ruessd Absent Member.

Tenable SC3 scan results into ArcSight

I am looking for an automated way to import Nessus scan data into ArcSight. Our Nessus endpoints are on Windows, SC3 on Linux. Since a flex connector does not exist to connect to the SC3 database, how can scan results be automatically saved to a Windows or Linux directory for a connector appliance to poll?

We are running Tenable Security Center 3, ArcSight ESM 4.0, ArcSight Connector Appliance 5.1-C5177.

Thank you,

David Ruess

deathbywedgie1 Frequent Contributor.

Re: Tenable SC3 scan results into ArcSight

How does Nessus store its output? (single-line/multi-line text file, CSV report, html, xml...?)

It may be possible to write a folder-following flex connector that monitors the output folder on the server where the report is stored that will pick up the new file every time one is written and then send it to ArcSight.

Todd Absent Member.

Re: Tenable SC3 scan results into ArcSight

TSC receives the scan results from the scanners in NSR format, which the Nessus connector can read.  We have moved away from TSC, but when we had it active one of our Unix engineers wrote a shell script that collected the .nsr files when they arrived at the TSC manager and copied them into a folder for the Nessus connector to parse.  I don't have access to the script, but this shouldn't be very hard to recreate.
ruessd Absent Member.

Re: Tenable SC3 scan results into ArcSight

Do you recall what directory the .nsr files are written to? I have been unable to find any .nessus, .nbe or .nsr files on the SC3 server. Thanks!
Todd Absent Member.

Re: Tenable SC3 scan results into ArcSight

Sorry but I did not have direct access to the TSC manager or the script that we used and am not sure what directory this was stored in.  I wish I could be of more help...
Knight Absent Member.

Answer: Tenable SC3 scan results into ArcSight

Hi,

The Tenable Security Center uses customers for saving the scan results.

This means that you will have the base folder of the security center that should be something like:

     /opt/sc3/customers/

Under this directory you will have the different customers (e.g. groups).

The scans will be saved individually for the different customers in a way that customer 1 has no access to the results of customer 2.

The scan files will be located under the subfolder VDB/<DATE> in the customer directory, in the form of an nsr.zip file.


So if you want to import the scan results regularly to the ArcSight:

  1. You have to create an ArcSight Nessus NSR file connector that listens to a directory like /home/arcsight/nessus-nsr/
  2. You have to write a script that will check if there is a new nsr.zip file in one of the directories (/opt/sc3/customers/<CustomerID>/VDB/*/*.nsr.zip), and do that for a list of the customer IDs.
  3. If there is a new nsr.zip file, copy it into a temp folder and then extract the content of the nsr.zip file into the folder that the ArcSight Nessus NSR file connector listens at (/home/arcsight/nessus-nsr/).
  4. Create a /home/arcsight/nessus-nsr/*nsr.done file, with touch for example.


If you automate the steps 1-4 everything should work.


Clear how I mean it?


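Steps 2 to 4 of the answer above could be scripted as follows; this is an added example, not the script mentioned in the thread and not code from any of the posters. The customer IDs, the ledger file, the `<customer>_<date>_` name prefix and the exact marker name (`<file>.nsr.done`) are assumptions; the two directory defaults are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: steps 2-4 of the answer as a script that cron can call.
# Defaults are the paths quoted in the answer; CUSTOMERS and STATE are assumptions.
SC_BASE="${SC_BASE:-/opt/sc3/customers}"
DEST="${DEST:-/home/arcsight/nessus-nsr}"
CUSTOMERS="${CUSTOMERS:-1 2}"                 # constructed customer IDs
STATE="${STATE:-/var/tmp/nsr-imported.list}"  # hypothetical ledger of handled archives

extract_zip() {   # $1 = archive, $2 = target directory
    if command -v unzip >/dev/null 2>&1; then
        unzip -q -o "$1" -d "$2"
    else
        python3 -m zipfile -e "$1" "$2"       # fallback when unzip is not installed
    fi
}

import_new_scans() {
    mkdir -p "$DEST" && touch "$STATE" || return 1
    for cid in $CUSTOMERS; do
        for zip in "$SC_BASE/$cid"/VDB/*/*.nsr.zip; do
            [ -f "$zip" ] || continue                   # glob matched nothing
            grep -qxF "$zip" "$STATE" && continue       # step 2: already imported
            day=$(basename "$(dirname "$zip")")
            tmp=$(mktemp -d) || return 1
            cp "$zip" "$tmp/in.zip"                     # step 3: work on a copy
            mkdir "$tmp/out"
            if extract_zip "$tmp/in.zip" "$tmp/out"; then
                # Publish only regular *.nsr files under a fixed name pattern,
                # so paths stored in the archive never decide where a file lands.
                find "$tmp/out" -type f -name '*.nsr' | while IFS= read -r f; do
                    name="${cid}_${day}_$(basename "$f")"
                    mv "$f" "$DEST/$name"
                    touch "$DEST/$name.done"            # step 4: marker after data
                done
                printf '%s\n' "$zip" >> "$STATE"
            else
                echo "extract failed, will retry: $zip" >&2
            fi
            rm -rf "$tmp"
        done
    done
}

if [ "${1:-}" = "--run" ]; then import_new_scans; fi
```

Run it from cron with `--run` as an account that can read the customer directories and write only to the connector folder; the ledger keeps an archive from being imported twice after the connector has consumed its files.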