Absent Member.

Problem with Scanner DB

Dear,

I have a problem with the correct configuration of the FlexConnector Scanner DB, which could read a database with vulnerabilities and put them into ESM. Generally I understand the concept of this connector (theoretically), but no events are generated after start.

The first query should give the ID for further queries, but in the log I found the line "Procesing job for ID [xxx]" and nothing happens. After a few seconds I can see only generic logstatus info.

Let me add that I wrote a Scanner XML connector for the same data (FOR XML query in SQL) and everything works fine - vulnerabilities, assets and events were generated in ESM.

Below you can find scanner and agent properties.

agents.maxAgents=1
agents[0].JDBCDriver=net.sourceforge.jtds.jdbc.Driver
agents[0].configfolder=
agents[0].database=Default
agents[0].dbcpcachestatements=false
agents[0].dbcpcheckouttimeout=600
agents[0].dbcpidletimeout=300
agents[0].dbcpmaxcheckout=-1
agents[0].dbcpmaxconn=5
agents[0].dbcpreap=300
agents[0].dbcprowprefetch=-1
agents[0].destination.count=1
agents[0].destination[0].agentid=###
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=###
agents[0].destination[0].type=loggersecure
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=###
agents[0].fcp.version=0
agents[0].id=###
agents[0].initretrysleeptime=60000
agents[0].jdbcquerytimeout=-1
agents[0].jdbctimeout=240000
agents[0].loopingenabled=false
agents[0].mode=Automatic
agents[0].password=###
agents[0].passwordchangeingcharactersets=UPPERCASE\=ABCDEFGHIJKLMNOPQRSTUVWXYZ,LOWERCASE\=abcdefghijklmnopqrstuvwxyz,NUMBER\=01234567890,SPECIAL\=+-\!@\#$%&*()
agents[0].passwordchangingcharactersetdelimiter=,
agents[0].passwordchangingenabled=false
agents[0].passwordchanginginterval=86400
agents[0].passwordchanginglength=16
agents[0].passwordchangingtemplate=UPPERCASE,NUMBER,SPECIAL,UPPERCASE|LOWERCASE|NUMBER,UPPERCASE|LOWERCASE|NUMBER|SPECIAL
agents[0].persistenceinterval=0
agents[0].preservedstatecount=10
agents[0].preservedstateinterval=30000
agents[0].preservestate=false
agents[0].rotationtimeout=30000
agents[0].sleeptime=5000
agents[0].startatid=0
agents[0].type=sdkscannerdatabase
agents[0].url=###
agents[0].useconnectionpool=true
agents[0].user=###
agents[0].usescannerspecificassetlocation=false
remote.management.ssl.organizational.unit=###

############################################################################

version.id=1
version.order=1

query=\
SELECT \
idVulnerabilityOccurrence,dateImport,pluginName,idStatus,idcve \
FROM \
dbo.ViewOpenNotNoneVulnerabilityOccurrenceData v1 \
LEFT JOIN dbo.ViewPluginVersionCveList v2 on v1.idPluginVersion=v2.idPluginVersion \
WHERE idVulnerabilityOccurrence>=? AND idcve is not null

scanjob.column.names=idVulnerabilityOccurrence,dateImport
scanjob.column.types=Integer,TimeStamp
scanjob.jobid.column.index=1
timestamp.field=dateImport
uniqueid.fields=idVulnerabilityOccurrence
event.name=pluginName
event.endTime=dateImport
event.deviceVendor=__getVendor("TEST")
event.deviceProduct=__stringConstant("TEST")
use.ip=false

extra.queries.count=1
last.data.query.index=1
host.query.index=1
extraevent[0].name=/scanner/device/vulnerability/aggregated

extra.queries[0].query= \
SELECT \
        idVulnerabilityOccurrence,dateImport,pluginName,riskFactor,idcve \
FROM \
        dbo.ViewOpenNotNoneVulnerabilityOccurrenceData v1 \
        LEFT JOIN dbo.ViewPluginVersionCveList v2 on v1.idPluginVersion=v2.idPluginVersion \
        WHERE idVulnerabilityOccurrence>? \

extra.queries[0].event.name=pluginName
extra.queries[0].event.deviceSeverity=riskFactor
extra.queries[0].severity.map.high.if.deviceSeverity=High
extra.queries[0].severity.map.medium.if.deviceSeverity=Medium
extra.queries[0].severity.map.low.if.deviceSeverity=Low
extra.queries[0].event.categoryTechnique=__stringConstant("/scanner/device/vulnerability")
#extra.queries[0].event.deviceEventClassId=__concatenate("PluginName=",pluginName,"Risk=",riskFactor,"%CVE=",idcve)

extra.queries[1].name=HostList
extra.queries[1].query= \
SELECT \
        idVulnerabilityOccurrence,dateImport,assetName,idcve \
FROM \
        dbo.ViewOpenNotNoneVulnerabilityOccurrenceData v1 \
        LEFT JOIN dbo.ViewPluginVersionCveList v2 on v1.idPluginVersion=v2.idPluginVersion \
WHERE idVulnerabilityOccurrence>?

extra.queries[1].event.destinationAddress=assetName
extra.queries[1].event.destinationHostName=assetName

############################################################################

Many thanks for help!

4 Replies

Absent Member.

Refresh - maybe someone knows how to do this connector?

Absent Member.

I have a similar problem. I am trying to get Retina eEye scanner data from an MS SQL DB. Queries -- Hosts, OS, Port and ScanID as PK, but no events show up or Assets are not updating.

Vice Admiral

Hi all,

Is this question still actual for you?

Regards,

Alexander

Vice Admiral

It's necessary to fix:

extra.queries.count=2

last.data.query.index=1

host.query.index=1

Maybe this advice will help someone.

Regards,

Alexander
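
A check for the mismatch corrected in the reply above, as an added example that is not part of the original thread or of any vendor tooling: it counts the `extra.queries[N]` blocks in a scanner properties file and compares that with `extra.queries.count`. The parser, the shortened sample text and the assumption that the `*.query.index` keys are zero-based like the bracket index are constructed for illustration.

```python
import re

# Constructed sample: the relevant keys from the question, with the queries shortened.
SAMPLE = r"""
extra.queries.count=1
last.data.query.index=1
host.query.index=1
extra.queries[0].query= \
SELECT idVulnerabilityOccurrence,riskFactor \
FROM dbo.ViewOpenNotNoneVulnerabilityOccurrenceData
extra.queries[0].event.name=pluginName
extra.queries[1].name=HostList
extra.queries[1].query=SELECT assetName FROM dbo.ViewOpenNotNoneVulnerabilityOccurrenceData
"""

def parse_properties(text):
    """Minimal Java-properties reader: '#' comments and backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # trailing "" flushes a dangling continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):               # value continues on the next line
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_extra_queries(props):
    """Return a list of findings; an empty list means the indices are consistent."""
    findings = []
    defined = sorted({int(m.group(1)) for k in props
                      if (m := re.match(r"extra\.queries\[(\d+)\]\.", k))})
    count = int(props.get("extra.queries.count", "0"))
    if count != len(defined):
        findings.append(f"extra.queries.count={count} but {len(defined)} "
                        f"extra.queries[N] blocks are defined {defined}")
    # Assumption: the *.query.index keys use the same zero-based N as extra.queries[N].
    for key in ("last.data.query.index", "host.query.index"):
        if key in props and int(props[key]) >= count:
            findings.append(f"{key}={props[key]} is outside the {count} declared queries")
    return findings

if __name__ == "__main__":
    for finding in check_extra_queries(parse_properties(SAMPLE)):
        print("WARNING:", finding)
```
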
