
One of the biggest problems with deploying multiple security solutions is bringing them together in a meaningful way. By combining data between solutions we can deliver higher level context that allows us to make more informed decisions about actions we can take to reduce risk in the environment. Security data without action is essentially useless.

This article outlines a method of inserting Tripwire IP360 scores into Tripwire Enterprise (TE). The first question I’m usually asked when discussing this is ‘Why?’. Why would you want to get vulnerability scores into TE?

The answer is that it provides context to the asset that we’re monitoring. In my previous article here I referenced this around using context to provide a level of dynamic monitoring. The more context you can provide to an asset the better. This allows far more efficiency within the solution as well as slicing reports in a more useful manner.

This example integration takes the vulnerability score of an asset from Tripwire IP360 and converts it to ‘High’, ‘Medium’ or ‘Low’ and tags the equivalent asset within TE’s Asset View. Asset View has limitations on the number of tags that can be applied overall. The current limit is around 4000 but this can be raised or lowered with other settings.

However, I typically wouldn’t expect this to be a limit that anyone is going to approach any time soon. Given the (almost) infinite scores that IP360 can create, using them directly would be impossible and, probably, pointless.

The methods I used are not the only ones that can be performed, but I found this to be fairly easy to implement. You will need access to the following technology:

  • Tripwire Enterprise v8.3 – May work on older versions, but hasn’t been tested.
  • TECommander – Tripwire Enterprise SOAP CLI. Documentation is included in how to set this up. Please contact a Tripwire representative if you wish to have a copy.
  • Python 3.x – This will be our primary scripting language for integration
  • Text editor – For editing .py files

The method outlined here has 4 basic phases:

  1. Export list of IPs from Tripwire Enterprise
  2. Look up IPs found via IP360 API
  3. Tag assets in TE Asset View
  4. Automate the process

The implementation is simple and will all be run from a single Python script that will be run periodically. The majority of this article will cover off the key components of the Python script. So, let’s look at the various steps involved:

1. Obtaining our list of IP addresses from TE

The easiest method of doing this is to create a report in TE with a unique name and then use TECommander to export that report for use. You will need to set the following options on that report:

  • Create a new report of type ‘Device Inventory’ in a folder of choice. Ensure it has a unique name
  • On the ‘Criteria->General’ tab. Ensure that the ‘Display IP Addresses’ option is checked
  • On the ‘Nodes’ tab choose ‘Root Node Group->Smart Node Groups->System Tag Sets->Operating System’. We don’t want all the databases, directory servers in this instance as the vulnerability score will only be attached to the IP
  • Click ‘OK’ to save the report

Once this has been done then we can start our Python script and do all the fun work of actually extracting them. To allow us to make use of the command line we will need to use something like the below:

import subprocess
subprocess.run(<TECOMMANDER SYNTAX>)

The syntax for TECommander should be something like:

<path to tecommander.bin/sh> report -s <teserver> -u <username> -p <password> -F XML -T <Unique name of report created above> -o <outputfilename>

NOTE: There is a user name and password here. If you wish to obfuscate these then I would recommend creating global variables to store them both and pass them into your script. I’ll discuss how to do this later in the blog.

Now we need to read the contents of the file into memory and start parsing the data to create a simple list of IPs and OIDs (an OID is a unique identifier for an asset within Tripwire Enterprise.)

You can use any method of accessing the information from this XML file, but I’ve always failed to get the XML searching working to my satisfaction (I’m new to the python scripting scene) so I’ve just made use of regex to pull what I need out of the data. It may not be the most efficient, but I know it works.

Example code below (assuming file has been read into strtemp):

import re

strTemp = strTemp.replace("\n", "")  # Remove line breaks so we can regex stuff
strSections = re.findall(r'<ReportSection\s.*?/ReportSection>', strTemp)
lstTEAssets = []
for section in strSections[:-1]:  # Last section is summary data only
  strRegex = r'<OID>.*?</OID>'
  strOID = re.findall(strRegex, section)[0][5:-6]  # Strip the <OID> and </OID> tags
  strRegex = r'name="inUseIpAddress.*?</S'
  strIP = re.findall(strRegex, section)[0][22:-3]  # Strip the attribute prefix and the trailing '</S'
  lstAsset = [strOID, strIP]
  lstTEAssets.append(lstAsset)  # Collect [OID, IP] pairs for the IP360 lookup

This gives us an array containing the information we need from TE; IP address and OID (for use later)
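An alternative to the fixed-offset regex slices, as an added example that is not part of the original article: it parses the report with xml.etree.ElementTree and validates each value before it is reused in an IP360 query or a TECommander command line. The sample report is constructed; only ReportSection, OID and the name="inUseIpAddress" attribute come from the article, and the other element names and the OID character rule are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: only <ReportSection>, <OID> and name="inUseIpAddress"
# come from the article; every other element name here is an assumption.
SAMPLE_REPORT = """<Report>
  <ReportSection name="node-1">
    <OID>oid-0001</OID>
    <String name="inUseIpAddress">192.0.2.10</String>
  </ReportSection>
  <ReportSection name="node-2">
    <OID>oid-0002</OID>
    <String name="inUseIpAddress">not-an-ip</String>
  </ReportSection>
  <ReportSection name="summary">
    <Integer name="nodeCount">2</Integer>
  </ReportSection>
</Report>"""

# The OID is later written into a TECommander command line, so refuse
# whitespace and quote characters (a conservative assumption about OIDs).
SAFE_OID = re.compile(r"[^\s\"'`]+")


def parse_te_assets(xml_text):
    """Return ([[oid, ip], ...], [reasons for skipped sections])."""
    assets, skipped = [], []
    root = ET.fromstring(xml_text)
    for section in root.iter("ReportSection"):
        oid = section.findtext(".//OID")
        # Match on the attribute, not the tag, so the tag name is not assumed.
        ip = next((el.text for el in section.iter()
                   if el.get("name") == "inUseIpAddress"), None)
        if oid is None or ip is None:
            skipped.append("section without OID/IP")  # e.g. the summary section
            continue
        oid, ip = oid.strip(), ip.strip()
        try:
            ip = str(ipaddress.ip_address(ip))  # canonical form or ValueError
        except ValueError:
            skipped.append("bad IP for %s" % oid)
            continue
        if not SAFE_OID.fullmatch(oid):
            skipped.append("unsafe OID")
            continue
        assets.append([oid, ip])
    return assets, skipped
```

Because the IP is later interpolated into the IP360 search string and the OID into a command line, rejecting malformed values here keeps a corrupted report from producing a malformed query or command.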

2. Access IP360 API to get vulnerability score and create tagging file

Firstly, create a couple of helper functions that we’ll make use of later (credit: Andrew Bowman @ Tripwire)

def get_object_info(vne, session_cookie, object_id):
  """retrieves info for an object instance given a reference to the object"""
  # vne.call(session, object, method, params) is assumed to be the IP360 XML-RPC entry point
  result = vne.call(session_cookie, object_id, 'getAttributes', {})
  return result

def get_object_by_attr(vne, session_cookie, object_type, attr, val):
  """search based on the object_type, attribute and value. Treats ID values as numeric and other values as strings"""
  if attr == 'id':
    query_string = "%s = %s" % (attr, val)
  else:
    query_string = "%s = '%s'" % (attr, val)
  results = vne.call(session_cookie, object_type, 'search', {'query' : query_string})
  return results

Now we need to actually connect to the API appropriately. We’ll make use of the xmlrpc class to do this:

import xmlrpc.client
vne = xmlrpc.client.ServerProxy(vne_url)
session_cookie = vne.login(api_version, 0, vne_user, vne_pass)

Again, there is a username and password in here. I’d recommend that you only pass that as a variable through a global variable in TE to make sure that no passwords are stored in plain text.

Now we need to do the following:

  1. Find the latest vulnerability score for the asset in question
  2. Assess that score and assign a High, Medium or Low ranking to it
  3. Create a tagging string for that asset for use later

In the example below, I’m using Global Variables sent from TE to define my High, Medium and Low thresholds. You can see them as intMedium and intHigh. This is so that when all this is put together I only ever need to make changes within TE rather than alter the script.

I’m also creating an untag/tag command for each asset as well. I don’t want any asset to have multiple tags with regard to vulnerability. It can only be High, Medium OR Low.

strOutput = ""
for asset in lstTEAssets:
  strIP = asset[1]
  strOID = asset[0]
  print("Checking IP360 for vulnerability information on %s" % strIP)
  host = get_object_by_attr(vne,session_cookie,'class.Host','ipAddress',strIP)
  if len(host) == 0:
    # Not known to IP360: remove any existing vulnerability tag
    print(" Didn't find %s in IP360" % strIP)
    strOutput = strOutput + 'avuntagasset -s localhost -u ' + strUserName + ' -p ' + strPassword + ' -q -n ' + strOID + r' -S "IP360 Vulnerability Status"' + '\n'
  else:
    print(" Found %s instance(s) of %s in IP360" % (len(host),strIP))
    print(" Latest scan was at hostID: %s" % host[len(host)-1])
    hostInfo = get_object_info(vne,session_cookie,host[len(host)-1])
    print(" Vulnerability score at that point was: %s" % hostInfo['hostScore'])
    intScore = int(hostInfo['hostScore'])
    if intScore < intMedium:
      print(" %s has a Low vulnerability risk (%s)" % (strIP,intScore))
      strRisk = 'Low'
    elif intScore >= intMedium and intScore < intHigh:
      print(" %s has a Medium vulnerability risk (%s)" % (strIP,intScore))
      strRisk = 'Medium'
    else:
      print(" %s has a High vulnerability risk (%s)" % (strIP,intScore))
      strRisk = 'High'
    strOutput = strOutput + 'avtagasset -s localhost -u ' + strUserName + ' -p ' + strPassword + ' -q -Y -n ' + strOID + r' -S "IP360 Vulnerability Status" -T ' + strRisk + '\n'
# Write the generated TECommander commands to the output file
with open(strOutputFile,'w') as fileOutput:
  fileOutput.write(strOutput)

NOTE: I am making use of class.Host above, not PersistentHost. There are many reasons behind this, but the principal one is that it is easier to process. The last scan result will hold the information I am interested in and it doesn’t really matter whether this has been through DHT or not. I’m also aware that TE tends to hold only the critical assets of the network so they do tend to be statically IP’d.

I’m also creating an output file (strOutputFile) and dumping the strOutput content into it. This is a list of tecommander commands that I can use in the next step to actually tag the asset in TE.
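The generated command file contains the TECommander password on every line, so it should not be left world-readable. The following is an added example, not code from the original article: it reproduces the threshold logic and command strings shown above, rejects inverted thresholds, and creates the file with owner-only permissions. The function names and the use of None for "not found in IP360" are assumptions of this example.

```python
import os
import stat

TAG_SET = "IP360 Vulnerability Status"  # tag set name used in the article


def classify(score, medium, high):
    """Low below `medium`, Medium from `medium` up to (not including) `high`, else High."""
    if medium >= high:
        raise ValueError("medium threshold must be below high threshold")
    if score < medium:
        return "Low"
    return "Medium" if score < high else "High"


def build_commands(scored_assets, user, password, medium, high):
    """scored_assets: [(oid, score or None)]; None means IP360 had no host record."""
    lines = []
    for oid, score in scored_assets:
        base = "-s localhost -u %s -p %s -q" % (user, password)
        if score is None:
            # Unknown to IP360: clear any stale vulnerability tag
            lines.append('avuntagasset %s -n %s -S "%s"' % (base, oid, TAG_SET))
        else:
            # -Y and -T as in the article's avtagasset command
            lines.append('avtagasset %s -Y -n %s -S "%s" -T %s'
                         % (base, oid, TAG_SET, classify(score, medium, high)))
    return "\n".join(lines) + "\n"


def write_private(path, text):
    """Create `path` with mode 0600; fail instead of reusing an existing file."""
    # O_EXCL stops the script writing credentials into a file someone else pre-created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)
```

Delete the file as soon as TECommander has processed it; the mode bits are enforced on POSIX systems and largely ignored on Windows, where an ACL on the containing directory does the same job.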

3. Tag assets in TE Asset View

Now the easy bit! Just call tecommander with the filename above (strOutputFile)

<path to tecommander.bin/sh> + ' @' + strOutputFile

4. Automate the process

To automate this process is fairly simple, but I would recommend that you think about the Global Variables in TE that you would like to send through to the script. In my instance I sent the following:

  • Path to tecommander
  • Medium Threshold of IP360 vulnerability score
  • High Threshold of IP360 vulnerability score
  • Tecommander username
  • Tecommander password
  • IP360 API URL
  • IP360 API username
  • IP360 API password

Then create a ‘Command Output Capture Rule’ (COCR) that contains the following as a command:

python "$(TECom_Path)" $(IP360_Medium) $(IP360_High) $(TECom_User) $(TECom_Pass) $(IP360_API_URL) $(IP360_API_User) $(IP360_API_Pass)
  • NOTE: Python needs to be in the standard executable path and any arguments sent that contain spaces should be quoted
  • NOTE2: Ensure you’re using password type variables in TE to ensure that nothing is kept in clear text

Last stage is to create a Baseline Task in TE to run every day (or at a frequency to taste). This Baseline Task should point at the COCR created above.

And you’re done!

Any questions, please don’t hesitate to ask in the comments.

