3 Replies Latest reply on Mar 16, 2016 4:02 AM by peter.mason

    ArcSight ESM pulling from McAfee NSM 8.1 - AttackName field missing after signature update

    rmilman

      We have ArcSight ESM 8.6 configured to pull from McAfee NSM 8.1 using a SQL based connector. It works great most of the time except when McAfee releases new signatures. For some reason the AttackName field gets dropped from the pull. We've opened a case with HP to look at the ArcSight end, but I was wondering if anyone in the McAfee space has seen something like this? If so, how did you fix it?

      Right now the only solution is to restart the connector in ArcSight when a new signature is applied to the NSM and sensors. Not the best workaround, but it does work.

      Thanks,

      Rob

        • 1. Re: ArcSight ESM pulling from McAfee NSM 8.1 - AttackName field missing after signature update
          peter.mason

          Hey Rob,

          Can you share the query that you run?

          Is it running constantly or on a schedule?

          Are you seeing any temp tables created when installing SigSets that might indicate a lock issue?

          Has this always been an issue or did it occur after a particular SigSet or MR?

          Regards

          Peter

          • 2. Re: ArcSight ESM pulling from McAfee NSM 8.1 - AttackName field missing after signature update
            rmilman

            Hi Peter,

            See below for a detailed status report from ArcSight.

            It runs constantly. It works fine until a sig set is released, then the attack name field is blank. A connector restart fixes it.

            I'm not sure where to look for temp tables. Would that be in NSM or in ArcSight?

            Apparently this has always been an issue since ArcSight was installed in the spring last year. I took over the account recently and it seems the previous provider just kept restarting the connector every time new signatures were released. I'd rather fix it than have to remember to restart it as a workaround.

            Thanks,

            Rob

            Agent Type...................................intrushield_db

            Agent Version................................7.1.6.7563.0

            CommandResponses Processed...................40025

            Event rate LTC...............................Mon Mar 14 09:29:30 MDT 2016

            Events Processed.............................1088151

            Events Processed(SLC)........................79

            Events/Sec...................................0.9048561079290318

            Events/Sec(SLC)..............................1.3166666666666667

            FCP Version..................................0

            FIPS Enabled.................................false

            First CommandResponse Processed..............Mon Feb 29 10:27:35 MST 2016

            First Event Processed........................Mon Feb 29 10:27:40 MST 2016

            Host Address.................................10.146.96.91

            Host Name....................................ARCCPRDCGY003

            JDBCDriver...................................org.gjt.mm.mysql.Driver

            Last CommandResponse Processed...............Mon Mar 14 09:29:30 MDT 2016

            Last Event Processed.........................Mon Mar 14 09:30:29 MDT 2016

            TF[3fyN-XEwBABDSHctpX5wEpw==].Last Processed..6264267456518075802

            TF[3fyN-XEwBABDSHctpX5wEpw==].Last Query Time(ms)..4

            TF[3fyN-XEwBABDSHctpX5wEpw==].Last Row Count..2

            activeThreadCount............................245

            dbversion....................................7.5

            parserfolder.................................typespecificdata

            password.....................................**********

            url..........................................jdbc:mysql://156.44.239.38:3306/lf

            user.........................................**********

            • 3. Re: ArcSight ESM pulling from McAfee NSM 8.1 - AttackName field missing after signature update
              peter.mason

              Hi Rob,

              I don't use ArcSight so I can't help on that end.

              You would look for the temp tables on the NSM; they are in the MySQL\Data or MySQL\Data\lf folder.

              Some processes on the NSM, such as DB tuning, can create temp tables which get updated, and then the original table is dropped and replaced with the updated temp table. I'm assuming this is a similar process for updating the iv_signature table in the database.

              Peter
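Peter's hypothesis above (the iv_signature table being rebuilt through a temp table during a SigSet install) can be checked from the NSM's MySQL database without touching the connector. The following is an added example, not code from this thread, from McAfee or from ArcSight; it assumes the schema name lf taken from the connector URL in the status report, queries only information_schema, and the table names other than iv_signature are constructed sample data.

```python
"""Spot tables in the NSM 'lf' schema that are dropped and recreated
between two polls, e.g. by a temp-table swap during a SigSet install.

Added example (not from the thread, McAfee or ArcSight).  Assumes the
schema name 'lf' from the connector URL in the status report.  Any
PEP 249 cursor (mysql-connector, PyMySQL, ...) works with
fetch_snapshot(); no database driver is imported here.
"""
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# CREATE_TIME changes when a table is recreated, so a same-named table
# whose CREATE_TIME moved forward between two polls was dropped and
# replaced, which is what the temp-table swap would look like.
SNAPSHOT_SQL = (
    "SELECT TABLE_NAME, CREATE_TIME FROM information_schema.TABLES "
    "WHERE TABLE_SCHEMA = %s"
)

Snapshot = Dict[str, Optional[datetime]]


def snapshot_from_rows(rows: Iterable[Tuple[str, Optional[datetime]]]) -> Snapshot:
    """Turn (TABLE_NAME, CREATE_TIME) rows into a {name: create_time} map."""
    return {name: created for name, created in rows}


def fetch_snapshot(cursor, schema: str = "lf") -> Snapshot:
    """Run SNAPSHOT_SQL on a DB-API cursor for the given schema."""
    cursor.execute(SNAPSHOT_SQL, (schema,))
    return snapshot_from_rows(cursor.fetchall())


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify tables as created, dropped or replaced between two polls."""
    created = sorted(set(after) - set(before))
    dropped = sorted(set(before) - set(after))
    replaced = sorted(
        name for name in set(before) & set(after)
        if before[name] is not None and after[name] is not None
        and after[name] > before[name]
    )
    return {"created": created, "dropped": dropped, "replaced": replaced}


# Constructed sample polls around a hypothetical SigSet install:
# 'example_table' and 'iv_signature_tmp' are made-up names.
_T0 = datetime(2016, 3, 14, 9, 0, 0)
_T1 = datetime(2016, 3, 14, 9, 30, 0)
BEFORE = snapshot_from_rows([("iv_signature", _T0), ("example_table", _T0),
                             ("iv_signature_tmp", _T1)])
AFTER = snapshot_from_rows([("iv_signature", _T1), ("example_table", _T0)])

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

Polling before and after a SigSet install and seeing iv_signature listed under "replaced" would support the swap theory; a connector that keeps a handle or prepared statement against the old table would then explain why only a restart brings AttackName back.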