Comments on Paul Melson's Blog: ArcSight / CEF Patch for Snort / Barnyard
Feed last updated 2022-03-30T14:14:56-05:00. 4 comments, shown in chronological order.

Colin (https://www.blogger.com/profile/02091038205070001195), 2008-02-06 01:04 -05:00:

Paul,

Glad you find value in the patch! I wrote it on a whim about a week ago. I don't even use ArcSight.

Let me know if you've got features or changes you'd like to see.

Thanks,
Colin

Anonymous, 2008-02-08 05:56 -05:00:

Hmmmm, I agree that lack of payload is the biggest negative to this solution... so...

If the Barnyard CEF output had what ArcSight calls the "payload ID" (the eventID that indicates the location of the actual payload or session data in Snort) as a field, it probably wouldn't be all that difficult to have an ArcSight Tool written to "right-click" in an ArcSight Active Channel and on demand go and retrieve the payload (via SSH script) and open it up in Wireshark (if pcap session data) or another tool for further analysis.

Just a thought. If I get a chance to play with this, perhaps I'll post the actual method of accomplishing this.

PaulM (http://www.blogger.com/profile/02530533566781746778), 2008-02-11 09:56 -05:00:

The issue of retrieving payload after the fact is really two issues. First, storing the payload somewhere, and second, retrieving it on demand. An ArcSight tool could be built for retrieval like you describe, but using the CEF-to-syslog Barnyard method doesn't seem to put the payload anywhere you can retrieve it.

Colin (https://www.blogger.com/profile/02091038205070001195), 2008-02-11 10:23 -05:00:

Again, I don't use ArcSight. So I'm not very familiar with the mechanisms used for its log collection. My output plugin was more of a tool coming out of some free time than really to address a need. Syslog is not a very good mechanism for transporting payloads -- there are definitely better ways of doing this. The output plugin is really just a transport for the alarm and not intended to provide a context (just like the standard syslog output plugins in Snort and Barnyard).