Adding Custom Vulnerability Checks with QRDI

Easily add custom vulnerabilities (QIDs) using Qualys Remote Detection Interface (QRDI) and execute them by launching Vulnerability Management (VM) scans via the Qualys Cloud Platform UI and API.

 

Download our user guide to help you get started

Custom Vulnerability Checks with QRDI (PDF)

 

How to add a QRDI LUA Library

Save time when creating QRDI vulnerabilities by building a Lua library of common functions that you'll use across multiple QRDI vulnerabilities. Each QRDI vulnerability can then refer to the library file instead of repeating the same function.

Each subscription can have only one LUA Library. Go to KnowledgeBase > New > QRDI > QRDI LUA Library. Upload a .lua or .txt file. Set the library status to Published to start using it.

How to add a QRDI Vulnerability

Go to VM/VMDR > KnowledgeBase > New > QRDI > QRDI Vulnerability.

For each QRDI vulnerability you'll provide:

- vulnerability settings similar to those of a Qualys-provided vulnerability (i.e. QID, title, severity, threat, impact, solution, mappings)

- QRDI definition, in valid JSON format, that describes the logic of the vulnerability detection. Simple HTTP and TCP requests are supported. Note that we do not follow HTTP redirects.

- Lua function library shared by all QRDI detections. This allows customers to write Lua functions which can be referenced by JSON documents to implement certain parts of a detection, e.g. to calculate buffer content to be sent, or to implement custom parsing rules.

Recommended scan workflow

1) Add QRDI vulnerabilities in Debug mode (add debug_level, with a logging level of 100, 200, 300 or 400, to the top-level JSON object).

2) Launch scans on QRDI vulnerabilities (Debug mode enabled).

3) Review scan results and confirm your vulnerability detections are performing as expected.

4) Edit QRDI vulnerabilities and disable Debug mode.

5) Launch scans on QRDI vulnerabilities (Debug mode disabled).

QRDI detection results

- The output of a QRDI vulnerability detection is similar to any Qualys provided vulnerability detection, i.e. QID instances appear in scan reports, API output, asset information etc. in the same way.

- When a debugging level is set for a QRDI QID, the detected Vulnerability/Information Gathered in the Scan Results is not processed and is not added to host history/trend info. The detection Result and Debug data will appear in the Scan Results report and Scan-based Scan report, but will not be present in the Host-based Scan Report. Further, any ticketing rules for a QRDI QID (if they exist) are not triggered while the QRDI has debugging enabled.
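
A pre-upload check for the workflow above, as an added example that is not Qualys code: it confirms a QRDI definition parses as JSON, that debug_level is one of the listed levels and sits on the top-level object, that the QID is in the 410001-430000 range given on this page, and it flags definitions still in Debug mode before production scans. The function names, the sample documents and the placeholder_logic key are constructed for illustration.

```python
import json

ALLOWED_DEBUG_LEVELS = {"100", "200", "300", "400"}  # logging levels listed on this page
QID_MIN, QID_MAX = 410001, 430000                    # QID range for QRDI vulnerabilities


def nested_debug_paths(node, path="$"):
    """Yield JSON paths of any debug_level key that sits below the top-level object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "debug_level" and path != "$":
                yield f"{path}.{key}"
            yield from nested_debug_paths(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from nested_debug_paths(item, f"{path}[{i}]")


def lint_qrdi(qid, definition_text, production=True):
    """Return findings for one QRDI vulnerability; an empty list means it is clean."""
    findings = []
    if not QID_MIN <= qid <= QID_MAX:
        findings.append(f"QID {qid} is outside {QID_MIN}-{QID_MAX}")
    try:
        doc = json.loads(definition_text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return findings + ["top level must be a JSON object"]
    if "debug_level" in doc:
        # The page does not say whether the level is a number or a string; accept both.
        if str(doc["debug_level"]) not in ALLOWED_DEBUG_LEVELS:
            findings.append(f"debug_level {doc['debug_level']!r} is not 100, 200, 300 or 400")
        elif production:
            findings.append("debug mode on: no host history, trend info or ticketing")
    findings += [f"debug_level below top level at {p}" for p in nested_debug_paths(doc)]
    return findings


# Constructed samples. "placeholder_logic" stands in for the detection logic,
# whose schema this page does not show.
SAMPLES = {
    410001: '{"debug_level": 300, "placeholder_logic": []}',
    410002: '{"placeholder_logic": [{"debug_level": 100}]}',
    400500: '{"placeholder_logic": []',
}

if __name__ == "__main__":
    for qid, text in SAMPLES.items():
        print(qid, lint_qrdi(qid, text) or "clean")
```

Call lint_qrdi with production=False during steps 1 to 3 of the workflow, when debug_level is expected to be present.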

Common questions

What is the format for adding vendor reference ID in the Additional Mapping section?

The vendor reference ID is the ID the vendor released for the vulnerability. Add the vendor's reference ID and the URL of the vendor's website.

[{"reference":"Vendor reference ID","url":"Link to the vendor's website"}]

For example,

[{"reference":"Vendor1","url":"http://www.qualys.com"}]

How many QRDI vulnerabilities can I add?

You can add a maximum of 20,000 QRDI vulnerabilities to your subscription.

Assigning QIDs to QRDI vulnerabilities

You'll assign a QID within the range 410001-430000. When creating a new QRDI vulnerability, you'll notice that the QID field is pre-populated with the next available QID. You can keep this or modify it as long as the new QID is within the allowed range and not already in use.

Can I edit a QRDI vulnerability?

Yes, you can edit most settings once defined, including the QRDI definition (i.e. JSON document). These settings can't be changed: the QID, the category QRDI, and the vulnerability type if it's Information Gathered.

Can I remove a QRDI vulnerability?

No, it's not possible to remove/delete the QID for a QRDI vulnerability once it's added to your subscription. We recommend you disable the vulnerability if you do not want scans to execute it.

Is there support to enable/disable QRDI vulnerabilities?

Yes, you can enable/disable a QRDI vulnerability just like a Qualys provided vulnerability by editing the vulnerability settings.

Good to Know - When a vulnerability is disabled and it is included in the scan settings (i.e. option profile), it will be scanned like any other vulnerability and it will appear grayed out in scan results and reports.