5 Replies Latest reply on Nov 28, 2012 1:49 PM by Chris Boldiston

    When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?

    parinya.ekparinya

      I know what Nitro Plugin Protocol is. But when it is specified in the "method of collection" column of the siem-device-support document, what is the method of collection? How can Nitro collect logs?

      AFAIK, NPP (now called MEF) only refers to the protocol used. It would be good if we knew the method of collection as well.


      For example:

      z/OS, z/VM  |  Mainframe SMF (System Management Facilities) Types 30, 14, 15, 17, 18, 56, 62, 64, 80  |  Nitro Plugin Protocol


      I can't tell whether the Receiver can pull logs from the mainframe directly using NPP or via an agent.

      So can someone explain to me a bit more what "NPP" means in the context of the siem-device-support document?

      Thank you.


      Best regards,

      Parinya Ekparinya

        • 1. Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?
          Chris Boldiston

          Hi Parinya


          The MEF / NPP is an encrypted TCP/IP connection which is made to the McAfee Agent. We have agents for Linux and also for Windows. The Agent collects events and then they are transmitted to the collector using that protocol. We do provide information for customers to utilize the protocol so an external program can insert events into the Receiver's database. One example is an output plug-in for Barnyard using Snort's unified (fast) output.


          If you check the online help for “McAfee Event Format” and “NPP Example Code” you will see some detailed information that will enable you to understand the API in detail.


          Regards,

          Chris

          • 2. Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?
            parinya.ekparinya

            According to the information you gave, MEF or NPP in this context refers only to the protocol used. It doesn't tell us what agent or piece of software is required. I understand that we have Windows and Linux agents, but that doesn't cover all data sources in the data sheet. For mainframes, for example, we may need to use a 3rd party agent or develop one ourselves. The document just tells us that the MEF (NPP) protocol can be used here. In my opinion, these are not "out of the box support" data sources because there is nothing we can use right away.


            Am I correct? Am I missing something? Or is there any piece of software provided to support those data sources out of the box, such as the "z/OS, z/VM" example I gave above?


            Anyway, I'll take a look at the example code and API. Thank you very much.


            Best regards,


            Parinya Ekparinya

            • 3. Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?
              Chris Boldiston

              Hi Parinya


              I have updated my previous post with a correction. My apologies for the previous incorrect information.


              We do support IBM and other mainframes, but that requires third-party agent software. My understanding is that the MEAS agent is a more mature product. Some more information is listed below:


              DG Technology  -  MEAS
                Mainframe:
                  DB2/IMS/Datacom/IDMS
                  CICS
                  FTP
                  MasterConsole
                  RACF/Top Secret/ACF2
                  Telnet
                  VSAM/BDAM/PDS
                  TCP/IP
                  SMP/E
                  Authorized Load Libraries
                  RMF Performance Data
                  Batch Job and Started Tasks Start/Stop
                  Top Secret, Type 80
                5.x, 6.x  |  ASP - Syslog

              Enforcive (formerly BSafe)  -  Cross Platform Audit
                Mainframe:
                  AS/400
                  DB2/IMS/Datacom/IDMS
                  FTP
                  RACF/Top Secret/ACF2
                  Telnet
                  VSAM/BDAM/PDS
                All  |  Enforcive Agent


              Regards

              Chris


              Message was corrected by: Chris on 11/27/12 11:07:16 AM EST
              • 4. Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?
                parinya.ekparinya

                Anyway, MEF or NPP in that document still refers only to the protocol part. IMHO, it would cause confusion.

                Especially when someone wants to sell Nitro but finds out later that those aren't supported out of the box and need 3rd party software agents.

                Should we have some clearer documentation where we can mention the appropriate 3rd party software agent where one is needed?

                Is there any other data source for which we also need a 3rd party software agent?

                As far as I know, Mainframe is the one and only one where we need a 3rd party. Not sure though about the SCADA ones. If you know about others, could you share with the rest of us?


                One more thing: do we have any plan to produce or release an official solution solely provided by McAfee?

                Customers may think about who should buy that software and who should maintain it. Without a local support team it might make things a bit (or A LOT!?) harder, especially for banking customers who have their mainframes running.


                Best regards,

                Parinya

                • 5. Re: When there's "Nitro Plugin Protocol" in siem-device-support, what does it mean?
                  Chris Boldiston

                  Hi Parinya


                  You are correct that the document could be clearer. I have asked PM if they can update that external-facing document with some better information so 3rd party agents are clearly stated.


                  I am not aware of any official solution that McAfee would be providing to replace the integrations with those 3rd party agents, but I will also check with PM and let you know if they have any plans for that.

                  Thanks

                  Chris