McAfee Enterprise Security Manager
Data Source Configuration Guide
Data Source:
McAfee Network Security Manager
October 5, 2016
The information contained in this document is confidential and proprietary.
Please do not redistribute without permission.
McAfee Network Security Manager
Page 1 of 19
Table of Contents
1 Introduction ... 3
2 Prerequisites ... 3
3 Differences in Configuration Options ... 3
4 McAfee Network Security Manager Configuration ... 4
4.1 NSM 8.x Syslog Configuration ... 4
4.1.1 Firewall Access Events ... 4
4.1.2 Quarantine Access Events ... 4
4.1.3 IPS Event ... 4
4.1.4 Faults > Syslog ... 4
4.1.5 User Activity > Syslog ... 5
4.2 Enable McAfee receiver to connect to the NSM database ... 6
5 McAfee Enterprise Security Manager Configuration ... 7
5.1 Add NSM as a Device within McAfee ESM ... 7
5.2 McAfee ESM Data Source Configuration for Syslog delivery ... 10
5.3 McAfee ESM Data Source Configuration for SQL collection ... 11
6 Syslog Event to McAfee Field Mappings ... 12
6.1 Log Format ... 12
6.2 Log Sample ... 12
6.3 Mappings ... 13
7 SQL Query Event to McAfee Field Mappings ... 14
7.1 Log Format ... 14
7.2 Log Sample ... 14
7.3 Mappings ... 14
8 McAfee Network Security Manager Integration ... 15
8.1 Add an IP address to a Blacklist ... 15
9 Appendix A - Generic Syslog Configuration Details ... 17
10 Appendix B - Troubleshooting ... 19
1 Introduction
McAfee Network Security Manager (NSM) can be added as a Device on McAfee Enterprise
Security Manager (ESM) or as a Data Source on a McAfee Event Receiver. This guide details how
to configure McAfee Network Security Manager 7.1.3.5 and above to integrate with the ESM as a
Device, or to send data in the proper format to the Receiver while added as a Data Source via
syslog or SQL Pull. This guide also covers initiating Quarantine (Blacklist) Actions from within
ESM.
2 Prerequisites
- McAfee Network Security Manager 7.1.3.5 and above.
- For adding NSM as a Data Source via syslog, McAfee Enterprise Security Manager Version 9.1.0 and above.
- For adding NSM as a Data Source via SQL Pull, or adding as a Device, McAfee Enterprise Security Manager Version 9.1.2 and above.
In order to configure each device, appropriate administrative level access is required to perform
the necessary changes documented below.
3 Differences in Configuration Options
Additional ESM features are available when Network Security Manager is configured as a device
in the ESM. The following table lists the major differences in features available for each
configuration.
NSM connected as a Device | NSM connected as a Data Source (Syslog/SQL)
NSM listed in the ESM device tree as a device. | NSM listed in the ESM device tree as a data source.
Examine IPS policies directly from within ESM. | N/A
Initiate Quarantine (Blacklist) Actions directly, or as an Automated Response to a security event. | N/A
Additional views included to assist with NSM events. | N/A
IPS sensors and associated interfaces are listed as child data sources under the NSM device. | N/A
4 McAfee Network Security Manager Configuration
4.1 NSM 8.x Syslog Configuration
This step only applies to the Data Source configuration option via syslog. This will be required in
order to enable sending syslog messages to the ESM.
1. Log into the management interface as an administrator.
2. Click on the Manage icon on the dashboard.
3. In the resource tree click on the root node (usually “My Company”).
4. Select Setup > Notification.
4.1.1 Firewall Access Events
a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message:
$SENSOR_NAME$ matched $ALERT_DIRECTION$ ACL rule ($ACL_POLICY$/#$ACL_RULE_NUMBER$) $SOURCE_IP$ -> $DESTINATION_IP$:$DESTINATION_PORT$ ($APPLICATION_PROTOCOL$/$APPLICATION$) = $ACL_ACTION$
4.1.2 Quarantine Access Events
a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
4.1.3 IPS Event
a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message:
$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)
4.1.4 Faults > Syslog
a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message:
Fault : $IV_OWNER_NAME$: $IV_DESCRIPTION$
4.1.5 User Activity > Syslog
a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message:
$IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$
4.2 Enable McAfee receiver to connect to the NSM database
This step applies both to the Device configuration option and to the Data Source option using SQL Pull. The McAfee Receiver requires a MySQL user account on NSM in order to remotely query events. The following steps outline how to create a user account with read-only privileges on the NSM database.
Log in to the NSM MySQL database and create a user that can connect remotely to the NSM from the ESM Receiver. This user must be granted SELECT permission on the database.
Enter the following commands at a command prompt or in a tool such as MySQL Workbench, where ‘user_name’ is the desired username, ‘user_name_password’ is the password for the newly created user, and ‘receiver_ip_address’ is the IP address of the Receiver that will be connecting to the NSM.
- Run the following command to create the user and set the privileges:
GRANT SELECT ON lf.* TO 'user_name'@'receiver_ip_address' IDENTIFIED BY 'user_name_password' WITH GRANT OPTION;
- Run the following command to apply the privilege changes without restarting the MySQL database:
FLUSH PRIVILEGES;
Note that WITH GRANT OPTION allows this account to pass its SELECT privilege on to other accounts; omit the clause if the account is to remain strictly read-only.
Once the user has been created with the correct permissions, you will be able to set up the data source or device on the ESM as shown in the following sections.
5 McAfee Enterprise Security Manager Configuration
5.1 Add NSM as a Device within McAfee ESM
After successfully logging into the McAfee ESM console, follow these steps to add NSM as a
device:
1. In the System Navigation Tree, select the Local ESM node or a group to which you wish to
add the device.
2. Click on the Add Device icon in the Actions Toolbar. The Add Device Wizard opens.
3. Select Network Security Manager (v7.1.3.5 or newer) and click Next. The second dialog of
the Add Device Wizard will open.
4. Enter a name that is unique for this group for the NSM device within the Device Name field
and click Next. The third dialog of the Add Device Wizard opens.
5. Select the Receiver with which this device will be associated.
6. Enter the credentials to log into the NSM device's web interface/API.
7. Click Connect to verify that the ESM is able to communicate with NSM using the given data.
8. If the connection was successful, click Next to continue. The fourth dialog of the Add Device
Wizard opens.
9. Enter the database IP address.
10. Enter the database port number.
11. Enter the database username and password created previously in section 4.2.
12. Enter “lf” into the Database Name field.
13. Click Connect to verify that the ESM is able to communicate with the NSM database.
14. If the connection was successful, click Next. The ESM will test device communication and
report on the status of the connection. You will be able to directly launch the Properties
dialog upon successfully keying the device.
5.2 McAfee ESM Data Source Configuration for Syslog delivery
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the desired McAfee Event Receiver.
2. Click the Properties icon.
3. From the Receiver Properties listing, select Data Sources.
4. Click Add.
OR
1. Select the desired McAfee Event Receiver.
2. Click the Add Data Source icon.
Data Source Screen Settings
1. Data Source Vendor – McAfee
2. Data Source Model – Network Security Manager
3. Data Format – Default
4. Data Retrieval – Default
5. Enabled: Parsing/Logging/SNMP Trap – Parsing
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device.
8. Syslog Relay – None
9. Mask – 32
10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslog – Do nothing
12. Time Zone – Time zone of data being sent.
5.3 McAfee ESM Data Source Configuration for SQL collection
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the desired McAfee Event Receiver.
2. Click the Properties icon.
3. From the Receiver Properties listing, select Data Sources.
4. Click Add.
OR
1. Select the desired McAfee Event Receiver.
2. Click the Add Data Source icon.
Data Source Screen Settings
1. Data Source Vendor – McAfee
2. Data Source Model – Network Security Manager – SQL Pull (ASP)
3. Data Format – Default
4. Data Retrieval – SQL (Default)
5. Enabled: Parsing/Logging/SNMP Trap – Parsing
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device.
8. User Name – <Enter the database username created previously in section 4.2>
9. Password – <Enter the database password created previously in section 4.2>
10. Port – <Default is 3306>
11. Database Name – <Default is lf>
12. Version – <Version of NSM>
Note – Refer to Appendix A for details on the Data Source Screen options.
6 Syslog Event to McAfee Field Mappings
6.1 Log Format
The expected format for this device is as follows:
<SyslogForwarderType>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID|
ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE|
SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY|DIRECTION|
RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|RELEVANCE|
QUARANTINE_END_TIME|MCAFEE_NAC_FORWARDED_STATUS|MCAFEE_NAC_MANAGED_STATUS|
MCAFEE_NAC_ERROR_STATUS|MCAFEE_NAC_ACTION_STATUS|SENSOR_CLUSTER_MEMBER|ALERT_ID|
ATTACK_COUNT|VLAN_ID|LAYER_7_DATA|VLAN_ID|PROTECTION_CATEGORY|SOURCE_VM_NAME|
TARGET_VM_NAME|SOURCE_VM_ESX_NAME|TARGET_VM_ESX_NAME|PROXY_SERVER_IP|
6.2 Log Sample
This is a sample of a log from the Network Security Manager device.
Oct 14 10:24:36 SyslogAlertForwarder: |1234567891234567891|Signature|2014-10-14 10:24:32 EST|"P2P: BitTorrent Meta-Info Retrieving"|0x32c020a0|Medium|catch-most|Low|Exmaple|SENSR600A|3A3B|192.0.2.1|24680|192.0.2.2|42356|PolicyViolation|restrictedapplication|Inbound|Blocked|signature|N/A|udp|
6.3 Mappings
The table below shows the mappings between the data source and McAfee ESM fields.
Log Fields | McAfee ESM Fields
ATTACK_TIME | First Time, Last Time
ATTACK_NAME | Rule Message
ATTACK_ID | Signature ID
ATTACK_SEVERITY | Severity
ADMIN_DOMAIN | Domain
SENSOR_NAME | Host
INTERFACE | Interface
SOURCE_IP | Source IP
SOURCE_PORT | Source Port
DESTINATION_IP | Destination IP
DESTINATION_PORT | Destination Port
CATEGORY | Category
SUB_CATEGORY | Application
DIRECTION | Direction
RESULT_STATUS | Action
NETWORK_PROTOCOL | Protocol
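To show how a forwarder message in the section 6.1 format lands in the ESM fields of the table above, here is an added example (my own code, not McAfee's) that splits one line into the named fields and applies the section 6.3 mapping. It assumes the field order given in 6.1 (the repeated VLAN_ID is kept under VLAN_ID_2), that values are double-quoted as in the 6.2 sample, and that the sample line, constructed from that sample, represents a real record.

```python
import csv
import re

# Field order from the section 6.1 "Log Format" (VLAN_ID appears twice there;
# the second occurrence is stored under VLAN_ID_2 so it is not lost).
SYSLOG_FIELDS = (
    "SENSOR_ALERT_UUID ALERT_TYPE ATTACK_TIME ATTACK_NAME ATTACK_ID ATTACK_SEVERITY "
    "ATTACK_SIGNATURE ATTACK_CONFIDENCE ADMIN_DOMAIN SENSOR_NAME INTERFACE SOURCE_IP "
    "SOURCE_PORT DESTINATION_IP DESTINATION_PORT CATEGORY SUB_CATEGORY DIRECTION "
    "RESULT_STATUS DETECTION_MECHANISM APPLICATION_PROTOCOL NETWORK_PROTOCOL RELEVANCE "
    "QUARANTINE_END_TIME MCAFEE_NAC_FORWARDED_STATUS MCAFEE_NAC_MANAGED_STATUS "
    "MCAFEE_NAC_ERROR_STATUS MCAFEE_NAC_ACTION_STATUS SENSOR_CLUSTER_MEMBER ALERT_ID "
    "ATTACK_COUNT VLAN_ID LAYER_7_DATA VLAN_ID_2 PROTECTION_CATEGORY SOURCE_VM_NAME "
    "TARGET_VM_NAME SOURCE_VM_ESX_NAME TARGET_VM_ESX_NAME PROXY_SERVER_IP"
).split()

# Log field -> ESM field(s), from the section 6.3 mapping table.
ESM_MAPPING = {
    "ATTACK_TIME": ("First Time", "Last Time"), "ATTACK_NAME": ("Rule Message",),
    "ATTACK_ID": ("Signature ID",), "ATTACK_SEVERITY": ("Severity",),
    "ADMIN_DOMAIN": ("Domain",), "SENSOR_NAME": ("Host",), "INTERFACE": ("Interface",),
    "SOURCE_IP": ("Source IP",), "SOURCE_PORT": ("Source Port",),
    "DESTINATION_IP": ("Destination IP",), "DESTINATION_PORT": ("Destination Port",),
    "CATEGORY": ("Category",), "SUB_CATEGORY": ("Application",),
    "DIRECTION": ("Direction",), "RESULT_STATUS": ("Action",),
    "NETWORK_PROTOCOL": ("Protocol",),
}

# "<Mon dd hh:mm:ss> <forwarder>: |<pipe-delimited body>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fwd>\S+): *\|(?P<body>.*)$")

# Constructed sample, based on the section 6.2 log sample (date written out in full).
SAMPLE = (
    'Oct 14 10:24:36 SyslogAlertForwarder: |1234567891234567891|Signature|2014-10-14 10:24:32 EST|'
    '"P2P: BitTorrent Meta-Info Retrieving"|0x32c020a0|Medium|catch-most|Low|Example|SENSR600A|'
    '3A3B|192.0.2.1|24680|192.0.2.2|42356|PolicyViolation|restrictedapplication|Inbound|Blocked|'
    'signature|N/A|udp|'
)


def parse_nsm_syslog(line):
    """Split one forwarder line into named fields; returns None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # csv with '|' as delimiter honours the double quotes around ATTACK_NAME,
    # so a pipe inside a quoted attack name does not shift the later columns.
    values = next(csv.reader([m.group("body")], delimiter="|", quotechar='"'))
    if values and values[-1] == "":
        values.pop()  # the trailing delimiter yields an empty final column
    record = {"SYSLOG_TIMESTAMP": m.group("ts"), "FORWARDER": m.group("fwd")}
    for name, value in zip(SYSLOG_FIELDS, values):
        record[name] = value.strip()
    for name in SYSLOG_FIELDS[len(values):]:
        record[name] = None  # short record: the sample stops after NETWORK_PROTOCOL
    return record


def to_esm_fields(record):
    """Apply the section 6.3 mapping; unmapped or absent log fields are dropped."""
    esm = {}
    for log_field, esm_fields in ESM_MAPPING.items():
        value = record.get(log_field)
        if value is not None:
            for esm_field in esm_fields:
                esm[esm_field] = value
    return esm
```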
7 SQL Query Event to McAfee Field Mappings
7.1 Log Format
The expected format for this device is as follows:
creationTime="<Date_Time>" alertType="<Alert_Type>" category="<Category>"
subCategory="<Sub_Category>" detectionMethod="<Detection_Method>"
attackId="<Attack_ID>" attackIdRef="<Attack_ID_Reference>"
attackName="<Attack_Name>" severity="<Severity>" alertCount="<Alert_Count>"
sourceIPAddr="<Source_IP>" sourcePort="<Source_Port>"
targetIPAddr="<Target_IP>" targetPort="<Target_Port>"
sourceUserId="<Source_User_ID>" destinationUserId="<Dest_User_ID>"
layer7="<Layer_7_Details>"
7.2 Log Sample
This is a sample of a log from the Network Security Manager device after SQL pull.
creationTime="2012-06-22 19:37:01" alertType="Signature" category="Exploit"
subCategory="Buffer Overflow" detectionMethod="Signature" attackId="4255775"
attackIdRef="0x40f01f00" attackName="IRC: mIRC Userhost Buffer Overflow"
severity="7" alertCount="1" sourceIPAddr="6FA2A653" sourcePort="6667"
targetIPAddr="550D1EC1" targetPort="1041" sourceUserId="0"
destinationUserId="0" layer7=""
7.3 Mappings
The table below shows the mappings between the data source and McAfee ESM fields.
Log Fields | McAfee ESM Fields
creationTime | First Time, Last Time
alertType | Object_Type
category + subCategory | Subject
detectionMethod | Method
attackId | Signature ID (Standard NSM Signatures Only)
attackIdRef | Message_ID
attackIdRef | Event Class
attackName | Rule Message
severity | Severity
alertCount | Event Count
sourceIPAddr | Source IP
sourcePort | Source Port
targetIPAddr | Destination IP
targetPort | Destination Port
sourceUserId | Source User
destinationUserId | Destination User
result | Action
appName | Application
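An added example (my own code, not McAfee's) that parses the key="value" record from sections 7.1 and 7.2 and applies the mapping table above. It assumes that the 8-hex-digit sourceIPAddr and targetIPAddr values in the sample are packed big-endian IPv4 addresses, and that category and subCategory are joined with a single space to form Subject (the page gives no separator); the sample record is constructed from section 7.2.

```python
import ipaddress
import re

# key="value" pairs in the section 7.1 format; a value may be empty (layer7="").
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
HEX_IPV4_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# SQL-pull field -> ESM field(s), from the section 7.3 table. category and
# subCategory are combined into Subject separately (see to_esm_fields).
ESM_MAPPING = {
    "creationTime": ("First Time", "Last Time"), "alertType": ("Object_Type",),
    "detectionMethod": ("Method",), "attackId": ("Signature ID",),
    "attackIdRef": ("Message_ID", "Event Class"), "attackName": ("Rule Message",),
    "severity": ("Severity",), "alertCount": ("Event Count",),
    "sourceIPAddr": ("Source IP",), "sourcePort": ("Source Port",),
    "targetIPAddr": ("Destination IP",), "targetPort": ("Destination Port",),
    "sourceUserId": ("Source User",), "destinationUserId": ("Destination User",),
    "result": ("Action",), "appName": ("Application",),
}

# Constructed sample, copied from the section 7.2 log sample.
SAMPLE = (
    'creationTime="2012-06-22 19:37:01" alertType="Signature" category="Exploit" '
    'subCategory="Buffer Overflow" detectionMethod="Signature" attackId="4255775" '
    'attackIdRef="0x40f01f00" attackName="IRC: mIRC Userhost Buffer Overflow" '
    'severity="7" alertCount="1" sourceIPAddr="6FA2A653" sourcePort="6667" '
    'targetIPAddr="550D1EC1" targetPort="1041" sourceUserId="0" '
    'destinationUserId="0" layer7=""'
)


def decode_ip(value):
    """Assumption: an 8-hex-digit value is a packed big-endian IPv4 address
    (sourceIPAddr="6FA2A653" in the sample); dotted-quad input passes through."""
    if HEX_IPV4_RE.match(value):
        return str(ipaddress.IPv4Address(int(value, 16)))
    return str(ipaddress.ip_address(value))  # ValueError if not an address at all


def parse_sql_pull_event(text):
    """Return the key/value pairs of one event, or None if it lacks creationTime."""
    fields = dict(PAIR_RE.findall(text))
    return fields if "creationTime" in fields else None


def to_esm_fields(fields):
    """Apply the section 7.3 mapping, decoding the two address fields on the way."""
    esm = {}
    for key, value in fields.items():
        if key in ("sourceIPAddr", "targetIPAddr"):
            value = decode_ip(value)
        for esm_field in ESM_MAPPING.get(key, ()):
            esm[esm_field] = value
    # "category + subCategory -> Subject": the page gives no separator, so a
    # single space is an assumption here.
    parts = [fields.get("category", ""), fields.get("subCategory", "")]
    subject = " ".join(p for p in parts if p)
    if subject:
        esm["Subject"] = subject
    return esm
```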
8 McAfee Network Security Manager Integration
McAfee Enterprise Security Manager supports the ability to Initiate Quarantine (Blacklist) Actions
directly, or as an Automated Response to a security event. This integration assumes that NSM
has been added as a device.
8.1 Add an IP address to a Blacklist
After successfully adding NSM as a device and viewing events, specified IP addresses can be
blacklisted.
1. Within a view, locate an event with an IP to be blacklisted. Once the event, or IP address,
has been selected, click on the Menu button for that view’s pane, located in the upper-left
corner.
2. Select Actions > Blacklist <IP Address>. In most instances, both the source IP and
destination IP will be listed as choices to blacklist. Select the desired IP address.
3. Within the Device List window, select the desired NSM sensor to apply the blacklist setting.
Click OK.
4. Select the duration that the IP will be blacklisted for, along with a description. Click OK.
Note: This process can also be automated through the creation of a watchlist.
9 Appendix A - Generic Syslog Configuration Details
There are different options available when configuring a new data source. When some options
are selected, additional parameters may appear. Most of these parameters are examined in
more detail below. This section outlines the general options available in the Add Data Source
configuration screen.
1. Use System Profiles – System Profiles are a way to use settings that are repetitive in
nature, without having to enter the information each time. An example is WMI
credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen
mechanism.
2. Data Source Vendor – List of all supported vendors.
3. Data Source Model – List of supported products for a vendor.
4. Data Format – The expected format of the received / collected data. Options are
“Default”, “CEF”, and “MEF”. This should generally be left as Default for supported data
sources, and is intended to be used for custom data sources.
Note – If CEF is selected, the generic CEF parsing rule will be enabled and rolled into
policy for that data source. If selected on supported CEF data sources, the generic
parsing rule may override existing parsing rules that are designed to parse data source
specific details. This will result in degraded reporting for the specific data source.
5. Data Retrieval – The expected collection method used by the Receiver to collect the
data. The default is generally syslog. It is expected that this option will be changed to
match the needs in a specific user’s environment. The data will need to remain in the
expected format, otherwise the parsing rules may not parse the events.
6. Enabled: Parsing/Logging/SNMP Trap – Parsing enables the data source to pass events
to the parser. Logging enables the data source to pass raw event data to the Enterprise
Log Manager (ELM). SNMP enables reception of SNMP traps for select data sources. If
none of the options are checked, the settings are saved to the ESM, but the data source is
effectively disabled. The default is generally Parsing.
7. Name – This is the name that will appear in the Logical Device Groupings tree and the
filter lists.
8. IP Address/Hostname – The IP address and host name associated with the data source
device.
9. Syslog Relay – Allows data to be collected via relays with the option to group events
under specific data sources based on syslog header details. Enable syslog relay on relay
sources such as Syslog-NG.
10. Mask – Allows a mask to be applied to an IP address so that a range of IP addresses can
be accepted.
11. Require Syslog TLS – Enable to require the receiver to communicate over TLS.
12. Support Generic Syslog – Allows users to select one of the following options: Parse
generic syslog, Log unknown syslog event, or Do nothing. These options control how
the ESM handles unparsed logs. Parse generic syslog will create an event for every
unique unparsed log collected. Log unknown will create a single generic event and
increment the count for every unparsed log. Do nothing will ignore unparsed logs. The
Parse generic syslog option should be used sparingly as it can negatively impact the
performance of the Receiver and ESM in cases where there is a high incoming rate of
unparsed logs. It is recommended that the Log unknown option be used if unparsed
events need to be reported in ESM; otherwise it is recommended to leave the setting as
Do nothing.
13. Time Zone – This should be set based on the time zone used in the log data. Generally,
it is the time zone where the actual data source is located.
14. Interface – Opens the receiver interface settings to associate ports with streams of
information.
15. Advanced – Opens advanced settings for the data source.
10 Appendix B - Troubleshooting
If a data source is not receiving events, verify that the data source settings have been written
out and that policy has been rolled out to the Receiver.
If there are errors saying events are being discarded because the Last Time value is more than
one hour in the future, or the values are incorrect, the Time Zone settings for the data source or
ESM may need to be adjusted.
When creating custom ASP rules, the Key and Value table located within the Parsing tab will
display potential field mappings based on the log text entered in the Sample Log Data section.
None of the data from the Key and Value table is populated by default. Actual field assignments
are set within the Field Assignment tab by dragging and dropping the key onto the desired
field.
When analyzing parsed event details, fields on the Custom Types tab will not be present if the
data intended to be captured for that specific field is absent from the received logs.