vulnmine
Vulnmine searches for vulnerable hosts using MS SCCM host / software inventory data with NIST NVD Vulnerability feed data.
Vulnmine
Vulnmine uses simple Machine Learning to mine Microsoft's SCCM host and software inventory data for vulnerable 3rd-party software.
NIST's NVD vulnerability feeds are pulled in on a daily basis to determine the latest vulnerabilities to search for.
Running Vulnmine
There is a public container with test data ready for use on Docker Hub: lorgor/vulnmine
To download and run the Vulnmine container:
```shell
docker run -it --rm lorgor/vulnmine bash
python vulnmine/__main__.py -a 'all'
```
Commandline Start Options
Here are the possible options when starting Vulnmine:
```text
vulnmine.py [-h] [--version] [-l Logging] [-a Action] [-y Years] [-w Workdir]
```

| Parameter | Use |
|---|---|
| -h, --help | Help information |
| -l, --loglevel | Set desired verbosity for logging: debug, info, warning, error, critical |
| -a, --action | Desired action to perform (see the list of actions below) |
| -y, --years | Number of years to download. There is one CVE feed file for each year's data. |
| -w, --workdir | Specifies the work directory |

Values accepted by `-a` / `--action`:

- rd_sccm_hosts: Read SCCM host data
- rd_sccm_sft: Read SCCM software data
- rd_cpe: Download / input NIST CPE Vendor-Product dictionary
- rd_cve: Download / input NIST CVE Vulnerability feed data
- match_vendors: Match vendors from SCCM "Add-Remove" registry data to NVD CPE data
- match_sft: Match software from SCCM "Add-Remove" registry data to NVD CPE data
- upd_hosts_vulns: Determine vulnerabilities for each host in SCCM
- output_stats: Output the results
- all: Run all the above in sequence
Production mode
If no parameters are specified, then Vulnmine runs in production mode:
- The main vulnmine.py starts and sets up an endless schedule loop.
- The loop fires once daily by default.
- Each day Vulnmine:
  - Reads the SCCM inventory data files (UTF-16 CSV format) in its CSV directory.
  - Downloads updated NVD feed files.
  - Processes the SCCM and NVD data.
  - Produces output JSON files into the same CSV directory.
Configuring Vulnmine
Vulnmine can be configured using .INI files. (This uses the standard Python ConfigParser library.)
The default .INI file is in vulnmine/vulnmine_data/vulnmine_defaults.ini.
Users can override default values. Vulnmine looks for the following file: data/vulnmine.ini.
Here is an example:
```ini
[User]
# Section must start with "[User]"
# Override Plugin default values
# ===================================
# Plugins will load from "data/my_plugins"
Plugins: data/my_plugins/
# Turn off plugin function completely
Activate_plugins: No
```
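To show how the override described above behaves, here is an added example (not Vulnmine's own code) that layers a user `[User]` section over a defaults file with the standard-library ConfigParser. The two key names come from the README example; the default values, the `load_config` and `plugin_settings` helpers, and the inline INI texts are constructed for illustration and are assumptions about how the project merges its files.

```python
# Added example, not part of Vulnmine: layering data/vulnmine.ini over the
# defaults file with configparser, so user keys win where both files set them.
import configparser

# Constructed stand-in for vulnmine/vulnmine_data/vulnmine_defaults.ini.
# The values here are assumptions; only the key names come from the README.
DEFAULTS_INI = """
[User]
Plugins: vulnmine/plugins/
Activate_plugins: Yes
"""

# Constructed stand-in for data/vulnmine.ini, using the README's example section.
USER_INI = """
[User]
# Section must start with "[User]"
# Plugins will load from "data/my_plugins"
Plugins: data/my_plugins/
# Turn off plugin function completely
Activate_plugins: No
"""


def load_config(defaults_text, user_text=None):
    """Read the defaults first, then the user file on top.

    A second read into the same parser overwrites any option that already
    exists in a section, which is exactly the 'user overrides defaults'
    behaviour the README describes. Option names are case-insensitive.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(defaults_text)
    if user_text is not None:
        cfg.read_string(user_text)
    return cfg


def plugin_settings(cfg):
    """Return the effective plugin settings from the [User] section.

    getboolean() accepts yes/no, on/off, true/false and 1/0, so the README's
    'Activate_plugins: No' becomes False; any other spelling raises ValueError,
    which is preferable to silently loading plugins from a path the user meant
    to disable.
    """
    section = cfg["User"]
    return {
        "plugins_dir": section.get("Plugins"),
        "activate": section.getboolean("Activate_plugins"),
    }


if __name__ == "__main__":
    print("defaults only :", plugin_settings(load_config(DEFAULTS_INI)))
    print("with user file:", plugin_settings(load_config(DEFAULTS_INI, USER_INI)))
```

Run stand-alone, the script prints the defaults first and then the values after the user file is applied, with `Plugins` and `Activate_plugins` both replaced by the user's settings.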
Where to get more information
Vulnmine is on Github: https://github.com/ubisoftinc/vulnmine
The docs directory has the full Vulnmine documentation.