dohurd
Cisco Employee

The forwarder is an eStreamer client that converts eStreamer data collected from FireSIGHT into ArcSight Common Event Format (CEF) for input into ArcSight's ESM platform. ArcSight CEF is a syslog and text-based alternative to ArcSight's SmartConnector; however, it does not have support for packet payload yet. This functionality will be provided via the ESM action connector and will be made available soon as part of the HP ArcSight CEF certified connector.
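
As an added illustration of the output format the forwarder produces (example code written for this page, not the cef_forwarder source): the seven pipe-separated CEF header fields, the escaping rules a receiving connector relies on (backslash and pipe in the header; backslash, equals sign and line breaks in the extension), and a parser that reverses them so a malformed line can be rejected before it reaches ESM. The event dictionary, the mapping of its keys to CEF extension keys and the priority-to-severity table are constructed for the example and are not the eStreamer record layout.

```python
"""Format FireSIGHT intrusion events as ArcSight CEF and parse them back.

Added example for this thread; not the cef_forwarder code.  SAMPLE_EVENT and
EXTENSION_MAP are constructed and do not reflect the eStreamer record layout.
"""
import re
from typing import Any, Dict, List

CEF_VERSION, VENDOR, PRODUCT = 0, "Cisco", "FireSIGHT"
HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity"]

# Constructed event: the rule name carries '|' and '\', the message an '='
# and a line break, all of which must be escaped to survive the trip.
SAMPLE_EVENT = {
    "device_version": "5.4.1", "generator_id": 1, "signature_id": 2000001,
    "rule_name": "EXAMPLE HTTP|path traversal \\ attempt", "priority": 1,
    "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
    "src_port": 51322, "dst_port": 80, "protocol": "TCP",
    "sensor_id": 1, "action": "dropped", "message": "uri=/../../etc/passwd\nfoo",
}

# Constructed event keys -> CEF extension keys, in output order.
EXTENSION_MAP = [("src_ip", "src"), ("dst_ip", "dst"), ("src_port", "spt"),
                 ("dst_port", "dpt"), ("protocol", "proto"),
                 ("sensor_id", "deviceExternalId"), ("action", "act"),
                 ("message", "msg")]


def escape_header(value: Any) -> str:
    """Header fields: escape backslash and pipe; line breaks are not allowed."""
    s = str(value).replace("\\", "\\\\").replace("|", "\\|")
    return s.replace("\r", " ").replace("\n", " ")


def escape_extension(value: Any) -> str:
    """Extension values: escape backslash, '=' and line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def severity_from_priority(priority: int) -> int:
    """Snort priority 1 is most urgent; fold it onto CEF's 0-10 scale (assumed mapping)."""
    return {1: 9, 2: 6, 3: 3}.get(priority, 1)


def to_cef(event: Dict[str, Any]) -> str:
    """Render one event as a CEF line (no syslog prefix)."""
    header = "|".join([
        f"CEF:{CEF_VERSION}", escape_header(VENDOR), escape_header(PRODUCT),
        escape_header(event["device_version"]),
        escape_header(f"{event['generator_id']}:{event['signature_id']}"),
        escape_header(event["rule_name"]),
        str(severity_from_priority(event["priority"])),
    ])
    ext = " ".join(f"{key}={escape_extension(event[field])}"
                   for field, key in EXTENSION_MAP if field in event)
    return f"{header}|{ext}"


def split_unescaped(s: str, sep: str, limit: int) -> List[str]:
    """Split on sep unless it is preceded by a backslash; at most limit splits."""
    parts, buf, escaped = [], [], False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep and len(parts) < limit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def unescape(s: str) -> str:
    """Reverse both escaping rules: backslash-n/r become line breaks, backslash-x becomes x."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s, flags=re.S)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse a CEF line; raise ValueError instead of passing a malformed line on."""
    parts = split_unescaped(line, "|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    result = {f: unescape(p) for f, p in zip(HEADER_FIELDS, parts[:7])}
    result["version"] = result["version"][len("CEF:"):]
    ext_text, ext = parts[7], {}
    # Extension keys start at the beginning or after a space; an escaped '\=' never ends a key.
    keys = list(re.finditer(r"(?:^| )([A-Za-z0-9_]+)=", ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = unescape(ext_text[m.end():end])
    result["extension"] = ext
    return result


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
```

The round trip is the useful check: if a forwarder emits a name or message without these escapes, the pipe or equals sign in the payload shifts every later field, and a strict parser such as parse_cef above flags it, while a lenient one silently files the event under the wrong signature.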

Comments
mymorristribe
Community Member

Hmm, well that was pretty dumb of Cisco/FireSIGHT engineers. Plus, I can confirm that prior to v5.x of FireSIGHT, the DetectionEngineName did in fact get passed through; that's how we used to map things, and still do on v4 FireSIGHT appliances. We've implemented map files like you suggested on the connectors registered to the v5 DCs, but since about 3 of us manage 30+ Defense Centers with hundreds of SF sensors (daily additions and removals) talking to 4 different SIEM setups, I'm looking for ways to automate things so we don't have to do so much manual work keeping the mappings correct. I'm working on an alternate solution based on map files. It involves a cron job running on the DCs which pulls the DetectionEngineName and DetectionEngineID from the SQL DB, then runs a script that rearranges it, adds in the correct map.x.properties heading and finally scps it to the /user/agent/map/ directory of the corresponding ArcSight connector. I was hoping a solution would be found using the parser override since that's a bit simpler. Thanks for all your help!

MervAhYoung1
Level 1

Sounds like a neat solution... Just be careful about your support agreements with Cisco if you go modifying things on the DC at the OS level... you don't want to void your support contracts on your DCs with customisations etc. :-(

FireSIGHT DCs do have a "DB access" channel via TCP/1500 and TCP/2000 for read-only access to the DB. You could automate the query that way and not risk voiding your support contract. :)

mymorristribe
Community Member

Now that I've completed my map-file script, I thought I'd share the basic commands. Anyone can modify them to suit their mapping needs. Instead of going through the hassle of enabling raw events and looking through the contents of the META 123 files in ArcSight, you can just query the Defense Center DB for the ID and Name. The command below even organizes them into the map.x.properties format that ArcSight uses. In my case, I must run this as root. This script pulls out the ID and sensor name, then uses sort, uniq and awk to format it into the "1,<sensor_name>" format needed for map files. There are lots of other fields you can pull out of the DC DB as well, but this was all I needed. Enjoy.

# Run as root on the Defense Center; prints "id,name" lines, with the column-header row (the only line starting with a letter) dropped by the final grep
mysql -padmin sfsnort -e "select s.id,s.name from de_cache_de_config de left outer join sensor s on de.from_sensor = s.uid order by de.id" | sort | uniq | awk '{print $1","$2}' | grep -v '^[a-zA-Z]'

Note: I use "event.deviceExternalId,set.event.deviceOutboundInterface" as the header for my map files to map the sensor name to "OutboundInterface". I just picked that field because it's available and not automatically overwritten by other connectors downstream.
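
The same map-file generation as an added Python example (written for this page, not the poster's script): it consumes the tab-separated text that "mysql -e" prints for the query above, keeps the whole name field so sensor names containing spaces survive intact, drops rows the outer join left without a sensor (NULL id or name), de-duplicates by sensor id, and writes the map-file header from the note above. The sample query output is constructed, not captured from a Defense Center; quoting a name that contains a comma with standard CSV double quotes is an assumption to check against the connector's map-file documentation.

```python
"""Turn the Defense Center sensor query output into an ArcSight map file.

Added example for this thread; not the poster's script.  Input is the
tab-separated text that "mysql -e" prints (header row, then one row per
result).  SAMPLE_QUERY_OUTPUT is constructed, not captured from a DC.
"""
import csv
import io
import sys
from typing import Dict, List, Tuple

# Header from the note above: key on deviceExternalId, write the sensor
# name into deviceOutboundInterface.
MAP_HEADER = "event.deviceExternalId,set.event.deviceOutboundInterface"

# Constructed sample: duplicate rows (several detection engines on one
# sensor), a name with spaces, an unmatched outer-join row, a name with a comma.
SAMPLE_QUERY_OUTPUT = (
    "id\tname\n"
    "3\tsensor-dc1-edge\n"
    "3\tsensor-dc1-edge\n"
    "1\tbranch 7 firewall\n"
    "NULL\tNULL\n"
    "2\tsensor-dc2,core\n"
)


def parse_query_output(text: str) -> List[Tuple[int, str]]:
    """Return unique (sensor_id, sensor_name) pairs sorted by id.

    Rows whose id is not an integer (the column header, NULL ids from the
    LEFT OUTER JOIN) are skipped; the first name seen for an id wins.
    """
    names: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split("\t", 1)
        if len(fields) != 2:
            continue
        try:
            sensor_id = int(fields[0])
        except ValueError:
            continue
        name = fields[1].strip()
        if not name or name == "NULL":
            continue
        names.setdefault(sensor_id, name)
    return sorted(names.items())


def render_map_file(rows: List[Tuple[int, str]]) -> str:
    """Render rows as map-file CSV under MAP_HEADER.

    Assumption: the connector applies standard CSV quoting, so a name that
    contains a comma is wrapped in double quotes rather than splitting a row.
    """
    buf = io.StringIO()
    buf.write(MAP_HEADER + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    for sensor_id, name in rows:
        writer.writerow([sensor_id, name])
    return buf.getvalue()


def build_map_file(text: str) -> str:
    """Query output text in, complete map file text out."""
    return render_map_file(parse_query_output(text))


if __name__ == "__main__":
    # mysql ... -e "<query>" | python3 make_map.py > map.1.properties
    sys.stdout.write(build_map_file(sys.stdin.read()))
```

Pipe the mysql output into it on the DC and copy the result to the connector's user/agent/map/ directory as the post describes. When wiring this into a cron job, prefer a [client] password entry in a root-only ~/.my.cnf (or mysql's --defaults-extra-file) over -p<password> on the command line, which is visible to every local user in the process list.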

MervAhYoung1
Level 1

Very nice and elegant solution.  I like it! :)

Thanks for sharing...

RICHARD_KENT_1
Community Member

Hi dohurd,

Is there an official hosting place for the FireSIGHT CEF forwarder? I'm just wondering if this is the latest release.

Another key detail I am seeking is the base system requirements for running this forwarder:

  • Physical hardware requirements (e.g. CPU, memory, disk space reqs)
  • Software (e.g. Windows/Linux with Perl?)

Regards,

Richard Kent

james.grayson
Level 1

It is quite confusing. According to TAC, this is the place the script is officially hosted. However, there is a newer version hosted by HPE here:

https://www.protect724.hpe.com/docs/DOC-13807

dohurd
Cisco Employee

James,

TAC is wrong. This is not maintained officially by Cisco. Anyone is free to make any changes or enhancements that they wish, however. I cannot rule out that there are other versions being floated around.

It's likely that in April or May at the latest a brand new eStreamer client with CEF output will be available; it will be vastly improved and will also handle packet data, unlike the current version. There may also be a support option available to customers. This is TBD, however.

If you want to get on the phone and discuss I can give you some more insight.

doug (dohurd@cisco.com) or 240.498.2488 (Mobile)

james.grayson
Level 1

It makes perfect sense now, thank you.

exmode
Level 1

Hi

Is the new eStreamer client with CEF now available?

I am trying to integrate FMC 6.1 with ArcSight.

dohurd
Cisco Employee

It is our plan to have a pretty solid beta available later in June.  We're about a month behind but it is coming.

Doug

exmode
Level 1

OK, I have a question.

If I try to use cef_forwarder-master-d35283bd625ed63e215680d2381ddcef55f2c121.zip downloaded from HPE (is that the correct one?) and run the cef_agent.pl script, I get this error:

C:\Strawberry\cef_forwarder-master>cef_agent.pl
POSIX::setsid not implemented on this architecture at C:\Strawberry\cef_forwarder-master\cef_agent.pl line 983.

Do you know what this is?

Client OS: Windows 2008 R2

Perl: Strawberry Perl
This is perl 5, version 24, subversion 1 (v5.24.1) built for MSWin32-x64-multi-thread

dohurd
Cisco Employee

I'm going to ask an expert to weigh in on this. I don't have the dev skills to answer.

I've attached the latest version, but I think it's probably the same one you reference.

exmode
Level 1

OK, thanks.

I think this error occurred because I tried to run the script on Windows Server, but this script is for Unix systems.

dohurd
Cisco Employee

OK. We may have a Windows version later this summer. Not a promise, but we're looking at it.

Enrique S
Level 1

dohurd,

How's the new Windows version coming along?
