Volker Michels

Sourcefire Management Console eStreamer

Hello ArcSight Community,

we are getting events from Sourcefire via a super connector from another ESM installation and I have two questions on this topic because I was not able to find the right information:

1. Payload

Does someone have experience if it is possible to get the payload via the super connector or do we have to use the Sourcefire smart connector?

2. Signature Lookup

I'm trying to find out how to make a signature lookup for Sourcefire events.

I know that we have to use the Device Event Class ID but the format is like [1:326] and if I search on the Snort page the link looks like: http://www.snort.org/search/sid/326 (that was the only thing I found).

Thanks in advance, Volker


Accepted Solutions
Todd

Re: Sourcefire Management Console eStreamer

Here are some answers to your questions:

1)  Yes, the Sourcefire connector is required to do payload lookups.  There is also an option from the Sourcefire connector to send the payload with each event.  We use this and have found it effective to create reports for certain events since I can search through and extract from the payload information such as the domain a botnet tried to connect to.  If you send the payload from the Sourcefire connector to the manager then the super connector should be able to forward this to another system as it is just contained in DeviceCustomString1.

2)  We have been using the following URL for sig lookups.  I pass the Device Event Class ID to a script which pulls out the proper format and forwards it to a URL request:

http://snortid.com/snortid.asp?QueryId=

UPDATE:

On our 4.0 system I had to use a script to properly format the request for this URL, however, on our 5.0 system I am using an integration command to call the following:

http://snortid.com/snortid.asp?QueryId=${deviceEventClassId}

Volker Michels

Re: Sourcefire Management Console eStreamer

Hello Todd,

many thanks for the fast response; these are the answers I expected and they will help us with further steps.

Volker

Volker Michels

Re: Sourcefire Management Console eStreamer

Hello,

I can confirm that the integration command

http://snortid.com/snortid.asp?QueryId=${deviceEventClassId}

also works for 4.5 SP1

Volker

DeniseSwilley

Re: Sourcefire Management Console eStreamer

This also works for the reference pages.  Vi the file $ARCSIGHTHOME/config/server/agentURLMapping.csv with the following...

sourcefire,sourcefire_management_console_estreamer,http://snortid.com/snortid.asp?QueryId=$deviceEventClassId

You don't need all the indexing and such because even if you enter the [ xxxxx ] it will work the same.

D

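Both the accepted answer and the reference-page mapping above interpolate the raw deviceEventClassId into a lookup URL; Todd needed a script on 4.0 to get the id into the proper format, and Denise notes that the bracketed "[ xxxxx ]" form is accepted as-is. The following is an added example, not code from any poster or from ArcSight, showing a small validating parser for the "[gid:sid]" field and the two lookup URLs mentioned in the thread; the sample field values are constructed, and passing a normalized "gid:sid" as QueryId is an assumption about what snortid.com tolerates.

```python
import re

# gid:sid with an optional :rev, optionally wrapped in brackets with stray spaces,
# e.g. "[1:326]", "1:326", "[ 1:326 ]", "[1:326:11]".
_SNORT_ID_RE = re.compile(r"^\s*\[?\s*(\d+)\s*:\s*(\d+)(?:\s*:\s*(\d+))?\s*\]?\s*$")


def parse_device_event_class_id(value):
    """Return (gid, sid, rev) from an ArcSight deviceEventClassId as emitted for
    Sourcefire/Snort intrusion events. rev is None when the field is only gid:sid.
    Anything that is not purely numeric gid:sid[:rev] raises ValueError, so a
    malformed field value is never spliced into a URL."""
    m = _SNORT_ID_RE.match(value)
    if not m:
        raise ValueError(f"not a Snort gid:sid id: {value!r}")
    gid, sid, rev = m.groups()
    return int(gid), int(sid), (int(rev) if rev is not None else None)


def snort_org_url(value):
    """Lookup URL in the form shown in the question (SID only)."""
    _gid, sid, _rev = parse_device_event_class_id(value)
    return f"http://www.snort.org/search/sid/{sid}"


def snortid_url(value):
    """Lookup URL in the form used in the accepted answer. The validated gid:sid is
    passed instead of the raw bracketed field (assumption: snortid.com accepts it)."""
    gid, sid, _rev = parse_device_event_class_id(value)
    return f"http://snortid.com/snortid.asp?QueryId={gid}:{sid}"


def lookup_urls(value):
    """Both lookup URLs for one event, or None when the field is not a Snort id
    (for example a Sourcefire event that is not an intrusion event)."""
    try:
        return {"snort.org": snort_org_url(value), "snortid.com": snortid_url(value)}
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample field values, not taken from a real console.
    for sample in ["[1:326]", "[ 1:326 ]", "1:326:11", "[3:19187]", "not-an-id"]:
        print(f"{sample!r:16} -> {lookup_urls(sample)}")
```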