Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

McAfee IntruShield

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type McAfee Intrushield
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Configuration

Syslog

FortiSIEM handles custom syslog messages from McAfee Intrushield.

  1. Log in to McAfee Intrushield Manager.
  2. Create a customer syslog format with these fields:
    • AttackName
    • AttackTime
    • AttackSeverity
    • SourceIp
    • SourcePort
    • DestinationIp
    • DestinationPort
    • AlertId
    • AlertType
    • AttackId
    • AttackSignature
    • AttackConfidence
    • AdminDomain
    • SensorName:ASCDCIPS01
    • Interface
    • Category
    • SubCategory
    • Direction
    • ResultStatus
    • DetectionMechanism
    • ApplicationProtocol
    • NetworkProtocol
    • Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.
    AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity::$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,
    DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_ATTACK_ID$,
    AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,
    Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,
    DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$
  4. Set FortiSIEM as the syslog recipient. 

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,
SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:

0x00009300,AttackSignature:N/A,
AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,
ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:

N/A,Relevance:N/A,HostIsolationEndTime:N/A

McAfee IntruShield

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type McAfee Intrushield
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Configuration

Syslog

FortiSIEM handles custom syslog messages from McAfee Intrushield.

  1. Log in to McAfee Intrushield Manager.
  2. Create a customer syslog format with these fields:
    • AttackName
    • AttackTime
    • AttackSeverity
    • SourceIp
    • SourcePort
    • DestinationIp
    • DestinationPort
    • AlertId
    • AlertType
    • AttackId
    • AttackSignature
    • AttackConfidence
    • AdminDomain
    • SensorName:ASCDCIPS01
    • Interface
    • Category
    • SubCategory
    • Direction
    • ResultStatus
    • DetectionMechanism
    • ApplicationProtocol
    • NetworkProtocol
    • Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.
    AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity::$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,
    DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_ATTACK_ID$,
    AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,
    Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,
    DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$
  4. Set FortiSIEM as the syslog recipient. 

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,
SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:

0x00009300,AttackSignature:N/A,
AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,
ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:

N/A,Relevance:N/A,HostIsolationEndTime:N/A