SourceFire Defense Center Security Intelligence Events to External Syslog server

Hi,
I want to forward Security Intelligence Events to a syslog server. Is it possible to do this from a Virtual Defense Center?
I also wanted to forward system logs to a syslog server, but it seems you can't forward those to a syslog server. Also, how do you access Sourcefire Series 3 managed appliances via SCP? If anyone knows how to do it, kindly let me know.

Thanks for the help.
I have set up sending email and syslog messages from the RME applications. The LMS server immediately started to send messages to the email server, but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions, except that the name of the first script (syslog_forward.pl) was made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
Sincerely.

Similar Messages

  • Cisco ISE and external syslog server

    Hi Security Experts,
    We are starting to deploy Cisco ISE (Identity Services Engine) in our network. We have allocated 250GB of space for the (Admin+Monitor) ISE node.
    I want to know if we can send the logs from monitoring node to external syslog server after a defined time interval.
    For example, logs which are more than 10 days old should be sent to external syslog server. So basically our monitoring node will have logs which are at the max 9 days old. Is it possible? Could you point me to some doc which explains configuration of the same?
    Thanks,
    Kashish

    No, this isn't possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
    Tarik Admani
    *Please rate helpful posts*

  • Is it possible to configure AIP-SSM sensor to forward events to a syslog server

    I have found documentation that describes how to configure SNMP and e-mail notifications using IME, but can't seem to find anything pertaining to syslog.  Any suggestions would be greatly appreciated.  Thanks.

    The sensor OS does not support sending syslog messages.
    You are limited to sending events via SDEE, SNMP and Email (as you have already discovered in your reading).
    - Bob

  • Tenable Security Center connector for Defense Center

    I am trying to use the Tenable Security Center connector to provide vulnerability data to our Defense Center.
    I am trying to use it on a CentOS 6.5 host. All the requisite Perl modules are installed.
    When trying to run the script it gives these results:
    # ./SecurityCenter.pl -server XXX.XXX.XXX.XXX
    Error loading plugin 'SecurityCenter': Type of arg 1 to keys must be hash (not hash element) at InputPlugins/SecurityCenter.pm line 383, near "})"
    Type of arg 1 to keys must be hash (not hash element) at InputPlugins/SecurityCenter.pm line 384, near "})"
    Type of arg 1 to keys must be hash (not hash element) at InputPlugins/SecurityCenter.pm line 385, near "})"
    Compilation failed in require at (eval 26) line 1.
    The instructions do not indicate that SecurityCenter.pm is supposed to be altered in any way, so I'm not sure how to approach this.

    Thanks for the hint - my script would not run either until I made the above changes. Now I have another, possibly related, problem. I have access to vulnerability data for thousands of systems in Security Center, however only a few hundred systems are getting imported into SourceFire.
    After the script runs, it prints the line "SecurityCenter JSON Vulnerability Request Identified 3,717 unique vulnerabilities on 345 systems". I traced that statement to this:
    scalar keys(%{vulns})
    I'm assuming the keys are the individual systems?
    Has anyone run into this problem?
    EDIT:  I get two [INFO] messages when running the script.
    -- Use of uninitialized value $ceiling in numeric gt (>) at InputPlugins/SecurityCenter.pm line 310.
    -- Use of uninitialized value in length at SFHostInputAgent.pm line 439.

  • SourceFire - Adding a License to the Defense Center v 4.10

    1. Using Defense center Web portal login with Admin access
    2. Select Operations > System Settings, Click Add New License. The Add License page appears.
    3. Copy the license from the email, paste it into the License field, and click Submit License.
    -- DD (Sourcefire Acquisition Business Analyst)

    v4.10 will not be available on Cisco global pricelist.
    -Merv Reyes
    Licensing PM

  • SourceFire - Adding a License to the Defense Center

    To add a license: 
    1. Using Defense center Web portal login with Admin access
    2. Select System > Licenses, Click Add New License. The Add License page appears.
    3. Copy the license from the email, paste it into the License field, and click Submit License. 
    -- DD (Sourcefire Acquisition Business Analyst)

    What's messed up is that they don't tell you that you can't paste in the whole thing.
    You only paste in the text from the "beginning of the Block to the last ==" at the end of the block.
    Trying to paste it all in as you might do in other Cisco licenses will give an error.
    Hope this helps.

  • Sourcefire - How can I look up all installed licenses from a Defense Center

    I need to know how I can lookup all installed licenses from a Defense Center.

    Hi Merv,
    Please find the steps in the recording.
    Streaming recording link:
    https://cisco.webex.com/cisco/ldr.php?RCID=314b3eef8b9ee7be3039f73ff844d04d
    Download recording link:
    https://cisco.webex.com/cisco/lsr.php?RCID=3a66d50b27425e7ea51ac0754e210902

  • Checking blacklist IP in Security Intelligence Feed

    Hi Everyone,
    I read that the Security Intelligence Feed downloads IPs that have a bad reputation from the Sourcefire cloud.
    But when I click on Security Intelligence feeds I see no IP addresses.
    Can anyone please tell me where I can find the blacklisted IPs?
    Regards
    Mahesh

    The security intelligence data is considered proprietary and so the content of those lists is not made public.

  • All Day Events not appearing in the Notification Center in iOS 7

    I wanted to know if others were having difficulties getting All Day Events appear in the Notification Center in iOS 7.
    Currently my Calendar in the notification center will show events that are at certain times, but they will not display All Day Events.

    Have you looked at the previous discussions listed on the right side of this page under the heading "More Like This"?

  • Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

    I know that the security audit events and classes in Solaris 10 have changed when comparing these files: audit_class, audit_event, and audit_control, with the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or to a URL? I have tried to search through the Sun docs and have not found any results.

    been there, done that
    The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
    To confirm this, log in to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (Combine this with a look at your output for "ifconfig -a" within the same non-global zones.) Another command that should fail for you is "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the IP address of the globalzonename and execute a "dtterm" ... it should work fine.
    If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.

  • Security Monitor Events display incorrect time

    I have a time issue between a 4240 sensor (5.0) and Security Monitor (2.1). The events in the sensor are correct but 7 hours off in Security Monitor, even though the VMS server understands the correct time (knows there are events in the last hour) but will not display them. After doing some research, it looks as though we needed to load CSCOids2.1.0-sol_SecMon_2_1_Service_Pack_1-6.tar, right? Well I did, ran the perl script, and everything was successful. CiscoWorks shows the patch as being applied. I reloaded VMS and the sensor, and still I have what seems like a UTC problem (UTC offset always = 0 yet time zone = Arizona). Any suggestions?
    Thanks!

    Is the correct offset configured on the sensor?
    Execute "show conf" and verify the value for the timezone offset. Remember that this is in minutes and not hours. If the timezone difference is 7 hours, then the value on the sensor should be 7 hours * 60 minutes = 420 minutes.
    Also use "show events" on the sensor to look at a few alerts on the sensor itself. It will report both the UTC/GMT time and the Local time. Verify that the offset between the 2 is correct on the sensor. (be sure to account for summertime/daylight savings time)

  • PS2010 Report Center Security (subscribe to a report)

    I don't see where I can manipulate the Report Center security, but I've noticed that people with the "Team Member" role cannot subscribe to reports. (Actions > Subscribe)  The option is grayed out.
    Any ideas?

    Kevin,
    1) The "Subscribe" option is only available if you are talking about SSRS Reports.
    2) Standard BI Center in PS2010 does not come with SSRS reports. So I am presuming you have Reporting Services implemented in SharePoint Integrated Mode.
    In this scenario, the Team Members group (Microsoft Project Server) is mapped to the SharePoint group Readers (Microsoft Project Server), which is why they cannot create subscriptions. The only way I see out of this is to break the inheritance of permissions of BI Center from PWA and add users manually at least at Contribute level, if you really need the self-subscription option. Alternatively, you could just set up a subscription as an admin for the users, I believe.
    Prasanna Adavi, PMP, MCTS, MCITP, MCT  Twitter: @prasannaadavi  Blog: http://www.prasannaadavi.com

  • Flash Player 11.7.700.224 and Total Defense Internet Security Suite

    I'm using flash player 11.7.700.224.  I've uninstalled it (there were no old versions) and reinstalled it many times.  Movies won't load in YouTube unless I put https in front of the address.  I've done everything Adobe suggests doing with caches, etc.  Also, Internet Explorer 10 keeps crashing when I try to use it.  I've read in one place that the problem is with Total Defense Internet Security Suite (version 7).  Anyone have any suggestions?

    When I did what you suggested, the videos start to load -- I see about 3 seconds or so and then I get a "video player error" message on a black screen.  I tried 5 different videos with the same result; some played a few seconds longer than the others.  I also upgraded to Firefox 22, but that seemed to have no effect on anything with this.

  • How to write to windows event logs from determinations-server under IIS

    This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
    To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
    <appSettings>
      <!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
           Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
           http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
      <add key="log4net.Internal.Debug" value="true"/>
    </appSettings>
    <system.diagnostics>
      <trace autoflush="true">
        <listeners>
          <add
            name="textWriterTraceListener"
            type="System.Diagnostics.TextWriterTraceListener"
            initializeData="logs/InfoDSLog.txt" />
        </listeners>
      </trace>
    </system.diagnostics>
    To add an appender for the windows event viewer, try the following in the log4net.xml:
    <appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
      <param name="ApplicationName" value="OPA" />
      <param name="LogName" value="OPA" />
      <param name="Threshold" value="all" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
      </layout>
      <filter type="log4net.Filter.LevelRangeFilter">
        <levelMin value="WARN" />
        <levelMax value="FATAL" />
      </filter>
    </appender>
    <root>
      <level value="warn"/>
      <appender-ref ref="EventLogAppender"/>
    </root>
    To put the OPA logs under the Application Event Log group, try this:
    Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    4.     Right-click the Application subkey, point to New, and then click Key.
    5.     Type OPA for the key name.
    6.     Close Registry Editor.
    To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
    Create an event log in Registry Editor. To do this, follow these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4.     Right-click the eventlog subkey, point to New, and then click Key.
    5.     Type OPA for the key name.
    6.     Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
    7.     The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
    8.     Right-click the OPA subkey, point to New, and then click Key.
    9.     Type OPA for the key name.
    10.     Close Registry Editor.
    You might need to change permissions so OPA can write to the event log in Registry Editor.  If you get permission errors, try following these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4.     Right-click the EventLog key, select Permissions.
    5.     In the dialog that pops up, click Add...
    6.     Click Advanced...
    7.     Click Locations... and select the current machine by name.
    8.     Click Find Now
    9.     Select both the Network user and the IIS_IUSRS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
    10.     Change the Network user to have Full Control
    11.     Click Apply and OK
    To verify OPA Logging to the windows event logs from Determinations-Server:
    Go to the IIS determinations-server application within Server Manager.
    Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that shows the wsdl endpoints.
    Select the /determinations-server/server/soap.asmx?wsdl link
    Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
    ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
    That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
    Edited by: Paul Fowler on Feb 21, 2013 9:45 AM
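    The steps above can be scripted instead of walked through in Registry Editor. The following PowerShell script is an added example and is not part of Paul's post or of OPA; it assumes the log name and source are both "OPA" (matching the appender's LogName and ApplicationName above), and the application pool identity shown is a placeholder for whatever identity the determinations-server pool actually runs as. Pre-creating the log and source from an elevated session is the main point: log4net's EventLogAppender tries to create a missing source itself, which needs registry write access the worker process normally lacks, and most of the permission errors described above come from that. The post's MaxSize of "1400000" is what regedit displays in hexadecimal, i.e. 0x1400000 = 20971520 bytes = 20 MiB, which Limit-EventLog sets directly. The registry ACL step at the end is an assumption: it grants the pool identity a narrower set of rights on just the OPA log key, as an alternative to Full Control on the whole Eventlog key, and is only needed if permission errors persist after the source exists.

```powershell
# Added example: create the custom "OPA" event log and source, cap its size, and
# write a test entry, so the log4net EventLogAppender above has a working target.
# Run from an elevated PowerShell session on the IIS host.

$LogName      = 'OPA'                          # matches <param name="LogName"> in the appender
$Source       = 'OPA'                          # matches <param name="ApplicationName"> in the appender
$PoolIdentity = 'IIS APPPOOL\DefaultAppPool'   # PLACEHOLDER: use the determinations-server pool identity

# 1. Register the source under a custom log if it is not already registered anywhere.
#    A source can belong to only one log, so an existing registration is left alone.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 2. Cap the log at 20 MiB (the post's hex MaxSize 0x1400000) and overwrite old entries
#    rather than stopping logging when the log fills up.
Limit-EventLog -LogName $LogName -MaximumSize 20MB -OverflowAction OverwriteAsNeeded

# 3. (Assumed narrowest fix, only if permission errors persist.) Let the pool identity
#    read the OPA log key and write values/subkeys beneath it, instead of granting
#    Full Control on HKLM\SYSTEM\CurrentControlSet\Services\Eventlog as a whole.
$logKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
$acl    = Get-Acl -Path $logKey
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $PoolIdentity,
    'ReadKey, SetValue, CreateSubKey',      # no Delete, no ChangePermissions, no TakeOwnership
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logKey -AclObject $acl

# 4. Write a constructed test entry at WARN level (the appender's LevelRangeFilter floor)
#    and read it back, confirming the log and source are usable before involving IIS.
Write-EventLog -LogName $LogName -Source $Source -EntryType Warning -EventId 1000 `
    -Message 'log4net EventLogAppender smoke test (constructed entry, not an OPA error)'
Get-EventLog -LogName $LogName -Newest 1 |
    Format-List TimeGenerated, Source, EntryType, EventID, Message
```

    After the script runs, the verification step from the post (requesting soap.asmx without "?wsdl") should produce the DSServlet error in the OPA log; if it still lands only in logs/InfoDSLog.txt with a security message, the pool identity is not the one the script granted rights to.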

    Thanks for sharing this information Paul.

  • Transfer Excel file to external FTP server via PGP

    Hi SDN!
    I have built a scheduled report to generate an Excel file from an internal table and saved it in the database. Now my task is to upload it to an external FTP server of a partner company. The file contains sensitive data and shall be encrypted via PGP.
    How can I upload to an external FTP server and, before that, encrypt the file with PGP? I appreciate any help and look forward to rewarding some great posts.
    Thanks for your help!
    Edited by: Steffen Wieprecht on Aug 7, 2008 1:00 PM

    I found a solution myself, maybe someone is interested:
    I installed WS FTP Professional on a server.
    Onto this server I wrote the files that have to be FTP-uploaded into one specific folder.
    A Perl script in the scheduled tasks of the machine checks if a new file is in the folder and starts the upload.
    In WS FTP the site upload is defined with all PGP keys, so they are stored securely.
    This solution can be used by any programming language that is able to write files into the upload folder.
    Best Regards,
    Steffen
