I have already wrote earlier how to automatically retrieve data from the Vulners.com vulnerability database: if you need objects of some particular type, it’s better use Collection API, if you want to get different types of objects using advanced queries, your choice is Search API v.3.
But what if we want to get, not all the objects, but only new or modified ones in a some date range? How can we do it in Vulners?
Each object in Vulners (vulnerability, patch, bulletin, etc.) has a publication date, and modification date. You can see it if you open some Vulners object in json format, for example CVE-2017-6301:
It may seem like NGFW topic is not really related to vulnerability assessment and vulnerability management. In fact, correlation of security events in traffic with vulnerability scan data sometimes may give very interesting results. For example, if we have a Windows desktop host with critical vulnerabilities, it won’t be a big surprise to detect some botnet activity related to this host. Fixing of this hosts should be a high priority task. Moreover, Palo Alto NGFW now supports signatures for vulnerability detection, like Tenable PVS. It’s pretty logical: if you are already searching something in the network traffic, why not to look also for vulnerable software versions in the packet headers?
At the “Monitoring” tab of Palo Alto NGFW GUI web-interface you can see a flow of security events, produced by Palo Alto security rules, standard or custom. With PA query language you may easily filter this events. It is also possible to produce reports. However, the standard reports Palo Alto are not very informative and only represent some statistics of attacks without any additional information. Much more interesting reports you can make using Palo Alto API.
Small bash script to automate the work with Qrator Radar public API. The idea is to get autonomous system (AS) number of the organization by it’s name and retrieve all related IPv4 Prefixes. Why you may need it? To be sure, for example, that you scan all the hosts of organization available from the Internet for vulnerability management, penetration testing or bug bounty activity. For smaller organizations that don’t have own AS that obviously will not work.
I don’t say that it is a rocket science or something, but maybe someone will need to automate Tenable Support portal routine, and here will be a script, which can be used. My own case was to get expiration date for purchased and trial Tenable products. To know in advance when and what products should be bought and updated.
It turned out that getting this data from deployed products via APIs is not as trivial as it sounds, but I will write about this topic next time.
This post will be about API of F-Secure Radar. API become a crucial feature when you have to scan a range of thousands hosts and you can’t just add it in one Vulnerability Scanning task. As I mentioned earlier in “F-Secure Radar Vulnerability Management solution” Vulnerability Scanning in Radar is for known active IPs only, for ranges – Discovery Scans. Basically, in F-Secure Radar there is always one vulnerability scan for one host. Unusual concept, but it have some advantages. And it’s quite convenient when you work with Radar via API.
So, my plan for this post is to get active IPs from discovery scan report, create vulnerability scans, run them and get reports. All using API.
To use API you need to get API key at “F-Secure Radar -> Settings -> My profile”.
To check that API is working we may send a request:
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at firstname.lastname@example.org or contact me any other way.