------------------------------------------------------------------------
jkb 2008/05/12 Document Created
------------------------------------------------------------------------
2008/03/05 APAR IZ17037 Cisco IOS messages auto-detected as Cisco PIX: added more logic and effort to the auto-detect capabilities so that, on a best-effort basis, a new event source is identified as the device closest to the context of an event
2008/03/11 APAR IZ17399 Cisco IOS events being dropped: the $loghost value needed to be undefined between event parsing
2008/03/14 PMR 00606,634,760 ProFTPD support requested: ProFTPD is used, and logic for Syslog messages reported by ProFTPD was added to the rules
2008/04/02 APAR IZ17634 Symantec Network Security Syslog messages were not being parsed: added logic for the Syslog message structure
2008/04/07 PMR 00716,634,760 Hostnames were not extracted from ProFTPD events: logic to extract source/dest hostnames from ProFTPD events was added
2008/04/08 PMR 00797,634,760 Syslog Conduit sensor times were set to the EAM time: the $utimestamp value was often set to local time instead of the time extracted from the event. Logic was corrected to ensure the appropriate time is used to set the $utimestamp variable
2008/04/23 PMR 42944,SGC,724 Starent ST40 support requested: added device support via the Syslog Conduit for Starent ST40 syslog messages
2008/03 Internal: Added Cisco FWSM as a device
2008/03 Internal: ISCdhcpd.pm declared a default protocol value of 0 instead of the correct value of -1
2008/03 Internal: Added MAC address extraction logic to ISCdhcpd.pm
2008/03 Internal: Replaced all instances of $protocol = 0 with $protocol = -1 to prevent the wrong protocol (0 = HOPOPT) being recorded
2008/03 Internal: Added optional ability to leverage /etc/hosts to define hostnames for src or dest IPs in all Perl-based rules
2008/03 Internal: Logic improved to parse SSHD_FAILED_ROOT_PASSWORD messages
2008/03 Internal: Removed unused scalar settings for class_id, as this variable was used in TSOM 3.1, not TSOM 4.1
2008/03 Internal: Ensured $information is set to the original event string
2008/04 Internal: Removed old code for $logAllMessages, as it is not valid for the TSOM 4.1 product
2008/05 Cisco-based products have the Event Type set to the Cisco-based error reporting format: FACILITY-SEVERITY-MNEMONIC
------------------------------------------------------------------------
2008/05/20 APAR IZ20669 SNMP rules not setting the correct sensor type for TCIM or zAlert
------------------------------------------------------------------------
2008/05 APAR IZ21300 Added logic to look for an IP address from a sensor's Identifier List for all UCM/Windows related events
2008/05/21 APAR IZ22710 Sensor type identifier for Cisco IOS was corrected to reflect ROUTER instead of the original FIREWALL identifier
2008/06/04 APAR IZ22410 Corrected WebSEAL classification as an event source for parsing
2008/06/04 APAR IZ22216 Added logic to handle AIX-based Syslog messages that were not being properly parsed
2008/05/29 Internal: Added logic to identify Apache messages as a product instead of a Unix-based OS
2008/06 Internal: Added Syslog-based support of ModSecurity events
2008/06/06 Internal: Array undefined to prevent a performance issue with variable clean-up for Perl-based rules
2008/06/06 Internal: Added variables to Perl-based rules to reference other rule files and handlers, providing more flexible links instead of hard-coded links
2008/06/06 Internal: Added support for Symantec Mail Security logs via the UCM and UCM Conduit
2008/06/06 Internal: Added Syslog-based checks for potential messages from unknown devices to be handled by Miscellany and report the closest possible event type
2008/06/10 Internal: Added identifier for ISC products instead of using generic Unix-based sensor identifiers
2008/06/10 Internal: Added logic to take rhost values from SSH messages and determine whether they are a source IP or a source hostname
2008/06/11 Internal: Corrected named reference to time function in Auditd.pm
2008/06/11 Adjusted Perl library references to be aware of different versions of Perl
------------------------------------------------------------------------
2008/06/23 APAR IZ24062 Added necessary SQL statements to tie Symantec Console to the UCM conduit
2008/06/24 APAR IZ24062 Associated Symantec System Console sensor to UCM and updated support for this sensor
2008/06/20 APAR IZ24431 Adjusted logic to ensure that Sourcefire events leveraged the Sourcefire rule and not SNORT
2008/06/19 Internal: Added 'Solaris 10' to the list of sensor types
2008/06/23 Internal: Added additional parsing logic to extract any username, usercontext, or IP related data from Windows Events gathered via Windows Log Parser/UCM
2008/06/27 Internal: Added UCM.CFG and UCM Conduit support for Trend Micro Control Manager
------------------------------------------------------------------------
2008/07/08 APAR IZ24431 Added logic to differentiate the Snort logic from parsing and identifying Sourcefire events as Snort
2008/07/08 APAR IZ22710 Cisco IOS is classified as a ROUTER/SWITCH sensor
2008/07/14 APAR IZ26626 Improved logic to avoid Cisco IOS-based events being auto-detected as a Cisco Secure IDS 3.x sensor
2008/07/14 APAR IZ26877 Corrected event analysis to avoid Cisco IOS events with an hour:minute:second timestamp being dropped
2008/07/15 APAR IZ26899 Corrected the logic to prevent Tipping Point event sources from being parsed as Cisco IOS
2008/07/16 APAR IZ27007 Added logic to identify and parse Fortigate events via the Syslog Conduit
2008/07 Internal: Ensured that parsed Snort messages are auto-detected with the hostname of the event source, not the Snort process name and PID
2008/07/08 Internal: Corrected spelling of 'Solaris 10' sensor name
2008/07/08 Internal: Added additional logic to the Sourcefire rule to support legacy, current, and custom event formats
2008/07/09 Internal: Added initial support for Tumbleweed Email Firewall log tailing via the UCM. The UCM.CFG database tailer added is database tailer #35
2008/07/09 Internal: Added a "Generic Syslog" sensor to help the auto-detect/auto-config best-effort approach default an unknown event source, or an event source from an unknown OS, to something more generic instead of defaulting to sensor type LINUX
------------------------------------------------------------------------
2008/08/04 APAR IZ28925 Added logic to strip colons from source hostnames extracted from AIX Syslog messages
2008/08/04 APAR IZ17399 Cisco-based Syslog messages had the %SEC facility in a different position than previously expected; logic was added to ensure these message structures are parsed
2008/08 Internal: Began the process of adding or updating version numbers in the device list
2008/08/11 Internal: Added versions to supported sensor names: ProFTPD 1.3.1, Sourcefire 4.7, Sourcefire Defense Center 4.7, ISC DHCPD 3.1.1, ISC BIND 9.3, Cisco FWSM 7.1, ModSecurity Web Firewall 2.5.3
2008/08/11 Internal: Added preliminary support for Microsoft IAG 2007 Syslog messages
2008/08/14 Internal: Added code to handle Sourcefire Defense Center 4.7/Sourcefire 4.7 messages and updated sensor names to reflect this version
------------------------------------------------------------------------
2008/08/22 APAR IZ29086 Added check for Syslog-service rules to ensure AIX messages are flagged accordingly and not flagged as Cisco IOS or Generic Syslog
2008/08/28 APAR IZ27007 Previously unrecognized format from Fortigate accommodated so that it is auto-configured accordingly
2008/09/18 APAR IZ28699 Auto-detection and configuration of TAM Auth and Policy fixed
2008/09 APAR IZ31430 Wrong source and destination IP addresses were being tied to certain events during the event parsing process
2008/09/23 APAR IZ28593 Added support for Starent ST40 restart message: extract port information for destination
2008/09 Internal: Added initial support for SELinux AVC messages via Syslog
2008/08/20 Internal: Added support for the specific Cisco ASA/PIX source & destination IP format
2008/08/20 Internal: Added logic to the Syslog Conduit function to satisfy a source or destination IP address of 0.0.0.0 from a sensor's Sensor Identifier list, if an IP address is defined
2008/08/28 Internal: Corrected order of elements for hostname translation in iPlanet parsing logic
2008/09/04 Internal: Added version to Tumbleweed Email Firewall sensor name to reflect the version supported
2008/09/09 Internal: Added support for the source IP format of Cisco FWSM
2008/09/19 Internal: Added Java-based logic for parsing Sourcefire 3D Sensor data
------------------------------------------------------------------------
2008/10/09 APAR IZ33876 Checked in correction to SiteProtector.java to ensure SNMP events from this source are parsed
2008/10/23 APAR IZ34593 Updated Air Defense 7 support for Perl and created a Java-based rule to support two known event formats from Air Defense 7
2008/10/30 APAR IZ34593 Corrected Syslog rules to identify and parse Dragon 7 Syslog events
2008/10/30 APAR IZ33876 SiteProtector.java file updated, as it had caused problems with the SNMP conduit
2008/10/31 APAR IZ317008 Adjusted ns_syslog.rules to determine Intrushield Syslog messages for auto-configuration and parsing
2008/10/21 Internal: Added Java-based rule support for SELinux AVC messages
2008/10/22 Internal: Added Sybari Antigen version 8 Perl-based support
2008/10/24 Internal: Cisco PIX ICMP message support augmented to ensure the protocol is ICMP and source/destination ports are 0
2008/10/27 Internal: Added Sybari Antigen version 9 Perl-based support
2008/10/30 Internal: Added association of Cisco IPS to the SDEE Conduit
2008/10/30 Internal: Added initial Perl-based support for Cisco Local Director 4.2.1 syslog messages
------------------------------------------------------------------------
2008/12/08 APAR IZ39418 Corrected potential null pointer exception in SELinuxAVC.java
2008/12/03 APAR IZ39417 Added regex to parse BlueCoat events, as they were flagged as Generic Syslog
2008/11/17 Internal: Added checks to ensure logdCodes are not null in the Syslog Conduit
2008/11/17 Internal: Added sensor time extraction from the OID->value pair of ISS Site Protector where a trap may contain this information
2008/11/18 Internal: Added support for RFC via the Syslog Conduit for both Java and Perl
2008/11/25 Internal: Added support for the %PIX identifier in previously unknown formats
2008/12/03 Internal: Added support in CiscoPix.java to recognize and extract time formats from within messages, specifically the format MMM DD YYYY HH:MM:SS (for example, Dec 03 2008 06:00:00)
2008/12/04 Internal: Associated sensor Trend Micro ScanMail with the CONTENT FILTER class
2008/12/04 Internal: Removed Windows Event Log UCM rules, as they are no longer used
2008/12/04 Internal: Removed custom parse logic for SourceFire (Perl)
2008/12/16 Internal: Added WebSphere 7 Activity Log support via the UCM
2008/12/18 Internal: Added DB2 Audit Log support via the UCM
2008/12/18 Internal: Removed Firewall-1 Log Grabber code from the Perl rule base
------------------------------------------------------------------------
2009/01/07 Internal: Augmented DB2 Audit support to handle the db2audit delimited format (single-line events)
2009/01/26 Internal: Added extra check for Netscreen messages
2009/01/30 Internal: Fixed checkKey method in SELinuxAVC.java parser
2009/02/20 APAR IZ43341 Updated device rules to support the standard IIS log file format. Also added the flexibility to configure the event source in line with the IIS log configuration in case a custom logging setup is used.
2009/02/20 APAR IZ44116 Extended support for CiscoIOS12.X to recognize source and destination IP from logs in the format X.X.X.X -> Y.Y.Y.Y
2009/03/06 APAR IZ42756, IZ45438 Rewrote WindowsLogParser.java
2009/03/11 APAR IZ45452 Extended support for Bluecoat Proxy SG to recognize the ELFF log format
2009/03/17 Internal: Added Oracle 10g support via the UCM conduit
2009/03/17 Internal: Added Sophos Enterprise Console 3 support via the SNMP conduit
2009/03/26 APAR IZ48165 Corrected parsing of Adiscon events to properly handle usernames containing '@' and '$' signs
2009/03/27 APAR IZ45733 Corrected detection and parsing of Snort events: events were parsed as unix/generic syslog events, event types and src/dst IP addresses were parsed incorrectly, and maint events were parsed as unknown
2009/03/27 Internal: Corrected potential null pointer exception in RFC.java
2009/04/02 APAR IZ46175 Updated parsing of Cisco ASA logs to correctly extract source/destination IPs/ports, username and usercontext
2009/04/02 APAR IZ43754 Improved detection and parsing of AIX syslog messages that were sometimes detected as Generic Syslog events
------------------------------------------------------------------------
2009/05/11 APAR IZ47046 Improvement in parsing SSHd logs containing quotes around the source IP address
2009/05/15 APAR IZ51063 Fixed detection of Netscreen firewall events (which were sometimes detected as Generic Syslog). Improved parsing of src/dst IP addresses. Improved severity classification for better threat calculation. Changed the event type naming scheme: from now on all Netscreen events carry the upper-case original Netscreen log name, e.g. SYSTEM-WARNING-00520. The most interesting events (most of the emergency/alert/critical and a few error/warning/info events) have an additional short descriptive name appended to the end, for example SYSTEM-ALERT-00011-ICMP-FLOOD.
2009/05/15 APAR IZ47665 Added support for Juniper JUNOS Router messages
2009/05/20 APAR IZ47059 Fixed detection of Dragon IDS 7.x events
2009/05/25 APAR IZ51658 Improvement in detecting Linux services: snmpd, iptables, sshd, httpd, pdns, checklogin
------------------------------------------------------------------------
ADVISORY: If any custom device rules have been written, always back them up. The dev_support.sh script will not overwrite them, but in the event of a rollback (dev_support.sh -r), these files could be archived into the $TSOM_HOME/maint/ directory.

Additionally, for any new device rules that are written, it is advised that a sensor_type_id value (for the CMS sensor_type table) of 10000 or greater is used. This prevents issues at the CMS database level when applying an IBM TSOM Device Package: our supported devices have a sensor_type_id less than this integer, which the database uses as a key for associative purposes. An example is as follows:

insert into sensor_type (sensor_type_id, name, sensor_class_id_fk) values (6,'Cisco IOS 12.x',12);

If a custom rule is written and supporting SQL is used to populate the CMS database with a sensor_type_id of 355, there is a potential for a foreign key constraint error when an IBM TSOM Device Package is applied, since our development may produce a package with support for a device whose sensor_type_id is 355.
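As an added example (not part of the IBM TSOM package or its dev_support.sh tooling), the following Python script models the advisory's sensor_type table in an in-memory SQLite database: a custom rule registered with sensor_type_id 355 blocks a later package that ships the same id, while one registered at 10001 applies cleanly, and custom_ids_in_reserved_range is the pre-flight check to run over custom rule SQL before a package is applied. The three columns are the ones the advisory quotes; the custom rows and the later-package row are constructed values.

```python
"""Added example, not part of the IBM TSOM package. Models the CMS sensor_type table
named in the advisory (columns as quoted there) in SQLite to show why custom device
rules should use sensor_type_id values of 10000 or greater. All rows except the
'Cisco IOS 12.x' row quoted in the advisory are constructed sample values."""
import sqlite3

RESERVED_BELOW = 10000  # IBM-supported devices use sensor_type_id values below this

def new_cms():
    """Create the sensor_type table seeded with the row quoted in the advisory."""
    db = sqlite3.connect(":memory:")
    db.execute("create table sensor_type (sensor_type_id integer primary key,"
               " name text not null, sensor_class_id_fk integer not null)")
    db.execute("insert into sensor_type (sensor_type_id, name, sensor_class_id_fk)"
               " values (6, 'Cisco IOS 12.x', 12)")
    db.commit()
    return db

def apply_rows(db, rows):
    """Insert (sensor_type_id, name, sensor_class_id_fk) rows as one transaction.
    On a constraint violation nothing is applied and the colliding ids are returned."""
    try:
        with db:  # commits on success, rolls back on exception
            db.executemany("insert into sensor_type values (?, ?, ?)", rows)
        return []
    except sqlite3.IntegrityError:
        existing = {r[0] for r in db.execute("select sensor_type_id from sensor_type")}
        return sorted(i for i, _, _ in rows if i in existing)

def custom_ids_in_reserved_range(rows):
    """Pre-flight check for custom rule SQL: ids that sit inside the IBM range."""
    return sorted(i for i, _, _ in rows if i < RESERVED_BELOW)

# Constructed sample data: the same custom rule registered two ways, plus a later package
CUSTOM_BAD = [(355, 'Custom appliance (id inside IBM range)', 12)]
CUSTOM_GOOD = [(10001, 'Custom appliance', 12)]
LATER_PACKAGE = [(355, 'Vendor device shipped by a later package', 12)]

def demo():
    """Return (collisions with the bad custom id, collisions with the good custom id)."""
    bad_db = new_cms()
    apply_rows(bad_db, CUSTOM_BAD)
    bad = apply_rows(bad_db, LATER_PACKAGE)    # package insert is rejected: [355]
    good_db = new_cms()
    apply_rows(good_db, CUSTOM_GOOD)
    good = apply_rows(good_db, LATER_PACKAGE)  # package applies cleanly: []
    return bad, good

if __name__ == "__main__":
    print(custom_ids_in_reserved_range(CUSTOM_BAD), demo())
```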