parinya.ekparin
Message 1 of 6

When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


I know what Nitro Plugin Protocol is. But when it has been specified in the method of collection column of the siem-device-support document, what's the method of collection? How can Nitro collect logs?

AFAIK, NPP (now called MEF) only refers to the protocol used. It would be good if we knew the method of collection as well.

For example:

z/OS, z/vm | Mainframe SMF (System Management Facilities) Types 30, 14, 15, 17, 18, 56, 62, 64, 80 | Nitro Plugin Protocol

I can't tell if the receiver can pull logs from the mainframe directly using NPP or via an agent.

So can someone explain to me a bit more what "NPP" means in the context of the siem-device-support document?

Thank you.

Best regards,

Parinya Ekparinya

1 Solution

Accepted Solutions
McAfee Employee siemchris
Message 4 of 6

Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


Hi Parinya

I have updated my previous post with a correction. My apologies for the previous incorrect information.

We do support IBM and other mainframes but that requires third-party agent software. My understanding is that the MEAS agent is a more mature product. Some more information is listed below:

DG Technology  MEAS
MainFrame
  DB2/IMS/Datacom/IDMS
  CICS
  FTP
  MasterConsole
  RACF/Top Secret/ACF2
  Telnet
  VSAM/BDAM/PDS
  TCP/IP
  SMP/E
  Authorized Load Libraries
  RMF Performance Data
  Batch Job and Started Tasks Start/Stop
  Top Secret, Type 80
5.x, 6.x  ASP - Syslog

Enforcive (formerly BSafe)  Cross Platform Audit
MainFrame
  AS/400
  DB2/IMS/Datacom/IDMS
  FTP
  RACF/Top Secret/ACF2
  Telnet
  VSAM/BDAM/PDS
All  Enforcive Agent

Regards


Chris

Message was corrected by: Chris on 11/27/12 11:07:16 AM EST
5 Replies
McAfee Employee siemchris
Message 2 of 6

Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


Hi Parinya

The MEF / NPP is an encrypted TCP/IP connection which is made to the McAfee Agent. We have agents for Linux and also for Windows. The Agent collects events and then they are transmitted to the collector using that protocol. We do provide information for customers to utilize the protocol so an external program can insert events into the Receiver's database. One example is an output plug-in for Barnyard using Snort's unified (fast) output.

If you check the online help for “McAfee Event Format” and “NPP Example Code” you will see some detailed information that will enable you to understand the API in detail.

Regards,




Chris

parinya.ekparin
Message 3 of 6

Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


According to the information you gave, MEF or NPP in this context refers only to the protocol used. They didn't tell us what agent or piece of software is required. I understand that we do have Windows & Linux agents. But that doesn't cover all data sources in the data sheet. Mainframe, for example: we may need to use a 3rd party or develop an agent ourselves. The document just told us the MEF (NPP) protocol can be used here. In my opinion, these are not "out of the box support" data sources because there is nothing we can use right away.

Am I correct? Am I missing something? Or is there any piece of software provided to support those data sources out of the box, such as the "z/OS, z/vm" I gave above as an example?

Anyway, I'll take a look at example code and API. Thank you very much.

Best regards,

Parinya Ekparinya

parinya.ekparin
Message 5 of 6

Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


Anyway, MEF or NPP in that document still refers to only the protocol part. IMHO, it would cause confusion.

Especially when someone wants to sell Nitro but finds later that those aren't supported out-of-the-box and need 3rd party software agents.

Should we have a clearer document where we can mention the appropriate 3rd party software agent if one is needed?

Is there any other data source for which we also need a 3rd party software agent?

As far as I know, Mainframe is the one and only one where we need 3rd party. Not sure though about those SCADA ones. If you know about others, could you share with the rest of us?

One more thing, do we have a plan to produce or release an official solution solely provided by McAfee?

Customers may think about who should buy that software and who should maintain it. Without a local support team it might make things a bit (or A LOT !?) harder. Especially for banking customers who got their mainframe running.

Best regards,

Parinya

McAfee Employee siemchris
Message 6 of 6

Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?


Hi Parinya

You are correct that the document could be clearer. I have asked PM if they can update that external facing document with some better information so 3rd party agents are clearly stated.

I am not aware of any official solution that McAfee would be providing to replace the integrations with those 3rd party agents but I will also check with PM and let you know if they have some plans for that.


Thanks

Chris
