Applicable to Entuity v22.0 GA upwards
Introduction:
From the CPE Mapping Rules tab under the Vulnerability Monitoring page, you can specify and manage Mapping Rules and groups that are used to automatically discover potential/candidate CPEs (so long as vulnerability monitoring is enabled).
CPE Mapping Rules map and/or transform the values of Entuity's polled device attributes into specified CPE attributes. These CPE attributes are then used to generate potential CPEs, and the results found in the local CPE Dictionary are then assigned to the relevant device(s) as Unresolved Candidate CPEs. Please see this article for help and information on resolving unresolved CPE candidates via the Device Management tab under the Vulnerability Monitoring page.
You can put CPE Mapping Rules into CPE Mapping Groups, which apply overriding filters to all rules within them. The rules belonging to a group are only used against a device if the parent group's conditions/filters are met. For example, if you wanted to apply rules to Cisco devices, you might create a group that accepts only devices whose manufacturer contains 'Cisco'.
The order of groups and rules in the table determines the order in which the rules are performed during a vulnerability monitoring scan.
This tab is applicable to both servers and configuration sets (see the Multi-server configuration section below).
The CPE Mapping Rules tab displays a table listing current system and user defined CPE Mapping Rules. The table displays the following information:
Column | Description |
---|---|
Name | Rule name. |
Type | Either System Rule or User Defined Rule. System Rules cannot be edited, but you can duplicate them and so edit the copy. You can also enable/disable them, and add/move between/delete from groups. |
Description | Description of the mapping action. |
Enabled | Whether the Mapping Rule is enabled. |
CPE Mapping Rule structure:
CPE Mapping Rules have the following structure:
- Name
- Conditions/filters:
  CPE Mapping Conditions are device filters that define which devices the rule's actions apply to. Conditions are not mandatory for a CPE Mapping Rule - if a rule does not have a condition, its actions will therefore be applied globally (to all devices on the network with vulnerability monitoring enabled), or to all devices that satisfy the parent Mapping Group's conditions.
- Actions:
  CPE Mapping Actions are used to generate potential value(s) for a single CPE attribute, as defined by the CPE v2.3 Naming Specification. This includes the following potential attributes: part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other. There are two types of action: Mapping actions and Transformation actions.
CPE Mapping Rule types:
There are two types of CPE Mapping Rule:
System rule:
These are CPE Mapping Rules included with Entuity by default. System rules cannot be edited, but you can enable/disable them, add them to/move them between/delete them from Mapping Groups, and duplicate them (the duplicates being considered 'user defined rules' and therefore may be edited). Please find below the four types of system rule:
- DEFAULT MODEL - enabled by default, a global rule that includes the following actions:
  - replace all instances of " " with "-" in the device's model attribute value, and map result to CPE model.
  - replace all instances of " " with "_" in the device's model attribute value, and map result to CPE model.
  - split device's model attribute value by " " and map new string(s) to CPE model.

  e.g., if your device has model = "Net-SNMP Agent 5.1", the actions will create the following permutations (respectively):
  - "*net-snmp-agent-5.1*"
  - "*net-snmp_agent_5.1*"
  - "*net-snmp*", "*agent*", "*5.1*"

  When checking against valid entries in the local CPE Dictionary, model = "*net-snmp*" from action #3 will be identified as a valid option.
- DEFAULT VENDOR - enabled by default, a global rule that includes the following actions:
  - replace all instances of " " with "-" in the device's manufacturer attribute value, and map result to CPE vendor.
  - replace all instances of " " with "_" in the device's manufacturer attribute value, and map result to CPE vendor.
  - split device's manufacturer attribute value by " " and map new string(s) to CPE vendor.

  e.g., if your device has manufacturer = "Dell Computer Corporation", the actions will create the following permutations (respectively):
  - "*dell-computer-corporation*"
  - "*dell_computer_corporation*"
  - "*dell*", "*computer*", "*corporation*"

  When checking against valid entries in the local CPE Dictionary, vendor = "dell" from action #3 will be identified as a valid option.
- DEFAULT VERSION - enabled by default, a global rule that includes the following actions:
  - replace all instances of " " with "-" and escape all brackets in the device's version attribute value, and map result to CPE version.
  - replace all instances of " " with "_" and escape all brackets in the device's version attribute value, and map result to CPE version.
  - replace all instances of " " with "." and escape all brackets in the device's version attribute value, and map result to CPE version.
  - split device's version attribute value by " " and escape all brackets, then map new string(s) to CPE version.
  - split device's version attribute value by "," and escape all brackets, then map new string(s) to CPE version.

  e.g., if your device has version = "12.1(14)EA1", the actions will create the following (valid) option for CPE version = "*12.1\(14\)EA1*"
- NULL VERSION - disabled by default, a global rule that includes the following action:
  - Assign "-" to CPE version.
User defined rule:
These are CPE Mapping Rules that you have added/edited. You can configure CPE Mapping Rules that more accurately, appropriately and extensively fit your network's needs. These therefore take priority over system rules during vulnerability monitoring scans (see the section below on changing the scan order of groups and rules).
To add a CPE Mapping Rule:
- Navigate to the CPE Mapping Rules tab of the Vulnerability Monitoring page. Click Add Rule at the top of the tab (or via the Overflow Menu or right-click Context Menu).
- The Add CPE Mapping Rule form will open on the right of the window.
Details
- Name - specify a name for the Mapping Rule. This must be unique.
Mapping Conditions
- Apply Filter - specify whether to apply a filter to the rule. If enabled, the Operator Type field will appear, from which you can choose either Logically ORed Filters or Logically ANDed Filters.
- Click Add Filter to open the Add New Filter form, wherein you can specify the filter via Filter Attribute and Filter Type.
Click Done to save your filter. You can add as many filters as you wish.
Mapping Actions
- Click Add Action to open the Add CPE Mapping Action form. From this form, you can add an Action Type of either Mapping or Transformation.
- Mapping:
  A mapping action will assign the entered value to the selected CPE attribute. Select an attribute from the CPE Attribute dropdown field, and specify a CPE Attribute Value. This should be a single value.
  - In the above example, the vendor will be assigned to 'cisco', populating a CPE e.g. 'cpe:2.3:*:cisco:*:*:*:*:*:*:*:*:*'.
- Transformation:
  Transformation actions will transform the value of a specified device attribute, and assign it to the selected CPE attribute. By default, transformation actions will trim whitespace, and transform the string to lower case before performing the specified transformations. Transformations are performed in order, and you may reorder them.
  - In the above example, the transformation action generates values for the version by transforming the 'devVersion' device attribute (this being the device's attribute).
  - Three additional transformations have been added via Add Transformation. Click this to open the Add CPE Mapping Transformation form, from which you can add three types of transformation:
    - Replace All - replaces all instances of the Replace Match string with the Replace With string.
      In this example, all instances of '(' will be replaced with '\(', e.g. a device attribute value '14.3(EA)1' will become '14.3\(EA)1'.
    - Capture Regex - captures/trims the device attribute value to only the first match of the regular expression.
      In this example, it will capture only the first 3 characters, e.g. if the device attribute value was '14.3(EA)1', it will become '14.'.
    - Split By - splits the device attribute value by the string defined in Split By.
      In this example, the value will be split by ','. e.g. if the device attribute value was 'hello, world', it will be split into two values: 'hello' and 'world'.
- Click Done to save your mapping.
Add to Group
- If you wish to add a rule to a group, click Select Group to open the Add to Group form. Select from the groups you have created. It is not necessary for a CPE Mapping Rule to belong to a group.
Once you have specified the parameters of your rule, click Done to save your changes, otherwise click Cancel. Once saved, the new CPE Mapping Rule will appear in the table under the CPE Mapping Rules tab.
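The system rules and the three transformation types described above can be traced with the following sketch. It is an added example, not Entuity's code: the function names, the `^.{3}` pattern, the dropping of non-matching values and the tiny sample dictionary are assumptions made for illustration, and the default trim/lower-case step is exposed as a flag because the page's per-transformation examples show values with their case preserved.

```python
import re

def replace_all(values, match, repl):
    """Replace All: swap every occurrence of `match` for `repl`."""
    return [v.replace(match, repl) for v in values]

def capture_regex(values, pattern):
    """Capture Regex: keep only the first match; non-matching values are dropped (assumption)."""
    found = (re.search(pattern, v) for v in values)
    return [m.group(0) for m in found if m]

def split_by(values, sep):
    """Split By: one input value may fan out into several candidates."""
    return [p.strip() for v in values for p in v.split(sep) if p.strip()]

def escape_brackets(values):
    """Backslash-escape ( and ), as the DEFAULT VERSION actions describe."""
    return [re.sub(r"([()])", r"\\\1", v) for v in values]

def run_action(device_value, steps, normalise=True):
    """Apply one transformation action: default trim + lower-case, then the steps in order."""
    values = [device_value.strip().lower() if normalise else device_value]
    for fn, *args in steps:
        values = fn(values, *args)
    return values

def candidates(device_value, actions, dictionary):
    """Run every action of a rule; return (all permutations, those found in the dictionary)."""
    perms = []
    for steps in actions:
        perms += [v for v in run_action(device_value, steps) if v not in perms]
    return perms, [v for v in perms if v in dictionary]

# The three actions listed on this page for DEFAULT MODEL and DEFAULT VENDOR.
DEFAULT_ACTIONS = [
    [(replace_all, " ", "-")],
    [(replace_all, " ", "_")],
    [(split_by, " ")],
]
# Constructed stand-in for the local CPE Dictionary (not real dictionary content).
SAMPLE_DICTIONARY = {"dell", "cisco", "net-snmp"}

if __name__ == "__main__":
    perms, valid = candidates("Dell Computer Corporation", DEFAULT_ACTIONS, SAMPLE_DICTIONARY)
    print("permutations:", perms)
    print("dictionary hits:", valid)
```

Only the third action yields a dictionary hit for multi-word values, which is why a rule that maps the vendor or product directly produces fewer unresolved candidates to review.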
To add a CPE Mapping Group:
- Navigate to the CPE Mapping Rules tab of the Vulnerability Monitoring page. Click Add Group at the top of the tab (or via the Overflow Menu or right-click Context Menu).
- The Create CPE Mapping Group form will open on the right of the page.
Details
- Name - specify a name for the group. This must be unique.
Entry Conditions
- Operator Type - specify either Logically ORed Filters or Logically ANDed Filters.
- Click Add Filter to open the Add New Filter form, from where you can specify the filter to be added by Filter Attribute (e.g. 'Manufacturer') and Filter Type (e.g. '=').
Once you have specified the parameters of your group, click Done to save your changes, otherwise click Cancel. Once saved, the group will appear in the table under the CPE Mapping Rules tab with a folder icon beside its name to differentiate it from the CPE Mapping Rules.
Once you have added CPE Mapping Rules to a group, they will be listed beneath the group in the table. In the below example, 'Test Rule 1' and 'Test Rule 2' are in the group 'Test Group', but 'Test Rule Without Group' is not in the group 'Test 2'.
To enable/disable a CPE Mapping Group:
CPE Mapping Groups are enabled by default. If a group
To manually enable/disable groups, select the group in the table and click Enable Group / Disable Group from the Overflow Menu or right-click Context Menu.
To edit/delete a CPE Mapping Group:
To edit or delete a group, select the group in the table and click Edit Group / Delete Group from the Overflow Menu or right-click Context Menu.
Edit Group: The Edit CPE Mapping form provides the same fields as the Create CPE Mapping form above. Through this form you can also change the group to which a rule belongs.
Delete Group: Deleting a group does not delete the child rules within it, but will automatically disable those child rules. When deleting a group, a deletion confirmation dialog will appear.
To add a CPE Mapping Rule to a group:
You can specify the group membership of a CPE Mapping Rule when creating it, or you can select the group from the table under the CPE Mapping Rules tab and click Add Rule to Group from the Overflow Menu or right-click Context Menu. This will open the Add CPE Mapping Rule to Group form, which is the same as the Create CPE Mapping form above but with the Select Group field automatically populated.
To change the group to which a CPE Mapping Rule belongs:
- From the table under the CPE Mapping Rules tab, select the CPE Mapping Rule that you wish to change and click Edit Rule via the Overflow Menu or right-click Context Menu.
- In the Select Group field, specify the new group to which you wish to move this rule.
- Click Done to save your change, otherwise click Cancel. The table will update to display the rule below its new parent group.
To change the scan order of groups and rules:
The order of groups and rules in the table determines the order in which the rules are performed during a vulnerability monitoring scan.
There are two order options:
- Top Level Order
- Sub Level Order
If a group is ordered above a rule that is not in a group, then the rules within that group will be executed before the rule that is not in a group, e.g. if an order is as follows:
- Separate Rule
- Group
  - Group Rule 1
  - Group Rule 2
  - Group Rule 3
- Another Separate Rule
Then the execution of CPE Mapping Rules will be as follows:
- Separate Rule
- Group Rule 1
- Group Rule 2
- Group Rule 3
- Another Separate Rule
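The ordering above, combined with group entry conditions, determines which rules a given device actually sees. The following sketch is an added example, not Entuity's code: the data layout, the `contains` filter name, the case-insensitive comparison and the skipping of disabled rules are assumptions made for illustration.

```python
def matches(device, cond):
    """True if the device passes a condition; a missing condition passes every device."""
    if not cond:
        return True
    tests = {"=": lambda have, want: have == want,
             "contains": lambda have, want: want in have}
    hits = [tests[ftype](device.get(attr, "").lower(), value.lower())
            for attr, ftype, value in cond["filters"]]
    # Logically ANDed Filters need every hit, Logically ORed Filters need one.
    return all(hits) if cond["operator"] == "AND" else any(hits)

def execution_order(table, device):
    """Walk the table top to bottom; a group expands to its rules only if its filter passes."""
    order = []
    for entry in table:
        if "rules" in entry:                      # entry is a group
            if not matches(device, entry.get("when")):
                continue                          # group filter overrules all child rules
            rules = entry["rules"]
        else:                                     # entry is a rule outside any group
            rules = [entry]
        order += [r["name"] for r in rules
                  if r.get("enabled", True) and matches(device, r.get("when"))]
    return order

# Constructed table mirroring the ordering example on this page.
TABLE = [
    {"name": "Separate Rule"},
    {"name": "Group",
     "when": {"operator": "AND", "filters": [("manufacturer", "contains", "Cisco")]},
     "rules": [
         {"name": "Group Rule 1"},
         {"name": "Group Rule 2",
          "when": {"operator": "OR", "filters": [("model", "contains", "catalyst"),
                                                 ("model", "contains", "nexus")]}},
         {"name": "Group Rule 3"},
     ]},
    {"name": "Another Separate Rule"},
]

if __name__ == "__main__":
    for dev in ({"manufacturer": "Cisco Systems", "model": "Catalyst 3750"},
                {"manufacturer": "Dell Computer Corporation", "model": "PowerEdge"}):
        print(dev["manufacturer"], "->", execution_order(TABLE, dev))
```

Running a representative device from each vendor through such a trace before reordering shows whether a broad rule placed early would generate candidates ahead of a more specific grouped rule.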
Top Level Order:
This changes the scan order of groups and of rules that are not in groups.
- From the CPE Mapping Rules tab, click Change Top Level Order at the top of the tab (or via the Overflow Menu or right-click Context Menu).
- This will open the Change Top Level Order form on the right of the page.
- Drag the groups/rules into your preferred order, and click Done in the top right, otherwise click Cancel. The vulnerability monitoring scan will execute in this new order.
Sub Level Order:
This changes the scan order of CPE Mapping Rules within a specified group.
- From the CPE Mapping Rules tab, select one or more CPE Mapping Rules that are in the same group, and click Change Sub Level Order at the top of the tab (or via the Overflow Menu or right-click Context Menu).
- The Change Sub Level Order form will open on the right.
- Drag the rules into your preferred order, and click Done in the top right, otherwise click Cancel. The vulnerability monitoring scan will execute within this group in this new order.
Multi-server configuration:
If you have a multi-server configuration, you can sync CPE Mapping Rules across multiple servers using configuration sets. Use the server/config set dropdown field in the top left to specify the server or configuration set to which you wish to apply the CPE Mapping Rules.
Please see this article for further help and information on managing server configuration sets.