To use CVE identifiers and descriptions, you must copy the audits.xml file from your eEye REM scanner to the managed host responsible for listening for SNMP data. If your managed host is in a distributed deployment, you must copy audits.xml to the Console first, and then copy the file over SSH to /opt/qradar/conf/audits.xml on the managed host. The default location of audits.xml on the eEye scanner is %ProgramFiles(x86)%\eEye Digital Security\Retina CS\Applications\RetinaManager\Database\audits.xml.
To receive the most up-to-date CVE information, periodically
update JSA with the latest audits.xml file.
You can add a scanner to collect vulnerability data over SNMP
from eEye REM or CS Retina scanners.
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify
your SecureScout server.
- From the Managed Host list, select an option that is based on one of the following platforms:
- From the Type list, select eEye REM Scanner.
- From the Import Type list, select SNMP.
- In the Base Directory field, type a location
to store the temporary files that contain the eEye REM scan data.
The default directory is /store/tmp/vis/eEye/.
- In the Cache Size field, type the number of
transactions you want to store in the cache before the SNMP data is
written to the temporary file. The default value is 40 transactions.
- In the Retention Period field, type the time
period, in days, that the system stores scan information.
If a scan schedule does not import data before the retention
period expires, the scan information from the cache is deleted.
- Select the Use Vulnerability Data check box
to correlate eEye vulnerabilities to Common Vulnerabilities and Exposures
(CVE) identifiers and description information.
- In the Vulnerability Data File field, type
the directory path to the eEye audits.xml file.
- In the Listen Port field, type the port number
that is used to monitor for incoming SNMP vulnerability information
from your eEye REM scanner.
The default port is 1162.
- In the Source Host field, type the IP address
of the eEye scanner.
- From the SNMP Version list, select the SNMP
protocol version.
The default protocol is SNMPv2.
- In the Community String field, type the SNMP
community string for the SNMPv2 protocol, for example, Public.
- From the Authentication Protocol list, select
the algorithm to authenticate SNMPv3 traps.
- In the Authentication Password field, type
the password that you want to use to authenticate SNMPv3 communication.
The password must include a minimum of 8 characters.
- From the Encryption Protocol list, select the
SNMPv3 decryption algorithm.
- In the Encryption Password field, type the
password to decrypt SNMPv3 traps.
- To configure a CIDR range for your scanner:
  - Type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
Select one of the following options:
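
Before you type the values into the Add Scanner form, you can check them against the constraints in the preceding steps. The following Python example is added here and is not JSA code; the dictionary keys, the function name review_scanner_config, and the sample values are assumptions made for the example.

```python
import ipaddress

# Keys are hypothetical names for the form fields in this example, not a JSA API.
DEFAULTS = {"listen_port": 1162, "snmp_version": "v2"}  # defaults stated in the steps
WEAK_COMMUNITIES = {"", "public", "private"}  # well-known default community strings

def review_scanner_config(cfg):
    """Return (severity, message) findings for a planned scanner configuration."""
    cfg = {**DEFAULTS, **cfg}
    findings = []
    port = cfg["listen_port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(("error", f"listen port {port!r} is not a valid port"))
    try:
        ipaddress.ip_address(cfg.get("source_host", ""))
    except ValueError:
        findings.append(("error", "source host must be the scanner's IP address"))
    for cidr in cfg.get("cidr_ranges", []):
        try:
            ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 10.0.0.5/24
        except ValueError:
            findings.append(("error", f"CIDR range {cidr!r} is malformed"))
    version = cfg["snmp_version"]
    if version == "v2":
        # The community string is the only secret and is sent in cleartext.
        findings.append(("warn", "SNMPv2 traps are unencrypted; prefer SNMPv3"))
        if cfg.get("community", "").lower() in WEAK_COMMUNITIES:
            findings.append(("warn", "community string is empty or a well-known default"))
    elif version == "v3":
        auth = cfg.get("auth_password", "")
        priv = cfg.get("encryption_password", "")
        if len(auth) < 8:  # minimum length stated in the steps
            findings.append(("error", "authentication password is under 8 characters"))
        if not priv:
            findings.append(("warn", "encryption password is empty"))
        elif priv == auth:
            findings.append(("warn", "authentication and encryption passwords are identical"))
    else:
        findings.append(("error", f"unknown SNMP version {version!r}"))
    return findings

# Constructed sample values (documentation address ranges, made-up passwords).
SAMPLE_V2 = {"source_host": "192.0.2.10", "community": "Public", "cidr_ranges": ["10.0.0.0/24"]}
SAMPLE_V3 = {"source_host": "192.0.2.10", "snmp_version": "v3", "auth_password": "short",
             "encryption_password": "short", "cidr_ranges": ["10.0.0.5/24"]}

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V3):
        print(review_scanner_config(sample))
```

An empty result means that the planned values pass every check; an error finding marks a value that conflicts with a constraint stated in the steps.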