Sometimes, however, you will encounter a sensor that does not send the full event data by default. We will take the Imperva SecureSphere WAF as an example.
The IBM Knowledge Center page
http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.dsm.doc/t_DSM_guide_Securesphere
explains how to configure Imperva to send syslog to the QRadar machine: you simply configure an action set to use the following format so that QRadar can understand the incoming logs:
LEEF:1.0|Imperva|SecureSphere |${SecureSphereVersion}| ${Alert.alertType} ${Alert.immediateAction} |Alert ID=${Alert.dn} |devTimeFormat=[see note]|devTime=${Alert.createTime} |Alert type=${Alert.alertType}|
src=${Alert.sourceIp} |usrName=${Alert.username}|Application name=${Alert.applicationName}
|Service name=${Alert.serviceName}|Alert Description=${Alert.description} |Severity=${Alert.severity}|Simulation Mode=${Alert.simulationMode} |Immediate Action=${Alert.immediateAction}
This format does not carry the full event data. I want as much raw data as possible, since during incident response I may only have access to QRadar. So instead of the basic QRadar format I used the RSA / ArcSight format, which provides more data:
%IMPERVA-Imperva,alert#=$!{Alert.dn},event#=$!{Event.dn},createTime=$!{Alert.createTime},updateTime=$!{Alert.lastUpdateTime},alertSev=$!{Alert.severity},group=$!{Alert.serverGroupName},ruleName="$!{Alert.alertMetadata.alertName}",evntDesc="$!{Alert.description}",category=$!{Alert.alertType},disposition=$!{Alert.immediateAction},eventType=$!{Event.eventType},proto=$!{Event.sourceInfo.ipProtocol},srcPort=$!{Event.sourceInfo.sourcePort},srcIP=$!{Event.sourceInfo.sourceIp},dstPort=$!{Event.destInfo.serverPort},dstIP=$!{Event.destInfo.serverIp},policyName="$!{Rule.parent.displayName}",occurrences=$!{Alert.aggregationInfo.occurrences},httpHost=$!{Event.struct.httpRequest.url.host},webMethod=$!{Event.struct.httpRequest.url.method},url="$!{Event.struct.httpRequest.url.path}",webQuery="$!{Event.struct.httpRequest.url.queryString}",soapAction=$!{Event.struct.httpRequest.soapAction.soapAction},resultCode=$!{Event.struct.httpResponse.responseCode},sessionID=$!{Event.struct.webCorrelationInfo.sessionId},username=$!{Alert.username},addUsername=$!{Event.struct.user.additionalUser},responseTime=$!{Event.struct.responseTime},responseSize=$!{Event.struct.responseSize},direction=$!{Event.struct.networkDirection},dbUsername=$!{Event.struct.rawUser.rawUser},queryGroup=$!{Event.struct.queryGroup.queryGroup},application="$!{Event.struct.application.application}",srcHost=$!{Event.struct.host.host},osUsername=$!{Event.struct.osUser.osUser},schemaName=$!{Event.struct.databases.schemaName},dbName=$!{Event.struct.databases.databaseName},hdrName=$!{Event.struct.httpRequest.headers.name},action="$!{Event.struct.query.parsedQuery}"
Once the new format arrives you will notice that all the raw data is present, but (there is always a but) only the out-of-the-box rules display correctly: for rules you write yourself, the rule name does not appear in ruleName but in evntDesc, meaning QRadar will display the generic custom-rule name instead of the actual rule name.
We solve this with a custom DSM (XML log source extension):
Since the event names differ between rule types, in the XML we can check for more than one match and tell the parser which capture group to take for the field, in order, just as in the raw event.
<pattern id="EventName1">ruleName\=\'(Custom\sViolation)\'\,evntDesc\=\'(.+?)\'\,</pattern>
<pattern id="EventName2">(Multiple\sSQL\sInjection)</pattern>
<pattern id="EventName3">ruleName\=\'(.+?)\'\,</pattern>
<pattern id="EventCategory">category\=(.*?)\,</pattern>
<pattern id="SourceIp">srcIP\=(.*?)\,</pattern>
<pattern id="SourcePort">srcPort\=(.*?)\,</pattern>
<pattern id="DestinationIp">dstIP\=(.*?)\,</pattern>
<pattern id="DestinationPort">dstPort\=(.*?)\,</pattern>
<matcher order="1" enable-substitutions="false" capture-group="2" pattern-id="EventName1" field="EventName"/>
<matcher order="2" enable-substitutions="false" capture-group="1" pattern-id="EventName2" field="EventName"/>
<matcher order="3" enable-substitutions="false" capture-group="1" pattern-id="EventName3" field="EventName"/>
The complete XML, ready for QRadar, can be downloaded here.
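To check the ordered-matcher logic before loading the extension into QRadar, here is an added Python example (not part of the original post and not IBM's or Imperva's code) that applies the same patterns, in the same order and with the same capture groups as the XML above, to a few constructed SecureSphere lines. The sample lines are made up and use single quotes around ruleName and evntDesc, as the patterns expect; the "first matcher that hits a field wins" rule is an assumption about how QRadar evaluates several matchers for one field.

```python
import re

# Constructed sample events in the RSA/ArcSight-style format configured above.
# Values are invented; only the field layout matters for the patterns.
SAMPLE_EVENTS = [
    # Out-of-the-box signature: ruleName already carries the useful name.
    "%IMPERVA-Imperva,alert#=12345,event#=67890,createTime=2016-01-01 10:00:00,"
    "alertSev=High,ruleName='SQL Injection',evntDesc='Union select detected',"
    "category=Attack,srcIP=203.0.113.5,srcPort=51234,dstIP=192.0.2.10,dstPort=443,",
    # Custom rule: ruleName is the generic 'Custom Violation', the real name sits in evntDesc.
    "%IMPERVA-Imperva,alert#=12346,event#=67891,createTime=2016-01-01 10:01:00,"
    "alertSev=Medium,ruleName='Custom Violation',evntDesc='Block admin path from internet',"
    "category=Custom,srcIP=198.51.100.7,srcPort=40001,dstIP=192.0.2.10,dstPort=80,",
    # Aggregated alert: EventName2 must run before the generic EventName3 to pick this up.
    "%IMPERVA-Imperva,alert#=12347,event#=67892,createTime=2016-01-01 10:02:00,"
    "alertSev=High,ruleName='Multiple SQL Injection',evntDesc='5 occurrences',"
    "category=Attack,srcIP=203.0.113.9,srcPort=51999,dstIP=192.0.2.11,dstPort=443,",
]

# The <pattern> elements of the DSM extension, compiled as Python regexes.
PATTERNS = {
    "EventName1": re.compile(r"ruleName\=\'(Custom\sViolation)\'\,evntDesc\=\'(.+?)\'\,"),
    "EventName2": re.compile(r"(Multiple\sSQL\sInjection)"),
    "EventName3": re.compile(r"ruleName\=\'(.+?)\'\,"),
    "EventCategory": re.compile(r"category\=(.*?)\,"),
    "SourceIp": re.compile(r"srcIP\=(.*?)\,"),
    "SourcePort": re.compile(r"srcPort\=(.*?)\,"),
    "DestinationIp": re.compile(r"dstIP\=(.*?)\,"),
    "DestinationPort": re.compile(r"dstPort\=(.*?)\,"),
}

# The <matcher> elements: (pattern id, capture group, target field) in evaluation order.
MATCHERS = [
    ("EventName1", 2, "EventName"),
    ("EventName2", 1, "EventName"),
    ("EventName3", 1, "EventName"),
    ("EventCategory", 1, "EventCategory"),
    ("SourceIp", 1, "SourceIp"),
    ("SourcePort", 1, "SourcePort"),
    ("DestinationIp", 1, "DestinationIp"),
    ("DestinationPort", 1, "DestinationPort"),
]


def parse_event(raw):
    """Apply the matchers in order; the first one that hits a field wins (assumed QRadar behaviour)."""
    fields = {}
    for pattern_id, group, field in MATCHERS:
        if field in fields:
            continue  # an earlier matcher already filled this field
        match = PATTERNS[pattern_id].search(raw)
        if match:
            fields[field] = match.group(group)
    return fields


def parse_all(events=SAMPLE_EVENTS):
    """Parse every sample line; useful to eyeball the result of a pattern change."""
    return [parse_event(e) for e in events]


if __name__ == "__main__":
    for parsed in parse_all():
        print(parsed)
```

Running the file prints one dictionary per line. The second line shows the custom rule's name being taken from evntDesc via capture group 2 of EventName1, and the third line shows why EventName2 is ordered before the generic EventName3: if the order were reversed, EventName3 would also match and the more specific pattern would never be reached.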