DanyK7 (Honored Contributor)
PROTECT724-WEBSENSE773-7.7.8-PARSER.zip

=================================================================================

Title : Websense 7.7.3 up to 7.7.8 Parser Overrides, map.properties and categorization files

By    : Dany Cossette

Date  : 2014-10-10

This is my websense parser overrides, categorizer and map.properties files.

I can be reached on protect724 as DanyK7

CHANGELOG:

2014-09-18 Modified map.0.properties following notification from Websense:

           During September 17-19, 2014, the category ‘Supplements and Unregulated Compounds’

           will change its name to ‘Nutrition’. The category will provide coverage for

           websites dedicated to the topic of nutrition, including: supplements, vitamins,

           dieting, and the like.

2014-09-19 Modified map.0.properties to add new categories from 220 to 228.

           Corrected category 201 description.

2014-10-10 Now fully tested under Websense 7.7.8 - no changes were required

=================================================================================

=================================================================================

DISCLAIMER

=================================================================================

My employer and I are furnishing this item "as is". We do not provide any warranty of the item whatsoever, whether express, implied, or statutory, including, but not limited to, any warranty of merchantability or fitness for a particular purpose or any warranty that the contents of the item will be error-free.

In no respect shall we incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or in any way connected to the use of the item, whether or not based upon warranty, contract, tort, or otherwise; whether or not injury was sustained by persons or property or otherwise; and whether or not loss was sustained from, or arose out of, the results of, the item, or any services that may be provided by me and my employer.

If you do not agree with this disclaimer, just don't use any information provided.

(However, if you do agree with the disclaimer and you do use it, and find errors, please share!)

See readme file in the doc for more details
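The package above bundles a CEF parser with a map.properties file that turns Websense's numeric category codes into names, and the changelog shows why such a map needs an override layer (a category rename, new codes 220 to 228 appearing). The following is an added example, not code from DanyK7's package or from ArcSight, that shows the two moving parts in plain Python: a small CEF line parser that handles escaped pipes in the header and unescaped `=` inside extension values, and a category map built from a base layer plus an override layer. The CEF field names, the category codes and their names, and the simple `code=name` properties format are all constructed for the example; the real map.0.properties uses ArcSight's own map-file layout. An event whose category code is not yet in the map is reported as `unknown(<code>)` rather than dropped, which is the case the changelog entry for codes 220 to 228 is about.

```python
"""Minimal CEF parser plus a layered (base + override) category map.

Constructed example; field names, category codes and names are sample
values, not Websense's real CEF schema or the package's map.0.properties.
"""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(text: str) -> List[str]:
    """Split the 7 pipe-delimited header fields; '\\|' and '\\\\' are escapes.

    Returns 8 items: the 7 header fields plus the raw extension string.
    Escapes inside the extension are left alone for parse_extension().
    """
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and len(fields) < 7:
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|" and len(fields) < 7:
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


# A key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; this keeps 'q=1' inside a URL as value text.
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value two' into a dict, values unescaped."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF event (syslog prefix optional)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _split_header(line[start + len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(parse_extension(parts[7]))
    return event


def load_properties(text: str) -> Dict[str, str]:
    """Read 'key=value' / 'key: value' lines; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def build_category_map(*layers: str) -> Dict[str, str]:
    """Later layers override earlier ones (rename or add a category)."""
    merged: Dict[str, str] = {}
    for layer in layers:
        merged.update(load_properties(layer))
    return merged


def categorize(event: Dict[str, str], cat_map: Dict[str, str],
               field: str = "cat") -> str:
    code = event.get(field)
    if code is None:
        return "unknown(no category field)"
    return cat_map.get(code, f"unknown({code})")  # keep unmapped codes visible


# Constructed sample data (not the package's real map files or events).
BASE_MAP = """\
# constructed base map: category code -> name
201=Constructed category 201
215=Supplements and Unregulated Compounds
"""
OVERRIDE_MAP = """\
# constructed override applied on top of the base: one rename, one addition
215=Nutrition
220=Constructed category 220
"""
SAMPLE_EVENTS = [
    "CEF:0|Websense|WebSecurity|7.7.8|1|Blocked \\| Category|5|"
    "act=blocked cat=215 request=http://example.test/p?q=1 src=10.0.0.5",
    "<14>Oct 10 12:00:00 proxy1 CEF:0|Websense|WebSecurity|7.7.8|1|Allowed|3|"
    "act=allowed cat=228 src=10.0.0.6",
]


def run(events: List[str] = SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    """Return (source, category name) per event; 228 is unmapped on purpose."""
    cat_map = build_category_map(BASE_MAP, OVERRIDE_MAP)
    results = []
    for line in events:
        ev = parse_cef(line)
        results.append((ev.get("src", "?"), categorize(ev, cat_map)))
    return results


if __name__ == "__main__":
    for src, name in run():
        print(src, name)
```

Counting the `unknown(...)` results over a day of traffic is a cheap way to notice that the vendor has shipped new category codes before the map file has been updated.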

8 Replies
seniorj@bennett (Absent Member)


Dany this content is excellent! I shoehorned a number of Websense SIEM integration documents myself but you have knocked it out of the park.  I am very impressed with how thorough this is.

DanyK7 (Honored Contributor)


Thanks, so far I know that 4 other companies are using this parser, which btw also works fine with Websense 7.7.8.

These 4 companies and I have also colluded to add our "vote", with Websense support, for some new features related to CEF integration that would be useful for all of us.

Should you decide to use this parser recipe, and would be interested, I could send you the feature requests we've opened if you send me a private message with your coordinates.

We believe Websense could produce an even better CEF integration, and the best way is to regroup our voices.

DanyK7 (Honored Contributor)


Hi

I would recommend NOT configuring Websense to use TCP to send its syslog messages towards a SmartConnector or any other syslog server.

We experienced a failure in Websense. Overall, all the Websense devices were trying to establish in excess of 400 TCP connections per minutessecond... causing major CLOSE_WAIT and eventually catastrophic failure because no FDs were left on the destination system.

While I definitely don't like the "unreliable" in UDP, it simply can't cause any problem like that.

Just thought someone might be interested,

Dany

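The failure mode Dany describes above, a syslog receiver filling up with CLOSE_WAIT sockets from a chatty TCP sender until the process runs out of file descriptors, is easy to watch for on the receiving host. The following is an added example written for this thread, not part of the parser package, that parses `ss -tan` output and the `/proc/sys/fs/file-nr` counters and returns an alert per sender that has too many half-closed connections to the syslog port, plus an alert when system-wide descriptor usage nears the limit. The `ss` listing, the file-nr line, the thresholds and the port are constructed sample values; in production you would feed it the live output (for example `subprocess.check_output(["ss", "-tan"], text=True)` and the contents of `/proc/sys/fs/file-nr`) from a cron job or a monitoring agent.

```python
"""Detect CLOSE-WAIT pile-ups and descriptor pressure on a syslog receiver.

Constructed example for this thread; sample outputs and thresholds are made up.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample of `ss -tan` on a receiver listening on TCP/514.
# ss prints the state as CLOSE-WAIT; netstat prints CLOSE_WAIT (both accepted).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.1:514         10.0.0.50:41234
CLOSE-WAIT 1      0      10.0.0.1:514         10.0.0.50:41235
CLOSE-WAIT 1      0      10.0.0.1:514         10.0.0.50:41236
CLOSE-WAIT 1      0      10.0.0.1:514         10.0.0.50:41237
CLOSE-WAIT 1      0      10.0.0.1:514         10.0.0.51:50001
LISTEN     0      128    0.0.0.0:514          0.0.0.0:*
"""

# Constructed sample of /proc/sys/fs/file-nr: allocated, unused, maximum.
SAMPLE_FILE_NR = "65000\t0\t65536\n"


def close_wait_by_peer(ss_output: str, local_port: int) -> Dict[str, int]:
    """Count CLOSE-WAIT sockets on local_port, grouped by peer IP."""
    counts: Counter = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        state, local, peer = cols[0], cols[3], cols[4]
        if state.replace("_", "-") != "CLOSE-WAIT":
            continue
        if not local.endswith(f":{local_port}"):
            continue
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral port
        counts[peer_ip] += 1
    return dict(counts)


def fd_pressure(file_nr: str) -> float:
    """Fraction of the system-wide file descriptor limit currently allocated."""
    allocated, _unused, maximum = (int(x) for x in file_nr.split())
    return allocated / maximum


def evaluate(ss_output: str, file_nr: str, local_port: int = 514,
             peer_threshold: int = 3, fd_threshold: float = 0.9) -> List[str]:
    """Return human-readable alerts; an empty list means nothing to report."""
    alerts = []
    for peer, n in sorted(close_wait_by_peer(ss_output, local_port).items()):
        if n >= peer_threshold:
            alerts.append(f"{peer}: {n} CLOSE-WAIT sockets to :{local_port}")
    ratio = fd_pressure(file_nr)
    if ratio >= fd_threshold:
        alerts.append(f"system file descriptors {ratio:.0%} of limit")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SS, SAMPLE_FILE_NR):
        print(alert)
```

Grouping by peer matters here: one misbehaving sender opening a new connection per message stands out immediately, while a few half-closed sockets per appliance are normal and should stay under the threshold.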
DanyK7 (Honored Contributor)


Now installing and testing with Websense 8.1

Will update this package should there be any changes.

Our planned Websense 8.1 install will implement:

1. The CEF syslog UDP parser FlexConnector as described in this post

2. A new (for us) SNMP Smart/Flex to get Websense's alerts (e.g. subscription expired, Log space full, master database download failed)

I also noticed that Websense has ignored all feature requests made to improve the CEF implementation, including support of syslog for system alerts, instead of supporting only SNMP and email.

Anyone got the SNMP part working for system alerts?

andrew.dalbor (Outstanding Contributor)


Also a Websense customer here.  Don't expect much out of feature requests. If you aren't a large enough company they just kind of ignore them.

DanyK7 (Honored Contributor)


Thanks Andrew

Actually, we just hit a major snag: with SIEM integration in Websense 8.1, the function that allows sending syslog messages to ArcSight is still there, but we cannot get a single message out of the Triton server. No error messages either.

Are you on 8.1? Anyone else got through Websense 8.1?

andrew.dalbor (Outstanding Contributor)


Hey Dany,

We run 7.8.4 in our prod environment and 8.0 in a test.  Are you trying to use the SIEM Integration menu in Triton to configure?

If so, we have never had success with that in the past. We use syslog straight from each appliance for the web traffic portion.

The only thing extra we had to do was write a custom flex to parse the categories.  The rest worked with no issues.

DanyK7 (Honored Contributor)


We were on 7.8.x in the past and using the SIEM integration menu in Triton.

Never had a problem; all was good until we installed new appliances with 8.1 and went into a pilot.

The config for the SIEM was unchanged, so we thought it was a no-brainer.

We thought we had a smoking gun with this:

https://www.websense.com/content/support/library/web/v81/triton_web_help/ts_start_mux.aspx

But no, the multiplexer was installed and running.

We are waiting on Websense support about this issue. Will post results here.

What config/file do you have to change to get the audit directly from each appliance without going through the SIEM integration menu?
