Easily add custom vulnerabilities (QIDs) using Qualys Remote Detection Interface (QRDI) and execute them by launching Vulnerability Management (VM) scans via the Qualys Cloud Platform UI and API.
Download our user guide to help you get started
Save time when creating QRDI vulnerabilities by creating a LUA Library with common functions that you'll use across multiple QRDI vulnerabilities. This way you can refer to the library file from each QRDI vulnerability instead of writing the same function over and over again.
Each subscription can have only one LUA Library. Go to KnowledgeBase > New > QRDI > QRDI LUA Library. Upload a .lua or .txt file. Set the library status to Published to start using it.
Go to VM/VMDR > KnowledgeBase > New > QRDI > QRDI Vulnerability.
For each QRDI vulnerability you'll provide:
- vulnerability settings similar to those of a Qualys-provided vulnerability (i.e. QID, title, severity, threat, impact, solution, mappings)
- QRDI definition, in valid JSON format, that describes the logic of the vulnerability detection. Simple HTTP and TCP requests are supported. Note that we do not follow HTTP redirects.
- Lua function library shared by all QRDI detections. This allows customers to write Lua functions which can be referenced by JSON documents to implement certain parts of a detection, e.g. to calculate buffer content to be sent, or to implement custom parsing rules.
1) Add QRDI vulnerabilities in Debug mode (add debug_level with a logging level of 100, 200, 300 or 400 to the top-level JSON object).
2) Launch scans on QRDI vulnerabilities (Debug mode enabled).
3) Review scan results and confirm your vulnerability detections are performing as expected.
4) Edit QRDI vulnerabilities and disable Debug mode.
5) Launch scans on QRDI vulnerabilities (Debug mode disabled).
- The output of a QRDI vulnerability detection is similar to that of any Qualys-provided vulnerability detection, i.e. QID instances appear in scan reports, API output, asset information etc. in the same way.
- When a debugging level is set for a QRDI QID, the detected Vulnerability/Information Gathered in the Scan Results is not processed and is not added to host history/trend info. The detection Result and Debug data will appear in the Scan Results report and the Scan-based Scan report, but will not be present in the Host-based Scan Report. Further, any ticketing rules for a QRDI QID (if they exist) are not triggered when the QRDI has debugging enabled.
The vendor reference ID is the ID released by the vendor for the vulnerability. Add the vendor's reference ID and the URL of the vendor's website.
[{"reference":"Vendor reference ID","url":"Link to the vendor's website"}]
For example,
[{"reference":"Vendor1","url":"http://www.qualys.com"}]
You can add a maximum of 20,000 QRDI vulnerabilities to your subscription.
You'll assign a QID within the range 410001-430000. When creating a new QRDI vulnerability, you'll notice that the QID field is pre-populated with the next available QID. You can keep this or modify it as long as the new QID is within the allowed range and not already in use.
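A pre-publish check for the rules stated above (QID range, valid JSON definition, debug_level values, vendor reference format), as an added example that is not Qualys code. The function name check_qrdi and the finding format are assumptions, and every definition key other than debug_level is treated as opaque.

```python
import json

QID_MIN, QID_MAX = 410001, 430000    # QRDI QID range given on this page
DEBUG_LEVELS = {100, 200, 300, 400}  # debug_level values given on this page


def check_qrdi(qid, definition_text, vendor_refs_text="[]"):
    """Return (severity, message) findings for one QRDI vulnerability."""
    findings = []
    if not QID_MIN <= qid <= QID_MAX:
        findings.append(("error", f"QID {qid} is outside {QID_MIN}-{QID_MAX}"))

    try:
        definition = json.loads(definition_text)
    except json.JSONDecodeError as exc:
        definition = None
        findings.append(("error", f"definition is not valid JSON: {exc.msg}"))
    else:
        if not isinstance(definition, dict):
            definition = None
            findings.append(("error", "definition top level must be a JSON object"))
    if definition is not None and "debug_level" in definition:
        level = definition["debug_level"]
        # Assumption: the level is written as a JSON integer.
        if not isinstance(level, int) or level not in DEBUG_LEVELS:
            findings.append(("error", f"debug_level {level!r} is not 100, 200, 300 or 400"))
        findings.append(("warning", "debug mode on: detections are not added to host "
                         "history and ticketing rules do not fire; remove debug_level "
                         "before production scans"))

    try:
        refs = json.loads(vendor_refs_text)
    except json.JSONDecodeError:
        refs = None
    if not isinstance(refs, list):
        findings.append(("error", "vendor reference must be a JSON array"))
        refs = []
    for i, ref in enumerate(refs):
        if not (isinstance(ref, dict) and all(
                isinstance(ref.get(k), str) and ref[k] for k in ("reference", "url"))):
            findings.append(("error", f"vendor reference #{i} needs 'reference' and 'url'"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a definition still in Debug mode (other keys omitted).
    sample = '{"debug_level": 300}'
    refs = '[{"reference":"Vendor1","url":"http://www.qualys.com"}]'
    for severity, message in check_qrdi(410001, sample, refs):
        print(f"{severity}: {message}")
```

Running it over every definition before step 5 of the workflow catches a debug_level left in place, which would otherwise keep detections out of host history and stop ticketing rules from firing.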
Sure, you can edit most settings once defined, including the QRDI definition (i.e. JSON document). These settings can't be changed: the QID, the category QRDI, and the vulnerability type if it's Information Gathered.
No, it's not possible to remove/delete the QID for QRDI vulnerabilities once it's added to your subscription. We recommend you disable the vulnerability if you do not want it executed during scans.
Yes, you can enable/disable a QRDI vulnerability just like a Qualys provided vulnerability by editing the vulnerability settings.
Good to Know - When a vulnerability is disabled and it is included in the scan settings (i.e. option profile), it will be scanned like any other vulnerability and it will appear grayed out in scan results and reports.