattern imports all XML result files in the remote folder.
    Scan reports imported and processed are not deleted from the remote folder. You should schedule a cron job to delete previously processed scan reports.
  12. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
  13. When the Enable Strict HostKey Checking option is selected, the public key of the target host must match an entry in the Host Key list parameter.
    1. In the HostKey field, provide the Base64-encoded host keys to accept when connecting to the target host. The supported host key type is ssh-rsa. You can obtain this key by running the OpenSSH ssh-keyscan command on Linux or ssh-keyscan.exe on Windows, or by copying the public key directly from the target system, from a location such as /root/.ssh/known_hosts or /etc/ssh/ssh_host_rsa_key.pub. You must use only the Base64 value, not the hostname or algorithm. For example:
      AAAAB3NzaC1yc2EAAAADAQABAAABAQCkT8TfV0oPWOVihTKKtORG2DQVbbFocUvGct9lN4auSIADp4Ubi\nOzm44k0mIZtMOGfYBTHVzyI6A9nCROLiMrJ00QzwG1IihYwaTqlYbZJ3FSiSY2tz1G2C51SG9OeziDMxcnEY2cHkwGSrGowydz20KPbgzTedOQCp41PafmMlb7TMmJtjU23cfCmPAQQHWIFOLWe1hg3RMtWfj1sE+Fe7Tu+/XZvT4GPSM5YQECXIzXmrhENWo+tIlnCGq01sLNPQ2Fo8qI97uAOm0kx/wkWfJLEj9dsHl7kO6D1x3YESVrr+e\nOc2xDvAStJIb4qCks2CGZDI1I2pivoqjX+JTRL
  14. Click Save.
  15. On the Admin tab, click Deploy Changes.
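
One way to reduce ssh-keyscan, known_hosts or .pub lines to the bare Base64 value that the HostKey field in step 13 expects, and to compare a scanned key with a copy of the scanner host's own /etc/ssh/ssh_host_rsa_key.pub before it is accepted. This is an added example, not IBM code; the function names, scanner.example.test and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Sample keys are constructed placeholders.

# Print the Base64 blob of every ssh-rsa key read from stdin. Accepts
# ssh-keyscan output, known_hosts entries (plain or hashed) and
# ssh_host_rsa_key.pub lines.
extract_rsa_hostkey() {
    awk '
        # Skip blank lines, comments, ssh-keyscan banners and known_hosts
        # marker lines (@cert-authority, @revoked).
        NF == 0 || $1 ~ /^[#@]/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "ssh-rsa") continue
                # An ssh-rsa blob starts with the encoded algorithm name
                # and holds nothing but Base64 characters.
                if ($(i + 1) ~ "^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$")
                    print $(i + 1)
                else
                    print "line " NR ": malformed ssh-rsa key" > "/dev/stderr"
                next
            }
        }'
}

# Succeed only when the key offered on the network ($1: saved ssh-keyscan
# output) equals the key read on the scanner host itself ($2: a copy of
# /etc/ssh/ssh_host_rsa_key.pub). ssh-keyscan output alone is unauthenticated.
hostkey_matches() {
    scanned=$(extract_rsa_hostkey < "$1" | sort -u)
    trusted=$(extract_rsa_hostkey < "$2" | sort -u)
    [ -n "$trusted" ] && [ "$scanned" = "$trusted" ]
}

# Constructed sample: a banner, an RSA key and a key of an unsupported type.
sample='# scanner.example.test:22 SSH-2.0-OpenSSH_8.0
scanner.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSAMPLEkey0001
scanner.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSAMPLEkey0002'
printf '%s\n' "$sample" | extract_rsa_hostkey   # prints only the RSA blob
```

Paste the printed value into the HostKey field only after hostkey_matches succeeds against a key file copied from the scanner host over a trusted channel.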

What to do next

You are now ready to create a scan schedule. See Scheduling a vulnerability scan.