You are looking for a list of signatures for SSIM Syslog type collectors

Article ID: 157379

Products

Security Information Manager

Issue/Introduction

You are looking for a list of signatures for SSIM Syslog type collectors. 

Resolution

The following collectors:

  • CyberGuard® Firewall/VPN
  • Nortel™ Contivity
  • Tipping Point v4.2
  • Tipping Point v4.3
  • McAfee UTM Firewall

and others do not have signatures that are unique to the third-party product. However, almost all Syslog sensor based collectors can be used in Syslog Director. With some third-party products, the events do not contain a unique word that could be used as a Syslog Director signature. In this case, you can use the IP address or hostname of the device, which is included in the header of every Syslog event, as the Syslog Director signature. For example, if your device IP is 169.254.13.111, every event will have a header similar to: Aug 19 17:16:03 169.254.13.111. Each event therefore contains 169.254.13.111, and you can use that as the signature. For several collectors we suggest using the IP address or hostname of the device as the signature when their events do not have a unique flag.
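As an added illustration, not part of this article or of the SSIM product, the following Python script matches syslog events against a subset of the signature table. It assumes that a signature is a plain, case-sensitive substring of the raw event, and it shows why the IP/hostname fallback matters: a token such as sshd appears in both the ArubaWireless and the UNIX OS signature lists, so an event carrying only that token cannot be routed unambiguously. The sample events are constructed, and the Nortel Contivity entry is a hypothetical collector whose signature is the device address.

```python
import re

# A subset of the article's signature table, constructed here as sample data:
# collector name -> signature substrings taken from the table.
SIGNATURES = {
    "Cisco ASA Event Collector": ["%PIX", "%ASA"],
    "Snort Syslog Event Collector": ["snort:", "snort[", "SFIMS:"],
    "ArubaWireless Event Collector": ["authmgr", "sshd", "cli"],
    "UNIX OS Event Collector": ["sshd", "su", "kernel"],
    # A device whose events carry no product-unique token gets its address
    # as the signature instead (the article's IP/hostname fallback).
    "Nortel Contivity Event Collector": ["169.254.13.111"],
}

# Timestamp and host field of a header such as "Aug 19 17:16:03 169.254.13.111".
HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (\S+)")

def source_host(event):
    """Return the hostname/IP field of the syslog header, or None."""
    m = HEADER.match(event)
    return m.group(1) if m else None

def match_collectors(event, table=SIGNATURES):
    """Return every collector with a signature in the event. This example
    assumes a signature is a plain, case-sensitive substring of the raw event."""
    return [name for name, sigs in table.items() if any(s in event for s in sigs)]

def route(event, table=SIGNATURES):
    """Classify an event as ("ok", collector), ("ambiguous", collectors) or
    ("unmatched", host); the last two call for a host-based signature."""
    hits = match_collectors(event, table)
    if len(hits) == 1:
        return ("ok", hits[0])
    if hits:
        return ("ambiguous", hits)
    return ("unmatched", source_host(event))

# Constructed sample events, not captured from real devices.
SAMPLE_EVENTS = [
    "Aug 19 17:16:03 10.0.0.5 %ASA-6-302013: Built outbound TCP connection",
    "Aug 19 17:16:04 10.0.0.7 sshd[2211]: Accepted publickey for ops",
    "Aug 19 17:16:05 169.254.13.111 Contivity tunnel established",
    "Aug 19 17:16:06 10.0.0.9 cron[100]: job started",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route(ev))
```

The second sample event is reported as ambiguous and the fourth as unmatched; in both cases the host field returned by the header parse is the value the article suggests adding as the signature.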


The following Syslog type collectors cannot be used with Syslog Director even if you add the IP address or hostname as the signature:

  • F5 Big-IP - Do not try to use Syslog Director with this collector; no signatures are needed for it.

The table below contains the signatures for current SSIM collectors. It is meant to be a list of signatures for the current Syslog collectors, but newer Syslog type collectors may have been released since the table was created; check the guide for your SSIM Event Collector for additional information.

Collector Signatures:

| Collector Name | Collector Signature | Default Port |
| --- | --- | --- |
| AirDefense Event Collector | Category=Platform Health, Category=Reconnaissance, Category=Rogue, Category=Vulnerabilities, Category=Infrastructure, Category=Policy Compliance, Category=Exploits, Category=Performance | As assigned |
| IBM AIX Audit Event Collector | ibmaixaudit | 10561 |
| Arbor Peakflow Event Collector, Arbor PeakFlow X Event Collector | Alerting Entity, High Bandwidth, Low Bandwidth, Monitored Bandwidth, Profiled Bandwidth, Collector Down, Collector Up, Unapproved Connection, Unapproved Client, Unapproved Server, Unapproved Host Pair, Unapproved Service, anomaly Protocol, anomaly TCP_Flags, anomaly Bandwidth, anomaly ICMP_Misuse, anomaly TCP_NULL_Misuse, anomaly TCP_SYN_Misuse, anomaly IP_Proto_Misuse, anomaly IP_Fragment_Misuse, anomaly Private_IP_Misuse, anomaly Fingerprint, anomaly TCP_RST_Misuse, anomaly Total_Traffic_Misuse | As assigned |
| ArcSight CEF Event Collector | CEF: | As assigned |
| ArubaWireless Event Collector | authmgr, isakmpd, wms, localdb, sapd, stm, mobileip, fpapps, httpd, aaa, cfgm, webui, sshd, nanny, pim, esi, KERNEL, cli | As assigned |
| Barracuda Web Application Controller Event Collector | WF, TR, NF, SYS, CONN | 10553 |
| Cisco(R) ASA(R) Event Collector (replaced PIX) | %PIX, %ASA | 10557 |
| Cisco IOS Event Collector | %FWSM-, %IPS-, %IDS-, %FW-, %SEC-, %URLF-, %SSH-, %IP-, %LINK-, %HWVPN-, %ALARM-, %AAA | 10517 |
| Cisco® VPN Concentrator Event Collector | SEV= | 10521 |
| ForeScout© CounterACT™ Event Collector | CounterACT[, Scout[ | 10540 |
| Fortinet Event Collector | type=event, type=virus, type=ips, type=traffic, type=im, type=emailfilter, type=webfilter, type=content-log, type=contentlog, type=im, type=app-ctrl | 10526 |
| HP ProCurve Event Collector | snmp:, auth:, usb:, tftp:, update:, mgr:, ssh:, ssl:, chassis:, sFlow:, ports: | 10547 |
| ISC DHCP Event Collector | dhcpd: | 10541 |
| Juniper VPN Event Collector | Juniper | 10522 |
| Radware DefensePro Event Collector | DefensePro, LinkProof, AppDi | 10563 |
| RSA Authentication Manager Event Collector | system.com, audit.admin, audit.runtime | 10566 |
| Sidewinder G2 Event Collector | auditd | 10546 |
| Snare for Windows Event Collector | MSWinEventLog | 10529 |
| Snort(R) Syslog Event Collector | snort:, snort[, SFIMS: | 10524 |
| Stonesoft(R) StoneGate Event Collector | <STONEGATE_LOG>, <ALERT_LOG>, <IPS_LOG> | 10565 |
| Third Brigade Event Collector | dsa_mpld:, dsa_mpf:, DSM: | 10544 |
| UNIX(R) OS Event Collector | dhclient, sshd, su, LOGIN, pam_unix, xinetd, kernel, useradd, adduser, userdel, gdm, rpc.statd, usermod, init:, reboot:, ftpd, last message repeated, shutdown:, audispd:, named, httpd:, login:, Firewall | 10525 |