Background: There are two separate issues with the ArcSight Connector retrieving data from the SMS.
For customers on SMS v4.1 and earlier:
The SMS syslog format "ArcSight CEF" found in SMS 4.1 and earlier has swapped or missing fields, so the ArcSight connector does not receive the expected data.
Workaround: To correct this issue, the ArcSight CEF Format configuration on the SMS must be manually modified by adding a "dvchost" entry and changing the value of the "cs5" field.
Procedure:
- From the SMS client software, navigate to Admin → Server Properties → Syslog.
- From the Syslog Formats section select the appropriate Syslog entry (ArcSight CEF Format).
- Press "Copy" to copy the desired Syslog format. The "Edit" Syslog Format screen displays.
- Name the new Syslog format.
- In the "Pattern" window, find the entry "cs5=${deviceName}" and change it to "cs5=SMS Name", where "SMS Name" is the simple DNS host name (not the FQDN) of the SMS server sending the data to the ArcSight connector.
- In the "Pattern" window, find the entry "cs5Label=Device Name" and change the entry to "cs5Label=SMS Name".
- While still in the "Pattern" window, add the entry "dvchost=${deviceName}" to the new format.
- In the Remote Syslog for Events section, create a new Syslog server, select the newly created Syslog format, and point it to the ArcSight Connector.
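After applying the procedure above, it is worth confirming from the receiving side that the events actually carry the corrected fields before relying on them in ArcSight. The following script is an added example (not part of this article or of the SMS product) that parses the extension part of a CEF line and checks that "dvchost" is present, that "cs5Label" is "SMS Name", and that "cs5" holds the expected SMS host name. The two sample lines are constructed for illustration; the header values (signature id, filter name, severity) and the addresses are assumptions, not real SMS output.

```python
import re
from typing import Dict, List, Tuple

# A CEF line has seven pipe-separated header fields followed by the extension:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ...
# Inside the extension, '=' and '\' in values are escaped as '\=' and '\\'.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef(line: str) -> Dict[str, str]:
    """Return the header fields plus every extension key/value pair of one CEF line."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header pipes may be escaped as '\|'; split only on unescaped pipes, seven times.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {
        "cef_version": parts[0][len("CEF:"):],
        "device_vendor": parts[1],
        "device_product": parts[2],
        "device_version": parts[3],
        "signature_id": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    ext = parts[7]
    # Keys are located first; each value runs from its '=' to the next key boundary,
    # so values containing spaces (and escaped '=') are kept intact.
    matches = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw = ext[start:end]
        fields[m.group(1)] = re.sub(r"\\([\\=|])", r"\1", raw)  # undo CEF escaping
    return fields


def check_sms_workaround(line: str, expected_sms_name: str) -> Tuple[bool, List[str]]:
    """Verify one received line carries the fields the corrected SMS format should emit."""
    f = parse_cef(line)
    problems = []
    if "dvchost" not in f:
        problems.append("dvchost missing: device name is not mapped to the CEF device host field")
    if f.get("cs5Label") != "SMS Name":
        problems.append(f"cs5Label is {f.get('cs5Label')!r}, expected 'SMS Name'")
    if f.get("cs5") != expected_sms_name:
        problems.append(f"cs5 is {f.get('cs5')!r}, expected {expected_sms_name!r}")
    return (not problems, problems)


# Constructed sample lines: one from the unmodified 4.1 format, one from the corrected copy.
SAMPLE_BEFORE = (
    "CEF:0|TippingPoint|SMS|4.1|1234|Example Filter|5|"
    "src=10.0.0.5 dst=10.0.0.9 msg=flags\\=SA seen cs5=ips-edge-01 cs5Label=Device Name"
)
SAMPLE_AFTER = (
    "CEF:0|TippingPoint|SMS|4.1|1234|Example Filter|5|"
    "src=10.0.0.5 dst=10.0.0.9 dvchost=ips-edge-01 cs5=sms01 cs5Label=SMS Name"
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, problems = check_sms_workaround(sample, "sms01")
        print(label, "OK" if ok else "FAIL", problems)
```

Run it against a handful of lines captured at the ArcSight connector (or a syslog relay in front of it); any line that fails the check is still being produced by the old format or by a syslog server entry that was not switched to the new copy.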
For customers on SMS v4.2 and higher:
The SSLv3 POODLE vulnerability (CVE-2014-3566) resulted in SMS v4.2 disabling SSLv2 and SSLv3 on its secure web interfaces. This specifically affects the ArcSight Connectors because they rely on SSLv2 to handshake HTTPS communications; their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will be rejected.
Workaround:
Affected customers should contact the TippingPoint Technical Assistance Center (TAC). TAC will provide Hotfix 101159 and instructions that relax the SMS security posture to allow SSLv2 handshakes. The SMS will be modified to accept "SSLv2Hello", after which it completes the handshake with TLS. This change will not expose your SMS to the SSLv3 POODLE issue: any attempt to use or negotiate SSLv3 will continue to be rejected.
ArcSight CEF Format:
The ArcSight CEF format in SMS v4.2 has been updated to include the manual changes indicated for SMS 4.1 and earlier. If you are using a Syslog server with the "Log Type" set to ArcSight CEF format, ensure that you update your selection to ArcSight CEF Format v4.2.