Enterasys Dragon 7.x to CS-MARS 6.0.3 issues

Unanswered Question
Apr 29th, 2009

I am running 6.0.3 MARS, Data Package Version: 32, Signature Version: 396. We have recently stood up an Enterasys Dragon 7.2.3.


I followed the instructions for adding the device type for a Dragon 6.x device and with some differences on the Enterasys side I am able to push syslog messages from the Enterasys Dragon Network IDS to CS-MARS. The messages are received and when I query against the reporting device I get all the raw messages but they are categorized as Unknown Device Event Type for all of them.


I went into Management->Device Type Management and under Dragon NDIS 6.X I see all the Device Event Types that match (for the most part) with the Dragon Signature Names when I click in to Edit Parser. However, when I click a specific Event Type there are no positions/keys/values etc.


I edited and added my own Key-Value regexes, and after cutting and pasting the Raw Message into the Test I am able to parse out all the relevant Values. But still, MARS does not recognize any raw messages as a specific Device Event Type.


Does anybody have any insight on how I can parse/map the Dragon 7.x raw messages to a MARS device event type?


Should I create a new device and device types from scratch? Or are there updated device packages out there?


Has anyone successfully integrated Dragon 7.x to CS-MARS?


Here is a sample raw message

<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT from Sensor=XXXX-VS0 SrcIP=1XX.1XX.1XX.2XX DstIP=1XX.1XX.3.4X SrcPort=53 DstPort=3929 Protocol=17


I can provide my custom device type pattern/parse if needed, but the test works against it parsing all the relevant values. Additionally I can change the format of the syslog message from the Alarmtool within Dragon if needed. But I am not certain how MARS determines the device event type for pre-defined devices.


Thanks in advance!


Ray
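For anyone else wiring Dragon 7.x alarmtool syslog into a collector, here is an added example (not code from the poster, Cisco or Enterasys) that parses the raw message format quoted above: it decodes the RFC 3164 PRI, reorders the time/date stamp, splits SigName into its group and name, and extracts the Key=Value pairs. The sample line, sensor name and IPs are constructed (documentation address ranges), not real data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample line in the Dragon 7.x alarmtool format quoted in the post.
# Sensor name and IPs are placeholders (RFC 5737 documentation ranges), not real data.
SAMPLE = ("<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT "
          "from Sensor=LAB-VS0 SrcIP=192.0.2.10 DstIP=198.51.100.4 "
          "SrcPort=53 DstPort=3929 Protocol=17")

# RFC 3164 PRI = facility * 8 + severity; facility codes 16..23 are local0..local7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {16 + i: "local%d" % i for i in range(8)}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>alarmtool:\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")          # one Key=Value token; bare 'from' is skipped

@dataclass
class DragonEvent:
    facility: str
    severity: str
    timestamp: str                           # ISO 8601, date and time reordered
    sig_group: str                           # e.g. "DNS" from DNS:CACHE-POISON-ATTEMPT
    sig_name: str                            # e.g. "CACHE-POISON-ATTEMPT"
    fields: Dict[str, str] = field(default_factory=dict)

def parse_dragon_alarm(line: str) -> DragonEvent:
    """Parse one alarmtool syslog line into PRI, timestamp and Key=Value fields."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a Dragon alarmtool line: %r" % line[:40])
    fac_code, sev_code = divmod(int(m["pri"]), 8)
    if fac_code > 23:                        # PRI above 191 is invalid per RFC 3164
        raise ValueError("PRI out of range")
    fields = dict(KV_RE.findall(m["body"]))
    group, sep, name = fields.get("SigName", "").partition(":")
    if not sep:                              # no GROUP: prefix, keep whole string as name
        group, name = "", group
    for port in ("SrcPort", "DstPort"):      # reject non-numeric ports early
        if port in fields and not fields[port].isdigit():
            raise ValueError("bad %s value" % port)
    return DragonEvent(
        facility=FACILITIES.get(fac_code, "facility%d" % fac_code),
        severity=SEVERITIES[sev_code],
        timestamp="%sT%s" % (m["date"], m["time"]),
        sig_group=group, sig_name=name, fields=fields)

if __name__ == "__main__":
    print(parse_dragon_alarm(SAMPLE))
```

The SigName value is the natural key to match against the Device Event Type names seen under Edit Parser, since those track the Dragon signature names.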

