Common Event Format Configuration Guide. NIKSUN NetDetector-NetVCR Date: Wednesday, May 30, 2012

Size: px

Start display at page:

Download "Common Event Format Configuration Guide. NIKSUN NetDetector-NetVCR Date: Wednesday, May 30, 2012"

Donald Thornton
5 years ago
Views:

1 Common Event Format Configuration Guide NIKSUN NetDetector-NetVCR Date: Wednesday, May 30,

2 CEF Connector Configuration Guide This document is provided for informational purposes only, and the information herein is subject to change without notice. Please report any errors herein to HP. HP does not provide any warranties covering this information and specifically disclaims any liability in connection with this document. CEF Certified: The event format complies with the requirements of the HP ArcSight Common Event Format. The HP ArcSight CEF connector will be able to process the events correctly and the events will be available for use within HP s ArcSight product. In addition, the event content has been deemed to be in accordance with standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation rules, reports and dashboards as a proof-of-concept (POC) of the joint solution NIKSUN NetDetector - NetVCR May 7, 2012 Revision History Date Description 05/07/ /09/2012 First edition of this Configuration Guide. Certified by HP ArcSight CEF Connector Support Information when an issue is outside of the ArcSight team s ability In some cases the ArcSight customer service team is unable to help with issues that lie within the configuration itself in which case, the certified vendor should be contacted for assistance: NIKSUN Customer Support Phone: - USA: UK: Japan: Germany: France: support@niksun.com Customers can either NIKSUN Support (support@niksun.com) or call the support numbers listed above. 2

3 NIKSUN NetDetector-NetVCR Configuration Guide This guide provides the details necessary to configure the Common Event Format (CEF) Connector for syslog event collection on an Appliance or NetOmni so that events can be displayed and worked on in the ArcSight system. Overview The syslog events which go out of the Appliance will go in CEF so that ArcSight can parse and display it in its console for further analysis. Before beginning you will need to know the IP Address of the ArcSight server. Configuration On the Appliance, select Configuration > Alarms to access the Alarm properties GUI, on NetOmni select Central Manager > Alarms, and then select the appropriate alarm type (Anomaly, NetSLM, etc.) so you can input the ArcSight s server IP address on the NIKSUN s Appliance. (if the alarm already exists, use Edit; if the alarm does not exist, use Add). The IP Address should be added under the Notifications tab in the Common Event Format field. Click Update when finished. Figure 1: Alarm Properties 3

4 This screen shot displays adding the ArcSight server for Signature IDS. Figure 2: Signature IDS 4

Screen Shot Events For a list of events and other important information, the customer must be a registered customer at: http://supportnet.niksun.

5 Screen Shot Events For a list of events and other important information, the customer must be a registered customer at: Device Event Mapping to ArcSight Data Fields Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, and then mapped to an ArcSight data field. The following table lists the mappings from ArcSight data fields to the supported vendor-specific event definitions. 5

6 NIKSUN NetDetector-NetVCR Connector Field Mappings Table 1: CEF Connector Field Mappings Header Fields Field Name Definition Signature IDS Example Anomaly/NetSLM Example CEF:Version Version of CEF Format CEF:0 CEF:0 Device Vendor device vendor NIKSUN Incorporated NIKSUN Incorporated Device Product product name NetDetector-NetVCR NetDetector-NetVCR Device Version release version _ _8 Signature ID Name Severity Extension Fields Unique identifier per event type Human-readable and understandable description of event 0 to 10, where 10 indicates most important [1: ] Anomaly:Unauthorized DNS Server:26 stftp p_header Buffer Overflow Attempt 6 8 Unauthorized DNS Server Field Name Definition Signature IDS Example Anomaly/NetSLM end The time at which the activity related to the event ended. Milliseconds since epoch dvc IP address of the device dvchost hostname of the device appliance.lab.niksun.com appliance.lab.niksun.com deviceinboundinterface cat src dst Interface on which the packet or data entered the device. Represents the category assigned by the originating device Identifies the source that an event refers to in an IP network Identifies the destination that an event refers to in an IP network FTP_Dataset_pcap NIKSUN-EXPLOIT em1 Spoofs spt Source Port

7 dpt Destination Port proto msg request Custom Fields Strings Identifies the Layer-4 protocol used. An arbitrary message giving more details about the event. In the case of HTTP request, this field contains the URL accessed. TCP Not Used Not Used cs1label Category Not Used cs1 NIKSUN-EXPLOIT cs2label Classification Not Used cs2 misc-attack cs4label Layer Layer cs4 TCP udp cs5label user configured filter Filter Filter cs5 port 21 or port 22 port 53 cs6label timestamp in seconds Timestamp Timestamp udp [2 repeats] Number of Packets(udp) transmitted for a host pair: 1 Name>/ngen/main.jsp?head less\=false&openingscreen\ =Analysis&recorder\=<App lianceiporhostname>&ifac e\=<interface>&endtime\= <EndTime>&startTime\=< StartTime>&filterExp\=<Fi lter>&layer\=<layer>&dat atype1\=byte&template\=d ynamic_analysis cs Numbers cn1label Generator ID Not Used cn1 1 cn2label Signature ID Not Used cn cn3label Revision ID Not Used cn3 1 Floating Points cfp1label Not Used Monitoring Interval 7

8 cfp1 60 cfp2label Not Used Threshold cfp2 30 cfp3label Not Used Breached Value cfp3 90 8

Common Event Format Configuration Guide. Barracuda Networks Barracuda Web Application Firewall Date: Wednesday, February 01, 2017

Common Event Format Configuration Guide Barracuda Networks Barracuda Web Application Firewall Date: Wednesday, February 01, 2017 1 CEF Connector Configuration Guide This document is provided for informational