Mars 6.0.7 Syslog Requirement for Enterasys Dragon NIDS 7.x

Answered Question
Jul 28th, 2010

Apparently the MARS docs are incorrect when it comes to fashioning a syslog message from a Dragon 7.x NIDS. I formatted the message as requested but MARS keeps displaying "Unknown Device Event". The Event IDs are correct but MARS does not recognize the syslog messages as coming from the Dragon. Does anyone know what the MARS parser is expecting for an Enterasys message? As I said, I used the example in the MARS 6.x Device Configuration Guide and it did not work. One of the MARS guides actually displays what is expected for a Snort message and I was hoping there was such an example for Dragon. Thanks.

Correct Answer by dgrannas about 6 years 7 months ago

You can create a support package from the Dragon 6.x signatures provided by MARS and fashion them for 7.x. I wish I could provide the support package we created but we are not allowed to export it from the customer site. Basically here is what you do:


1. Create your own Device Type for Dragon 7.x. You can define it as an appliance or software but we opted for "appliance".

2. Modify your Dragon ESM to export syslog messages in the following format:

    %DATE% %TIME% SrcIP=%SIP% SrcPort=%SPORT% DstIP=%DIP% DstPort=%DPORT% Protocol=%PROTO% %NAME% %SENSOR%


We tested this with an NMAP scan which resulted in the following syslog message as received by MARS:

<175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1


3. Create one Device Event Type using the following parse pattern:


Position  Key Pattern    Parsed Field         Value Type        Value Format        Value Pattern
1         alarmtool:     Device Time          Time              %Y-%m-%d %H:%M:%S   \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}
2         .+SrcIP\=      Source Address       IPV4 Dotted Quad                      (\d{1,3}\.){3}\d{1,3}
3         .+SrcPort\=    Source Port          Port Number                           ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
4         .+DstIP\=      Destination Address  IPV4 Dotted Quad                      (\d{1,3}\.){3}\d{1,3}
5         .+DstPort\=    Destination Port     Port Number                           ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
6         .+Protocol\=   Protocol             Protocol Number                       ((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)
7         .+TCP-SCAN     None                 String                                ([\w-]+)\-?[\w-]{3}


4. You can now export a support package that will give you the XML format needed for your new 7.x support package. The XML file will reside in the ZIP file created by the export process.


5. You will now need the Device Event Numbers and Device Event IDs used by the Dragon 6.x signatures. These can be retrieved from within MARS by browsing to the Dragon 6.x NIDS Device Events. Make sure you view ALL of the Events by selecting the "10,000" rows per page option. Now right-click on this page and select "View Source". Save this to a file (Ex. Dragon6_Events.txt).


6. You now have to extract the important data from the file created in step 5. This can be done with a few Linux grep statements and a text editor.

    a. To extract the Device Event Numbers, you can use the following grep script:

        grep '!--' Dragon6_Events.txt | grep -o -P '[0-9]{7,8}\ /?([0-9]{1,5})?' > Cisco_Dragon_Event_Numbers.txt


        NOTE: This file will be used to define the etList section of the XML file.


    b. Extract the Dragon Event IDs and numbers from the Dragon6_Events.txt file:

        grep -B2 '!--' Dragon6_Events.txt > Dragon6_Events_Stripped.txt

      

    c. Use grep or a text editor to remove everything from Dragon6_Events_Stripped.txt except for the Event IDs and numbers.

        When done your file should contain data in the following format:

        SPY:TOPREBATES-CONFIRM
        6503131
        ACROBAT:PDF-EXPLOIT-MALWARE
        6503132
        ...


NOTE: If a Windows text editor was used for any of the edits you will want to run "dos2unix" against the files.


7. Start creating your new support package XML file by:

    a. Open the "data_package.xml" file from the support package created in step 4.

    b. Copy the data up to the "etList" section and paste it into a new "data_package.xml" file.

    c. Use a bash script (see the attached "create_etList.sh" file) to read the Cisco_Dragon_Event_Numbers.txt file and export the data into a properly formatted "etList" section. Copy the etList section into the new "data_package.xml" file.

    d. Use another bash script (cannot attach it at this time) to read the Dragon6_Events_Stripped.txt file and export the data into a properly formatted "det id" section. Copy the new "det id" section into the new "data_package.xml" file.

    e. Finally, copy the lines after the "det id" section of the original data_package.xml file into the new XML file.


NOTE: This process basically creates a new data_package.xml file containing approximately 4900 device events.


8. Lastly, place the new XML file under a "dsf" directory and place it in a ZIP file. This becomes your new support package.


We successfully imported the ZIP file as a Device Support Package. The import took a while - we went home and the next morning it was successful.


Some items to note are:


1. Make sure there are NO duplicates in the etList section. This can be accomplished by importing the Cisco_Dragon_Event_Numbers.txt data into Excel and filtering out the duplicates.


2. Make sure all of the "det id" entries have a corresponding etList entry, otherwise you'll get a DSF failure when trying to import the Device Support Package.


3. To check the validity of your XML format, load your XML file in Firefox. If there are any errors, Firefox will tell you which line contains the issue. IE did not correctly tell us where errors appeared.


4. I will attach the second bash script when I can get around to re-typing it. It is basically the same script as the one attached except it echoes the lines needed to format the "det id" section. It also contains a switch to process the Event ID text then the Event Number.


Good luck!


Dave Grannas

Senior Consultant

Intelesys Corp.
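To check that a message in the step-2 ESM format really satisfies the step-3 parse pattern before you build a package around it, here is an added Python example (not from the post and not MARS code) that applies the seven key/value patterns from the table, in position order, to the post's sample message. Allowing optional whitespace between a key and its value, and the spec_for_signature helper, are assumptions of this example rather than documented MARS behaviour.

```python
import re

# Constructed from the post: the message MARS received during the NMAP test.
SAMPLE = ("<175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 "
          "DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1")

IPV4 = r"(\d{1,3}\.){3}\d{1,3}"
PORT = r"((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)"
PROTO = r"((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)"

# Step-3 parse pattern as (parsed field, key pattern, value pattern) in position
# order. Position 7 is "None" in the table: the TCP-SCAN key identifies the event
# type and the captured value is the trailing %SENSOR% token.
PARSE_PATTERN = [
    ("Device Time", r"alarmtool:", r"\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}"),
    ("Source Address", r".+SrcIP\=", IPV4),
    ("Source Port", r".+SrcPort\=", PORT),
    ("Destination Address", r".+DstIP\=", IPV4),
    ("Destination Port", r".+DstPort\=", PORT),
    ("Protocol", r".+Protocol\=", PROTO),
    ("Sensor", r".+TCP-SCAN", r"([\w-]+)\-?[\w-]{3}"),
]

def parse_dragon_event(msg, spec=PARSE_PATTERN):
    """Search each key pattern from the end of the previous match and capture the
    value pattern right after it (optional whitespace between them is an
    assumption). Returns the parsed fields, or None when any position fails,
    i.e. the message would not be recognised as this Device Event Type."""
    fields, pos = {}, 0
    for name, key, value in spec:
        m = re.compile(key + r"\s*(" + value + r")").search(msg, pos)
        if m is None:
            return None
        fields[name] = m.group(1)
        pos = m.end()
    return fields

def spec_for_signature(sig_name):
    """Hypothetical helper: the same pattern keyed on another Dragon signature
    name, i.e. one Device Event Type per signature, which is why the bulk
    package in steps 5-8 ends up with roughly 4900 device events."""
    last_field, _, sensor_value = PARSE_PATTERN[-1]
    return PARSE_PATTERN[:-1] + [(last_field, r".+" + re.escape(sig_name), sensor_value)]

if __name__ == "__main__":
    print(parse_dragon_event(SAMPLE))
    # Constructed variant carrying another signature name from the post's event list.
    other = SAMPLE.replace("TCP-SCAN", "SPY:TOPREBATES-CONFIRM")
    print(parse_dragon_event(other))  # None: position 7 only matches TCP-SCAN
    print(parse_dragon_event(other, spec_for_signature("SPY:TOPREBATES-CONFIRM")))
```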

      


jtaliafe Thu, 07/29/2010 - 12:27
User Badges: Cisco Employee

Hello,


The reason for the unknown device event is because MARS only supports Enterasys Dragon v 6.x as per the following URL:


http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html


There was probably a change between the Dragon 6.x and the Dragon 7.x message format and MARS is seeing something that is unexpected. The only option would be to create a custom parser for MARS. You can find more information about custom parser creation here:


http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html#wp656851


You might also check the MARS Package Sharing part of the forum to see if anyone has a Dragon 7 parser that they have created and are using.


Thanks,

jburgett Thu, 07/29/2010 - 19:39

According to the release notes for MARS 6.0.3+, Enterasys signatures for version 6.x and 7.x are supported. This should mean that Dragon NIDS 7.x is supported as you cannot install 7.x signatures on a 6.x NIDS. If there is a way to see the MARS parse patterns for the Enterasys signatures, I can fashion the Dragon syslog message to match it. I'm sure it is simply a matter of the information not being what MARS is expecting.


I have already started creating custom Device Event IDs but there is no way I'm going to create almost 5000 parse patterns when they were supposed to be supported in the first place.

Correct Answer
dgrannas Thu, 08/19/2010 - 11:59 (answer text shown above)