Fetch CVE data and use them in your processes

Robert Ullrich, 22 Aug 2018 | Consulting, Cyber Security, Use cases

As you may have noticed, OTRS Group launched “STORM powered by OTRS” last year. OTRS has been used in IT security departments and companies for a long time, thanks to its well-documented code and a long background in the CERT area. One of the key strengths of STORM is its specialist consultants, who bring several years of military / IT security background.

One of the features of “STORM powered by OTRS” is the information floater, which was described here. The floater is sufficient for displaying information, but what happens when you have to work with this data in a (process) ticket?

In part 1 of this small blog article series, I will show you how to request additional information about a CVE from CIRCL. I’m calling this web service CIRCLCVEConnector.

I’m using “STORM powered by OTRS” with the OTRS Feature Add-On “OTRSTicketInvoker”.

In addition we need some dynamic fields in OTRS:

  • CVENumber – Text – used to specify the CVE number
  • WSCVEID – Text – the received CVE ID from CIRCL
  • WSCVESummary – TextArea – a short summary which is part of every CVE
  • WSCVEReferences – TextArea – references for the CVE
  • WSCVEVulnerableConfigurations – TextArea – vulnerable configurations for the CVE
  • WSCVSS – Text – the CVSS score of the CVE
  • WSCWE – Text – Common Weakness Enumeration of the CVE
  • WSCapec – Text – Common Attack Pattern Enumeration and Classification for the CVE
  • WSPacketStorm – TextArea – packetstormsecurity.com reference
  • WSRefmap – TextArea – some more references
  • WSPublished – Text – the date when the CVE was published
  • WSModified – Text – the last modification date of the CVE
  • WSAllCVEInformationReceived – Text – A trigger for a later use case ;-)

Configuring the CIRCLCVEConnector in STORM

As always we need a new web service in STORM. Call it “CIRCLCVEConnector”:

CIRCLCVEConnector General config

A new invoker is needed:

CIRCLCVEConnector Invoker config 1

As you can see I removed everything, except the dynamic field “CVENumber” from my outgoing request data, because I want to keep my payload small.

The next point is the XSLT mapping for our outgoing request and incoming response data:

Outgoing XSLT mapping:

CIRCLCVEConnector Outgoing XSLT

Incoming XSLT mapping:

CIRCLCVEConnector Incoming XSLT

Here’s the complete XSL stylesheet:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Incoming mapping for the CIRCLCVEConnector invoker: OTRS wraps the JSON
     response from /api/cve/:CVE in a RootElement, and this stylesheet turns
     the fields we are interested in into ticket dynamic fields. -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:date="http://exslt.org/dates-and-times"
extension-element-prefixes="date">
<xsl:output method="xml" encoding="utf-8" indent="yes"/>
<!-- Select each response field once; the variables are reused below. -->
<xsl:variable name="id" select="//RootElement/id"/>
<xsl:variable name="summary" select="//RootElement/summary"/>
<xsl:variable name="references" select="//references"/>
<xsl:variable name="vulnerable_configurations" select="//vulnerable_configuration"/>
<xsl:variable name="cvss" select="//cvss"/>
<xsl:variable name="cwe" select="//cwe"/>
<xsl:variable name="capec" select="//capec"/>
<xsl:variable name="packetstorm" select="//packetstorm"/>
<xsl:variable name="refmap" select="//refmap"/>
<xsl:variable name="published" select="//RootElement/Published"/>
<xsl:variable name="modified" select="//RootElement/Modified"/>

<xsl:template match="RootElement">
<xsl:copy>
<Ticket>
<DynamicField>
<Name>WSCVEID</Name>
<Value><xsl:value-of select="$id"/></Value>
</DynamicField>
<!-- Each optional field is only written when the response carries a value;
     list-valued fields are joined with a newline (&#xA;) into a TextArea. -->
<xsl:choose>
<xsl:when test="$summary = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCVESummary</Name>
<Value><xsl:value-of select="$summary"/></Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$references = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCVEReferences</Name>
<Value>
<xsl:for-each select="$references">
<xsl:value-of select="."/><xsl:text>&#xA;</xsl:text></xsl:for-each></Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$vulnerable_configurations = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCVEVulnerableConfigurations</Name>
<Value>
<xsl:for-each select="$vulnerable_configurations">
<xsl:value-of select="id"/><xsl:text>&#xA;</xsl:text>
</xsl:for-each>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$cvss = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCVSS</Name>
<Value>
<xsl:value-of select="$cvss"/>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$cwe = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCWE</Name>
<Value>
<xsl:value-of select="$cwe"/>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$capec = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSCapec</Name>
<Value>
<xsl:for-each select="$capec">
<xsl:value-of select="name"/><xsl:text>&#xA;</xsl:text>
</xsl:for-each>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<!-- Test the packetstorm variable here, not $capec, or the field is skipped
     whenever CAPEC data is missing. -->
<xsl:choose>
<xsl:when test="$packetstorm = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSPacketStorm</Name>
<Value>
<xsl:for-each select="$packetstorm">
Title: <xsl:value-of select="title"/>
Source: <xsl:value-of select="data_source"/>
ID: <xsl:value-of select="id"/>
Last seen: <xsl:value-of select="last_seen"/>
Published: <xsl:value-of select="published"/>
Reporter: <xsl:value-of select="reporter"/>
Source: <xsl:value-of select="source"/>
</xsl:for-each>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<!-- Iterate over the $refmap variable, matching the test above. -->
<xsl:choose>
<xsl:when test="$refmap = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSRefmap</Name>
<Value>
<xsl:for-each select="$refmap">
Title: <xsl:value-of select="title"/>
Source: <xsl:value-of select="data_source"/>
ID: <xsl:value-of select="id"/>
Last seen: <xsl:value-of select="last_seen"/>
Published: <xsl:value-of select="published"/>
Reporter: <xsl:value-of select="reporter"/>
Source: <xsl:value-of select="source"/>
</xsl:for-each>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$published = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSPublished</Name>
<Value>
<xsl:value-of select="$published"/>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<xsl:choose>
<xsl:when test="$modified = ''"></xsl:when>
<xsl:otherwise>
<DynamicField>
<Name>WSModified</Name>
<Value>
<xsl:value-of select="$modified"/>
</Value>
</DynamicField>
</xsl:otherwise>
</xsl:choose>
<!-- Always set: a trigger for the follow-up use case. -->
<DynamicField>
<Name>WSAllCVEInformationReceived</Name>
<Value>Yes</Value>
</DynamicField>
</Ticket>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>


We should define the dynamic fields “WSCVEID, WSCVESummary, WSCVEReferences, WSCVEVulnerableConfigurations, WSCVSS, WSCWE, WSCapec, WSPacketStorm, WSRefmap, WSPublished, WSModified, WSAllCVEInformationReceived” as ticket dynamic fields in the web service, so that the CIRCL CVE response can be stored in them. The last point for the invoker is the event trigger. I’m using the event “TicketDynamicFieldUpdate_CVENumber”, because it makes the most sense in my scenario:

CIRCLCVEConnector Invoker config 2

The next point is to configure the network transport. It’s an easy job:

CIRCLCVEConnector Transport

The endpoint is “https://cve.circl.lu”, the controller mapping is “/api/cve/:CVE” and the request method is “GET”. You’ll also find this information in the CIRCL API documentation at https://cve.circl.lu/api/.
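To show the same request-and-mapping logic outside OTRS, here is an added Python example (not from the post and not OTRS code) that mirrors the invoker: it checks that the CVE id is well formed before it is substituted into the “/api/cve/:CVE” path, and it maps a CIRCL-style JSON record onto the dynamic fields the incoming XSLT above fills (the PacketStorm and Refmap blocks are left out). The JSON keys, the fetch helper and the sample record are assumptions based on what the stylesheet selects; only the mapping runs offline.

```python
import json
import re
import urllib.request

CIRCL_API = "https://cve.circl.lu/api/cve/"  # endpoint + controller mapping from the post
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_cve_id(value):
    """Only a well-formed CVE id may be substituted into the /api/cve/:CVE path."""
    return bool(CVE_ID.match(value or ""))

def fetch_cve(cve_number, timeout=10):
    """GET the CIRCL record for one CVE (network call; assumed API, not exercised offline)."""
    if not is_cve_id(cve_number):
        raise ValueError("refusing to query with a malformed CVE id: %r" % cve_number)
    with urllib.request.urlopen(CIRCL_API + cve_number, timeout=timeout) as resp:
        return json.load(resp)

def _textarea(items, key=None):
    """Newline-joined TextArea value, like the XSLT for-each; accepts plain strings or objects."""
    return "\n".join(str(i.get(key, "") if isinstance(i, dict) else i) for i in items)

def map_to_dynamic_fields(cve):
    """Return [(dynamic field name, value)] like the incoming XSLT mapping; empty values are skipped."""
    candidates = [
        ("WSCVEID", cve.get("id", "")),
        ("WSCVESummary", cve.get("summary", "")),
        ("WSCVEReferences", _textarea(cve.get("references", []))),
        ("WSCVEVulnerableConfigurations", _textarea(cve.get("vulnerable_configuration", []), "id")),
        ("WSCVSS", cve.get("cvss", "")),
        ("WSCWE", cve.get("cwe", "")),
        ("WSCapec", _textarea(cve.get("capec", []), "name")),
        ("WSPublished", cve.get("Published", "")),
        ("WSModified", cve.get("Modified", "")),
    ]
    fields = [(name, str(value)) for name, value in candidates if value not in ("", None)]
    fields.append(("WSAllCVEInformationReceived", "Yes"))  # trigger for the follow-up use case
    return fields

SAMPLE = {  # constructed sample in the shape the post's XSLT reads; not a real CIRCL response
    "id": "CVE-0000-0000", "summary": "Constructed summary for the mapping example.",  # placeholder id
    "references": ["https://example.invalid/advisory", "https://example.invalid/patch"],
    "vulnerable_configuration": [{"id": "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"}],
    "cvss": 7.5, "cwe": "CWE-79", "capec": [],
    "Published": "2018-08-01T00:00:00", "Modified": "2018-08-10T00:00:00",
}
```

Calling map_to_dynamic_fields(SAMPLE) yields the same field list the ticket history shows after the invoker has run, with WSCapec absent because the sample has no CAPEC entries.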

Testing the CIRCLCVEConnector

Depending on the event trigger you configured for the invoker, enter a valid CVE number in the dynamic field “CVENumber”. You should now see something similar to this in the web service debug log:

CIRCLCVEConnector Debug

In the ticket history, we can now see that the response values are stored in the dynamic fields:

CIRCLCVEConnector History

More information about the CIRCL API

Please go to the following website, if you need more information: https://cve.circl.lu/api/.
