Configuring a Tenable Nessus Vulnerability Scanner

Firmware: 4.2

Collector: File Collector

To collect vulnerability data from a Tenable Nessus vulnerability scanner, you can either: 

Manually import the results of a single Nessus scan (see Manual Import of Nessus Scan Results), or

Define a schedule for import of Nessus scan results (see Automating Import of Nessus Scan Results).

Manual Import of Nessus Scan Results

With the steps below, you first export a Nessus report to a .nessus file and then save the file in a directory that TLC can reach. TLC accepts several formats for this file, but Tripwire recommends the .nessus v2 format. Because the export lists every scanned host together with its findings, limit access to that directory to the account TLC uses to read it.

To export and save the .nessus file, complete the following steps in the Nessus User Interface:

1. From the menu bar, click Reports.
2. Select the report to be exported. To select multiple reports, use the SHIFT key or CTRL key.
3. Click Download.
4. In the Download Report dialog, select the .nessus format and click Submit.
5. Save the file to a directory accessible by TLC.
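To see what a .nessus v2 export contains before you hand it to TLC, here is an added example (not Tripwire or Tenable code) that parses the v2 layout (Report > ReportHost > ReportItem) into per-host findings and rejects a v1 file, which TLC processes only with the Plugins XML file alongside it. The sample document, plugin IDs, plugin names and CVE strings are constructed for the example; only the element and attribute names follow the v2 layout.

```python
"""Parse a .nessus v2 export into per-host findings (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample (not a real scan result). Plugin IDs, names and CVE
# strings are made up; element and attribute names follow NessusClientData_v2.
SAMPLE_NESSUS_V2 = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="weekly-internal">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Linux Kernel 2.6</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="100001" pluginName="Service banner (example)"
                  pluginFamily="Service detection">
        <plugin_output>SSH-2.0-OpenSSH_5.3</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100002" pluginName="Outdated web server (example)"
                  pluginFamily="Web Servers">
        <risk_factor>High</risk_factor>
        <cve>CVE-2000-0001</cve>
        <cve>CVE-2000-0002</cve>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties><tag name="host-ip">192.0.2.11</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="100003" pluginName="SMB signing disabled (example)"
                  pluginFamily="Windows">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Minimal v1-style document, constructed only to exercise the format check.
SAMPLE_NESSUS_V1 = """<?xml version="1.0" ?>
<NessusClientData><Report name="old"></Report></NessusClientData>
"""


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    plugin_id: str
    severity: int          # 0 info, 1 low, 2 medium, 3 high, 4 critical
    name: str
    cves: list = field(default_factory=list)


def nessus_format(xml_text: str) -> str:
    """Return 'v1' or 'v2' from the root element name; raise on anything else."""
    root = ET.fromstring(xml_text)
    if root.tag == "NessusClientData_v2":
        return "v2"
    if root.tag == "NessusClientData":
        return "v1"
    raise ValueError(f"not a .nessus document (root element {root.tag!r})")


def parse_findings(xml_text: str) -> list:
    """Flatten every ReportItem of a v2 export into Finding records."""
    if nessus_format(xml_text) != "v2":
        raise ValueError("v1 export: re-export as v2 or supply the Plugins XML file")
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # Prefer the resolved host-ip tag; fall back to the ReportHost name.
        ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=ip,
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                plugin_id=item.get("pluginID", ""),
                severity=int(item.get("severity", "0")),
                name=item.get("pluginName", ""),
                cves=[c.text for c in item.findall("cve") if c.text],
            ))
    return findings


def severity_counts(findings: list, min_severity: int = 1) -> dict:
    """Per-host count of findings at or above min_severity (info dropped by default)."""
    return dict(Counter(f.host for f in findings if f.severity >= min_severity))


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS_V2)
    for f in found:
        print(f"{f.host}:{f.port}/{f.protocol} sev={f.severity} {f.plugin_id} {f.name} {f.cves}")
    print(severity_counts(found))
```

Run it against a real export by replacing SAMPLE_NESSUS_V2 with the file contents; a v1 file fails early with a clear message instead of silently producing no findings.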

Next

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.

Otherwise, see Adding a Monitored Asset for a new Log Source.

Automating Import of Nessus Scan Results

With the steps below, you can automate the process for importing vulnerability data from a Tenable Nessus vulnerability scanner.

Step 1. Configure the Nessus Vulnerability Scanner

To configure the Nessus scanner, complete the following steps on the Nessus host system:

1. Create a directory (known as the Results Directory) in which Nessus will save your scan results in a .nessus file (a.k.a., the Results File).
2. Add the following files to the Results Directory: 

The Nessus Plugins XML file

A new text file (known as the Targets File)

Note 

TLC uses the Plugins XML file to process scan results with the .nessus v1 format.

3. In the Targets File, add the IP addresses of the hosts to be scanned by the Nessus scanner. (Enter each IP address on a separate line.)
4. Create a batch file containing the following command: 

<nessus_install_dir>\nessus-client -q <host_name> <port> <username> <password> <targets_file> <results_file> -T nessus

where <nessus_install_dir> is the full path to the Nessus installation directory,

<host_name> is the IP address or host name of the Nessus host system,

<port> is the port on which the Nessus daemon on the host accepts nessus-client connections (1241 in a default installation); this is the scanner's own port, not the port TLC later uses to collect the results,

<username> and <password> are the login credentials of the Nessus user account with which the scan will run. Because the batch file stores this password in clear text, use a dedicated Nessus user with scanning rights only, and restrict the batch file's file-system permissions to the account that runs the scheduled task,

<targets_file> is the full path to the Targets File, and

<results_file> is the full path and name of the Results File (for example, C:\Results\results.nessus). The name of the Results File is up to your discretion, but it must include the .nessus extension.

5. On the Nessus host system, create a scheduled task (for example, a Windows Task Scheduler job) that runs the batch file.

When the scheduled task triggers the batch file, Nessus will scan the hosts in the Targets File and save the scan results in the Results File in the Results Directory.
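Because the scheduled task writes the Results File with no feedback to TLC, a scan that never ran, was cut short, or skipped unreachable hosts leaves TLC re-importing stale or partial data. The following added check (example code, not part of the Tripwire or Tenable products) compares the Targets File against the ReportHost entries in the Results File and reports targets with no results, and it flags a Results File that has not been refreshed recently. The target list, results document and file path are constructed for the example.

```python
"""Check the Results File against the Targets File after a scheduled scan (added example)."""
import ipaddress
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed inputs: addresses and results are made up.
TARGETS_TEXT = """192.0.2.10
192.0.2.11
192.0.2.12
"""

RESULTS_XML = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="nightly">
    <ReportHost name="192.0.2.10">
      <HostProperties><tag name="host-ip">192.0.2.10</tag></HostProperties>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties><tag name="host-ip">192.0.2.11</tag></HostProperties>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def read_targets(text: str) -> set:
    """Parse the Targets File: one IP address per line, blank lines ignored.
    Anything else is an error rather than a silent skip, because a typo here
    means that host is never scanned."""
    targets = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            targets.add(str(ipaddress.ip_address(line)))
        except ValueError as e:
            raise ValueError(f"Targets File line {n}: {line!r} is not an IP address") from e
    return targets


def scanned_hosts(xml_text: str) -> set:
    """Hosts that appear as ReportHost entries in a .nessus v2 Results File."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"expected NessusClientData_v2, got {root.tag!r}")
    hosts = set()
    for rh in root.iter("ReportHost"):
        hosts.add(rh.findtext("HostProperties/tag[@name='host-ip']") or rh.get("name"))
    return hosts


def missing_targets(targets_text: str, results_xml: str) -> set:
    """Targets with no ReportHost in the results (unreachable, skipped, or scan aborted)."""
    return read_targets(targets_text) - scanned_hosts(results_xml)


def results_file_is_fresh(path: str, max_age_hours: float) -> bool:
    """True if the Results File exists and was modified within max_age_hours.
    Catches a scheduled task that stopped running while TLC keeps importing the old file."""
    p = Path(path)
    if not p.is_file():
        return False
    return (time.time() - p.stat().st_mtime) <= max_age_hours * 3600


if __name__ == "__main__":
    # Path is a constructed placeholder; point it at your real Results File.
    print("fresh:", results_file_is_fresh(r"C:\Results\results.nessus", 24))
    print("missing targets:", sorted(missing_targets(TARGETS_TEXT, RESULTS_XML)))
```

Run this from the scheduled task after nessus-client returns, or from a separate job shortly before TLC's collection schedule fires, and alert on a non-empty missing set or a stale file.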

Step 2. Install and Configure an SSH Server on the TLC Manager

To install and configure the SSH server, complete the following steps on the TLC Manager:

1. Install the SSH server, and configure the server to listen for communications from your Nessus scanner on port 22. For instructions, see your SSH server's user documentation.

Caution 

In Step 3. Create Monitored Assets for the Nessus Vulnerability Scanner , you will add the File Collector to the Manager (if needed). When the File Collector is added to a Manager, TLC installs an SSH server on the Manager host system. To prevent conflicts between the two SSH servers, once the File Collector has been added to your Manager, you should change the Manager collection port field in the File Collector tab of the Manager's properties dialog to a port other than 22 (see Tabs in the Manager dialog).

2. Create an SSH user account with read permission to the Results Directory created in Step 1. Configure the Nessus Vulnerability Scanner. Give this account read access only; it needs no write permission to the Results Directory and no interactive shell.
3. Map a folder in the root path to the Results Directory. For example, if the Results Directory path is C:\Results\, you could map a virtual mount path of /Nessus.
4. Save your work and re-start the SSH server.

Step 3. Create Monitored Assets for the Nessus Vulnerability Scanner

To create your Nessus Assets, complete the following steps in the TLC Console: 

1. If needed, add and enable the File Collector in the Installed Modules tab of your TLC Manager (see Table 41).
2. Create a Monitored Asset for the Nessus system, as described in Configuring a Monitored Asset with a File Collector. At minimum, complete the following steps in the Monitored Asset's properties dialog:
a. In the Output Destinations tab, add an Event Database with an Input Type of File - Nessus.
b. In the Schedule tab, define a schedule for the collection of scan results.

c. In the File Collection tab (see Table 56):

i. Select SFTP as the download method.
ii. In the 'File server' field, enter the Nessus scanner's IP address.
iii. In the Port field, enter the port on which the SSH server configured in Step 2 listens (22, unless you changed it).
iv. In the Username and Password fields, enter the login credentials for the SSH user account created in Step 2. Install and Configure an SSH Server on the TLC Manager.
v. In the 'Log-file path' field, enter the paths to 1) the .nessus Results File and 2) the Nessus Plugins XML file in the Results Directory (see Step 1. Configure the Nessus Vulnerability Scanner), written as the SSH server presents them under the virtual mount path mapped in Step 2 (for example, /Nessus/results.nessus). Enter each path on a separate line.
3. Create a Monitored Asset for each system in the Targets File created in Step 1. Configure the Nessus Vulnerability Scanner. At minimum, assign the Correlation Engine as an Output Destination in the Output Destinations tab of each Monitored Asset.
4. Push updates to the Manager (see Pushing Updates to your Managers).

Next 

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.