Adding a SAINT Security Suite vulnerability scanner in QRadar
QRadar® uses the SAINT API to collect and import scan reports from your SAINT Security Suite appliance.
Before you begin
Procedure
- Log in to the QRadar Console.
- Click the Admin tab.
- Click the VA Scanners icon, and then click Add.
- In the Scanner Name field, type a name to identify your SAINT Security Suite scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
- On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
- On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select Saint Security Suite Scanner.
- In the API Hostname field, type the IP address or the host name for the SAINT API.
- In the API Port field, type the SAINT API port number. For more information about the API port, go to Obtaining the SAINT API port number.
- In the API Token field, type the SAINT API token. For more information about the SAINT API token, go to Obtaining the SAINT API token.
- From the Scan Type list, select one of the following scan type options:
  - Live Scan: QRadar creates and runs a new scan on the SAINT Security Suite appliance. After the scan completes, QRadar collects and imports a scan report from the SAINT Security Suite appliance.
  - Report Only: QRadar collects and imports scan reports for all scans that are already on the SAINT Security Suite appliance and that match the following requirements:
    - The scan is not older than the age specified in the Max Report Age field.
    - The scan level of the scan matches the specified Scan Level.
    - The target map of the scan has at least one IP address in common with the CIDR range.
    This option does not start new scans on the SAINT Security Suite appliance. To collect accurate results, ensure that relevant, regularly run scans are scheduled on the SAINT Security Suite appliance.
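As an added illustration of the three Report Only matching rules (this is not QRadar or SAINT code; the scan record fields and the SAMPLE_SCANS values are constructed assumptions), the following Python applies those rules to a handful of scan records so you can see which reports would be imported:

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of a SAINT scan listing; the field names are assumed for
# illustration and do not reflect the real SAINT API.
SAMPLE_SCANS = [
    {"id": "scan-1", "level": "Heavy/Vulnerability Scan",
     "finished": "2024-05-01T10:00:00", "targets": ["10.0.1.5", "10.0.1.9"]},
    {"id": "scan-2", "level": "Port Scan",
     "finished": "2024-05-01T11:00:00", "targets": ["10.0.1.7"]},
    {"id": "scan-3", "level": "Heavy/Vulnerability Scan",
     "finished": "2024-03-01T09:00:00", "targets": ["10.0.1.8"]},
    {"id": "scan-4", "level": "Heavy/Vulnerability Scan",
     "finished": "2024-05-02T08:00:00", "targets": ["192.168.50.2"]},
]


def overlaps_cidr(targets, cidr_ranges):
    """Rule 3: at least one target IP must fall inside a configured CIDR range."""
    nets = [ip_network(c, strict=False) for c in cidr_ranges]
    return any(ip_address(t) in n for t in targets for n in nets)


def select_reports(scans, scan_level, cidr_ranges, max_report_age_days, now_iso):
    """Return ids of the scans whose reports would be imported in Report Only mode.

    now_iso is the reference time (ISO 8601) against which Max Report Age is measured.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_report_age_days)
    chosen = []
    for scan in scans:
        if datetime.fromisoformat(scan["finished"]) < cutoff:
            continue  # rule 1: older than Max Report Age
        if scan["level"] != scan_level:
            continue  # rule 2: scan level does not match the configured Scan Level
        if not overlaps_cidr(scan["targets"], cidr_ranges):
            continue  # rule 3: no target in common with the CIDR range
        chosen.append(scan["id"])
    return chosen


if __name__ == "__main__":
    # scan-2 fails the level rule, scan-3 the age rule, scan-4 the CIDR rule.
    print(select_reports(SAMPLE_SCANS, "Heavy/Vulnerability Scan",
                         ["10.0.1.0/24"], 7, "2024-05-03T12:00:00"))
```

Widening the CIDR list or the Max Report Age admits the scans that were excluded by those rules, which is the lever to pull when a scheduled SAINT scan is unexpectedly missing from QRadar.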
- From the Scan Level list, select the scan level that you want to use from the following options.
  Note: On the SAINT Security Suite appliance and in SAINT Security Suite documentation, scan levels are referred to as scan policies. For more information about OVAL/SCAP scans, go to the SAINT Security Suite documentation website (my.saintcorporation.com/resources/documentation/help/saint8_help/saint_help.html). From the navigation pane, click User Guide > SCAP.
  - Normal: SAINT collects information to get the general character of a host and establishes the operating system type and, if possible, the software release version.
  - Heavy/Vulnerability Scan: Also known as the heavy policy. SAINT looks for services that are listening on TCP or UDP ports. Any services that are detected are scanned for known vulnerabilities. This scan includes SAINT's entire set of vulnerability checks, and is the scan policy that SAINT suggests you use in most situations.
  - Discovery: SAINT scans the targets and determines which targets have live hosts. This scan level completes only the minimum scanning that is required to identify live hosts, so the Discovery scan is not very intrusive.
  - Port Scan: SAINT identifies services that are listening on TCP or UDP ports.
  - Web Crawl: SAINT detects web directories on the targets by scanning ports for web services, and then finds directories by following HTML links, starting from the home page.
  - SQL/XSS: SAINT looks for SQL injection and cross-site scripting vulnerabilities on web servers. Both generic tests are included: SAINT finds HTML forms and tests all parameters for SQL injection and cross-site scripting, and then checks for known SQL injection and cross-site scripting vulnerabilities.
  - Windows Patch: SAINT looks for missing Windows patches. Most of the checks for Windows patches require Windows domain authentication.
  - Content Search: SAINT searches files on Windows and Linux®/Mac targets for credit card numbers, social security numbers, or any other patterns that are specified. Authentication is needed. If you are scanning a Linux/Mac target, SSH must be enabled.
  - PCI: SAINT scans the targets by using all vulnerability checks that are relevant for Payment Card Industry Data Security Standard (PCI DSS) compliance.
  - Anti-virus Information: Information is collected about installed AV software, such as the last scan date, whether it is enabled, definition file dates, and other information that is useful for auditing requirement 5 of the PCI DSS. Information is also collected on Windows versions for many AV software products, such as McAfee, Symantec, AVG, F-Secure, MS Forefront, and Trend Micro. Authentication is needed. Facts that contain the string '(Master)' indicate that an anti-virus server, manager, or admin is installed on the target.
  - FISMA: SAINT scans the targets by using all vulnerability checks that are relevant for Federal Information Security Management Act (FISMA) compliance.
  - Authentication Test: SAINT authenticates against the targets by using the credentials that are specified when you add the vulnerability scanner.
  - Win Password Guess: Completes password guess checks against Windows targets by using the password guess and password dictionary configuration options. Authentication is suggested so that SAINT can enumerate accounts.
  - Microsoft Patch Tuesday: Checks for the Microsoft Patch Tuesday vulnerabilities that were last published on the second Tuesday of the month. This scan level and its associated content are usually updated by SAINTexpress by noon on Wednesday.
  - Web Scan (OWASP Top 10): Checks for vulnerabilities in web servers and web applications, such as SQL injection, cross-site scripting, unpatched web server software, weak SSL ciphers, and other OWASP Top 10 vulnerabilities. It also enables file content checks. Authentication might be necessary for some of the checks that are included.
  - IAVA (Maps CVEs to IAVA codes): SAINT scans the targets by using all vulnerability checks that are relevant for Information Assurance Vulnerability Alert (IAVA) compliance.
  - OS Password Guess: Includes all SAINT password guess features that are designed to guess the operating system password. This policy includes checks for default FTP passwords, and dictionary-based password guesses through Telnet, SSH, and FTP. Authentication is suggested to ensure user account enumeration.
  - NERC CIP: SAINT scans the targets by using all vulnerability checks that are relevant for North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) compliance.
  - Software Inventory: Generates a list of software that is installed on Windows targets. Authentication is needed. The software list is generated by enumerating the uninstall key in the Windows registry. Only software that was registered with the operating system during installation is included. Software that was placed on the system without running an installer program is usually omitted. Registered software that was incorrectly removed from the system might be included in the list after removal.
  - HIPAA: SAINT scans the targets by using all vulnerability checks that are relevant for Health Insurance Portability and Accountability Act (HIPAA) compliance.
  - SOX: SAINT scans the targets by using all vulnerability checks that are relevant for Sarbanes-Oxley Act (SOX) compliance.
  - Mobile Device: The Mobile Device scan level queries Active Directory servers for information about mobile devices that use Exchange ActiveSync, and then uses that information to suggest vulnerabilities on those devices. The devices are listed in the scan results as separate targets even though those targets are not scanned.
    For this scan level to succeed, OpenLDAP must be installed on the scanning host, and the scan must run with Windows domain administrator credentials. For more information about authentication, go to the SAINT Security Suite documentation website, Step 4 – Authentication (my.saintcorporation.com/resources/documentation/help/saint8_help/scan.html#Step_4__Authentication).
    The target list must include at least one Active Directory server, and the SSL certificate for that Active Directory server must be installed and configured on the scanning host. For more information about Windows targets, go to the SAINT Security Suite documentation website, Authenticating to Windows Targets (my.saintcorporation.com/resources/documentation/help/saint8_help/scan.html#Windows_Targets).
  - Network Device: Checks for vulnerabilities in routers, switches, and other networking devices.
  - OVAL Scan: Runs an OVAL/SCAP scan. For more information about OVAL/SCAP scans, go to the SAINT Security Suite documentation website (my.saintcorporation.com/resources/documentation/help/saint8_help/saint_help.html). From the navigation pane, click User Guide > Using SAINT > SCAP.
  For more information about SAINT scan parameters, go to the SAINT Security Suite documentation website (my.saintcorporation.com/resources/documentation/help/saint8_help/saint_help.html). From the navigation pane, click User Guide > SCAN > Jobs Tab.
- If you selected OVAL Scan from the Scan Level list, type the name of the scan policy that you want to use in the OVAL Scan Policy Name field. OVAL/SCAP scans are types of scans that are based on benchmarks that are collected from authoritative sources.
- If you selected Live Scan for the scan type, provide the scan target credentials that are used to authenticate to targets during scans. From the Scan Target Credentials Type list, select one of the following options for the credentials that you want to use:
  Note: Scan Target credentials are ignored when Report Only is selected for the scan type.
  - None: Do not use any credentials.
  - HTTP Basic: Use credentials for HTTP basic authentication.
  - Linux/Unix/Mac (SSH): Use credentials for connecting to a Linux, UNIX, or Mac server through SSH.
  - Microsoft SQL Server: Use credentials for connecting to a Microsoft SQL Server database.
  - Oracle: Use credentials for connecting to an Oracle database.
  - Windows Admin: Use credentials of an administrator account on a Windows server.
  - Windows non-Admin: Use credentials of a non-administrator account on a Windows server.
  - MySQL: Use credentials for connecting to a MySQL database.
  - SNMPv3: Use SNMPv3 credentials.
- If you selected any option other than None from the Scan Target Credentials Type list, configure the following parameters for the Scan Target Credentials that you selected:
  - Scan Target Credentials Username: The user name for the scan target credential that you selected.
  - Scan Target Credentials Password: The password for the scan target credential that you selected.
- Optional: If you selected Linux/Unix/Mac (SSH) from the Scan Target Credentials Type list, specify the SSH Private Key.
- Optional: If you selected Oracle from the Scan Target Credentials Type list, you can specify an Oracle Service ID (SID) of an Oracle database instance by typing it in the Oracle SID field.
- Optional: If you selected SNMPv3 from the Scan Target Credentials Type list, complete the following steps:
  - Select one of the following checksum algorithm options from the SNMP Password Protocol list:
    - SHA: Select this option for the password that you typed in the Scan Target Credentials Password field to use the SHA protocol.
    - MD5: Select this option for the password that you typed in the Scan Target Credentials Password field to use the MD5 protocol.
  - Optional: You can specify an SNMP passphrase by typing it in the SNMP Passphrase field. If you specified an SNMP Passphrase, select one of the following options from the SNMP Passphrase Protocol list:
    - DES: Select this option for the passphrase that you typed in the SNMP Passphrase field to use the DES protocol.
    - AES: Select this option for the passphrase that you typed in the SNMP Passphrase field to use the AES protocol.
- If you selected Report Only from the Scan Type list, type the maximum age of scan reports that you want to import in the Max Report Age field.
- Configure CIDR ranges for the scanner:
- In the CIDR Ranges field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
- Click Add.
- Click Save.