jack (Absent Member)

SourceFire - lack of certain events in the ESM

I have the latest connector for Sourcefire. Some events are visible in eStreamer but not in ESM. What may be the problem?

chrisb1 (Established Member)

Re: SourceFire - lack of certain events in the ESM

Have you verified there are no filter-out filters in place on the connector? If so, check the error logs for the connector for any WARN or ERROR messages. There may be something funky in the events that's making the connector malfunction.

Volker Michels (Acclaimed Contributor)

Re: SourceFire - lack of certain events in the ESM

Hello,

We saw something similar between ESM 4.5.1 and 5.2.0; in ESM 5 we suddenly saw more events than in 4.5.1.

Which version do you have?

Volker

jack (Absent Member)

Re: SourceFire - lack of certain events in the ESM

We have 4.5.1 ESM.

Do you think that the fault is in ESM?

Jack

Volker Michels (Acclaimed Contributor)

Re: SourceFire - lack of certain events in the ESM

Hello,

I can't really prove my statement, but this is what we saw / see in our environment: we definitely have more Sourcefire events in the ESM 5 version. Maybe it has something to do with the database table model.

Volker

Loxmo (Established Member)

Re: SourceFire - lack of certain events in the ESM

I just became aware that we have the same situation, and am beginning to investigate.

ESM 5.2, and eStreamer connector 5.2.3.6281.0.

Initial thought is that certain SourceFire signatures/events are not understood by the connector.

I'm seeing these events in the connector logs:

[2012-09-13 02:03:44,258][WARN ][default.com.arcsight.agent.sourcefire.api.field.BlobDataBlockParser][parse] Invalid data block type is found.  Expected RNA_DATABLOCK_BLOB and found 1

Jack (or anyone else): if you solved your issue, LET ME KNOW!

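The two troubleshooting steps in this thread (chrisb1's advice to grep the connector logs for WARN and ERROR, and the BlobDataBlockParser warning Loxmo quoted above) can be turned into a small log triage script. The following is an added example, not code from the thread, from ArcSight or from Sourcefire. It assumes the connector log uses the `[timestamp][LEVEL][logger][method] message` line shape visible in the quoted line (the ArcSight connector log file is normally `current/logs/agent.log`, which is an assumption here, not something the thread states). The sample log is constructed for the example: only the BlobDataBlockParser line is taken from the post, the other lines are made up to exercise the counters.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Line shape inferred from the WARN line quoted in the thread (assumption):
# [2012-09-13 02:03:44,258][WARN ][default...BlobDataBlockParser][parse] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]"          # timestamp
    r"\[(?P<level>[A-Z]+)\s*\]"     # level, padded with spaces ("WARN ")
    r"\[(?P<logger>[^\]]+)\]"       # logger class
    r"\[(?P<method>[^\]]+)\]\s*"    # method name
    r"(?P<msg>.*)$"                 # free-text message
)

# Message shape of the parser warning quoted in the thread.
BLOCK_MISMATCH_RE = re.compile(
    r"Invalid data block type is found\.\s+Expected (?P<expected>\S+) and found (?P<found>\S+)"
)

# Constructed sample log: line 2 is the one from the thread, the rest are made up.
SAMPLE_LOG = """\
[2012-09-13 02:03:40,001][INFO ][default.com.arcsight.agent.sourcefire.SourcefireAgent][start] Connector started (constructed line)
[2012-09-13 02:03:44,258][WARN ][default.com.arcsight.agent.sourcefire.api.field.BlobDataBlockParser][parse] Invalid data block type is found.  Expected RNA_DATABLOCK_BLOB and found 1
[2012-09-13 02:03:44,301][WARN ][default.com.arcsight.agent.sourcefire.api.field.BlobDataBlockParser][parse] Invalid data block type is found.  Expected RNA_DATABLOCK_BLOB and found 1
[2012-09-13 02:03:45,000][ERROR][default.com.arcsight.agent.sourcefire.EStreamerClient][read] Connection reset by peer (constructed line)
not a log line at all (constructed garbage)
"""


@dataclass
class Entry:
    ts: str
    level: str
    logger: str
    method: str
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one connector log line; return None if it does not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(**m.groupdict())


def triage(lines: Iterable[str]) -> dict:
    """Count lines per level, WARN/ERROR lines per logger class, and
    'Expected X and found Y' block-type mismatches (expected, found) pairs."""
    by_level: Counter = Counter()
    by_logger: Counter = Counter()
    mismatches: Counter = Counter()
    unparsed = 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            if line.strip():
                unparsed += 1
            continue
        by_level[e.level] += 1
        if e.level in ("WARN", "ERROR"):
            # Keep only the class name so the report stays readable.
            by_logger[(e.level, e.logger.rsplit(".", 1)[-1])] += 1
        m = BLOCK_MISMATCH_RE.search(e.msg)
        if m:
            mismatches[(m["expected"], m["found"])] += 1
    return {
        "by_level": by_level,
        "by_logger": by_logger,
        "mismatches": mismatches,
        "unparsed": unparsed,
    }


def report(result: dict) -> str:
    """Render the triage result as plain text, one finding per line."""
    out = [f"{lvl}: {n}" for lvl, n in sorted(result["by_level"].items())]
    for (lvl, cls), n in sorted(result["by_logger"].items()):
        out.append(f"{lvl} from {cls}: {n}")
    for (exp, found), n in sorted(result["mismatches"].items()):
        out.append(f"block type mismatch expected={exp} found={found}: {n}")
    out.append(f"unparsed lines: {result['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```

Run it against a real `agent.log` by replacing `SAMPLE_LOG.splitlines()` with the file's lines. A high count of one `(expected, found)` pair from the same parser, as Loxmo saw, points at a record type the connector does not understand (and so silently drops) rather than at a filter on the connector or at ESM itself.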
jack (Absent Member)

Re: SourceFire - lack of certain events in the ESM

Hi,

We still have the problem, despite the fact that we already have version 5.1.

Jack

pyabut (Absent Member)

Re: SourceFire - lack of certain events in the ESM

Same problem here. This is what I received from Sourcefire support today:

"I have found that ArcSight is not compatible with Sourcefire's version 5.1.0.2 or above. This is due to an inability for ArcSight to "bundle messages".

We are told that ArcSight will not be supporting this version of our software.

You will either need to revert to an earlier version of our software or you will need to find another way to retrieve this data through another SIEM"

Can anybody confirm this on the ArcSight side?

Thanks,

Paolo

Loxmo (Established Member)

Re: SourceFire - lack of certain events in the ESM

After getting nowhere, enough time passed that I tried an updated connector.

Version 6.0.4.6719.0 works great!

DL
