SIEM Custom Parser. How to create new parsing rules & troubleshoot data sources


Contents

How to write and troubleshoot a McAfee ESM Custom Parser
    Outline
    Prepare: what do I need?
    Create a new data source (unless you are adding a rule for an existing data source)
    Create a new rule with the Policy Editor
        Stage 1 / 4: Categorization, tags, name and description
        Stage 2 / 4: Parsing
        Stage 3 / 4: Assign values to event fields
        Stage 4 / 4: Mapping. Parse date, set normalized action and severity
            Parsing the date format
            Normalizing the Action
            Normalizing the Severity
    Activate rule
        Enable the rule
        Distribute the policy to the receiver
        More about policies
    Test the new rule
        Importing log sample into the data source
        Displaying logs as they arrive on the receiver
Worked Example #1: McAfee Network Security Platform (NSP)
    Preparation
    Create a data source
    Stage 1 / 4
    Stage 2 / 4
    Stage 3 / 4
    Stage 4 / 4
    Testing
        How many log messages do we have?
        Inject some logs
        Where did those logs go?
        Tracking down the parsing problem
    Hints and Tips
Troubleshooting the data source
    No logs are appearing on the ESM console
        Logs are not (yet) being sent from the data source
        Logs are being sent, but to the wrong IP address of the receiver
        Logs are being sent, but blocked in transit from device to receiver
    Logs are arriving on the receiver, but nothing is displayed on the ESM console
        Double check your data source definition
        Check that the ESM is automatically polling the receiver to get new logs
        Sometimes, you may need to re-key the receiver for the ESM to receive events
        When polling the receiver, events are received, but the ESM console shows nothing
        The receiver says events were received, but the ESM console is empty
    Logs appear on the ESM console, but not all are parsed
        You see some events, but they are marked as Unknown event
Appendix A: Reference of Normalized IDs
Appendix B: Reference of custom types
Appendix C: Reference for Date/Time values
Appendix D: Regular expressions
    Commonly used regular expressions
    Examples
    Regular expression compatibility
    Things to avoid with regular expressions
    Internet References
    Recommended Reading
Appendix E: ASCII codes (useful for hex escapes in regular expressions)

How to write and troubleshoot a McAfee ESM Custom Parser

Document version history:
1.2  Incorporated feedback from Niall MacLeod, Mike Epplin & Emmett Bresko
1.1  Incorporated feedback from Edem Nyawouame, Boubker Elmouttahid and Scott Taschler
1.0  Initial version by Ian Jones

Thanks to Martin DeJongh, Boubker Elmouttahid, Niall MacLeod, Mike Epplin and Dave Karp for the inspiration in Amsterdam.

Outline

What do you do when you have a device that you want to integrate with the SIEM that is not on the supported products list? It might be that McAfee has not yet integrated this vendor's product, or it may be a very old legacy product. Alternatively, you may have written your own application in-house which generates logs that are important to monitor. Finally, you may come across devices that allow the format of their logs to be completely customized by the end customer, such as Apache: we can parse the logs in the default format that the product ships with, but not if a customer has chosen to modify that format. However, this can easily be addressed. This is when the Advanced SYSLOG Parser (ASP) rule comes to your rescue.

Here is a brief description of what you need to do:

Prepare: get a sample of the logs you wish to parse and the vendor documentation.
Categorize: choose the appropriate category for this type of event in the McAfee taxonomy.
Parse: using one or more regular expressions, parse the sample log into values.
Map fields: associate each value of the parsed log with a field in the event schema.
Set Action + Severity: define the action and severity fields in the event schema based on those values.
Activate rule: roll out the policy to the receivers that will be parsing incoming logs.
Test: send (or upload) logs in the format of the rule(s) you have defined, and validate the result.
Troubleshoot: if events are not being received, or are not parsed 100% correctly.

For the following process, you will need account privileges to add data sources, and in some cases system administrator privileges, such as to define custom types.

Prepare: what do I need?

You will need the following:

A sample of the log file that you wish to parse. Get as large a sample as you can. A short sample may be OK to begin with; however, the contents of device logs can vary substantially, with some fields being absent on some lines and present on others, presented in different ways (a hostname in some cases, an IP address in others), or in different formats, such as an IPv4 or IPv6 address. We'll see in the worked example the kinds of variations that can appear deep into a log file. This is vital in step 2, as we parse the logs into separate fields.

Vendor documentation concerning the meaning of each one of the fields. The second step in the process matches the log lines and breaks them down into the fields that interest us. We need to know the precise meaning of these fields in order to map the values into the right field of the McAfee schema (a process called normalization).

A tool to test your regular expression. While it is possible to test a few lines within the ESM console itself, we recommend you use a graphical tool such as regexr. You'll need an internet connection to use this tool, or to have installed Adobe Air and installed the tool off-line. For validation of a regular expression (or expressions) against very large log files, we suggest using scripts such as parselogs.py to automate the task.

(optional) A powerful text editor. Some log files contain both spaces and tabs, or combinations of both. In order to see whether white space is a real space, or a tab, or even two tabs with an empty field between them, such an editor is a powerful friend. We recommend the free tool Notepad++.

Create a new data source (unless you are adding a rule for an existing data source)

To build a totally new SYSLOG data source for the device and rule(s) that we are about to build, select the receiver, then click on the + icon to add a data source. This step is optional if you are writing a rule for an existing data source; in that case, make sure to select the data source when you open the policy editor in the next step.

Best practice: start from the Vendor/Model that implements as much of what you want as possible, then add to those rules. A data source built on a Linux server can profit from the many built-in rules from Vendor: Unix, Model: Linux (ASP).

Figure: a new data source, accepting generic SYSLOG and the ASP parser.

Create a new rule with the Policy Editor

From the ESM console, open the policy editor. Click on the [+] next to Receiver to expand it and show Advanced Syslog Parsers. You can see a list of all the existing Advanced Syslog Parser rules, whether they are enabled or disabled, the severity of the rule, and whether aggregation is on or off for the rule. You can filter these rules either by tags or (click on Advanced) by Device Type, Name, Severity or Origin. We will create a new Parser rule. A rule can be enabled or disabled in each policy within the policy editor; more on this later when we roll out policies to devices.

Stage 1 / 4: Categorization, tags, name and description

A. Name the rule. Assign a name, making it as descriptive as possible and consistent with other rules in the system and others you have defined.

B. Assign tags to the rule. It is a best practice to assign one or more tags, i.e. one or more categories to which this rule belongs. This helps in finding and grouping sets of rules created for a given device or application.

You can define new tag categories and new tags within ESM. This is very useful when writing several rules that logically belong together, and for finding sets of rules among the thousands that are provided with the ESM. For example, we can add a new tag called Network Security within the McAfee category.

C. Then set the category (normalized ID) for this rule. This is a key step, as it determines in which views and reports occurrences of events created by this rule will appear, and many correlation rules use this value as one of their conditions. It is very important to select the most relevant value in the taxonomy for the parsing rule, to get the greatest value from the SIEM content. The categories are hierarchical: in the screenshot below, the backdoor category has been selected, which is a subcategory of malware. It is best to make the category of the rule as specific as possible (backdoor will match backdoor and also its parent, malware), but you can select a top-level category if there is no more specific one which is relevant.

Refer to Appendix A for more information on the Normalized ID and the McAfee taxonomy.

D. Rules can be grouped together; the pull-down menu Rule Assignment Type provides a list of vendors to group the parsing rules by, and separates the advanced syslog parser events from those of other data sources.

E. If the log message does not contain a value for the severity, then the event will be assigned the value that is set here (default 25, on a scale of 1 to 100, 1 being the lowest and 100 the highest).

F. Finally, give the rule a clear, complete, human-readable description, with information complementary to that in the rule name.

Click Next to move to stage 2, Parsing.

Stage 2 / 4: Parsing

This is the heart of the log matching process. The original Berkeley SYSLOG had a format where the initial timestamp was followed by the hostname, then a process name with the process ID in square brackets, then the log message, something like:

Jul 14 13:45:07 mailgw sendmail[1257]: mail message

If your rule will always contain the same process name, you can specify this in the first field; however, this is optional.

If you know that 100% of all log lines from this data source will contain a given fixed string, then you can specify one (or more) content strings here. This is a pre-filter for optimization: only lines that match one of the content string(s) will be considered for matching by the regular expressions below. You need to be absolutely sure that all log lines contain this content string, otherwise they will never be parsed using the regex. If a log does not match the content string(s) in a rule, then the regular expression matching will be skipped, and the next rule that is enabled in the policy will be tested for a match.

Then paste in several log lines to work with as samples in the Sample Log Data section. Here are the first 2 lines from the log file used in the screenshot above, and in the worked example we'll see later:

<114>Mar 13 19:00:21 SyslogAlertForwarder: i1200 detected Outbound attack HTTP: Cross Site Scripting -ColdFusion Cross Site Scripting Vulnerability (severity = High) : > :80 (result = Inconclusive)
<116>Mar 13 19:00:22 SyslogAlertForwarder: i1200 detected Outbound attack HTTP: Microsoft GDI+ TIFF Memory Corruption Vulnerability (severity = Medium) :4690 -> :1090 (result = Inconclusive)

If the log data contains the SYSLOG header and you want to match on it (these example lines do contain such a header, with the <114> priority, date and process name always being present), then check the box [ ] Include syslog header in regular expression match.

Now enter at least one regular expression. Matching values are highlighted in blue in the log samples, and the parsed values are visible to the right (Regular Expression Matches), corresponding to each pattern within parentheses (the group) in the regular expression. It can be a good idea (though not mandatory) to write the regular expression to match the entire log line, in case you need to match additional fields later on. If you need to extract a value, put the pattern in parentheses, like this: (\d+), which would extract a value of one or more (the + sign) digits (\d), in other words an unsigned integer. For a quick reference on common regular expressions, please refer to Appendix D.

If you know that your log file may contain upper and lower case letters in some fields, it may be simpler to write the regular expression in one case and check the box [ ] Case Insensitive. If you check the box [ ] Only use regular expressions for parsing purposes, then the rule will only trigger if the content string matches; normally the rule will trigger if either the content string or the regular expression matches. If you check the box [ ] Trigger when data doesn't match, then the field assignment and mapping tabs will be disabled.

A good practice is to build up the regular expression incrementally, checking that each value is parsed out correctly as you go along, and that all your log line samples match: check the values highlighted in blue, and be sure to scroll along to check that the regular expression is matching all of the log. Note: only values that appear within parentheses will be highlighted in blue. The values are denoted in the group columns by regex#.value, so the first matching group of regex 1 is 1.1, the second group of regex 1 is 1.2, the first matching group of regex 2 would be 2.1, and so on. Multiple regular expressions are often required when the log format varies from a certain field onwards, or keyword=value pairs are present in the log.

Make sure that you know the meaning (from the vendor device documentation) of all the fields within the log; capture the values that are useful for your use cases from this device now or in the future, but don't capture values that you never plan to use. On the other hand, if there is a field that you might use in the future, group it with parentheses now; otherwise you will have to redo part of the field mapping phase which comes next, since adding a new group (value) in the middle of the existing ones changes their numbering. It is essential to understand the meanings of the fields in order to decide whether to capture their values and, even more important, where to map these values in the next step.

The above example shows the use of the regular expression authoring tool directly within the ESM console. Although it's possible to write all your regexes here, it's easier to work with a tool such as regexr or parselogs.py when using a large log example, or a complex log with many fields. Here is an example of regexr in action: start by pasting in the sample log lines, then build up the regular expression field by field, and verify, using the yellow pop-up window as you hold the mouse over the log sample, that each group corresponds with the value you wish to extract from the log. Please refer to the worked example to see how useful this can be.

Click Next to move to stage 3, Field Assignment.

Stage 3 / 4: Assign values to event fields

When the parser in stage 2 is able to extract all the values from the log, select the tab Field Assignment. Drag and drop the values on the right hand side (the values extracted from the log message) to the expression column next to the fields in the schema on the left. You can concatenate several fields and string values using simple expressions involving values and strings, such as 1.5 + Protocol.

For more complicated log file formats, you may have multiple regular expressions. In such cases, a field such as First Time might come from one of several possible expressions. ESM allows you to specify the regular expression values in order of preference, so that if one does not match, it will use the value in the second, and if that's empty, the third. Here's an example taken from the CEF parser:

If the field you wish to map your value to is not present, click + to add more fields. The list of custom types is displayed. If you do not find a field that fits your purpose, you can define custom types from the ESM properties menu (see below). These custom fields will then be available for you to map the values to when you click on the + button. You will need to be connected with system administrator privileges to define custom types.

You can edit an existing custom type, or define a new one. Please refer to Appendix B for a description of the standard custom types; this list may grow from one ESM version to another. As you conclude the mapping of the values to the fields in the ESM schema, be sure to check that two important fields, Action and Severity, have been mapped to the fields with those names. These are referenced in the final step in defining the parser rule.

Click Next to move to stage 4, Mapping.

Stage 4 / 4: Mapping. Parse date, set normalized action and severity

This is the last step in defining a parser rule. There are three parts:
1. Parsing the date format within the log message
2. Normalizing the Action found in the log message
3. Normalizing the Severity found in the log message to the McAfee scale of 1 to 100

Parsing the date format

The date/timestamp of the log message can be parsed using the variables defined in these fields. Many standard date/timestamps are recognized automatically by ESM. A full list of the formats used to decode the timestamp is given in Appendix C. If the log does not contain any information about the duration, or an indication of the end time, it is a best practice to set the event end time to be the same as the start time in the previous mapping section, and thus to use the same string to decode the start time and end time timestamps.

Normalizing the Action

In stage 3, a value from the log was mapped to the field Action. This is the place to normalize these action keys onto the Action values used within the McAfee SIEM. The legitimate Action values are as follows: add, alert, alert-drop, alert-reject, alert-sdrop, block, clean, clean-fail, continue, critical, debug, denied, drop, emergency, error, failure, false positives, health, infected, informational, modify, move, move-fail, notice, pass, quarantine, quarantine-fail, reject, remove, remove-fail, restart, sdrop, start, stop, success, trusted, untrusted, and warning. The ESM view Event Subtype Summary shows the action value parsed by this step.

Normalizing the Severity

Vendors measure the severity of the messages in their logs in numerous different ways. Some might use a numeric scale from 1-5, others 1-10, and still others use keywords. This is where you normalize these variations onto the severity scale used by McAfee, which runs from 1 to 100, where 1 is the lowest severity and 100 the highest. In stage 3, a value from the log was mapped to the field Severity. If the log messages contain the keywords Low, Medium and High, these could be mapped onto the values 25, 50 and 75 as follows. If the log does not have a severity key, then the value at the bottom will be used.

Activate rule

In order to activate the new rule, you need to enable it, and then roll out the policy to the receiver that will be parsing the logs.

Enable the rule

You only need to enable the rule once.

Distribute the policy to the receiver

Click on the Rollout Policy icon on the top right of the policy editor. If you didn't already save the rule (you put a lot of work into it, so you should!), then you'll be prompted to do so. Finally, you'll be prompted with the list of devices to distribute the policy to.

More about policies

When you've defined a parsing rule, it will be present in both the Default policy and the policy for the data source. If we open the policy editor with the receiver selected, we'll just see the Default policy. However, this receiver has four data sources, and clicking the triangle reveals them. Each one of these four data sources has its own policy. Let's compare two policies to see whether certain rules are enabled. We'll look for rules related to Linux by entering Linux in the Name field of the Advanced Filters to the right. Note how the Linux rules (technically, filters whose name contains Linux) are displayed, but are disabled. Now we click on the SecurityOnion policy (a Linux distribution for network security monitoring) and we see that the Linux rules are enabled, as this was defined as a Linux data source when it was created.

You can see all of the policies by clicking on the policy tree icon on the top left. The menu at the top left allows us to create a new policy. This lets us enable rules on a per-policy basis, then assign data sources to this policy; all those data sources will then automatically have the policy applied to them. For example, let's create a new policy, Linux and Snort. We can now enable a set of rules (Linux and Snort in this example), then drag and drop data sources onto this policy, and they will automatically have the policy applied to them. Here, we're looking at the rules enabled for the Linux and Snort policy:

Test the new rule

Now that we have defined the parser rule and deployed it to the receiver which will be accepting logs from the new devices, it's time to test the rule. You could just enable the device that's sending its logs to the ESM straight away; however, it is better to start with a small sample until you are satisfied the parser rule(s) work as you intend.

First, you need to get some sample logs from the device. If you don't already have a sample (such as from a SYSLOG server), then you could direct the device to a syslog server that just writes the logs to a file. If you don't have a syslog server to hand that you can use for this, then any Linux distribution is quickly customized for the task. Remember to enable the -r option for Linux-based syslog servers so they accept incoming logs from the network as well as logs originating from applications on the local host, then modify the syslog configuration file (/etc/syslog.conf or equivalent) to write the logs of a certain source to a file, restart the syslog daemon, and then generate the logs to this server. Failing that, there is a Windows utility that can receive your logs and is free for small-scale use, called Kiwi Syslog Server.

Importing log sample into the data source

Select the data source you are testing, and click Properties. Now select Upload from the Data Source Properties window (note that this only works for data sources of type syslog).

After browsing to the log file sample and selecting it, you should see the following. To initiate the log and flow gathering process manually (it will take place automatically every few minutes by default), click on the Get Events and Flows button. If your data source is only generating events, and no NetFlow/sFlow/IPFIX flow records, you can uncheck the Flows box before clicking Start.


Displaying logs as they arrive on the receiver

You can display the log data arriving on a given receiver in a streaming format, close to real time as it arrives. Click on the green graph to the right of the receiver icons. The log data can (and, for high volumes, should) be filtered so you can concentrate on the data source that you're working with. You can also customize which fields you wish to display in the streaming display. Click Start to initiate the streaming display, and Stop to end it. Clicking on a line will show the details of the log you select.

Worked Example #1: McAfee Network Security Platform (NSP)

The McAfee Network Intrusion Prevention System (NIPS) is known as Network Security Platform (NSP), and the manager as Network Security Manager (NSM). Full integration is provided as standard for the NSM using both SYSLOG and database queries, which has the advantage of consolidating all the logs from all the NSP sensors. This simple example parses the logs directly from the IPS sensor itself, the NSP.

Preparation

Here are a few sample logs that were captured with netcat listening on UDP port 514, so they contain the entire body of the SYSLOG message, including the Facility/Severity and the header:

<114>Mar 13 19:00:21 SyslogAlertForwarder: i1200 detected Outbound attack HTTP: Cross Site Scripting - ColdFusion Cross Site Scripting Vulnerability (severity = High) : > :80 (result = Inconclusive)
<117>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Outbound attack FTP: Root/Administrator Login Attempt (severity = Low) : > :21 (result = Not Applicable)
<118>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Outbound attack FTP: USER Command Used (severity = Informational) : > :21 (result = Not Applicable)
<118>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Outbound attack FTP: USER Command Used (severity = Informational) :3944 -> :21 (result = Not Applicable)
<118>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Outbound attack NETBIOS-SS: Windows NULL Session (severity = Informational) :1542 -> :139 (result = Not Applicable)
<118>Mar 13 19:00:26 SyslogAlertForwarder: i1200 detected Outbound attack FTP: USER Command Used (severity = Informational) : > :21 (result = Not Applicable)
<118>Mar 13 19:00:26 SyslogAlertForwarder: i1200 detected Outbound attack FTP: PASS Command Used (severity = Informational) : > :21 (result = Not Applicable)
<117>Mar 13 19:00:26 SyslogAlertForwarder: i1200 detected Inbound attack FTP: Invalid FTP Flow (severity = Low) :4484 -> :21 (result = Not Applicable)

This is what the bigger sample looks like in Notepad++; note how clicking on a word highlights every occurrence within the log file, which makes it easier to pick up the vendor values for severity or result while writing the parser. Now let's look at each field in the log in turn, in preparation for creating the parser:

<114>Mar 13 19:00:21 SyslogAlertForwarder: i1200 detected Outbound attack HTTP: Cross Site Scripting -ColdFusion Cross Site Scripting Vulnerability (severity = High) : > :80 (result = Inconclusive)

In the table below, the retained values, the field, and the regular expression that matches that field are in blue. The regular expressions are written for clarity, rather than for the best performance and precision, in this example. It's easier to prepare the regular expression interactively in phase 2, using the ESM GUI or the regexr tool.

Field | Interpretation | Keep? | Regular Expression | Schema field
<114> | SYSLOG facility and severity | No. This is not useful; use the severity from the log itself | <\d+> |
Mar 13 19:00:21 | Date/Timestamp | Yes | (\w+\s+\d+\s+\d\d:\d\d:\d\d)\s+ | Start time
SyslogAlertForwarder | Probably the process name | Yes (though the value may turn out to be constant) | (\w+):\s+ |
i1200 | Hostname of NSP | Yes | (\w+)\s | Hostname
detected | detected or blocked | Yes | (\w+)\s+ | Action
Outbound | Direction of attack with respect to corporate network | Yes | (\w+)\s+ | Direction (custom type)
attack | | No | attack\s+ |
HTTP | Protocol of attack | Yes | (\w+):\s+ | Protocol
Cross Site Scripting - ColdFusion Cross Site Scripting Vulnerability | Description of the attack signature | Yes | ([^\(]+)\(severity\s=\s | Signature
High | Priority / severity | Yes | (\w+)\)\.\s+ | Severity
 | Source machine | Yes | (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): | Source IP address
 | Source port | Yes | (\d+)\s+->\s+ | Source port
 | Target machine | Yes | (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): | Destination IP Addr
80 | Target port | Yes | (\d+)\s+ | Destination port
Inconclusive | Confidence | Yes | \(result\s=\s([^)]+)\) | Result

Finally, this is the first version of the regular expression that we have created to match these logs:

<\d+>(\w+\s+\d\d\s+\d\d:\d\d:\d\d)\s+(\w+):\s+(\w+)\s(\w+)\s+(\w+)\s+attack\s+(\w+):\s+([^\(]+)\(severity\s=\s(\w+)\)\.\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)\s+\(result\s=\s([^)]+)\)

Create a data source

We will start from scratch, and create a generic Syslog data source with a type of Advanced Syslog Parser. We want to know if there are any log messages that are not parsed by our rule, so we set Support Generic Syslogs to Log as Unknown Syslog event, as the default action is None, which would ignore unparsed messages.

So we've done the preparation work and laid the groundwork for the parser. Now let's put this into practice:

Stage 1 / 4

We will assign the name McAfee Network Security Platform Event. Tags: Advanced Syslog Parser (ASP), and Advanced Syslog Parser (ASP), McAfee NSM. This is not quite accurate, as we're matching the logs from the NSP, but it's close enough for this example. Default Normalized ID: Malware. Default Severity: 25 (this should be overridden by the severity in the NSP log). Rule Assignment Type: McAfee Network Security.

Stage 2 / 4

We will leave the process name blank. All of the log messages contain the fixed string attack, so we'll enter that as a content string to improve performance: log messages which do not contain this string will not be matched against the regular expression, which is a more computationally expensive process. We enter the regular expression developed above, paste in some of the sample log lines, and check the box [x] Include syslog header in regular expression match, since the sample contains the raw message, header included, as seen in the payload of the syslog message. We can see the values are parsed out correctly on the right hand side, under Regular Expression Matches.

Stage 3 / 4

Here we map the values from the right hand side to the fields on the left hand side. We add the custom values Sensor name, Direction and Command to the standard fields.

Stage 4 / 4

Map the Action key for detected (the value from the log) to alert (Action Value = McAfee alert sub-type). If the log is missing the action, then set the Action Value to Informational. Map High to 75, Medium to 50 and Low to 25. Now we click Finish, save the rule, and click Rollout to deploy it on the receiver. Now we are ready to test.

Testing

How many log messages do we have?

We have a sample log file for the device we're testing, called nsp3.log. Let's check how many log lines we have: the log sample file nsp3.log contains 515 lines, which is a good size for testing the parser. We start by clicking on the data source Network Security Platform that we created above, and setting the time window to Current Day. The Dashboard view is empty, as expected. Now we'll send some alerts:

Inject some logs

The result is not what we expected; we sent 515 log messages, yet only 319 were received on the ESM. Worse still, they are all classified as Unknown event, which means that we have a parsing error. Let's drill down on the events, just to make sure we're getting the right kind of events. When we look at the raw packet, it certainly is a log from the McAfee NSP. Something is going wrong with our parsing.

Where did those logs go?

Wait a minute: the log samples date from March 2013, whereas the current date is 11th May! Let's enlarge the time window beyond today to look at all the events, by selecting All at the top right. Aha! We still see hundreds of events classed as Unknown event, but we also see lots of events correctly parsed, and a peak in the event distribution for the month of March. So the events that were parsed correctly were inserted with March timestamps, and by selecting the right time interval we can see them.

Tracking down the parsing problem

Now that we can account for all our logs, let's address the parsing problem. We know that 319 out of 515 log messages were NOT parsed correctly, leaving only 196 that were parsed correctly. There are a couple of ways to look at this. Firstly, we can use the regexr tool. When we load the regular expression into the tool, together with the log sample, this is what we see:

The lines in blue indicate matches; the lines in white indicate log lines that were not parsed correctly. Here's one of those lines:

<118>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Outbound attack NETBIOS-SS: Windows NULL Session (severity = Informational) :1542 -> :139 (result = Not Applicable)

It looks fine, but the problem lies in the field following attack: NETBIOS-SS contains a hyphen, something we did not account for in the regular expression (\w+), which just matches alphanumeric sequences. No problem, we can extend this easily enough to include the hyphen with ([\w-]+). However, this is not the only problem.

Another tool for analyzing what is not matching is the python script parselogs.py. Let's see what happens when we use it to analyze this log sample, called nsp2.log. The regular expression has been saved in the file regexfile for convenience:

OK, we confirm that we have 515 lines, and only 196 lines out of 515 were parsed. Not very impressive! If we run the tool with the -d option to list all the lines that do not match, we uncover other errors in our regular expression. We can see that in addition to the protocol containing hyphens, the port number can sometimes be N/A rather than a numeric value, and the signature can contain parentheses!

Let's address these problems with the regex and run the tool again after each correction:

1. Protocol containing hyphens (regex changes from (\w+) to ([\w-]+)):
   End Statistics: You parsed 203 out of 515 (39%)
   A little bit better.

2. Allowing the port to be N/A (regex changes from (\d+) to (N/A|\d+)). Note that the regular expression alternation symbol | has a very low precedence, which allows us to avoid extra parentheses.
   End Statistics: You parsed 458 out of 515 (88%)
   Much better!

3. Allowing the signature to contain parentheses (regex changes from ([^\)]+) to (.+)). This is less efficient due to more backtracking, but it captures the troublesome signatures containing parentheses.
   End Statistics: You parsed 469 out of 515 (91%)
   There are still 46 lines that don't parse correctly. Debug mode shows that lots of lines contain the signaling protocol H.225, so we need to allow for that in the regular expression as well:

4. Protocol containing dots (regex changes from ([\w-]+) to ([\w\.-]+)):
   End Statistics: You parsed 505 out of 515 (98%)
   Nearly there, only 10 lines remain that don't parse correctly! There are also log lines where the IP address is missing and replaced with N/A, like the port number earlier. We need to allow for both possibilities with the alternation, as we did earlier:

5. Allow the IP address to be N/A (regex changes to (N/A|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})).

Now when we run the parselogs.py script, we get a 100% success rate! Now we can take the revised regular expression and paste it into the Parser. When we upload the sample log file again, we get a perfect success rate of 515 out of 515.
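The refinement loop above (count the matches, list the misses, fix the pattern, repeat) can be reproduced offline. The following is an added example, not the guide's parselogs.py and not a McAfee rule: the NSP regular expression is a reconstruction in the shape of the sample line quoted above, the six log lines are constructed (sensor name, IP addresses, ports and signatures are made up), and each line after the first exhibits exactly one of the five problems uncovered in the worked example, so each regex version matches one more line than the previous one.

```python
import re

# Constructed sample lines in the shape of the NSP SyslogAlertForwarder message
# quoted in the guide (hypothetical values, not real NSP output).
SAMPLE_LOGS = [
    "<118>Mar 13 19:00:25 SyslogAlertForwarder: i1200 detected Inbound attack HTTP: Suspicious URI (severity = Low) 10.1.1.6:40000 -> 10.2.2.9:80 (result = Not Applicable)",
    "<118>Mar 13 19:00:26 SyslogAlertForwarder: i1200 detected Outbound attack NETBIOS-SS: Windows NULL Session (severity = Informational) 10.1.1.5:1542 -> 10.2.2.9:139 (result = Not Applicable)",
    "<118>Mar 13 19:00:27 SyslogAlertForwarder: i1200 detected Inbound attack HTTP: Suspicious URI (severity = Low) 10.1.1.6:N/A -> 10.2.2.9:80 (result = Not Applicable)",
    "<118>Mar 13 19:00:28 SyslogAlertForwarder: i1200 detected Inbound attack TCP: Port Scan (Slow) (severity = Medium) 10.1.1.7:4444 -> 10.2.2.9:22 (result = Blocked)",
    "<118>Mar 13 19:00:29 SyslogAlertForwarder: i1200 detected Outbound attack H.225: Malformed Setup (severity = High) 10.1.1.8:1720 -> 10.2.2.9:1720 (result = Not Applicable)",
    "<118>Mar 13 19:00:30 SyslogAlertForwarder: i1200 detected Inbound attack ICMP: Echo Flood (severity = Low) N/A:N/A -> 10.2.2.9:N/A (result = Not Applicable)",
]

# Names for the eleven capture groups, in order (these become 1.1 .. 1.11 in the Mapping stage)
FIELDS = ["timestamp", "sensor", "direction", "protocol", "signature", "severity",
          "src_ip", "src_port", "dst_ip", "dst_port", "result"]

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
IPV4_OR_NA = r"(N/A|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


def make_pattern(proto, port, sig, ip):
    """Assemble the (hypothetical) NSP rule from the sub-patterns that change between versions."""
    return (r"^<\d+>(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) SyslogAlertForwarder: (\S+) detected "
            r"(\w+) attack " + proto + r": " + sig + r" \(severity = (\w+)\) "
            + ip + r":" + port + r" -> " + ip + r":" + port + r" \(result = ([^\)]+)\)$")


# The five refinement steps from the worked example, applied cumulatively.
REGEX_VERSIONS = [
    ("0 initial",             make_pattern(r"(\w+)",      r"(\d+)",     r"([^\)]+)", IPV4)),
    ("1 hyphen in protocol",  make_pattern(r"([\w-]+)",   r"(\d+)",     r"([^\)]+)", IPV4)),
    ("2 port may be N/A",     make_pattern(r"([\w-]+)",   r"(N/A|\d+)", r"([^\)]+)", IPV4)),
    ("3 parens in signature", make_pattern(r"([\w-]+)",   r"(N/A|\d+)", r"(.+)",     IPV4)),
    ("4 dot in protocol",     make_pattern(r"([\w\.-]+)", r"(N/A|\d+)", r"(.+)",     IPV4)),
    ("5 IP may be N/A",       make_pattern(r"([\w\.-]+)", r"(N/A|\d+)", r"(.+)",     IPV4_OR_NA)),
]


def parse_stats(pattern, lines):
    """Count the lines a rule matches and keep the misses (the guide's -d debug listing)."""
    rx = re.compile(pattern)
    misses = [line for line in lines if rx.match(line) is None]
    return len(lines) - len(misses), len(lines), misses


def refine(lines=SAMPLE_LOGS):
    """Return {version label: lines matched} for every refinement step."""
    return {label: parse_stats(pat, lines)[0] for label, pat in REGEX_VERSIONS}


def extract(line, pattern=REGEX_VERSIONS[-1][1]):
    """Map the capture groups of the final rule to named fields, or None on a miss."""
    m = re.match(pattern, line)
    return dict(zip(FIELDS, m.groups())) if m else None


if __name__ == "__main__":
    for label, pat in REGEX_VERSIONS:
        matched, total, misses = parse_stats(pat, SAMPLE_LOGS)
        print("%-22s You parsed %d out of %d (%d%%)" % (label, matched, total, 100 * matched // total))
        for miss in misses:
            print("   MISS:", miss[:72])
```

Running the block prints the match count for each version together with the unmatched lines, which is exactly the information needed to decide the next correction; `extract` shows what the final rule delivers to the Mapping stage, including the parenthesized signature that version 3 unlocked.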

Hints and Tips

There are a few things you can do to save time:

- To avoid getting any logs from your data source other than those you're testing, either avoid redirecting the SYSLOG messages from that source until you've tested your parser, or create the data source with a dummy IP address. You can still upload logs for testing, but you won't get any other logs that might confuse the process.
- If you imported (or injected) a lot of logs and then make an improvement to the parser, it can be hard to see what's going on when you re-import your test sample. There are two things you can do, either:
  o Select the line in the Event Summary View, then select Delete, or
  o Delete and re-create the data source. This takes slightly longer.

When you wish to find your rule to edit or improve it, a quick way is to click on Advanced in the policy editor and select the origin to be User Defined. Another way to do this is to define a tag, or tag group, and set this within your rule on the General tab of the rule.

Don't re-invent the wheel! Search for existing rules and look at how they work. You can search either by name (e.g. Linux), or by selecting the device type Linux as a filter in the advanced criteria. As of ESM you can double-click a rule to inspect it. If you make changes, you'll be prompted to enter a new name for the rule. Previous versions require that you Copy then Paste the rule before you can click on the copy to view and edit it.

Another way to edit rules: as of ESM 9.2, you can view the entire text of the rule from Tools > Edit ASP Rule Text. This can be useful when you want to review everything in a rule on one screen, or to create several rules which are similar to each other (another way is to copy and paste the original rule and edit it).

Troubleshooting the data source

No logs are appearing on the ESM console

If you believe that the device(s) are sending logs to the receiver (which may be the same address as the ESM in the case of a combo appliance), then the first thing to do is to check whether the logs are actually being received by the network interface of the ESM. The most basic way to do this is to run the tcpdump command on the receiver, listening for incoming SYSLOG messages. SYSLOG uses UDP (or TCP) port 514, though it can also use TLS. You can also use the stream viewer within the ESM GUI (version 9.2 or later) to view the log data as seen by the receiver. The following command will display any incoming log messages using SYSLOG on port 514:

tcpdump port 514

Here we confirm that we are receiving syslog messages from data sources with IP addresses , 101 and 102. If you are already receiving logs from several other data sources, you might be inundated by those messages. You can further filter the tcpdump display to show only the messages coming from the data source you are troubleshooting, using the host IPADDRESS option and the syslog port of 514 within tcpdump. host will match a source or destination address, appropriate for push or pull forms of log collection; src will match just the sender, which is well suited to SYSLOG senders, which work in push mode.

tcpdump host IPADDRESS and port 514

Here we confirm that we are indeed receiving syslog messages from the data source. To confirm that we're getting the type of log message we are expecting, you can specify that tcpdump display the payload of the log in ASCII text with the -A option:

tcpdump -A src IPADDRESS and port 514

Here we can see this data source is a Cisco PIX.

On a busy network, the tcpdump process will slow down if it is doing DNS resolution of hostnames, which you can disable using tcpdump -n followed by the other parameters. If you are not receiving any events on the receiver, investigate the following possible causes:

Logs are not (yet) being sent from data source

Some devices may require that you restart the syslog daemon before they will send logs (most Linux and Unix OS types). Others may require that you click Apply, or exit the configuration process, or in some extreme cases, that you reboot the device before logs are generated. Many Linux/Unix SYSLOG daemons will determine the facility, severity and SYSLOG destination servers from a configuration file, such as:

/etc/syslog.conf                 # BSD syslog, including Mac OS X
/etc/rsyslog.conf                # rsyslog
/etc/syslog-ng/syslog-ng.conf    # SYSLOG-NG

The SYSLOG daemon can be forced to re-read the configuration file after you've changed it with a command like this (for rsyslogd):

kill -HUP `cat /var/run/rsyslogd.pid`

Mac OS X SYSLOG requires two lengthier commands:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Several devices will generate SYSLOG messages over the network only if the SYSLOG facility and severity criteria are met. For example, this Cisco IOS device is configured to send logs at facility local3, and severity warning or higher (more important):

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging
Router(config)#service timestamps debug datetime localtime show-timezone msec
Router(config)#service timestamps log datetime localtime show-timezone msec
Router(config)#logging facility local3
Router(config)#logging trap warning
Router(config)#end

Note that this means that log severities of Notice, Informational and Debug would not be sent.
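The facility and severity that the device was configured with travel inside the message: the `<118>` at the start of the NSP line is the syslog PRI value, facility * 8 + severity. The following added example (not part of the guide, and not a McAfee tool) decodes that prefix using the RFC 5424 facility and severity tables, checks whether a message would clear a Cisco-style `logging trap warning` threshold, and sends one constructed message over UDP to a local listener on 127.0.0.1 as a stand-in for the receiver, which is the same check tcpdump performs on the real appliance. The listener port is ephemeral rather than 514 so the demo runs unprivileged; the message text is constructed.

```python
import re
import socket

# RFC 5424 facility codes 0..23 and severity codes 0..7 (standard names, not page values)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]


def decode_pri(message):
    """Split the leading <PRI> of a syslog line into (facility name, severity name)."""
    m = re.match(r"^<(\d{1,3})>", message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix: %r" % message[:16])
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def passes_trap_level(message, trap="warning"):
    """Mimic 'logging trap <level>': only severities numerically <= the trap level are sent."""
    _, severity = decode_pri(message)
    return SEVERITIES.index(severity) <= SEVERITIES.index(trap)


def loopback_check(message, timeout=2.0):
    """Deliver one syslog datagram to a local UDP listener and return (payload, sender address).

    A receive timeout (rather than a hang) is what 'nothing is arriving' looks like
    when the sender is misconfigured or filtered.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", port))
        data, addr = listener.recvfrom(65535)
        return data.decode("utf-8"), addr[0]
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    # Constructed message in the shape of the Cisco example above (local3 = 19, warning = 4 -> PRI 156)
    msg = "<156>Mar 13 19:00:25 Router: %SYS-4-CONFIG_I: Configured from console"
    print(decode_pri(msg), "sent past trap warning:", passes_trap_level(msg))
    print("received:", loopback_check(msg))
```

Decoding the PRI is a quick sanity check when a device appears silent: if the messages you do see all carry severities above the configured trap level, the device is filtering them before they leave, which no amount of receiver-side troubleshooting will fix.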
Logs are being sent, but to the wrong IP address of the receiver

Double check the IP address of the receiver which the logs will be sent to, and confirm that this is indeed the SYSLOG destination defined on the data source.

Logs are being sent, but blocked in transit from device to receiver

It may be that logs are being correctly generated by the data source and sent to the correct IP address of the receiver, but are being blocked by an intermediate security device such as a router/switch ACL or a firewall. Run the traceroute command from the data source (or another device on the same subnet) and verify each hop for a filter or firewall rule that would block SYSLOG traffic (UDP (or TCP) traffic on port 514 to the receiver).

Logs are arriving on the receiver, but nothing displayed on ESM console

If you have confirmed above that the logs are definitely arriving on the receiver, investigate the following:

Double check your data source definition

The receiver is designed to prevent unauthorized data sources from sending logs to the SIEM. A firewall is integrated into the receiver that will drop log messages from any data source that is not explicitly declared on the receiver. This protects the SIEM from potential denial of service from SYSLOG floods and from pollution by unauthorized log sources. During the system integration phase, it is possible to configure the receiver in a learning mode, which will create candidate data sources based on all the log information received while the receiver is in this learning state. The SIEM analyst can then confirm the valid data sources and types, which will then be created. An alternative method is to prepare a list of valid data sources and import them as a text file into the receiver. Confirm that you have declared the right source IP address for the device sending you logs, and that the device vendor and model are correct.


Check that the ESM is automatically polling the receiver to get new logs

Click on the receiver properties, then Events, Flows and Logs. The checkbox Auto Download Events should be checked.

Sometimes, you may need to re-key the receiver for the ESM to receive events

When the receiver is seeing the logs arrive and the data source is correct, but no log of any sort is being received by the ESM from the receiver, it may be that the receiver and ESM are out of phase and require their communications channel to be re-established. This is quite common in an ESXi environment during initial setup, due to some limitations in the VMware virtual network switch. This is called re-keying. On the receiver, select Properties, then Key Management, Key device, and enter a new password for the encrypted communications channel between the receiver and ESM.

When polling the receiver, events are received, but the ESM console shows nothing

One way this is possible is if you are importing (or injecting) logs that were generated in the past (at least, with respect to the time interval that the ESM views are showing). For example, the ESM console is showing the current day's worth of events. Then you import logs from your test device or test log sample file, and you see some events received. However, the ESM console shows no events. What could be going on?

Set the ESM time interval to All. Now the ESM console shows all the events for this data source, which will include the historical events you imported outside the time window previously displayed.

The receiver says events were received, but ESM console is empty

The ESM console is set by default not to refresh the views automatically, so you may have events waiting to be displayed. You can always force the views to be updated with the latest events by clicking the green refresh icon, or you can set the interval at which ESM will refresh the views automatically from Options > Views.

Logs appear on ESM console, but not all are parsed

This can happen when your rule is matching some of the logs, but there are a few where there's a variation that is not matched by the regular expression, or there are logs generated by the device that are in multiple different formats. This usually requires writing a new rule, unless the regular expression in an existing rule can be adapted. When creating a new data source from the basic Advanced Syslog Parser, the window looks like this: Note that the default behavior is Do nothing, which means that if the log cannot be parsed, it will be dropped.

If you set the default behavior to Parse as unknown, you will at least see the number of events that were not parsed, and be able to view the raw logs that failed to be parsed, so you may revise an existing rule or add a new one to cope with the new log format. If you set Support Generic Syslogs to Parse as generic syslog, then rudimentary parsing will be applied to the incoming log message, and the message will normally appear in the view. This can help troubleshooting in some circumstances, as you can immediately see what's going on; however, there are two good reasons not to do this (other than for short periods):

1. Since the parsing is of the basic syslog message, the most you can hope to get is the timestamp, syslog sender, the application name, process ID and the message. There will be no categorization applied: ALL messages will be uncategorized.
2. This setting can create a lot of Data source rules, which are automatically learned rules based on the first part of the log. Inspecting these can be a good guide for deciding the ASP rules you need to code, but you can quickly accumulate a lot of these rules, which may impact receiver performance. You can however purge these auto-learned rules.

You see some events, but they are marked as Unknown event

When we display the event dashboard, we can see the events are getting in by drilling down to the packet details. Selecting the Packet tab (and fetching the packet if Auto get packet is not checked) will show the log. This is very useful when identifying the logs that are not being matched by one of the parsing rules.


Appendix A Reference of Normalized IDs

The normalized ID in the McAfee SIEM is a unique numerical reference into the Taxonomy, and provides the classification of an event. It is very important that each event generated by a rule is categorized with the most appropriate Normalized ID, so that the event will appear in the right dashboards and reports, and will trigger the correlation rules provided with the product. The Taxonomy, or list of Normalized IDs, is available in the Policy editor: select Normalization under the Rule Types. The Taxonomy of Normalized IDs in the Policy Editor shows the hierarchy, e.g. Authentication > Login > Admin Login. It is not currently possible for customers to modify the normalized IDs; however, McAfee continues to revise and extend the taxonomy. The powerful Normalized Dashboard View shows the top level category in the taxonomy, followed by the sub-group. This View has been defined so that the normalized sub-group pane is bound to the Normalized group pane, and the Event summary pane in turn is bound to the events. In the screenshot below, the Malware category has been selected, and the normalized sub-group pane shows event groups categorized as Malware.

You can see how these View panes are linked to the Event Taxonomy below: The Taxonomy of Normalized IDs in the Policy Editor, showing the Malware hierarchy.

Appendix B Reference of custom types

The table below lists the names and data types of the custom types which are pre-defined with the ESM, which custom field is associated with each custom type, and whether it is associated with the Event Field or the Flow Field, or in some cases, both. It is very important to note that each Custom Field can only be used once, but there are several custom types that map to the same custom field. This means that if you select the custom type Confidence (which uses Custom Field 8), then you will not be able to use any other custom type that shares Custom Field 8, such as Cc, Contact_Nickname or Database_Name. You can always define a new custom type that maps to a different Custom Field in the event of a conflict, up to the limit of the number of custom fields available. You can also create sub-fields of a custom field, where a single 8 byte field can be broken down into as many as 8 1-byte fields.

Name                     | Data type                       | Event Field                       | Flow Field
Access_Resource          | Random String                   | Custom Field - 21 (Long)          | None
Application              | String                          | Custom Field - 1                  | None
Application_Layer        | Signature ID                    | None                              | Custom Field - 4
Application_Protocol     | String                          | Custom Field - 1                  | None
Authoritative_Answer     | String                          | Custom Field - 10                 | None
Bcc                      | Random String                   | Custom Field - 9                  | None
Bytes_from_Client        | Accumulator Value               | Accumulator Value - non-indexed   | None
Bytes_from_Server        | Accumulator Value               | Accumulator Value - non-indexed   | None
Bytes_Received           | Accumulator Value               | Accumulator Value - non-indexed   | None
Bytes_Sent               | Accumulator Value               | Accumulator Value - non-indexed   | None
Catalog_Name             | Random String                   | Custom Field - 25 (Long)          | None
Category                 | Random String                   | Custom Field - 21 (Long)          | None
Cc                       | Random String                   | Custom Field - 8                  | None
Client_Version           | Random String                   | Custom Field - 9                  | None
Command                  | String                          | Custom Field - 2                  | None
Confidence               | Unsigned Integer                | Custom Field - 8                  | None
Contact_Name             | String                          | Custom Field - 6                  | None
Contact_Nickname         | String                          | Custom Field - 8                  | None
Cookie                   | Random String                   | Custom Field - 9                  | None
Count                    | Accumulator Value               | Accumulator Value - non-indexed   | None
Creator_Name             | Random String                   | Custom Field - 24 (Long)          | None
Database_Name            | String                          | Custom Field - 8                  | None
DB2_Plan_Name            | Random String                   | Custom Field - 21 (Long)          | None
Delivery_ID              | Random String                   | Custom Field - 26 (Long)          | None
Description              | Random String                   | Custom Field - 27 (Long)          | None
Destination User         | String                          | Custom Field - 6                  | Custom Field - 1
Destination_Filename     | Random String                   | Custom Field - 9                  | None
Destination_Hostname     | Random String                   | Custom Field - 21 (Long)          | None
Destination_UserID       | Random String                   | Custom Field - 27 (Long)          | None
Destination_Zone         | Random String                   | Custom Field - 22 (Long)          | None
Device_IP                | IP Address (v4 and v6)          | Custom Field - 25 (Long)          | None
Device_Port              | Unsigned Integer                | Custom Field - 27 (Long)          | None
Direction                | String                          | Custom Field - 10                 | None
DNS_Class                | String                          | Custom Field - 8                  | None
DNS_Name                 | Random String                   | Custom Field - 5                  | None
DNS_Type                 | String                          | Custom Field - 6                  | None
Domain                   | String                          | Custom Field - 3                  | None
Elapsed_Time             | Accumulator Value               | Accumulator Value - non-indexed   | None
End_Page                 | Unsigned Integer                | Custom Field - 9                  | None
Event_Class              | Random String                   | Custom Field - 21 (Long)          | None
External_Application     | Random String                   | Custom Field - 25 (Long)          | None
External_DB2_Server      | Random String                   | Custom Field - 26 (Long)          | None
External_EventID         | Long Custom (16 byte, indexed)  | Custom Field - 22 (Long)          | None
External_SubEvent        | Long Custom (16 byte, indexed)  | Custom Field - 23 (Long)          | None
File_Hash                | GUID                            | Custom Field - 27 (Long)          | None
File_Operation           | String                          | Custom Field - 5                  | None
File_Operation_Succeeded | String                          | Custom Field - 6                  | None
File_Type                | Random String                   | Custom Field - 24 (Long)          | None
Filename                 | Random String                   | Custom Field - 3                  | None
Flow_Flags               | Unsigned Integer                | None                              | Custom Field - 1
From                     | Random String                   | Custom Field - 5                  | None
From_Address             | Random String                   | Custom Field - 24 (Long)          | None
FTP_Command              | Random String                   | Custom Field - 25 (Long)          | None
Grid_Master_IP           | IP Address (v4 and v6)          | Custom Field - 22 (Long)          | None
Hops                     | Unsigned Integer                | Custom Field - 8                  | None
Host                     | String                          | Custom Field - 4                  | None
HTTP_Layer               | Signature ID                    | None                              | Custom Field - 5
HTTP_Req_Cookie          | Random String                   | None                              | Custom Field - 3
HTTP_Req_Host            | Random String                   | None                              | Custom Field - 5
HTTP_Req_Method          | Random String                   | None                              | Custom Field - 6
HTTP_Req_Reference       | Random String                   | None                              | Custom Field - 4
HTTP_Req_URL             | Random String                   | None                              | Custom Field - 2
HTTP_Resp_Length         | Unsigned Integer                | None                              | Custom Field - 5
HTTP_Resp_Status         | Unsigned Integer                | None                              | Custom Field - 4
HTTP_Resp_TTFB           | Unsigned Integer                | None                              | Custom Field - 6
HTTP_Resp_TTLB           | Unsigned Integer                | None                              | Custom Field - 7
HTTP_User_Agent          | Random String                   | None                              | Custom Field - 7
Interface                | String                          | Custom Field - 8                  | None
Job_Name                 | Random String                   | Custom Field - 5                  | None
Job_Type                 | Random String                   | Custom Field - 27 (Long)          | None
Language                 | Random String                   | Custom Field - 10                 | None
Local_User_Name          | Random String                   | Custom Field - 5                  | None
Logical_Unit_Name        | Random String                   | Custom Field - 24 (Long)          | None
LPAR_DB2_Subsystem       | Random String                   | Custom Field - 25 (Long)          | None
Mail_ID                  | Random String                   | Custom Field - 21 (Long)          | None
Mainframe_Job_Name       | Random String                   | Custom Field - 5                  | None
Message_ID               | Random String                   | Custom Field - 24 (Long)          | None
Message_Text             | Random String                   | Custom Field - 9                  | None
Method                   | String                          | Custom Field - 5                  | None
Nat_Details              | Custom                          | Custom Field - 9                  | Custom Field - 1
  NAT_Address            | IPv4 Addr (sub-field)           |                                   |
  NAT_Port               | Unsigned Integer (sub-field)    |                                   |
  NAT_Type               | Unsigned Integer (sub-field)    |                                   |
Network_Layer            | Signature ID                    | None                              | Custom Field - 1
NTP_Client_Mode          | String                          | Custom Field - 5                  | None
NTP_Offset_To_Monitor    | Unsigned Integer                | Custom Field - 8                  | None
NTP_Opcode               | String                          | Custom Field - 10                 | None
NTP_Request              | String                          | Custom Field - 9                  | None
NTP_Server_Mode          | String                          | Custom Field - 6                  | None
Num_Copies               | Unsigned Integer                | Custom Field - 6                  | None
Object                   | String                          | Custom Field - 5                  | None
Object_Type              | String                          | Custom Field - 2                  | None
PID                      | Long Custom (16 byte, indexed)  | Custom Field - 24 (Long)          | None
Policy_Name              | Random String                   | Custom Field - 23 (Long)          | None
Priority                 | Unsigned Integer                | Custom Field - 8                  | None
Process_Name             | Random String                   | Custom Field - 23 (Long)          | None
Query_Response           | String                          | Custom Field - 9                  | None
Queue_ID                 | String Literal                  | Custom Field - 27 (Long)          | None
Recipient_Count          | Accumulator Value               | Accumulator Value - non-indexed   | None
Recipient_ID             | Random String                   | Custom Field - 23 (Long)          | None
Referer                  | Random String                   | Custom Field - 10                 | None
Request_Type             | Random String                   | Custom Field - 24 (Long)          | None
Response_Code            | String                          | Custom Field - 10                 | None
Response Time            | Custom                          | Custom Field - 10                 | None
  Seconds                | Unsigned Integer (sub-field)    |                                   |
  Milliseconds           | Unsigned Integer (sub-field)    |                                   |
RTMP_Application         | Random String                   | Custom Field - 9                  | None
Sensor_Name              | String                          | Custom Field - 8                  | None
Sensor_Type              | String                          | Custom Field - 10                 | None
Sensor_UUID              | Random String                   | Custom Field - 9                  | None
Session_Layer            | String                          | None                              | Custom Field - 3
Signature_Name           | Random String                   | Custom Field - 24 (Long)          | None
SNMP_Error_Code          | String                          | Custom Field - 10                 | None
SNMP_Item                | Random String                   | Custom Field - 6                  | None
SNMP_Item_Type           | String                          | Custom Field - 8                  | None
SNMP_Operation           | String                          | Custom Field - 5                  | None
SNMP_Version             | String                          | Custom Field - 9                  | None
Source_User              | String                          | Custom Field - 7                  | None
Source_Context           | Random String                   | Custom Field - 25 (Long)          | None
Source_UserID            | Random String                   | Custom Field - 26 (Long)          | None
Source_Zone              | Random String                   | Custom Field - 21 (Long)          | None
Spam_Score               | Float                           | Custom Field - 8                  | None
SQL_Statement            | Random String                   | Custom Field - 27 (Long)          | None
Start_Page               | Unsigned Integer                | Custom Field - 8                  | None
Step_Count               | Random String                   | Custom Field - 24 (Long)          | None
Step_Name                | Random String                   | Custom Field - 25 (Long)          | None
Subject                  | Random String                   | Custom Field - 10                 | None
SWF_URL                  | Random String                   | Custom Field - 5                  | None
Table_Name               | Random String                   | Custom Field - 27 (Long)          | None
Target_Class             | Random String                   | Custom Field - 26 (Long)          | None
Target_Context           | Random String                   | Custom Field - 23 (Long)          | None
TC_URL                   | Random String                   | Custom Field - 6                  | None
Threat_Name              | Random String                   | Custom Field - 26 (Long)          | None
To                       | Random String                   | Custom Field - 6                  | None
To_Address               | Random String                   | Custom Field - 25 (Long)          | None
Transport_Layer          | Signature ID                    | None                              | Custom Field - 2
URL                      | Random String                   | Custom Field - 8                  | None
User_Agent               | Random String                   | Custom Field - 6                  | None
User_Nickname            | String                          | Custom Field - 5                  | None
Version                  | Random String                   | Custom Field - 10                 | None
Volume_ID                | Random String                   | Custom Field - 27 (Long)          | None

Appendix C Reference for Date/Time values

Directive          | Synonym | Meaning                                                                                          | Example
%a                 | %A      | Day of the week in the locale's weekday names. Either the abbreviated or full form may be used   | Mon, Monday / Tue, Tuesday (English locale)
%b                 | %B, %h  | Month in the locale's month names. Either the abbreviated or full form may be used               | Jan, January / Feb, February
%c                 |         | Locale's appropriate date and time representation                                                |
%C                 |         | Century number (for 2013)                                                                        |
%d                 |         | Day of the month                                                                                 | 02, 15, 31
%D                 | %e      | Equivalent of %d/%m/%y                                                                           | 25/12/2013
%.3f, %.6f, %.9f   |         | Fractional milliseconds, microseconds, nanoseconds                                               |
%H                 |         | Hour in 24 hour clock notation                                                                   | 5, 07, 17
%I                 |         | Hour in 12 hour clock notation                                                                   | 1, 07, 10
%j                 |         | Day number of the year                                                                           | 365
%m                 |         | Month number (leading zeros OK)                                                                  | 01, 5, 12
%M                 |         | Minute (leading zeros OK)                                                                        | 05, 7, 33, 59
%n                 | %t      | White space                                                                                      |
%p                 |         | Locale's representation of A.M. or P.M.                                                          |
%r                 |         | 12 hour clock notation of AM/PM time = %I:%M:%S %p                                               | pm
%R                 |         | Time as %H:%M                                                                                    | 23:46
%s                 |         | Seconds since epoch                                                                              |
%S                 |         | Seconds (leading zeros OK)                                                                       | 05, 12, 59
%T                 |         | Time expressed as %H:%M:%S                                                                       | 17:55:18
%U                 |         | Week number of the year (Sunday = first day of the week)                                         |
%w                 |         | Weekday as a decimal 0..6, Sunday = 0                                                            |
%W                 |         | Week number of the year (Monday = first day of the week)                                         |
%x                 |         | Date in locale's format                                                                          |
%X                 |         | Time in locale's format                                                                          |
%y                 |         | Year within century                                                                              |
%Y                 |         | Year with century                                                                                |
%%                 |         | Replaced with a literal %                                                                        |
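Most of these directives are the strftime/strptime family, so Python's datetime.strptime can be used to try a date format before it goes into Stage 4 of a rule. The following added example (not from the guide) parses a timestamp with a format written in the notation above, translates the guide's fractional-second directives %.3f/%.6f/%.9f to strptime's %f (assumption: the directive does not include the decimal point), and, when the format carries no year, infers the year from the receipt time. That last case is exactly the BSD syslog header of the worked example: "Mar 13 19:00:25" has no year, which is why the injected March sample did not show in a May "today" view.

```python
import re
from datetime import datetime


def to_python_format(esm_format):
    """Translate the guide's %.3f / %.6f / %.9f directives to strptime's %f."""
    return re.sub(r"%\.[369]f", "%f", esm_format)


def parse_timestamp(text, esm_format, received=None):
    """Parse a log timestamp written in the Appendix C notation.

    If the format has no year directive and a receipt time is given, the year is
    inferred: a timestamp later than the receipt time cannot be this year's, so it
    is taken to belong to the previous year (the usual wrap at New Year).
    """
    fmt = to_python_format(esm_format)
    if "%.9f" in esm_format:
        # strptime's %f accepts at most six digits: truncate nanoseconds to microseconds
        text = re.sub(r"(\.\d{6})\d{3}", r"\1", text)
    stamp = datetime.strptime(text, fmt)
    if received is not None and "%Y" not in fmt and "%y" not in fmt:
        stamp = stamp.replace(year=received.year)
        if stamp > received:
            stamp = stamp.replace(year=received.year - 1)
    return stamp


if __name__ == "__main__":
    # Constructed inputs; the first is the NSP header shape from the worked example
    print(parse_timestamp("Mar 13 19:00:25", "%b %d %H:%M:%S", datetime(2013, 5, 11)))
    print(parse_timestamp("13/03/2013 19:00:25.123456789", "%d/%m/%Y %H:%M:%S.%.9f"))
```

Note that strptime without a year assumes 1900, which is not a leap year, so "Feb 29" in a year-less format raises ValueError; a rule that parses such headers needs the year supplied another way.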

Appendix D Regular expressions

Commonly used regular expressions

Any character that is not a special character (see below) is matched literally.

Wildcard: .   e.g. \<.+\> matches an HTML tag (note that . does not match a newline)

Character sets: sets and/or ranges enclosed within square brackets, e.g.
  [0-9]         Decimal digits
  [aeiou]       English vowels
  [a-zA-Z0-9]   Alphanumeric characters
  [^0-9]        Anything but a digit
  [^,]          Anything but a comma

Alternation: | separates two alternate regular expressions, e.g. Android|iOS or \d+|N/A

Quantifiers:
  Zero or more   *       e.g. [\w-]*       Optional hostname
  One or more    +       e.g. \s+          At least one white space character
  Zero or one    ?       e.g. Colou?r      British or American spelling
  Exactly N      {N}     e.g. \(\d{3}\)    US area code
  From N to M    {N,M}   e.g. \d{1,3}      1-3 decimal digits

Groups: a pattern enclosed in parentheses is grouped, so it can be mapped to the McAfee schema, e.g. (\d+)
  Transaction read (\d+) bytes, wrote (\d+) bytes
  There are two groups, matching two integers. In classic regular expressions these are \1 and \2; in our Mapping phase (3), these would be 1.1 and 1.2.

Shorthand notation:
  ^ (\A)   Start of line (string)
  $ (\Z)   End of line (string)
  \d       Digit (alias for [0-9])
  \D       Anything which is not a digit (alias for [^0-9])
  \w       Word character (= [a-zA-Z0-9_])
  \W       Anything which is not a word character (= [^a-zA-Z0-9_])
  \s       Whitespace
  \S       Any non-whitespace
  \n       Newline
  \r       Carriage return
  \t       Tab
  \xHH     Hex escape: the character with code HH in base 16

Characters you must escape (with a backslash or using the \xHH hex code) if you want to match them literally: ^ $ ( ) [ ] { } < > . * + ? | \

Examples

  Integer                       (\d+)
  String                        ( [\ ]* ) or ( [\ ]* )
  Hostname                      ([a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*)
  Date (e.g. May )              (\w+\s+\d\d\s+\d\d\d\d)
  Date (e.g. 14/5/13 or 2013)   (\d{1,2}/\d{1,2}/\d\d(\d\d)?)
  IPv4 Address                  (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
  IPv6 Address                  (([a-zA-Z0-9]{1,4}:){1,7}|:)((:[a-zA-Z0-9]{1,4}){1,7}|:)
  address

Regular expression compatibility

McAfee SIEM regular expressions are PCRE (Perl Compatible Regular Expressions).

Things to avoid with regular expressions

1. Avoid using the wildcard . whenever possible; it causes backtracking, which impacts performance. Instead, use the most explicit pattern. For example, ([^,]*),([^,]*),([^,]*) reads 3 fields in a comma separated file (each field is any run of characters that are not a comma, followed by a comma).
2. Take care when using the greedy regular expression operators. Use *? rather than *, and +? rather than +, to obtain the shortest match.
3. Use hex escape sequences with moderation. Sometimes you have to escape a special character in hex notation, such as the semi-colon within ESM regular expressions (\x3b); however, we suggest using the backslash to escape the special characters on the previous page whenever possible, for improved legibility.

Internet References
- Regular expression tutorial
- Wikipedia: regular expression

Recommended Reading
- Regular Expression Pocket Reference: Regular Expressions for Perl, Ruby, PHP, Python, C, Java and .NET, Tony Stubblebine, O'Reilly
- Regular Expressions Cookbook, Jan Goyvaerts & Steven Levithan, O'Reilly
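The three points above are easiest to see side by side on the same input. The following added example (not from the guide; the input lines are constructed, and Python's re module stands in for the receiver's PCRE engine, which agrees with it for these constructs) compares the explicit class ([^,]*) with the wildcard (.*) on a four-field line, a greedy <.+> with a lazy <.+?>, and a semicolon written as the hex escape \x3b.

```python
import re

# Constructed inputs
CSV_LINE = "alice,login,10.0.0.7,success"          # four fields, we want the first three
HTML_LINE = "<b>bold</b> and <i>italic</i>"
KV_LINE = "user=alice;action=login;result=ok"


def split_three_fields(line, explicit=True):
    """Read three comma-separated fields: the explicit class stops at each comma,
    the greedy wildcard lets the first group swallow a field boundary."""
    pattern = r"([^,]*),([^,]*),([^,]*)" if explicit else r"(.*),(.*),(.*)"
    return re.match(pattern, line).groups()


def first_tag(line, lazy=True):
    """Greedy <.+> runs to the last '>' on the line; lazy <.+?> stops at the first."""
    pattern = r"<.+?>" if lazy else r"<.+>"
    return re.search(pattern, line).group(0)


def split_kv(line):
    """Key=value pairs separated by ';', with the separator written as \\x3b
    (the semicolon needs the hex form inside ESM rules)."""
    return re.findall(r"(\w+)=([^\x3b]*)", line)


def backtrack_steps(pattern, line):
    """Rough cost indicator: how many characters the first group had to give back.

    The greedy alternatives first match to the end of the line and retreat until the
    remainder fits; the explicit class never overshoots. (Counts the difference between
    the longest prefix the first group could take and what it actually kept.)"""
    m = re.match(pattern, line)
    taken = len(m.group(1))
    upper = len(line) if pattern.startswith("(.*)") else len(line.split(",")[0])
    return upper - taken


if __name__ == "__main__":
    print(split_three_fields(CSV_LINE), split_three_fields(CSV_LINE, explicit=False))
    print(first_tag(HTML_LINE), "|", first_tag(HTML_LINE, lazy=False))
    print(split_kv(KV_LINE))
    print(backtrack_steps(r"([^,]*),([^,]*),([^,]*)", CSV_LINE),
          backtrack_steps(r"(.*),(.*),(.*)", CSV_LINE))
```

The wildcard version does not merely cost more; it returns different (wrong) fields on a line with more columns than the rule expected, which is the same class of silent mis-parse that would send values into the wrong custom fields in Stage 3.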

Appendix E - ASCII codes (useful for hex escapes in regular expressions)


More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

Monitoring System Status

Monitoring System Status CHAPTER 14 This chapter describes how to monitor the health and activities of the system. It covers these topics: About Logged Information, page 14-121 Event Logging, page 14-122 Monitoring Performance,

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

DC Agent Troubleshooting

DC Agent Troubleshooting DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Using RADIUS Agent for Transparent User Identification

Using RADIUS Agent for Transparent User Identification Using RADIUS Agent for Transparent User Identification Using RADIUS Agent Web Security Solutions Version 7.7, 7.8 Websense RADIUS Agent works together with the RADIUS server and RADIUS clients in your

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters

More information

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management... 5. How to forward logs...

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management... 5. How to forward logs... Connect With Confidence Astaro Log Management Getting Started Guide About this Getting Started Guide To use Astaro Log Management, logs need to be transferred from individual systems to the cloud. This

More information

SimpleFTP. User s Guide. On-Core Software, LLC. 893 Sycamore Ave. Tinton Falls, NJ 07724 United States of America

SimpleFTP. User s Guide. On-Core Software, LLC. 893 Sycamore Ave. Tinton Falls, NJ 07724 United States of America SimpleFTP User s Guide On-Core Software, LLC. 893 Sycamore Ave. Tinton Falls, NJ 07724 United States of America Website: http://www.on-core.com Technical Support: support@on-core.com Information: info@on-core.com

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

How To Industrial Networking

How To Industrial Networking How To Industrial Networking Prepared by: Matt Crites Product: Date: April 2014 Any RAM or SN 6xxx series router Legacy firmware 3.14/4.14 or lower Subject: This document provides a step by step procedure

More information

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Volume SYSLOG JUNCTION. User s Guide. User s Guide Volume 1 SYSLOG JUNCTION User s Guide User s Guide SYSLOG JUNCTION USER S GUIDE Introduction I n simple terms, Syslog junction is a log viewer with graphing capabilities. It can receive syslog messages

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

Load testing with WAPT: Quick Start Guide

Load testing with WAPT: Quick Start Guide Load testing with WAPT: Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. A brief insight is provided

More information

ILTA HANDS ON Securing Windows 7

ILTA HANDS ON Securing Windows 7 Securing Windows 7 8/23/2011 Table of Contents About this lab... 3 About the Laboratory Environment... 4 Lab 1: Restricting Users... 5 Exercise 1. Verify the default rights of users... 5 Exercise 2. Adding

More information

Application Detection

Application Detection The following topics describe Firepower System application detection : Overview:, page 1 Custom Application Detectors, page 7 Viewing or Downloading Detector Details, page 15 Sorting the Detector List,

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Getting Started with Quarantine Manager

Getting Started with Quarantine Manager Getting Started with Quarantine Manager Getting Started with Quarantine Manager The Quarantine Manager application enables the network administrator to quarantine devices to protect the network from attacks.

More information

Quadro Configuration Console User's Guide. Table of Contents. Table of Contents

Quadro Configuration Console User's Guide. Table of Contents. Table of Contents Epygi Technologies Table of Contents Table of Contents About This User s Guide... 3 Introducing the Quadro Configuration Console... 4 Technical Specification... 6 Requirements... 6 System Requirements...

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

Rsync-enabled NAS Hardware Compatibility List

Rsync-enabled NAS Hardware Compatibility List WHITEPAPER BackupAssist Version 5.1 www.backupassist.com Cortex I.T. Labs 2001-2008 2 Contents Introduction... 3 Hardware Setup Instructions... 3 QNAP TS-409... 3 Netgear ReadyNas NV+... 5 Drobo rev1...

More information

Installation Guide For ChoiceMail Enterprise Edition

Installation Guide For ChoiceMail Enterprise Edition Installation Guide For ChoiceMail Enterprise Edition How to Install ChoiceMail Enterprise On A Server In Front Of Your Company Mail Server August, 2004 Version 2.6x Copyright DigiPortal Software, 2002-2004

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

LAB THREE STATIC ROUTING

LAB THREE STATIC ROUTING LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a

More information

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide USM 5.2 Vulnerability Assessment Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Discovery Guide. Secret Server. Table of Contents

Discovery Guide. Secret Server. Table of Contents Secret Server Discovery Guide Table of Contents Introduction... 3 How Discovery Works... 3 Active Directory / Local Windows Accounts... 3 Unix accounts... 3 VMware ESX accounts... 3 Why use Discovery?...

More information

Tharo Systems, Inc. 2866 Nationwide Parkway P.O. Box 798 Brunswick, OH 44212 USA Tel: 330.273.4408 Fax: 330.225.0099

Tharo Systems, Inc. 2866 Nationwide Parkway P.O. Box 798 Brunswick, OH 44212 USA Tel: 330.273.4408 Fax: 330.225.0099 Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,

More information

CRM Migration Manager 3.1.1 for Microsoft Dynamics CRM. User Guide

CRM Migration Manager 3.1.1 for Microsoft Dynamics CRM. User Guide CRM Migration Manager 3.1.1 for Microsoft Dynamics CRM User Guide Revision D Issued July 2014 Table of Contents About CRM Migration Manager... 4 System Requirements... 5 Operating Systems... 5 Dynamics

More information

User Guide. Version 3.2. Copyright 2002-2009 Snow Software AB. All rights reserved.

User Guide. Version 3.2. Copyright 2002-2009 Snow Software AB. All rights reserved. Version 3.2 User Guide Copyright 2002-2009 Snow Software AB. All rights reserved. This manual and computer program is protected by copyright law and international treaties. Unauthorized reproduction or

More information

Managing Software Updates with System Center 2012 R2 Configuration Manager

Managing Software Updates with System Center 2012 R2 Configuration Manager Managing Software Updates with System Center 2012 R2 Configuration Manager Managing Microsoft Updates with Configuration Manager 2012 R2 This document is for informational purposes only. MICROSOFT MAKES

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may

More information

Kiwi SyslogGen. A Freeware Syslog message generator for Windows. by SolarWinds, Inc.

Kiwi SyslogGen. A Freeware Syslog message generator for Windows. by SolarWinds, Inc. Kiwi SyslogGen A Freeware Syslog message generator for Windows by SolarWinds, Inc. Kiwi SyslogGen is a free Windows Syslog message generator which sends Unix type Syslog messages to any PC or Unix Syslog

More information

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide WhatsUpGold v12.3.1 NetFlow Monitor User Guide Contents CHAPTER 1 WhatsUp Gold NetFlow Monitor Overview What is NetFlow?... 1 How does NetFlow Monitor work?... 2 Supported versions... 2 System requirements...

More information

Penetration Testing LAB Setup Guide

Penetration Testing LAB Setup Guide Penetration Testing LAB Setup Guide (External Attacker - Intermediate) By: magikh0e - magikh0e@ihtb.org Last Edit: July 06 2012 This guide assumes a few things... 1. You have read the basic guide of this

More information

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # 70-643)

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # 70-643) MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # 70-643) Chapter Six Configuring Windows Server 2008 Web Services, Part 1 Objectives Create and configure Web

More information

DiskPulse DISK CHANGE MONITOR

DiskPulse DISK CHANGE MONITOR DiskPulse DISK CHANGE MONITOR User Manual Version 7.9 Oct 2015 www.diskpulse.com info@flexense.com 1 1 DiskPulse Overview...3 2 DiskPulse Product Versions...5 3 Using Desktop Product Version...6 3.1 Product

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Tunnels and Redirectors

Tunnels and Redirectors Tunnels and Redirectors TUNNELS AND REDIRECTORS...1 Overview... 1 Security Details... 2 Permissions... 2 Starting a Tunnel... 3 Starting a Redirector... 5 HTTP Connect... 8 HTTPS Connect... 10 LabVNC...

More information

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide Document Release: September 2011 Part Number: LL600027-00ELS090000 This manual supports LogLogic Microsoft DNS Release 1.0 and later,

More information

HP LeftHand SAN Solutions

HP LeftHand SAN Solutions HP LeftHand SAN Solutions Support Document Applications Notes Best Practices for Using SolarWinds' ORION to Monitor SANiQ Performance Legal Notices Warranty The only warranties for HP products and services

More information

WhatsUpGold. v3.0. WhatsConnected User Guide

WhatsUpGold. v3.0. WhatsConnected User Guide WhatsUpGold v3.0 WhatsConnected User Guide Contents CHAPTER 1 Welcome to WhatsConnected Finding more information and updates... 2 Sending feedback... 3 CHAPTER 2 Installing and Configuring WhatsConnected

More information

Novell ZENworks Asset Management 7.5

Novell ZENworks Asset Management 7.5 Novell ZENworks Asset Management 7.5 w w w. n o v e l l. c o m October 2006 USING THE WEB CONSOLE Table Of Contents Getting Started with ZENworks Asset Management Web Console... 1 How to Get Started...

More information

Managing Software and Configurations

Managing Software and Configurations 55 CHAPTER This chapter describes how to manage the ASASM software and configurations and includes the following sections: Saving the Running Configuration to a TFTP Server, page 55-1 Managing Files, page

More information

The Social Accelerator Setup Guide

The Social Accelerator Setup Guide The Social Accelerator Setup Guide Welcome! Welcome to the Social Accelerator setup guide. This guide covers 2 ways to setup SA. Most likely, you will want to use the easy setup wizard. In that case, you

More information

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Sharp Remote Device Manager (SRDM) Server Software Setup Guide Sharp Remote Device Manager (SRDM) Server Software Setup Guide This Guide explains how to install the software which is required in order to use Sharp Remote Device Manager (SRDM). SRDM is a web-based

More information

orrelog SQL Table Monitor Adapter Users Manual

orrelog SQL Table Monitor Adapter Users Manual orrelog SQL Table Monitor Adapter Users Manual http://www.correlog.com mailto:info@correlog.com CorreLog, SQL Table Monitor Users Manual Copyright 2008-2015, CorreLog, Inc. All rights reserved. No part

More information

PART 1 CONFIGURATION 1.1 Installing Dashboard Software Dashboardxxx.exe Administration Rights Prerequisite Wizard

PART 1 CONFIGURATION 1.1 Installing Dashboard Software Dashboardxxx.exe Administration Rights Prerequisite Wizard Omega Dashboard 1 PART 1 CONFIGURATION 1.1 Installing Dashboard Software Find the Dashboardxxx.exe in the accompanying CD or on the web. Double click that to install it. The setup process is typical to

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

AXIGEN Mail Server Reporting Service

AXIGEN Mail Server Reporting Service AXIGEN Mail Server Reporting Service Usage and Configuration The article describes in full details how to properly configure and use the AXIGEN reporting service, as well as the steps for integrating it

More information

Volume AGKSOFT. Wayne Nucleus Back Office Software. Nucleus Guide

Volume AGKSOFT. Wayne Nucleus Back Office Software. Nucleus Guide Volume N AGKSOFT Wayne Nucleus Back Office Software Nucleus Guide Configuring Your Back Office PC The Back Office PC requires 2 network cards to connect to the Nucleus & internet at the same time. On some

More information

Optional Mainserver Setup Instructions for OS X Support

Optional Mainserver Setup Instructions for OS X Support Optional Mainserver Setup Instructions for OS X Support Essentials Friday, November 2, 2012 Summary Some of the exercises in Apple Pro Training Series: OS X Support Essentials require access to a specially

More information

LogLogic Trend Micro OfficeScan Log Configuration Guide

LogLogic Trend Micro OfficeScan Log Configuration Guide LogLogic Trend Micro OfficeScan Log Configuration Guide Document Release: September 2011 Part Number: LL600065-00ELS090000 This manual supports LogLogic Trend Micro OfficeScan Release 1.0 and later, and

More information

Gigabyte Content Management System Console User s Guide. Version: 0.1

Gigabyte Content Management System Console User s Guide. Version: 0.1 Gigabyte Content Management System Console User s Guide Version: 0.1 Table of Contents Using Your Gigabyte Content Management System Console... 2 Gigabyte Content Management System Key Features and Functions...

More information

Cisco CNR and DHCP FAQs for Cable Environment

Cisco CNR and DHCP FAQs for Cable Environment Table of Contents CNR and DHCP FAQs for Cable Environment...1 Questions...1 Introduction...1 Q. How do I access CNR remotely?...1 Q. How do I access CNR remotely if the CNR server is behind a firewall?...2

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

E-mail Listeners. E-mail Formats. Free Form. Formatted

E-mail Listeners. E-mail Formats. Free Form. Formatted E-mail Listeners 6 E-mail Formats You use the E-mail Listeners application to receive and process Service Requests and other types of tickets through e-mail in the form of e-mail messages. Using E- mail

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

Installation Steps for PAN User-ID Agent

Installation Steps for PAN User-ID Agent Installation Steps for PAN User-ID Agent If you have an Active Directory domain, and would like the Palo Alto Networks firewall to match traffic to particular logged-in users, you can install the PAN User-ID

More information

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide Document Release: September 2011 Part Number: LL600015-00ELS090000 This manual supports LogLogic Juniper Networks

More information

ESET Mobile Security Business Edition for Windows Mobile

ESET Mobile Security Business Edition for Windows Mobile ESET Mobile Security Business Edition for Windows Mobile Installation Manual and User Guide Click here to download the most recent version of this document Contents 1. Installation...3 of ESET Mobile Security

More information

Background Deployment 3.1 (1003) Installation and Administration Guide

Background Deployment 3.1 (1003) Installation and Administration Guide Background Deployment 3.1 (1003) Installation and Administration Guide 2010 VoIP Integration March 14, 2011 Table of Contents Product Overview... 3 Personalization... 3 Key Press... 3 Requirements... 4

More information

IBM. Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect. Author: Ronan Dalton

IBM. Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect. Author: Ronan Dalton IBM Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect Author: Ronan Dalton Table of Contents Section 1. Introduction... 2 Section 2. Download, Install and Configure ArGoSoft

More information

Installing and Using the vnios Trial

Installing and Using the vnios Trial Installing and Using the vnios Trial The vnios Trial is a software package designed for efficient evaluation of the Infoblox vnios appliance platform. Providing the complete suite of DNS, DHCP and IPAM

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Network Connect Performance Logs on MAC OS

Network Connect Performance Logs on MAC OS Network Connect Performance Logs on MAC OS How-to Juniper Networks, Inc. 1 Table of Contents Introduction Part 1: Client Prerequisites... 3 Step 1.1: Packet Sniffer... 3 Step 1.2: Output IPs, Routes, Ping,

More information

SecuraLive ULTIMATE SECURITY

SecuraLive ULTIMATE SECURITY SecuraLive ULTIMATE SECURITY Home Edition for Windows USER GUIDE SecuraLive ULTIMATE SECURITY USER MANUAL Introduction: Welcome to SecuraLive Ultimate Security Home Edition. SecuraLive Ultimate Security

More information

NetIQ. How to guides: AppManager v7.04 Initial Setup for a trial. Haf Saba Attachmate NetIQ. Prepared by. Haf Saba. Senior Technical Consultant

NetIQ. How to guides: AppManager v7.04 Initial Setup for a trial. Haf Saba Attachmate NetIQ. Prepared by. Haf Saba. Senior Technical Consultant How to guides: AppManager v7.04 Initial Setup for a trial By NetIQ Prepared by Haf Saba Senior Technical Consultant Asia Pacific 1 Executive Summary This document will walk you through an initial setup

More information

SonicWALL SSL VPN 3.5: Virtual Assist

SonicWALL SSL VPN 3.5: Virtual Assist SonicWALL SSL VPN 3.5: Virtual Assist Document Scope This document describes how to use the SonicWALL Virtual Assist add-on for SonicWALL SSL VPN security appliances. This document contains the following

More information

Using DC Agent for Transparent User Identification

Using DC Agent for Transparent User Identification Using DC Agent for Transparent User Identification Using DC Agent Web Security Solutions v7.7, 7.8 If your organization uses Microsoft Windows Active Directory, you can use Websense DC Agent to identify

More information

Auditing manual. Archive Manager. Publication Date: November, 2015

Auditing manual. Archive Manager. Publication Date: November, 2015 Archive Manager Publication Date: November, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software,

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

F5 Local Traffic Manager

F5 Local Traffic Manager McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: F5 Local Traffic Manager July 22, 2014 F5 Local Traffic Manager Page 1 of 6 Important Note: The information contained in

More information