Title : Websense 7.7.3 up to 7.7.8 Parser Overrides, map.properties and categorization files
By : Dany Cossette
Date : 2014-10-10
These are my Websense parser overrides, categorizer and map.properties files.
I can be reached on protect724 as DanyK7
2014-09-18 Modified map.0.properties following notification from Websense:
During September 17-19, 2014, the category ‘Supplements and Unregulated Compounds’
will change its name to ‘Nutrition’. The category will provide coverage for
websites dedicated to the topic of nutrition, including: supplements, vitamins,
dieting, and the like.
2014-09-19 Modified map.0.properties to add new categories from 220 to 228.
Corrected category 201 description.
2014-10-10 Now fully tested under Websense 7.7.8 - no changes were required
Me and my employer are furnishing this item "as is". We do not provide any warranty of the item whatsoever, whether express, implied, or statutory, including, but not limited to, any warranty of merchantability or fitness for a particular purpose or any warranty that the contents of the item will be error-free.
In no respect shall we incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or in any way connected to the use of the item, whether or not based upon warranty, contract, tort, or otherwise; whether or not injury was sustained by persons or property or otherwise; and whether or not loss was sustained from, or arose out of, the results of, the item, or any services that may be provided by me and my employer.
If you do not agree with this disclaimer, just don't use any information provided.
(However, if you do agree with the disclaimer and you do use it, and find an error, please share!)
See the readme file in the doc for more details.
Dany this content is excellent! I shoehorned a number of Websense SIEM integration documents myself but you have knocked it out of the park. I am very impressed with how thorough this is.
Thanks. So far I know that 4 other companies are using this parser, which btw also works fine with Websense 7.7.8.
These 4 companies and I have also colluded to add our "vote", with Websense support, for some new features related to CEF integration that would be useful for all of us.
Should you decide to use this parser recipe and be interested, I could send you the feature requests we've opened if you send me a private message with your contact details.
We believe Websense could produce an even better CEF integration, and the best way is to regroup our voices.
I would recommend NOT configuring Websense to use TCP to send its syslog messages towards a Smart or any other syslog server.
We experienced a failure in Websense. Overall, all the Websense devices were trying to establish in excess of 400 TCP connections per minute/second... causing major CLOSE_WAIT and eventually catastrophic failure because no FDs were left on the destination system.
While I definitely don't like the "unreliable" in UDP, it simply can't cause any problem like that.
Just thought someone might be interested.
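The failure described in the post above (senders churning TCP connections until the receiver runs out of file descriptors) shows up on the receiving host as CLOSE_WAIT sockets that the syslog daemon never closed. The following is an added example, not code from the original post or from Websense: it parses `ss -tan` style output (a constructed sample is embedded; the addresses are placeholders) and reports which sending hosts have a CLOSE_WAIT backlog on the syslog port, so the problem can be caught before the FD limit is hit.

```python
"""Flag peers piling up CLOSE_WAIT sockets on a TCP syslog receiver.

Added example, not part of the original thread. It parses `ss -tan`
(or `netstat -tan`) style text rather than querying the live system.
"""
from collections import Counter

# Constructed sample of `ss -tan` output on a receiver listening on 514.
# Hosts and ports are placeholders, not real devices.
SAMPLE_SS_OUTPUT = """\
State       Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN      0      128    0.0.0.0:514         0.0.0.0:*
CLOSE-WAIT  1      0      10.0.0.5:514        10.0.1.20:49152
CLOSE-WAIT  1      0      10.0.0.5:514        10.0.1.20:49153
CLOSE-WAIT  1      0      10.0.0.5:514        10.0.1.20:49154
ESTAB       0      0      10.0.0.5:514        10.0.1.21:50001
CLOSE-WAIT  1      0      10.0.0.5:514        10.0.1.21:50002
ESTAB       0      0      10.0.0.5:22         10.0.9.9:40000
"""


def parse_socket_table(text):
    """Return one dict per socket line.

    Accepts the `ss -tan` layout (state first, CLOSE-WAIT spelling) and the
    `netstat -tan` layout (proto first, state last, CLOSE_WAIT spelling).
    Header lines and anything without host:port columns are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        if parts[0].startswith("tcp") and len(parts) >= 6:   # netstat layout
            local, peer, state = parts[3], parts[4], parts[5]
        else:                                                  # ss layout
            state, local, peer = parts[0], parts[3], parts[4]
        if ":" not in local or ":" not in peer:
            continue
        _local_host, local_port = local.rsplit(":", 1)
        peer_host, _peer_port = peer.rsplit(":", 1)
        rows.append({
            "state": state.replace("-", "_").upper(),
            "local_port": local_port,
            "peer_host": peer_host,
        })
    return rows


def close_wait_by_peer(rows, listen_port="514"):
    """Count CLOSE_WAIT sockets on the receiver port, keyed by sending host."""
    counts = Counter()
    for row in rows:
        if row["state"] == "CLOSE_WAIT" and row["local_port"] == listen_port:
            counts[row["peer_host"]] += 1
    return counts


def peers_over_threshold(counts, threshold):
    """Peers whose CLOSE_WAIT backlog reached the threshold, worst first."""
    hits = [(host, n) for host, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    counts = close_wait_by_peer(parse_socket_table(SAMPLE_SS_OUTPUT))
    for host, n in peers_over_threshold(counts, threshold=3):
        print(f"{host}: {n} CLOSE_WAIT sockets on port 514")
```

A CLOSE_WAIT socket on the receiving side means the sender has already hung up and the local daemon has not yet closed its end, so every one of them still holds a file descriptor; the per-peer count identifies which appliances are churning connections. Run this from a cron job against the live `ss -tan` output and raise an alert when a peer crosses the threshold, well before the FD limit is reached.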
Now installing and testing with Websense 8.1
Will update this package should there be any changes.
Our planned Websense 8.1 install will implement:
1. The CEF syslog UDP parser FlexConnector as described in this post
2. A new (for us) SNMP Smart/Flex to get Websense's alerts (e.g. subscription expired, Log space full, master database download failed)
I also noticed that Websense has ignored all feature requests made to improve CEF implementation, including support of syslog for system alerts, instead of supporting only SNMP and emails.
Anyone got the SNMP part working for system alerts?
Also a Websense customer here. Don't expect much out of feature requests. If you aren't a large enough company they just kind of ignore them.
Actually we just hit a major snag: in Websense 8.1 SIEM integration, the function that allows sending syslog messages to ArcSight is still there, but we cannot get a single message out of the Triton server. No error messages either.
Are you on 8.1? Anyone else got through Websense 8.1?
We run 7.8.4 in our prod environment and 8.0 in a test. Are you trying to use the SIEM Integration menu in Triton to configure?
If so, we have never had success with that in the past. We use syslog straight from each appliance for the web traffic portion.
The only thing extra we had to do was write a custom flex to parse the categories. The rest worked with no issues.
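Both the original post (map.0.properties, where numeric category ids are mapped to names and where categories 220 to 228 were added) and the reply above (a custom flex written to parse the categories) come down to the same step: read the category id out of each CEF event and resolve it against a properties-style lookup table. The following is an added example, not the author's connector files and not Websense's documented output format: the map excerpt and the CEF line are constructed, the category names are placeholders, and the choice of `cs1` as the field carrying the category id is an assumption made for the example.

```python
"""Resolve numeric category ids in CEF syslog events via a map.properties
style lookup.  Added example; the map and the event below are constructed."""
import re

# Constructed map.properties excerpt. Ids and names are placeholders and
# do not reproduce Websense's real category table.
MAP_PROPERTIES = """\
# category id = display name (constructed sample)
201=Sample Category 201
220=Sample Category 220
221=Sample Category 221
"""

# Constructed CEF event. Carrying the category id in cs1 is an assumption
# for this example, not documented Websense behaviour.
SAMPLE_CEF = (
    "CEF:0|Websense|Security|7.7.3|101|Transaction permitted|3|"
    "act=permitted src=10.0.0.12 dhost=www.example.com "
    "cs1Label=Category cs1=220 requestMethod=GET"
)

_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity"]
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs until the next " key=" or end of line and
# may contain backslash-escaped characters.
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")


def load_category_map(text):
    """Parse 'id=name' lines; blank lines and '#'/'!' comments are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            mapping[key.strip()] = value.strip()
    return mapping


def parse_cef(line):
    """Split a CEF line into (header dict, extension dict)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    header = {name: part.replace("\\|", "|")
              for name, part in zip(_HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    extension = {}
    for key, value in _EXT_KV.findall(parts[7]):
        extension[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, extension


def categorize(line, category_map, field="cs1"):
    """Attach the category name to an event; unknown ids are reported, not dropped."""
    _header, ext = parse_cef(line)
    cat_id = ext.get(field)
    return {
        "id": cat_id,
        "name": category_map.get(cat_id, f"Unknown category ({cat_id})"),
        "action": ext.get("act"),
        "host": ext.get("dhost"),
    }


if __name__ == "__main__":
    cmap = load_category_map(MAP_PROPERTIES)
    print(categorize(SAMPLE_CEF, cmap))
```

Keeping the unknown-id branch explicit matters operationally: when the vendor adds categories (as happened with 220 to 228 above), events for the new ids keep flowing and are visibly labelled as unmapped, which is the signal to update the map rather than a silent gap in the SIEM.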
We were on 7.8.x in the past and using the SIEM integration menu in Triton.
Never had a problem, all was good until we installed new appliances with 8.1 and went into a pilot..
The config for the SIEM was unchanged so we thought it was a no-brainer.
We thought we had a smoking gun with this:
But no, the multiplexer was installed and running.
We are waiting on Websense support about this issue. Will post results here.
What config/file do you have to change to get the audit directly from each appliance without going through the SIEM integration menu?