05-20-2015 07:58 AM - edited 03-08-2019 06:58 PM
The forwarder is an eStreamer client that converts eStreamer data collected from FireSIGHT into ArcSight Common Event Format (CEF) for input into ArcSight's ESM platform. ArcSight CEF is a syslog and text-based alternative to ArcSight's Smart Connector; however, it does not have support for packet payload yet. This functionality will be provided via the ESM action connector and will be made available soon as part of the HP ArcSight CEF certified connector.
Has anyone run the cef_agent.pl script on Windows?
Has anyone encountered such an error?
c:\Strawberry\cef_forwarder>cef_agent.pl
Can't locate SFStreamer.pm in @INC (you may need to install the SFStreamer module) (@INC contains: C:/Strawberry/perl/site/lib C:/Strawberry/perl/vendor/lib C:/Strawberry/perl/lib) at C:\Strawberry\cef_forwarder\cef_agent.pl line 56.
BEGIN failed--compilation aborted at C:\Strawberry\cef_forwarder\cef_agent.pl line 56.
c:\Strawberry\cef_forwarder
25.07.2017 18:36 <DIR> .
25.07.2017 18:36 <DIR> ..
25.07.2017 18:36 3 569 192.168.0.175_10.pkcs12
25.07.2017 18:54 387 cef.conf
25.07.2017 18:54 53 927 cef_agent.pl
09.03.2016 22:52 311 902 CommonEventFormat.pdf
09.03.2016 22:52 15 383 README.txt
09.03.2016 22:52 2 502 SFPkcs12.pm
09.03.2016 22:52 25 008 SFRecords.pm
09.03.2016 22:52 166 338 SFRNABlocks.pm
09.03.2016 22:52 99 036 SFStreamer.pm
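The error above says Perl searched only the three Strawberry library directories listed after "@INC contains:", while the directory listing shows SFStreamer.pm (and the other SF*.pm files) sitting next to cef_agent.pl. Perl 5.26 and later no longer put the current directory on @INC by default, so sibling modules are not found unless the script or the caller adds that directory. The following is an added example, not code from the eStreamer CEF forwarder: a small Perl diagnostic that prepends its own directory to @INC with FindBin and then reports which of the forwarder's modules would resolve. The module names come from the directory listing in the post; the script name check_modules.pl is a placeholder.

```perl
#!/usr/bin/env perl
# check_modules.pl -- added example, not part of the eStreamer CEF forwarder.
# Reports whether the forwarder's sibling modules resolve from @INC and shows
# the usual fix for "Can't locate SFStreamer.pm in @INC": add the script's own
# directory to @INC before any "use" of those modules is compiled.
use strict;
use warnings;
use FindBin qw($Bin);   # $Bin = directory this script lives in
use lib $Bin;           # prepend it to @INC at compile time (same effect as -I$Bin)

# Module names taken from the directory listing above; nothing here requires
# them, the script only checks whether their .pm files are reachable.
my @modules = qw(SFPkcs12 SFRecords SFRNABlocks SFStreamer);

# Return a hash ref: module name => path found on @INC, or undef if not resolvable.
sub locate_modules {
    my @names = @_;
    my %found;
    for my $name (@names) {
        (my $rel = "$name.pm") =~ s{::}{/}g;      # Foo::Bar -> Foo/Bar.pm
        my ($hit) = grep { -f "$_/$rel" } @INC;   # first @INC dir holding the file
        $found{$name} = defined $hit ? "$hit/$rel" : undef;
    }
    return \%found;
}

my $result = locate_modules(@modules);
for my $name (@modules) {
    printf "%-12s %s\n", $name,
        defined $result->{$name} ? "found at $result->{$name}" : "NOT on \@INC";
}
print "\n\@INC is: @INC\n";
```

Run it from the cef_forwarder directory with the two `use FindBin`/`use lib` lines commented out and it reports every module as NOT on @INC, which is exactly the situation the error message describes; with them in place the modules resolve. Equivalent fixes that need no change to the script are running `perl -I. cef_agent.pl` from that directory or setting the PERL5LIB environment variable to it.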
Just a heads up. A new Firepower-eStreamer-CEF client will be available in August. Complete rewrite in Python. Will work with FMC version 6.x. Windows is a possibility. Would you be willing to test the beta?
Hi
In August - the beginning of the month or the end?
Yes, of course. We need a CEF client for Windows.
Late August. Can't promise this date but we will make this available. Just a matter of time.
Doug
Hello Doug/team,
Can't find the newer version or a place to download it so far!
any update on the release of the eStreamer into a stable official release and if it would be TAC supported?
thanks
Mohamed Lubbad
Doug,
What is the status on Firepower to ArcSight rewrite script?
Hi All,
Is there any update for FMC version 6.X with Arcsight?
Anyone got it working?
Thanks in advance.
Is FMC 6.x supported yet please? Specifically obtaining events from multi-domain FMC 6.X whilst maintaining separation between domains (tenants).
If you're looking into FireSIGHT 6.X integration with ArcSight, search for eStreamer eNcore. It's a Python script that I was able to get working on a RHEL 7 server. The script connects to the FMC and sends the logs in CEF. I followed the operations guide PDF and was able to get the script to pull events from the FMC.
I take it that this will forward fireamp events as well?
There is a very new and much improved connector available. Please email me at dohurd@cisco.com and I will send you the code. It collects all of the 6.x event types, including packet payload samples, and writes them to ESM in CEF format. Eventually, this connector should be posted on ArcSight's download page, but not yet.
One issue I found is that if the malware is network-based, the virus name ("c2=") doesn't show up. It does show up for alerts that are AMP for Endpoints, though, meaning if you have AMP for Endpoints connected to your FMC.
Hello,
We have configured eStreamer on our FMC (DC 2000), which is running version 6.2.0.3, to send logs to ArcSight connectors.
On the eStreamer (FMC) we have enabled:
Intrusion events
Intrusion event extra data
Malware events
But the SIEM engineers are not able to map the XFF field from the streams received from the FMC.
Looking for help here to identify the XFF field in the connector and map it. Will the FMC send the XFF data with the above options enabled? Or do we need to enable any other option on the FMC?
Which version of the connector will be able to fetch the XFF data from the FMC?
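Both the missing "c2=" virus name reported a few posts up and the XFF mapping question here come down to the same check: which extension keys actually arrive in the CEF lines the connector emits. The following is an added example, not code from the connector or from Cisco: a small Perl CEF parser that honours the CEF escapes (`\|` in the header, `\=` and `\\` in extension values) and lists every extension key on each record, so an operator can see whether c2 or any XFF-related key is present before trying to map it in the SIEM. The two sample lines are constructed for the example; their vendor, product, signature IDs and field values are placeholders, not output captured from an FMC.

```perl
#!/usr/bin/env perl
# parse_cef.pl -- added example, not code from the eStreamer CEF connector.
# Parses lines of the form
#   CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ...
# and returns the header fields plus a hash of extension key/value pairs.
use strict;
use warnings;

# Parse one CEF line. Returns a hash ref, or undef if the line is not CEF.
sub parse_cef {
    my ($line) = @_;
    chomp $line;
    return undef unless $line =~ /^CEF:\d+\|/;

    # Header: seven fields separated by unescaped pipes; everything after the
    # seventh pipe is the extension (pipes there need not be escaped).
    my @parts = split /(?<!\\)\|/, $line, 8;
    return undef unless @parts == 8;
    my %ev;
    @ev{qw(version vendor product device_version signature_id name severity)} =
        map { s/\\\|/|/g; s/\\\\/\\/g; $_ } @parts[0 .. 6];
    $ev{version} =~ s/^CEF://;

    # Extension: key=value pairs; a value runs until the next " key=" or end of
    # line, and "\\." keeps an escaped "\=" from being read as a key boundary.
    my %ext;
    my $rest = $parts[7];
    while ($rest =~ /\G\s*(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)/gc) {
        my ($k, $v) = ($1, $2);
        $v =~ s/\\=/=/g;     # unescape "=", newline and backslash
        $v =~ s/\\n/\n/g;
        $v =~ s/\\\\/\\/g;
        $ext{$k} = $v;
    }
    $ev{ext} = \%ext;
    return \%ev;
}

# Constructed sample lines (not captured output): a network-based malware event
# without c2=, and an endpoint-sourced event that carries it, mirroring the
# observation in the post above.
my @samples = (
  'CEF:0|ExampleVendor|ExampleNGFW|6.2|MALWARE|Malware detected|8|src=10.1.2.3 dst=203.0.113.9 fname=invoice.exe msg=Disposition\=Malware',
  'CEF:0|ExampleVendor|ExampleNGFW|6.2|MALWARE|Endpoint malware event|8|src=10.1.2.3 c2=Example.Trojan.Sample fname=invoice.exe',
);

for my $line (@samples) {
    my $ev = parse_cef($line) or next;
    printf "%-22s keys=[%s] c2=%s\n", $ev->{name},
        join(",", sort keys %{ $ev->{ext} }),
        exists $ev->{ext}{c2} ? $ev->{ext}{c2} : '(missing)';
}
```

Pointed at a file of real connector output (`perl parse_cef.pl < events.cef` after replacing the sample array with a read loop over STDIN), the key listing shows directly which records carry c2 and which extension key, if any, the connector populates from the intrusion event extra data, which is what the SIEM mapping has to be written against.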