Currently we are satisfied with our Sourcefire set up. Our effort was not in vain. Let’s now connect our Sourcefire to the SIEM solution. Briefly, SIEM is an abbreviation of “Security Information and Event Management” and is a system that collects events from many sources and correlates them in order to make smart decisions about the security posture of our network. These sources can be almost anything: routers, firewalls, servers or, in our case, an NGIPS.
In this blog we will connect to McAfee “Enterprise Security Manager” or ESM. It’s also known as “Nitro Security”. The steps for connecting to other SIEM solutions are identical as far as Sourcefire is concerned, as long as those solutions use eStreamer, of course.
I guess that Sourcefire can connect to the ESM in two ways, looking at it from the ESM perspective:
- Syslog datasource
- eStreamer datasource
For Syslog, we need to declare our Sourcefire as a Syslog client which sends events to our ESM, which acts as the Syslog server. Well, in theory, at least. I never received any events from Sourcefire connected this way. Currently, I don’t have time to investigate this, so we will focus on the second way.
eStreamer is an API (Application Programming Interface) which allows us to connect to the Defense Center and pull the information we need into our SIEM. Of course, we could use other SIEM solutions, such as IBM QRadar, as long as they can act as an eStreamer client. We could even write our own application to poll these events. The term API could confuse those without coding experience, so we will think of it as a protocol. It kinda is.
There are two endpoints in eStreamer communication: an eStreamer server, which in our case is the Defense Center, and an eStreamer client, which is our SIEM system. First, let’s set up our server.
If we go to “System->Local Registration” we will see the message “No eStreamer Client Defined”. To the left of this message we can see the “eStreamer Event Configuration” section. Here we specify what types of events the eStreamer server will transmit to clients when they request them. Let’s select the event types as follows and click Save:
Now we define our client by clicking “Create Client” on the top right. We need to give the host name of our ESM and specify a password. When we click Save, a certificate will be created whose Common Name (CN) is the host name we typed in, and the certificate will be protected with the password we specified. The password is optional. We should see the message “Success. Created client nitro.popravak.local”.
Now we need to download the certificate the DC just created and transfer it to the ESM. We click the green down-pointing arrow on the right side of the screen, next to the client name we just created:
We save our certificate:
If we were curious, we could import this certificate into the certificate store on our laptop and look at it:
Nothing much. A certificate issued by our Defense Center.
We are done on our DC, so let’s go to the ESM and set it up as an eStreamer client. We begin this process by adding a data source. First we select the receiver this data source will be connected to, then click the “Add Data Source” icon. A dialog box opens and we fill it in:
The IP address is the address of our DC and the password is the password we specified to protect our certificate. Now we import the certificate by clicking Upload and selecting our certificate:
After browsing to our certificate, we click Upload again:
This is what we were hoping for. After clicking Close, we need to verify the communication between the ESM and DC. This is achieved by clicking Connect:
And we are done. We must apply our changes to our receiver:
If, for some reason, the connection is unsuccessful, the standard troubleshooting options are on the table: is the time correct, can names be resolved, is port TCP/8302 allowed from client to server, is the certificate password correct, and so on.
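As an added example (not part of the original post or of either product), here is a small Python pre-flight script that runs that checklist from the eStreamer client side before you click Connect. The DC host name, certificate path and password are placeholders; it assumes the downloaded client certificate is a PKCS#12 bundle and that the openssl binary is installed for the password check. The clock check stays manual.

```python
"""Pre-flight checks for an eStreamer client (run from the ESM side).

Covers the troubleshooting list: name resolution of the Defense Center,
reachability of TCP/8302 from client to server, and the password on the
downloaded client certificate. Clock skew still has to be checked by hand.
"""
import shutil
import socket
import subprocess

ESTREAMER_PORT = 8302  # eStreamer server port on the Defense Center


def resolve(hostname: str):
    """Return the IPv4 address for hostname, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int = ESTREAMER_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out, no route
        return False


def pkcs12_password_ok(path: str, password: str):
    """Check the certificate password with openssl (assumed PKCS#12 export).

    The password is passed on stdin, not on the command line, so it does not
    show up in the process list. Returns None when openssl is not installed.
    """
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(
        ["openssl", "pkcs12", "-in", path, "-passin", "stdin", "-noout"],
        input=password + "\n", capture_output=True, text=True,
    )
    return result.returncode == 0  # a wrong password fails the MAC check


def preflight(dc_host: str, cert_path: str, cert_password: str) -> dict:
    """Run every check and return a name -> result mapping for a quick report."""
    ip = resolve(dc_host)
    return {
        "dc_resolves": ip is not None,
        "tcp_8302_reachable": ip is not None and tcp_reachable(ip),
        "cert_password_ok": pkcs12_password_ok(cert_path, cert_password),
    }


if __name__ == "__main__":
    # Placeholder values: use your DC host name and the certificate you downloaded.
    for name, ok in preflight("dc.example.local", "client.pkcs12", "changeme").items():
        print(f"{name:20} {'OK' if ok else 'SKIPPED' if ok is None else 'FAIL'}")
```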
If the connection is successful, we can now investigate the DC messages from within the ESM:
That’s all for now. Thanks for reading and stay tuned.