01-06-2009 11:56 AM
I am trying to get Symantec v10 to export its logs to MARS so I can get virus alerts but I am having issues. I have followed the instruction guide for Symantec integration (http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chSymantecAv.html) and I am getting the traps when I test it. However, when I put a keylogger on a machine and do a scan with Symantec, the log shows up in MARS like this:
SNMPv2-SMI::enterprises.343.2.5.1.1 10.101.102.204 SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" SNMPv2-SMI::enterprises.343.2.5.1.1.8.0 1231270892 SNMPv2-SMI::enterprises.343.2.5.1.1.9.0 0 SNMPv2-SMI::enterprises.343.2.5.1.1.10.0 "Intel Alert Management System II" SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "41 6C 65 72 74 3A 20 3C 41 6C 65 72 74 20 4E 61 6D 65 20 3E 0D 0A 43 6F 6D 70 75 74 65 72 3A 20 3C 43 6F 6D 70 75 74 65 72 20 4E 61 6D 65 20 3E 0D 0A 44 61 74 65 3A 20 3C 44 61 74 65 20 3E 0D 0A 54 69 6D 65 3A 20 3C 54 69 6D 65 20 3E 0D 0A 41 63 74 69 6F 6E 3A 20 3C 41 63 74 75 61 6C 20 41 63 74 69 6F 6E 20 3E 0D 0A 44 65 73 63 72 69 70 74 69 6F 6E 3A 20 3C 44 65 73 63 72 69 70 74 69 6F 6E 20 3E " SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 63 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0
Does anyone know what the issue is? It is supposed to be getting parsed but the information looks like SNMP data, not actual log data.
01-11-2009 07:12 PM
I've set up SAVCE 10 to report to MARS using the same setup outlined in the linked documentation. I've been getting events without any issues so far, and I can't say that I recall having to deviate to make any of it work. I also can't find any events that I've received that match the one you've posted. Following is a raw event reported as a risk being repaired:
enterprises.343.2.5.1.1.11.0 "Alert: Risk Repaired..Computer: Workstation..Date: 12/29/2008..Time: 10:03:20 AM..Severity: Warning..Source: Symantec AntiVirus Corporate Edition..Risk Name: Trojan Horse..Logger: Forward from client:Auto-Protect..File Path: C:\\Documents and Settings\\username\\Local Settings\\Temporary Internet Files\\Content.IE5\\2Z5OOIXS\\to[1].htm..User: username..Corrective Actions: 0" SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 8 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0
I'm using 6.01 but I don't believe the version should make any difference on 6.0+. If the proper events are selected in AMS on the SAV server, perhaps the wrong application is assigned to the reporting device in MARS.
01-12-2009 05:51 AM
I tested the traps coming from Symantec this morning and they are working fine. I sent them to a different trap server I have and this is what the trap showed:
sysUpTime=12 days 22 hours 11 minutes 50.05 seconds
snmpTrapOID=Intel-Common-MIB:ld-alarms.0.6
ld-alarms.12.0=server anem
ld-alarms.8.0=1231767784
ld-alarms.9.0=0
ld-alarms.10.0=Intel Alert Management System II
ld-alarms.11.0=Alert: Virus Found
Computer: workstation
Date: 1/12/2009
Time: 7:43:04 AM
Action: Quarantine
Severity: Critical
Source: Symantec AntiVirus Corporate Edition
File Path: C:\Documents and Settings\username\Desktop\ipscanner\RevelationV2.zip
Logger: Forward from server:Manual
Requested Action: Quarantine
User: SYSTEM
Virus:
severity=16
ld-alarms.13.0=0
experimental.1057.1=10.101.102.204
snmpTrapEnterprise=Intel-Common-MIB:ld-alarms
However, the raw message in MARS shows this:
SNMPv2-SMI::enterprises.343.2.5.1.1 10.101.102.204 SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" SNMPv2-SMI::enterprises.343.2.5.1.1.8.0 1231767784 SNMPv2-SMI::enterprises.343.2.5.1.1.9.0 0 SNMPv2-SMI::enterprises.343.2.5.1.1.10.0 "Intel Alert Management System II" SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "41 6C 65 72 74 3A 20 56 69 72 75 73 20 46 6F 75 6E 64 0D 0A 43 6F 6D 70 75 74 65 72 3A 20 56 52 43 2D 57 45 42 53 31 0D 0A 44 61 74 65 3A 20 31 2F 31 32 2F 32 30 30 39 0D 0A 54 69 6D 65 3A 20 37 3A 34 33 3A 30 34 20 41 4D 0D 0A 41 63 74 69 6F 6E 3A 20 51 75 61 72 61 6E 74 69 6E 65 0D 0A 53 65 76 65 72 69 74 79 3A 20 43 72 69 74 69 63 61 6C 0D 0A 53 6F 75 72 63 65 3A 20 53 79 6D 61 6E 74 65 63 20 41 6E 74 69 56 69 72 75 73 20 43 6F 72 70 6F 72 61 74 65 20 45 64 69 74 69 6F 6E 0D 0A 46 69 6C 65 20 50 61 74 68 3A 20 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 70 61 74 72 69 63 6B 2E 77 69 6C 6C 69 61 6D 73 6F 6E 5C 44 65 73 6B 74 6F 70 5C 69 70 73 63 61 6E 6E 65 72 5C 52 65 76 65 6C 61 74 69 6F 6E 56 32 2E 7A 69 70 0D 0A 4C 6F 67 67 65 72 3A 20 46 6F 72 77 61 72 64 20 66 72 6F 6D 20 73 65 72 76 65 72 3A 4D 61 6E 75 61 6C 0D 0A 52 65 71 75 65 73 74 65 64 20 41 63 74 69 6F 6E 3A 20 51 75 61 72 61 6E 74 69 6E 65 0D 0A 55 73 65 72 3A 20 53 59 53 54 45 4D 20 0D 0A 56 69 72 75 73 3A 20 " SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16 SNMPv2-SMI::enterprises.343.2.5.1.1.13.0 0
I have verified that Symantec 10.x is selected in MARS as the application.
01-12-2009 07:41 AM
Could you try the eicar test and see what type of event (if any) is logged in MARS? Perhaps the test message generated by the AMS console is just not classified in MARS.
01-12-2009 10:05 AM
I have a password recovery program that gets flagged by Symantec that I use to test. I just run a manual scan on the directory where the program is located and it gets flagged in Symantec as a hacktool.
I have tried the test message as well from Symantec but it still doesn't come through MARS correctly. When MARS receives any message from Symantec, it shows as an unknown device event type.
01-12-2009 12:21 PM
The only thing that stands out to me is that your SNMP trap has different information in it than the one I posted. I suspect either the SNMP trap created on the AMS is not exactly like the documentation or something else along the path is malforming the SNMP packets.
Would it be possible to post some screenshots of your config?
01-14-2009 06:41 AM
I read a key piece of the documentation that I missed the first time.
"For MARS Appliance models 25, 55, 110, 210, and GC2, do not include a CR/LF (Enter key) in the action message. "
I had carriage returns in my AMS message config. I took them out and used spaces and now the message shows up like a real message.
enterprises.343.2.5.1.1.11.0 "Alert: Virus Found Computer: VRC-WEBS1 Date: 1/14/2009 Time: 8:28:23 AM Action: Quarantine Description:
The one thing that isn't happening is the message is still not being parsed. It is showing up as an Unknown Device Event Type. I will attach my config in Symantec. It looks right based on the guide. The guide shows that these fields need to be listed first.
• Alert:
• Computer:
• Date:
• Time:
• Action:
And I do have Symantec 10.x and 9.x listed as an application for the server in MARS.
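To confirm the root cause this thread settles on before touching the AMS config, here is an added example (not from the thread or from Cisco's guide) that parses a MARS raw event line, decodes the action message when MARS prints the ld-alarms.11.0 OCTET STRING as hex, and reports whether it contains CR/LF and whether the leading fields match the order the guide requires. The sample event is constructed after the ones posted above; the OID names are the Intel AMS ones shown in the thread.

```python
import re

# Action-message OID (ld-alarms.11.0) and the field order the guide quoted above requires.
MESSAGE_OID = 'SNMPv2-SMI::enterprises.343.2.5.1.1.11.0'
REQUIRED_FIELDS = ['Alert', 'Computer', 'Date', 'Time', 'Action']

# One varbind as MARS prints it: an OID followed by a quoted string or a bare token.
_VARBIND = re.compile(r'(SNMPv2-SMI::enterprises[\d.]+)\s+(?:"([^"]*)"|(\S+))')
# A value MARS has rendered as space-separated hex octets (possibly with a trailing space).
_HEX_STRING = re.compile(r'^(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}\s*$')


def parse_varbinds(raw: str) -> dict:
    """Split a MARS raw SNMP event line into an {oid: value} mapping."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _VARBIND.finditer(raw)}


def decode_octet_string(value: str) -> str:
    """Turn a hex-printed OCTET STRING back into text; plain text is returned unchanged."""
    if _HEX_STRING.match(value):
        return bytes.fromhex(''.join(value.split())).decode('latin-1')
    return value


def field_names(message: str) -> list:
    """Field labels ('Alert', 'Computer', ...) in the order they appear, one per line."""
    lines = message.replace('\r\n', '\n').split('\n')
    return [line.split(':', 1)[0] for line in lines if ':' in line]


def check_action_message(raw: str) -> tuple:
    """Return (decoded message, contains CR/LF, leading fields are in the required order)."""
    message = decode_octet_string(parse_varbinds(raw)[MESSAGE_OID])
    ordered = field_names(message)[:len(REQUIRED_FIELDS)] == REQUIRED_FIELDS
    return message, '\r\n' in message, ordered


# Constructed sample shaped like the raw event in the thread (the real one is far longer):
# the action message shows up as hex because the AMS message was configured with CR/LF.
_MSG = ('Alert: Virus Found\r\nComputer: WS1\r\nDate: 1/12/2009\r\n'
        'Time: 7:43:04 AM\r\nAction: Quarantine\r\n')
SAMPLE_RAW = (
    'SNMPv2-SMI::enterprises.343.2.5.1.1 10.0.0.1 '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.12.0 "VRCUTIL" '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.10.0 "Intel Alert Management System II" '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.11.0 "'
    + ' '.join(f'{b:02X}' for b in _MSG.encode('ascii')) + ' " '
    'SNMPv2-SMI::enterprises.343.2.5.1.1.7.0 16'
)

if __name__ == '__main__':
    msg, has_crlf, ordered = check_action_message(SAMPLE_RAW)
    print(repr(msg), 'CR/LF present:', has_crlf, 'field order OK:', ordered)
```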