Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual

Configuring DSMs

Security Threat Response Manager
Configuring DSMs
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-025608-01, Revision 1

Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1

  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    About This Guide 1 Overview 3 3Com 8800 Series Switch 5 Ambiron TrustWave ipAngel 7 Apache HTTP Server 9 Apple Mac OS X 11 Array Network SSL VPN 13 F5 Networks BigIP 15 Blue Coat SG 17 Check Point FireWall-1 19 Check Point Provider-1 25 Cisco ACS 29 Cisco ASA 31...
  • Page 4 IBM Proventia Management SiteProtector 75 ISS Proventia 77 Juniper DX Application Acceleration Platform 79 Juniper EX-Series Ethernet Switch 81 Juniper NetScreen IDP 83 Juniper Networks Secure Access 85 Juniper Infranet Controller 89 Juniper NetScreen Firewall 91 Juniper NSM 93 Juniper Router 95...
  • Page 5 McAfee Intrushield 105 McAfee ePolicy Orchestrator 107 MetaInfo MetaIP 109 Microsoft Exchange Server 111 Microsoft DHCP Server 113 Microsoft IAS Server 115 Microsoft IIS 117 Microsoft SQL Server 119 Microsoft Windows Security Event Log 121 Niksun 123 Nokia Firewall 125 Nortel ARN 129 Nortel Application Switch 131 Nortel Contivity 5000 133...
  • Page 6 ProFTPd 159 Samhain 161 Secure Computing Sidewinder 165 Sun Solaris 167 Sun Solaris DHCP 169 SonicWALL 171 Sun Solaris Sendmail 173 Sourcefire Intrusion Sensor 175 Squid Web Proxy 177 Symantec SGS 179 Symantec System Center 181 Symark PowerBroker 183 Tipping Point Intrusion Prevention System 185 TippingPoint X505/X506 Device 187 TopLayer 189 Trend Micro InterScan VirusWall 191...
  • Page 7 Information that alerts you to potential personal injury. Technical Documentation: You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support. Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
  • Page 8 Requesting Support: Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
  • Page 9 You can configure STRM or STRM Log Management to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers). Device Support Modules (DSMs) allow you to integrate STRM or STRM Log Management with these external devices.
  • Page 11 A STRM 3Com 8800 Series Switch DSM accepts events using syslog. STRM records all relevant status and network condition events. Before configuring a 3Com 8800 Series Switch device in STRM, you must configure your device to send syslog events to STRM.
  • Page 13: Ambiron Trustwave Ipangel

    A STRM Ambiron TrustWave ipAngel DSM accepts events using syslog. STRM records all Snort-based events from the ipAngel console. Before you configure STRM to integrate with ipAngel, you must forward your cache and access logs to your STRM system. For information on forwarding device logs to STRM, see your vendor documentation.
  • Page 15: Apache Http Server

    A STRM Apache HTTP Server DSM accepts Apache events using syslog. You can integrate Apache versions 1.3 and above with STRM. STRM records all relevant HTTP status events. Note: The procedure in this section applies to Apache DSMs operating on Unix/Linux platforms only.
  • Page 16 Step 6: Restart syslog: /etc/init.d/syslog restart. Step 7: Restart Apache. You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Apache device, you must select the Open Source Apache Webserver option from the Sensor Device Type drop-down list box.
  • Page 17 A STRM Apple Mac OS X DSM accepts events using syslog. STRM records all relevant firewall, web server access, web server error, privilege escalation, and informational events. Before you configure STRM to integrate with Mac OS X, you must: Log in as a root user.
  • Page 19 The STRM Array Networks SSL VPN DSM collects events from an ArrayVPN appliance using syslog. For details of configuring ArrayVPN appliances for remote syslog, please consult Array Networks documentation. Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface.
  • Page 21: F5 Networks Bigip

    The STRM F5 Networks BigIP DSM collects events from a BigIP load balancer using syslog. For details on configuring remote syslog with the BigIP switch, please consult the vendor documentation. Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface.
  • Page 23: Blue Coat Sg

    A STRM Blue Coat SG DSM accepts syslog events from a Blue Coat SG Appliance. STRM records all relevant and available information from the event. Before configuring a Blue Coat SG device in STRM, you must configure your device to send syslog to STRM. For more information regarding your Blue Coat SG Appliance, see your vendor documentation.
  • Page 24 Note: The Format tab allows you to create a format to use for your log facilities. Although several log formats ship with the SGOS software, STRM requires that the streaming log format use the default ELFF log format. Make sure the Multiple-valued header policy option is set to Log last header. Step 10: Click Apply.
  • Page 25: Check Point Firewall-1

    You can configure STRM to integrate with a Check Point FireWall-1 device using one of the following methods: • Integrating Check Point FireWall-1 Using Syslog • Integrating CheckPoint FireWall-1 Using OPSEC. Note: Depending on your Operating System, the procedures for the Check Point FireWall-1 device may vary.
  • Page 26 $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 & Step 5: Save and close the file. Step 6: Open the syslog.conf file. Step 7: Add the following line: <facility>.<priority><TAB><TAB>@<host> Where:...
  • Page 27 Integrating CheckPoint FireWall-1 Using OPSEC: This section describes how to ensure that the STRM Check Point FireWall-1 DSM accepts FireWall-1 events using Open Platform for Security (OPSEC). Note: The method used for integrating Check Point Firewall-1 into STRM using OPSEC is dependent on the version of STRM you are running.
  • Page 28 Select Close. Step 2: To create the OPSEC connection: Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties. Enter the appropriate information in the Name and Comment (optional) text fields. Note: The name you enter must be different than the name entered in Step 1 c. From the Host drop-down list box, select the host object you created in Step. From the Application Properties drop-down list box, select User Defined as the...
  • Page 29 Verifying or Changing the OPSEC Communications Configuration # The VPN-1/FireWall-1 default settings are: sam_server auth_port; sam_server port 18183; lea_server auth_port 18184; lea_server port; ela_server auth_port 18187; ela_server port; cpmi_server auth_port 18190; uaa_server auth_port 19191; uaa_server port. Change the default lea_server auth_port from 18184 to another port number.
  • Page 30 Step 6: Save and close the file. Step 7: Start the firewall services by entering the following command: cpstart. You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Firewall-1 device using OPSEC, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
  • Page 31: Check Point Provider-1

    You can configure STRM to integrate with a Check Point Provider-1 device using one of the following methods: • Integrating Check Point Provider-1 Using Syslog • Integrating Check Point Provider-1 Using OPSEC. Note: Depending on your Operating System, the procedures for the Check Point Provider-1 device may vary.
  • Page 32 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Provider-1 device using syslog, choose one of the following options: • If you are using STRM 6.0, select CheckPoint Firewall-1 Devices via Syslog from the Sensor Device Type drop-down list box.
  • Page 33 Integrating Check Point Provider-1 Using OPSEC. Step 5: To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties. Step 6: Enter the Name and optional Comment. Note: The name you enter must be different than the name entered in Step. Step 7: From the Host drop-down menu, select the STRM host object that you just...
  • Page 35: Cisco Acs

    A STRM Cisco Access Control Server (ACS) DSM accepts syslog ACS events using one of the following options: • A server using the STRM Adaptive Log Exporter (Cisco ACS software version 3.x or later). For more information on the Adaptive Log Exporter, see the STRM Adaptive Log Exporter Users Guide.
  • Page 37: Cisco Asa

    You can integrate a Cisco Adaptive Security Appliance (ASA) with STRM. A Cisco ASA DSM accepts events using syslog. STRM records all relevant events. Before you configure STRM to integrate with a CSA server, you must forward all device logs to your STRM system. For more information on forwarding logs to STRM, see your vendor documentation.
  • Page 39: Cisco Catos For Catalyst Switches

    A STRM Cisco CatOS for Catalyst Switches DSM accepts events using syslog. STRM records all relevant device events. Before configuring a Cisco CatOS device in STRM, you must configure your device to send syslog events to STRM. To configure the device to send syslog events to STRM: Log in to the Cisco CatOS interface and enter privileged EXEC mode.
  • Page 41: Cisco Csa

    You can integrate a Cisco Security Agent (CSA) server with STRM. A CSA DSM accepts events using syslog and SNMPv2. You can integrate CSA versions 4.x and 5.x with STRM. STRM records all relevant events. Before you configure STRM to integrate with a CSA server, you must: Open the CSA interface and select Security Agents.
  • Page 43: Cisco Fwsm

    You can integrate Cisco Firewall Service Module (FWSM) version 2.2 with STRM. A STRM FWSM DSM accepts FWSM events using syslog. STRM records all relevant Cisco FWSM events. Before you configure STRM to integrate with Cisco FWSM, you must configure Cisco FWSM to forward logs to STRM: Using a console connection, telnet, or SSH, log in to the Cisco FWSM.
  • Page 45: Cisco Ids/Ips

    You can integrate a Cisco IDS/IPS server, versions 5.x and 6.x, with STRM. A Cisco IDS/IPS DSM polls the Cisco IDS/IPS events using the Security Device Event Exchange (SDEE) protocol. SDEE specifies the message format and the protocol used to communicate the events generated by security devices.
  • Page 47: Cisco Nac Device

    A STRM Cisco NAC DSM accepts events using syslog. STRM records all relevant audit, error, and failure events as well as quarantine and infected system events. Before configuring a Cisco NAC device in STRM, you must configure your device to send syslog events to STRM.
  • Page 49: Cisco Ios

    You can integrate Cisco IOS 12.2, 12.5 and above with STRM. A Cisco IOS DSM accepts Cisco IOS events using syslog. STRM records all relevant events. Note: Make sure all Access Control Lists (ACLs) are set to LOG. Before you configure STRM to integrate with a Cisco IOS server, you must: Log in to the router in privileged-exec mode and switch to configuration mode.
  • Page 50 Services Router. For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Cisco IOS, see your Cisco IOS documentation.
  • Page 51: Cisco Pix

    You can integrate Cisco Pix versions 5.x and 6.3 with STRM. A Cisco Pix DSM accepts Cisco Pix events using syslog. STRM records all relevant Cisco Pix events. Before you configure STRM to integrate with Cisco Pix, you must configure Cisco Pix to forward logs to STRM using the following command: logging host <interface>...
  • Page 52 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco PIX device, you must select the Cisco PIX Firewall option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
  • Page 53: Cisco Vpn 3000 Concentrator

    A STRM Cisco VPN 3000 Concentrator DSM accepts Cisco VPN Concentrator events using syslog. You can integrate Original VPN 3000 Concentrator versions VPN 3005 and L.1.7.H with STRM. STRM records all relevant events. Before you configure STRM to integrate with a Cisco VPN concentrator, you must: Log in to the Cisco VPN 3000 Concentrator interface.
  • Page 55: Cyberguard Firewall/Vpn Appliance

    A STRM CyberGuard Firewall VPN Appliance DSM accepts CyberGuard events using syslog. STRM records all relevant CyberGuard events. STRM supports the CyberGuard KS series of appliances. Before you configure STRM to integrate with a CyberGuard device, you must: Log in to the CyberGuard interface.
  • Page 57: Enterasys Dragon

    (right-click) and select Add Alarm Tool Policy. The Add Alarm Tool Policy window appears. In the Add Alarm Tool Policy field, enter the policy name Juniper Networks. Click OK. In the menu tree, select the newly created Juniper Networks policy.
  • Page 58 - Type — Select Real Time. - Event Group — Select the newly created Event Group, Dragon-Events (see Step ). - Notification Rule — Select the check box for the Juniper Networks-Rule. Click Ok. Click Commit. Navigate to the Enterprise View.
  • Page 59 Step 11: Select the newly created Juniper Networks policy. Click OK. Step 12: In the Enterprise menu, use the right mouse button (right-click) and select Deploy. You are now ready to configure the sensor device and SNMP within STRM. For information on configuring SNMP in STRM, see the Managing Sensor Devices Guide.
  • Page 61: Enterasys Matrix Router

    A STRM Enterasys Matrix Router DSM accepts Enterasys Matrix events using SNMPv1, SNMPv2, SNMPv3, and syslog. You can integrate Enterasys Matrix Router version 3.5 with STRM. STRM records all SNMP events and syslog login, logout, and login failed events. Before you configure STRM to integrate with Enterasys Matrix, you must: Log in to the switch/router as a privileged user.
  • Page 63: Enterasys Matrix N-Series

    A STRM Enterasys Matrix N-Series DSM accepts N-Series events using syslog. STRM records all relevant Matrix N3, N5, N7, and N Standalone device events. Before you configure STRM to integrate with a Matrix N-Series, you must: Step 1: Log in to the switch/router. Step 2: Enter the following command:...
  • Page 64 For example, enter the command below if you wish to enable a syslog server configuration for the following: Index 1; IP address 134.141.89.113; Facility local4; Severity Level 3; port 514: set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable. For more information on configuring the Matrix N-Series, consult your vendor documentation.
  • Page 65 A STRM ExtremeWare DSM accepts Extreme events using syslog. STRM records all relevant events. Before you configure STRM to integrate with an ExtremeWare device, you must configure syslog within your Extreme device. You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from your ExtremeWare device, choose one of the following options: If you are using STRM 6.0, select ExtremeWare from the Sensor Device Type...
  • Page 67: Forescout Counteract

    A STRM ForeScout CounterACT DSM accepts CounterACT events using syslog. STRM records all relevant and available information from the event. Before configuring a CounterACT device in STRM, you must configure your device to send syslog to your STRM installation. For more information on configuring your CounterACT device, consult your vendor documentation.
  • Page 69: Fortinet Fortigate

    A STRM Fortinet FortiGate DSM accepts FortiGate IPS/Firewall events using syslog. STRM records all relevant events. Before you configure STRM to integrate with the device, you must configure syslog within your FortiGate device. For more information on configuring a Fortinet FortiGate device, see your vendor documentation.
  • Page 71: Generic Authorization Server

    A STRM generic authorization server DSM accepts events using syslog. STRM records all relevant events. Before you configure STRM to integrate with a generic authorization server, you must: Step 1: Forward all authentication server logs to your STRM system. Note: For information on forwarding authentication server logs to STRM, see your generic authorization server vendor documentation.
  • Page 72 Step 5: Review the file to determine a pattern for successful login. For example, if your authentication server generates the following log message for accepted packets: Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2 The pattern for successful login is Accepted password. Add the following entry to the file:...
  • Page 73 Step 10: Review the file to determine a pattern, if present, for source IP address and source port. For example, if your authentication server generates the following log message: Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2 The pattern for source IP address is and the pattern for source port is from...
  • Page 75: Generic Firewall

    A STRM generic firewall server DSM accepts events using syslog. STRM records all relevant events. Before you configure STRM to integrate with a generic firewall, you must: Step 1: Forward all firewall logs to your STRM system. Note: For information on forwarding firewall logs from your generic firewall to STRM, see your firewall vendor documentation.
  • Page 76 For example, if your device generates the following log messages for accepted packets: Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp The pattern for accepted packets is Packet accepted. Step 6: Add the following to the file:...
  • Page 77 destination_port_pattern=<destination port pattern> protocol_pattern=<protocol pattern> Where <source ip pattern>, <source port pattern>, <destination ip pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns identified in Step. Note: Patterns are case insensitive and you can add multiple patterns. For multiple patterns, separate them using a # symbol.
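    The following is an added example, not code from the Juniper manual, showing how pattern files of the kind described for the generic authorization server (pages 72-73) and generic firewall (pages 76-77) DSMs can be applied to the two sample log lines quoted above. It assumes literal, case-insensitive patterns with # separating alternatives (as the note states) and that a field's value is the token immediately following its pattern; the key names other than destination_port_pattern and protocol_pattern, the pattern values, and the DROP_LINE sample are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed configuration in the style the manual describes for the generic
# DSMs: one <field>_pattern=<pattern> line per field, alternatives separated
# by '#'. Only destination_port_pattern and protocol_pattern appear verbatim
# in the manual excerpt; the other key names and all pattern values here are
# assumptions. More specific alternatives are listed first (see _find_after).
SAMPLE_CONFIG = """\
accepted_pattern=Packet accepted#Accepted password
source_ip_pattern=Source IP:#from
source_port_pattern=Source Port:#port
destination_ip_pattern=Destination IP:
destination_port_pattern=Destination Port:
protocol_pattern=Protocol:
"""

# The two sample log lines quoted in the manual excerpt.
FIREWALL_LINE = ("Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 "
                 "Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 "
                 "Protocol: tcp")
AUTH_LINE = ("Jun 27 12:11:21 expo sshd[19926]: Accepted password for root "
             "from 10.100.100.109 port 1727 ssh2")
# Constructed line that matches no accepted pattern and must be ignored.
DROP_LINE = "Aug. 5, 2005 08:30:01 Packet dropped. Source IP: 10.0.0.5 Protocol: udp"


def parse_patterns(config: str) -> Dict[str, List[str]]:
    """Read key=pattern lines; '#' separates alternative patterns for one key."""
    patterns: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        alternatives = [p.strip() for p in value.split("#") if p.strip()]
        if alternatives:
            patterns[key.strip()] = alternatives
    return patterns


def _find_after(line: str, pattern: str) -> Optional[str]:
    """Case-insensitive literal search; return the whitespace-delimited token
    that follows the pattern, with trailing punctuation removed.

    Literal patterns carry no word boundaries, so 'port' would also hit the
    'Port:' inside 'Source Port:'; the caller avoids that by trying the more
    specific alternative first.
    """
    idx = line.lower().find(pattern.lower())
    if idx < 0:
        return None
    rest = line[idx + len(pattern):].split()
    return rest[0].rstrip(".,;") if rest else None


def match_event(line: str, patterns: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Return the fields extracted from an accepted-event line, or None when no
    accepted_pattern alternative matches (the line is not an accepted event).
    """
    lowered = line.lower()
    if not any(p.lower() in lowered for p in patterns.get("accepted_pattern", [])):
        return None
    event: Dict[str, str] = {}
    for key, alternatives in patterns.items():
        if key == "accepted_pattern":
            continue
        field = key[:-len("_pattern")] if key.endswith("_pattern") else key
        for alt in alternatives:  # first matching alternative wins
            value = _find_after(line, alt)
            if value is not None:
                event[field] = value
                break
    return event


if __name__ == "__main__":
    pats = parse_patterns(SAMPLE_CONFIG)
    for sample in (FIREWALL_LINE, AUTH_LINE, DROP_LINE):
        print(match_event(sample, pats))
```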
  • Page 79 IBM AIX 5L A STRM IBM AIX 5L DSM accepts events using syslog. STRM records all relevant login, logoff, session opened, session closed, and accepted/failed password events. Note: If you are using syslog on a Unix host, we recommend that you upgrade the standard syslog to a more recent version, such as syslog-ng.
  • Page 80 IBM AIX 5L You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an IBM AIX 5L server, you must select the IBM AIX Server option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
  • Page 81: Ibm Proventia Management Siteprotector

    A STRM IBM Proventia Management SiteProtector DSM accepts SiteProtector events by polling the SiteProtector database, allowing STRM to record the relevant events. You can integrate SiteProtector version 2.0 with STRM. Before you configure STRM to integrate with SiteProtector, you should create a database user account and password.
  • Page 82 Password: <Password>; Polling Interval: <Default Interval>. Step 6: Click Save. For more information on configuring protocols, see Configuring Protocols in the Managing Sensor Devices Guide. Step 7: From the Administration Console, click the SIM Configuration tab. The SIM Configuration panel appears.
  • Page 83: Iss Proventia

    A STRM ISS Proventia DSM accepts ISS Proventia events using SNMP. STRM records all relevant events. You can integrate ISS Proventia version M10 v2.1_2004.1122_15.13.53 with STRM. Before you configure STRM to integrate with ISS Proventia, you must: In the Proventia Manager interface navigation pane, expand the System node.
  • Page 85: Juniper Dx Application Acceleration Platform

    The Juniper DX Application Acceleration Platforms off-load core networking and I/O responsibilities from web and application servers to improve the performance of web-based applications, increasing productivity of local, remote, and mobile users. A STRM Juniper DX Application Acceleration Platform DSM accepts events using syslog.
  • Page 87: Juniper Ex-Series Ethernet Switch

    A STRM Juniper EX-Series Ethernet Switch DSM accepts events using syslog. The STRM Juniper EX-Series Ethernet Switch DSM supports all Juniper EX-Series Ethernet Switches running JunOS 9.0. Before you configure STRM to integrate with a Juniper EX-Series Ethernet Switch, you must forward syslog to your STRM system.
  • Page 88 Options and their descriptions: kernel (Kernel); log-prefix (Prefix for all logging to this host); match (Regular expression for lines to be logged); Packet Forwarding Engine (option name not captured in this excerpt); user (User processes). For example: set system syslog host 10.77.12.12 firewall info configures the Juniper EX-Series Ethernet Switch to send info messages from firewall filtering systems to your STRM system.
  • Page 89: Juniper Netscreen Idp

    A STRM NetScreen IDP DSM accepts NetScreen IDP events using syslog. STRM records all relevant NetScreen IDP events. To integrate STRM with a Juniper NetScreen IDP device, you must: • Configure the IDP Sensor • Configure STRM to Collect IDP Events...
  • Page 90 Configuring STRM to Collect Syslog from an IDP Device: To configure STRM to receive events from a NetScreen IDP device, select the Juniper Networks Intrusion Detection and Prevention (IDP) option from the Sensor Device Type drop-down list box. For more information on configuring devices, see the Managing Sensor Devices Guide.
  • Page 91: Juniper Networks Secure Access

    • Syslog. See Using Syslog Format. Using WELF:WELF Format: To integrate a Juniper Networks Secure Access device with STRM using the WELF:WELF format: Step 1: Log in to your Juniper device administration interface: https://10.xx.xx.xx/admin Step 2: Configure syslog server information for events: If a WELF:WELF file is configured, go to Step e.
  • Page 92 Step 3: Configure syslog server information for user access: If a WELF:WELF file is configured, go to Step e. Otherwise, go to Step b. From the left panel, select System > Log/Monitoring > User Access > Filter. The Filter menu appears.
  • Page 93 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Juniper Networks Secure Access device, select Juniper Networks Secure Access (SA) SSL VPN from the Sensor Device Type drop-down list box.
  • Page 94 select Juniper Networks Secure Access (SA) SSL VPN from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Juniper device, see your vendor documentation.
  • Page 95: Juniper Infranet Controller

    • If you are using STRM 6.0, select Juniper InfranetController from the Sensor Device Type drop-down list box. • If you are using STRM 6.0.1 and above, select Juniper Networks Infranet Controller from the Sensor Device Type drop-down list box.
  • Page 97 STRM you are using: • Select NetScreen Firewall Appliance from the Sensor Device Type drop-down list box. • Select Juniper Networks NetScreen Firewall from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
  • Page 99: Juniper Netscreen Firewall

    The STRM Juniper NSM DSM accepts Juniper SSG Appliance events using syslog. All other devices supported by Juniper NSM, such as Juniper IDP or Juniper NetScreen Firewall, should be forwarded to STRM. For more information on advanced filtering of NSM logs, see your NSM documentation. To integrate a Juniper NSM device with STRM, you must: •...
  • Page 100 Step 2 To configure STRM to receive events from a Juniper NSM device, you must select the Juniper Networks NetScreen-Security Manager (NSM) option from the Sensor Device Type drop-down list box. For more information on configuring devices, see the Managing Sensor Devices Guide.
  • Page 101: Juniper Router

    A STRM Juniper Router DSM accepts events using syslog. STRM records all valid syslog events. The STRM Juniper Router DSM supports all Juniper devices running JunOS. Before you configure STRM to integrate with a Juniper Router, you must forward your syslog logs to your STRM system. To configure the routing platform to log system messages to STRM: Log in to your Juniper platform using SSH.
  • Page 102 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from Juniper Router, you must select the Juniper Networks Routing Platform, Juniper M-Series Multiservice Edge Routing, Juniper MX-Series Ethernet Services Router, or Juniper T-Series Core Platform option (depending on your Juniper platform) from the Sensor Device Type drop-down list box.
  • Page 103 A STRM Juniper Steel-Belted RADIUS DSM accepts syslog events from a client running the STRM Adaptive Log Exporter utility. STRM records all successful and unsuccessful login attempts. For more information on configuring your Steel-Belted Radius server, consult your vendor documentation. To integrate a Juniper Steel-Belted RADIUS DSM with STRM: Configure the STRM Adaptive Log Exporter utility for Juniper Steel-Belted Radius.
  • Page 105: Linux Dhcp

    A STRM Linux DHCP Server DSM accepts DHCP events using syslog. STRM records all relevant events from a Linux DHCP Server. Before you configure STRM to integrate with a Linux DHCP Server, you must configure syslog within the server.
  • Page 107: Linux Iptables

    A STRM Linux IPtables DSM accepts events using syslog. STRM records all relevant Accept, Drop, or Reject events. You can integrate IPTables version 2.4 with STRM. Before you configure STRM to integrate with IPtables, you must: Open the file.
  • Page 108 Note: The trailing space is required before the closing quotation mark. Step 7: Save and exit the file. Step 8: Restart IPtables: /etc/init.d/iptables restart. Step 9: Open the syslog.conf file. Step 10: Add the following line: kern.<log level><TAB><TAB>@<STRM ip> Where: <log level> is the previously set log level.
  • Page 109: Linux Login Messages

    STRM records all relevant login, logoff, session opened, session closed, and accepted/failed password events. Note: If you are using syslog on a Unix host, Juniper Networks recommends that you upgrade the standard syslog to a more recent version, such as syslog-ng.
  • Page 111: Mcafee Intrushield

    A STRM McAfee Intrushield DSM accepts events using syslog. You can integrate McAfee Intrushield version 4.x with STRM. STRM records all relevant events. Before you configure STRM to integrate with a McAfee Intrushield device, you must: Step 1: Log in to the McAfee Intrushield Manager. Click Configure in the dashboard.
  • Page 113: Mcafee Epolicy Orchestrator

    A STRM McAfee ePolicy Orchestrator (ePO) DSM accepts events using Java Database Connectivity (JDBC) or Simple Network Management Protocol (SNMPv1, SNMPv2, and SNMPv3). STRM records all relevant ePO events from JDBC. Thus, using this protocol is the preferred method. This document includes information on configuring STRM to access the ePO database using the JDBC protocol.
  • Page 114 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a McAfee ePolicy Orchestrator device, select the McAfee ePolicy Orchestrator option from the Sensor Device Type drop-down list box.
  • Page 115: Metainfo Metaip

    A STRM MetaInfo MetaIP DSM accepts MetaIP events using syslog. STRM records all relevant and available information from the event. Before configuring a MetaIP device in STRM, you must configure your device to send syslog to STRM. For more information regarding your MetaInfo MetaIP device, see your vendor documentation.
  • Page 117: Microsoft Exchange Server

    A STRM Microsoft Exchange Server DSM accepts Exchange mail and security events using three log formats, including NCSA. Before you configure STRM to integrate with the Microsoft Exchange Server DSM, you must: Step 1: In the IIS Manager menu tree, expand Local Computer. Expand Websites.
  • Page 118 For more information on configuring devices, see the Managing Sensor Devices Guide. For more information regarding your server, see your vendor documentation.
  • Page 119: Microsoft Dhcp Server

    A STRM Microsoft DHCP Server DSM accepts DHCP events using the STRM Adaptive Log Exporter. You can integrate Windows DHCP Server versions 2000/2003 with STRM using the Adaptive Log Exporter Windows DHCP devices. For more information on the Adaptive Log Exporter, see the STRM Adaptive Log Exporter Users Guide.
  • Page 121: Microsoft Ias Server

    A STRM Microsoft IAS Server DSM accepts RADIUS events using syslog. You can integrate Windows 2000/2003 Server IAS logs with STRM using the STRM Adaptive Log Exporter. For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.
  • Page 123: Microsoft IIS Server

    You can integrate a Microsoft Internet Information Services (IIS) 5.x or 6.x server with STRM. A STRM IIS DSM accepts IIS server events using syslog. STRM records all HTTP status code events. Before you configure STRM to integrate with an IIS server, you must: Step 1 Open the IIS console.
  • Page 124 Step 9 In the Log Directory field, enter the IIS log file location: %SystemRoot%\System32\LogFiles\ Note: By default, Snare for IIS is configured to look for logs in C:\WINNT\System32\LogFiles\. Step 10 For Destination, select Syslog. Step 11 For Delimiter, select TAB. Step 12 Select the Display IIS Header Information check box.
  • Page 125: Microsoft SQL Server

    A STRM Microsoft SQL Server DSM accepts SQL Server events using syslog. You can integrate Microsoft SQL Server 2000/2005 with STRM using the Adaptive Log Exporter. For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.
  • Page 127: Microsoft Windows Security Event Log

    A STRM Microsoft Windows Security Event Log DSM accepts relevant authentication and authorization events using syslog. You can integrate Windows 2000/XP with STRM using one of the following methods: • Use the STRM Adaptive Log Exporter. For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide. •...
  • Page 129: Niksun

    A STRM Niksun DSM accepts Niksun events using syslog. STRM records all relevant Niksun events. You can integrate NetDetector/NetVCR2005, version 3.2.1sp1_2 with STRM. Before you configure STRM to integrate with a Niksun device, you must configure syslog within your Niksun device. For more information on configuring Niksun, consult your Niksun documentation.
  • Page 131: Nokia Firewall

    A STRM Nokia Firewall DSM accepts events using the following methods: • Integrating Nokia Firewall Using Syslog • Integrating Nokia Firewall Using OPSEC. You can integrate Nokia Firewall version NG AI R55 with STRM. Integrating Nokia Firewall Using Syslog: This method ensures the STRM Nokia Firewall DSM accepts Nokia events using syslog.
  • Page 132 You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Nokia Firewall device using syslog, choose one of the following options: • If you are using STRM 6.0, select CheckPoint Firewall-1 Devices via Syslog from the Sensor Device Type drop-down list box.
  • Page 133 Integrating Nokia Firewall Using OPSEC (continued): Step 7 From the Host drop-down menu, select the STRM host object that you created. Step 8 From Application Properties, select User Defined as the Vendor Type. Step 9 From Client Entries, select LEA. Step 10 Select Communication and enter an activation key to configure the Secure Internal Communication (SIC) certificate. The activation key is the one-time secret that STRM must present when it pulls its SIC certificate, so record it and enter the same value on the STRM side.
  • Page 135: Nortel ARN

    A STRM Nortel ARN DSM accepts Nortel ARN events using syslog. STRM records all relevant events. Before you configure STRM to integrate with a Nortel ARN device, you must: Step 1 Open Site Manager. Step 2 In the Tools menu, select Configuration Manager > Dynamic. Step 3 In the Configuration Manager window, select Platform >...
  • Page 137: Nortel Application Switch

    Nortel Application Switches integrate routing and switching by forwarding traffic at layer 2 speed using layer 4-7 information. A STRM Nortel Application Switch DSM accepts events using syslog. STRM records all relevant status and network condition events. Before configuring a Nortel Application Switch device in STRM, you must configure your device to send syslog events to STRM.
  • Page 138 Severity levels (continued):
    • 2: Critical. The condition of the system is critical.
    • 3: Error. The system has errors that should be corrected.
    • 4: Warning. The system is issuing a warning.
    •...
  • Page 139: Nortel Contivity Firewall/VPN

    A STRM Nortel Contivity DSM accepts Contivity events using syslog. STRM records all relevant Contivity events. You can integrate Nortel Contivity Firewall/VPN version 5000 V04_85.160 with STRM. Before you configure STRM to integrate with a Contivity device, you must configure syslog within your Contivity device.
  • Page 141 Nortel Contivity Firewall/VPN (continued): A STRM Nortel Contivity DSM accepts Nortel Contivity events using syslog. STRM records all relevant events. Before you configure STRM to integrate with a Nortel Contivity device, you must: Step 1 Log in to the Nortel Contivity interface. Step 2 From the menu, select Admin >...
  • Page 143: Nortel Switched Firewall 5100

    A STRM Nortel Switched Firewall 5100 DSM accepts Check Point FireWall-1 events from a Check Point SmartCenter Server, which is managed by the Nortel Switched Firewall. STRM records all relevant events. Before configuring a Nortel Switched Firewall device in STRM, you must configure your Check Point SmartCenter Server to send events to STRM.
  • Page 144 where <facility> is a syslog facility, for example local3, and <priority> is a syslog priority, for example info. For example: $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 & Because this pipeline runs in the background from a startup file, check after each reboot that it is still running (for example with ps); if it dies, events stop arriving at STRM without any error on the firewall. Step 5 Save and exit the file. Step 6 Open the syslog.conf file and add the following: <...
  • Page 145 Integrating Nortel Switched Firewall Using OPSEC: This method ensures the STRM Nortel Switched Firewall 5100 DSM accepts Check Point FireWall-1 events using OPSEC. To enable Nortel Switched Firewall and STRM integration, you must: Step 1 Reconfigure Check Point SmartCenter Server. See Reconfiguring Check Point SmartCenter...
  • Page 146 Step 11 Click OK and then click Close. Step 12 To install the Security Policy on your firewall, select Policy > Install > OK.
  • Page 147: Nortel Switched Firewall 6000

    A STRM Nortel Switched Firewall 6000 DSM accepts Check Point FireWall-1 events from a Check Point SmartCenter Server, which is managed by the Nortel Switched Firewall. STRM records all relevant events. Before configuring a Nortel Switched Firewall device in STRM, you must configure your Check Point SmartCenter Server to send events to STRM.
  • Page 148 where <facility> is a syslog facility, for example local3, and <priority> is a syslog priority, for example info. For example: $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 & Step 5 Save and exit the file. Step 6 Open the syslog.conf file and add the following: <...
  • Page 149 Integrating Nortel Switched Firewall Using OPSEC: This method ensures the STRM Nortel Switched Firewall 6000 DSM accepts Check Point FireWall-1 events using OPSEC. To enable Nortel Switched Firewall and STRM 6.0 integration, you must: Step 1 Reconfigure Check Point SmartCenter Server. See Reconfiguring Check Point SmartCenter...
  • Page 150 Step 11 Click OK and then click Close. Step 12 To install the Security Policy on your firewall, select Policy > Install > OK.
  • Page 151: Nortel VPN Gateway

    A STRM Nortel VPN Gateway DSM accepts events using syslog. STRM records all relevant operating system (OS), system control, traffic processing, startup, configuration reload, AAA, and IPsec events. Before configuring a Nortel VPN Gateway device in STRM, you must configure your device to send syslog events to STRM.
  • Page 153: OpenBSD

    A STRM OpenBSD DSM accepts events using syslog. STRM records all relevant informational, authentication, and system level events. Before you configure STRM to integrate with OpenBSD, you must: Step 1 Log in as a root user. Step 2 Open the /etc/syslog.conf file. Step 3 Add the following line to the top of the file.
  • Page 155: Open Source Snort

    A STRM Open Source Snort DSM accepts Snort events using syslog. You can integrate Snort version 2.x with STRM. STRM records all relevant Snort events. Note: The procedure below applies to a system running Red Hat Enterprise Linux; it may vary for other operating systems.
  • Page 156 Step 12 Restart syslog: /etc/init.d/syslog restart You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Snort device, you must select the Snort Open Source IDS option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
  • Page 157: Oracle Audit Records

    Oracle databases track auditing events such as user logins and logouts, permission changes, table creation and deletion, and database inserts. STRM can collect these events for correlation and reporting purposes through the Oracle Audit DSM. For more information, see your Oracle documentation. Note: Oracle provides two modes of audit logs.
  • Page 158 *.audit_trail='DB' For syslog, make sure the following entries are configured instead: *.audit_trail='os' *.audit_syslog_level='local0.info' (AUDIT_SYSLOG_LEVEL is available from Oracle 10g Release 2 onward.) Writing the audit trail to syslog rather than into the database also keeps the records out of reach of a database administrator, because they never pass through a table the DBA controls. You must make sure the syslog daemon on the Oracle host is configured to forward the audit log to STRM. On systems running Red Hat Enterprise Linux, the following line in /etc/syslog.conf enables the forwarding:...
  • Page 159 Table 65-2 Configuring Sensor Device Parameters lists, for each parameter name, the value for Oracle v9i or 10g Release 1 and the value for Oracle v10g Release 2 and v11g. Database Name: for all supported versions of Oracle, the Database Name must be the exact service name used by the Oracle listener. You can view the available service names by running lsnrctl status on the Oracle host. Note: Make sure that the database user that STRM will use to query events from the...
  • Page 161: Oracle DB Listener

    All of the relevant information is retained. To install and configure the Perl script: Step 1 Access the Juniper Networks Support Web site (http://www.juniper.net/support), click the Management Software link and log in, then go to the Security Threat Response Manager link.
  • Page 162 Table 66-1 Command Parameters (continued): this parameter specifies the command line used to tail the log file (that is, to monitor any new output from the listener). The log file location differs across versions of the Oracle database; some examples: Oracle 9i: <install_directory>/product/9.2/network/log/listener.log...
  • Page 163 You are now ready to configure the Oracle Database Listener within STRM. To configure the protocol, select syslog from the Protocol drop-down list box. To configure the sensor device, select Oracle Database Listener from the Sensor Device Type drop-down list box and, in the Device Hostname/IP field, enter the address you specified with the script's -H option. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
  • Page 165: ProFTPD

    STRM can collect events from a ProFTPD server through syslog. By default, ProFTPD logs authentication-related messages to the local syslog using the auth (or authpriv) facility; all other logging uses the daemon facility. To log ProFTPD messages to STRM, use the SyslogFacility directive to change the default facility.
  • Page 167: Samhain

    The Samhain Host-Based Intrusion Detection System (HIDS) monitors changes to files on the system. The Samhain DSM supports Samhain version 2.4 when used for File Integrity Monitoring (FIM). You can configure the Samhain DSM to accept one of the following log types: •...
  • Page 168 Step 8 Restart syslog: /etc/init.d/syslog restart Samhain now sends logs to STRM using syslog. You are now ready to configure the Samhain DSM within the STRM interface. To configure STRM to receive events from Samhain, select Samhain from the Sensor Device Type drop-down list box. Using JDBC: You can configure Samhain to send log alerts to a database.
  • Page 169 Using JDBC (continued): where <Samhain SetDBPassword> is the database password specified in the samhainrc file. Step 6 Click Save. You are now ready to configure the Samhain DSM. To configure STRM to receive events from Samhain, select Samhain from the Sensor Device Type drop-down list box.
  • Page 171: Secure Computing Sidewinder

    A STRM Sidewinder DSM accepts Sidewinder events using syslog. STRM records and processes all Sidewinder events. Before you configure STRM to integrate with a Sidewinder device, you must configure syslog within your Sidewinder device. For more information on configuring Sidewinder, see your vendor documentation. Note: When configuring the Sidewinder device to forward syslog to STRM, make sure that the logs are exported in SEF format.
  • Page 173: Sun Solaris

    A STRM Sun Solaris DSM accepts Solaris authentication events using syslog. You can integrate Solaris version 5.8 with STRM. STRM records all relevant events. Before you configure STRM to integrate with a Solaris server, you must: Step 1 Log in as root user. Step 2 Open the file.
  • Page 175: Sun Solaris DHCP

    A STRM Sun Solaris DHCP DSM accepts Solaris DHCP events using syslog. STRM records all relevant events. Before you configure STRM to integrate with Solaris DHCP, you must: Step 1 Log in as root. Step 2 Open the /etc/default/dhcp file. Step 3 Enable logging of DHCP transactions to syslog by adding the following line:...
  • Page 176 For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding Solaris, see your vendor documentation.
  • Page 177: SonicWALL

    A STRM SonicWALL UTM/Firewall/VPN Appliance DSM accepts events using syslog. STRM records all relevant events from SonicOS software. Before you configure STRM to integrate with a SonicWALL UTM/Firewall/VPN device, you must configure syslog within the appliance. For more information on configuring SonicWALL, see your vendor documentation.
  • Page 179: Sun Solaris Sendmail

    A STRM Sun Solaris Sendmail DSM accepts Solaris Sendmail events using syslog. You can integrate Solaris Sendmail version 2.x with STRM. STRM records all relevant events. Before you configure STRM to integrate with Solaris Sendmail, you must: Step 1 Log in as root user. Step 2 Open the file.
  • Page 181: Sourcefire Intrusion Sensor

    A STRM Sourcefire Intrusion Sensor DSM accepts Sourcefire events using syslog. You can integrate Sourcefire versions IS 500, 2.x, and 3.x with STRM. STRM records all relevant Sourcefire events. Before you configure STRM to integrate with a Sourcefire device, you must: Step 1 Log in to your Sourcefire interface.
  • Page 183: Squid Web Proxy

    A STRM Squid Web Proxy DSM accepts events using syslog. STRM records all cache and access log events. Before you configure STRM to integrate with Squid Web Proxy, you must forward your cache and access logs to STRM. To configure Squid to forward your logs using syslog: Step 1 Log in to the Squid device.
  • Page 184 Step 7 Add the following line to send the logs to the STRM system: <facility>.<priority> @<STRM_IP_address> Where <facility> is the syslog facility of your Squid messages, <priority> is the priority of your Squid messages, and <STRM_IP_address> is the address of the STRM system. Note that a syslog.conf selector is written facility.priority (for example local4.info), never priority.facility, and that classic syslogd requires a tab, not spaces, between the selector and the @host action; a malformed selector is silently ignored and no events reach STRM.
  • Page 185: Symantec SGS

    A STRM Symantec Gateway Security (SGS) Appliance DSM accepts SGS events using syslog. STRM records all relevant events from SGS. Before you configure STRM to integrate with an SGS, you must configure syslog within your SGS appliance. For more information on Symantec SGS, see your vendor documentation.
  • Page 187: Symantec System Center

    A STRM Symantec System Center (SSC) DSM retrieves events from an SSC database using a custom STRM view. STRM records all SSC events. You must configure the SSC database with a user that has read and write privileges for the custom STRM view, which reports the correct information to STRM. Grant that account privileges on the view only, not on the underlying SSC tables.
  • Page 188 For information on configuring the JDBC protocol, see the Managing Sensor Devices Guide. Step 3 In the STRM interface, configure the sensor device. To configure STRM to receive events from an SSC device, you must select the Symantec System Center option from the Sensor Device Type drop-down list box.
  • Page 189: Symark PowerBroker

    Symark PowerBroker must forward its syslog (TCP) logs to STRM before you configure STRM to integrate with PowerBroker. To configure Symark PowerBroker to forward syslog to STRM: Step 1 Access the Juniper Networks Support Web site (http://www.juniper.net/support), click the Management Software link and log in, then go to the Security Threat Response Manager link.
  • Page 190 Table 78-1 Command Parameters (continued), descriptions of the remaining parameters: the receiving syslog host (the Event Collector host name or IP address being used to receive the logs); the TCP port to be used for sending events (514 if nothing is specified); and the host name or IP address to place in the syslog header of all sent events.
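    The Oracle Database Listener section (pages 161 to 163) and the Symark PowerBroker section (pages 189 to 190) both rely on a Juniper-supplied Perl script that tails a log file and ships each new line to the Event Collector as TCP syslog, taking a receiving host, a TCP port defaulting to 514, and a host name for the syslog header. The following is an added example written for this page, not that script: it implements the same forwarding pattern so the parameters can be seen working. The BSD syslog line layout, the local0 facility default, the tag names and the sample listener line are assumptions; STRM matches the sensor device on the header host, which is why it must equal the Device Hostname/IP entered in STRM.

```python
"""Forward new lines of a log file to STRM as TCP syslog.

Added example, not the Perl script Juniper provides for the Oracle
Database Listener and Symark PowerBroker DSMs. It mirrors the parameters
the manual lists for those scripts (receiving syslog host, TCP port
defaulting to 514, a host name placed in the syslog header). The BSD
syslog line format, the local0 default and the sample line are assumptions.
"""
import os
import socket
import time
from datetime import datetime
from typing import Iterator, Optional

# Facility and severity codes as defined for BSD syslog (RFC 3164, 4.1.1).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed listener.log-style line, used only to show the resulting record.
SAMPLE_LISTENER_LINE = (
    "05-JAN-2008 13:04:09 * (CONNECT_DATA=(SERVICE_NAME=orcl)) "
    "* (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.25)(PORT=40112)) * establish * orcl * 0"
)


def priority(facility: str, severity: str) -> int:
    """PRI value: facility * 8 + severity (local0.info gives 134)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def to_syslog_line(msg: str, header_host: str, tag: str,
                   facility: str = "local0", severity: str = "info",
                   when: Optional[datetime] = None) -> bytes:
    """Build '<PRI>Mmm dd hh:mm:ss host tag: msg\\n' for TCP delivery.

    Embedded newlines are collapsed so that one log line can never be turned
    into two syslog records by data an attacker managed to write into the log.
    """
    ts = when or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164 day is space padded
    msg = " ".join(msg.splitlines())
    return f"<{priority(facility, severity)}>{stamp} {header_host} {tag}: {msg}\n".encode("utf-8")


def sample_record() -> bytes:
    """The sample line as it would arrive at STRM, with a fixed timestamp."""
    return to_syslog_line(SAMPLE_LISTENER_LINE, "dbhost01", "oracle_listener",
                          when=datetime(2008, 1, 5, 13, 4, 9))


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """Yield each complete line appended to path after start (a minimal tail -f)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        partial = ""
        while True:
            chunk = fh.readline()
            if not chunk:
                time.sleep(poll_seconds)
                continue
            partial += chunk
            if partial.endswith("\n"):       # readline may return a partial line
                yield partial.rstrip("\r\n")
                partial = ""


def forward(path: str, collector: str, port: int = 514,
            header_host: Optional[str] = None, tag: str = "oracle_listener") -> None:
    """Tail path and send every new line to the Event Collector over TCP.

    header_host plays the role of the script's -H option: STRM matches the
    sensor device on this value, so it must equal the Device Hostname/IP
    configured for the device in STRM.
    """
    host = header_host or socket.gethostname()
    with socket.create_connection((collector, port)) as sock:
        for line in follow(path):
            sock.sendall(to_syslog_line(line, host, tag))


if __name__ == "__main__":
    print(sample_record().decode())
```

    To run it against a real listener, call forward() with the listener.log path from Table 66-1, the Event Collector address, and the same header host that is entered in STRM. Plain TCP syslog carries no authentication, so the collector believes whatever header host it receives; restrict 514/TCP on the Event Collector to the hosts that are meant to send.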
  • Page 191: Tipping Point Intrusion Prevention System

    A STRM TippingPoint Intrusion Prevention System (IPS) DSM accepts TippingPoint events using syslog. STRM records all relevant events. Before you configure STRM to integrate with TippingPoint, you must: • Configure the necessary notification contacts. See Configuring the Notification...
  • Page 192 Configuring an Action Set. To configure an action set: Step 1 Log in to the TippingPoint system. Step 2 From the LSM menu, select IPS > Action Sets. The IPS Profile - Action Sets window appears. Step 3 Click Create Action Set.
  • Page 193: TippingPoint X505/X506 Device

    A STRM TippingPoint X505/X506 DSM accepts events using syslog. All information the device logs can be delivered to a STRM server. Before configuring a TippingPoint X505/X506 device in STRM, you must configure your TippingPoint device to send syslog events to STRM. To configure the device to send system, audit, VPN, and firewall session log events to STRM: Step 1 Log in to the TippingPoint X505/X506 device.
  • Page 195: Top Layer

    A STRM Top Layer IPS DSM accepts Top Layer IPS events using syslog. STRM records and processes Top Layer events. Before you configure STRM to integrate with a Top Layer device, you must configure syslog within your Top Layer IPS device.
  • Page 197: Trend Micro InterScan VirusWall

    A STRM Trend Micro InterScan VirusWall DSM accepts events using syslog. You can integrate InterScan VirusWall logs with STRM using the STRM Adaptive Log Exporter. For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.
  • Page 199: Tripwire

    A STRM Tripwire DSM accepts resource addition, removal, and modification events using syslog. You can integrate Tripwire version 5.2 with STRM. Before you configure STRM to integrate with Tripwire, you must: Step 1 Log in to the Tripwire interface. Step 2 On the left side of the window, click Actions.
  • Page 201: Universal DSM

    STRM collects and correlates events from network infrastructure and security devices. Once the events are collected, and before correlation can begin, the individual events from these devices must be properly parsed to determine the event name, IP addresses, protocol, and ports. For common network devices (such as NetScreen firewalls), predefined DSMs have been engineered into STRM to parse all event messages from the respective devices.
  • Page 202 You can use a regular expression calculator to verify that a regular expression search pattern functions properly against the event string being parsed. You can download a commonly used freeware Windows-based regular expression calculator from http://www.silveragesoftware.com/rxl.html. Using Device Extensions: If you are running STRM 6.1.2 or above, we recommend that you use device extensions to associate a Universal DSM with devices.
  • Page 203 Universal DSM Example. Table 84-1 Example of Messages:
    Field              Firewall Accept Record   Firewall Deny Record
    Destination Port   6080                     1026
    Protocol           (not available)          (not available)
    User Name          John Doe                 (not available)
    Mac Address        00:01:23:45:67:89        (not available)
    Once the available data fields have been visually isolated, build individual regular expressions capable of searching and parsing the specific event messages to extract the necessary data field information.
  • Page 204 Step 5 Click Match. The regular expression calculator begins to process the search pattern against the sample text. If the search pattern is successful, the text is highlighted and the result field includes the term Success. Note: In the calculator's display, the orange highlights mark the white space, while the blue highlights contain the exact data to be returned from inside the parentheses.
  • Page 205 Universal DSM Example (continued): the table below details the regular expressions that successfully search and parse the event messages for the UNIX firewall used in this example. Table 84-2 Regular Expressions (columns: Field; Firewall Accept Record; Firewall Deny Record; Regular Expressions): Event Name | pass | block | \s(pass)\s &...
  • Page 206 Building the genericDSM.xml Configuration File: once the collection of regular expressions is complete, you must build the Universal DSM XML file. To build a Universal DSM XML file: Step 1 Log in to the STRM Event Collector using SSH. Step 2 Change the directory: cd /opt/qradar/conf...
  • Page 207 Building the Universal DSM XML Configuration File (continued):
    <Field Name="Source Mac Address"> <Patterns /> </Field>
    <Field Name="Destination Mac Address"> <Patterns /> </Field>
    <Field Name="Netbios Name"> <Patterns /> </Field>
    <Field Name="Group Name"> <Patterns /> </Field>
    <Field Name="Severity"> <Patterns />...
  • Page 208 • Capturing groups are numbered by counting their opening parentheses from left to right. In the expression ((A)(B(C))), for example, there are four such groups: 1 ((A)(B(C))), 2 (A), 3 (B(C)), 4 (C). Group zero always stands for the entire expression. • Capturing groups are so named because, during a match, each subsequence...
  • Page 209 Building the Universal DSM XML Configuration File (continued):
    </Field>
    <Field Name="Destination IP"> <Patterns> <Pattern Group="1" Order="1">\>\s(\d+\.\d+\.\d+\.\d+)\.</Pattern> </Patterns> </Field>
    <Field Name="Destination Port"> <Patterns> <Pattern Group="1" Order="1">\.(\d+)\:\s</Pattern> </Patterns> </Field>
    <Field Name="Source IP Pre NAT"> <Patterns /> </Field>
    <Field Name="Source Port Pre NAT"> <Patterns />...
  • Page 210 [0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F])</Pattern> </Patterns> </Field>
    <Field Name="Destination Mac Address"> <Patterns /> </Field>
    </Fields>
    </DSM>
    Note: For additional information regarding regular expressions, go to http://java.sun.com/j2se/1.5.0/docs/api/java/util/regex/Pattern.html Step 6 Once you complete the Pattern Group for each field, configure the Order parameter. The Order setting determines the precedence of patterns within a particular Pattern set.
  • Page 211 Configuring the Universal DSM within STRM (continued): Step 8 In the Tests and Filters area, from the first drop-down list box select the Device attribute; from the second drop-down list box select the Equals modifier to use for the search; from the Device Group drop-down list box select Other group; and from the Device drop-down list box select the new Universal DSM device.
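    The parsing the Universal DSM example describes (pages 203 to 210), as an added illustration written for this page rather than code from the manual or from STRM: each field gets a set of patterns, the Order attribute decides which pattern of a set is tried first, the Group attribute selects which capturing group supplies the value, and a field with an empty pattern set renders as <Patterns />. The Event Name, Destination IP and Destination Port regexes are the ones the manual quotes; the two sample log lines, the remaining regexes and the XML rendering are assumptions. STRM evaluates these patterns with java.util.regex, so Python's re is used here only as a stand-in; the escapes in the quoted patterns are valid in both.

```python
"""Universal DSM style field extraction: regex patterns with Group and Order.

Added example, not code from the Juniper manual or the STRM product. Field
names and the Group/Order attributes follow the genericDSM.xml fragments on
the page; the Event Name, Destination IP and Destination Port regexes are the
manual's, everything else (sample lines, other regexes, XML rendering) is an
assumption made for this illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Each field maps to (Group, Order, regex) triples. Order is the precedence
# among patterns of one field; Group is the capturing group that supplies the value.
FIELD_PATTERNS: Dict[str, List[Tuple[int, int, str]]] = {
    "Event Name": [(1, 1, r"\s(pass)\s"), (1, 2, r"\s(block)\s")],       # from the manual
    "Destination IP": [(1, 1, r"\>\s(\d+\.\d+\.\d+\.\d+)\.")],             # from the manual
    "Destination Port": [(1, 1, r"\.(\d+)\:\s")],                           # from the manual
    # Assumed: one regex serves two fields by selecting a different Group.
    "Source IP": [(1, 1, r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s\>")],
    "Source Port": [(2, 1, r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s\>")],
    "User Name": [(1, 1, r"user=([A-Za-z]+\s[A-Za-z]+)")],                 # assumed
    "Source Mac Address": [(1, 1, r"mac=([0-9a-fA-F]{2}(?:[:\-][0-9a-fA-F]{2}){5})")],  # assumed
    "Protocol": [],   # no pattern: rendered as <Patterns /> like the manual's empty fields
}

# Constructed sample records shaped like the manual's Table 84-1 rows.
SAMPLE_ACCEPT = (
    "Jan 12 10:15:32 fw1 pf: rule 12/0(match): pass in on em0: "
    "10.10.5.7.43212 > 192.168.20.9.6080: S 1:1(0) win 65535 "
    "user=John Doe mac=00:01:23:45:67:89"
)
SAMPLE_DENY = (
    "Jan 12 10:15:33 fw1 pf: rule 3/0(match): block in on em0: "
    "172.16.4.22.55100 > 192.168.20.9.1026: S 1:1(0) win 8192"
)


def extract_field(message: str, patterns: List[Tuple[int, int, str]]) -> Optional[str]:
    """Try a field's patterns in ascending Order; return the chosen Group of the first hit."""
    for group, _order, regex in sorted(patterns, key=lambda p: p[1]):
        match = re.search(regex, message)
        if match and match.lastindex is not None and group <= match.lastindex:
            return match.group(group)
    return None   # field not available in this message, as in Table 84-1


def parse_event(message: str) -> Dict[str, Optional[str]]:
    """Apply every field's pattern set to one raw event line."""
    return {name: extract_field(message, pats) for name, pats in FIELD_PATTERNS.items()}


def build_generic_dsm_xml(field_patterns: Dict[str, List[Tuple[int, int, str]]]) -> str:
    """Render the mapping in the <DSM><Fields><Field Name=...><Patterns> layout the manual shows.

    Only the elements visible on the page are emitted; take any further root
    attributes from the genericDSM.xml already present on the Event Collector.
    """
    dsm = ET.Element("DSM")
    fields = ET.SubElement(dsm, "Fields")
    for name, pats in field_patterns.items():
        field = ET.SubElement(fields, "Field", Name=name)
        patterns = ET.SubElement(field, "Patterns")
        for group, order, regex in sorted(pats, key=lambda p: p[1]):
            pattern = ET.SubElement(patterns, "Pattern", Group=str(group), Order=str(order))
            pattern.text = regex
    return ET.tostring(dsm, encoding="unicode")


if __name__ == "__main__":
    for line in (SAMPLE_ACCEPT, SAMPLE_DENY):
        for field, value in parse_event(line).items():
            print(f"{field:20s} {value if value is not None else '(not available)'}")
        print()
    print(build_generic_dsm_xml(FIELD_PATTERNS))
```

    Running the block prints pass/6080/John Doe for the accept record and block/1026/(not available) for the deny record, matching Table 84-1, and then the XML in the layout of pages 207 to 210. The Order rule matters whenever two patterns can both match a line: put the more specific pattern at the lower Order, or the generic one will always win.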
  • Page 213: Vericept Content 360 DSM

    A STRM Vericept Content 360 DSM accepts Vericept events using syslog. STRM records all relevant and available information from the event. Before configuring a Vericept device in STRM, you must configure your device to send syslog to STRM. For more information on configuring your Vericept device, consult your vendor documentation.
  • Page 215: Supported DSMs

    Table 86-1 provides information on the DSMs STRM supports. Note: For the latest DSM information and documentation, see the Juniper Networks Support web site. Table 86-1 Supported DSMs has the columns Manufacturer, DSM, Versions Supported, Events Accepted, Events Recorded, Option in STRM, and For More Information; the rows on the following pages are given in that order.
  • Page 216: Array Network SSL VPN

    Table 86-1 Supported DSMs (continued). Manufacturer: Array Network; DSM: SSL VPN; Versions supported: ArraySP v7.3; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: ArrayNetworks SSL VPN, in STRM 6.0.1 and above: Array Networks SSL VPN Access...; For more information: www.arraynetworks.net
  • Page 217 Table 86-1 Supported DSMs (continued). Manufacturer: Check Point; DSM: FireWall-1, OPSEC using Leapipe; Versions supported: NG, FP1, FP2, FP3, AI R54, AI R55, NGX; Events accepted: OPSEC; Events recorded: All relevant events; Option in STRM: In STRM 6.0: CheckPoint FireWall-1 Devices via Syslog...; For more information: www.checkpoint.
  • Page 218 Table 86-1 Supported DSMs (continued). Manufacturer: Cisco; DSM: Firewall Service Module (FWSM); Versions supported: v2.1 and above; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: Cisco FWSM, in STRM 6.0.1 and above: ...; For more information: www.cisco.com/public/support/tac documentation.ht
  • Page 219: Extreme Networks ExtremeWare

    Table 86-1 Supported DSMs (continued). Manufacturer: Cisco; DSM: Security Agent; Versions supported: v4.x and 5.x; Events accepted: SNMP; Events recorded: All relevant events; Option in STRM: In STRM 6.0: Cisco CSA, in STRM 6.0.1 and above: Cisco Security Agent (CSA); For more information: www.cisco.com/public/support/tac documentation.ht
  • Page 220 Table 86-1 Supported DSMs (continued). Manufacturer: F5 Networks; DSM: BigIP; Versions supported: v4.5, v9.x; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: F5 Networks BigIP; For more information: www.f5.com. Manufacturer: ForeScout; DSM: CounterACT; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: Forescout CounterACT; For more information: www.forescout.co... Manufacturer: Fortinet...
  • Page 221 Table 86-1 Supported DSMs (continued). Manufacturer: Juniper Networks; DSM: Secure Access (Network Access); Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: Juniper SA Series SSL/VPN, in STRM 6.0.1 and above: Juniper Networks Secure Access (SA) SSL VPN; For more information: www.juniper.net. Manufacturer: Juniper Networks; DSM: DX Application Acceleration; Events accepted: Syslog; Events recorded: All relevant status and network condition...; Option in STRM: Juniper DX Application Acceleration; For more information: www.juniper.net
  • Page 222 Table 86-1 Supported DSMs (continued). Manufacturer: Juniper Networks; DSM: NetScreen-Security Manager (NSM); Versions supported: 2007.1r2 to 2007.2r2; Events accepted: Syslog; Events recorded: All relevant NSM events; Option in STRM: In STRM 6.0: Juniper NSM, in STRM 6.0.1 and above: Juniper Networks NetScreen-Security Manager (NSM); For more information: www.juniper.net. Manufacturer: Juniper Networks; DSM: Router (NetFlow); Versions supported: v7.0 to v8.5; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: Juniper Router, in STRM 6.0.1...; For more information: www.juniper.net
  • Page 223 Table 86-1 Supported DSMs (continued). Manufacturer: McAfee; DSM: IntruShield Network IPS Appliance; Versions supported: v2.1.x and above; Events accepted: Syslog, SNMPv1, SNMPv2, SNMPv3; Events recorded: All relevant events; Option in STRM: McAfee IntruShield; For more information: www.mcafee.com. Manufacturer: McAfee; DSM: ePolicy Orchestrator; Versions supported: v3.5 - v4.0; Events accepted: SNMP; Events recorded: All relevant events; Option in STRM: McAfee ePolicy...
  • Page 224: Oracle Audit Records

    Table 86-1 Supported DSMs (continued). Manufacturer: Nokia; DSM: VPN-1; Versions supported: NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and above; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: CheckPoint FireWall-1 Devices via...; For more information: www.nokia.com
  • Page 225 Table 86-1 Supported DSMs (continued). Manufacturer: Oracle; DSM: Database Listener; Versions supported: v9i, v10g, and v11g; Events accepted: Syslog; Events recorded: All relevant Oracle Listener events; Option in STRM: Oracle Database Listener; For more information: www.oracle.com. Manufacturer: ProFTPD; DSM: ProFTPd; Versions supported: v1.2.x, v1.3.x; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: ProFTPD Server; For more information: www.proftpd.org. Manufacturer: Samhain...
  • Page 226 Table 86-1 Supported DSMs (continued). Manufacturer: Sun; DSM: Solaris Sendmail; Versions supported: v2.x; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: Solaris Sendmail, in STRM 6.0.1 and above: Solaris Operating System Sendmail Logs; For more information: www.sun.com. Manufacturer: Squid...
  • Page 227 Table 86-1 Supported DSMs (continued). Manufacturer: TopLayer; DSM: IPS 5500; Versions supported: v4.1 and above; Events accepted: Syslog; Events recorded: All relevant events; Option in STRM: In STRM 6.0: TopLayerIPS, in STRM 6.0.1 and above: Top Layer Intrusion Prevention...; For more information: www.toplayer.co