Cisco eNcore: Sample logs

koshyk — Wed, 15 Nov 2017 16:31:44 GMT

First of all, thanks @douglashurd for creating the app.
I had two questions regarding the app

Any chance to put samples directory within the app with different samples of eStreamer sourcetypes? to be used for eventgen etc.
Can Cisco estreamer devices send the similar data via syslog ? (i.e push to splunk, rather than Splunk pulling them)

Re: Cisco eNcore: Sample logs

douglashurd — Tue, 06 Feb 2018 18:41:56 GMT

You should be able to send Intrusion events and connection events right off the sensor in syslog. Cisco TAC can explain the configuration steps for this.

Re: Cisco eNcore: Sample logs

koshyk — Thu, 15 Mar 2018 15:47:37 GMT

thanks @douglashurd.
any chance, can you please update some sample events in your app to be used for eventgen etc.?

Re: Cisco eNcore: Sample logs

douglashurd — Mon, 26 Mar 2018 23:13:00 GMT

Unfortunately I cannot tell you what changes are added since the 5.4 schema was explained here:

Discovery Event:

" Configuration:

Discovery Event syslog alerts can be configured under Policies > Actions > Alerts by selecting the Discovery Event Alerts tab, selecting the syslog alert you would like use and selecting the types of events that should generate an alert.
" Schema:

SFIMS: <- From "" at -> IP Address: Port: Service: Confidence:
" Example:

SFIMS: <*- New TCP Port From "X.X.X.X" at Tue Feb 24 18:59:45 2015 UTC -*> IP Address: X.X.X.X Port: 6370 Service: HTTP Apache Confidence: 50

Intrusion Event:

" Configuration:

To enable Intrusion Event sysloggin first go to Policies > Intrusion > Intrusion Policy and edit the policy referenced by the Access Control Policy. Click on Advanced Settings and select enabled. Then, click edit and input your sylog server configuration.
" Schema:

SFIMS: [ ()][][::] "" [Classification: ] User: , Application: , Client: , App Protocol: Interface Ingress: , Interface Egress: , Security Zone Ingress:, Security Zone Egress: , [Priority: ] {} : -> :
" Example:

SFIMS: [Primary Detection Engine (9882464a-3c3d-11e3-875b-c166af9fa6c0)][Default Security Over Connectivity][1:17392:6] "INDICATOR-SHELLCODE JavaScript var shellcode" [Classification: Executable Code was Detected] User: Unknown, Application: Unknown, Client: Internet Explorer, App Protocol: HTTP Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, [Priority: 1] {TCP} xxx.xx.xx.xx:80 -> xxx.xxx.x.x:1113

Connection Event:

" Configuration:

To configure connection event syslogging edit an Access Control Policy, and edit each rule that you would like connection event syslogging for, check syslog for the "Send Connection Events to:" section, and select your Syslog alert configuration.
" Schema:

5.3.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: , {} : ->:

5.4.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: ,Client Version: , Number of File Events: , Number of IPS Events: , TCP Flags: , NetBIOS Domain:, Initiator Packets: , Responder Packets: , Initiator Bytes:, Responder Bytes: , Context:, SSL Rule Name: , SSL Flow Status: , SSL Cipher Suite: , SSL Certificate:, SSL Subject CN: , SSL Subject Country: , SSL Subject OU: , SSL Subject Org:, SSL Issuer CN: , SSL Issuer Country:, SSL Issuer OU:, SSL Issuer Org:, SSL Valid Start Date:, SSL Valid End Date:, SSL Version: , SSL Server Certificate Status: , SSL Actual Action:, SSL Expected Action:, SSL Server Name: , SSL URL Category: , SSL Session ID:, SSL Ticket Id:, {} : ->:

NOTE: The SSL Fields will be in all connections regardless of whether SSL was used in the connection.
"

Example:

sn54 54DC: [Primary Detection Engine (2c0f417e-bb63-11e4-90aa-a536b3757dce)][Default Access Control] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Cisco, Access Control Rule Name: catchall, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Business and Economy, URL Reputation: Well known, URL:https://nourl.cisco.com, Interface Ingress: eth1, Interface Egress: eth1, Security Zone Ingress: Internal, Security Zone Egress: Internal, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 3, Responder Packets: 1, Initiator Bytes: 727, Responder Bytes: 74, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} X.X.X.X:49205 -> X.X.X.X:443

Health Monitor Event:

" Configuration:

To configure health monitor syslogging, go to Health > Health Monitor Alerts, select the severities and modules you would like to alert on, name the alert and save.
" Schema:
: HMNOTIFY: (): Severity: :
" Example:

dc54 DC54: HMNOTIFY: License Monitor (Sensor dc54.example.com): Severity: warning: Violations due to licenses expiring within 90 days: USER used count will exceed total by 2 licenses.

Correlation Event:

" Configuration:

To configure correlation event syslogging, navigate to Policies > Correlation edit the correlation policy configured, click on the responses icon for the rule you would like syslog alerts from, and select your syslog alert action.
" Schema:

: Correlation Event: / at

" Example:

dc54 DC54: Correlation Event: Test Correlation Rule/Test Correlation Policy at Tue Sep 15 13:05:52 2015 UTCConnection Type: FireSIGHT X.X.X.X:45652 (unknown) -> X.X.X.X:443 (united states) (tcp)

Impact Alert:

" Configuration:

To configure impact alert syslogging go to Policies > Actions > Alerts, select Impact Flag Alerts, select your syslog alerting mechanism and the impact flags you would like to alert on.
" Schema:
: [::] "" [Impact:] From "" at UTC [Classification: ] [Priority: ] {} ->

" Example:

dc54 DC54: [1:1000000:1] "Ping Test Rule" [Impact: Unknown] From "X.X.X.X" at Tue Sep 15 13:41:52 2015 UTC [Classification: Misc Activity] [Priority: 3] {icmp} X.X.X.X->X.X.X.X

Network Malware Event:

" Configuration:

To configure network malware event syslogging, navigate to Policies > Actions > Alerts, select Advanced Malware Protection Alerts, select your syslog alerting mechanism, and select the types of events you want alerts for.
" Schema:
: <- Network Based Malware From "" at UTC -> Sha256: Disposition: Threat name: Addresses:

" Example:

dc54 DC54: <*- Network Based Malware From "X.X.X.X" at Tue Sep 15 14:32:47 2015 UTC -*> Sha256: 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002 Disposition: Malware Threat name: W32.Zombies.NotAVirus IP Addresses: X.X.X.X<-X.X.X.X

Audit Log Event:

" Configuration:
To configure audit log event syslogging, navigate to System > Local > System Policy > Audit Log Settings, select the
appropriate settings for your environment, click the Save Policy and Exit button, and reapply the System Policy.

" Schema:
ids.cgi: : user@IP, ,

" Example:

 Oct 13 13:54:32 X.X.X.X ids.cgi: Sourcefire3D: admin@X.X.X.X, Policies > Intrusion > Intrusion Policy, Page View

Re: Cisco eNcore: Sample logs

koshyk — Thu, 29 Mar 2018 14:01:43 GMT

thanks again for your help.

Re: Cisco eNcore: Sample logs

douglashurd — Wed, 22 May 2019 14:51:18 GMT

There is a detailed document on the syslog output. Do you have it?

If you want it please email me dohurd@cisco.com and I'll attach. I cannot attach it here.

Doug

topic Re: Cisco eNcore: Sample logs in All Apps and Add-ons

Cisco eNcore: Sample logs

Re: Cisco eNcore: Sample logs

Re: Cisco eNcore: Sample logs

Re: Cisco eNcore: Sample logs

Re: Cisco eNcore: Sample logs

Re: Cisco eNcore: Sample logs