This is a community project and while you will see contributions from the Deep Security team, there is no official Trend Micro support for this project. The official documentation for the Deep Security APIs is available from the Trend Micro Online Help Centre.
Tutorials, feature-specific help, and other information about Deep Security are available from the Deep Security Help Center.
For Deep Security specific issues, please use the regular Trend Micro support channels. For issues with the code in this repository, please open an issue here on GitHub.
This project shows how users can integrate Deep Security's intrusion prevention functionality into the vulnerability management flow with the Deep Security SOAP APIs. The scripts give the ability to:

- Make sure the deployment is successful:
  - Are Deep Security Agents installed?
  - Is the intrusion prevention module turned on?
  - Are rules assigned to computers?
- Obtain the Deep Security Recommendation Scan results.
- List Deep Security intrusion prevention rules corresponding to Common Vulnerabilities and Exposures (CVEs).
- Obtain additional Common Vulnerability Scoring System (CVSS) information, including severity, CVSS score, complete vector string, and so on.
- Integrate with third-party vulnerability scanners.

You can also modify the Python code to fit your own requirements.
All of the tasks in this repository assume you have a working Deep Security infrastructure. The key component is the Trend Micro Deep Security Manager.

You need to enable the SOAP API on your Deep Security Manager in advance: in Deep Security Manager, go to Administration > System Settings > Advanced and enable the Deep Security SOAP Web Service API.

The currently supported versions are Deep Security 10.0 Update 5, 11.0 Update 1, and any version from 11.2 onward.

In addition to the Deep Security infrastructure, the scripts need Python 3.x and pip.
- Install all dependencies:

  ```
  pip install -r requirements.txt
  ```

- Modify `config.ini` for the environment.
- Change the working directory to <src>.
- Generate the `.csv` and `.xlsx` files that show the results:

  ```
  python deployment_report.py
  python reco_scan_report.py
  python vulnerability_report.py
  python xlsx_report.py
  ```

- Check <results> for the results.
The diagram below shows how these scripts work.

- deployment_report.py, reco_scan_report.py, vulnerability_report.py: these scripts leverage ds_utils.py to generate Intrusion Prevention Deployment Report.csv, Intrusion Prevention Recommendation Scan Report.csv and Intrusion Prevention Vulnerability Report.csv.
- xlsx_report.py: this script transforms the .csv files to .xlsx format for readability.

The integration module gets additional CVSS information from NVD.

- nvd_downloader.py: this file is responsible for downloading the database with CVE details (zipped JSON files) from the NVD website.
- nvd_parser.py: this file is responsible for retrieving the essential fields from NVD.
Here we take Qualys scan results as an example. report_parser.py parses the scan results into JSON format.

The example below shows two potential vulnerabilities (CVE-2016-3115, CVE-2016-10009) identified on 10.0.0.1, and one vulnerability (CVE-2016-2183) identified on 10.0.0.2.
```json
{
  "10.0.0.1": {
    "vul_infos": [
      {
        "cve_id": "CVE-2016-3115",
        "third_party": {
          "title": "OpenSSH Xauth Command Injection Vulnerability",
          "qid": "38623",
          "category": "General remote services",
          "protocol": null,
          "port": null,
          "type": "PRACTICE"
        }
      },
      {
        "cve_id": "CVE-2016-10009",
        "third_party": {
          "title": "OpenSSH 7.4 Not Installed Multiple Vulnerabilities",
          "qid": "38692",
          "category": "General remote services",
          "protocol": null,
          "port": null,
          "type": "PRACTICE"
        }
      }
    ]
  },
  "10.0.0.2": {
    "vul_infos": [
      {
        "cve_id": "CVE-2016-2183",
        "third_party": {
          "title": "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)",
          "qid": "38657",
          "category": "General remote services",
          "protocol": "tcp",
          "port": "3389",
          "type": "VULN"
        }
      }
    ]
  }
}
```
If you want to integrate this project with other vulnerability scanners, you need to convert your scan results into this format, either by enhancing report_parser.py or by implementing your own parser.

The qid, category and type attributes are specific to handling Qualys' scan results. You can remove these attributes if you don't need them.
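As an added example of "implementing your own parser" (not the repository's report_parser.py), the script below converts a scan export into the report.json layout shown above, one vul_info per host and CVE. The XML it reads is a constructed export from a hypothetical scanner; the element names (<scan>, <host>, <finding>, <cve>) are assumptions, and a real scanner's schema would replace the extraction step only. It handles the cases a real export throws at you: a single finding that carries several CVEs, duplicate and differently cased CVE ids, and findings with no CVE at all, which cannot be mapped to intrusion prevention rules.

```python
"""Convert a third-party scan export into the report.json layout this
project consumes: {ip: {"vul_infos": [{"cve_id": ..., "third_party": {...}}]}}.

Added example; not the repository's report_parser.py. The XML schema below
is hypothetical: adapt extract_findings() to your scanner's real export.
"""
import json
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample export (hypothetical schema). It deliberately contains a
# finding with several CVEs, a lower-case duplicate id, and a finding with no
# CVE, to show how each case is handled.
SAMPLE_XML = """<?xml version="1.0"?>
<scan>
  <host ip="10.0.0.1">
    <finding title="OpenSSH Xauth Command Injection Vulnerability" type="PRACTICE">
      <cve>CVE-2016-3115</cve>
    </finding>
    <finding title="OpenSSH 7.4 Not Installed Multiple Vulnerabilities" type="PRACTICE">
      <cve>CVE-2016-10009</cve>
      <cve>CVE-2016-10010</cve>
      <cve> cve-2016-10009 </cve>
    </finding>
  </host>
  <host ip="10.0.0.2">
    <finding title="Sweet32" type="VULN" protocol="tcp" port="3389">
      <cve>CVE-2016-2183</cve>
    </finding>
    <finding title="SSH banner" type="INFO"/>
  </host>
</scan>
"""


def extract_findings(xml_text):
    """Yield (ip, title, protocol, port, type, [cve ids]) per finding.

    This is the scanner-specific step. Everything after it works on plain
    Python values and does not change when the scanner changes.
    """
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        for finding in host.findall("finding"):
            cves = [(c.text or "").strip().upper() for c in finding.findall("cve")]
            yield (host.get("ip"), finding.get("title"), finding.get("protocol"),
                   finding.get("port"), finding.get("type"), cves)


def build_report(xml_text):
    """Build the report.json structure, one vul_info per (host, CVE).

    Findings without a CVE id are skipped: intrusion prevention rules are
    matched by CVE, so such findings have nothing to map to. Duplicate CVEs on
    the same host are collapsed so a rule is not reported twice.
    """
    report = {}
    for ip, title, protocol, port, ftype, cves in extract_findings(xml_text):
        host = report.setdefault(ip, {"vul_infos": []})
        seen = {v["cve_id"] for v in host["vul_infos"]}
        for cve_id in cves:
            if not CVE_RE.match(cve_id) or cve_id in seen:
                continue
            seen.add(cve_id)
            host["vul_infos"].append({
                "cve_id": cve_id,
                # qid and category are Qualys-specific and omitted here.
                "third_party": {"title": title, "protocol": protocol,
                                "port": port, "type": ftype},
            })
    return report


def validate_report(report):
    """Return a list of problems; an empty list means the structure matches
    the layout above and every cve_id is well formed."""
    problems = []
    for ip, host in report.items():
        if not isinstance(host.get("vul_infos"), list):
            problems.append(f"{ip}: missing vul_infos list")
            continue
        for vul in host["vul_infos"]:
            if not CVE_RE.match(vul.get("cve_id", "")):
                problems.append(f"{ip}: bad cve_id {vul.get('cve_id')!r}")
            if "third_party" not in vul:
                problems.append(f"{ip}: {vul.get('cve_id')} has no third_party block")
    return problems


if __name__ == "__main__":
    rep = build_report(SAMPLE_XML)
    print(json.dumps(rep, indent=2))
    print("problems:", validate_report(rep))
```

Run validate_report() on the output of any parser you write before handing the JSON to the rest of the pipeline; a scanner id such as a Qualys QID landing in cve_id is the kind of mistake that otherwise only shows up as an empty rule list in the final report.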
```
\---root
    |---config.ini
    |
    +---src
    |   |---deployment_report.py
    |   |---reco_scan_report.py
    |   |---vulnerability_report.py
    |   |---xlsx_report.py
    |   |
    |   +---ds_utils
    |   |   |---ds_utils.py
    |   |   |---nvd_downloader.py
    |   |   |---nvd_parser.py
    |   |   |---report_parser.py
    |   |   |---deployment2xlsx.py
    |   |   |---reco_scan2xlsx.py
    |   |   |---vulnerability2xlsx.py
    |   |
    |   +---nvd*
    |   |
    |   +---tmp
    |   |   |---ips_rules.json
    |   |   |---nvd.json
    |   |   |---report.json
    |   |
    |   +---vulnerabilities
    |   |   |---report.xml
    |   |
    |   +---results*
```
Files and folders with a star ("*") suffix don't exist in the initial state. These files and folders are created automatically when executing this project.
- config.ini: The configuration file for the scripts
- <src>: The main working directory. All python scripts are located here.
- <ds_utils>: The utilities to generate reports.
- <nvd>: The folder contains the data feeds from NVD.
- <tmp>: The intermediate files are located here.
- <vulnerabilities>: Put your third-party scan report into this folder, saved as report.xml.
- <results>: The final results will be placed in this folder.
Copyright © 2018 Trend Micro Incorporated. All rights reserved.