IBM Support

QRadar: Troubleshooting NeXpose Rapid7 Scanners

Troubleshooting


Problem

We have had users report issues when setting up and using Nexpose Rapid7 scanners, and they have asked for methods to verify their configuration. Below are the most common issues, together with the test methods you can use to verify your Rapid7 configuration.

Resolving The Problem

Nexpose Site Id
In the QRadar Edit Scanner configuration screen, the field Nexpose Site Id requires a numeric value. Many users enter the Site Name as shown in the Site Listing section of the Nexpose console instead. This results in the following error in the qradar.log file:

Apr  7 10:53:01 172.16.x.x [vis0.vis] [Thread-7] com.q1labs.vis.scanners.rapid7_nexpose.NexposeModule: [WARN] [NOT:0000004000][172.16.x.x/- -] [-/- -]invalid site id, must be an integer


When you see this, log in to your Rapid7 console and locate the numeric site ID. The site ID is shown in the bottom status bar (circled in the image below).


Error code:3

We have seen Error Code:3 displayed when a non-standard port is used for the Rapid7 API. The default port is 3780, but it can be changed to 443 so the console can be reached without specifying a port. For integration with QRadar we recommend keeping the default port, as the integration will not try to connect on any other port.

Oct  4 13:00:21 127.0.0.1  [vis0.vis] [pool-3-thread-1] com.q1labs.vis.scanners.rapid7_nexpose.NexposeModule: [ERROR] [NOT:0000003000][10.20.x.x/- -] [-/- -]No output from the API. Error code:3"
Oct  4 13:00:21 127.0.0.1  [vis0.vis] [pool-3-thread-1] com.q1labs.vis.scanners.rapid7_nexpose.NexposeModule: [ERROR] [NOT:0000003000][10.20.x.x/- -] [-/- -]Failed to run Nexpose scanner. Error: 3 [192.168.1.2/32:1-2048]"


Invalid Password
The next common issue is an incorrect password. This usually shows up in the log file with the following error:

Apr  2 12:05:17 172.16.x.x [vis0.vis] [Thread-18] ComponentOutput: [ERROR] [NOT:0000003000][172.16.x.x/- -] [-/- -]ErrorStream nexpose_scan: <message>Authorization required for API access</message>
Apr  2 12:05:17 172.16.x.x [vis0.vis] [Thread-18] ComponentOutput: [ERROR] [NOT:0000003000][172.16.x.x/- -] [-/- -]ErrorStream nexpose_scan: <stacktrace>com.rapid7.net.http.HTTPException: Authorization required for API access

The quickest way to verify that you have the proper credentials is to log in to the web interface of your Rapid7 scanner system. Go to https://[your.scanner.ip]:3780/ and log in with the credentials your Rapid7 administrator provided for use with QRadar. If you cannot log in there, QRadar will not be able to either.

If you are able to log in to the web interface but QRadar still cannot connect, try manually running the script that QRadar uses to pull data.

Note: This procedure might not work in future releases of the Rapid7 scanner module, but it does work as of QRadar 6.3.0/6.3.1 with the 6.0.2 release of the scanner module.

[root@csd9 ~]# rpm -qa | grep Rapid7
VIS-6.3-Rapid7Nexpose-6.0-2
[root@csd9 ~]#

To test the command line utility, cd to /opt/qradar/bin and run q1_nexpose.pl with the following arguments: the Rapid7 scanner IP, the user ID, the site ID, an output file and 0. After you press Enter, the script waits for you to type the Rapid7 password.

q1_nexpose.pl [rapid7 server ip] [userid] [siteid] [outputfile] 0

[root@csd6 ~]# cd /opt/qradar/bin
[root@csd6 bin]# ./q1_nexpose.pl 172.16.x.x nxadmin 1 /tmp/nexpose.xml 0

Caching expired.
[root@csd6 bin]# ls -la /tmp/nexpose.xml 
-rw-r--r-- 1 root root 12977 Apr  8 14:15 /tmp/nexpose.xml
[root@csd6 bin]# head /tmp/nexpose.xml 
^172.16.x.x^embedded^tcp 0:CVE-1999-0524,tcp 22,tcp 53,udp 53,tcp 111,udp 111,udp 32771,tcp 47101,^
^172.16.x.x^embedded^tcp 0:CVE-1999-0524,tcp 22,tcp 53,udp 53,tcp 111,udp 111,udp 32771,tcp 54865,^
^172.16.x.x^JUNOS 8.5^tcp 0:CVE-1999-0524,tcp 22,tcp 23,tcp 80,udp 161,tcp 830,^
^172.16.x.x^Linux 2.6.9^tcp 22,tcp 80,tcp 443,tcp 514,tcp 10000,^
^172.16.x.x^Linux 2.6.18)^tcp 22,tcp 10000,^
^172.16.x.x^Linux 2.6.18)^tcp 22,tcp 80,tcp 443,tcp 514,tcp 10000,^
^172.16.x.x^Windows Server 2008 SP2^tcp 135,udp 137,tcp 139,tcp 445,tcp 3389,tcp 49152,tcp 49153,tcp 49154,tcp 49155,tcp 49156,tcp 50000,^
^172.16.75.100^Windows Server 2003, Enterprise Edition SP2^tcp 0:CVE-1999-0524:CVE-1999-0909:CVE-1999-0510:BID-646:CVE-1999-0875:BID-578:CVE-2008-0015,^
^172.16.x.x^Linux 2.6.18^tcp 0:BID-10183:CVE-2004-0230:CVE-1999-0524,tcp 22,tcp 5988,tcp 5989,^
^172.16.x.x^Linux 2.6.18^tcp 0:BID-10183:CVE-2004-0230:CVE-1999-0524,tcp 22,tcp 5988,tcp 5989,^
[root@csd6 bin]#


If you do not have the proper password, the output will probably look as follows:

[root@csd6 bin]# ./q1_nexpose.pl 172.16.x.x nxadmin 1 /tmp/nexpose.xml 0
badpassword
Caching file not present. Requesting data again.
<LoginResponse success="0">
<Failure>
<Exception>
<message>Authorization required for API access</message>
<stacktrace>com.rapid7.net.http.HTTPException: Authorization required for API access
        at com.rapid7.nexpose.nsc.http.proglets.api.LoginRequestHandler.validateRequest(Unknown Source)
</stacktrace>
</Exception>
</Failure>
</LoginResponse>
[root@csd6 bin]#
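To check the file that q1_nexpose.pl writes in either of the two states shown above, the following added Python example (not part of this technote and not QRadar code) parses the caret-delimited host records and detects the LoginResponse failure. The sample inputs are constructed to match the formats shown; the reading of each service entry as "proto port" followed by colon-separated vulnerability references is an assumption based on the output above.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample of a successful q1_nexpose.pl output file, in the
# ^host^os^service list^ layout shown in the technote. A service entry may
# carry colon-separated vulnerability references (CVE-/BID-), assumed here.
SAMPLE_OK = """^172.16.0.10^JUNOS 8.5^tcp 0:CVE-1999-0524,tcp 22,tcp 23,tcp 80,udp 161,tcp 830,^
^172.16.0.11^Linux 2.6.18^tcp 0:BID-10183:CVE-2004-0230:CVE-1999-0524,tcp 22,tcp 5988,tcp 5989,^
"""

# Constructed sample of the same file after an incorrect password.
SAMPLE_AUTH_FAIL = """<LoginResponse success="0">
<Failure>
<Exception>
<message>Authorization required for API access</message>
</Exception>
</Failure>
</LoginResponse>
"""

# One record per line: caret, host, caret, OS, caret, services, caret.
_RECORD = re.compile(r"^\^([^^]*)\^([^^]*)\^([^^]*)\^$")
_LOGIN_FAIL = re.compile(r'<LoginResponse success="0">.*?<message>(.*?)</message>', re.S)


def parse_services(field: str) -> Dict[str, List[str]]:
    """Split 'tcp 0:CVE-1999-0524,tcp 22,' into {'tcp 0': ['CVE-1999-0524'], 'tcp 22': []}."""
    services: Dict[str, List[str]] = {}
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue  # trailing comma before the closing caret
        name, *refs = item.split(":")
        services[name] = refs
    return services


def check_nexpose_output(text: str) -> Tuple[str, Union[str, List[dict]]]:
    """Classify a q1_nexpose.pl output file.

    Returns ('auth_failure', message) when the scanner rejected the login,
    otherwise ('ok', records) with one dict per ^host^os^services^ line.
    """
    m = _LOGIN_FAIL.search(text)
    if m:
        return "auth_failure", m.group(1)
    records = []
    for line in text.splitlines():
        rm = _RECORD.match(line.strip())
        if rm:
            host, os_name, svc = rm.groups()
            records.append({"host": host, "os": os_name, "services": parse_services(svc)})
    return "ok", records
```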


Historical Number

1100

Document Information

Modified date:
30 August 2018

UID

swg21622916