Wednesday, 5 October 2016

Fixing ArcSight event categorisation mapping for snort on Security Onion

Isn't that title a mouthful! Clearly have been away doing things I can't share unfortunately but I was tinkering around my lab today and managed to provide a fix for this issue.. so here it is. The problem? Well if you use ArcSight combined with Snort you will see that although some of the rules are categorised as they should be, the new stuff (which is clearly most important nowadays) like ET rules the pulled pork provides, are not... which is a total bummer if you are a sane person and therefor are using categorisation to correlate NIDS events... long story short (should have said that 10 mins ago!).

You might ask.. how did ArcSight and Security Onion connect with one another? Well check out this previous blogpost it might be old but it still applies to the new version. If on the other hand you already done that here we go.

Method 1 (recommended for smaller data-sets, mentioned for reference)
In our connector box we will go to the directory below and we will create another directory using the small-letter version of the device vendor we need.

/opt/arcsight/ArcSightSmartConnectors-<connector-name>/current/user/agent/aup/acp/categorizer/current/

In our case events are feeding in as Snort so our directory will be snort. In this directory we will create a csv file in the same mentality using the device product of the events we want to categorise. In our case snort again. If your device product or vendor has spaces they need to be replaced by underscores (_).

That file will have a header defining what each field is and then under that target values as such:

snort.csv
event.deviceEventClassId,set.event.categoryObject,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
[1:2016778],/Network,/IDS/Network,/Normal,/Attempt


which means when the "getter" event.deviceEventClassId matches [1:2016778], it will sett the following fields with the values defined.

Save your file, restart the connector and it should work (ArcSight-gods willing)

Method 2 (that's the one you want!)
This method is based on a mapping file in the connector again, which seems to be able to take regex  in the "getter" field something that the previous method was not willing to (tried and failed!). The file we need to create lives in the following directory and we will need to increment its filename based on the existing ones.

/opt/arcsight/ArcSightSmartConnectors-<connector-name>/current/user/agent/map

if in your case you see map.0.properties only you can create map.1.properties and so on..

The following is the content of map.2.properties that worked for my setup of security-onion, if you want to change categories or techniques be my guest :) this is simply what works for my setup..

map.2.properties
regex.event.deviceEventCategory,set.event.categoryObject,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryTechnique
Attempted Administrator Privilege Gain,/Network,/IDS/Network,/Normal,/Information Leak/Unauthorized Access
Attempted Denial of Service,/Network,/IDS/Network,/Normal,/DoS
Attempted Information Leak,/Network,/IDS/Network,/Normal,/Information Leak
Attempted User Privilege Gain,/Network,/IDS/Network,/Normal,/Information Leak/Unauthorized Access
Potentially Bad Traffic,/Network,/IDS/Network,/Normal,/Traffic Anomaly
Known client side exploit attempt,/Network,/IDS/Network,/Normal,/Exploit
Attempt to login by a default username and password,/Network,/IDS/Network,/Normal,/Brute Force
Detection of a Denial of Service Attack,/Network,/IDS/Network,/Normal,/DoS
Known malicious file or file based exploit,/Network,/IDS/Network,/Normal,/Exploit
Generic ICMP event,/Network,/IDS/Network,/Normal,/DoS
Inappropriate Content was Detected,/Network,/IDS/Network,/Normal,/Code
SCORE! Get the lotion!,/Network,/IDS/Network,/Normal,/Policy
Known malware command and control traffic,/Network,/IDS/Host,/Compromise,
Misc activity,/Network,/IDS/Network,/Normal,/Policy
Misc Attack,/Network,/IDS/Network,/Normal,/Exploit
Detection of a Network Scan,/Network,/IDS/Network,/Normal,/Scan/Port
Detection of a non-standard protocol or event,/Network,/IDS/Network,/Normal,/Traffic Anomaly
Potential Corporate Privacy Violation,/Network,/IDS/Network,/Normal,/Policy
Generic Protocol Command Decode,/Network,/IDS/Network,/Normal,/Exploit
Decode of an RPC Query,/Network,/IDS/Network,/Normal,/Exploit
Senstive Data,/Network,/IDS/Network,/Normal,/Information Leak
Executable code was detected,/Network,/IDS/Network,/Normal,/Code
A suspicious string was detected,/Network,/IDS/Network,/Normal,/Code
Successful Administrator Privilege Gain,/Network,/IDS/Network,/Normal,/Information Leak/Unauthorized Access
Denial of Service,/Network,/IDS/Network,/Normal,/DoS
Large Scale Information Leak,/Network,/IDS/Network,/Normal,/Information Leak
Information Leak,/Network,/IDS/Network,/Normal,/Information Leak
Successful User Privilege Gain,/Network,/IDS/Network,/Normal,/Information Leak/Unauthorized Access
A suspicious filename was detected,/Network,/IDS/Network,/Normal,/Exploit
An attempted login using a suspicious username was detected,/Network,/IDS/Network,/Normal,/Brute Force
A system call was detected,/Network,/IDS/Network,/Normal,/Exploit
A Network Trojan was detected,/Network,/IDS/Host,/Compromise,
Unsuccessful User Privilege Gain,/Network,/IDS/Network,/Normal,/Information Leak/Unauthorized Access
A client was using an unusual port,/Network,/IDS/Network,/Normal,/Traffic Anomaly
access to a potentially vulnerable web application,/Network,/IDS/Network,/Normal,/Code
Web Application Attack,/Network,/IDS/Network,/Normal,/Code


As previously mentioned, restart the connector and it should work like a charm. The source of information for the above list was taken from /etc/nsm/rules/classification.config which conveniently gives us the information we needed in this case.

Thanks for reading :) 

No comments:

Post a Comment