Generic Firewall - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual

Configuring DSMs

GENERIC FIREWALL
A STRM generic firewall server DSM accepts events using syslog. STRM records
all relevant events. Before you configure STRM to integrate with a generic firewall,
you must:
Step 1 Forward all firewall logs to your STRM system.
Note: For information on forwarding firewall logs from your generic firewall to
STRM, see your firewall vendor documentation.
Step 2 Open the following file:
/opt/qradar/conf/genericFirewall.conf
Note: Make sure you copy this file to systems hosting the Event Collector and the
Console.
Step 3 Restart the Tomcat server:
service tomcat restart
A message appears indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the
regex_enabled property accordingly. By default, regular expressions are disabled.
For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular
expressions (regexes) based on the tags you entered while attempting to retrieve
the corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regexes
to control patterns. These regexes are applied directly to the logs and the first
captured group is returned. When defining custom regex patterns, you must
adhere to the regex rules defined by the Java programming language. For more
information, see the following web site:
http://java.sun.com/docs/books/tutorial/extra/regex/
To integrate a generic firewall with STRM, make sure you specify the classes
directly instead of using the predefined classes. For example, the digit class
(/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers, re-write the
expression to use the primitive qualifiers (/?/, /*/ and /+/).
Step 5 Review the file to determine a pattern for accepted packets.
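As an added example, not part of this guide: a small Python check for the pattern rules above (explicit character classes, only the primitive qualifiers ?, * and +) and a first-captured-group extraction over constructed firewall log lines, which is what the DSM does with regex_enabled=true. Python's re module stands in for the Java regex engine the DSM uses; the constructs involved behave the same in both. The tag names, sample lines and pattern set are assumptions.

```python
import re

# Constructed sample syslog lines from a hypothetical firewall (not from the guide).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw1 kernel: ACCEPT src=192.0.2.10 dst=198.51.100.5 proto=TCP dpt=443",
    "Jan 10 12:00:02 fw1 kernel: DROP src=203.0.113.7 dst=198.51.100.5 proto=UDP dpt=53",
]

# Building blocks written in the constrained style the guide requires:
# explicit classes instead of \d, and ?/*/+ instead of numeric quantifiers like {1,3}.
OCTET = "[0-9][0-9]?[0-9]?"                       # stands in for \d{1,3}
IPV4 = OCTET + "\\." + OCTET + "\\." + OCTET + "\\." + OCTET

# Assumed tag-name-to-pattern mapping; the first capture group is the value returned.
PATTERNS = {
    "action": "kernel: (ACCEPT|DROP) ",
    "src_ip": "src=(" + IPV4 + ")",
    "dst_port": "dpt=([0-9]+)",
}

# Constructs the guide says not to use: predefined classes (\d, \w, \s and
# their negations) and numeric qualifiers such as {3} or {1,3}.
FORBIDDEN = re.compile(r"\\[dDwWsS]|\{[0-9]+(,[0-9]*)?\}")


def check_pattern(pattern):
    """Return every forbidden construct found in a custom pattern (empty list if it conforms)."""
    return [m.group(0) for m in FORBIDDEN.finditer(pattern)]


def first_group(pattern, line):
    """Apply a custom regex to one log line and return its first captured group, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def parse_line(line, patterns=PATTERNS):
    """Extract every tag's value from a single log line."""
    return {name: first_group(p, line) for name, p in patterns.items()}


if __name__ == "__main__":
    for name, p in PATTERNS.items():
        print(name, "violations:", check_pattern(p))
    for line in SAMPLE_LOGS:
        print(parse_line(line))
```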