Vulnmine uses simple Machine Learning to mine Microsoft's SCCM host and software inventory data for vulnerable 3rd-party software.
NIST's NVD vulnerability feeds are pulled in on a daily basis to determine the latest vulnerabilities to search for.
There is a public container with test data ready for use on Docker Hub: lorgor/vulnmine
To download and run the Vulnmine container:
docker run -it --rm lorgor/vulnmine bash
python vulnmine/__main__.py -a 'all'
Here are the possible options when starting Vulnmine:
vulnmine.py [-h] [--version] [-l Logging] [-a Action] [-y Years] [-w Workdir]
Parameter | Use |
---|---|
-h | Help information |
-help | |
-l | Set desired verbosity for logging: |
--loglevel | debug info warning error critical |
-a | Desired action to perform: |
--action | rd_sccm_hosts: Read SCCM host data |
rd_sccm_sft: Read SCCM software data | |
rd_cpe: Download / input NIST CPE Vendor-Product dictionary | |
rd_cve: Download / input NIST CVE Vulnerability feed data | |
match_vendors: | |
Match vendors from SCCM "Add-Remove" registry data to NVD CPE data | |
match_sft: | |
Match software from SCCM "Add-Remove"registry data to NVD CPE data | |
upd_hosts_vulns: Determine vulnerabilities for each host in SCCM | |
output_stats: Output the results | |
all: Run all the above in sequence | |
-y | Number of years to download. There is one CVE feed file for each year's data. |
--years | |
-w | Specifies work directory |
--workdir |
If no parameters are specified, then Vulnmine runs in production mode:
- The main vulnmine.py starts and sets up an endless schedule loop.
- The loop fires once daily by default.
- Each day Vulnmine:
- Reads the SCCM inventory data files (UTF16 csv format) in the its CSV directory.
- Downloads updated NVD feed files.
- Processes the SCCM and NVD data.
- Produces output JSON files into the same csv directory.
Vulnmine can be configured using .INI files. (This uses the standard python ConfigParser library.)
The default .INI file is in vulnmine/vulnmine_data/vulnmine_defaults.ini.
Users can override default values. Vulnmine looks for the following file: data/vulnmine.ini.
Here is an example:
[User]
# Section must start with "[User]"
# Override Plugin default values
# ===================================
# Plugins will load from "data/my_plugins"
Plugins: data/my_plugins/
# Turn off plugin function completely
Activate_plugins: No
Vulnmine is on Github: https://github.com/ubisoftinc/vulnmine
The docs directory has the full Vulnmine documentation.