Collecting McAfee ePO threat data using AlienVault OSSIM

If you are using AlienVault OSSIM you can collect ePO Threat Data and add it to your SIEM Security Events.

AlienVault have already development a database plugin to connect to the ePO Database, collect and parse the data into the OSSIM Database, but I have struggled to get this to work with our MS-SQL Database cluster, resulting in 'ParserDatabase [INFO]: Can't connect to MS-SQL database' errors.

The steps for enabling the plugin and collecting the data are:

• Enabling the Plugin
• Creating a local configuration file
• Configuring the database connection
• Troubleshooting connection errors

Enabling the Plugin

• ssh onto the sensor you wish to use to collect the data from the McAfee database
• From the menu select Configure Sensor > Configure Data Source Plugins
• Select mcafee-epo from the list using the spacebar (hint: jump to 'm' by using the m key)
• Select OK
• Select Back
• Select 'Apply all changes' from the main menu

During the final stages the OSSIM-Agent will be restarted and is now ready for your database configuration.

Configure the plugin

We now need to configure the plugin to connect to our MS-SQL database.  This is done by providing connection details within the cfg file for the plugin.

Firstly from the sensor Main Menu select the 'Jailbreak System' option and agree to the notice.

Create a new local configuration file for the plugin called mcafee-epo.cfg.local and place the [config] data in this file:

# nano /etc/ossim/agent/plugins/mcafee-epo.cfg.local

[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/mcafee_epo_custom_functions.cfg
source=database
source_type=mssql
source_ip=<serverip>\<instancename>
source_port=
user=<sql db username>
password=<sal db password>
db=<database name>
sleep=60
process=
start=no
stop=no

This config data will survive any updates rolled out by AlienVault.

Once the mcafee-epo.cfg.local file has been saved restart the ossim-agent:

# /etc/init.d/ossim-agent restart

[ ok ] Restarting OSSIM Agent: ossim-agent.

Once the ossim-agent has restarted check the agent log for connection status messages.

# tail -F /var/log/alienvault/agent/agent.log | grep ParserDatabase

If the connection is successful you should see a message similar to:

2016-09-30 16:17:24,339 ParserDatabase [INFO]: Connected to DB after 1 tries

If the connection fails you should see a message similar to:

2016-09-30 16:12:07,627 ParserDatabase [INFO]: Can't connect to MS-SQL database

2016-09-30 16:12:07,628 ParserDatabase [INFO]: We cant connect to data base, retrying in 10 seconds....try:0 

If the connection fails we can check connectivity to the MS-SQL server as detailed below.

Troubleshooting connection errors

We can check connectivity to an MS-SQL Database from the command line using python:

# python
>>> import pymssql
>>> con = pymssql.connect(host="<serverip>\<instance>", user="<sql db username>", password="<sql db password>", database="<ePO database name>")
>>> cursor = con.cursor()
>>> cursor.execute("SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC")
>>> print cursor.fetchall()

This should return the AutoID of the most recent Event in the EPOEvents table

use ctrl + d to exit back to the prompt

In most cases the server, instance, port or credentials are the cause of any connection issues.

If you are using a named instance for your database server such as SQLSRV1\DB1 do not enter a port number, the SQL Browser service will assign the appropriate dynamic port number, even if the instance is using a fixed port, do not enter it in the connection string or the config for the agent plugin.

Viewing the Security Events

Once you have the sensor collecting the data check to see if the events are being collected correctly

In the web console navigate to Analysis > Security Events (SIEM)

Select Mcafee-epo from the Data Sources drop down and select GROUPED under the events list.