McAfee Enterprise Security Manager Data Source Configuration Guide
Data Source: McAfee Network Security Manager
October 5, 2016

The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents

1 Introduction
2 Prerequisites
3 Differences in Configuration Options
4 McAfee Network Security Manager Configuration
  4.1 NSM 8.x Syslog Configuration
    4.1.1 Firewall Access Events
    4.1.2 Quarantine Access Events
    4.1.3 IPS Event
    4.1.4 Faults > Syslog
    4.1.5 User Activity > Syslog
  4.2 Enable McAfee receiver to connect to the NSM database
5 McAfee Enterprise Security Manager Configuration
  5.1 Add NSM as a Device within McAfee ESM
  5.2 McAfee ESM Data Source Configuration for Syslog delivery
  5.3 McAfee ESM Data Source Configuration for SQL collection
6 Syslog Event to McAfee Field Mappings
  6.1 Log Format
  6.2 Log Sample
  6.3 Mappings
7 SQL Query Event to McAfee Field Mappings
  7.1 Log Format
  7.2 Log Sample
  7.3 Mappings
8 McAfee Network Security Manager Integration
  8.1 Add an IP address to a Blacklist
9 Appendix A - Generic Syslog Configuration Details
10 Appendix B - Troubleshooting

1 Introduction

McAfee Network Security Manager (NSM) can be added as a Device on McAfee Enterprise Security Manager (ESM) or as a Data Source on a McAfee Event Receiver. This guide details how to configure McAfee Network Security Manager 7.1.3.5 and above to integrate with the ESM as a Device, or to send data in the proper format to the Receiver while added as a Data Source via syslog or SQL Pull. This guide also covers initiating Quarantine (Blacklist) Actions from within ESM.

2 Prerequisites

McAfee Network Security Manager 7.1.3.5 and above.
For adding NSM as a Data Source via syslog, McAfee Enterprise Security Manager Version 9.1.0 and above.
For adding NSM as a Data Source via SQL Pull, or adding as a Device, McAfee Enterprise Security Manager Version 9.1.2 and above.

In order to configure each device, appropriate administrative level access is required to perform the necessary changes documented below.

3 Differences in Configuration Options

Additional ESM features are available when Network Security Manager is configured as a device in the ESM. The following table lists the major differences in features available for each configuration.

NSM connected as a Device                                                                          | NSM connected as a Data Source (Syslog/SQL)
NSM listed in the ESM device tree as a device.                                                     | NSM listed in the ESM device tree as a data source
Examine IPS policies directly from within ESM                                                      | N/A
Initiate Quarantine (Blacklist) Actions directly, or as an Automated Response to a security event  | N/A
Additional views included to assist with NSM events                                                | N/A
IPS sensors and associated interfaces are listed as child data sources under the NSM device        | N/A

4 McAfee Network Security Manager Configuration

4.1 NSM 8.x Syslog Configuration

This step only applies to the Data Source configuration option via syslog. It is required in order to enable sending syslog messages to the ESM.

1. Log into the management interface as an administrator.
2. Click on the Manage icon on the dashboard.
3. In the resource tree click on the root node (usually "My Company").
4. Select Setup > Notification.
4.1.1 Firewall Access Events

a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message: $SENSOR_NAME$ matched $ALERT_DIRECTION$ ACL rule ($ACL_POLICY$/#$ACL_RULE_NUMBER$) $SOURCE_IP$ -> $DESTINATION_IP$:$DESTINATION_PORT$ ($APPLICATION_PROTOCOL$/$APPLICATION$) = $ACL_ACTION$

4.1.2 Quarantine Access Events

a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default

4.1.3 IPS Event

a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message: $IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)

4.1.4 Faults > Syslog

a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message: Fault : $IV_OWNER_NAME$: $IV_DESCRIPTION$

4.1.5 User Activity > Syslog

a. Enable Syslog Notifications: Yes
b. Server Name or IP Address: <IP/Hostname of your Receiver>
c. Port: 514
d. Message Body: System Default
e. Default message: $IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$

4.2 Enable McAfee receiver to connect to the NSM database

This step applies both to the Device configuration option and to the Data Source option using SQL Pull. McAfee Receiver requires a MySQL user account on NSM in order to remotely query events.
The following steps outline how to create a user account with read-only privileges on the NSM database.

Log into the NSM MySQL database and create a user that can connect remotely to the NSM from the ESM receiver. This user must be granted SELECT permissions on the database. Enter the following commands at a command prompt or in a tool such as MySQL Workbench, where 'user_name' is the desired username, 'user_name_password' is the password for the newly created user, and 'receiver_ip_address' is the IP address of the Receiver that will be connecting to the NSM.

Run the following command to create the user and set the privileges:

GRANT SELECT ON lf.* TO 'user_name'@'receiver_ip_address' IDENTIFIED BY 'user_name_password' WITH GRANT OPTION;

Run the following command to apply the privilege changes without restarting the MySQL database:

FLUSH PRIVILEGES;

Note: the WITH GRANT OPTION clause also allows this account to pass its SELECT privilege on lf.* to other MySQL accounts; a collector account that only reads events does not require it.

Once the user has been created with the correct permissions, you will be able to set up the data source or device on the ESM as shown in the following sections.

5 McAfee Enterprise Security Manager Configuration

5.1 Add NSM as a Device within McAfee ESM

After successfully logging into the McAfee ESM console, follow these steps to add NSM as a device:

1. In the System Navigation Tree, select the Local ESM node or a group to which you wish to add the device.
2. Click on the Add Device icon in the Actions Toolbar. The Add Device Wizard opens.
3. Select Network Security Manager (v7.1.3.5 or newer) and click Next. The second dialog of the Add Device Wizard will open.
4. Enter a name that is unique for this group for the NSM device within the Device Name field and click Next.
The third dialog of the Add Device Wizard opens.
5. Select the Receiver with which this device will be associated.
6. Enter the credentials to log into the NSM device's web interface/API.
7. Click Connect to verify that the ESM is able to communicate with NSM using the given data.
8. If the connection was successful, click Next to continue. The fourth dialog of the Add Device Wizard opens.
9. Enter the database IP address.
10. Enter the database port number.
11. Enter the database username and password created previously in section 4.2.
12. Enter "lf" into the Database Name field.
13. Click Connect to verify that the ESM is able to communicate with the NSM database.
14. If the connection was successful, click Next. The ESM will test device communication and report on the status of the connection. You will be able to directly launch the Properties dialog upon successfully keying the device.

5.2 McAfee ESM Data Source Configuration for Syslog delivery

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the desired McAfee Event Receiver.
2. Click the Properties icon.
3. From the Receiver Properties listing, select Data Sources.
4. Click Add.

OR

1. Select the desired McAfee Event Receiver.
2. Click the Add Data Source icon.

Data Source Screen Settings
1. Data Source Vendor – McAfee
2. Data Source Model – Network Security Manager
3. Data Format – Default
4. Data Retrieval – Default
5. Enabled: Parsing/Logging/SNMP Trap – Parsing
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device.
8. Syslog Relay – None
9. Mask – 32
10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslog – Do nothing
12. Time Zone – Time zone of data being sent.

5.3 McAfee ESM Data Source Configuration for SQL collection

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the desired McAfee Event Receiver.
2. Click the Properties icon.
3. From the Receiver Properties listing, select Data Sources.
4. Click Add.

OR

1. Select the desired McAfee Event Receiver.
2. Click the Add Data Source icon.

Data Source Screen Settings

1. Data Source Vendor – McAfee
2. Data Source Model – Network Security Manager – SQL Pull (ASP)
3. Data Format – Default
4. Data Retrieval – SQL (Default)
5. Enabled: Parsing/Logging/SNMP Trap – Parsing
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device.
8. User Name – <Enter the database username created previously in section 4.2>
9. Password – <Enter the database password created previously in section 4.2>
10. Port – <Default is 3306>
11. Database Name – <Default is lf>
12. Version – <Version of NSM>

Note – Refer to Appendix A for details on the Data Source Screen options.
6 Syslog Event to McAfee Field Mappings

6.1 Log Format

The expected format for this device is as follows:

<SyslogForwarderType>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID|ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|RELEVANCE|QUARANTINE_END_TIME|MCAFEE_NAC_FORWARDED_STATUS|MCAFEE_NAC_MANAGED_STATUS|MCAFEE_NAC_ERROR_STATUS|MCAFEE_NAC_ACTION_STATUS|SENSOR_CLUSTER_MEMBER|ALERT_ID|ATTACK_COUNT|VLAN_ID|LAYER_7_DATA|VLAN_ID|PROTECTION_CATEGORY|SOURCE_VM_NAME|TARGET_VM_NAME|SOURCE_VM_ESX_NAME|TARGET_VM_ESX_NAME|PROXY_SERVER_IP|

6.2 Log Sample

This is a sample of a log from the Network Security Manager device.

Oct 14 10:24:36 SyslogAlertForwarder: |1234567891234567891|Signature|2014-10-14 10:24:32 EST|"P2P: BitTorrent Meta-Info Retrieving"|0x32c020a0|Medium|catch-most|Low|Exmaple|SENSR600A|3A3B|192.0.2.1|24680|192.0.2.2|42356|PolicyViolation|restrictedapplication|Inbound|Blocked|signature|N/A|udp|

6.3 Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields          McAfee ESM Fields
ATTACK_TIME         First Time, Last Time
ATTACK_NAME         Rule Message
ATTACK_ID           Signature ID
ATTACK_SEVERITY     Severity
ADMIN_DOMAIN        Domain
SENSOR_NAME         Host
INTERFACE           Interface
SOURCE_IP           Source IP
SOURCE_PORT         Source Port
DESTINATION_IP      Destination IP
DESTINATION_PORT    Destination Port
CATEGORY            Category
SUB_CATEGORY        Application
DIRECTION           Direction
RESULT_STATUS       Action
NETWORK_PROTOCOL    Protocol
7 SQL Query Event to McAfee Field Mappings

7.1 Log Format

The expected format for this device is as follows:

creationTime="<Date_Time>" alertType="<Alert_Type>" category="<Category>" subCategory="<Sub_Category>" detectionMethod="<Detection_Method>" attackId="<Attack_ID>" attackIdRef="<Attack_ID_Reference>" attackName="<Attack_Name>" severity="<Severity>" alertCount="<Alert_Count>" sourceIPAddr="<Source_IP>" sourcePort="<Source_Port>" targetIPAddr="<Target_IP>" targetPort="<Target_Port>" sourceUserId="<Source_User_ID>" destinationUserId="<Dest_User_ID>" layer7="<Layer_7_Details>"

7.2 Log Sample

This is a sample of a log from the Network Security Manager device after SQL pull.

creationTime="2012-06-22 19:37:01" alertType="Signature" category="Exploit" subCategory="Buffer Overflow" detectionMethod="Signature" attackId="4255775" attackIdRef="0x40f01f00" attackName="IRC: mIRC Userhost Buffer Overflow" severity="7" alertCount="1" sourceIPAddr="6FA2A653" sourcePort="6667" targetIPAddr="550D1EC1" targetPort="1041" sourceUserId="0" destinationUserId="0" layer7=""

7.3 Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields                McAfee ESM Fields
creationTime              First Time, Last Time
alertType                 Object_Type
category + subCategory    Subject
detectionMethod           Method
attackId                  Signature ID (Standard NSM Signatures Only)
attackIdRef               Message_ID
attackIdRef               Event Class
attackName                Rule Message
severity                  Severity
alertCount                Event Count
sourceIPAddr              Source IP
sourcePort                Source Port
targetIPAddr              Destination IP
targetPort                Destination Port
sourceUserId              Source User
destinationUserId         Destination User
result                    Action
appName                   Application

8 McAfee Network Security Manager Integration

McAfee Enterprise Security Manager supports the ability to initiate Quarantine (Blacklist) Actions directly, or as an Automated Response to a security event. This integration assumes that NSM has been added as a device.

8.1 Add an IP address to a Blacklist

After successfully adding NSM as a device and viewing events, specified IP addresses can be blacklisted.

1. Within a view, locate an event with an IP to be blacklisted. Once the event, or IP address, has been selected, click on the Menu button for that view's pane, located in the upper-left corner.
2. Select Actions > Blacklist <IP Address>. In most instances, both the source IP and destination IP will be listed as choices to blacklist. Select the desired IP address.
3. Within the Device List window, select the desired NSM sensor to apply the blacklist setting. Click OK.
4. Select the duration that the IP will be blacklisted for, along with a description. Click OK.

Note: This process can also be automated through the creation of a watchlist.

9 Appendix A - Generic Syslog Configuration Details

There are different options available when configuring a new data source. When some options are selected, additional parameters may appear. Most of these parameters are examined in more detail below. This section outlines the general options available in the Add Data Source configuration screen.
1. Use System Profiles – System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor – List of all supported vendors.
3. Data Source Model – List of supported products for a vendor.
4. Data Format – The expected format of the received / collected data. Options are "Default", "CEF", and "MEF". This should generally be left as Default for supported data sources; the other options are intended for custom data sources.
   Note – If CEF is selected, the generic CEF parsing rule will be enabled and rolled into policy for that data source. If selected on supported CEF data sources, the generic parsing rule may override existing parsing rules that are designed to parse data source specific details. This will result in degraded reporting for the specific data source.
5. Data Retrieval – The expected collection method used by the Receiver to collect the data. The default is generally syslog. It is expected that this option will be changed to match the needs of a specific user's environment. The data will need to remain in the expected format; otherwise the parsing rules may not parse the events.
6. Enabled: Parsing/Logging/SNMP Trap – Parsing enables the data source to pass events to the parser. Logging enables the data source to pass raw event data to the Enterprise Log Manager (ELM). SNMP enables reception of SNMP traps for select data sources. If none of the options are checked, the settings are saved to the ESM, but the data source is effectively disabled. The default is generally Parsing.
7. Name – This is the name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname – The IP address and host name associated with the data source device.
9. Syslog Relay – Allows data to be collected via relays with the option to group events under specific data sources based on syslog header details. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask – Allows a mask to be applied to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS – Enable to require the receiver to communicate over TLS.
12. Support Generic Syslog – Allows users to select one of the following options: Parse generic syslog, Log unknown syslog event, or Do nothing. These options control how the ESM handles unparsed logs. Parse generic syslog will create an event for every unique unparsed log collected. Log unknown will create a single generic event and increment the count for every unparsed log. Do nothing will ignore unparsed logs. The Parse generic syslog option should be used sparingly as it can negatively impact the performance of the Receiver and ESM in cases where there is a high incoming rate of unparsed logs. It is recommended that the Log unknown option be used if unparsed events need to be reported in ESM; otherwise it is recommended to leave the setting as Do nothing.
13. Time Zone – This should be set based on the time zone used in the log data. Generally, it is the time zone where the actual data source is located.
14. Interface – Opens the receiver interface settings to associate ports with streams of information.
15. Advanced – Opens advanced settings for the data source.

10 Appendix B - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.
If there are errors saying events are being discarded because the Last Time value is more than one hour in the future, or the values are incorrect, the Time Zone settings for the data source or ESM may need to be adjusted.

When creating custom ASP rules, the Key and Value table located within the Parsing tab will display potential field mappings based on the log text entered in the Sample Log Data section. None of the data from the Key and Value table is populated by default. Actual field assignments are set within the Field Assignment tab by dragging and dropping the key onto the desired field.

When analyzing parsed event details, fields on the Custom Types tab will not be present if the data intended to be captured for that specific field is absent from the received logs.