
Missing netconns in SIEM via event-forwarder

Environment

  • Cb Response 6.1.2-6.2.1, with cb-event-forwarder

Symptoms

  • Sensors at version 6.1.2 or later.
  • Netconns are observed within the CB Response console
  • Netconns are not observed in external SIEM while using cb-event-forwarder to send data (or fewer than expected are observed, or only netconns from sensors before 6.1.2)

Cause

There is an identified defect in CB Response related to Netconn_v2 type events (introduced in 6.1.2 and later sensors) when broadcasting events via the default method. This known issue is being tracked as CB-17446 and will be addressed in a future product release.

Resolution

This issue can be addressed by switching from the 'default' broadcast (which is impacted by CB-17446) to "raw sensor exchange" (which is not). This change is invisible from the SIEM's perspective; no changes are needed on the SIEM side.

1.  Ensure that cb-event-forwarder is upgraded to the latest version:

          yum info cb-event-forwarder

If it is not the latest (3.4, currently), then stop the cb-event-forwarder and update it:

     initctl stop cb-event-forwarder

     yum upgrade cb-event-forwarder

2.  On master/standalone server (where cb-event-forwarder is installed), edit your /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and locate the following parameter and uncomment it:

      #use_raw_sensor_exchange=true

          change to:

     use_raw_sensor_exchange=true

3.   On master/standalone server and all minions in the cluster, edit your /etc/cb/cb.conf and add the following parameter (the bottom of the file is fine; it is not present out of the box):

      EnableRawSensorDataBroadcast=True

4.   Again, in your /etc/cb/cb.conf on master/standalone server and all minions in the cluster, comment out the following line:

     DatastoreBroadcastEventTypes=<your current settings>

          change to:

     #DatastoreBroadcastEventTypes=<your current settings>

5.  Confirm that your /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf on the system running cb-event-forwarder has the setting you want for the events_raw_sensor parameter. The events_raw_sensor value should reflect the DatastoreBroadcastEventTypes value you commented out in the previous step. If the original setting in step 4 was DatastoreBroadcastEventTypes=*, use events_raw_sensor=ALL. For any other setting, the two parameters should have the same value.

          events_raw_sensor=<your setting>

6.  Do a complete server/cluster restart as per the normal procedure and also restart cb-event-forwarder:

     initctl stop cb-event-forwarder

     initctl start cb-event-forwarder

7.  Wait a few minutes and confirm that you are now receiving the expected netconns via cb-event-forwarder in your SIEM.
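The configuration edits in steps 2 to 5 are easy to get half-done by hand across a master and several minions, so the following added example (not part of this article and not Carbon Black's own tooling) applies them as idempotent shell functions and checks the end state before the restart in step 6. File paths are parameters, so it runs against sample copies; the production paths are the ones named in the article, /etc/cb/cb.conf and /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf. The sample config contents and the value sample.value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Carbon Black KB article: apply the CB-17446
# workaround (steps 2 to 5 above) to cb.conf and cb-event-forwarder.conf.
# File paths are parameters so the functions can be exercised on sample copies;
# in production they are /etc/cb/cb.conf and
# /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.
set -eu

# Rewrite a file in place portably (GNU and BSD sed differ on -i).
rewrite_with_sed() {
    expr="$1"; conf="$2"
    tmp=$(mktemp)
    sed "$expr" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 2: uncomment use_raw_sensor_exchange=true (append it if absent).
enable_raw_sensor_exchange() {
    conf="$1"
    if grep -q '^use_raw_sensor_exchange=true' "$conf"; then
        return 0
    elif grep -q '^#[[:space:]]*use_raw_sensor_exchange=' "$conf"; then
        rewrite_with_sed 's/^#[[:space:]]*use_raw_sensor_exchange=.*/use_raw_sensor_exchange=true/' "$conf"
    else
        printf 'use_raw_sensor_exchange=true\n' >> "$conf"
    fi
}

# Step 5 mapping: the article says DatastoreBroadcastEventTypes=* becomes
# events_raw_sensor=ALL, and any other value is carried over unchanged.
datastore_types_to_events_raw_sensor() {
    if [ "$1" = "*" ]; then printf 'ALL\n'; else printf '%s\n' "$1"; fi
}

# Steps 3 and 4: add EnableRawSensorDataBroadcast=True and comment out
# DatastoreBroadcastEventTypes. Prints the events_raw_sensor value to use.
patch_cb_conf() {
    conf="$1"
    current=$(sed -n 's/^DatastoreBroadcastEventTypes=//p' "$conf" | head -n 1)
    rewrite_with_sed 's/^DatastoreBroadcastEventTypes=/#DatastoreBroadcastEventTypes=/' "$conf"
    if ! grep -q '^EnableRawSensorDataBroadcast=True' "$conf"; then
        printf 'EnableRawSensorDataBroadcast=True\n' >> "$conf"
    fi
    datastore_types_to_events_raw_sensor "$current"
}

# Step 5: set events_raw_sensor in the forwarder config (replace or append).
set_events_raw_sensor() {
    conf="$1"; value="$2"
    if grep -q '^#*[[:space:]]*events_raw_sensor=' "$conf"; then
        rewrite_with_sed "s|^#*[[:space:]]*events_raw_sensor=.*|events_raw_sensor=$value|" "$conf"
    else
        printf 'events_raw_sensor=%s\n' "$value" >> "$conf"
    fi
}

# Post-change check before the restart in step 6: succeeds only when every
# setting is in the state the article describes.
verify_workaround() {
    cb_conf="$1"; fwd_conf="$2"
    grep -q '^EnableRawSensorDataBroadcast=True' "$cb_conf" &&
        ! grep -q '^DatastoreBroadcastEventTypes=' "$cb_conf" &&
        grep -q '^use_raw_sensor_exchange=true' "$fwd_conf" &&
        grep -q '^events_raw_sensor=' "$fwd_conf"
}

# Demonstration on constructed sample copies (never touches /etc/cb).
demo_dir=$(mktemp -d)
printf 'DatastoreBroadcastEventTypes=*\nSomeOtherSetting=1\n' > "$demo_dir/cb.conf"
printf '#use_raw_sensor_exchange=true\nevents_raw_sensor=sample.value\n' > "$demo_dir/cb-event-forwarder.conf"
enable_raw_sensor_exchange "$demo_dir/cb-event-forwarder.conf"
raw=$(patch_cb_conf "$demo_dir/cb.conf")
set_events_raw_sensor "$demo_dir/cb-event-forwarder.conf" "$raw"
verify_workaround "$demo_dir/cb.conf" "$demo_dir/cb-event-forwarder.conf" &&
    echo "workaround applied; events_raw_sensor=$raw"
rm -rf "$demo_dir"
```

Run patch_cb_conf on the master and on every minion (step 3 and 4 apply cluster-wide), but enable_raw_sensor_exchange and set_events_raw_sensor only on the host where cb-event-forwarder is installed; the functions are safe to re-run, so a second pass after a partial edit does not duplicate lines. A failing verify_workaround is the signal to stop before the cluster restart.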

Article Information
Creation Date: 03-07-2018