Video Screencast Help

SSIM Collector Parsing - McAfee ePolicy Orchestrator Collector

Created: 12 Jul 2013

The collector "McAfee ePolicy Orchestrator Event Collector" does not appear to properly parse McAfee events that are HIPS intrusion events coming from a central ePO manager. None of these HIPS-based signatures parse correctly, in my opinion.

The vendor signature field only contains a code ID. Is this because Symantec is unable to provide a table of codes-to-signature meanings like they do for all other product signatures, such as the malware signatures.

For an example, here is a sample raw event, anonymized for your viewing pleasure:

raw_event = AutoID|xxxxxxxxx|EventDateTime|xxxx000|Severity|4|TVDEventID
DETECTED_AND_HANDLED|CVECode|null|ProductName|McAfee Host Intrusion Prevention
|null|SourceProcessName|C:\Program Files\Internet Explorer\iexplore.exe
|SourceURL|file:///C:\Program Files\Internet Explorer\iexplore.exe

18000 is generic and means nothing of value. The valuable vendor signature code here is "3854"

According to McAfee, 3854 = Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability

Now, this is only one example, and the honest truth is that these raw events change from event to event, so I can understand if the response is that it's just not possible with current resources to make this collector robust enough to interpret all of the different HIPS events. But if it is possible, some attention should be paid to improve this collector to account for HIPS events. 

In today's environment, these HIPS events are crucial to correlation and pattern detection. I spend 30% of my day looking at the RAW EVENT for these events, because most of the time, the valuable content is not parsed into any event fields.

So, the bottom line is, why doesn't the collector parse this code as the vendor signature when these types of events are seen, and can it be improved to do so?

Operating Systems: