All Apps and Add-ons

Cisco eNcore: Sample logs

koshyk
Super Champion

First of all, thanks @douglashurd for creating the app.
I had two questions regarding the app

  1. Any chance to put samples directory within the app with different samples of eStreamer sourcetypes? to be used for eventgen etc.
  2. Can Cisco estreamer devices send the similar data via syslog ? (i.e push to splunk, rather than Splunk pulling them)
0 Karma
1 Solution

douglashurd
Builder

You should be able to send Intrusion events and connection events right off the sensor in syslog. Cisco TAC can explain the configuration steps for this.

View solution in original post

douglashurd
Builder

There is a detailed document on the syslog output. Do you have it?

If you want it please email me dohurd@cisco.com and I'll attach. I cannot attach it here.

Doug

0 Karma

douglashurd
Builder

You should be able to send Intrusion events and connection events right off the sensor in syslog. Cisco TAC can explain the configuration steps for this.

koshyk
Super Champion

thanks @douglashurd.
any chance, can you please update some sample events in your app to be used for eventgen etc.?

0 Karma

douglashurd
Builder

Unfortunately I cannot tell you what changes are added since the 5.4 schema was explained here:

Discovery Event:

" Configuration:

Discovery Event syslog alerts can be configured under Policies > Actions > Alerts by selecting the Discovery Event Alerts tab, selecting the syslog alert you would like use and selecting the types of events that should generate an alert.
" Schema:

SFIMS: <- From "" at -> IP Address: Port: Service: Confidence:
" Example:

SFIMS: <*- New TCP Port From "X.X.X.X" at Tue Feb 24 18:59:45 2015 UTC -*> IP Address: X.X.X.X Port: 6370 Service: HTTP Apache Confidence: 50

Intrusion Event:

" Configuration:

To enable Intrusion Event sysloggin first go to Policies > Intrusion > Intrusion Policy and edit the policy referenced by the Access Control Policy. Click on Advanced Settings and select enabled. Then, click edit and input your sylog server configuration.
" Schema:

SFIMS: [ ()][][::] "" [Classification: ] User: , Application: , Client: , App Protocol: Interface Ingress: , Interface Egress: , Security Zone Ingress:, Security Zone Egress: , [Priority: ] {} : -> :
" Example:

SFIMS: [Primary Detection Engine (9882464a-3c3d-11e3-875b-c166af9fa6c0)][Default Security Over Connectivity][1:17392:6] "INDICATOR-SHELLCODE JavaScript var shellcode" [Classification: Executable Code was Detected] User: Unknown, Application: Unknown, Client: Internet Explorer, App Protocol: HTTP Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, [Priority: 1] {TCP} xxx.xx.xx.xx:80 -> xxx.xxx.x.x:1113 

Connection Event:

" Configuration:

To configure connection event syslogging edit an Access Control Policy, and edit each rule that you would like connection event syslogging for, check syslog for the "Send Connection Events to:" section, and select your Syslog alert configuration.
" Schema:

5.3.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: , {} : ->:

5.4.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: ,Client Version: , Number of File Events: , Number of IPS Events: , TCP Flags: , NetBIOS Domain:, Initiator Packets: , Responder Packets: , Initiator Bytes:, Responder Bytes: , Context:, SSL Rule Name: , SSL Flow Status: , SSL Cipher Suite: , SSL Certificate:, SSL Subject CN: , SSL Subject Country: , SSL Subject OU: , SSL Subject Org:, SSL Issuer CN: , SSL Issuer Country:, SSL Issuer OU:, SSL Issuer Org:, SSL Valid Start Date:, SSL Valid End Date:, SSL Version: , SSL Server Certificate Status: , SSL Actual Action:, SSL Expected Action:, SSL Server Name: , SSL URL Category: , SSL Session ID:, SSL Ticket Id:, {} : ->:

NOTE: The SSL Fields will be in all connections regardless of whether SSL was used in the connection.
"

Example:

sn54 54DC: [Primary Detection Engine (2c0f417e-bb63-11e4-90aa-a536b3757dce)][Default Access Control] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Cisco, Access Control Rule Name: catchall, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Business and Economy, URL Reputation: Well known, URL:https://nourl.cisco.com, Interface Ingress: eth1, Interface Egress: eth1, Security Zone Ingress: Internal, Security Zone Egress: Internal, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 3, Responder Packets: 1, Initiator Bytes: 727, Responder Bytes: 74, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} X.X.X.X:49205 -> X.X.X.X:443

Health Monitor Event:

" Configuration:

To configure health monitor syslogging, go to Health > Health Monitor Alerts, select the severities and modules you would like to alert on, name the alert and save.
" Schema:
: HMNOTIFY: (): Severity: :
" Example:

dc54 DC54: HMNOTIFY: License Monitor (Sensor dc54.example.com): Severity: warning: Violations due to licenses expiring within 90 days: USER used count will exceed total by 2 licenses.

Correlation Event:

" Configuration:

To configure correlation event syslogging, navigate to Policies > Correlation edit the correlation policy configured, click on the responses icon for the rule you would like syslog alerts from, and select your syslog alert action.
" Schema:

: Correlation Event: / at

" Example:

dc54 DC54: Correlation Event: Test Correlation Rule/Test Correlation Policy at Tue Sep 15 13:05:52 2015 UTCConnection Type: FireSIGHT X.X.X.X:45652 (unknown) -> X.X.X.X:443 (united states) (tcp)

Impact Alert:

" Configuration:

To configure impact alert syslogging go to Policies > Actions > Alerts, select Impact Flag Alerts, select your syslog alerting mechanism and the impact flags you would like to alert on.
" Schema:
: [::] "" [Impact:] From "" at UTC [Classification: ] [Priority: ] {} ->

" Example:

dc54 DC54: [1:1000000:1] "Ping Test Rule" [Impact: Unknown] From "X.X.X.X" at Tue Sep 15 13:41:52 2015 UTC [Classification: Misc Activity] [Priority: 3] {icmp} X.X.X.X->X.X.X.X

Network Malware Event:

" Configuration:

To configure network malware event syslogging, navigate to Policies > Actions > Alerts, select Advanced Malware Protection Alerts, select your syslog alerting mechanism, and select the types of events you want alerts for.
" Schema:
: <- Network Based Malware From "" at UTC -> Sha256: Disposition: Threat name: Addresses:

" Example:

dc54 DC54: <*- Network Based Malware From "X.X.X.X" at Tue Sep 15 14:32:47 2015 UTC -*> Sha256: 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002 Disposition: Malware Threat name: W32.Zombies.NotAVirus IP Addresses: X.X.X.X<-X.X.X.X

Audit Log Event:

" Configuration:
To configure audit log event syslogging, navigate to System > Local > System Policy > Audit Log Settings, select the
appropriate settings for your environment, click the Save Policy and Exit button, and reapply the System Policy.

" Schema:
ids.cgi: : user@IP, ,

" Example:

 Oct 13 13:54:32 X.X.X.X ids.cgi: Sourcefire3D: admin@X.X.X.X, Policies > Intrusion > Intrusion Policy, Page View

koshyk
Super Champion

thanks again for your help.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...