Enterasys Dragon 7.x to CS-MARS 6.0.3 issues

redray8
Level 1

I am running 6.0.3 MARS, Data Package Version: 32, Signature Version: 396. We have recently stood up an Enterasys Dragon 7.2.3.

I followed the instructions for adding the device type for a Dragon 6.x device and with some differences on the Enterasys side I am able to push syslog messages from the Enterasys Dragon Network IDS to CS-MARS. The messages are received and when I query against the reporting device I get all the raw messages but they are categorized as Unknown Device Event Type for all of them.

I went into Management->Device Type Management and under Dragon NDIS 6.X I see all the Device Event Types that match (for the most part) with the Dragon Signature Names when I click in to Edit Parser. However, when I click a specific Event Type there are no positions/keys/values etc.

I edited and added my own Key-Value regexes, and when I cut/paste the Raw Message into the Test I am able to parse out all the relevant Values. But still, MARS does not recognize any raw messages as a specific Device Event Type.

Does anybody have any insight on how I can parse/map the Dragon 7.x raw messages to a MARS device event type?

Should I create a new device and device types from scratch? Or are there updated device packages out there?

Has anyone successfully integrated Dragon 7.x to CS-MARS?

Here is a sample raw message

<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT from Sensor=XXXX-VS0 SrcIP=1XX.1XX.1XX.2XX DstIP=1XX.1XX.3.4X SrcPort=53 DstPort=3929 Protocol=17

I can provide my custom device type pattern/parse if needed, but the test works against it parsing all the relevant values. Additionally I can change the format of the syslog message from the Alarmtool within Dragon if needed. But I am not certain how MARS determines the device event type for pre-defined devices.

Thanks in advance!

Ray
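The post's sample line has a regular shape: a syslog PRI, the `alarmtool:` tag, a time and a date, then space-separated `Key=Value` pairs with a stray `from` token between `SigName` and `Sensor`. The following is an added example (not code from the post, not part of CS-MARS or Dragon) of a parser for that shape, written to check what a key-value parser can actually recover from these messages and to show what a lookup of `SigName` against a list of known event-type names would yield. The sample message, the sensor name, the addresses and the `known_types` set are constructed placeholders; the way MARS itself matches a raw message to a Device Event Type is not known from the post and is not modelled here.

```python
import re
from typing import Any, Dict, Optional, Set

# Syslog facility and severity names (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header layout taken from the sample in the post: <PRI>alarmtool: HH:MM:SS YYYY-MM-DD <body>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>alarmtool:\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<body>.*)$"
)
# Key=Value pairs; bare words such as "from" carry no "=" and are skipped.
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>\S+)")
INT_KEYS = {"SrcPort", "DstPort", "Protocol"}

# Constructed sample line (placeholder sensor name and RFC 5737 documentation addresses).
SAMPLE = ("<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT "
          "from Sensor=SENSOR-VS0 SrcIP=192.0.2.10 DstIP=198.51.100.4 "
          "SrcPort=53 DstPort=3929 Protocol=17")


def parse_dragon_alarm(line: str) -> Optional[Dict[str, Any]]:
    """Parse one alarmtool syslog line into a dict, or return None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest valid PRI
        return None
    event: Dict[str, Any] = {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        # Dragon writes time before date; reorder into an ISO 8601 local timestamp.
        "timestamp": f"{m.group('date')}T{m.group('time')}",
    }
    for kv in KV_RE.finditer(m.group("body")):
        key, value = kv.group("key"), kv.group("value")
        event[key] = int(value) if key in INT_KEYS and value.isdigit() else value
    return event


def classify(event: Dict[str, Any], known_types: Set[str]) -> str:
    """Hypothetical event-type lookup: match SigName (case-insensitively) against a set of
    known Device Event Type names; unmatched messages fall back to the label the post
    reports seeing in MARS."""
    sig = str(event.get("SigName", ""))
    for name in known_types:
        if name.lower() == sig.lower():
            return name
    return "Unknown Device Event Type"


if __name__ == "__main__":
    parsed = parse_dragon_alarm(SAMPLE)
    print(parsed)
    print(classify(parsed, {"DNS:CACHE-POISON-ATTEMPT"}))
    print(classify(parsed, set()))
```

Running the block prints the parsed fields for the constructed sample (facility `local6`, severity `debug`, the signature name, sensor, addresses, ports and protocol as integers) and then shows the same event resolving to its signature name when that name is in the known set and to `Unknown Device Event Type` when it is not, which is the symptom the post describes. A practical use of the `SigName` list produced this way is to diff it against the Device Event Type names shown under Edit Parser and see which signature names differ.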

1 Reply

jdenis
Level 1

Ray,

Can you share your custom Log Parser for Enterasys Dragon 7.x.x?
