Sunday, August 17, 2014

Trustwave LP appliances behind the scenes

As mentioned in a previous post, Trustwave has five models of LP appliances, LP1 through LP5. Each appliance contains all three tiers of the system:


  • The user interface is a Java + Flash + PHP website. It does not look bad at all and is quite intuitive. It mainly provides event search, dashboard creation, report building and system configuration.
  • The business logic is implemented by J2EE applications running on Tomcat.
  • The back-end database runs on MySQL.

The appliances run syslog-ng to receive the log messages and save each one to a specific "Inbox" directory, chosen by the filter defined for each data source ("Device"). A couple of Java processes, namely "DA", "DL" and "DLA", parse the logs using regular expressions, load them into the database and archive them, respectively. Another process, "RG", checks the logs against the notification criteria configured by the user.

Another way of forwarding the logs, added in the latest updates, is FTP or SCP. The appliances run a Pure-FTPd server where each user name is linked to an "Inbox" directory. Note that FTP sends both the credentials and the log content in the clear, so SCP is the safer choice where the sending system supports it. In addition, the appliances support several proprietary collection protocols for different vendors, such as Check Point LEA and Cisco SDEE.

The raw logs can be forwarded, or "upstreamed", to other Trustwave appliances or to other syslog servers. The parsed logs can be forwarded only to Trustwave products. Forwarding is the main function of the log aggregator (LA) family of products.

All notification filters are evaluated every 30 minutes, with the exception of the silent device alert, which runs every 10 minutes and fires for data sources that have stopped sending logs for some reason. Notifications can be sent via SMTP or as SNMP traps.
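To make the processing chain concrete, here is an added example in Python. It is not Trustwave's code and was not taken from the appliance: it routes a handful of constructed syslog lines into per-device "Inbox" buckets the way the syslog-ng filters do, parses them with a per-device regular expression as the "DA" stage would, evaluates one assumed notification filter (repeated failed passwords) as "RG" would, and runs the silent device check with the 10-minute gap mentioned above. The device names, host filters, regexes, thresholds, the sample log lines and the clock value NOW are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines: the hosts, users and addresses are made up.
SAMPLE_LOGS = [
    "2014-08-17T10:00:05 fw01 sshd[2101]: Failed password for root from 10.1.1.9 port 5011 ssh2",
    "2014-08-17T10:00:07 fw01 sshd[2101]: Failed password for root from 10.1.1.9 port 5012 ssh2",
    "2014-08-17T10:00:09 fw01 sshd[2101]: Failed password for root from 10.1.1.9 port 5013 ssh2",
    "2014-08-17T10:01:00 fw01 sshd[2104]: Accepted password for ops from 10.1.1.5 port 5020 ssh2",
    '2014-08-17T09:52:00 web01 apache: 10.9.9.9 - - "GET /admin HTTP/1.1" 403 221',
    "2014-08-17T10:02:00 unknownhost kernel: eth0: link up",  # no Device filter matches this host
]
NOW = datetime(2014, 8, 17, 10, 3, 0)  # assumed time at which the checks run

# Assumed Device definitions: the host filter decides which Inbox a line lands in,
# the parser regex is what the "DA" stage would apply to lines in that Inbox.
DEVICES = {
    "fw01-ssh": {
        "host": re.compile(r"^fw01$"),
        "parser": re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
    },
    "web01-apache": {
        "host": re.compile(r"^web01$"),
        "parser": re.compile(r'apache: (?P<src>\S+) - - "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'),
    },
}
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def route(lines):
    """Stage 1 (syslog-ng filters): put each line into the Inbox of the first device
    whose host filter matches; lines matching no device are returned separately."""
    inbox, unmatched = defaultdict(list), []
    for line in lines:
        m = SYSLOG_RE.match(line)
        device = next((d for d, cfg in DEVICES.items() if m and cfg["host"].match(m.group("host"))), None)
        if device is None:
            unmatched.append(line)
        else:
            inbox[device].append(line)
    return dict(inbox), unmatched


def parse(inbox):
    """Stage 2 ("DA"): apply the device's regex. Lines the regex does not match are kept
    as unparsed events, because the silent device check only needs to know the device
    is still talking."""
    events = []
    for device, lines in inbox.items():
        for line in lines:
            m = SYSLOG_RE.match(line)
            ev = {"device": device, "ts": datetime.fromisoformat(m.group("ts")), "parsed": False}
            f = DEVICES[device]["parser"].search(m.group("rest"))
            if f:
                ev.update(f.groupdict())
                ev["parsed"] = True
            events.append(ev)
    return events


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Stage 3 ("RG"): an assumed notification filter, threshold or more failed passwords
    for the same user from the same source within the window (sliding window over
    sorted timestamps, one alert per user/source pair)."""
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("outcome") == "Failed":
            per_key[(ev["user"], ev["src"])].append(ev["ts"])
    alerts = []
    for (user, src), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "src": src, "count": end - start + 1, "first": times[start]})
                break
    return alerts


def silent_devices(events, now, max_gap=timedelta(minutes=10)):
    """Silent device check: report every configured device whose newest event is older
    than max_gap, or that has never sent anything at all."""
    last_seen = {}
    for ev in events:
        last_seen[ev["device"]] = max(last_seen.get(ev["device"], ev["ts"]), ev["ts"])
    return sorted(d for d in DEVICES if d not in last_seen or now - last_seen[d] > max_gap)


def run_pipeline(lines, now):
    """Run all stages over a batch of raw lines and return the intermediate results."""
    inbox, unmatched = route(lines)
    events = parse(inbox)
    return {
        "inbox_counts": {d: len(v) for d, v in inbox.items()},
        "unmatched": unmatched,
        "events": events,
        "alerts": failed_login_alerts(events),
        "silent": silent_devices(events, now),
    }


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS, NOW)
    print(result["inbox_counts"], len(result["unmatched"]), "line(s) matched no Device")
    print("alerts:", result["alerts"])
    print("silent devices:", result["silent"])
```

Running the file prints the Inbox counts, one alert for the three failed root logins from 10.1.1.9, and web01-apache as silent, since its last line is eleven minutes older than NOW. Two things worth watching in a real deployment follow from the structure: a device whose lines stop matching the parser regex still counts as alive for the silent device check, so parsing failures need their own monitoring, and a host that matches no Device filter never reaches any check at all, so the unmatched lines are the first place to look when a new source appears.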

Report schedules are quite flexible. They can be configured to run daily, weekly or on a specific date, over logs from a specific period. The reports can be emailed or saved locally, and they can be exported as .PDF, .CSV, .XLS and other formats.

A very useful, yet overpriced, feature is high availability, where two appliances form a shared-nothing cluster. It is built on top of the Pacemaker resource manager available on Linux, and the storage is replicated by DRBD (Distributed Replicated Block Device). The HA setup replicates the database containing the logs as well as the raw and parsed log files. A virtual IP address is one of the cluster resources; it is owned by the active node, so that node processes the traffic sent to the cluster address.


Tuesday, August 5, 2014

Introduction to Trustwave SIEM solutions - Part 1

I was fortunate enough to use different Trustwave SIEM products in my current job. Even though I had never heard of Trustwave, my first impression was: wow, this is such a polished user interface. Digging into the product's capabilities answered my question of why this is not the market leader.

The SIEM products were originally Intellitactics SAFE, later acquired by Trustwave in order to enter the SIEM market. There are currently three flavours of the SIEM products. First, the SIEM LA appliances, which are log aggregators with no processing capabilities whatsoever; rather, they forward, or upstream, the logs to other products with processing capabilities.

The second line is SIEM XL, or LP1 to LP5, which are log processor appliances providing event parsing, dashboards, basic reports and alerts (notifications). The third member of the family is SIEM OE, which is software with advanced customization and correlation capabilities. The latest product is SIEM Enterprise, an appliance with the advanced features of SIEM OE. For full hardware specifications of the appliances, you may refer to http://www.ireo.com/fileadmin/img/Fabricantes_y_productos/trustwave/siem/Trustwave-SIEM-Hardware_Specs.pdf

There are more than 200 log sources, or devices, supported by Trustwave, and you can review the full list on this page: https://www3.trustwave.com/siem-supported-devices. With support for this wide range of products, there is only a slim chance that you have an application or infrastructure solution that isn't supported. In addition, if you purchase support, you may request parser development for other data sources such as home-grown applications.

If you are serious about SIEM deployment, you will need SIEM OE or SIEM Enterprise and a SOC team to investigate the alerts raised by either. I'll walk you through the features and limitations of Trustwave as a SIEM vendor in the next posts, stay tuned.

Saturday, November 5, 2011

Impressive NTP results

Last week, I received a complaint from one of the application support teams that the system time was not in sync with the stock exchange clock. It's known that domain members sync their time with domain controllers, but I found there was an offset of around 0.8! Does it mean that there was something wrong with the time client running on this server?

Friday, October 28, 2011

Use Exmerge to export mailboxes to .PST

Last week we had to migrate almost 200 mailboxes from one domain to another. Since there was no trust between the two domains, we handled the export and import operations separately. The source Exchange server was 2003 and the destination server was Exchange 2007. Exmerge was the intuitive option for exporting the mailboxes to PST files, but it has two limitations:

Friday, July 29, 2011

Modifying mailbox properties

I needed to modify the properties of a mailbox on Exchange 2003, in order to do something like disabling the mailbox. To do this with VBScript, I wrote the following code:

Sunday, June 26, 2011

Ping in VBA

If you want to verify that a set of machines are reachable on the network, you can run the following code. This assumes there is nothing preventing the machines from responding, such as a firewall or similar. The code loops over all the machines listed in an Excel sheet, where the machine names are written in column A.

Monday, April 18, 2011

Dynamic approval in SM7

In a previous project, dynamic approval was required such that different users had to approve a change depending on the system ID. SM7 does not provide such a facility. You can customize the approver list depending on the change type, which may not meet the customer's requirements.