Damballa CSP Connector Configuration Guide
Common Event Format Configuration Guide
Damballa CSP
April 25, 2011
Revision History
Date Description
04/25/2011 First edition of Certified CSP Configuration Guide.
This guide provides information for configuring the Damballa CSP Connector for syslog
event collection. This Connector is supported on Windows, Linux, and Solaris platforms.
Damballa® CSP version 1.6+ is supported.
Overview
Damballa® CSP is specifically designed to identify malicious activity originating from
subscribers' devices on the Communication Service Provider's network. The Damballa
CSP system isolates and terminates any online threat, such as a botnet or advanced
malware, that uses network-based command and control (CnC) to link compromised
systems together into a covert malicious network.
Configuration
Damballa CSP’s integration with ArcSight is simple to configure.
Step 1: Log on to the Damballa CSP Collector Quick Install Menu and navigate to the
ArcSight Configuration section. Follow the onscreen prompts.
Step 2: "Do you want to send events to ArcSight?" [Y/N]
Step 3: "Please enter the hostname or IP of the ArcSight ESM:" [IP address or hostname,
example 10.10.1.10]
Step 4: "Please enter ArcSight ESM destination port number:" [port number, example 514]
Step 5: "Please enter ArcSight ESM source port number:" [port number, example 514]
Step 6: "Please enter a minute interval (between 5 and 60) for events to be sent to the
ArcSight ESM:" [minutes, in 5 minute increments, example 15]
[Screen shot: ArcSight Configuration prompts in the Collector Quick Install Menu]
Events
The Damballa CSP Connector to ArcSight provides CEF events when Damballa CSP
identifies evidence of a Subscriber IP making a DNS query for a CnC Domain (DNS
Query). Events include other relevant information such as information on the threat and
forensic information captured by Damballa CSP.
Device Event Mapping to ArcSight Data Fields
Information contained within vendor-specific event definitions is sent to the ArcSight
SmartConnector and then mapped to an ArcSight data field.
The following table lists the mappings from ArcSight data fields to the supported
vendor-specific event definitions.
Damballa CSP Connector Field Mappings
The Damballa CSP ArcSight ESM integration includes the following content in each syslog
event.
Sample event (a single syslog line; destinationDnsDomain is blank in this sample):
CEF:0|Damballa|SP Solution|1.5|1|classified_domain|10|cat=DNSQuery cnt=2 cs1=Damballa Test cs1Label=ThreatName cs2=Damballa Test Industry cs2Label=IndustryName destinationDnsDomain= dvchost=sensor1 end=1300194678000 src=1.2.3.4 start=1300192878000
Field (Data Type) | Contents | Description
--- | --- | ---
CEF: Version (Integer) | 0 | ArcSight CEF format version
Device Vendor (String) | Damballa |
Device Product (String) | SP Solution |
Device Version (String) | 1.5 | CSP Solution version number
Signature ID (String) | (botnet ID) | A unique identifier for the botnet. Ties to the content of the Damballa CSP Activity and Threat reports via the field "botnet_id".
Name (String) | (evidence) | Type of event, such as classified_domain
cnt (Integer) | (count) | The number of queries between first and last seen for a threat/botnet identified on a Subscriber IP. Ties to the Damballa CSP Activity report via the field "lookup_count".
Severity (Integer) | (severity) | The Damballa severity score for the threat/botnet. Ties to the Damballa CSP Threat report via the field "global_severity_score".
cat (String) | DNSQuery | The event category
start (TimeStamp) | (start_time) | Timestamp of the first query in the time period, as MMM dd yyyy HH:mm:ss or milliseconds since epoch. Ties to the Damballa CSP Activity report via the field "first_seen".
end (TimeStamp) | (time) | Timestamp of the last query in the time period, as MMM dd yyyy HH:mm:ss or milliseconds since epoch. Ties to the Damballa CSP Activity report via the field "last_seen".
src (IPv4 Address) | (source IPv4) | The IP address of the querying subscriber. Ties to the Damballa CSP Activity report via the field "client_IP".
destinationDnsDomain (String) | (destination domain) | The CnC domain name being queried by the Subscriber IP. Ties to the Damballa CSP Activity report via the field "domain".
cs1Label (String) | ThreatName | Custom field label
cs1 (String) | (threat name) | The unique Damballa name for the operator/threat. Ties to the Damballa CSP Threat report via the field "operator_name".
cs2Label (String) | IndustryName | Custom field label
cs2 (String) | (industry name) | The common industry name for the operator/threat (if available). Ties to the Damballa CSP Threat report via the field "industry_name".
cs3Label (String) | GroupName | Custom field label
cs3 (String) | (group name) | Group name/description of the specified IP range group.
cn1Label (String) | PortStart | Custom field label
cn1 (Integer) | (port start) | The first port number of the assigned source port block, based on customer-configured NAT port groupings.
dvchost (String) | (sensor name) | Name of the sensor that collected the evidence.
Notes and Other Information
Although the asset information (IP/hostname/MAC address) of the suspicious or compromised subscriber IP is mapped to the source fields in the CEF event, this information will be present in the corresponding target fields once the event is processed by ArcSight. This is due to the nature of these events: Damballa CSP is reporting subscribers that are attempting to communicate with Command and Control (CnC) servers. The CnC server, if present, is the actual attacker, while the compromised subscriber is, in reality, the target.
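As an added example (not code from this guide or from Damballa), the following parser takes the syslog CEF line ArcSight would receive and maps it onto the report fields named in the table, applying the note above that src is the compromised subscriber rather than the attacker. The sample event and its CnC domain value are constructed; the header and extension splitting follow the CEF escaping rules (\| in the header, \= in extension values).

```python
import re
from datetime import datetime, timezone
# Constructed sample, modelled on the guide's event (the CnC domain value is made up).
SAMPLE_EVENT = (
    "CEF:0|Damballa|SP Solution|1.5|1|classified_domain|10|cat=DNSQuery cnt=2 "
    "cs1=Damballa Test cs1Label=ThreatName cs2=Damballa Test Industry "
    "cs2Label=IndustryName destinationDnsDomain=cnc.example.test "
    "dvchost=sensor1 end=1300194678000 src=1.2.3.4 start=1300192878000"
)
HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity")

def split_header(line):
    """Split the seven pipe-delimited CEF header fields; '\\|' is a literal pipe, not a separator."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    parts[0] = parts[0][len("CEF:"):]
    header = dict(zip(HEADER_KEYS, (p.replace(r"\|", "|") for p in parts[:7])))
    return header, parts[7]

def parse_extension(ext):
    """Extension is space-separated key=value; values may contain spaces, keys may not."""
    keys = list(re.finditer(r"(?:^|\s)([^\s=]+)=", ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace(r"\=", "=")
    return out

def normalize(line):
    """Map one Damballa CEF event onto the report fields the guide's table names; per the
    guide's note, src is the compromised subscriber (victim) and the CnC domain is the attacker side."""
    header, ext = split_header(line)
    kv = parse_extension(ext)
    # csN/cnN custom fields get their meaning from the matching csNLabel/cnNLabel key.
    labelled = {kv[k]: kv[k[:-5]] for k in kv if k.endswith("Label") and k[:-5] in kv}
    to_dt = lambda ms: datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
    return {
        "botnet_id": header["signature_id"],
        "evidence": header["name"],
        "global_severity_score": int(header["severity"]),
        "lookup_count": int(kv.get("cnt", 0)),
        "first_seen": to_dt(kv["start"]),
        "last_seen": to_dt(kv["end"]),
        "victim_ip": kv["src"],
        "cnc_domain": kv.get("destinationDnsDomain") or None,  # guide's sample leaves it blank
        "operator_name": labelled.get("ThreatName"),
        "industry_name": labelled.get("IndustryName"),
        "sensor": kv.get("dvchost"),
    }
```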