FortiSIEM Configuring Network Intrusion Protection Systems (IPS)

Configuring Network Intrusion Protection Systems (IPS)

AccelOps supports these intrusion protection systems for discovery and monitoring.

AirTight Networks SpectraGuard

Cisco FireSIGHT

Cisco Intrusion Protection System Configuration

Cylance Protect Endpoint Protection

Cyphort Cortex Endpoint Protection

FireEye Malware Protection System (MPS)

FortiDDoS

Fortinet FortiSandbox Configuration

IBM Internet Security Series Proventia Configuration

Juniper DDoS Secure Configuration

Juniper Networks IDP Series Configuration

McAfee IntruShield Configuration

McAfee Stonesoft IPS

Motorola AirDefense Configuration

Snort Intrusion Protection System Configuration

Sourcefire 3D and Defense Center Configuration

TippingPoint Intrusion Protection System Configuration

AirTight Networks SpectraGuard


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | | |

Event Types

In CMDB > Event Types, search for “airtight” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2

Cisco FireSIGHT

This section describes how AccelOps collects logs from Cisco FireSIGHT console.


What is Discovered and Monitored

| Protocol | Information Discovered | Logs Collected | Used For |
|---|---|---|---|
| eStreamer API | | Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events | Security Monitoring |

Event Types

Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

Malware events:  PH_DEV_MON_FIREAMP_MALWARE

[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[fileName]=CplLnk.exe,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,[phLogDetail]=

File events: PH_DEV_MON_FIREAMP_FILE

[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[fileName]=Locksky.exe,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[infoURL]=http://wrl/wrl/Locksky.exe,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=

Discovery events:

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

[PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=

PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:

  1. Top Cisco FireAMP Malware Events
  2. Top Cisco FireAMP File Analysis Events
  3. Top Cisco FireAMP Vulnerable Intrusion Events
  4. Top Cisco FireAMP Discovered Login Events
  5. Top Cisco FireAMP Discovered Network Protocol
  6. Top Cisco FireAMP Discovered Client App
  7. Top Cisco FireAMP Discovered OS

Configuration

AccelOps obtains events from Cisco FireSIGHT via eStreamer protocol.

Cisco FireSIGHT Configuration

  1. Log on to the Cisco FireSIGHT console
  2. Go to System > Local > Registration > eStreamer
  3. Click Create Client
    1. Enter IP address and password for AccelOps
    2. Click Save
  4. Select the types of events that should be forwarded to AccelOps
  5. Click Download Certificate and save the certificate to a local file

AccelOps Configuration

  1. Go to Admin > Setup > Credentials
  2. Create a credential
    1. Set Device Type to Cisco FireAMP
    2. Set Access Method to eStreamer
    3. Enter the Password as in Step 3a above
    4. Click Certificate File > Upload and enter the certificate downloaded in Step 5
    5. Click Save
  3. Create an IP range to Credential Association
    1. Enter IP address of the FireSIGHT Console
    2. Enter the credential created in Step 2 above
  4. Click Test Connectivity. AccelOps will start collecting events from the FireSIGHT console.

Cisco Intrusion Protection System Configuration

What is Discovered and Monitored


| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| SNMP | | | Performance and Availability Monitoring |
| SDEE | | Alerts | Security Monitoring |

Event Types

In CMDB > Event Types, search for “cisco ips” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco ips” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “cisco ips” in the Name column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to the device manager for your Cisco IPS.
  2. Go to Configuration > Allowed Hosts/Networks.
  3. Click Add.
  4. Enter the IP address of your AccelOps virtual appliance to add it to the access control list, and then click OK.
  5. Go to Configuration > Sensor Management > SNMP > General Configuration.
  6. For Read-Only Community String, enter public.
  7. For Sensor Contact and Sensor Location, enter Unknown.
  8. For Sensor Agent Port, enter 161.
  9. For Sensor Agent Protocol, select udp.

If you need to create an SDEE account for AccelOps to use, go to Configuration > Users and Add a new administrator.

Sample XML-Formatted Alert

      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
    <victim>
      <addr locality="OUT">171.66.255.87</addr>
      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
    <victim>
      <addr locality="OUT">171.66.255.86</addr>
      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
    <victim>
      <addr locality="OUT">171.66.255.84</addr>
      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
    <victim>
      <addr locality="OUT">171.66.255.85</addr>
      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
    <victim>
      <addr locality="OUT">171.66.255.82</addr>
      <os idSource="unknown" type="unknown" relevance="relevant"></os>
    </victim>
  </attack>
</participants>

Cylance Protect Endpoint Protection


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | End point malware alerts | Security Monitoring |

Event Types

In CMDB > Event Types, search for “cylance” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Cyphort Cortex Endpoint Protection


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | End point malware alerts | Security Monitoring |

Event Types

In CMDB > Event Types, search for “cyphort” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

FireEye Malware Protection System (MPS)


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | | |

Event Types

In CMDB > Event Types, search for “fireeye mps” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640

FortiDDoS


What is Discovered and Monitored

| Protocol | Information Discovered | Information Collected | Used For |
|---|---|---|---|
| Syslog | Host Name, Access IP, Vendor/Model | Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly and DoS Attacks | Security Monitoring |

Event Types

In CMDB > Event Types, search for “FortiDDoS” to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under Rules > Security > Exploits.

Reports

There are many reports for this device under Reports > Function > Security.

Configuration

Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device’s product documentation.

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice

Fortinet FortiSandbox Configuration


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| SNMP | Host Name, OS, version, Hardware | CPU, Memory, Disk, Interface utilization | Performance Monitoring |
| Syslog | | Malware found/cleaned, Botnet, Malware URL, System Events | Log Management, Security Compliance, SIEM |
| HTTP(S) | | Threat feed: Malware URL, Malware Hash | Log Management, Security Compliance, SIEM |

Event Types

In CMDB > Event Types, search for “fortisandbox-” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortisandbox-” to see the rules associated with this device.

The basic availability rules in CMDB > Rules > Availability > Network and the performance rules in CMDB > Rules > Performance > Network also trigger for this device.

Reports

In CMDB > Reports, search for “fortisandbox-” to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog format is the same as that shown in the example.

Example Syslog

Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success reason=none letype=9 msg="Malware package: urlrel version 2.88897 successfully released, total 1000"

<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg="Remote log server was successfully added"
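The FortiDDoS and FortiSandbox lines above share one key=value syslog layout, and between them they show the three things a collector has to handle: a relay-added syslog header in front of the first key, quoted values that contain spaces and commas, and key names whose case differs between firmware versions (SPP/spp, sIP/sip, dropCount/dropcount). The parser below is an added example and not FortiSIEM code; the sample lines are the ones from this section written with straight quotes, and the function names are my own.

```python
"""Parse FortiDDoS / FortiSandbox key=value syslog (added example, not FortiSIEM code)."""
import re
from datetime import datetime, timedelta, timezone

# Sample lines from this section (straight quotes instead of the page's curly ones).
DDOS_OLD = ("Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 "
            "time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 "
            "sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312")
DDOS_NEW = ('devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 '
            'evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per '
            'Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default '
            'dropcount=40249 facility=Local0 level=Notice')
FSA_RELEASE = ('Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 '
               'device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug '
               'user=system ui=system action= status=success reason=none letype=9 '
               'msg="Malware package: urlrel version 2.88897 successfully released, total 1000"')
FSA_LOGSRV = ('<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 '
              'devid=FSA35D0000000006 tzone=-25200 tz=PDT  date=2016-08-19 time=06:48:51 '
              'logid=0106000001 type=event subtype=system level=information user=admin ui=GUI '
              'action=update status=success reason=none letype=9 '
              'msg="Remote log server was successfully added"')

# key=value where the value is either a double-quoted string (may contain spaces
# and commas) or a run of non-space characters (possibly empty, as in action=).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_kv(line):
    """Return {key: value} with keys lower-cased so that SPP/spp or dropCount/dropcount
    land on the same key. Tokens without '=' (the syslog header) are skipped."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def event_time(fields):
    """Timestamp built from the device's own date/time fields, not from the relay's
    syslog header (which in DDOS_OLD names a different day than the device does).
    tzone, when present, is the offset from UTC in seconds. Returns None if the
    line carries no date/time (e.g. FSA_RELEASE)."""
    if "date" not in fields or "time" not in fields:
        return None
    ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    if "tzone" in fields:
        ts = ts.replace(tzinfo=timezone(timedelta(seconds=int(fields["tzone"]))))
    return ts


def ddos_drops(lines):
    """Total dropped packets reported by FortiDDoS attack lines, regardless of key case."""
    total = 0
    for line in lines:
        f = parse_kv(line)
        if f.get("type") == "attack":
            total += int(f.get("dropcount", 0))
    return total


if __name__ == "__main__":
    for line in (DDOS_OLD, DDOS_NEW, FSA_RELEASE, FSA_LOGSRV):
        f = parse_kv(line)
        print(f.get("devid") or f.get("device_id"), f.get("type"), event_time(f),
              f.get("description") or f.get("msg"))
    print("drops:", ddos_drops([DDOS_OLD, DDOS_NEW]))
```

Lower-casing keys is what makes the two FortiDDoS firmware generations on this page parse into the same record; taking the timestamp from date/time rather than the relay header matters because the relay's clock and the appliance's clock are two different sources.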

IBM Internet Security Series Proventia Configuration


What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| SNMP Traps | | | |

Event Types

In CMDB > Event Types, search for “proventia” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

AccelOps receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You need to first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to AccelOps.

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

  1. Log in to the IBM Proventia IPS web interface.
  2. Click Manage System Settings > SiteProtector Management.
  3. Click and select Register with SiteProtector.
  4. Click and select Local Settings Override SiteProtector Group Settings.
  5. Specify the Group, Heartbeat Interval, and Logging Level.
  6. Configure these settings:

| Setting | Description |
|---|---|
| Authentication Level | Use the default first-time trust |
| Agent Manager Name | Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive. |
| Agent Manager Address | Enter the Agent Manager’s IP address |
| Agent Manager Port | Use the default value 3995 |
| User Name | If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here |
| User Password | Click Set Password, enter and confirm the password, and then click OK. |
| Use Proxy Settings | If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port. |

Define AccelOps as a Response Object for SNMP Traps

  1. Log in to IBM SiteProtector console.
  2. Go to Grouping > Site Management > Central Responses > Edit settings.
  3. Select Response Objects > SNMP.
  4. Click Add.
  5. Enter a Name for your AccelOps virtual appliance.
  6. For Manager, enter the IP address of your virtual appliance.
  7. For Community, enter public.
  8. Click OK.

Define a Response Rule to Forward SNMP Traps to AccelOps

  1. Go to Response Rules.
  2. Click Add.
  3. Select Enabled.
  4. Enter a Name and Comment for the response rule.
  5. In the Responses tab, select SNMP.
  6. Select Enabled for the response object that represents your AccelOps virtual appliance.
  7. Click OK.

Sample SNMP trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"

Juniper DDoS Secure Configuration
What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | DDoS Alerts | Security Monitoring |

Event Types

In CMDB > Event Types, search for “juniper ddos” in the Device Type and Description columns to see the event types associated with this device.

Juniper-DDoS-Secure-WorstOffender

Juniper-DDoS-Secure-Blacklisted

Juniper-DDoS-Secure-Generic

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send syslog to AccelOps. Make sure that the event matches the format specified below.

Juniper Networks IDP Series Configuration


What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | | |

Event Types

In CMDB > Event Types, search for “juniper_idp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog from NSM

<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11 18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, 'interface=eth3', (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not

McAfee IntruShield Configuration


What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | | |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles custom syslog messages from McAfee Intrushield.

  1. Log in to McAfee Intrushield Manager.
  2. Create a custom syslog format with these fields:
    1. AttackName
    2. AttackTime
    3. AttackSeverity
    4. SourceIp
    5. SourcePort
    6. DestinationIp
    7. DestinationPort
    8. AlertId
    9. AlertType
    10. AttackId
    11. AttackSignature
    12. AttackConfidence
    13. AdminDomain
    14. SensorName
    15. Interface
    16. Category
    17. SubCategory
    18. Direction
    19. ResultStatus
    20. DetectionMechanism
    21. ApplicationProtocol
    22. NetworkProtocol
    23. Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.

AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity:$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId:$IV_ATTACK_ID$,AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$

  4. Set AccelOps as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A

McAfee Stonesoft IPS


What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | Network IPS alerts | Security Monitoring |

Event Types

In CMDB > Event Types, search for “stonesoft” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6
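Several senders in this section (AirTight SpectraGuard, FireEye MPS, McAfee Stonesoft, and the devices whose sections say CEF without showing a sample) deliver Common Event Format, so one parser covers all of them. The one below is an added example, not the FortiSIEM/AccelOps parser; it handles the two parts of a CEF line that simple splitting gets wrong: pipes and equals signs escaped with a backslash (the FireEye sample's `ev_id\=45640`), and extension values that contain spaces (`app=NTP (UDP)`, `deviceExternalId=STP-NY-FOO01 node 1`). It also resolves the `csNLabel`/`cnNLabel` pairs into named fields. The three sample lines are copied from this page; the fourth, with an escaped pipe in the header, is constructed.

```python
"""CEF syslog parser (added example, not FortiSIEM/AccelOps code)."""
import re

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
# A new extension pair starts at whitespace followed by key= ; an escaped '\='
# inside a value is never preceded by a key character, so it is not a boundary.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESC_RE = re.compile(r"\\(.)")

# Sample lines from this page.
AIRTIGHT = ("<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|"
            "Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP "
            "[AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC "
            "dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName "
            "cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i "
            "cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2")
FIREEYE = (r"<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|"
           r"rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 "
           r"dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 "
           r"cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link "
           r"cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName "
           r"cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org "
           r"dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640")
STONESOFT = ("<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 "
             "deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 "
             "cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection "
             "act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 "
             "proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 "
             "smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6")
# Constructed line exercising the escape rules.
ESCAPED = r"CEF:0|Vendor|Product|1.0|42|Escaped \| pipe|5|msg=a\=b"


def _split_header(text):
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\'.
    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, text[i:]


def _unescape(value):
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Values run from the key's '=' up to the next key boundary, so they may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line; whatever precedes 'CEF:' (PRI, timestamp, tag) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext_text = _split_header(line[start + 4:])
    event = dict(zip(HEADER_NAMES, fields))
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    ext = _parse_extension(ext_text)
    # cs2Label=SSID cs2=WiFiHiSpeed -> named["SSID"] = "WiFiHiSpeed"; cnN are numeric.
    named = {}
    for key, label in ext.items():
        base = key[:-5]
        if key.endswith("Label") and base in ext:
            named[label] = int(ext[base]) if base.startswith("cn") else ext[base]
    event["extension"] = ext
    event["named"] = named
    return event


if __name__ == "__main__":
    for line in (AIRTIGHT, FIREEYE, STONESOFT, ESCAPED):
        ev = parse_cef(line)
        print(ev["vendor"], ev["name"], ev["severity"], ev["named"])
```

The header walk and the extension splitter are deliberately separate: the header's only escapes are `\|` and `\\`, while in the extension a literal `=` must arrive as `\=`, and a value such as the FireEye callback URL is only correct after that unescaping. Custom-field labels are resolved last, after all pairs are known, because a label can precede or follow the value it names.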

Motorola AirDefense Configuration
What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | Wireless IDS logs | Security Monitoring |

Event Types

About 37 event types covering various Wireless attack scenarios – search for them by entering “Motorola-AirDefense” in CMDB > EventType.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send logs to AccelOps. Make sure that the format is as follows.

Snort Intrusion Protection System Configuration


What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | | |
| JDBC | | Generic information: signature ID, signature name, sensor ID, event occur time, signature priority; TCP, UDP and ICMP packet headers and payloads (detailed below) | |
| SNMP (for access to the database server hosting the Snort database) | | | |

Packet information collected over JDBC:

TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, TCP Urgent Pointer; and packet payload

UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length, checksum; and packet payload

ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and packet payload

Event Types

In CMDB > Event Types, search for “snort_ips” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:

  1. It is not reliable because it is sent over UDP.
  2. Information content is limited because of UDP packet size limit.

For these reasons, you should consider using JDBC to collect event information from Snort.

These instructions illustrate how to configure Snort on Linux to send syslogs to AccelOps. For further information, you should consult the Snort product documentation.

  1. Log in to your Linux server where Snort is installed.
  2. Navigate to and open the file /etc/snort/snort.conf.
  3. Modify alert_syslog to use a local log facility.
  4. Navigate to and open the file /etc/syslog.conf.
  5. Add a redirector to send syslogs to AccelOps.
  6. Restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514

<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80

<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10

<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
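The four records above are what the collector receives once steps 3 to 5 are done; the `<161>` PRI decodes to facility local4 and severity alert, which is the facility/level pair that the alert_syslog setting in step 3 determines. The parser below is an added example, not the FortiSIEM/AccelOps parser. It splits a buffer at each `<PRI>snort[` so that records a relay has run together on one line still come apart, treats the port as optional so ICMP records parse, and reports any record that does not match in full rather than dropping it silently, which is the practical answer to the UDP truncation drawback listed earlier. SAMPLE holds the page's four records; TRUNCATED is a constructed record cut off mid-way.

```python
"""Snort alert_syslog parser (added example, not FortiSIEM/AccelOps code)."""
import re

# The page's four records; the first two are run together as a relay often delivers them.
SAMPLE = (
    "<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request "
    "[Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514 "
    "<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a "
    "potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> "
    "192.168.0.26:80\n"
    "<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted "
    "Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10\n"
    "<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted "
    "Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161\n"
)
# Constructed: a record cut off by a datagram size limit.
TRUNCATED = "<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted"

_RECORD_START = re.compile(r"(?=<\d{1,3}>snort\[)")
_ALERT_RE = re.compile(
    r"<(?P<pri>\d{1,3})>snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"   # absent for rules without classtype
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<src_port>\d+))? -> "   # ports absent for ICMP
    r"(?P<dst>[\d.]+)(?::(?P<dst_port>\d+))?"
)


def parse_snort_syslog(text):
    """Return (events, unparsed). events: one dict per record with numeric fields
    as ints and src_port/dst_port None when the protocol has no ports. unparsed:
    records that did not match in full (truncated or foreign lines)."""
    events, unparsed = [], []
    for rec in _RECORD_START.split(text):
        rec = rec.strip()
        if not rec:
            continue
        m = _ALERT_RE.fullmatch(rec)
        if not m:
            unparsed.append(rec)
            continue
        d = m.groupdict()
        pri = int(d["pri"])
        events.append({
            "facility": pri // 8, "severity": pri % 8,      # 161 -> local4 (20), alert (1)
            "pid": int(d["pid"]),
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["classification"],
            "priority": int(d["priority"]), "proto": d["proto"],
            "src": d["src"], "src_port": int(d["src_port"]) if d["src_port"] else None,
            "dst": d["dst"], "dst_port": int(d["dst_port"]) if d["dst_port"] else None,
        })
    return events, unparsed


def by_priority(events):
    """Count of alerts per Snort priority (1 is the most severe)."""
    counts = {}
    for ev in events:
        counts[ev["priority"]] = counts.get(ev["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    events, unparsed = parse_snort_syslog(SAMPLE + TRUNCATED)
    for ev in events:
        print(f"{ev['gid']}:{ev['sid']}:{ev['rev']} p{ev['priority']} {ev['proto']} "
              f"{ev['src']}:{ev['src_port']} -> {ev['dst']}:{ev['dst_port']} {ev['msg']}")
    print("priorities:", by_priority(events), "unparsed:", len(unparsed))
```

Using `fullmatch` on each record is what turns a truncated datagram into an entry in `unparsed` instead of a half-filled event; counting those entries over time is a cheap way to see whether the UDP path is losing information and whether the JDBC collection the text recommends is worth setting up.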

JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, AccelOps can capture a full packet that is detailed enough to recreate the packet via a PCAP file.

AccelOps supports collecting Snort event information over JDBC these database types:

Oracle

MS SQL

MySql

PostgreSQL

AccelOps supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You will need to set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with AccelOps for several common types of database servers.

Once you have set up SNMP on your database server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Debugging Snort Database Connectivity

Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull.

At most 1000 database records (IPS Alerts) are pulled at a time. If AccelOps finds more than 1000 new records, then it begins to fall behind and this log is created.

Examples of Snort IPS Events Pulled over JDBC

UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520…

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204…

Viewing Snort Packet Payloads in Reports


AccelOps creates an event for each IPS alert in Snort database. You can view the full payload packet associated with a Snort event when you run a report.

  1. Set up a structured historical search.
  2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group.
Attribute Operator Value
Reporting IP IN Applications: Network IPS App
  1. For Display Fields, include Data Payload.

When you run the query, Data Payload will be one one of the display columns.

  1. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte ethereal/wireshark format.

 

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.
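For the event format shown above and the payload view and PCAP export just described, an added example that is not AccelOps code: it parses the agent's [key]=value line, prints dataPayload byte by byte in the Wireshark-style layout, rebuilds the IPv4/UDP packet from the header fields using the recorded checksums, verifies lengths and checksums, and writes a classic pcap file. The sample event is constructed (consistent lengths and checksums, a complete SNMP GetRequest payload) because the page's own examples are truncated; the output file name snort_event.pcap and treating eventTime as UTC are assumptions.

```python
"""Parse Snort events in the [key]=value form the AccelOps Java agent emits, dump
the payload byte by byte, and rebuild IPv4/UDP packets into a pcap file.
Added example, not AccelOps code; the sample event below is constructed."""
import calendar
import datetime
import re
import socket
import struct

# Constructed sample (not a sensor record): a 43-byte SNMPv2c GetRequest for
# sysDescr.0, community "public", 10.1.2.245:35876 -> 10.1.2.36:161.
SAMPLE_UDP_EVENT = (
    "<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,"
    "[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,"
    "[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,"
    "[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,"
    "[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=71,"
    "[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=24972,"
    "[srcIpPort]=35876,[destIpPort]=161,[udpLen]=51,[checksum]=34299,[dataPayload]="
    "302902010104067075626C6963A01C020401020304020100020100300E300C06082B060102010101000500"
)

FIELD_SPLIT = re.compile(r",(?=\[\w+\]=)")      # split only at commas that start a new [key]=
FIELD = re.compile(r"^\[(\w+)\]=(.*)$", re.S)
LINKTYPE_IPV4 = 228                             # pcap link type: raw IPv4, no Ethernet header


def parse_event(line):
    """Fields as a dict plus the rule SID from '[Snort-NNNN]:'. The agent emits
    eventSeverity twice; the later (numeric) value wins."""
    head, _, body = line.partition("]:")
    fields = {"snortSid": head.rsplit("[Snort-", 1)[1]}
    for item in FIELD_SPLIT.split(body):
        m = FIELD.match(item)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def hexdump(data, width=16):
    """Offset / hex / ASCII rows of 16 bytes, the layout Wireshark prints."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(rows)


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; data that already carries a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(ev):
    """IPv4 header + UDP header + payload from the event fields, with the recorded
    checksums. A false check means the record does not fully describe the packet
    (truncated payload, a header bit the database row does not carry, ...)."""
    if ev["ipVersion"] != "4" or ev["ipProto"] != "17":
        raise ValueError("only IPv4/UDP events are rebuilt here")
    payload = bytes.fromhex(ev["dataPayload"])
    src, dst = socket.inet_aton(ev["srcIpAddr"]), socket.inet_aton(ev["destIpAddr"])
    ihl, total_len, udp_len = (int(ev[k]) for k in ("ipHeaderLength", "ipTotalLength", "udpLen"))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, int(ev["tos"]), total_len, int(ev["ipId"]),
                         (int(ev["ipFlags"]) << 13) | int(ev["ipFragOffset"]), int(ev["ipTtl"]), 17,
                         int(ev["ipChecksum"]), src, dst)
    udp_hdr = struct.pack("!HHHH", int(ev["srcIpPort"]), int(ev["destIpPort"]), udp_len, int(ev["checksum"]))
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)     # the UDP checksum covers this too
    checks = {
        "lengths_consistent": udp_len == 8 + len(payload) and total_len == ihl * 4 + udp_len,
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,
        "udp_checksum_ok": int(ev["checksum"]) == 0 or inet_checksum(pseudo + udp_hdr + payload) == 0,
    }
    return ip_hdr + udp_hdr + payload, checks


def export_pcap(events):
    """Rebuilt packets as a classic pcap file (bytes); eventTime is treated as UTC (assumption)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)]
    for ev in events:
        pkt, _ = build_ipv4_udp(ev)
        ts = datetime.datetime.strptime(ev["eventTime"], "%Y-%m-%d %H:%M:%S.%f")
        out.append(struct.pack("<IIII", calendar.timegm(ts.timetuple()), ts.microsecond, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_UDP_EVENT)
    print(f"{ev['eventName']}: {ev['srcIpAddr']}:{ev['srcIpPort']} -> {ev['destIpAddr']}:{ev['destIpPort']}")
    print(hexdump(bytes.fromhex(ev["dataPayload"])))
    print(build_ipv4_udp(ev)[1])
    with open("snort_event.pcap", "wb") as fh:      # arbitrary file name
        fh.write(export_pcap([ev]))
```

Run the three checks before relying on an exported packet as evidence: a udpLen that exceeds 8 plus the payload length means the database row holds a truncated payload, and a checksum mismatch means the row does not carry every header bit of the packet that was actually on the wire.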

Settings for Access Credentials

Sourcefire 3D and Defense Center Configuration

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “sourcefire” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles SourceFire alerts via syslog, sent either by the IPS appliances themselves or by DefenseCenter. Events are classified as Snort event types.

Configure the SourceFire appliances or DefenseCenter to send syslogs to AccelOps as directed in the device's product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

TippingPoint Intrusion Protection System Configuration
What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 SNMP   CPU, memory, Interface utilization Performance and Availability Monitoring
 Syslog   IPS Alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “tippingpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > SMS/NMS.
  3. For SMS Authorized IP Address/CIDR, make sure any is entered, or restrict it to the address of the AccelOps virtual appliance so that only the collector can poll the device.
  4. Select Enabled for SNMP V2.
  5. For NMS Community String, enter public, or whichever read-only community string you set as this device's access credential in AccelOps; the two must match, and on a production sensor a string other than the default public is preferable.
  6. Click Apply.

Syslog

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > Syslog Servers.
  3. Under System Log, enter the IP address of the AccelOps virtual appliance.
  4. Select Enable syslog offload for System Log.
  5. Under Audit Log, enter the IP address of the AccelOps virtual appliance.
  6. Select Enable syslog offload for Audit Log.
  7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events for specific traffic on the network segments that pass through the device. This log contains three categories of events.

Event Category	Description
Alert	Alert events indicate that the IPS has detected suspicious activity in the packet but still permits the packet to pass (the specific settings are controlled by the administrator profile)
Block	Block events are malicious packets that were not permitted to pass
P2P	Peer-to-peer traffic events

In addition, filter events carry a UUID, a unique identifier that corresponds to the exact security threat defined in the TippingPoint Digital Vaccine files. The AccelOps virtual appliance correlates these with authoritative databases of security threats.

  1. Go to IPS > Action Sets.
  2. Click Permit + Notify.
  3. Under Contacts, click Remote Syslog.
  4. Under Remote Syslog Information, enter the IP address of the AccelOps virtual appliance.
  5. Make sure the Port is set to 514.
  6. Make sure Delimiter is set to tab, comma, or semicolon.
  7. Click Add to Table Below.

You should now see the IP address of the AccelOps virtual appliance as an entry in the Remote Syslogs table.

Sample parsed syslog messages



This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
