ArcSight Connector and PCAP retrieval issues.

Updated: 17 Jul 2017
Product/Version: TippingPoint SMS All; TippingPoint Virtual SMS
Summary
An affected ArcSight Connector is unable to retrieve packet capture traces (PCAPs) for TippingPoint events from an affected SMS while using ArcSight CEF for the syslog format.
Details

Background: There are two separate issues with the ArcSight Connector retrieving data from the SMS.

For customers on SMS v4.1 and earlier:

The SMS syslog format "ArcSight CEF" shipped with SMS 4.1 and earlier has swapped or missing fields, so the ArcSight Connector does not receive the data it expects.

Workaround: To correct this issue, the ArcSight CEF Format configuration on the SMS must be modified manually by adding a "dvchost" entry and changing the value of the "cs5" field.

Procedure:

1. From the SMS client software, navigate to Admin → Server Properties → Syslog.

2. From the Syslog Formats section select the appropriate Syslog entry (ArcSight CEF Format).

3. Press "Copy" to copy the desired Syslog format. The "Edit Syslog Format" screen displays.

4. Name the new Syslog format.

5. In the "Pattern" window, find the entry "cs5=${deviceName}" and change the entry to "cs5=SMS Name" where "SMS Name" is the simple DNS host name (not FQDN) of the SMS server sending the data to the ArcSight connector.

6. In the "Pattern" window, find the entry "cs5Label=Device Name" and change the entry to "cs5Label=SMS Name".

7. While still in the "Pattern" window, add the entry "dvchost=${deviceName}" to the new format.

8. In the Remote Syslog for Events section, create a new Syslog server, select the newly created Syslog format, and point it at the ArcSight Connector.

Note: This issue has been corrected with the release of SMS v4.2.0.
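As an added illustration (not part of this article or of the SMS software), the Python below applies the three pattern edits from steps 5 to 7 to a constructed CEF template, substitutes ${deviceName} the way the SMS template engine would, and parses the resulting event to confirm that dvchost now carries the device name and cs5 the SMS host name. The header fields, the EXAMPLE-ID signature, and the host names are placeholders; the real SMS template is not reproduced here.

```python
import re

# Constructed sample template. Only "cs5=${deviceName}" and
# "cs5Label=Device Name" come from the article; the header fields and the
# EXAMPLE-ID signature are placeholders, not the SMS's real ArcSight template.
OLD_PATTERN = ("CEF:0|TippingPoint|SMS|4.1|EXAMPLE-ID|Example Signature|5|"
               "cs5=${deviceName} cs5Label=Device Name")

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]

def patch_arcsight_pattern(pattern: str, sms_host: str) -> str:
    """Apply steps 5-7 of the procedure: repoint cs5 at the SMS host name,
    relabel it, and add a dvchost entry that carries the device name."""
    patched = pattern.replace("cs5=${deviceName}", f"cs5={sms_host}")
    patched = patched.replace("cs5Label=Device Name", "cs5Label=SMS Name")
    return patched + " dvchost=${deviceName}"

def render(pattern: str, variables: dict) -> str:
    """Substitute ${name} placeholders as a syslog template engine would."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), ""), pattern)

def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus an 'ext' dict."""
    # Header separators are unescaped pipes only (CEF escapes '|' as '\|').
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces ("SMS Name"), so a new key begins
    # only at a whitespace-delimited "key=" token.
    record["ext"] = {m.group(1): m.group(2) for m in
                     re.finditer(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return record

def arcsight_gaps(record: dict) -> list:
    """Return what the connector would still find wrong with this event."""
    ext, gaps = record["ext"], []
    if "dvchost" not in ext:
        gaps.append("dvchost missing: connector has no device host name")
    if ext.get("cs5Label") == "Device Name":
        gaps.append("cs5 still labelled 'Device Name' instead of 'SMS Name'")
    return gaps

if __name__ == "__main__":
    event = {"deviceName": "ips-edge-01"}  # constructed IPS device name
    print(arcsight_gaps(parse_cef(render(OLD_PATTERN, event))))
    fixed = patch_arcsight_pattern(OLD_PATTERN, "sms-prod")  # constructed SMS host
    print(arcsight_gaps(parse_cef(render(fixed, event))))  # prints []
```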


For customers on SMS v4.2 and higher:

In response to the SSLv3 POODLE vulnerability (CVE-2014-3566), SMS v4.2 disabled SSLv2 and SSLv3 on its secure web interfaces. This specifically affects the ArcSight Connectors, because they rely on SSLv2 to open the HTTPS handshake. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, are rejected.

Workaround:

Affected customers should contact the TippingPoint Technical Assistance Center (TAC). TAC will provide Hotfix 101159 and instructions that relax the SMS security posture to allow SSLv2 handshakes: the SMS is modified to accept an "SSLv2Hello", after which it completes the handshake with TLS. This change does not expose the SMS to the SSLv3 POODLE issue; any attempt to use or negotiate SSLv3 will continue to be rejected.

ArcSight CEF Format:

The ArcSight CEF format in SMS v4.2 has been updated to include the manual changes indicated for SMS 4.1 and earlier. If you are using a Syslog server with the "Log Type" set to ArcSight CEF format, ensure that you update your selection to ArcSight CEF Format v4.2.
