Live Updates released for Symantec Security Information Manager (SSIM) Collectors - April 2013

Article ID: 157897

Products

Security Information Manager

Issue/Introduction

You would like to review which SSIM Collectors LiveUpdate packages were released April 2013. 

Note: You must update Java LiveUpdate to v3.7.7 or later before downloading Live Updates for collectors.

Note: If you use LiveUpdate Administrator, you must update to LUA 2.3.2 or newer to download Live Updates for SSIM v5.0 and newer collectors.
Resolution

Overview

In April 2013, Symantec released collector LiveUpdate packages for the following collectors and sensors:

a.  Symantec Event Collector 4.4 for ArcSight CEF 


1.  Fixed: ArcSight CEF: logs from FireEye should be supported

2.  Fixed: ArcSight CEF FireEye: vendor_code needs to be populated from the vendor sname field

3.  Fixed: ArcSight CEF FireEye: incorrect event class and symc_device_action

4.  Fixed: ArcSight CEF FireEye: target_resource should be populated from the channel field

5.  Fixed: McAfee_EPO: Source Host Name should not contain "localhost"

6.  Fixed: ArcSight CEF: translator search keyword

7.  Fixed: ArcSight CEF FireEye: 'Malware-object' events have an incorrect symc_device_action

8.  Fixed: Incorrect usage of event_id (eventClass_id was used instead of event_id)

9.  Fixed: ArcSight CEF FireEye: signature name adjustment

10. Fixed: ArcsightCEF_Fireeye: not all date formats are handled, resulting in an invalid event_dt field

11. Fixed: ArcSight: Palo Alto url-blocking event should be translated more precisely

12. Fixed: Most [Service Shutdown] events are translated as Generic Firewall

13. Fixed: Oracle LOGOFF events are translated as symc_system

14. Fixed: Scan Start events are translated as Firewall events

15. Fixed: Scan Stop events are translated as Firewall events

16. Fixed: logging_device_ip is sometimes not populated when logging_device_name contains an IP address

17. Fixed: In some events destination_host_name/ip and source_host_name/ip are populated with localhost/127.0.0.1

18. Fixed: Mismatch between target_type_id and target_resource

19. Fixed: Synchronise data_type_id and target_type_id

20. Fixed: Intrusion events with act=Denied: symc_device_action and outcome_id

21. Fixed: ArcsightCEF_Fireeye: nw_protocol field is not populated for malware-callback events

22. Fixed: Most [service] started events are translated as "Firewall events"

23. Fixed: Teardown event is translated as Connection Accepted

24. Fixed: ArcSightCEF_EPO: mismatch in data_type_id and target_resource fields for some events

25. Fixed: ArcSight ePO: deviceCustomDate1 field is missing in the collector output

26. Fixed: ArcSight CEF: user_name is wrongly populated.

27. Fixed: ArcSight CEF McAfee ePO: has only partial VirusScan event support
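Several of the items above come down to how a CEF line is taken apart: escaped pipes in the header, extension values that contain spaces or an escaped '=', and (item 10) an rt timestamp that arrives in more than one layout and ends up as an invalid event_dt. The Python below is an added example written for this page, not Symantec's collector or ArcSight's code. The sample lines, vendor and product names and the two rt layouts are constructed assumptions, and text timestamps are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines for illustration only; the vendor/product names are
# made up and the two rt= layouts are assumptions, not FireEye or ArcSight output.
SAMPLE_CEF = [
    r"CEF:0|ExampleVendor|ExampleIPS|1.0|100|Malware callback|8|"
    r"rt=1365000000000 src=10.0.0.5 dst=203.0.113.9 proto=TCP act=blocked",
    r"CEF:0|ExampleVendor|ExampleIPS|1.0|101|Drive\|by download|6|"
    r"rt=Apr 03 2013 14:22:01 src=10.0.0.7 msg=path\=C:\\temp act=notified",
]

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")


def split_cef_header(line):
    """Split the seven '|'-delimited header fields, honouring '\\|' escapes.
    Returns (header_fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":                         # unescaped pipe: field boundary
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


# A key is a run of [A-Za-z0-9_] followed by '=', at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef_extension(ext):
    """Parse 'key=value key=value ...'. Values may contain spaces, so each value runs
    up to the next key rather than the next space; '\\=', '\\\\' and '\\|' are unescaped."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[cur.end():end].strip()
        out[cur.group(1)] = re.sub(r"\\(.)", r"\1", raw)
    return out


_RT_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S", "%Y-%m-%d %H:%M:%S")


def parse_rt(value, default_year=2013):
    """CEF 'rt' may be epoch milliseconds or one of several text layouts.
    Returns an aware UTC datetime (UTC is assumed for text layouts) or None."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    for fmt in _RT_FORMATS:
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if "%Y" not in fmt:                     # year-less layout: assume default_year
            dt = dt.replace(year=default_year)
        return dt.replace(tzinfo=timezone.utc)
    return None                                 # unknown layout: leave event_dt unset, not garbage


def parse_cef(line):
    """Header fields by name, extension as a dict, and event_dt derived from rt."""
    fields, ext = split_cef_header(line)
    event = dict(zip(HEADER_NAMES, fields))
    event["extension"] = parse_cef_extension(ext)
    rt = event["extension"].get("rt")
    event["event_dt"] = parse_rt(rt) if rt else None
    return event


if __name__ == "__main__":
    for line in SAMPLE_CEF:
        ev = parse_cef(line)
        print(ev["signature_id"], ev["name"], ev["event_dt"], ev["extension"])
```

An rt value in a layout the parser does not know yields None rather than a wrong date, which is the behaviour a collector wants: a missing event_dt is visible, a silently mis-parsed one is not.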


b.  Symantec Event Collector 4.4 for Cisco ASA 


1.  Fixed: If the year appears in the log line, the logic that extracts the proxy machine at position five breaks.

2.  Fixed: If the raw log line has a chain of syslog headers, the logic mapping proxy machine details to logging device IP, source IP and destination IP fails

3.  Fixed: Proxy machine extraction was not consistent across translator rules: messages 325003 and 110002 use fixed position 5; messages PIX|ASA-6-302020, -6-302021 and -6-302012 use fixed position 5

4.  Fixed: ASA-4-106023 events show the firewall as the source address and no destination address

5.  Fixed: Target operation should be dir disk0:/dap.xml

6.  Fixed: Wrong source and destination IPs

7.  Fixed: Log line mapped to the wrong translator rule

8.  Fixed: For event ID 113005, username and target_resource are populated wrongly

9.  Fixed: URL needs to be captured properly

10. Fixed: data_type_id and destination_ip are wrong

11. Fixed: Incorrect target resource and destination host name population

12. Fixed: data_type_id should be removed.


c.  Symantec Event Collector 4.4 for Cisco IOS 


1.  Fixed: %LINEPROTO-5-UPDOWN: Interface name is wrongly populated

2.  Fixed: IP from the device log is not captured in the collector output.

3.  Fixed: Include "Page access: /badlogin.html" signatures in the "Unauthorized: Authorization Failed" category

4.  Fixed: %LINK-3-UPDOWN: The event ID can be 2102000, "System Information Event"

5.  Fixed: Target resource and destination interface name should be the same

6.  Fixed: The logging device name, present in character form in the device log, is not captured in the collector output.

7.  Fixed: Logging device name takes the month value instead of the IP address

8.  Fixed: nw_protocol is populated with the incorrect value 'UDP port'

9.  Fixed: nw_protocol field is populated with an incorrect value.

10. Fixed: Event date translated with a 12-hour clock rather than a 24-hour clock in the Cisco IOS collector

11. Fixed: Source_IP and Source Host_name show wrong values.

12. Fixed: %LINEPROTO-5-UPDOWN: destination_interface_name should not be populated as target_resource; it can be mapped to destination_ip

13. Fixed: Collection device IP is mapped incorrectly when events are forwarded from a syslog relay
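Items 1 to 4 of the Cisco ASA list and items 7, 10 and 13 of the Cisco IOS list describe one failure mode: picking the forwarding host by token position (position five) breaks as soon as a year appears in the timestamp or a syslog relay prepends a second header, and parsing the time field with a 12-hour clock corrupts event_dt. The Python below is an added example, not the collector's translator rules. The sample lines and host names are constructed, and the rule that the outermost header belongs to the relay (proxy machine) while the innermost belongs to the logging device is an assumption about how such chains are produced.

```python
import re
from datetime import datetime

# Constructed lines, not captured from real devices. 'relay1' is a syslog relay standing in
# for the "proxy machine"; 'fw1' and 'rtr1' are the devices that produced the messages.
SAMPLE_LINES = [
    "<166>Jan 15 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 1 for "
    "outside:203.0.113.9/4444 (203.0.113.9/4444) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "<166>Jan 15 2013 10:00:02 fw1 %ASA-6-302014: Teardown TCP connection 1 for "
    "outside:203.0.113.9/4444 to inside:10.0.0.5/22 duration 0:00:01 bytes 512 TCP FINs",
    "<166>Jan 15 10:00:03 relay1 <166>Jan 15 10:00:03 fw1 %ASA-4-106023: Deny tcp src "
    'outside:198.51.100.7/1234 dst inside:10.0.0.5/445 by access-group "outside_in"',
    "<189>Jan 15 22:15:04 rtr1 2034: *Jan 15 22:15:03.991: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

# One BSD-style syslog header: optional <PRI>, timestamp with optional year, hostname.
_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?:(?P<year>\d{4})\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>[\w.:-]+)\s+"
)
# The Cisco message marker shared by ASA/PIX and IOS: %FACILITY-SEVERITY-MNEMONIC:
_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# 'iface:ip/port' endpoint as written in ASA 302013/302014/106023 messages
_ENDPOINT = re.compile(r"[\w-]+:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
# IOS interface state-change text
_IFACE = re.compile(r"Interface (?P<name>[A-Za-z]+[\w/.:-]*), changed state to (?P<state>\w+)")


def parse_syslog(line, default_year=2013):
    """Strip every chained syslog header instead of taking token #5. The first host is the
    forwarding relay (proxy machine), the last host is the device that produced the message;
    the timestamp comes from the innermost header and a missing year defaults to default_year."""
    hosts, ts, rest = [], None, line
    while True:
        m = _HEADER.match(rest)
        if not m:
            break
        hosts.append(m.group("host"))
        year = int(m.group("year") or default_year)
        ts = datetime.strptime(f"{m.group('mon')} {m.group('day')} {year} {m.group('time')}",
                               "%b %d %Y %H:%M:%S")   # %H: 24-hour clock, so 22:15 stays 22:15
        rest = rest[m.end():]
    if not hosts:
        raise ValueError("no syslog header found")
    msg = _MSG.search(rest)
    if not msg:
        raise ValueError("no %FACILITY-SEVERITY-MNEMONIC message found")
    return {
        "proxy_machine": hosts[0] if len(hosts) > 1 else None,
        "logging_device": hosts[-1],
        "event_dt": ts,
        "facility": msg.group("facility"),
        "severity": int(msg.group("sev")),
        "mnemonic": msg.group("mnemonic"),
        "text": msg.group("text"),
    }


def asa_endpoints(text):
    """Source and destination come from the message body, never from the header host:
    the first 'iface:ip/port' pair is the source, the second the destination."""
    pairs = [(m.group("ip"), int(m.group("port"))) for m in _ENDPOINT.finditer(text)]
    if len(pairs) < 2:
        return None
    return {"source_ip": pairs[0][0], "source_port": pairs[0][1],
            "destination_ip": pairs[1][0], "destination_port": pairs[1][1]}


def ios_interface(text):
    """Interface name and new state from a %LINK/%LINEPROTO UPDOWN message."""
    m = _IFACE.search(text)
    return (m.group("name"), m.group("state")) if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        print(ev["proxy_machine"], ev["logging_device"], ev["event_dt"], ev["facility"],
              ev["mnemonic"], asa_endpoints(ev["text"]) or ios_interface(ev["text"]))
```

Because the header is consumed by grammar rather than by position, the IOS line with its sequence number ("2034:") and internal "*Jan 15 22:15:03.991:" timestamp is handled by the same loop: the inner timestamp is simply part of the remainder that the %FACILITY search skips over.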


d.  Symantec Event Collector 4.4 for Cisco IPS 


1.  Fixed: Cisco IPS not populating logging device correctly (or at all)

2.  Fixed: Event_Class should be symc_host_intrusion instead of symc_system for FTP events.

3.  Fixed: Event_Class should be symc_host_intrusion instead of symc_system for SSH Gobbles events

4.  Fixed: Category ID should be security for all IPS events; event class name should be symc_network_intrusion instead of symc_system

5.  Fixed: Wrong field mapping for TCP FIN Host Sweep events

6.  Fixed: Intrusion target type ID is wrong for TCP Source event

7.  Fixed: Event_Class should be symc_host_intrusion for the NBT NetBIOS Session Service Failed Login event

8.  Fixed: intrusion_target_type_id should be 1037105 (File) instead of 1037123 (Network Protocol) for Unix Password File Access Attempt and Apache Server .ht File Access events

9.  Fixed: Intrusion data is not populated as option21 type

10. Fixed: For Limewire File Request, intrusion target type should be File; for WWW winnt cmd.exe, target type should be URL.

11. Fixed: Populate intrusion_action_id, intent_id, outcome_id and target_type_id for events.

12. Fixed: Event ID should be Network Intrusion Event instead of System Information Event

13. Fixed: intrusion_intent_id should be degradation instead of unknown.

14. Fixed: Packet data not captured in the intrusion_packet field

15. Fixed: Intrusion outcome ID is not populated for TCP NULL Host Sweep and TCP SYN FIN Host Sweep.

16. Fixed: Intrusion fields are not populated correctly.

17. Fixed: Vendor code is wrongly populated

18. Fixed: target_resource should be populated with user_name.

19. Fixed: Many fields are not correctly populated

20. Fixed: Destination details should be mapped from server_address

21. Fixed: Multiple collector fields need to be corrected

22. Fixed: Event class is taken as symc_network_intrusion, but per the log description it should be symc_system

23. Fixed: Vendor code is not populated by the collector for all error logs


e.  Symantec Event Collector 5.0 for Cisco IPWS 


1.  Fixed: x-webroot-spyid is not captured.

2.  Fixed: Timestamp value is not captured.

3.  Fixed: Temporary fields x-mcafee-scanverdict and x-webroot-scanverdict must be removed

4.  Fixed: x-error-code field value is not captured

5.  Fixed: cs-version field value is not populated

6.  Fixed: MSS: mandatory field Network Protocol ID missing

7.  Fixed: MSS: mandatory field data_type_id missing for the symc_data_virus_incident event class.

8.  Fixed: Incorrect symc_device_action populated for some events.

9.  Fixed: Incorrect population of event_id and category ID for some events

10. Fixed: event_detail_id missing for some events

11. Fixed: Destination service name is missing for some events.

12. Fixed: data_type_id missing for some events

13. Fixed: Destination IP not getting populated.

14. Fixed: Incorrect population of symc_device_action

15. Fixed: Incorrect symc_device_action population

16. Fixed: For version 7.5 the vendor code needs to be changed to a proper value instead of TCP_Denied for symc_data_virus_incident events

17. Fixed: Data status is seen for the firewall network class; it should be removed for firewall network and all other classes except data virus incident

18. Fixed: For the same vendor code the event class shows as both symc_firewall_network and symc_fw_conn_stats while symc_device_action is 101 (accept); it should be consistent

19. Fixed: network_protocol_id is not captured in the collector output for some log events of version 7.1.3


f.  Symantec Event Collector Sensor 5.0 for eStreamer 


1.  Fixed: Update sourcefireipv6 to support Sourcefire v5.0+


g.  Symantec Event Collector 4.3 for Forescout CounterACT 


1.  Fixed: The ForeScout CounterACT 4.3 collector has three duplicate filters

2.  Fixed: ForeScout: Null is observed in the compliance found field.

3.  Fixed: ForeScout: logging device name and proxy machine name should not be the same.

4.  Fixed: ForeScout: Message information is missing in the collector output for Host Vulnerabilities events

5.  Fixed: ForeScout: option5 type is missing in some events.

6.  Fixed: ForeScout: DEC field has not been captured for the compliance events.

7.  Fixed: forescoutcounteract: log retention support issues

8.  Fixed: ForeScout: Incomplete information in the option5 field.

9.  Fixed: ForeScout: dvshost and rt information is missing in the collector output for noncompliance events

10. Fixed: ForeScout: same descriptors with different values in option fields

11. Fixed: Add support for CEF format in the ForeScout CounterACT 6.3.4 collector.


h.  Symantec Event Collector 5.0 for Fortinet Services 


1.  Fixed: symc_device_action populated wrongly in Web Filter.

2.  Fixed: nw_protocol can be populated as TCP for HTTP events

3.  Fixed: Target Resource, Event_Desc, Data_sender and Data_recipients should not be populated as ""

4.  Fixed: Destination service name is not populated by the collector; it should be 65535/tcp

5.  Fixed: Logging_device_name is incorrectly populated for all logs

6.  Fixed: For vendor_severity 'Critical' the collector populates the severity as '3-Minor'

7.  Fixed: Attack_name 'tcp_syn_flood' should always be captured

8.  Fixed: Service should be captured as an optional field if deleted by an SES rule.

9.  Fixed: For vendor_severity 'Critical' the collector wrongly populates the severity as '3-Minor'

10. Fixed: destination_host_name wrongly populates the logging_device_name.

11. Fixed: Data Status ID should be Delay (117236) instead of unknown, since Disposition=Delay for type=statistics device logs

12. Fixed: "Proto" value is not populated in the collector output

13. Fixed: Destination service name and intrusion protocol are populated as BLANK if not present in the log file

14. Fixed: The rule for capturing destination_host_name is wrong in the Catch All translator rule

15. Fixed: Logging_device_ip not populated and target resource populated wrongly.

16. Fixed: event_desc is missing.

17. Fixed: Target_resource is missing.

18. Fixed: username is wrongly populated if there is a space in the username, e.g. "good usr".

19. Fixed: source_ip should be populated from loc_ip and destination_ip from rem_ip.

20. Fixed: "Policyid" is missing for all User Authentication logs in the collector output.

21. Fixed: EventclassName for Netscan logs should map to "symc_data_scan" instead of "symc_system"

22. Fixed: Intrusion_protocol populates the wrong value from the "ui" field

23. Fixed: User name is not captured completely in Catch All.

24. Fixed: network_Protocol_Id and Event_desc are wrong, and a few fields are missing, for type=netscan subtype=discovery and type=netscan subtype=vulnerability

25. Fixed: Issues in 43012

26. Fixed: Issues in 43020 (CATCH ALL)

27. Fixed: destination_service_name 'http', destination_port '80' and nw_protocol 'TCP' are not populated by the collector.

28. Fixed: Port number and nw_protocol are not populated

29. Fixed: data_status_id needs to be handled properly

30. Fixed: Destination port, source port and target resource are not populated even if present in the device log

31. Fixed: event_id incorrectly mapped in some cases for WebFilter logs.

32. Fixed: Fortinet Services: for device logs with type=event subtype=auth, a few fields are wrongly populated for log_id=0106043023, 0106043022, 0106043021, 0106043024 and 0106043012
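Items 3, 13, 18 and 27 above are symptoms of tokenising Fortinet key=value logs on whitespace: a quoted value containing a space ("good usr") is cut at the space, and a key with no value is emitted as "" or BLANK instead of being left out. The Python below is an added example, not Symantec's collector code. The sample line and its values (including the logid) are constructed, and the "port/proto" fallback for destination_service_name is an assumption modelled on the 65535/tcp form mentioned in item 4.

```python
import re
from datetime import datetime

# Constructed FortiGate-style line (key=value layout with type=/subtype=/logid=); the values
# and the logid are made up for illustration and are not taken from a real device.
SAMPLE = ('date=2013-04-10 time=09:15:32 logid=0106043012 type=event subtype=auth level=notice '
          'user="good usr" srcip=10.0.0.5 dstip=203.0.113.9 dstport=443 proto=6 service=https '
          'action=login status=success msg="User good usr logged in" policyid=7')

# key=value where the value is either "quoted, may contain spaces and \" escapes" or a bare token
_KV = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))')
_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_kv(line):
    """Tokenise by key=value, not by whitespace, so 'user="good usr"' stays one value.
    Keys with an empty value are left absent rather than emitted as ""."""
    out = {}
    for m in _KV.finditer(line):
        if m.group("quoted") is not None:
            val = re.sub(r'\\(.)', r'\1', m.group("quoted"))   # unescape \" and \\ inside quotes
        else:
            val = m.group("bare")
        if val:
            out[m.group("key")] = val
    return out


def normalize(fields):
    """Map raw fields to collector-style names; a field is emitted only when its source key exists."""
    ev = {}
    for src, dst in (("user", "user_name"), ("srcip", "source_ip"), ("dstip", "destination_ip"),
                     ("logid", "vendor_code"), ("policyid", "policy_id"), ("msg", "event_desc")):
        if src in fields:
            ev[dst] = fields[src]
    if "date" in fields and "time" in fields:
        ev["event_dt"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    if fields.get("dstport", "").isdigit():
        ev["destination_port"] = int(fields["dstport"])
    proto = _PROTO_NAMES.get(int(fields["proto"])) if fields.get("proto", "").isdigit() else None
    if proto:
        ev["nw_protocol"] = proto
    # destination_service_name: service= when present, otherwise "port/proto" (a fallback
    # convention assumed here, in the "65535/tcp" form the fix list mentions)
    if "service" in fields:
        ev["destination_service_name"] = fields["service"]
    elif "destination_port" in ev and proto:
        ev["destination_service_name"] = f"{ev['destination_port']}/{proto.lower()}"
    return ev


if __name__ == "__main__":
    print(normalize(parse_kv(SAMPLE)))
```

The regex does the quoting work: a quoted value is consumed as a unit, so a key=value pair that happens to appear inside a quoted msg= is never picked up as a field of its own.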


i.  Symantec Event Collector 4.3 for MS DHCP 


1.  Fixed: For the 'DNS Update successful' event, intrusion_outcome_id is wrongly populated.

2.  Fixed: Name of the SES-Processor rule [Remove invalid source_mac field from DNS Update Request Failed messages] is incorrect.

3.  Fixed: Name of the SES-Processor rule [source_ip validation] is incorrect; validation should also support IPv6 for the destination IP.

4.  Fixed: MAC address is not captured in Collector Studio v5.0

5.  Fixed: destination_host_name is populated as 'BAD_ADDRESS'

6.  Fixed: VendorClass and UserClass are not populated even when present in the log line.

7.  Fixed: network_protocol_id should be UDP (167103)

8.  Fixed: intrusion_outcome_id needs to be handled properly

9.  Fixed: GUID needs to be handled properly

10. Fixed: user name is populated with an incorrect value

11. Fixed: destination_host_name and destination_ip are not populated for the "Authorization failure, stopped servicing" event.

12. Fixed: target_resource is not getting populated.

13. Fixed: msdhcp: collector populates option7 and option8 with incorrect values, even when the value is empty, for the old log line Unique_Logs_2008.txt for all vendor codes

14. Fixed: msdhcp: Event_Class_Name for vendor code -54 is wrong

15. Fixed: msdhcp: Event ID 1042000 is wrong for symc_host_intrusion; it belongs to Network Intrusion Event (1042000)

16. Fixed: msdhcp: There is no SES-Processor rule for intrusion_intent_id (overall intent of the attempted intrusion activity).

17. Fixed: msdhcp: Event_Class_Name for vendor code -51 is wrong

18. Fixed: msdhcp: option2 and option2_type are populated with incorrect values

19. Fixed: msdhcp: collector doesn't populate ip_type_id for the symc_system class


j.  Symantec Event Collector 4.3 for MS IIS 


1.  Fixed: SES processor rules 'Reassigning severity for result code 403, 501, 502, 503, 504, 505' are duplicated.

2.  Fixed: SES processor rules 'IISCGIShell' are duplicated.

3.  Fixed: SES processor rules 'IISCGIWebcart' are duplicated.

4.  Fixed: SES processor rules 'IISCGIViewsource' are duplicated.

5.  Fixed: SES processor rules 'IISCGIPerl' are duplicated.

6.  Fixed: SES processor rules 'IISCGIguestbook' are duplicated.

7.  Fixed: Spelling of the SES processor rule 'Remove Target Resource if contains '-'' is wrong.

8.  Fixed: SES processor rules 'IISDotDotAttack', 'IISASPSourceDisclosure' and 'IISCGIWebcomguestbook' are duplicated

9.  Fixed: network_protocol_id missing for the symc_firewall_network class

10. Fixed: intrusion_action_id is incorrectly mapped for FTP events with cs-method CWD

11. Fixed: intrusion_intent_id is incorrectly mapped for FTP events with cs-method CWD

12. Fixed: Target resource is incorrectly mapped for FTP events with cs-method CWD

13. Fixed: Target resource is mapped incorrectly for FTP events in MS IIS.

14. Fixed: A few fields are not captured for FTP events.

15. Fixed: intrusion_outcome_id is mapped incorrectly for FTP events

16. Fixed: event_dt is not populated in IIS 5.

17. Fixed: Some fields are not populated for W3C IIS 5 events

18. Fixed: Some fields are not populated for W3C IIS 6 events

19. Fixed: intrusion_target_type_id and target_resource are mapped incorrectly

20. Fixed: event_detail_id is mapped incorrectly

21. Fixed: A few fields are not captured in FTP 7.5 events

22. Fixed: A few fields are not populated for MS IIS Logging events

23. Fixed: A few fields are not populated for NCSA events

24. Fixed: A few events are filtered by the collector for MS IIS 8

25. Fixed: A few fields are not populated for FTP IIS events

26. Fixed: msiis: Intrusion fields are not correctly mapped for the below-mentioned log lines

27. Fixed: msiis: There is no option_type for the info1, info2 and info3 fields to indicate the significance of the value field.

28. Fixed: msiis: User Name should be IEUser instead of [email protected]

29. Fixed: msiis: option16_type should be 'protocol version' instead of 'version'.

30. Fixed: msiis: Vendor code should be http_post instead of POST for HTTP POST events; vendor_code is also missing for some device logs

31. Fixed: msiis: Event_desc and user_name absent for all IIS 6 events

32. Fixed: msiis: For the same IP, source hostname is not resolved (proxy machine name and destination hostname are resolved).

33. Fixed: msiis: For port 443, destination_service_name will be HTTPS.

34. Fixed: msiis: Target resource and various other fields in the translator output are incorrect

35. Fixed: In MS IIS Event Collector v4.3.6, the recommended field event_desc is not populated for some translator rules.


k.  Symantec Event Collector 4.4 for MS NPS 


1.  Fixed: Microsoft Network Policy Server Collector not mapping phone number correctly.


l.  Symantec Event Collector 4.4 for MS SQL Error 


1.  Fixed: Recommended field Source_Port is missing in SQL Server Error Log Event Collector.

2.  Fixed: Do not populate the loopback IP (127.0.0.1) in the Source_IP and Destination_IP fields

3.  Fixed: intrusion_source_user_name is wrong in collector output

4.  Fixed: Source_host_name is not populating correct information.


m.  Symantec Event Collector 5.0 for WS Management 


1.  Fixed: WS Management Collector 5.0 mapping of option 10 for "Client Address"

2.  Fixed: Event ID 65 has incorrect Severity in SSIM

3.  Fixed: Destination IP address does not support IPv6 format.

4.  Fixed: SES Processor rule "option9_type Removal - /option" is incorrectly written.

5.  Fixed: SES Processor rule "logging_device_name Validation" is written twice consecutively.

6.  Fixed: SES Processor rule "proxy_machine Validation" is written twice consecutively.

7.  Fixed: field Logging Device IP is not getting populated.

8.  Fixed: SES Processor rule "option16 Removal - This should not be here" is not getting validated.

9.  Fixed: Source host name is getting populated incorrectly for some events.

10. Fixed: Source_host_name is getting populated incorrectly for some events.

11. Fixed: field Source ip is missing for some events.

12. Fixed: Incorrect revision number and revision date are shown.

13. Fixed: field source_ip missing for some events.

14. Fixed: User name and target resource are populated with the value "-"

15. Fixed: Incorrect user name and target resource for event type Security:4625

16. Fixed: Event description contains truncated text.

17. Fixed: Intrusion outcome ID is populated incorrectly for event ID 4648

18. Fixed: Intrusion action ID is missing for log events that have an intrusion outcome ID in the MS Vista collector

19. Fixed: Destination host name and source host name should reflect the server name of the computer when proxy machine = localhost

20. Fixed: Event desc is truncated for a couple of log lines in 2012 and 2008 for WS Management v5.0

21. Fixed: [Windows 2012] Values in option fields are incorrectly populated

22. Fixed: [Windows 2012] Data in the log is not captured in the collector output.

23. Fixed: [Windows 2012] Data not captured in the collector.


n.  Symantec Event Collector 4.4 for Netscreen 


1.  Fixed: NetScreen: Session ID and action captured in option fields for traffic xlated catch-all events

2.  Fixed: NetScreen: collector is not able to parse the web-filtering config-update events.

3.  Fixed: NetScreen: Mandatory field Data_status_id is not populated for the symc_virus_incident event class

4.  Fixed: NetScreen: collector is not able to parse the SSHv1 and SSHv2 catch-all events.

5.  Fixed: NetScreen: source_port and source hostname are populated incorrectly for some events

6.  Fixed: NetScreen: destination port is populated incorrectly for IKE events

7.  Fixed: NetScreen: event date is not populated for most events.

8.  Fixed: NetScreen: Service catch-all translator rule is not triggered.

9.  Fixed: NetScreen: start time should be captured in option fields for traffic xlated catch-all events

10. Fixed: NetScreen: event_id is mapped incorrectly for system configuration events.

11. Fixed: NetScreen: Destination service name and network protocol should be populated.

12. Fixed: NetScreen: For the VPN IKE packets received event the event ID is populated incorrectly.

13. Fixed: NetScreen: cookies field is not captured for IKE packet events.

14. Fixed: NetScreen: user name field is missing.

15. Fixed: NetScreen: ICMP type and ICMP code fields are not captured for traffic xlated catch-all events.

16. Fixed: NetScreen: ACK ID field missing for AdminAuthFail catch-all 1 events.

17. Fixed: NetScreen: Certificate details are not captured for PKI catch-all events.

18. Fixed: NetScreen: DHCP events are not parsed properly.

19. Fixed: NetScreen: vpn_index is blank for the traffic xlated catch-all (VPN) events.

20. Fixed: NetScreen: Policy ID field should be captured in the rule for the Anti-spam catch-all

21. Fixed: NetScreen: Name of the virus should be captured for antivirus events.

22. Fixed: NetScreen: Source host name is populated incorrectly for the SPAM FOUND catch-all events.

23. Fixed: NetScreen: "Accepted at" and duration should be captured in the option fields.

24. Fixed: NetScreen: ftp and ftp group are not getting populated.

25. Fixed: NetScreen: Category should be captured in the option fields for the web-filtering config-update events.

26. Fixed: NetScreen: IP address is not captured from the log line.

27. Fixed: NetScreen: symc_device_action is populated incorrectly for VPN events.

28. Fixed: NetScreen: symc_device_action is populated incorrectly for PKI events.

29. Fixed: NetScreen: LDAP server log is not parsed properly.

30. Fixed: NetScreen: some login events are going into the catch-all.

31. Fixed: NetScreen: Target resource is populated as 0.0.0.0

32. Fixed: NetScreen: Logs which are not supported should be filtered out.

33. Fixed: NetScreen: user name is populated incorrectly.

34. Fixed: NetScreen: Event description is not populated in some events.

35. Fixed: NetScreen: Target resource is populated incorrectly.


o.  Symantec Event Collector 4.3 for Site Protector 


1.  Fixed: ISS_SITEPROTECTOR: DHCP_Ack: Domain name and client_MAC_address should be populated.

2.  Fixed: ISS_SITEPROTECTOR: AOLIM_Message: source_user field is not required for the given log.

3.  Fixed: ISS_SITEPROTECTOR: Vendor device id not populated for System_Info logs.

4.  Fixed: ISS_SITEPROTECTOR: HTTP_AuthResponse_Possible_CSRF AlertDateTime: symc_device_action 'failed' should be populated for error code '401'

5.  Fixed: ISS_SITEPROTECTOR: Issues in Windows_Access_Error logs.

6.  Fixed: ISS_SITEPROTECTOR: source_user in SIP_Message_Detected does not require tag and epid.

7.  Fixed: ISS_SITEPROTECTOR: Netbios_Session_Rejected: symc_device_action should be populated as 'DENY'

8.  Fixed: ISS_SITEPROTECTOR: Netbios_Session_Granted: symc_device_action can be mapped to 'Accept'

9.  Fixed: SiteProtectorSPL: the target resource field is populated as 'null/' when the url field is '/', because there is no server name to prepend

10. Fixed: ISS_SITEPROTECTOR: For DHCP_Request and DHCP_Discover alerts, the following fields populate wrong values (destination MAC and source IP for DHCP_Discover)

11. Fixed: ISS_SITEPROTECTOR: For AOLIM_Message alert, source_user is populating wrong value.

12. Fixed: In POP_Filename destination user is populated incompletely.

13. Fixed: ISS_SITEPROTECTOR: event_desc is not populated.

14. Fixed: IBM ISS NIPS 4.6 SPL collector


p.  Symantec Event Collector 5.0 for SourceFire IPv6 


1.  Fixed: Collector should populate the ICMPv6 (58) network protocol ID.

2.  Fixed: An option field needs to be added for MessageType

3.  Fixed: target_resource needs to be populated

4.  Fixed: The record type name does not match the product documentation for Sourcefire v5.0+

5.  Fixed: source_ip gets the value 0.0.0.0 if the address is in IPv6 format.

6.  Fixed: mobile_devices and web_app contain the value {}

7.  Fixed: network_protocol_id and nw_protocol need to be populated from the transport_protocol values

8.  Fixed: vendor code and option 56 fields do not reflect the same record type value for File event - Malware

9.  Fixed: Mappings are needed for fields such as vlan_type, vlan_presence, vlan_priority, hops_from_host_to_3d_sensor and primary_or_secondary_network

10. Fixed: Some fields in the Connections file are not parsed properly in the collector output.

11. Fixed: For the user login change event, the login type and reported-by values are not seen in the original log file and the E-mail field is blank after parsing

12. Fixed: Port info needs to map to the respective port

13. Fixed: Event description does not match the disposition value for file events that are not malware

14. Fixed: Discovery log file issues

15. Fixed: version contains a blank value and needs to be removed

16. Fixed: For intrusion events the event class needs to be updated to symc_network_intrusion for "Intrusion" events (record types 7, 104, 207, 208, 400)

17. Fixed: For record type name=New Network Protocol, network_protocol and nw_protocol have the same values

18. Fixed: Transport/network protocol fields with multiple protocol numbers

19. Fixed: Option 5 shows the event.type value; it should be just the value of the event type

20. Fixed: For user events in 5.0, for the record type name "user removed change event", the fields are parsed even though they have no value in the original log line

21. Fixed: ICMP type and code not mapped to the right fields in intrusion logs


q.  Symantec Event Collector Sensor 5.0 for Symantec DLP 


1.  Fixed: Option 6 field is not populated in the SSIM console

2.  Fixed: DLP WSAPI: Sensor is not able to collect network type incidents from DLP 11.5

3.  Fixed: Issue in DLP WSAPI sensor pulling information


r.  Symantec Event Collector 5.0 for Symantec DLP WSAPI 


1.  Fixed: New device request for Symantec DLP WSAPI Event collector to support 11.5

2.  Fixed: DLP WSAPI: Information such as application path, source port and proxy port is not captured in the collector output even though the log line contains it.

3.  Fixed: DLP WSAPI: In collector output scan date field is not in human readable format.

4.  Fixed: DLP WSAPI: Logging device name and source host name populating incorrectly.

5.  Fixed: DLP WSAPI: Data_status_id and event_id is populated incorrectly.

6.  Fixed: DLP WSAPI: Source_ip and Destination_ip are not getting resolved.

7.  Fixed: DLP WSAPI: Vendor Device Id is missing.

8.  Fixed: DLP WSAPI: Vendor codes are very generic.

9.  Fixed: DLP WSAPI: Event_class_name changed for FTP,SMTP,HTTP and NNTP events.

10. Fixed: DLP WSAPI: Event_id field populated incorrectly for IM protocol events.

11. Fixed: DLP WSAPI: Field Application_window_title is not getting captured anywhere in the collector output.

12. Fixed: DLP WSAPI: Proxy machine IP and proxy machine name populated incorrectly for scan events.

13. Fixed: DLP WSAPI: SSIM does not collect log events that are of type DLP - Discover.

14. Fixed: Option 6 field is not populated in the SSIM console

15. Fixed: DLP WSAPI: Sensor is not able to collect network type incidents from DLP 11.5

16. Fixed: Issue in DLP WSAPI sensor pulling information


s.  Symantec Event Collector 5.0 for Symantec SEP 


1.  Fixed: SYMCEP:Destination host name is not correctly mapped by collector

2.  Fixed: SEP V5.0 - Missing "DOMAIN_NAME" Information in the collector output for Agentbehaviour Logtype.

3.  Fixed: SEP 5.0 - Missing "LOG_IDX" Unique ID field in the Collector output and DSX output logs.

4.  Fixed: Server Client logs: add SES processors to account for EVENT_ID values 24 to 26.

5.  Fixed: event_desc should be mapped to "Client downloaded globalindex.dax" when EVENT_ID is 23 for the ServerClientQuery log

6.  Fixed: OS_LANG and LAST_VIRUS_TIME fields should be populated by the collector for the Alerts Query log

7.  Fixed: SEP 5.0: TEST_MODE is not captured by the collector

8.  Fixed: SEP 5.0: Event class name, category ID and event_id need to be updated for the ServerClientQuery log

9.  Fixed: SEP 5.0: Infected and WORSTINFECTION_IDX fields are not populated for the AlertsQuery log

10. Fixed: SEP 5.0: ACTUALACTION_IDX is not properly configured in the SES processor


t.  Symantec Event Collector 5.0 for Symantec Messaging Gateway


1.  Fixed: SMG Collector incorrectly populates proxy and logging device fields

2.  Fixed: SMG Collector not mapping NDR bounce email correctly

3.  Fixed: SMG Collector not mapping "possible spam" correctly


u.  Symantec Event Collector 4.4 for Symantec Web Gateway


1.  Fixed: SMG Collector incorrectly populates proxy and logging device fields

2.  Fixed: SMG Collector not mapping NDR bounce email correctly

3.  Fixed: SMG Collector not mapping "possible spam" correctly


v.  Symantec Event Collector 4.3 for Trend Micro Control Manager


1.  Fixed: Trend Micro Control Manager Event Collector not mapping for VLF_FirstActionResult


w.  Symantec Event Collector 4.4 for Trend Micro Control Manager


1.  Fixed: Missing destination ip

2.  Fixed: Logging device IP is missing in the collector output for host intrusion events of the Trend Micro Control Manager collector

3.  Fixed: TMCM: Option14_type populated without the value

4.  Fixed: Trend Micro Control Manager Event Collector not mapping for VLF_FirstActionResult

5.  Fixed: Trend Micro Control Manager Event Collector not mapping Source Host Name

6.  Fixed: Incorrect translation for some important fields in TMCM

7.  Fixed: Add a check for data_name = null

8.  Fixed: incorrect translation for data_name and data_part_name

9.  Fixed: Populate option1 for Common Virus Wall (CVW) events

10. Fixed: Ensure "Vendor_device_id" field is populated

11. Fixed: TMCM: missing data_type_id for some file infection events

12. Fixed: Create Filter for non-Office Scan Events