5 Replies Latest reply on Apr 9, 2015 8:03 PM by bperez

    McAfee IPS integration problem

    Chandimal Karunarathne

      I have integrated McAfee IPS (Network Security Manager) with my McAfee ESM. But it does not display the different event categories. ESM displays all the logs in one row with one category name. Please let me know, is there any integration problem with ESM? How can I integrate it properly with ESM?

      I really appreciate your support, gentlemen.

        • 1. Re: McAfee IPS integration problem
          Scott Taschler

          There was an old version of the NSM parser that worked this way, but it should no longer be the case with the current parser. You should verify the following:

          • Ensure you are using the proper parser.
            • If you are pulling events via syslog, the parser is "Network Security Manager (ASP)".
            • If you are using the SQL Pull method of retrieving events from NSP, you should have your NSP defined as a "device", not a "data source" (select ESM, then click the button for "Add Device" and select "McAfee Network Security Manager").

          • Ensure you have the latest rules downloaded and rolled out to your Receivers.

          Scott

          • 2. Re: McAfee IPS integration problem
            Chandimal Karunarathne

            Hi Scott,

            Thank you for your reply.

            I have updated the rules and rolled them out to the devices, but I am still receiving the same. I am getting only one category, as in the screenshot attached below. I have also attached the IPS settings for your information. Please let me know what I have to do to parse the McAfee IPS logs properly.

            Thank you,

            Chandimal.k

            [Attached screenshots: McAfee-IPS-02.png, McAfee-IPS-01.png]

            • 3. Re: McAfee IPS integration problem
              Scott Taschler

              It's not entirely clear what the problem is here. The events you are seeing here do not look at all like events that would come from NSP. Since you have configured the NSP parser to receive via syslog, have you configured your NSM to send events to the ESM via syslog? You might have best results contacting McAfee Support for assistance.

              Scott

              • 4. Re: McAfee IPS integration problem
                Chandimal Karunarathne

                I have integrated McAfee IPS with ESM with the help of the McAfee SIEM technical support team. If anyone wants to integrate McAfee IPS, add it as a device, not as a data source. You have to follow the steps below to get the maximum out of it.

                1. First upgrade the ESM to a supported version (either 9.2.2 or 9.3.1).
                2. Make sure McAfee NSM is on a supported version (7.1.3 or later).
                3. You must run the NSM Configuration Utility on the server running the NSM MySQL.

                For your reference, please find the link to the same below.

                http://kc.mcafee.com/agent/index?page=content&id=KB77091

                4. Add McAfee NSM as a device on ESM, and test the SQL root user connectivity and NSM admin connectivity.

                This will automatically add the child sensors which are configured with NSM.

                All the Best,

                • 5. Re: McAfee IPS integration problem
                  bperez

                  To configure the NSM in the SIEM you must prepare the MySQL database to accept connections from the Receiver IP address. Here are the commands:

                  Assuming this scenario:

                  SIEM Receiver IP: 192.168.100.1

                  NSM Manager IP: 192.168.100.2

                  User to access the NSM database from SIEM: siem, password: siempass (you must change it; no special characters)

                  A) Access the Windows system on the NSM Manager and run the following commands:

                  • C:\Program Files (x86)\McAfee\Network Security Manager\MySQL\bin>mysql --user=root mysql -p (asks for the root password)
                  • Add a MySQL user to read the lf database from the SIEM IP address: CREATE USER 'siem'@'192.168.100.1' IDENTIFIED BY 'siempass';
                  • Grant permissions on the lf tables to the siem user: GRANT SELECT ON lf.* TO 'siem'@'192.168.100.1';

                  B) Create a new device in NSM:

                  [Attached screenshots: Capture.JPG, Capture2.JPG, Capture3.JPG, Capture4.JPG]

                  Now you have NSM and SIEM connected.
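The following is an added example, not part of bperez's post or of any McAfee documentation. It carries the database preparation from the post through as a complete script for the NSM Manager's MySQL, with a weak variant shown alongside the least-privilege one and the checks a practitioner would run before handing the credentials to the Receiver. The Receiver address 192.168.100.1 and the schema name lf are taken from the post; the password is a placeholder to replace, and the assumption is that the ESM only ever needs to read from lf.

```sql
-- Added example: least-privilege read-only MySQL account for the SIEM Receiver.
-- Run as root in the NSM Manager's bundled mysql client (path as in the post).
-- Assumptions: Receiver at 192.168.100.1 and schema name lf (from the post);
-- the password is a placeholder and must be replaced.

-- Weak setting to avoid: a wildcard host and blanket privileges mean anyone
-- who learns the password, from any host, can read and modify the NSM data.
-- CREATE USER 'siem'@'%' IDENTIFIED BY 'siempass';
-- GRANT ALL PRIVILEGES ON *.* TO 'siem'@'%';

-- Corrected setting: the account is bound to the Receiver's address and can
-- only SELECT from the lf schema, which is all the SQL pull needs.
CREATE USER 'siem'@'192.168.100.1' IDENTIFIED BY 'ReplaceWithLongPassphrase1';
GRANT SELECT ON lf.* TO 'siem'@'192.168.100.1';

-- Check 1: the grant list should show only USAGE on *.* and SELECT on `lf`.*.
SHOW GRANTS FOR 'siem'@'192.168.100.1';

-- Check 2: there must be no other host row for this user (no '%' leftovers).
SELECT user, host FROM mysql.user WHERE user = 'siem';

-- Check 3: the account must not be able to write; run this while logged in as
-- siem from the Receiver, it should fail with a "command denied" error.
-- INSERT INTO lf.some_table VALUES (0);

-- Cleanup if an over-broad account was created earlier: remove it rather than
-- leaving both rows in mysql.user, because MySQL picks the most specific match
-- per connection and the wildcard row would still accept connections from
-- every other host.
-- REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'siem'@'%';
-- DROP USER 'siem'@'%';
```

After the checks pass, configure the device in ESM with the siem account and use the ESM's connectivity test from the Receiver; if the test fails with an access-denied error, the host part of the account does not match the address the Receiver actually connects from, which is the first thing to compare against the row returned by check 2.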