
Is Sentinel able to receive traffic via SMTP?


Hi all,

I would like to ask whether Sentinel is able to receive raw logs/email from
security device(s) via SMTP. For example, instead of the security device(s)
being configured to send logging to Sentinel via syslog/SNMP, we configure
the security device(s) to send alerts/logging/email via SMTP to Sentinel.
Once an alert is triggered by a security device, it sends an email to
Sentinel and Sentinel starts to parse/decode it, *or* we open port 25 on
the Sentinel server to listen for any SMTP traffic.

My question here is: will Sentinel be able to receive/parse/decode the
traffic from SMTP, or is there any connector/collector event source for
SMTP (generic, as the email format can vary), or is there another module in
Sentinel that can cater for this situation? Is there any workaround for
this situation? I have experience with another SIEM that is able to do
this.

security device <--email/port 25 (SMTP)-->
Sentinel <--parse/decode--> trigger alert

*security device(s): firewall, IDS, IPS, ...

Thanks


--
hareez_12
------------------------------------------------------------------------
hareez_12's Profile: https://forums.netiq.com/member.php?userid=10292
View this thread: https://forums.netiq.com/showthread.php?t=54113

Knowledge Partner

Re: Is Sentinel able to receive traffic via SMTP?

There is no SMTP connector, but there is a Process connector that you
could use to run something that listens for data via TCP 25 (or whatever
port), and then you could use that data with a collector meant to handle
SMTP. Probably far easier, you could have Postfix (or another
SMTP-capable service) listen for traffic, then configure it to write all
of the received data to one or more files, and then consume those with
something like the File or Process connector.

One of the strengths of Sentinel is that there are connectors that
basically let you do anything. Creating a connector specifically for
every conceivable protocol is not done, though; I've never worked with a
security device that ONLY integrated via SMTP, so it may be worth
investigating whether it supports something more standard for security
events, like sending them out via syslog, or writing them to a file, or
similar.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
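The listener ab describes, as an added example that is not part of the original post and is not Sentinel's own code: a small Python SMTP sink of the kind you could run under the Process connector, or leave writing a spool file that the File connector tails. It implements just enough of RFC 5321 (EHLO, MAIL, RCPT, DATA with dot-unstuffing, QUIT) to accept a device's alert mail, flattens each message into one JSON line, and records the connecting address, because plain SMTP carries no authentication and anyone who can reach the port can inject "alerts". The spool path, host name and the sample firewall dialogue are constructed assumptions.

```python
# Added example, not Sentinel code: SMTP sink -> JSON spool. SPOOL, host name and sample are assumed.
import email
import json
import socketserver
from email import policy
from pathlib import Path

SPOOL = Path("/var/spool/smtp-sink/events.jsonl")  # assumed; point the File connector here


class SmtpSession:
    """RFC 5321 command subset needed to accept a message. feed() takes one CRLF-terminated
    client line and returns (reply, raw_message); reply is empty while the body is being
    collected, raw_message is set only when the terminating "." line arrives."""

    def __init__(self, hostname=b"sentinel.example"):
        self.hostname, self.in_data = hostname, False
        self.sender, self.rcpts, self.body = None, [], []

    def greeting(self):
        return b"220 " + self.hostname + b" ESMTP sink\r\n"

    def feed(self, line):
        if self.in_data:
            if line.rstrip(b"\r\n") == b".":
                self.in_data, raw = False, b"".join(self.body)
                self.sender, self.rcpts, self.body = None, [], []
                return b"250 2.0.0 queued\r\n", raw
            # Undo dot-stuffing: a leading ".." is a literal "." (RFC 5321 section 4.5.2).
            self.body.append(line[1:] if line.startswith(b"..") else line)
            return b"", None
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO"):
            return b"250 " + self.hostname + b"\r\n", None
        if verb == b"MAIL":
            self.sender = arg
            return b"250 2.1.0 ok\r\n", None
        if verb == b"RCPT":
            if self.sender is None:
                return b"503 5.5.1 MAIL first\r\n", None
            self.rcpts.append(arg)
            return b"250 2.1.5 ok\r\n", None
        if verb == b"DATA":
            if not self.rcpts:
                return b"503 5.5.1 RCPT first\r\n", None
            self.in_data = True
            return b"354 end data with <CRLF>.<CRLF>\r\n", None
        if verb == b"QUIT":
            return b"221 2.0.0 bye\r\n", None
        return b"502 5.5.2 command not implemented\r\n", None


def message_to_event(raw, peer="unknown"):
    """Flatten one received message into the flat record the collector parses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return {
        "peer": peer,  # connecting address; SMTP has no auth, so filter on this upstream
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "body": "\n".join(text.splitlines()).strip(),
    }


def write_event(event, spool=SPOOL):
    """Append one JSON line to the spool file a file-tailing connector consumes."""
    spool.parent.mkdir(parents=True, exist_ok=True)
    with spool.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")


def run_dialogue(client_lines, peer="198.51.100.7"):
    """Drive a session from an in-memory script (no socket); returns (replies, events)."""
    session, events = SmtpSession(), []
    replies = [session.greeting()]
    for line in client_lines:
        reply, raw = session.feed(line)
        if raw is not None:
            events.append(message_to_event(raw, peer))
        if reply:
            replies.append(reply)
    return replies, events


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):  # one TCP connection; every accepted message goes to SPOOL
        session = SmtpSession()
        self.wfile.write(session.greeting())
        for line in self.rfile:
            reply, raw = session.feed(line)
            if raw is not None:
                write_event(message_to_event(raw, self.client_address[0]))
            if reply:
                self.wfile.write(reply)


SAMPLE_DIALOGUE = [  # constructed: what a firewall's "email alert" feature sends
    b"EHLO fw01.example\r\n",
    b"MAIL FROM:<alerts@fw01.example>\r\n",
    b"RCPT TO:<sentinel@sentinel.example>\r\n",
    b"DATA\r\n",
    b"From: alerts@fw01.example\r\n",
    b"Subject: IPS alert: port scan\r\n",
    b"\r\n",
    b"src=203.0.113.5 dst=192.0.2.10 action=deny\r\n",
    b"..dot-stuffed line\r\n",
    b".\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":  # unprivileged port; redirect 25 to it or front it with Postfix
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), SinkHandler) as srv:
        srv.serve_forever()
```

run_dialogue() exercises the state machine against the constructed sample without opening a socket, which is also how you would unit-test the parsing before pointing a real device at it. Whichever way you deploy it, restrict the listener (host firewall or Postfix's client restrictions) to the devices' addresses, since nothing in the protocol itself stops a host on the network from mailing in fabricated events.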

Re: Is Sentinel able to receive traffic via SMTP?


ab;260080 Wrote:
> There is no SMTP connector, but there is a Process connector that you
> could use to run something that listens for data via TCP 25 (or whatever
> port) and then you could use those data with a collector meant to handle
> SMTP. [...]


Dear ab,

OK, thanks for the feedback; I will give the Process connector a shot.

Thanks


--
hareez_12
