2016-05-17 11:41 AM
Hello,
Does somebody have a solution for how I can parse syslog events from IBM Security Network Protection (XGS)? I did not find this security tool in the list of supported devices. Does somebody have a custom parser?
2016-05-18 04:04 AM
Hi, are you able to post some anonymised logs so we can see how tricky it is?
2016-05-18 04:20 AM
Hello David,
Events from the IPS sensor have a very simple format and look like:
1 2016-05-18T11:06:13+0300 xgs alpsd 1022 -SetParam [FNXIPS@2 AdapterID="1.2" AdapterMode="Inline Protection" algorithm-id="2106286" appid="ldap" block="false" count="1" dstip="1.1.1.1" dstport="389" filterid="9583b397-9600-4546-9882-4831b0a82f10" iprdststate="disable" iprlicensed="1" iprsrcstate="disable" ipsid="16df2767-81b7-428b-b1d3-b86ea9d59e1a" name="LDAP_Active_Directory_Request_DoS" nvpdata="Control=1.2.840.113556.1.4.1339,adapter=1" priority="low" protocol="TCP" quarantineendtime="0" ruleid="1ea359e0-36ba-012e-9a54-0017faab3ff6" ruleorder="10" srcip="2.2.2.2" srcport="0" sslmethod="NotApplicable" time="2016-05-18T11:05:13+0300" timestamp="1463558713" userid="Unauthenticated Users" vulnstatus="not blocked" SensorAddress="3.3.3.3" SensorName="xgs" SensorGUID="" ProductID="107" IANAProtocolId="6"]
I don't know how events from the "Network Access Events" part of XGS look.
I'm a little bit confused that RSA doesn't have a brand parser for this security tool.
I am able to write and share a parser for this.
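The sample line above is a plain RFC 5424 message: a header (version, timestamp, host, app, procid, msgid) followed by one structured-data element with SD-ID FNXIPS@2. The parser below is an added example for readers of this thread, not the poster's parser and not vendor code. It parses the header, scans the structured data character by character so that quoted values with spaces (userid="Unauthenticated Users") and the RFC 5424 escapes \" \] \\ survive, flattens the params into lower-cased names, and checks the two clocks in the event: the timestamp param should equal the time param in epoch seconds, and the header time lags the detection time (60 s in the sample), which matters when correlating with other sources. The sample is the poster's line with its placeholder IPs; the SD-ID default and the function names are my own choices.

```python
"""Parse IBM XGS syslog events (RFC 5424 header + FNXIPS@2 structured data)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple

# The sample event from the thread (IPs are the poster's placeholders).
SAMPLE = (
    '1 2016-05-18T11:06:13+0300 xgs alpsd 1022 -SetParam [FNXIPS@2 AdapterID="1.2" '
    'AdapterMode="Inline Protection" algorithm-id="2106286" appid="ldap" block="false" '
    'count="1" dstip="1.1.1.1" dstport="389" filterid="9583b397-9600-4546-9882-4831b0a82f10" '
    'iprdststate="disable" iprlicensed="1" iprsrcstate="disable" '
    'ipsid="16df2767-81b7-428b-b1d3-b86ea9d59e1a" name="LDAP_Active_Directory_Request_DoS" '
    'nvpdata="Control=1.2.840.113556.1.4.1339,adapter=1" priority="low" protocol="TCP" '
    'quarantineendtime="0" ruleid="1ea359e0-36ba-012e-9a54-0017faab3ff6" ruleorder="10" '
    'srcip="2.2.2.2" srcport="0" sslmethod="NotApplicable" time="2016-05-18T11:05:13+0300" '
    'timestamp="1463558713" userid="Unauthenticated Users" vulnstatus="not blocked" '
    'SensorAddress="3.3.3.3" SensorName="xgs" SensorGUID="" ProductID="107" IANAProtocolId="6"]'
)

# RFC 5424 HEADER: [<PRI>]VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
# PRI is optional because the collector that produced the sample had already stripped it.
HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# SD-NAME: 1..32 chars, none of space, '=', ']', '"'.
SD_NAME_RE = re.compile(r'[^\s=\]"]{1,32}')


@dataclass
class XgsEvent:
    pri: Optional[int]
    version: int
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    sd: Dict[str, Dict[str, str]]  # SD-ID -> {PARAM-NAME: PARAM-VALUE}
    msg: str


def _parse_sd(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Scan STRUCTURED-DATA; return ({sd_id: params}, remaining MSG).
    Honours the RFC 5424 escapes inside PARAM-VALUE: \\" \\] and \\\\ .
    A split on spaces would break values such as userid="Unauthenticated Users"."""
    elements: Dict[str, Dict[str, str]] = {}
    if text.startswith('-'):                 # NILVALUE: no structured data
        return elements, text[1:].lstrip()
    i, n = 0, len(text)
    while i < n and text[i] == '[':
        m = SD_NAME_RE.match(text, i + 1)
        if not m:
            raise ValueError(f'bad SD-ID at offset {i + 1}')
        sd_id, i = m.group(0), m.end()
        params: Dict[str, str] = {}
        while i < n and text[i] != ']':
            if text[i] != ' ':
                raise ValueError(f'expected space at offset {i}')
            m = SD_NAME_RE.match(text, i + 1)
            if not m or text[m.end():m.end() + 2] != '="':
                raise ValueError(f'bad SD-PARAM at offset {i + 1}')
            name, i, buf = m.group(0), m.end() + 2, []
            while i < n and text[i] != '"':
                if text[i] == '\\' and i + 1 < n and text[i + 1] in '"]\\':
                    i += 1                   # drop the backslash, keep the escaped char
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError('unterminated PARAM-VALUE')
            params[name] = ''.join(buf)
            i += 1                           # closing quote
        if i >= n:
            raise ValueError('unterminated SD-ELEMENT')
        elements[sd_id] = params
        i += 1                               # closing bracket
    return elements, text[i:].lstrip()


def parse_xgs(line: str) -> XgsEvent:
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('line does not start with an RFC 5424 header')
    sd, msg = _parse_sd(m.group('rest'))
    return XgsEvent(
        pri=int(m.group('pri')) if m.group('pri') else None,
        version=int(m.group('version')), timestamp=m.group('timestamp'),
        host=m.group('host'), app=m.group('app'), procid=m.group('procid'),
        msgid=m.group('msgid'), sd=sd, msg=msg)


def flatten(ev: XgsEvent, sd_id: str = 'FNXIPS@2') -> Dict[str, str]:
    """Header fields plus the SD params with lower-cased names: the flat shape
    a table-map style key list is written against."""
    flat = {'host': ev.host, 'app': ev.app, 'procid': ev.procid,
            'msgid': ev.msgid, 'hdr_time': ev.timestamp}
    flat.update({k.lower(): v for k, v in ev.sd.get(sd_id, {}).items()})
    return flat


def timing_check(ev: XgsEvent, sd_id: str = 'FNXIPS@2') -> Tuple[int, int]:
    """Return (epoch_mismatch, emit_delay) in seconds. epoch_mismatch compares the
    'timestamp' param with the 'time' param and should be 0; emit_delay is how much
    later the syslog header time is than the detection time."""
    p = ev.sd[sd_id]
    fmt = '%Y-%m-%dT%H:%M:%S%z'               # %z accepts the colon-less +0300 offset
    event_dt = datetime.strptime(p['time'], fmt)
    header_dt = datetime.strptime(ev.timestamp, fmt)
    return (int(event_dt.timestamp()) - int(p['timestamp']),
            int((header_dt - event_dt).total_seconds()))


if __name__ == '__main__':
    ev = parse_xgs(SAMPLE)
    print(ev.msgid, flatten(ev)['name'], timing_check(ev))
```

Note that the sixth header token in the sample is "-SetParam", so that is what lands in msgid; whether XGS intends the dash as part of the message id or as a separator is something to confirm against more samples before keying a parser on it.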
2016-05-18 06:34 AM
Here is version 7 of the parser
Changelog
Version 7: 27th May 2016
Added new message id MSG 9 and MSG 10 to cope with some more unknown messages
Version 6:
Changed meta key name to policy.name
MSG7 and MSG 8 had a difference in the time field
In your table-map-custom.xml add the following keys and set them to point to whatever metakeys you want them to go into.
<!-- BEGIN List of keys Not in table-map-custom.xml -->
<mapping envisionName="adapterid" nwName="adapterid" flags="None" format="Text"/>
<mapping envisionName="adaptermode" nwName="adaptermode" flags="None" format="Text"/>
<mapping envisionName="algid" nwName="algid" flags="None" format="Text"/>
<mapping envisionName="endtimestr" nwName="endtimestr" flags="None" format="Text"/>
<mapping envisionName="filterid" nwName="filterid" flags="None" format="Text"/>
<mapping envisionName="ianaprotocolid" nwName="ianaprotocolid" flags="None" format="Text"/>
<mapping envisionName="iprdststate" nwName="iprdststate" flags="None" format="Text"/>
<mapping envisionName="iprlicensed" nwName="iprlicensed" flags="None" format="Text"/>
<mapping envisionName="iprsrcstate" nwName="iprsrcstate" flags="None" format="Text"/>
<mapping envisionName="ipsid" nwName="ipsid" flags="None" format="Text"/>
<mapping envisionName="nvpdata" nwName="nvpdata" flags="None" format="Text"/>
<mapping envisionName="policy.name" nwName="policy.name" flags="None" format="Text"/>
<mapping envisionName="priority" nwName="priority" flags="None" format="Text"/>
<mapping envisionName="productid" nwName="productid" flags="None" format="Text"/>
<mapping envisionName="quarantineendtime" nwName="quarantineendtime" flags="None" format="Text"/>
<mapping envisionName="ruleid" nwName="ruleid" flags="None" format="Text"/>
<mapping envisionName="ruleorder" nwName="ruleorder" flags="None" format="Text"/>
<mapping envisionName="sensorguid" nwName="sensorguid" flags="None" format="Text"/>
<mapping envisionName="sslmethod" nwName="sslmethod" flags="None" format="Text"/>
<mapping envisionName="starttimestr" nwName="starttimestr" flags="None" format="Text"/>
<mapping envisionName="timestamp" nwName="timestamp" flags="None" format="Text"/>
<mapping envisionName="vulnstatus" nwName="vulnstatus" flags="None" format="Text"/>
<!-- END List of keys Not in table-map-custom.xml -->
To deploy
Create a directory on your logdecoder called
/etc/netwitness/ng/envision/etc/devices/ibmxgs
and place the attached ini and xml files into this directory.
Then restart your logdecoder for it to pick up the new parser.