QRadar: Nessus 6 Scanner Support FAQ

Question & Answer


Question

This FAQ page discusses what administrators need to know about QRadar scan support for Tenable Nessus version 6.

Answer

Do my existing Nessus (XMLRPC) scanners configured in QRadar work with Nessus 6.x?


No, scanners added to QRadar for Nessus 5.x use the XMLRPC API for live scan or completed report imports. The XMLRPC API is not available for Nessus 6.x appliances, so administrators must configure a new scanner in QRadar specifically for Nessus 6.x to use the JSON API. Both live scan and completed scan report import are available for the JSON API in QRadar.



Do I need to import new certificates for my Nessus 6.x scanners?


Possibly. The upgrade from Nessus 5 to Nessus 6 should not require administrators to import a new certificate. If QRadar properly collected results from Nessus 5, then existing certificates should still be valid after upgrading to Nessus 6. However, if an administrator made changes to the appliance, the certificates expired, or a new certificate was created, then a new certificate that reflects the changes must be imported on the QRadar appliances for them to communicate properly.

The getcert.sh script must be run on the managed host that is configured for the scanner in QRadar. For more information, see the QRadar & Nessus: Certificate requirements section.


About Nessus 6 scanner configurations


To collect scan data from Nessus 6, you must add a new scanner to QRadar that uses the JSON API to retrieve data. QRadar has two JSON options for collecting scan data from Nessus version 6. Administrators who want to collect Nessus 6 data must use the JSON API scan options, as XML-RPC is not an available option with Nessus 6.x.

    • Scheduled Live Scan - JSON API - This scan option allows QRadar to use the Nessus JSON API to start a pre-configured scan. To start a live scan from QRadar, you must specify the scan name, policy name for the live scan data you want to retrieve, and the scanner name if more than one scanner is configured on the appliance.

      As the live scan runs, QRadar updates the percentage complete in the scan status. After the live scan completes, QRadar retrieves the scan results and updates the vulnerability assessment information for your assets.
    • Scheduled Completed Report Import - JSON API - For Nessus v6 only. This scan option allows QRadar to connect to your Nessus server and download data from any completed reports that match the report name and report age filters.


QRadar & Nessus: Certificate requirements


Before you add a Nessus scanner to QRadar, a server certificate is required on the QRadar appliance to successfully make HTTPS connections to collect data. Since this is a new scanner, the administrator must import a certificate for the Nessus scanner in QRadar.

To make this process easier for administrators, the QRadar appliance includes a script that imports the .pem file from the Nessus appliance and copies the certificate to the /opt/qradar/conf/trusted_certificates directory. The script converts the .pem certificate from the Nessus appliance to a .crt certificate that is usable by QRadar. When running the getcert.sh script, the QRadar administrator must specify the IP or hostname of the Nessus appliance and the port that the scanner appliance is configured to listen on, which on Nessus 6 appliances is port 8834.


Before importing a certificate
Administrators must run the getcert.sh script from the QRadar managed host that imports the Nessus scan data. If this is not the Console, then administrators need to SSH to the appropriate QRadar appliance and run the getcert.sh script. This ensures that the certificate is imported to the proper QRadar appliance. Administrators must repeat this process for each new scanner configured on the QRadar appliance.



Procedure
    1. Using SSH, log in to the QRadar Console as the root user.
    2. Optional. Using SSH, log in to the QRadar managed host that is importing the scan data as the root user.
    3. Navigate to the following directory: /opt/qradar/bin
    4. Type the following command to import the Nessus certificate: ./getcert.sh <IP or Hostname> 8834

      For example: ./getcert.sh 8.8.8.8 8834

      The script imports a .crt file whose name contains the IP or hostname of the scanner and the port. For example: /opt/qradar/conf/trusted_certificates/8.8.8.8_8834.crt.

    5. Repeat this process for each QRadar managed host that imports Nessus scan data.

    Results

    The Nessus .pem file is converted to a .crt file and added to /opt/qradar/conf/trusted_certificates on the QRadar appliance. Administrators can now add the Nessus scanner to QRadar, then schedule a scan to import the data.
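
The imported certificate goes stale when the Nessus certificate is changed or replaced, the case described under "Do I need to import new certificates for my Nessus 6.x scanners?". The following added example (not part of the IBM article or of QRadar) compares the SHA-256 fingerprint of the imported .crt with the certificate the Nessus server currently presents and reports whether getcert.sh must be run again. Assumptions: Python 3 is available on the host where it runs, the script name check_nessus_cert.py is hypothetical, and the .crt may be PEM or DER because the article does not state its encoding.

```python
import base64
import hashlib
import ssl
import sys
from pathlib import Path

# Directory named in the article; the <host>_<port>.crt file name pattern is
# taken from the article's example (8.8.8.8_8834.crt).
TRUST_DIR = Path("/opt/qradar/conf/trusted_certificates")
BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def der_bytes(raw: bytes) -> bytes:
    """Return DER bytes for a PEM or DER encoded certificate.
    Assumption: the on-disk encoding of the .crt is not stated, so accept both."""
    start = raw.find(BEGIN)
    if start == -1:
        return raw  # no PEM armour: treat the content as raw DER
    end = raw.index(END, start)
    return base64.b64decode(b"".join(raw[start + len(BEGIN):end].split()))

def fingerprint(raw: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der_bytes(raw)).hexdigest()

def imported_path(host: str, port: int = 8834, trust_dir=TRUST_DIR) -> Path:
    return Path(trust_dir) / f"{host}_{port}.crt"

def needs_reimport(imported: bytes, presented: bytes) -> bool:
    """True when the server no longer presents the certificate that was imported."""
    return fingerprint(imported) != fingerprint(presented)

def check(host: str, port: int = 8834, trust_dir=TRUST_DIR) -> str:
    """Return 'missing', 'stale' or 'ok' for one scanner."""
    path = imported_path(host, port, trust_dir)
    if not path.is_file():
        return "missing"  # getcert.sh has not been run on this managed host
    # Fetches the certificate without validating it; it is only hashed here.
    presented = ssl.get_server_certificate((host, port)).encode("ascii")
    return "stale" if needs_reimport(path.read_bytes(), presented) else "ok"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_nessus_cert.py <IP or Hostname> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8834
    state = check(host, port)
    print(f"{host}:{port} {state}")
    sys.exit(0 if state == "ok" else 1)
```

Run it on the same managed host that imports the scan data. A result of stale or missing means that getcert.sh must be run there before the next scheduled scan.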


Adding a Nessus 6 'Scheduled Live Scan - JSON API' to QRadar


The live scan option allows administrators to use the JSON API to communicate with the Nessus 6 appliance and start a pre-configured scan on the Nessus appliance. The administrator must provide the 'Scan Name', the 'Policy Name', and the proper credentials to start the Nessus scan remotely. While the scan is in progress on the Nessus appliance, status information is provided back to the QRadar administrator with the percentage complete. After the scan completes (100%), the JSON API is used to retrieve the completed scan results, and the vulnerability and asset data is added to QRadar.

Note: Administrators must first import the Nessus certificate before attempting to start a scheduled scan in QRadar, otherwise the scan will not complete.



    Figure 1: Screen capture of the Scheduled Live Scan - JSON API scanner configuration options.

Procedure
    1. Click the Admin tab.
    2. Click the VA Scanners icon.
    3. Click Add.
    4. In the Scanner Name field, type a name to identify your Nessus scanner.
    5. From the Managed Host list, select the managed host from your QRadar deployment that manages the scanner import.
      Note: The appliance you select in the Managed Host list is the QRadar appliance that the administrator must run the getcert.sh command from.
    6. From the Type list, select Nessus Scanner.
    7. From the Collection Type list, select Scheduled Live Scan - JSON API.
      Note: If you are configuring a Nessus 5 scanner, see the 'XMLRPC API Live Scan' options in the QRadar Vulnerability Guide. The JSON API is only for communicating with Nessus 6.x version scanners.
    8. In the Hostname field, type the IP address or hostname of the Nessus server.
    9. In the Port field, type the port number of the Nessus server. The default API port value is 8834.
    10. In the Username field, type the user name to access the Nessus server.
    11. In the Password field, type the password to access the Nessus server. Your Nessus server password must not contain the exclamation mark (!) character or authentication failures can occur.
    12. In the Scan Name field, type the name of the scan you want displayed when the live scan runs on the Nessus server.
      If this field is blank, the API attempts to start a live scan with the name 'QRadar Scan'. This field does not support the ampersand (&) character.
    13. In the Policy Name field, type the name of a policy on your Nessus server to start a live scan. The policy must exist on the Nessus server when the system attempts to start the scan. If the policy does not exist, then an error is displayed in the Status column. It is common for systems to have custom policy names, but several default policy names are included.

      For example, External Network Scan, Internal Network Scan, Web App Tests, Prepare for PCI DSS audits are default policy names.
    14. In the Scanner Name field, specify the name of the Nessus scanner to run the scan. If there are multiple Nessus scanners available in the deployment, then this field is required to identify which Nessus scanner will run the live scan.
    15. In the CIDR Ranges field, type and add a list of CIDR addresses that you want QRadar to import from the live scan. The Browse button can be used to select from the network list.
    16. Click Save.

      What to do next
      Administrators need to add a scan schedule to define the start of the Nessus live scan, the ports being scanned, the priority, and define if this is a one-time scan or if the scan repeats on a defined schedule.


Adding a Nessus 6 'Scheduled Completed Report Import - JSON API' scan to QRadar


A scheduled result import retrieves completed Nessus scan reports that are stored on the Nessus version 6 appliance. QRadar connects to the location of your scan reports using the JSON API and imports completed scan report files from the remote directory, using a regular expression or maximum report age to filter which reports are imported.


    Figure 2: Screen capture of the 'Scheduled Completed Report Import - JSON API' scanner configuration options.

Procedure
    1. Click the Admin tab.
    2. Click the VA Scanners icon.
    3. Click Add.
    4. In the Scanner Name field, type a name to identify your Nessus scanner.
    5. From the Managed Host list, select the managed host from your QRadar deployment that manages the scanner import.
      Note: The appliance you select in the Managed Host list is the QRadar appliance that the administrator must run the getcert.sh command from.
    6. From the Type list, select Nessus Scanner.
    7. From the Collection Type list, select Scheduled Completed Report Import - JSON API.
      Note: If you are configuring a Nessus 5 scanner, see the 'XMLRPC Completed Report Import' options in the QRadar Vulnerability Guide. The JSON API is only for communicating with Nessus 6.x version scanners.
    8. In the Hostname field, type the IP address or hostname of the Nessus server.
    9. In the Port field, type the port number of the Nessus server. The default API port value is 8834.
    10. In the Username field, type the user name to access the Nessus server.
    11. In the Password field, type the password to access the Nessus server. Your Nessus server password must not contain the exclamation mark (!) character or authentication failures can occur.
    12. In the Report Name Pattern field, type a regular expression (regex) required to filter the list of files specified on the Nessus server. All matching files are included in the processing. By default, the Report Name Pattern field contains .* as the regex pattern. The .* pattern imports all result files from the remote appliance.
    13. In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and time stamp on the report file are excluded when the scheduled scan starts. The default value is 7 days.
    14. In the CIDR Ranges field, type and add a list of CIDR addresses that you want QRadar to import from the live scan. The Browse button can be used to select from the network list.
    15. Click Save.

      What to do next
      Administrators need to add a scan schedule to define the start of the Nessus completed scan import, the ports being scanned, the priority, and define if this is a one-time scan or if the scan repeats on a defined schedule.

Document Information

Modified date:
10 May 2019

UID

swg21700982