Release 4.7.4.5335
July 10, 2009
ArcSight Confidential
Contents
SmartConnector Release 4.7.4.5335
  Important Note for Versions of ArcSight Manager Prior to 3.5 SP3
  To Apply This Release
New Connectors
Connectors with New Device Versions Supported
SmartConnector Enhancements
Connector End-of-Life Notices
Issues Closed
Available Beta Support
  Beta SmartConnectors
  Scanner FlexConnectors
Known Issues or Limitations
New and Updated SmartConnector Documentation
New Connectors
SmartConnector                                             Device Version Supported
SmartConnector for Solaris Basic Security Module Syslog    10
SmartConnector Enhancements
In each SmartConnector release, updates and enhancements are made to the field mappings for individual SmartConnectors. If you use any of the SmartConnectors listed in the "Issues Closed" section of these release notes, be aware that installing the updated SmartConnector can affect content you have created. ArcSight advises you to verify your content before deploying the SmartConnector into your production environment.

FIPS Compliance
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for government-wide use. ArcSight has added support for SmartConnector installation in FIPS-compliant mode. See the connectors under "New and Updated SmartConnector Documentation" for a list of connectors with this new support.

McAfee ePolicy Orchestrator DB
Added support for HIPS, Rogue System Detection, and MA events. See the SmartConnector Configuration Guide for the specific products and versions now supported.

Microsoft DHCP File
Added support for processing multiple log files.

Symantec Endpoint Protection DB
Added support for Network Access Control events.
Connector End-of-Life Notices

Check Point Firewall-1 4.1 OPSEC
This connector has reached end of life and has been removed from SmartConnector builds.

Cisco PIX/ASA/FWSM Syslog
Support for version 5.x has been removed.
Issues Closed
SmartConnector for All SmartConnectors, issue 58006: Entries in the name resolver cache normally are refreshed after the Time To Live (TTL), but if that refresh is substantially delayed, the normal algorithm disregards the cached value after double the TTL. A new property, name.resolver.cache.no.ttl, can be set in agent.properties. When this property is set to true, name resolver cache entries continue to be used indefinitely.

Issue numbers: 56959, 55963, 56813, 56767, 53335, 54480, 56811, 58319, 58363, 57004, 57393, 50148
Connectors: Fortinet FortiGate Syslog, Rapid7 NeXpose XML File, IBM Lotus Domino DB, McAfee ePolicy Orchestrator DB, McAfee HIPS DB, McAfee HIPS Multiple DB, MessageGate Syslog

- Previously, aggregation could cause memory issues and a null pointer exception. This problem has been fixed.
- When s-ip was populated with an IP address (s-ip can contain an IP or a web URL) and the connector did the resolution, a device was created for what was a target host. This resulted in a device being created for every website or host accessed through the Blue Coat proxy, causing issues with managers and databases. This problem has been fixed.
- Previous problems with URL and URI field resolution have been fixed.
- Updated severity mappings for the Check Point AD connector. See the SmartConnector for Check Point FW-1/VPN-1 OPSEC NG Configuration Guide for detailed mapping information.
- The ESM Manager previously threw an exception due to a long additional data name sent from the connector. The connector has been modified to fix this problem.
- An exception was thrown when a comma appeared where only integers were expected. The parser has been updated to fix this problem.
- The connector no longer creates assets with blank Host Name fields.
- The parser has been updated to fix problems that previously caused a fatal exception at connector startup.
- When running connectors for both McAfee ePO DB and McAfee HIPS DB that pull events from the same database, some event duplication previously occurred. The McAfee HIPS DB connectors no longer collect anti-virus events; the McAfee ePolicy Orchestrator DB connector now collects HIPS events. See the SmartConnector Configuration Guides for more information.
- Previously, the connector set the Device Receipt Time year to 1970 for MessageGate events without a date | time. This problem has been fixed.
- SID translation for security events 538, 540, and 576 previously did not occur. This problem has been fixed.
- Previously, SID translation failed when the SID contained double hyphens. This problem has been fixed.
- The connector now continues to map correctly even when the 'Reason' field is missing from the raw event for security event 529.
- Workstation Name and Source Address fields are now mapped correctly for security event 537 events.
- Mapping problems for security event 565 have been fixed.
- Implemented SID re-translation and multi-threaded SID translation.
- The parser has been updated to accommodate previously unparsed events.
- The connector was not verifying the connection with all configured databases during connector configuration. This problem has been fixed.
- Previously, when the connector was configured to connect to multiple databases, it connected only to the last configured database. This problem has been fixed.
- The following mappings have been updated: Allowed or Blocked is mapped to Device Action; HOST_NAME is mapped to Device Custom String 2; LOCATION_NAME is mapped to Device Custom String 5.
- A parser problem discovered with Security Risk Found (Heuristic Scan) events has been fixed.
- The parser has been modified to parse multiple OS occurrences.
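As an added illustration of the cache behaviour described for issue 58006 (example code, not ArcSight's own implementation), the following Python model keeps an entry fresh until its TTL, falls back to the stale entry until twice the TTL when a refresh fails or is delayed, and with the no-TTL option keeps using it indefinitely. The NameResolverCache class, the demo function, the resolver callback and the host name are assumptions; a delayed refresh is modelled as a lookup that returns None.

```python
"""Model of a name-resolver cache with TTL, a 2xTTL staleness cutoff and a
no-TTL override (added example; class/function names are assumptions)."""
import time
from typing import Callable, Dict, List, Optional, Tuple


class NameResolverCache:
    def __init__(self, resolver: Callable[[str], Optional[str]], ttl: float,
                 no_ttl: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolver   # real lookup; returns None when it fails or is delayed
        self._ttl = ttl
        self._no_ttl = no_ttl      # models name.resolver.cache.no.ttl=true in agent.properties
        self._clock = clock        # injectable so the behaviour can be shown with a fake clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # name -> (value, time stored)

    def lookup(self, name: str) -> Optional[str]:
        now = self._clock()
        cached = self._entries.get(name)
        if cached is not None:
            value, stored_at = cached
            age = now - stored_at
            if age < self._ttl:
                return value                # still within TTL: served from cache
            fresh = self._resolve(name)     # past TTL: attempt the refresh
            if fresh is not None:
                self._entries[name] = (fresh, now)
                return fresh
            # Refresh failed/delayed: the normal algorithm keeps the stale value only
            # up to double the TTL; with no_ttl set, the stale value is used indefinitely.
            if self._no_ttl or age < 2 * self._ttl:
                return value
            del self._entries[name]         # disregard the cached value
            return None
        fresh = self._resolve(name)
        if fresh is not None:
            self._entries[name] = (fresh, now)
        return fresh


def demo(no_ttl: bool) -> List[Tuple[float, Optional[str]]]:
    """Look up one constructed host name at 0, 30, 90 and 150 seconds with a
    60-second TTL. The resolver answers only the first time, so every later
    refresh is a delayed/failed one."""
    clock = [0.0]
    calls = [0]

    def resolver(name: str) -> Optional[str]:
        calls[0] += 1
        return "10.0.0.5" if calls[0] == 1 else None   # constructed sample address

    cache = NameResolverCache(resolver, ttl=60.0, no_ttl=no_ttl,
                              clock=lambda: clock[0])
    results = []
    for t in (0.0, 30.0, 90.0, 150.0):
        clock[0] = t
        results.append((t, cache.lookup("host.example")))
    return results
```

With the default setting the 150-second lookup returns None (past 2xTTL with the refresh still failing), whereas with no_ttl the stale address is still returned.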
Available Beta Support

Beta SmartConnectors

SmartConnector for Lancope SMC Web Services
This SmartConnector obtains flows, probes, and host snapshots from the Lancope StealthWatch Management Console (SMC) and can, optionally, generate ArcSight events. Lancope SMC version 5.8 is supported.
Scanner FlexConnectors

See the ArcSight FlexConnector Developer's Guide for complete information on Scanner FlexConnector beta support for the following:
- ArcSight FlexConnector for Scanner DB
- ArcSight FlexConnector for Scanner Text Reports
- ArcSight FlexConnector for Scanner XML Reports

On Windows:
1. In the ARCSIGHT_HOME\jre6\lib directory, create a sub-directory called endorsed with read, write, and execute permissions.
2. Copy the ARCSIGHT_HOME\lib\agent\saaj.jar file to the endorsed sub-directory you created in step 1.
Known Issues or Limitations

Aruba Mobility Controller Syslog
Due to Aruba product limitations, Aruba Networks Mobility Controller syslog messages can only be processed by the syslog daemon connector, not by the syslog pipe or syslog file connector. The SmartConnector processes the security events only.

Cisco CiscoWorks
The ArcSight SmartConnector for CiscoWorks Syslog supports a limited set of syslog messages originating from a specific CiscoWorks component. Full CiscoWorks syslog support will be certified in an upcoming SmartConnector release.

Cisco NetFlow File
The connector currently listens to all traffic on the specified port rather than by individual IP address. This issue is being addressed and will be fixed in a future SmartConnector release.

DB SmartConnectors on Windows Server 2003 R2 Enterprise x64 that use ODBC System DSN
We have found that the JDBC/ODBC bridge driver "sun.jdbc.odbc.JdbcOdbcDriver" does not work with ODBC System data sources created using Control Panel -> Administrative Tools -> Data Sources (ODBC) on the Windows Server 2003 R2 64-bit platform. To use this driver, create ODBC System data sources using the executable at c:\Windows\SysWOW64\odbcad32.exe. This opens the same type of graphical user interface as Control Panel -> Administrative Tools -> Data Sources (ODBC), but creates the data sources using the 32-bit drivers.
IBM Lotus Domino DB
ArcSight has identified a potential problem with the IBM Domino ODBC driver that can cause data duplication when using ArcSight's SmartConnector for IBM Lotus Domino DB. We have been able to reproduce a customer issue in which the Domino connector can inadvertently send duplicate data to the ArcSight ESM Manager or ArcSight Logger. This SmartConnector uses IBM's Domino ODBC driver to retrieve data from the Domino server; ArcSight has traced the issue to an incorrect result set returned by this ODBC driver. Based upon our lab testing, the issue may be related to large log.nsf files (a file size of 1.6Gb in our lab, but the size might depend upon the Domino server's hardware). The cause of this data duplication issue has not yet been confirmed with IBM, but we are currently seeking their assistance. In our lab, once the log was cleaned up, reducing its size in the process, the problem disappeared and IBM's Domino ODBC driver started returning correct result sets. Until we receive further information from IBM regarding this issue, customers are advised to periodically monitor the data sent by the connector and, in particular, the size of the log.nsf file to make sure it does not grow too large. The SmartConnector for IBM Lotus Domino SNMP has been developed for situations in which this known issue occurs.

Lancope SMC Web Services Beta
The ArcSight Lancope SMC Web Services connector logs the inaccurate message "Failed to execute command" in agent.log and also sends an internal ArcSight event for it, even when the command is successfully executed and the response is received from the connector. This is only a case of an inaccurate log message and an inaccurate internal event; it has no impact on the connector's command response and event generating capabilities.

Microsoft ISA Multiple Server File
The SmartConnector for Microsoft ISA Multiple Server cannot be run as a service when it is run remotely.
Microsoft Windows Event Log Unified
The following known limitations exist for the current release of this connector:
- In some cases, the description of specific Windows events may not be captured into individual ArcSight event fields. When this happens, the missing information is captured in the Raw Event field and the agent log displays a warning that it has received an unmatched number of keys and values for a particular Windows event ID. This can be addressed by a parser fix. See the "Troubleshooting" section for an example of how to resolve these key values.
- SID translation is supported on a best-effort basis, but there may be a few instances when SIDs cannot be successfully translated. This could happen because of network issues, because the host is busy and does not respond, or because the SID is unresolvable; in each case the connector is unable to translate the SID. The connector attempts to translate all SIDs by default. If the first translation attempt fails, the connector retries three times. If translation still fails, SID translation can be enabled in multi-threaded mode by setting the parameter sidguidtranslationmultithreaded to true. See "Troubleshooting" or "Advanced Common Configuration Parameters for SID Translation" for more configuration information.
- GUID translation is not currently supported.
Solsoft Version Support
The Solsoft CounterAct SmartConnector may not work with Solsoft version 7.0.2 and later versions. As of connector release 4.7.1.5233, a newer version of the Apache AXIS library is used for the web services client. This could affect the operation of the SmartConnector for Solsoft CounterAct, which used an older version of the Apache AXIS library. The workaround for this problem is to rename the library file all-axis-libs.jar under lib/agent/axis to another name (for example, all-axis-libs.jar.bak).

Symantec Endpoint Protection Syslog
For some Network Threat Detection events, there may be none, one, or multiple sets of IP information for the same host. Currently, for such events, the host name and IP address are not mapped to the destination host name and address fields; the entire network information is mapped to the message field. Sub-parsing and mapping of these events to the appropriate fields will be available in a future SmartConnector release.
New and Updated SmartConnector Documentation

Solaris Basic Security Module Syslog
New configuration guide for the new connector. Includes the global update to the installation procedure for FIPS support.

Sun ONE Web Access Server
Updated mapping information and global update to the installation procedure for FIPS support.

Symantec Endpoint Protection DB
Support added for Network Access Control events. Global update to the installation procedure for FIPS support. Reference added for JDBC driver Connector Appliance upload information.

The following configuration guides have been updated for FIPS support and to add a reference to the ArcSight Connector Appliance Administrator's Guide for JDBC driver upload instructions. SmartConnectors using Microsoft SQL Server 2005 JDBC drivers with encryption enabled cannot be installed in FIPS-compliant mode.
- ActivCard AAA Server DB
- Application Security AppDetective DB
- eEye REM Security Management Console
- eEye Retina Network Security Scanner (DSN-Based)
- Harris STAT Scanner DB
- IBM/ISS ICEcap Manager DB
- IBM/ISS Internet Scanner DB
- IBM/ISS RealSecure DB
- IBM/ISS Site Protector DB
- Intrusion SecureNet Provider DB
- Lumension PatchLink Scanner DB
- McAfee Desktop Firewall DB
- McAfee ePO Asset Scanner DB
- McAfee Host Intrusion Prevention DB
- McAfee Host Intrusion Prevention Multiple DB
- Microsoft Audit Collection System DB
- Microsoft Operations Manager DB
- Microsoft SQL Server Audit DB (Legacy)
- Microsoft SQL Server Multiple Instance Audit DB
- NetIQ Security Manager DB
- Quest InTrust for Windows DB
- Symantec Critical System Protection DB
- Symantec ManHunt DB
- Trend Micro Asset Scanner DB
- Trend Micro Control Manager NG DB

The following configuration guides have been updated to add a link to installation information for FIPS-compliant connectors.
- AirDefense Enterprise Syslog
- Apache HTTP Server Access Log
- Apache HTTP Server Error Log
- Apache HTTP Server Syslog
- Arbor Networks Peakflow Syslog
- ArcSight Common Event Format Syslog
- ArcSight Common Event Format File
- ArcSight Logger Streaming Connector
- Aruba Mobility Controller Syslog
- BEA WebLogic Server File
- Blue Coat Proxy SG Syslog
- Bro IDS File
- CA eTrust SiteMinder File
- CA Top Secret for z/OS File
- Check Point Firewall-1 SAM
- Check Point Firewall-1 SNMP
- Check Point FW-1/VPN-1 OPSEC NG (Legacy)
- Cisco Catalyst OS Syslog
- Cisco CiscoWorks Syslog
- Cisco IDS RDEP
- Cisco IPS SDEE
- Cisco IronPort Email Security File
- Cisco IronPort Email Security Syslog
- Cisco IronPort Web Security File
- Cisco Mobility Services Engine Syslog
- Cisco PIX SNMP
- Cisco Router Syslog
- Cisco Secure ACS File
- Cisco Secure ACS Syslog
- Cisco Secure IDS Post Office
- Cisco Security Agent File
- eEye Retina Network Security Scanner DB
- eEye Retina Network Security Scanner (RTD5) DB
- Enterasys Dragon Export Tool File
- Enterasys Dragon Server SNMP
- F-Secure Anti-Virus File
- Fortinet Fortigate Syslog
- HoneyD Syslog
- HP OpenVMS File
- HP ProCurve Ethernet Switch SNMP
- HP-UX Audit File
- IBM AIX Audit File
- IBM AS/400 Audit Journal File
- IBM DB2 UDB Audit File
- IBM Lotus Domino DB
- IBM Lotus Domino SNMP
- IBM Lotus Domino Web Server File
- IBM NVAS for z/OS File
- IBM NVAS Session for z/OS File
- IBM RACF for z/OS File
- IBM SDSF System Log for z/OS File
- IBM System Log for z/OS File
- IBM Tivoli Access Manager File
- IBM Tivoli Access Manager XML File
- IBM WebSphere File
- IDMEF XML File
- Ingrian DataSecure Syslog
- Intersect Alliance SNARE for Windows Syslog
- Intrusion Computer Misuse Detection System File
- Intrusion SecureNet Provider SNMP
- iPolicy Intrusion Prevention Firewall Syslog
- ISC BIND Syslog
- ISC DHCP Syslog
- Juniper M Series Routers Syslog
- Juniper NetScreen OS Syslog
- Juniper NetScreen Security Manager Syslog
- Juniper NetScreen SSL VPN Syslog
- Juniper Steel-Belted Radius File
- Lancope StealthWatch Syslog
- Lucent Brick Managed Services File
- Lumeta IPsonar File
- Mazu Profiler DB
- Mazu Profiler V3 DB
- McAfee Antivirus VirusScan File
- McAfee Entercept API
- McAfee Entercept DB
- McAfee IntruShield DB
- McAfee Secure Internet Gateway Syslog
- MessageGate Syslog
- Microsoft Auditing Collection System
- Microsoft Exchange Message Tracking Log File
- Microsoft IAS File
- Microsoft IIS Multiple Server File
- Microsoft IIS Multiple Site File
- Microsoft IIS Syslog
- Microsoft ISA Multiple Server File
- Microsoft ISA Server File
- Microsoft ISA Server 2004 File
- Mirage CounterPoint Syslog
- Nagios Syslog
- nCircle Scanner SNMP
- nCircle Scanner XML2 File
- Network Appliance NetCache File
- Newbury WiFi WatchDog Syslog
- NFR Central Management and Sentivist Servers File
- NFR Central Management Server File
- NFR Host Intrusion Detection DB
- NIKSUN NetDetector Syslog
- NitroSecurity IPS Syslog
- Nmap XML File
- Nortel Contivity Switch Syslog
- Novell Nsure Audit DB
- Oblix NetPoint File
- Oracle Audit DB
- Oracle Audit Syslog
- Oracle SYSDBA Audit Syslog
- OVAL XML File
- PureSight Content Filter DB
- QoSient ARGUS
- Radware DefensePro Syslog
- RSA ACE Server Syslog
- SaberNet NTSyslog Syslog
- SANA Primary Response SNMP
- SAINT Vulnerability Scanner
- SAP Audit File
- SAP Real-Time Audit File
- SAP Real-Time Multiple Folder Audit File
- Secure Computing Gauntlet Syslog
- Secure Computing IronMail Syslog
- Secure Computing SafeWord Premier Access File
- Secure Computing Sidewinder Syslog
- Securify SecurVantage SNMP
- Sendmail Syslog
- Snort DB
- Snort File
- Snort IDS (Barnyard) File
- Snort Multiple File
- Solaris Basic Security Module File
- SonicWALL Firewall Syslog
- Sourcefire Defense Center eStreamer
- Sourcefire/Snort Sensor Syslog
- Squid Proxy Server File
- Stonesoft StoneGate Firewall Syslog
- Sun ONE Directory Multiple Server File
- Sun ONE Directory Server File
- Sybari Antigen for Microsoft Exchange DB
- Sybase Adaptive Server Enterprise DB
- Symantec AntiVirus Corporate Edition File and Multiple File
- Symantec Endpoint Protection Syslog
- Symantec Enterprise Firewall File
- Symantec Enterprise Firewall SNMP
- Symantec Enterprise Security Manager DB
- Symantec ESM Reporting DB
- Symantec Gateway Security/Enterprise Firewall File
- Symantec Gateway Security/Enterprise Firewall NG File
- Symantec Intruder Alert File
- Symantec Intruder Alert SNMP
- Symantec Mail Security Syslog
- Symantec ManHunt Syslog
- Symantec NetRecon NRD File
- Symantec Network Security Syslog
- Symantec SESA DB
- Tenable Nessus NSR File
- Tenable Nessus XML File
- Tenable Nessus XML for Windows
- TippingPoint UnityOne Syslog
- TopLayer Attack Mitigator Syslog
- Tripwire Enterprise Syslog
- Tripwire Manager File
- Type80 SMA_RT Syslog
- Unix Login/Logout
- VarySys PacketAlarm Syslog
- Visionael Security Audit DB
- Vontu CEF Syslog
- Vormetric CoreGuard Syslog
- Websense Web Security Suite SNMP
- Webwasher CSM File