Symantec Logs in MARS

Jan 6th, 2009

I am trying to get Symantec v10 to export its logs to MARS so I can get virus alerts, but I am having issues. I have followed the instruction guide for Symantec integration (http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chSymantecAv.html) and I am getting the traps when I test it. However, when I put a keylogger on a machine and do a scan with Symantec, the log shows up in MARS like this:


SNMPv2-SMI::enterprises.343.2.5.1.1 10.101.102.204 SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" SNMPv2-SMI::enterprises.343.2.5.1.1.8.0 1231270892 SNMPv2-SMI::enterprises.343.2.5.1.1.9.0 0 SNMPv2-SMI::enterprises.343.2.5.1.1.10.0 "Intel Alert Management System II" SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "41 6C 65 72 74 3A 20 3C 41 6C 65 72 74 20 4E 61 6D 65 20 3E 0D 0A 43 6F 6D 70 75 74 65 72 3A 20 3C 43 6F 6D 70 75 74 65 72 20 4E 61 6D 65 20 3E 0D 0A 44 61 74 65 3A 20 3C 44 61 74 65 20 3E 0D 0A 54 69 6D 65 3A 20 3C 54 69 6D 65 20 3E 0D 0A 41 63 74 69 6F 6E 3A 20 3C 41 63 74 75 61 6C 20 41 63 74 69 6F 6E 20 3E 0D 0A 44 65 73 63 72 69 70 74 69 6F 6E 3A 20 3C 44 65 73 63 72 69 70 74 69 6F 6E 20 3E " SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 63 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0


Does anyone know what the issue is? It is supposed to be getting parsed but the information looks like SNMP data, not actual log data.

MarcusWise Sun, 01/11/2009 - 19:12

I've set up SAVCE 10 to report to MARS using the same setup outlined in the linked documentation. I've been getting events without any issues so far, and I can't say that I recall having to deviate to make any of it work. I also can't find any events that I've received that match the one you've posted. Following is a raw event reported as a risk being repaired:


enterprises.343.2.5.1.1.11.0 "Alert: Risk Repaired..Computer: Workstation..Date: 12/29/2008..Time: 10:03:20 AM..Severity: Warning..Source: Symantec AntiVirus Corporate Edition..Risk Name: Trojan Horse..Logger: Forward from client:Auto-Protect..File Path: C:\\Documents and Settings\\username\\Local Settings\\Temporary Internet Files\\Content.IE5\\2Z5OOIXS\\to[1].htm..User: username..Corrective Actions: 0" SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 8 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0


I'm using 6.01, but I don't believe the version should make any difference for 6.0+. If the proper events are selected in AMS on the SAV server, perhaps the wrong application is assigned to the reporting device in MARS.

patwill66_2 Mon, 01/12/2009 - 05:51

I tested the traps coming from Symantec this morning and they are working fine. I sent them to a different trap server I have and this is what the trap showed:


sysUpTime=12 days 22 hours 11 minutes 50.05 seconds
snmpTrapOID=Intel-Common-MIB:ld-alarms.0.6
ld-alarms.12.0=server anem
ld-alarms.8.0=1231767784
ld-alarms.9.0=0
ld-alarms.10.0=Intel Alert Management System II
ld-alarms.11.0=Alert: Virus Found
Computer: workstation
Date: 1/12/2009
Time: 7:43:04 AM
Action: Quarantine
Severity: Critical
Source: Symantec AntiVirus Corporate Edition
File Path: C:\Documents and Settings\username\Desktop\ipscanner\RevelationV2.zip
Logger: Forward from server:Manual
Requested Action: Quarantine
User: SYSTEM
Virus:
severity=16
ld-alarms.13.0=0
experimental.1057.1=10.101.102.204
snmpTrapEnterprise=Intel-Common-MIB:ld-alarms




However, the raw message in MARS shows this:


SNMPv2-SMI::enterprises.343.2.5.1.1 10.101.102.204 SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" SNMPv2-SMI::enterprises.343.2.5.1.1.8.0 1231767784 SNMPv2-SMI::enterprises.343.2.5.1.1.9.0 0 SNMPv2-SMI::enterprises.343.2.5.1.1.10.0 "Intel Alert Management System II" SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "41 6C 65 72 74 3A 20 56 69 72 75 73 20 46 6F 75 6E 64 0D 0A 43 6F 6D 70 75 74 65 72 3A 20 56 52 43 2D 57 45 42 53 31 0D 0A 44 61 74 65 3A 20 31 2F 31 32 2F 32 30 30 39 0D 0A 54 69 6D 65 3A 20 37 3A 34 33 3A 30 34 20 41 4D 0D 0A 41 63 74 69 6F 6E 3A 20 51 75 61 72 61 6E 74 69 6E 65 0D 0A 53 65 76 65 72 69 74 79 3A 20 43 72 69 74 69 63 61 6C 0D 0A 53 6F 75 72 63 65 3A 20 53 79 6D 61 6E 74 65 63 20 41 6E 74 69 56 69 72 75 73 20 43 6F 72 70 6F 72 61 74 65 20 45 64 69 74 69 6F 6E 0D 0A 46 69 6C 65 20 50 61 74 68 3A 20 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 70 61 74 72 69 63 6B 2E 77 69 6C 6C 69 61 6D 73 6F 6E 5C 44 65 73 6B 74 6F 70 5C 69 70 73 63 61 6E 6E 65 72 5C 52 65 76 65 6C 61 74 69 6F 6E 56 32 2E 7A 69 70 0D 0A 4C 6F 67 67 65 72 3A 20 46 6F 72 77 61 72 64 20 66 72 6F 6D 20 73 65 72 76 65 72 3A 4D 61 6E 75 61 6C 0D 0A 52 65 71 75 65 73 74 65 64 20 41 63 74 69 6F 6E 3A 20 51 75 61 72 61 6E 74 69 6E 65 0D 0A 55 73 65 72 3A 20 53 59 53 54 45 4D 20 0D 0A 56 69 72 75 73 3A 20 " SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0



I have verified that Symantec 10.x is selected in MARS as the application.

MarcusWise Mon, 01/12/2009 - 07:41

Could you try the EICAR test and see what type of event (if any) is logged in MARS? Perhaps the test message generated by the AMS console is just not classified in MARS.

patwill66_2 Mon, 01/12/2009 - 10:05

I have a password recovery program that gets flagged by Symantec that I use to test. I just run a manual scan on the directory where the program is located and it gets flagged in Symantec as a hacktool.


I have tried the test message as well from Symantec, but it still doesn't come through MARS correctly. When MARS receives any message from Symantec, it shows as an unknown device event type.

MarcusWise Mon, 01/12/2009 - 12:21

The only thing that stands out to me is that your SNMP trap has different information in it than the one I posted. I suspect either the SNMP trap created on the AMS is not exactly like the documentation, or something else along the path is malforming the SNMP packets.


Would it be possible to post some screenshots of your config?

patwill66_2 Wed, 01/14/2009 - 06:41

I read a key piece of the documentation that I missed the first time.


"For MARS Appliance models 25, 55, 110, 210, and GC2, do not include a CR/LF (Enter key) in the action message. "


I had carriage returns in my AMS message config. I took them out and used spaces and now the message shows up like a real message.


enterprises.343.2.5.1.1.11.0 "Alert: Virus Found Computer: VRC-WEBS1 Date: 1/14/2009 Time: 8:28:23 AM Action: Quarantine Description: Severity: Critical Source: Symantec AntiVirus Corporate Edition File Path: C:\\Documents and Settings\\username\\Desktop\\ipscanner\\RevelationV2.zip Logger: Forward from server:Manual User: SYSTEM Virus: " SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0


The one thing that isn't happening is the message is still not being parsed. It is showing up as an Unknown Device Event Type. I will attach my config in Symantec. It looks right based on the guide. The guide shows that these fields need to be listed first:


• Alert:
• Computer:
• Date:
• Time:
• Action:


And I do have Symantec 10.x and 9.x listed as an application for the server in MARS.
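As an added diagnostic (not code from this thread, from Cisco or from Symantec), the Python below takes a raw MARS event line like the ones pasted above, decodes the `.11.0` varbind when MARS has rendered it as hex bytes, flags the embedded CR/LF that the guide says to leave out of the action message, and splits the message into its labelled fields. The two sample event lines are constructed to mirror the thread's before and after output; `diagnose_event` and the other helpers are names chosen here.

```python
import re

# OID of the AMS action-message varbind quoted in the raw MARS events above.
MESSAGE_OID = "SNMPv2-SMI::enterprises.343.2.5.1.1.11.0"
# Field labels used in the AMS action message (the guide wants Alert..Action first).
FIELD_LABELS = ("Alert", "Computer", "Date", "Time", "Action", "Description",
                "Severity", "Source", "Risk Name", "File Path", "Logger",
                "Requested Action", "Corrective Actions", "User", "Virus")
_LABEL_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELD_LABELS)) + r"):")
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")

# Constructed sample: CR/LF (0D 0A) left in the message make the varbind render as hex.
SAMPLE_HEX_EVENT = (
    'SNMPv2-SMI::enterprises.343.2.5.1.1 10.0.0.1 '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "41 6C 65 72 74 3A 20 56 69 72 '
    '75 73 20 46 6F 75 6E 64 0D 0A 43 6F 6D 70 75 74 65 72 3A 20 57 53 31 0D '
    '0A 41 63 74 69 6F 6E 3A 20 51 75 61 72 61 6E 74 69 6E 65 0D 0A " '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16'
)
# Constructed sample: the same message after CR/LF were replaced with spaces.
SAMPLE_FIXED_EVENT = (
    r'SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "Alert: Virus Found Computer: WS1 '
    r'Date: 1/14/2009 Time: 8:28:23 AM Action: Quarantine Severity: Critical '
    r'File Path: C:\\Temp\\sample.zip User: SYSTEM Virus: " '
    r'SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16'
)

def extract_varbind(event, oid):
    """Return the quoted value that follows `oid` in a raw event line, or None."""
    m = re.search(re.escape(oid) + r'\s+"((?:[^"\\]|\\.)*)"', event)
    return m.group(1) if m else None

def decode_varbind_value(value):
    """Turn a hex-rendered OCTET STRING back into text; plain text passes through."""
    if _HEX_RE.match(value):
        return bytes.fromhex(re.sub(r"\s", "", value)).decode("latin-1"), True
    return value, False

def parse_alert_fields(text):
    """Split 'Label: value' pairs whether separated by CR/LF or by spaces."""
    fields, matches = {}, list(_LABEL_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields

def diagnose_event(event):
    """Report hex rendering, embedded CR/LF (the MARS parsing blocker) and the fields."""
    text, was_hex = decode_varbind_value(extract_varbind(event, MESSAGE_OID) or "")
    return {"hex_encoded": was_hex, "contains_crlf": "\r" in text or "\n" in text,
            "fields": parse_alert_fields(text)}
```

Run `diagnose_event` on an event copied from the MARS raw message view: `hex_encoded` and `contains_crlf` both true means the AMS action message still carries line breaks.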

