Adding a NMap remote result import

A remote results import retrieves completed NMap scan reports over SSH.

About this task

Scans must be generated in XML format by using the -oX option on your NMap scanner. After you add your NMap scanner, you must assign a scan schedule to specify the frequency that the vulnerability data is imported from scanner.

Procedure

  1. Click the Admin tab.
  2. Click the VA Scanners icon.
  3. Click Add.
  4. In the Scanner Name field, type a name to identify your NMap scanner.
  5. From the Managed Host list, select the managed host from your QRadar® deployment that manages the scanner import.
  6. From the Type list, select Nessus Scanner.
  7. From the Collection Type list, select Remote Results Import.
  8. In the Server Hostname field, type the host name or IP address of the remote system that hosts the NMap client. Administrators should host NMap on a UNIX-based system with SSH enabled.
  9. Choose one of the following authentication options:
    Option Description
    Login Username
    To authenticate with a user name and password:
    1. In the Server Username field, type the user name that is required to access the remote system that hosts the NMap client.
    2. In the Login Password field, type the password that is associated with the user name.

    The password must not contain the ! character. This character might cause authentication failures over SSH.

    If the scanner is configured to use a password, the SSH scanner server to that connects to QRadar must support password authentication.

    If it does not, SSH authentication for the scanner fails. Ensure the following line is displayed in your /etc/ssh/sshd_config file: PasswordAuthentication yes.

    If your scanner server does not use OpenSSH, see the vendor documentation for the scanner configuration information.
    Enable Key Authorization
    To authenticate with a key-based authentication file:
    1. Select the Enable Key Authentication check box.
    2. In the Private Key File field, type the directory path to the key file.
    The default directory for the key file is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.
    Important: The vis.ssh.key file must have vis qradar ownership. For example, 
    # ls -al /opt/qradar/conf/vis.ssh.key
-rw------- 1 vis qradar 1679 Aug  7 06:24 /opt/qradar/conf/vis.ssh.key
  10. In the Remote Folder field, type the directory location of the scan result files.

    Linux® example: /home/scans

    Windows example: /c:/zenmap

  11. In the Remote File Pattern field, type a regular expression (regex) that is required to filter the list of files that are specified in the remote folder. All matching files are included in the processing.
    The default regex pattern to retrieve NMap results is .*\.xml. The .*\.xml pattern imports all xml result files in the remote folder.
    Scan reports imported and processed are not deleted from the remote folder. You should schedule a cron job to delete previously processed scan reports.
  12. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
  13. Click Save.
  14. On the Admin tab, click Deploy Changes.

What to do next

You are now ready to create a scan schedule. See Scheduling a vulnerability scan.