cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
486
Views
0
Helpful
0
Replies

There is an issue with the FMC eStreamer integrated with eNcoreCLI.

Hi.

 

Our customer use he FMC eStreamer integrated with eNcoreCLI

The connection with eNcoreCLI is working properly and event collection is also functioning correctly.

The event format of eNcore is CEF, and the data is transmitted to the syslog server in CEF format.

 

Unfortunately, the packet information in FMC's Analysis > Intrusion Event > Packet and the raw CEF packet data in eNcore are different from each other

There is HTTP Method info the FMC Packet, but eNcoreCLI is not.

 

Could please help us?

I opened cisco tac case.

but, do not was resolved.

They think like eNcoreCLI issue.

 

 

Please see the packet data information below.

  1. This is captured image the syslog server.(from eNcoreCLI transferred.)

Red box is packet data.

YoungminChoi65047_0-1683686284577.png

 

 

  1. This is event the text above. (after cs1= from 2f20 to 0d0a is Hex. Marked in red)

CEF:0|Cisco|Firepower|6.0|PKT:2:1|Packet Data|7|cs1=b'2f20485454502f312e310d0a486f73743a203131322e3136362e3134332e3231300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a' cs1Label=payload deviceExternalId=2 dvchost=FKR2-NH-FTD2 externalId=652193 rt=1681278046000 start=1681278046000

 

  1. This was translated utf-8 the hex above (Disappear HTTP Method)

(2f20485454502f312e310d0a486f73743a203131322e3136362e3134332e3231300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a)

 

/ HTTP/1.1..Host: 112.166.143.210..User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)..Accept: */*..Accept-Encoding: gzip....

 

 

  1. This is captured image the packet of intrusion event at the FMC.

YoungminChoi65047_1-1683686284590.png

 

===================================================================================

eNcore CLI Info

eNcore version: development

Python version: 3.9.16 (main, Dec  8 2022, 00:00:00) \n[GCC 11.3.1 20221121 (Red Hat 11.3.1-4)]

Platform version: Linux-5.14.0-283.el9.x86_64-x86_64-with-glibc2.34

===================================================================================

====================================== 

 

0 Replies 0
Review Cisco Networking for a $25 gift card