2 changes: 1 addition & 1 deletion packages/tenable_sc/_dev/build/docs/README.md
Expand Up @@ -4,7 +4,7 @@ The Tenable.sc integration collects and parses data from the [Tenable.sc](https:

## Compatibility

This module has been tested against `Tenable.sc version 5.18`
This module has been tested against `Tenable.sc version 5.22`.

## Requirements

5 changes: 5 additions & 0 deletions packages/tenable_sc/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.4.1"
changes:
- description: Fix an indefinite pagination bug by adding explicit pagination termination conditions. In Agent versions >= 8.2.0 pagination termination was never happening.
type: bugfix
link: https://github.com/elastic/integrations/pull/3961
- version: "1.4.0"
changes:
- description: Update package to ECS 8.4.0
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ request.transforms:
# Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
# NOTE: The "Build" version must be kept in sync with this package's version.
target: header.User-Agent
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
- set:
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]'
- set:
target: body.query.tool
value: 'sumip'
- append:
Expand All @@ -35,32 +35,32 @@ request.transforms:
"value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]"
}
value_type: json
- set:
- set:
target: body.query.type
value: 'vuln'
- set:
- set:
target: body.sourceType
value: 'cumulative'
- set:
- set:
target: body.startOffset
value: 0
- set:
- set:
target: body.endOffset
value: {{batch_size}}
- set:
- set:
target: body.type
value: 'vuln'
- set:
target: header.x-apikey
value: 'accesskey={{access_key}}; secretkey={{secret_key}}'
response.split:
target: body.response.results
response.pagination:
response.pagination:
- set:
target: body.startOffset
value: '[[toInt .last_response.body.response.endOffset]]'
value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[else]][[.last_response.terminate_pagination]][[end]]'
fail_on_template_error: true
- set:
- set:
target: body.endOffset
value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
fail_on_template_error: true
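Review bot: The termination branch of the new `body.startOffset` template, `[[else]][[.last_response.terminate_pagination]][[end]]`, ends pagination only because, as far as I can tell, `.last_response.terminate_pagination` evaluates to an empty template result that httpjson treats as end-of-pagination; nothing on the line says so, and the same construct is repeated in the plugin stream section (using `len .last_response.body.response`) and the vulnerability stream section below. A one-line comment above that `value:` would make the intent maintainable, e.g. `# Stop paginating once a page returns no records: the else branch yields an empty template result, which httpjson treats as the end of pagination.` Note also that the guard compares `returnedRecords` with 0 rather than with `{{batch_size}}`, so a final partial page still costs one extra empty request before termination; that is correct behaviour, just worth stating in the same comment if it is intended. The enclosing `request.transforms` list and this file's header start before the hunk.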
16 changes: 8 additions & 8 deletions packages/tenable_sc/data_stream/asset/sample_event.json
@@ -1,8 +1,8 @@
{
"@timestamp": "2022-02-14T16:30:33.654Z",
"@timestamp": "2022-08-05T07:41:25.259Z",
"agent": {
"ephemeral_id": "2bf50bac-f76f-4c1a-b758-e2f62bffd73d",
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"ephemeral_id": "08f233b0-4102-4a26-a631-e3339f030cdb",
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.0"
Expand All @@ -13,19 +13,19 @@
"type": "logs"
},
"ecs": {
"version": "8.3.0"
"version": "8.4.0"
},
"elastic_agent": {
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"snapshot": true,
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"snapshot": false,
"version": "8.2.0"
},
"event": {
"agent_id_status": "verified",
"category": "host",
"created": "2022-02-14T16:30:33.654Z",
"created": "2022-08-05T07:41:25.259Z",
"dataset": "tenable_sc.asset",
"ingested": "2022-02-14T16:30:37Z",
"ingested": "2022-08-05T07:41:28Z",
"kind": "state",
"original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}",
"type": "info"
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ request.transforms:
# Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
# NOTE: The "Build" version must be kept in sync with this package's version.
target: header.User-Agent
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
- set:
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]'
- set:
target: url.params.fields
value: id,name,description,family,type,copyright,version,sourceFile,dependencies,requiredPorts,requiredUDPPorts,cpe,srcPort,dstPort,protocol,riskFactor,solution,seeAlso,synopsis,checkType,exploitEase,exploitAvailable,exploitFrameworks,cvssVector,cvssVectorBF,baseScore,temporalScore,cvssV3Vector,cvssV3VectorBF,cvssV3BaseScore,cvssV3TemporalScore,vprScore,vprContext,stigSeverity,pluginPubDate,pluginModDate,patchPubDate,patchModDate,vulnPubDate,modifiedTime,md5,xrefs
- set:
Expand All @@ -39,18 +39,18 @@ request.transforms:
- set:
target: url.params.sortDirection
value: ASC
- set:
- set:
target: url.params.startOffset
value: 0
- set:
- set:
target: url.params.endOffset
value: {{batch_size}}
response.pagination:
response.pagination:
- set:
target: url.params.startOffset
value: '[[toInt (.last_response.url.params.Get "endOffset")]]'
value: '[[if (ne (len .last_response.body.response) 0)]][[toInt (.last_response.url.params.Get "endOffset")]][[else]][[.last_response.terminate_pagination]][[end]]'
fail_on_template_error: true
- set:
- set:
target: url.params.endOffset
value: '[[add (toInt (.last_response.url.params.Get "endOffset")) {{batch_size}}]]'
fail_on_template_error: true
14 changes: 7 additions & 7 deletions packages/tenable_sc/data_stream/plugin/sample_event.json
@@ -1,8 +1,8 @@
{
"@timestamp": "2021-09-27T01:33:53.000Z",
"agent": {
"ephemeral_id": "a8c9d489-b7e1-486f-b50e-7b2cba60651a",
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"ephemeral_id": "a3549a4b-827d-45b3-b9a0-f4a74879ed47",
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.0"
Expand All @@ -13,18 +13,18 @@
"type": "logs"
},
"ecs": {
"version": "8.3.0"
"version": "8.4.0"
},
"elastic_agent": {
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"snapshot": true,
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"snapshot": false,
"version": "8.2.0"
},
"event": {
"agent_id_status": "verified",
"created": "2022-02-14T16:31:46.081Z",
"created": "2022-08-05T07:42:26.483Z",
"dataset": "tenable_sc.plugin",
"ingested": "2022-02-14T16:31:49Z",
"ingested": "2022-08-05T07:42:29Z",
"kind": "event",
"original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact 
Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
"type": "info"
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ request.transforms:
# Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
# NOTE: The "Build" version must be kept in sync with this package's version.
target: header.User-Agent
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
- set:
value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]'
- set:
target: body.query.tool
value: 'vulndetails'
- append:
Expand All @@ -35,38 +35,38 @@ request.transforms:
"value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]"
}
value_type: json
- set:
- set:
target: body.query.type
value: 'vuln'
- set:
- set:
target: body.startOffset
value: 0
- set:
- set:
target: body.endOffset
value: {{batch_size}}
- set:
- set:
target: body.sourceType
value: 'cumulative'
- set:
- set:
target: body.sortField
value: 'lastSeen'
- set:
- set:
target: body.sort_direction
value: 'ASC'
- set:
- set:
target: body.type
value: 'vuln'
- set:
target: header.x-apikey
value: 'accesskey={{access_key}}; secretkey={{secret_key}}'
response.split:
target: body.response.results
response.pagination:
response.pagination:
- set:
target: body.startOffset
value: '[[toInt .last_response.body.response.endOffset]]'
value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[else]][[.last_response.terminate_pagination]][[end]]'
fail_on_template_error: true
- set:
- set:
target: body.endOffset
value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
fail_on_template_error: true
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
{
"@timestamp": "2021-09-25T16:08:45.000Z",
"agent": {
"ephemeral_id": "e54df727-cc1b-4dcf-8dd5-6d4c93723135",
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"ephemeral_id": "cf27b2ee-f5a5-4903-8cb5-dd438e02fbf1",
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.0"
Expand All @@ -13,19 +13,19 @@
"type": "logs"
},
"ecs": {
"version": "8.3.0"
"version": "8.4.0"
},
"elastic_agent": {
"id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
"snapshot": true,
"id": "652f8609-1989-4515-8c01-c16c9e892066",
"snapshot": false,
"version": "8.2.0"
},
"event": {
"agent_id_status": "verified",
"category": "threat",
"created": "2022-02-14T16:32:52.226Z",
"created": "2022-08-05T07:43:39.730Z",
"dataset": "tenable_sc.vulnerability",
"ingested": "2022-02-14T16:32:55Z",
"ingested": "2022-08-05T07:43:43Z",
"kind": "event",
"original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible 
to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}",
"type": "info"