Symantec Event Collector for McAfee Secure Web Gateway version 3.6 Quick Reference




Symantec Event Collector for McAfee Secure Web Gateway Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.0

Legal Notice

Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/ Select your country or language under Global Support.

Contacting Technical Support

The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using. Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/ Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Maintenance agreement resources
- Additional Enterprise services
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Event Collector for McAfee Secure Web Gateway
  About this Quick Reference ... 11
  Compatibility requirements ... 12
    System requirements for the collector machine ... 12
  Preinstallation requirements for McAfee Secure Web Gateway Event Collector ... 12
  Configuring your security product to work with the collector ... 12
    Configuring McAfee Secure Web Gateway to work with the collector ... 12
    About syslog event forwarding ... 13
  About the installation sequence for McAfee Secure Web Gateway Event Collector ... 13
  Sensor configuration for McAfee Secure Web Gateway Event Collector ... 13
    Sensor settings for McAfee Secure Web Gateway Event Collector ... 14
  About LiveUpdate ... 14

Chapter 2 Implementation notes
  Implementation notes for McAfee Secure Web Gateway Event Collector ... 15
    Product ID ... 15
    Method of data collection ... 15
    Event mapping for Manager version 4.0X ... 15

Index


Chapter 1

Introducing Symantec Event Collector for McAfee Secure Web Gateway

This chapter includes the following topics:
- About this Quick Reference
- Compatibility requirements
- Preinstallation requirements for McAfee Secure Web Gateway Event Collector
- Configuring your security product to work with the collector
- About the installation sequence for McAfee Secure Web Gateway Event Collector
- Sensor configuration for McAfee Secure Web Gateway Event Collector
- About LiveUpdate

About this Quick Reference

This quick reference includes information that is specific to Symantec Event Collector for McAfee Secure Web Gateway. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.

Compatibility requirements

The collector is compatible with specific versions of the security product and is compatible with certain operating systems.

System requirements for the collector machine

The machine on which you install the collector must meet the following minimum system requirements:
- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
- 512 MB minimum, 1 GB of memory recommended for the Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Agent, JRE, and the collector
- TCP/IP connection to a network with a fixed IP address

Preinstallation requirements for McAfee Secure Web Gateway Event Collector

There are no preinstallation requirements.

Configuring your security product to work with the collector

After you have installed the necessary collector components, you must configure McAfee Secure Web Gateway so that the event information is available to the collector. For detailed information on configuring McAfee Secure Web Gateway, see your security product documentation.

Configuring McAfee Secure Web Gateway to work with the collector

Using the configuration tools that are provided with McAfee Secure Web Gateway, you must enable off-box syslog logging. See your product documentation for more information.

About syslog event forwarding

If you forward events to a standard syslog server, you may consider using a syslog forwarder on that server, rather than changing the settings on your security device. A syslog forwarder can receive and forward events to both Manager and your existing syslog server.

About the installation sequence for McAfee Secure Web Gateway Event Collector

The collector installation sequence is generally as follows:
1. Register the Symantec Package (SIP)
   Note: The SSIM Client console should be closed before registering the SIP.
2. Install the Agent
3. Install the collector component

For more information, see the Symantec Event Collectors Integration Guide.

Sensor configuration for McAfee Secure Web Gateway Event Collector

The collector uses a sensor that must be configured to receive security events. After the sensor is configured, the settings must be distributed to the collectors on the target computers.

Whether or not you can use the default configuration depends on the following condition:
- This collector is not preinstalled on the appliance. The default configuration may be used.

The collector includes the following features:
- Raw events
- Sensor statistics
- Importing and exporting of sensor settings, and filtering and aggregation rules
- Global updating of sensor settings

For more information, see the Symantec Event Collectors Integration Guide.

Sensor settings for McAfee Secure Web Gateway Event Collector

The collector uses a syslog sensor. The sensor has the following properties:

Protocol: Specify UDP or TCP. UDP is the syslog standard protocol, and is faster than TCP; however, UDP provides few error recovery services and there is no guarantee that events are delivered. TCP, while slower than UDP, guarantees event delivery by establishing a connection.

Host Names: Specify IP addresses or names of the host computers that are being monitored by the collector. Specify Any (or *) to allow any host to send events to the Symantec Event Collector, or specify multiple host names separated by a comma or semicolon.

Port Number: Specify a port number. For TCP protocol, the port number must be between 1025 and 65535. For UDP protocol, the port number must be between 514 and 65535. Multiple collectors can share a single port for UDP messages. The host name setting (host name of the monitored machines) for each of the collectors must be unique. Provide a port number. The standard port for syslog is 514. The default port is set to 10514. The port number that is specified must be an unused port on the collector machine.

About LiveUpdate

LiveUpdate is not supported on this collector.
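The three sensor properties above can be checked before the settings are distributed to the collectors. The following Python is an added example written for this quick reference, not the collector's own code: it applies the protocol-specific port ranges, parses the comma- or semicolon-separated Host Names setting (with Any or * accepting every sender), filters a sender against that list, and tries to bind the chosen port to confirm it is unused on the collector machine. The function names and the sample host names are assumptions made for the example.

```python
import socket

# Port ranges the sensor accepts for each protocol (Sensor settings section)
PORT_RANGES = {"TCP": (1025, 65535), "UDP": (514, 65535)}
DEFAULT_PORT = 10514  # collector default; 514 is the syslog standard port


def parse_host_names(spec):
    """Split the Host Names setting on comma or semicolon.

    Returns None when the setting is Any or * (accept every sender), otherwise a
    set of lower-cased IP addresses and host names (empty if nothing was given).
    """
    items = [h.strip().lower() for h in spec.replace(";", ",").split(",") if h.strip()]
    if "any" in items or "*" in items:
        return None
    return set(items)


def check_settings(protocol, port, host_names):
    """Return a list of configuration problems; an empty list means the settings are valid."""
    problems = []
    proto = protocol.upper()
    if proto not in PORT_RANGES:
        problems.append("protocol must be UDP or TCP, got %r" % protocol)
        return problems
    low, high = PORT_RANGES[proto]
    if not isinstance(port, int) or not low <= port <= high:
        problems.append("%s port must be between %d and %d, got %r" % (proto, low, high, port))
    allowed = parse_host_names(host_names)
    if allowed is not None and not allowed:
        problems.append("Host Names is empty; list the monitored hosts or use Any (or *)")
    return problems


def sender_allowed(allowed, sender_ip, sender_name=None):
    """Apply the Host Names filter to a sender's address and, if known, its host name."""
    if allowed is None:          # Any / *
        return True
    candidates = {sender_ip.lower()}
    if sender_name:
        candidates.add(sender_name.lower())
    return not candidates.isdisjoint(allowed)


def port_is_free(protocol, port):
    """Try to bind the port on this machine; False means something already owns it."""
    kind = socket.SOCK_STREAM if protocol.upper() == "TCP" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("", port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    # Constructed settings: UDP on the default port, two monitored gateways
    hosts = "gw1.example.test; 192.0.2.60"
    print(check_settings("UDP", DEFAULT_PORT, hosts))        # [] (valid)
    print(check_settings("TCP", 514, "Any"))                  # port below the TCP minimum
    allowed = parse_host_names(hosts)
    print(sender_allowed(allowed, "192.0.2.60"))              # True
    print(sender_allowed(allowed, "192.0.2.61"))              # False: not in Host Names
    print(port_is_free("UDP", DEFAULT_PORT))
```

port_is_free only answers for the machine it runs on, so run it on the collector machine itself. Because several collectors may share one UDP port, a failed bind there is only a problem when the sharing collectors do not have distinct Host Names settings.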

Chapter 2

Implementation notes

This chapter includes the following topics:
- Implementation notes for McAfee Secure Web Gateway Event Collector

Implementation notes for McAfee Secure Web Gateway Event Collector

This section describes the implementation details for the McAfee Secure Web Gateway Event Collector.

Product ID

The product ID for Symantec Event Collector for McAfee Secure Web Gateway is: 3254.

Method of data collection

The collector uses a Syslog sensor to collect events.

Event mapping for Manager version 4.0X

The collector uses the following event class schema:
- symc_data_scan
- symc_data_virus_incident

Antivirus event

  Oct 25 10:33:32 156.71.247.60 : Application=http, Event='An Anti Virus Engine detection has occurred', status='the content was categorized as a Potentially Unwanted Program', source=(156.71.247.33), msgid=5416_c2a2aada_640b_11db_8dbb_0013724db023, virusname=cookie-doubleclick (unwanted program), filename=test.doc

Table 2-1 Antivirus event

Manager field name | McAfee Secure Web Gateway field name | Comment
EventClassName | | Always passed as symc_data_virus_incident for antivirus events.
category_id | | Always passed as 30007606 for antivirus events.
data_dest_host | |
data_info | msgid | Stored in temporary variable temp_msgid during translation.
data_name | filename | Stored in temporary variable temp_event_desc during translation.
data_rule_reason | virusname | Stored in temporary variable temp_event_desc during translation.
data_source_host | source | Stored in temporary variable temp_source during translation.
data_status_id | status | Determined in ses_processor according to what is reported in the status field by McAfee.
data_type_id | application | Stored in temporary variable temp_application during translation.
event_desc | event, status | This field is a combination of McAfee's Event and status fields in the syslog message.
event_dt | | Mapped from the timestamp portion of
event_id | | Always passed as 122000 for antivirus incidents.
machine | |
machine_ip | |
severity | | Always passed as 2 for antivirus incidents.

Data scan event

  Oct 25 10:33:32 156.71.247.60 : Application=http, Event='Actions due to scan', status='content cleaned due to policy. Modified E-mail delivered to the original recipients(s)', source=(156.71.247.33), msgid=5416_c2a2aada_640b_11db_8dbb_0013724db023, convid=5416_c2a2abd4_640b_11db_8dbb_0013724db023, relay=216.73.87.52

Table 2-2 Data scan event

Manager field name | McAfee Secure Web Gateway field name | Comment
EventClassName | | Always passed as symc_data_scan for Data Scan events.
category_id | | Always passed as 30007606 for Data Scan events.
event_dt | | Mapped from the timestamp portion of
event_id | | Always passed as 112051 for Data Scan incidents.
machine | |
machine_ip | |
severity | | Always passed as 2 for Data Scan incidents.

Antivirus definition update (Succeeded) event

  Oct 25 17:22:34 156.71.247.61 av-update[10378]: installed DATs 4881 OK

Table 2-3 Antivirus definition update succeeded event

Manager field name | McAfee Secure Web Gateway field name | Comment
EventClassName | | Always passed as symc_defupdate for Update Succeeded events.
category_id | | Always passed as 30007601 for Data Scan events.
curr_version | | The DAT version is passed.
event_dt | | Mapped from the timestamp portion of
event_id | | Always passed as 92004 for Update Succeeded incidents.
machine | |
machine_ip | |
severity | | Always passed as 1 for Update Succeeded events.

Antivirus definition update informational event

  Oct 25 17:16:24 156.71.247.60 av-update[6144]: require newdats.zip, ver 4881 (have 4880), size 8736243, md5 c78f884ef44d32ad454c6f27c4b74951: /pub/antivirus/datfiles/4.x/scm-4881.zip

Table 2-4 Antivirus definition update informational event

Manager field name | McAfee Secure Web Gateway field name | Comment
EventClassName | | Always passed as for Informational Update events.
category_id | | Always passed as 30007601 for Informational Update events.
event_dt | | Mapped from the timestamp portion of
event_id | | Always passed as 2022000 for Informational Update incidents.
machine | |
machine_ip | |
severity | | Always passed as 1 for Informational Update events.

Spam event

  Nov 30 22:36:42 10.4.32.171 : Application=smtp, Event='An Anti Spam classification has been made', status='the content was categorized as spam', From=<tester@ssimanet.com>, to=<fredvictim@rgene.local.com>, source=tostada.qalab.corp.symantec.com(10.4.32.115), msgid=6a88_0284e33c_80dd_11db_8bc6_0013723027cd, spamscore=18.9, spamthreshold=5, spamrules='forged_ol_w_missingmime=2.3, FORGED_HOTMAIL_RCVD2=2, FORGED_OUTLOOK_TAGS=2, OE_HAS_X_PRIORITY_BEFORE_TO=2, HTML_W_SPACES=1.7, FORGED_OUTLOOK_TAGS_W_RATWARE_MS_HASH=1.5, MSGID_OUTLOOK_INVALID=1.4, DATE_IN_PAST_96_XX=1.2, HEADER_HAS_LC_MSGID=1, RATWARE_MS_HASH=1, SAVINGS=1, SUBJ_HAS_UNIQ_ID=0.7, SUBJ_HAS_SPACES=0.6, MIME_BASE64_LATIN=0.5'

Table 2-5 Spam event

Manager field name | McAfee Secure Web Gateway field name | Comment
EventClassName | | Always passed as for antivirus events.
category_id | | Always passed as 30007606 for Spam events.
data_dest_host | |
data_info | msgid | Stored in temporary variable temp_msgid during translation.
data_recipients | To | Stored in temporary variable temp_recipients during translation.
data_sender | From | Stored in temporary variable temp_sender during translation.
data_source_host | source | Stored in temporary variable temp_source during translation.
data_status_id | status | Determined in ses_processor according to what is reported in the status field by McAfee.
data_type_id | application | Stored in temporary variable temp_application during translation.
event_desc | event, status | This field is a combination of McAfee's Event and status fields in the syslog message.
event_dt | | Mapped from the timestamp portion of
event_id | | Always passed as 132001 for Spam incidents.
machine | |
machine_ip | |
severity | | Always passed as 2 for Spam incidents.

SES-Processor rules

For ALL events:
- The machine field is populated with machine_ip.
- The "status" field is pulled from the event_desc field and stored in a temp variable temp_status.
- Removing temporary fields.

For antivirus events:
- The data_status_id is set to blocked by default if the temp_status contains the phrases Unwanted Program or The content was categorized as uncleanable content.
- event_desc gets the phrase stored in the Event field.
- The value of the application field (protocol used) on the right of the equals sign gets pulled.
- The value of the virus name on the right of the equals sign gets pulled and gets assigned to field data_rule_reason.
- The value of the file affected by the virus on the right of the equals sign gets pulled and gets assigned to field data_name.
- Assigning data_dest_host with machine_ip value.
- Populating the data_info field with McAfee's msgid field.
- Populating the data_type_id with the temp_application (protocol used).
- Populating the data_source_host in the event the temp_source was an IP only.
- Populating the data_source_host in the event the temp_source was an IP and a host name.

For Data Scan events:
- event_desc gets the phrase stored in the Event field.
- Pulling content that is to the right of the equals sign in the temp_convid field.
- Pulling content that is to the right of the equals sign in the temp_relay field.

For antivirus definition update events:
- Pulling the DAT number and assigning it to curr_version.
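The event tables (2-1 to 2-5) and the SES-Processor rules above together describe one translation: split the McAfee syslog line into its key=value fields, then populate the Manager schema with the constants and field copies listed. The following Python carries that translation through for the antivirus, data scan, spam and definition-update message shapes. It is an added example for this quick reference, not the collector's own code. The sample lines are constructed in the shape of the examples in this chapter using documentation addresses and placeholder ids, and the points the page leaves open are assumptions here: the separator placed between Event and status in event_desc, keeping the IP part of source whether or not a host name precedes it, carrying convid and relay under their own names, and leaving EventClassName unset for spam events, for which no class name is given.

```python
import re

# Constructed sample lines in the shape of the examples in this chapter
# (documentation addresses and placeholder ids, not captured data).
SAMPLE_AV = (
    "Oct 25 10:33:32 192.0.2.60 : Application=http, "
    "Event='An Anti Virus Engine detection has occurred', "
    "status='the content was categorized as a Potentially Unwanted Program', "
    "source=(192.0.2.33), msgid=0000_example_av, "
    "virusname=cookie-example (unwanted program), filename=test.doc"
)
SAMPLE_SCAN = (
    "Oct 25 10:33:32 192.0.2.60 : Application=http, Event='Actions due to scan', "
    "status='content cleaned due to policy', source=(192.0.2.33), "
    "msgid=0000_example_scan, convid=0000_example_conv, relay=198.51.100.52"
)
SAMPLE_SPAM = (
    "Nov 30 22:36:42 192.0.2.171 : Application=smtp, "
    "Event='An Anti Spam classification has been made', "
    "status='the content was categorized as spam', "
    "From=<sender@example.test>, to=<victim@example.test>, "
    "source=relay.example.test(192.0.2.115), msgid=0000_example_spam, "
    "spamscore=18.9, spamthreshold=5, spamrules='RULE_A=2, RULE_B=1.5'"
)
SAMPLE_DAT = "Oct 25 17:22:34 192.0.2.61 av-update[10378]: installed DATs 4881 OK"

HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# key=value pairs: a single-quoted value may contain commas, a bare value ends at the next comma
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")
SOURCE_RE = re.compile(r"^(?P<name>[^(]*)\((?P<ip>[^)]+)\)$")
DAT_RE = re.compile(r"installed DATs (\d+) OK")
# Status phrases that the SES-processor rules map to a blocked data_status_id
BLOCK_PHRASES = ("unwanted program", "the content was categorized as uncleanable content")


def parse_line(line):
    """Split a syslog line into timestamp, reporting host, message body and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    fields = {k.lower(): v.strip("'") for k, v in KV_RE.findall(m.group("rest"))}
    return m.group("ts"), m.group("host"), m.group("rest"), fields


def split_source(value):
    """source is either '(ip)' or 'hostname(ip)'; return (hostname or None, ip)."""
    m = SOURCE_RE.match(value.strip())
    if not m:
        return None, value.strip()
    return (m.group("name").strip() or None), m.group("ip")


def translate(line):
    """Map one McAfee syslog line onto the Manager fields listed in Tables 2-1 to 2-5."""
    ts, host, body, f = parse_line(line)
    # For ALL events: machine is populated with machine_ip; event_dt from the timestamp
    ev = {"event_dt": ts, "machine": host, "machine_ip": host}

    dat = DAT_RE.search(body)
    if dat:  # Antivirus definition update succeeded (Table 2-3): curr_version is the DAT number
        ev.update(EventClassName="symc_defupdate", category_id=30007601,
                  event_id=92004, severity=1, curr_version=dat.group(1))
        return ev

    event, status = f.get("event", ""), f.get("status", "")
    # event_desc combines McAfee's Event and status fields (the ": " separator is an assumption)
    ev["event_desc"] = event + (": " + status if status else "")
    ev["category_id"] = 30007606
    ev["severity"] = 2
    if "virusname" in f:  # antivirus event (Table 2-1)
        ev.update(EventClassName="symc_data_virus_incident", event_id=122000,
                  data_rule_reason=f["virusname"], data_name=f.get("filename"))
        if any(p in status.lower() for p in BLOCK_PHRASES):
            ev["data_status_id"] = "blocked"
    elif "anti spam" in event.lower():  # spam event (Table 2-5); the page gives no class name
        ev.update(event_id=132001, data_sender=f.get("from", "").strip("<>"),
                  data_recipients=f.get("to", "").strip("<>"))
    else:  # data scan event (Table 2-2); convid/relay placement is an assumption
        ev.update(EventClassName="symc_data_scan", event_id=112051,
                  convid=f.get("convid"), relay=f.get("relay"))
        return ev
    # Remaining antivirus/spam fields: dest host, msgid, protocol and the source address
    ev["data_dest_host"] = host
    ev["data_info"] = f.get("msgid")
    ev["data_type_id"] = f.get("application")
    if "source" in f:
        _name, ip = split_source(f["source"])
        ev["data_source_host"] = ip  # assumption: the IP is kept whether or not a name is present
    return ev


if __name__ == "__main__":
    for sample in (SAMPLE_AV, SAMPLE_SCAN, SAMPLE_SPAM, SAMPLE_DAT):
        print(translate(sample))
```

Any line that does not carry one of these four message shapes still parses, but falls through to the data scan branch; a production translator would instead drop or flag it, since an unmapped line silently tagged symc_data_scan would hide a parser gap from the Manager.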


Index

C
compatibility requirements 12
configuring
  McAfee Secure Web Gateway 12
  sensor 13

I
implementation notes 15
installation 13

L
LiveUpdate 14

M
mapping 15
McAfee Secure Web Gateway configuration 12

P
preinstallation requirements 12

R
requirements
  compatibility 12
  preinstallation 12
  system 12

S
sensor configuration 13
syslog event forwarding 13
system requirements 12