LiveUpdates released for Symantec Security Information Manager (SSIM) Collectors - June 2011

Article:TECH163958  |  Created: 2011-07-05  |  Updated: 2011-07-05  |  Article URL
Article Type
Technical Solution


You would like to review which SSIM Collectors LiveUpdate packages were released June 2011. 

Note: You must update your Java LiveUpdate before downloading LiveUpdates for Collectors


June 2011, Symantec has released collector LiveUpdate packages for the following collectors:


  • Symantec Event Collector for Arcsight CEF 4.4 –  updated to address Human Readable date/time parsing issue with rt field.
  • Symantec Event Collector for Check Point(R) FireWall-1 4.3 – updated to address issue with pulling old logs and to support Denial of Service attack and correctly populate user_name when it contains space.
  • Symantec Event Collector for Cisco IOS 4.3 – updated to address issue when collector incorrectly populates Logging Device IP/Name if syslog header contains hostname rather than IP.
  • Symantec Event Collector for Cisco IPS 4.4 – updated to now be able to map Action and RiskRatingValue.
  • Symantec Event Collector for DLP 4.4 – updated to address issue with the export script for DLP v11.
  • Symantec Event Collector for Fortinet 4.3 – updated to now support FortiMail devices.
  • Redirector Processor – updated to now be able to map severity to RCF 5424 format.
  • Symantec Event Collector for ISS Siteprotector 4.3 – updated to not truncate Vendor Signature field to 40 symbols.Symantec Event Collector for McAfee EPO v4 4.3 – updated to address issue with incorrect source_ip mapping.
  • Symantec Event Collector for Microsoft Windows DHCP Server 4.3 – updated to address issue found for MS DHCP v2008 R2 where collector incorrectly inverts IP addresses and sometimes logs  “got null from translator” messages in the collector’s log.
  • Symantec Event Collector for nCircle 4.2 – updated to address the following issues:
         1.  Audit Start and End events incorrectly contained xml_host_name field
         2.  Exposure reported as a Vulnerability
         3.  CVE fields were not populated at all or populated incorrectly
         4.  bugtraq id contained ALL found BIDs instead of one
  • Symantec Event Collector for Oracle DB 4.4 – updated to correctly populate fields with TIMESTAMP type.
  • Symantec Event Collector for Palo Alto Networks Firewall 4.4 – added signatures for Syslog Director into Utils folder of the collector. 
  • Symantec Event Collector for IBM Resource Access Control Facility 3.8 – updated to address issue with incorrect translation of ALTER SUCCESS events when user name was incorrectly populated.
  • Symantec Event Collector for Snare for Windows 4.3 – updated to address performance issue and issue with incorrect mapping for Event ID 636.
  • Symantec Event Collector for Snort Syslog 4.3 – updated to address issue that incorrectly populates target_resource with null.null  and Sourcefire RNA Host Timeout events were populated as vulnerabilities.
  • Symantec Event Collector for Security Information Manager Local 4.3 – updated to parse netfs events from messages file.
  • Symantec Event Collector for Symantec CCS Vulnerability Manager v4.4 – updated to address the following issues:
         1.  destination_host_name populated with VULN_NAME or with empty value
         2.  target_resource populated with empty value
         3.  Not populating Host MAC in assets.
  • Symantec Event Collector for Symantec MailSecurity For SMTP v4.3 – updated to address issues with events not populating correctly against Symantec Messaging Gateway 9.5. This includes Virus events, Delivery events, Spam events and Received events. Also added corresponding option3_type for Option 3. 
  • Symantec Universal Framework – updated to version 4.7 to address the following issues:
         1.  Added “Every N minutes” value for In Execution Time property
         2.  Added several new functions in framework:
              i.  Replace/Replace all 
              ii. Operations with date type fields
              iii.  Multiplication and division
         3.  Added support for negative values for INT type
  • Symantec Database Sensor – updated to version 2.22 to add ability to adjust frequency of how often the Db sensor connects when connection fails and also  addresses issue with Oracle Server listener logging 12 connections instead of 3.
  • Symantec Logfile Sensor – updated to version 2.42  to add ability to process gz/tar/zip files, to add property to move or delete processed files, and to address exception with FIPS mode. 
  • Symantec Opsec LEA Sensor – updated to version 2.08 to add ability to provide service_map instead of raw_event for new collector and address issue with pulling old events which were previously processed.
  • Symantec Windows Event Log Sensor – updated to version 3.15 to address a sensor issue that gets instead of the Event.
  • Symantec nCircle Sensor – updated to version 2.23 to address the issue with incorrect bugtraq_id.
  • Symantec SDEE Sensor – updated to version 2.03 to add ability to map Action and RiskRatingValue.

These LiveUpdates are recommended for organizations running the aforementioned collectors or sensors within their environment. Apply these LiveUpdates only to the Information Manager appliances or collector installations running the versions of the software as shipped by Symantec.

Please refer to collector manuals on application of LiveUpdates to these products.

Article URL

Terms of use for this information are found in Legal Notices