ArcSight Pro Tip #5 - Creating events with Python

Sorry for the delay, my friends, but I am back with another ArcSight pro tip!

The following tip is extremely handy for testing new content and all kinds of fun stuff. Using Python, which ships with just about every Linux distribution, you can hand-craft events in CEF (Common Event Format) and send them over syslog to an ArcSight connector on the fly. You can even replay events from a file!

Copy the following file onto a Linux machine, or just paste it into vim or nano, and modify the CEF line to fit any combination you want. If you are curious how CEF formatting works, ArcSight publishes a CEF specification that documents the header fields, the extension key=value pairs and the escaping rules.

Here is the sample Python code to get you going. Save it as sendevent.py, make it executable, and run it with the connector's IP as the only argument, e.g.: ./sendevent.py 192.168.11.50

#!/usr/bin/env python3
# Send fake alerts into ESM via CEF/Syslog
# gregcmartin at gmail.com
#
import socket
import sys
import time

# The CEF lines to replay, one event per line.
REPLAY_FILE = 'replay.cef'

if len(sys.argv) > 1:
    dest = sys.argv[1]
else:
    print('Usage: %s <connector ip>\n' % sys.argv[0])
    print('ex. %s 127.0.0.1\n' % sys.argv[0])
    sys.exit(1)


def syslog(message, level=5, facility=3, host='localhost', port=8514):
    # Wrap the message in a minimal syslog datagram. The <PRI> field is
    # facility*8 + severity level, so the defaults (daemon.notice) give <29>.
    # Point `port` at whatever UDP port your syslog connector listens on.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    data = '<%d>%s' % (level + facility * 8, message)
    sock.sendto(data.encode('utf-8'), (host, port))
    sock.close()


while True:
    print('Sending events from %s...' % REPLAY_FILE)
    # Re-open the file on every pass so edits to replay.cef are picked up
    # without restarting the script.
    with open(REPLAY_FILE, 'r') as f:
        for line in f:
            cef = line.rstrip('\r\n')
            if not cef:
                continue  # skip blank lines rather than sending empty events
            # cef = "CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp"
            print(cef)
            syslog(cef, host=dest)
            time.sleep(1)

And the following is the replay file. Save it as replay.cef in the same directory as the script, one CEF event per line:

CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.145 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.139 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.138 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.137 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.136 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.136 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.145 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.139 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp
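The replay lines above are typed by hand, so they are trivially well formed. As soon as you start generating test events from other data (a list of IPs, a CSV export, whatever a rule under test needs), the CEF escaping rules matter: a pipe or backslash inside one of the seven header fields, or an equals sign or newline inside an extension value, shifts fields and the connector parses a different event than you meant. That is also exactly how log injection works when a real device writes attacker-controlled strings into CEF unescaped. The following helper is an added example, not part of the original post or of ArcSight's tooling: it builds a CEF line with the spec's escaping, prefixes the syslog PRI the way the script above does, and parses a line back so you can check on the sending side that the connector will see the fields you intended. Function names and the constructed sample values are mine.

```python
#!/usr/bin/env python3
"""Build, frame and parse ArcSight CEF events (added example, not from the post).

Escaping per the CEF specification: in the seven pipe-delimited header fields a
backslash becomes '\\\\' and a pipe becomes '\\|'; in the extension a backslash
becomes '\\\\', an equals sign becomes '\\=', and literal CR/LF become '\\r'/'\\n'.
"""
import re

CEF_VERSION = 0
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


def escape_header(value):
    """Escape a value destined for one of the pipe-delimited header fields."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Escape a value destined for a key=value pair in the extension."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Return one CEF line. `extension` is a list of (key, value) pairs so the
    field order is emitted exactly as given."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be an integer 0-10")
    header = "|".join(escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join("%s=%s" % (k, escape_extension(v)) for k, v in extension)
    return "CEF:%d|%s|%s" % (CEF_VERSION, header, ext)


def syslog_frame(message, facility=3, level=5):
    """Prefix the message with the syslog PRI field <facility*8 + level>.
    The defaults (daemon.notice) give <29>, the same values the script above uses."""
    if not (0 <= facility <= 23 and 0 <= level <= 7):
        raise ValueError("facility must be 0-23, level 0-7")
    return "<%d>%s" % (facility * 8 + level, message)


def _unescape(value):
    # '\n' and '\r' come back as control characters, any other '\x' as the bare x.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Parse a CEF line (optionally prefixed with a syslog <PRI>) into a dict.
    A character scanner is used instead of str.split('|') so that escaped pipes
    and escaped backslashes inside header fields are handled correctly.
    Raises ValueError when the header does not have seven fields."""
    if line.startswith("<"):
        line = line[line.index(">") + 1:]          # drop the syslog PRI
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # escaped char: take literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % line)
    event = dict(zip(HEADER_FIELDS, fields[1:]))
    event["cef_version"] = int(fields[0][4:])
    event["extension"] = {}
    # Split only on a space that starts a new key=; an escaped '\=' inside a
    # value is never preceded by a bare key, so it cannot start a new pair.
    for pair in re.split(r" (?=[A-Za-z0-9_]+=)", line[i:]):
        if "=" in pair:
            key, val = pair.split("=", 1)
            event["extension"][key] = _unescape(val)
    return event


if __name__ == "__main__":
    # Constructed sample: the same event the replay file above carries.
    line = build_cef("Cisco", "ASA", "1.0", "100", "accept", 1,
                     [("src", "10.140.10.213"), ("dst", "109.226.104.135"),
                      ("dport", 80), ("proto", "tcp")])
    print(syslog_frame(line))
    print(parse_cef(line)["extension"])
```

Run parse_cef over whatever you are about to send, and compare the result with the fields you intended; if a name like accept|10 shows up as a severity of 10, the escaping step is missing. Note that UDP gives you no delivery confirmation, so this sender-side check is the only one the script can do on its own; the connector's own logs and the events in the console are the other half.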

That should get you started sending your own fake events to ArcSight for testing new content.

Happy Hacking,

Greg