Knowledge Base


0

Ruby script help for Dynamic Asset Groups based on subnet ranges

I will admit I am pretty new to Nexpose and Ruby and am trying to run a script for creating a dynamic asset group based on a network mapping file. I found a script that looks like it should do it but I am getting an error in Ruby. I feel like I am missing something small here. The input file will be a CSV file that is pretty large (1000s of rows) and is just a breakdown of locations based on CIDR notation and the name of the group that I want it to be in.

Example input file (CSV):

```
10.1.2.0/24 DAG1
10.2.200.0/24 DAG2
10.1.15.0/24 DAG1
10.33.0.0/16 DAG3
10.1.223.0/24 DAG1
10.22.2.0/24 DAG2
```

The result I would expect is a Dynamic Asset Group with the name and all the collective CIDRs added to the site:

- DAG1 contains 10.1.2.0/24, 10.1.15.0/24, 10.1.223.0/24
- DAG2 contains 10.2.200.0/24, 10.22.2.0/24
- DAG3 contains 10.33.0.0/16

Script that I have been working with; I addressed other Ruby errors but seem to be stuck now.

```ruby
#ruby 2.3.1
gem 'netaddr', '~> 1.5'   # netaddr 2.x no longer defines NetAddr::CIDR; pin the 1.x API this script is written against
require 'nexpose'          #4.0.4
require 'csv'
require 'highline/import'  #1.7.8
require 'netaddr'          #1.5.1
include Nexpose
include NetAddr

#Default value: insert host ip in ' '
@host = '127.0.0.1'

#Prompt user for username and password
def get_username(prompt = 'username: ')
  ask(prompt) { |query| query.echo = true }
end
@user = get_username

def get_password(prompt = 'Password: ')
  ask(prompt) { |query| query.echo = '*' }  # mask the password instead of echoing it to the terminal
end
@password = get_password

#log in to Nexpose
nsc = Connection.new(@host, @user, @password)
nsc.login

#parse data from csv; the file needs a header row: subnet,site_code
CSV.foreach("network.csv", headers: true) do |row|
  ip = NetAddr::CIDR.create(row['subnet'])  # fully qualified so the constant resolves regardless of include order
  criterion = Criterion.new(Search::Field::IP_RANGE, Search::Operator::IN, [ip.first, ip.last])
  criteria = Criteria.new(criterion)
  dag = DynamicAssetGroup.new(row['site_code'], criteria)
  dag.save(nsc)
end

nsc.logout
exit
```

Here is the result when running the script...

```
user@server:/opt/rapid7/scripts$ sudo ruby 20180122-Rapid7DAGLocationAutomation.rb
username: nexpose admin
Password: password
20180122-Rapid7DAGLocationAutomation.rb:31:in `block in <main>': uninitialized constant CIDR (NameError)
	from /usr/lib/ruby/2.3.0/csv.rb:1748:in `each'
	from /usr/lib/ruby/2.3.0/csv.rb:1131:in `block in foreach'
	from /usr/lib/ruby/2.3.0/csv.rb:1282:in `open'
	from /usr/lib/ruby/2.3.0/csv.rb:1130:in `foreach'
	from 20180122-Rapid7DAGLocationAutomation.rb:30:in `<main>'
user@server:/opt/rapid7/scripts$
```

Posted by Tom Sikma 10 months ago
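The expected results in the question group several subnets under one asset group name, while the script creates a separate group for every CSV row. The following is an added example, not code from the question or from the nexpose gem, that does the grouping first and computes each subnet's first and last address with Ruby's standard-library `IPAddr`, so the planning step runs without netaddr or a console. The CSV header names (`subnet`, `site_code`) are the ones the question's script reads; the sample rows are constructed, with one bad row added to show error reporting. `save_asset_groups` maps the plan onto the gem constructors the question's script already calls and assumes `Nexpose::Criteria.new` accepts a second `match` argument (`'OR'`); it is only meant to be called with the gem loaded and a logged-in connection.

```ruby
require 'csv'
require 'ipaddr'

# Constructed sample input in the layout the question describes, plus the
# header row that CSV.foreach(headers: true) needs and one deliberately bad row.
SAMPLE_CSV = <<~CSV
  subnet,site_code
  10.1.2.0/24,DAG1
  10.2.200.0/24,DAG2
  10.1.15.0/24,DAG1
  10.33.0.0/16,DAG3
  10.1.223.0/24,DAG1
  10.22.2.0/24,DAG2
  not-a-subnet,DAG2
CSV

# Turn one CIDR into the [first, last] address pair that an IP_RANGE / IN
# criterion takes. IPAddr masks off host bits, so "10.1.2.5/24" becomes
# 10.1.2.0/24, and the range covers the whole block including the network
# and broadcast addresses.
def cidr_range(cidr)
  range = IPAddr.new(cidr.strip).to_range
  [range.first.to_s, range.last.to_s]
end

# Group the rows by site_code so each asset group is created once with all of
# its subnets, instead of one group per CSV row. Returns [groups, errors]:
# groups maps a name to its list of [first, last] pairs; errors lists the rows
# that could not be used (1-based line numbers, header on line 1).
def plan_asset_groups(csv_text)
  groups = Hash.new { |h, k| h[k] = [] }
  errors = []
  CSV.parse(csv_text, headers: true).each_with_index do |row, i|
    line = i + 2
    subnet = row['subnet'].to_s.strip
    name = row['site_code'].to_s.strip
    if subnet.empty? || name.empty?
      errors << "line #{line}: missing subnet or site_code"
      next
    end
    begin
      range = cidr_range(subnet)
    rescue ArgumentError => e # IPAddr::InvalidAddressError and friends subclass ArgumentError
      errors << "line #{line}: #{subnet.inspect} rejected (#{e.message})"
      next
    end
    groups[name] << range unless groups[name].include?(range) # drop duplicate subnets
  end
  [groups, errors]
end

# Maps a plan onto the nexpose gem's objects. Assumed signatures: the ones the
# question's script uses, plus Criteria.new's second argument set to 'OR' so an
# asset in any of the group's subnets matches. Call only with the gem loaded
# and an authenticated Nexpose::Connection (hypothetical usage, not run here).
def save_asset_groups(groups, nsc)
  groups.map do |name, ranges|
    criteria = ranges.map do |first, last|
      Nexpose::Criterion.new(Nexpose::Search::Field::IP_RANGE,
                             Nexpose::Search::Operator::IN, [first, last])
    end
    dag = Nexpose::DynamicAssetGroup.new(name, Nexpose::Criteria.new(criteria, 'OR'))
    dag.save(nsc)
    dag
  end
end

if __FILE__ == $PROGRAM_NAME
  groups, errors = plan_asset_groups(SAMPLE_CSV)
  groups.each { |name, ranges| puts "#{name}: #{ranges.map { |a, b| "#{a}-#{b}" }.join(', ')}" }
  errors.each { |msg| warn msg }
end
```

Running the planner on the sample prints one line per group (DAG1 with its three /24 ranges, DAG2 with two, DAG3 with the /16) and a warning for line 8. Separating the plan from the save step also makes it easy to review what will be created before anything is written to the console.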

2
ANSWERED

InsightVM / Nexpose: Setting Up and Troubleshooting LDAP Authentication

It can be a bit tricky setting up LDAP authentication with Nexpose, so I’ve created this discussion to cover some known issues / limitations with LDAP configuration and Nexpose and provide a few common configurations and troubleshooting steps.

When setting up LDAP authentication with Nexpose, it is important to remember that you need to use the exact DNS hostname in the ‘server name’ field. We are eventually looking at allowing a round robin host name, but this functionality is not in the product yet, and I would say this is the source of most of the LDAP cases that are opened with support.

If you are unsure of the DNS hostname you should be using, you can either locate it via nslookup, or alternatively you can download a free tool called Softerra LDAP Browser to verify it. Configuring Softerra is relatively easy and you basically just need to:

1. create a new profile
2. put in the host name (i.e. example.rapid7.com)
3. bind as the currently logged on user
4. hit next then finish

Once it is set up, you want to use the dnsHostName value for the Server name field. If for some reason you do not see this value, you can also run a CSV export and find it there.

Once you have verified you have the correct DNS hostname (and are not attempting to use a round robin name for the server name field), here are some common configurations you can use to get LDAP authentication working.

### Typical LDAP Configuration (Global Catalog):

- Enable authentication source needs to be checked.
- Name can be whatever
- Server name needs to be the exact DNS hostname for their AD server
- Server Port – 3269 (or you can choose port 3268 and uncheck SSL)
- Require secure communications SSL - checked
- Permitted authentication methods - blank
- Follow LDAP referrals - unchecked
- LDAP search base - blank
- Click AD global catalog

### Alternate LDAP Configuration (Regular AD)

- Enable authentication source needs to be checked.
- Name can be whatever
- Server name needs to be the exact DNS hostname for their AD server
- Server Port – 636 (or you can choose port 389 and uncheck SSL)
- Require secure communications SSL - checked
- Permitted authentication methods - blank
- Follow LDAP referrals - unchecked
- LDAP search base - blank
- Click AD

Once you have finished setting this up (under Administration > Console > Administer > Authentication), the last thing you need to do is set up the user profiles. To do this you just need to go to Administration > Users > Create, select the LDAP authentication source you just created from the drop-down, and then enter the username and full name values as they appear in your Active Directory.

If you still run into issues, one of the most helpful logs is the auth.log, since you can actually see the login failure in that log and usually get an LDAP error code.

Posted by Rahul Chaturvedi 10 months ago
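The two configurations above reduce to a few checks an administrator can run before opening the console: the server name must be a single host's DNS name rather than an IP or a round robin alias, the port must agree with the SSL and global catalog choices, and, when SSL is ticked, the certificate the server presents has to actually name that host. The following is an added example, not part of the post or of Nexpose, that scripts those checks in Ruby using only the standard library. The port pairings come from the post; the hypothetical hostnames in the comments are placeholders, and the `resolver:` parameter exists so the name classification can be exercised without live DNS.

```ruby
require 'ipaddr'
require 'resolv'
require 'socket'
require 'openssl'

# Port / SSL / global catalog pairings from the two configurations in the post.
LDAP_PORTS = {
  389  => { ssl: false, global_catalog: false },
  636  => { ssl: true,  global_catalog: false },
  3268 => { ssl: false, global_catalog: true },
  3269 => { ssl: true,  global_catalog: true }
}.freeze

# Returns the mismatches between the chosen port and the "Require secure
# communications SSL" / "AD global catalog" choices; an empty list means the
# three settings are consistent with each other.
def check_port_settings(port, ssl:, global_catalog:)
  expected = LDAP_PORTS[port]
  return ["port #{port} is not a standard LDAP or global catalog port"] unless expected
  problems = []
  problems << "port #{port} #{expected[:ssl] ? 'requires' : 'does not use'} SSL" if ssl != expected[:ssl]
  if global_catalog != expected[:global_catalog]
    problems << "port #{port} #{expected[:global_catalog] ? 'is a global catalog port, tick AD global catalog' : 'is a regular AD port, tick AD'}"
  end
  problems
end

# Classifies what was typed into "Server name". A name that resolves to several
# addresses is a round robin alias, which the post says Nexpose does not yet
# support; an IP literal is not the dnsHostName either. The resolver is
# injectable for offline use; the default asks the system resolver.
def classify_server_name(name, resolver: ->(n) { Resolv.getaddresses(n) })
  begin
    IPAddr.new(name)
    return :ip_literal
  rescue ArgumentError
    # not an IP literal, fall through to DNS
  end
  addresses = resolver.call(name).uniq
  return :unresolvable if addresses.empty?
  addresses.size > 1 ? :round_robin : :single_host
end

# Opens a TLS session to the LDAPS / GC-SSL port and reports whether the
# certificate presented names the host and chains to a locally trusted CA.
# Verification is disabled for the handshake only, so the certificate can be
# inspected even when the issuing CA is unknown; the report says what failed.
def ldaps_certificate_report(host, port, timeout: 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = host # send SNI so a multi-name server picks the right cert
  ssl.connect
  cert = ssl.peer_cert
  store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  {
    subject: cert.subject.to_s,
    not_after: cert.not_after,
    name_matches: OpenSSL::SSL.verify_certificate_identity(cert, host),
    chain_trusted: store.verify(cert, ssl.peer_cert_chain)
  }
ensure
  ssl&.close
  sock&.close
end

# Usage: ruby ldap_precheck.rb dc1.example.test 3269   (placeholder host)
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  host, port = ARGV[0], ARGV[1].to_i
  puts "server name: #{classify_server_name(host)}"
  check_port_settings(port, ssl: true, global_catalog: port == 3269).each { |m| puts "config: #{m}" }
  p ldaps_certificate_report(host, port) if LDAP_PORTS.fetch(port, {})[:ssl]
end
```

A `:round_robin` result points at the dnsHostName advice in the post, and a report with `name_matches: false` explains the common case where the hostname is right but the domain controller's certificate was issued for a different name, which SSL-checked configurations will reject.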