I am running 6.0.3 MARS, Data Package Version: 32, Signature Version: 396. We have recently stood up an Enterasys Dragon 7.2.3.
I followed the instructions for adding the device type for a Dragon 6.x device and with some differences on the Enterasys side I am able to push syslog messages from the Enterasys Dragon Network IDS to CS-MARS. The messages are received and when I query against the reporting device I get all the raw messages but they are categorized as Unknown Device Event Type for all of them.
I went into Management->Device Type Management and under Dragon NDIS 6.X I see all the Device Event Types that match (for the most part) with the Dragon Signature Names when I click in to Edit Parser. However, when I click a specific Event Type there are no positions/keys/values etc.
I edited and added my own Key-Value regexes, and when I cut/paste the Raw Message into the Test I am able to parse out all the relevant Values. But still, MARS does not recognize any raw messages as a specific Device Event Type.
Does anybody have any insight on how I can parse/map the Dragon 7.x raw messages to a MARS device event type?
Should I create a new device and device types from scratch? Or are there updated device packages out there?
Has anyone successfully integrated Dragon 7.x to CS-MARS?
Here is a sample raw message
<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT from Sensor=XXXX-VS0 SrcIP=1XX.1XX.1XX.2XX DstIP=1XX.1XX.3.4X SrcPort=53 DstPort=3929 Protocol=17
I can provide my custom device type pattern/parse if needed, but the test works against it parsing all the relevant values. Additionally I can change the format of the syslog message from the Alarmtool within Dragon if needed. But I am not certain how MARS determines the device event type for pre-defined devices.
Thanks in advance!
Ray
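As an added illustration of the parsing problem described in the post above (example code, not from the post or from MARS), the following parses Dragon 7.x alarmtool syslog lines in the format of the sample message, decodes the syslog PRI, pulls out the Key=Value fields, and maps SigName to a device event type name, falling back to "Unknown Device Event Type" when the signature is not in the table. The KNOWN_TYPES table and the sample lines (RFC 5737 documentation addresses) are constructed for the example and are not the MARS Device Event Types list.

```python
import re

# Header of the Dragon 7.x alarmtool syslog line quoted in the post:
# "<PRI>alarmtool: HH:MM:SS YYYY-MM-DD key=value ... from key=value ..."
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>alarmtool: (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<body>.*)$"
)
# Key=Value tokens; the bare word "from" between SigName and Sensor has no "=" and is skipped.
KV_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_alarmtool(line):
    """Parse one alarmtool line into a flat dict; return None if it is malformed."""
    m = HEADER_RE.match(line)
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 23*8+7
        return None
    pri = int(m.group("pri"))
    fields = {"facility": pri >> 3,            # 183 -> 22 (local6)
              "severity": SEVERITIES[pri & 7],  # 183 -> 7 -> "debug"
              "time": m.group("time"), "date": m.group("date")}
    for kv in KV_RE.finditer(m.group("body")):
        fields[kv.group("key")] = kv.group("value")
    for key in ("SrcPort", "DstPort"):        # reject nonsense ports instead of guessing
        val = fields.get(key, "0")
        if not val.isdigit() or int(val) > 65535:
            return None
    return fields


def map_event_type(fields, known_types, default="Unknown Device Event Type"):
    """Look up SigName in the event type table: exact match first, then case-insensitive."""
    sig = fields.get("SigName")
    if sig in known_types:
        return known_types[sig]
    lowered = {k.lower(): v for k, v in known_types.items()}
    return lowered.get(sig.lower(), default) if sig else default


# Constructed sample lines (RFC 5737 documentation addresses), not taken from the post.
SAMPLES = [
    "<183>alarmtool: 09:14:03 2009-04-29 SigName=DNS:CACHE-POISON-ATTEMPT from Sensor=SENSOR-VS0 "
    "SrcIP=198.51.100.20 DstIP=192.0.2.4 SrcPort=53 DstPort=3929 Protocol=17",
    "<183>alarmtool: 09:14:04 2009-04-29 SigName=HTTP:UNLISTED-SIG from Sensor=SENSOR-VS0 "
    "SrcIP=198.51.100.21 DstIP=192.0.2.5 SrcPort=44123 DstPort=80 Protocol=6",
]
# Hypothetical event type table standing in for the MARS Device Event Types list.
KNOWN_TYPES = {"dns:cache-poison-attempt": "DNS Cache Poison Attempt"}
```

Running `map_event_type(parse_alarmtool(line), KNOWN_TYPES)` over SAMPLES classifies the first line and leaves the second as "Unknown Device Event Type", which is the symptom described in the post when the signature names and the event type table do not line up.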