09. 11. 2020 Franco Federico Log-SIEM, NetEye

CVE – Common Vulnerabilities and Exposures in NetEye

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system with funding from the National Cyber Security Division of the United States Department of Homeland Security. The system was officially launched for the public in September 1999.

The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE’s system as well as in the US National Vulnerability Database. The CVE site can be found at https://cve.mitre.org/.

Since we have NetEye SIEM, I’d like to collect CVE issues in NetEye.

With Inventory 2.7, OCS released the CVE Reporting feature, and this version is included in the latest version of NetEye. By enabling this feature, OCS Inventory can automatically query a CVE-search server for vulnerabilities that may apply to your inventoried software.

This is great news for us. But first, a warning: CVE Reporting is a feature for informational purposes only. OCS Inventory does not guarantee the accuracy of the information provided. However, this is a good starting point.

I have NetEye 4.14 for test purposes, so I dumped an OCS DB to test this feature. Here we have the following situation:

In order to use the CVE Reporting feature, it’s recommended to install a CVE-search server, which you can do by following its documentation.

We installed a CVE-search server on a separate server and we set it up following the documentation. When done, we have to configure CVE Reporting by setting the VULN_CVESEARCH_HOST:

Then we launch the php cron_cve.php command to initialize CVE reporting. During execution we can view the log of the CVE-search server and see what OCS is searching:

On NetEye we see this message while php cron_cve.php runs:

At the end of the run we can explore CVE reporting. The results can be found by clicking on Inventory – CVE-Reporting:

The CVSS value shows the level of danger of each vulnerability. What is CVSS?

CVSS stands for the Common Vulnerability Scoring System, an open and standardized method for rating the severity of IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.

  • Base Metrics are for qualities intrinsic to a vulnerability
  • Temporal Metrics are for characteristics that evolve over the lifetime of a vulnerability
  • Environmental Metrics are for vulnerabilities that depend on a particular implementation or environment

A numerical score is generated for each of these metric groups. A vector string (or simply “vector” in CVSSv2) represents the values of all the metrics as a compact block of text, for example AV:N/AC:L/Au:N/C:C/I:C/A:C.

Scores range from 0 to 10, with 10 being the most severe. Here’s an example of a 10 score:

To conclude, we now have within NetEye a report that shows all the vulnerabilities found by comparing the CVE database and the software installed on our assets.

Starting from a particular CVE vulnerability, we can also navigate until we find a list of servers/clients impacted:

Franco Federico

Hi, I’m Franco and I was born in Monza. Over the last 20 years I worked for IBM in various roles. I started as a customer service representative (help desk operator), then I was promoted to Windows expert. In 2004 I changed again and was promoted to consultant, business analyst, then Java developer, and finally technical support and system integrator for Enterprise Content Management (FileNet). Several years ago I became fascinated by the Open Source world, the GNU\Linux operating system, and security in general. And so in the last 4 years during my free time I studied security systems and computer networks in order to extend my knowledge. I came across several open source technologies including the Elastic stack (formerly ELK), and started to explore them and other similar ones like Grafana, Greylog, Snort, Grok, etc. I like to script in Python, too. In addition to studying in my free time I dedicate myself to my family (especially my little daughter) and I like walking, reading, dancing and making pizza for friends and relatives.
