Category Archives: Topics

Forever “reserved” CVEs

Forever “reserved” CVEs. In this post I would like to provide some links, that you can use to find out necessary information about vulnerability by its CVE ID. I also want to share my amazement, how the method of using the CVE identifiers is changing.

Reserved CVE

Traditionally, CVE was a global identifier that most of vulnerabilities had. Have you found malicious bug in some software? Send a brief description to MITRE and you will receive CVE id. Some time later NIST will analyze this CVE, will add CVSS vector and CPEs and will put a new item to the NVD database. MITRE and NVD CVE databases were really useful source of information.

Continue reading →

Processing Vulners collections using Python

3 Replies

Processing Vulners collections using Python. Vulners collection is a zip archive containing all available objects of some type (e.g. CentOS security bulletins or OpenVAS detection plugins) from the Vulners Knowledge Base. Let’s see how to work with this data using powerful Python scripting language. You can read more about Vulners itself at “Vulners – Google for hacker“.

Vulners Collections and python

All collections are listed at https://vulners.com/#stats:

Vulners Stats

Note a gray icon with black arrow. Press it to download particular vulners collection.

OpenVAS collection link: https://vulners.com/api/v3/archive/collection/?type=openvas

If you need to get all objects for further analysis, you don’t need to make huge amount simmilar Search API requests. You just need to download one file. It’s takes less time and efforts and makes less load on Vulners service.
Continue reading →

F-Secure API for scanning

1 Reply

F-Secure API for scanning. This post will be about API of F-Secure Radar. API become a crucial feature when you have to scan a range of thousands hosts and you can’t just add it in one Vulnerability Scanning task. As I mentioned earlier in “F-Secure Radar Vulnerability Management solution” Vulnerability Scanning in Radar is for known active IPs only, for ranges – Discovery Scans. Basically, in F-Secure Radar there is always one vulnerability scan for one host. Unusual concept, but it have some advantages. And it’s quite convenient when you work with Radar via API.

So, my plan for this post is to get active IPs from discovery scan report, create vulnerability scans, run them and get reports. All using API.

To use API you need to get API key at “F-Secure Radar -> Settings -> My profile”.

F-Secure Radar API key

To check that API is working we may send a request:

GET /v1/Scans/Types HTTP/1.1
Host: api.radar.f-secure.com
Content-Type: application/json; charset=utf-8
UserName: radar_user@corporation.com
APIKey: JDOBH9MV24ZOENMS94QCO8QP

Continue reading →

Nessus API for hosts scanning

7 Replies

Nessus API for hosts scanning. When I was writing earlier about Nessus API (“Retrieving scan results through Nessus API“) I have not mentioned how to create a new vulnerability scan task and launch it fully automatically. I assumed that all vulnerability scan entities was already created and scheduled in GUI, how it is often happens in a real life. However, managing the scans via Nessus API (run, pause, resume, stop) may be also useful, for example, when we need to automatically update vulnerability status of some host. Creating scan policy with API will be still out of scope of this post. We assume, that scan policy already exists.

Nessus API for scan management

API Description is still at https://192.168.56.101:8834/api# (where 192.168.56.101 is the IP address of your Nessus host). How to install Nessus read in “Tenable Nessus: registration, installation, scanning and reporting“.

Continue reading →

Qualys Vulnerability Management GUI and API

8 Replies

Qualys Vulnerability Management GUI and API. It has been a long time since I wrote something about Qualys, but today I will write not just about their free product or service, like SSL Labs, but about the main Cloud Platform.

Qualys VM GUI and API

Qualys pioneered cloud Vulnerability Management. How the cloud VM works? In simple terms, there is a web portal https://qualysguard.qualys.com (or .eu for Europe). You can login there, specify a list of IP addresses you want to check and Qualys server(-s) will scan this hosts and show you a vulnerability report.

Qualys Login

Ok, it’s clear with perimeter, but what if some hosts are only accessible from your internal network? In this case, you need to purchase Qualys network appliance, which will communicate Qualys server (read more at “Using Qualys Virtual Appliance“). You create a scan task on Qualys web portal to scan hosts in your internal network, Qualys server gives an order to appliance to gather information about these hosts and to send it back to the server for analysis. Most of the security analysis is done “in the cloud” by remote Qualys servers. End-user manage VM service either through Qualys web-portal GUI, or API.

Continue reading →

Export anything to Splunk with HTTP Event Collector

15 Replies

Export anything to Splunk with HTTP Event Collector. In a previous post I described how to export Nessus scan reports to Splunk server using standard app. Today let’s see how to export any structured data presented in JSON, including of course Nessus scan reports, to Splunk using HTTP Event Collector.

First of all, we should create new HTTP Event Collector

http://your_splunk_host:8000/en-US/manager/launcher/http-eventcollector

And press “New Token” button

Continue reading →

Tenable SecurityCenter and its API

20 Replies

Tenable SecurityCenter and its API. SecurityCenter is an enterprise level vulnerability management product of Tenable Network Security. As the name implies, the it is designed to be the center of Tenable security infrastructure. SecurityCenter takes data from other Tenable products: Passive Vulnerability Scanner (PVS), Log Correlation Engine (LCE), Nessus, and provides a powerful GUI interface for searching and reporting. Sounds familiar? Well, yes, it is something like SIEM, but with a strong emphasis on Vulnerability Management.

Tenable SecurityCenter 5

I’ve took this screenshot from SC5 video presentation in Spanish.

In this post, I certainly will not fully cover SC functionality and all the features of its API. I just would like to pay tribute to a convenient asset mechanism of SecurityCenter and show very basic operation of SecurityCenter API: retrieving the results of the vulnerability scanning (as I did it for Nessus in “Retrieving scan results through Nessus API“).
Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Topics

Forever “reserved” CVEs

Processing Vulners collections using Python

F-Secure API for scanning

Nessus API for hosts scanning

Qualys Vulnerability Management GUI and API

Export anything to Splunk with HTTP Event Collector

Tenable SecurityCenter and its API