Skip to Content
Information
Space banner This space provides the same content as before, but the organization of the home page has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

Invoking TCP SIEM data refinement

There are two types of refinement criteria: global and local. To specify global refinement criteria, add DD REFNTCP to the step running VTCSSRCH in the started task job associated with the Session Monitor PARMLIB parameter SWITCH_REPOSITORY_TASK. The DSN specified can be either a sequential dataset or a PDS member. The DCB information for the global refinement criteria dataset is DCB=(RECFM=FB,LRECL=80,BLKSIZE=0). The following is an example of a DD card added to the SWITCH_REPOSITORY_TASK task:

//REFNTCP DD DSN=MY.REFINE.CRITERIA(CRITTCP),DISP=SHR

To specify local refinement criteria, create member REFINE in:

<registry-dataset>.#0000000

for a SIEM archive record request and enter refinement parameters (where <registry-dataset> is the name of the registry dataset associated with the SIEM archive request). Only one type of refinement criteria may be used, and local refinement criteria take precedence over global refinement criteria.

ALTER command

image2022-11-18_15-47-27.png

The ALTER command allows for the alteration, augmentation, and/or skipping of data to be sent to the SIEM tool. Multiple ALTER commands are supported. This means that more than one ALTER command can refine a specific TCP message being sent to the SIEM tool.

The SUPPRESS statement allows for the reduction of data being sent to the SIEM tool. Either the entire message or just the TCP message content can be suppressed. Reducing data being sent to the SIEM tool can save storage space and associated costs. There may be TCP messages that are of no interest, and they can be easily eliminated. However, be careful with reducing data sent to the SIEM tool to ensure that any data that may be of value to an auditor is retained.

The TAG statement allows for augmenting the data being sent to the SIEM tool. Augmentation allows identifying specific positions within the TCP message content with a meaningful tag name that can be used by a SIEM tool. In conjunction with the SUPPRESS(CONTENT) parameter, data related to the TCP message content sent to the SIEM tool can be limited to just the relevant information. Be careful of creating too many tags without suppressing the content data because this will increase the amount of storage needed by the SIEM tool.

The MASK statement allows for the obfuscation of data being sent to the SIEM tool. Obfuscating data can help with privacy concerns by only showing partial values of a field. Be careful about completely obfuscating an entire field or obfuscating too much of a field because it may reduce the value of the data being sent to the SIEM tool. For example, if account numbers are completely obfuscated, finding when an account has been compromised may be almost impossible.

When specifying multiple statements, the effect of the refinement occurs in the order in which the parameters are specified.

Statements

WHEN (Required)

Specifies the criteria to determine the TCP messages on which the ALTER command will perform data refinement. The WHEN statement must be specified once on an ALTER command with at least one of the valid clauses, and multiple clauses must be separated by a comma. All WHEN statement clauses on an ALTER command must be true for data refinement statements to take effect. The WHEN statement must occur before all other statements.

The WHEN statement has the following clauses:

ALWAYS

All TCP messages are to be refined with the data refinements specified. Any subsequent clauses to the WHEN statement will be ignored.

CONTENT

Specifies that a position on the TCP message content is to be compared for a specified length. The format of a CONTENT clause is as follows:

CONTENT(positionlengthoperator, "compare-value", type)

The following parameters are specified on the CONTENT clause:

  • position – The location of the data being compared. An asterisk (*) indicates all positions.
  • length – The length of the data being compared. An asterisk (*) indicates the length is the same as the length of the compare-value.
  • operator – One of the following operators may be specified:
    • EQ – Perform a character equal comparison between the compare-value and the specified message content position.
    • NE – Perform a character not equal comparison between the compare-value and the specified message content position.
    • CO – Check whether the compare-value appears within the specified message content area.
    • NC – Check whether the compare-value does not appear within the specified message content area.
  • compare-value – The value being compared to the specified message content position. A null value cannot be specified. This can be specified as either a character string or a hexadecimal string.
  • type – The type of data the compare-value represents. The compare-value will always be specified in EBCDIC, but this will indicate that it needs to be converted.
    • E – EBCDIC (default). The compare will be done as is.
    • U – UTF-8. The compare-value will be converted from the EBCDIC codepage specified on the CODEPAGE parameter in the PARMLIB member for Session Monitor to
      UTF-8 before doing the comparison.
  • X – Hexadecimal. The comparison will be done based on hexadecimal values to allow for comparison of binary data.
Error
Warning

Due to the unpredictable nature of how data packets are sent/received by TCP, captured packets may not be complete or may contain more data than just a single message. For example, an application might send 32K in a single TCP write, but TCP may separate the message into more than one packet. Alternatively, if an application does two distinct TCP writes, TCP may send both messages in a single packet. This can make data refinement when using the WHEN statement on CONTENT (particularly large content) more challenging because data may not necessarily be in the expected location. A better approach is to use the CONTENT operator CO (contains) and length "*" to avoid relying on an exact position. This will increase the chances of successful data refinement. Use of a SIEM exit for TCP data may prove to be a better option.

CLIENTADDR

Specifies that the client IP address associated with the TCP message is to be compared. The format of the CLIENTADDR clause is as follows:

CLIENTADDR(operator, "compare-value")

The following parameters are specified on the CLIENTADDR clause:

  • operator – One of the following operators may be specified:
    • EQ – Perform a character equal comparison between the compare-value and the client IP address associated with the TCP message. The compare-value may be wildcarded.
    • NE – Perform a character not equal comparison between the compare-value and the client IP address associated with the TCP message. The compare-value may be wildcarded.
    • CO – Check whether the compare-value appears within the client IP address associated with the TCP message. The compare-value may not be wildcarded.
    • NC – Check whether the compare-value does not appear within the client IP address associated with the TCP message. The compare-value may not be wildcarded.
  • compare-value – The value being compared to the client IP address associated with the TCP message.
CLIENTPORT

Specifies that the client port associated with the TCP message is to be compared. The format of the CLIENTPORT clause is as follows:

CLIENTPORT(operator, "compare-value")

The following parameters are specified on the CLIENTPORT clause:

  • operator – One of the following operators may be specified:
    • EQ – Perform a character equal comparison between the compare-value and the client port associated with the TCP message. The compare-value may be wildcarded.
    • NE – Perform a character not equal comparison between the compare-value and the client port associated with the TCP message. The compare-value may be wildcarded.
    • CO – Check whether the compare-value appears within the client port associated with the TCP message. The compare-value may not be wildcarded.
    • NC – Check whether the compare-value does not appear within the client port associated with the client port message. The compare-value may not be wildcarded.
  • compare-value – The value being compared to the client port associated with the TCP message.
SERVERADDR

Specifies that the server IP address associated with the TCP message is to be compared. The format of the SERVERADDR clause is as follows:

SERVERADDR(operator, "compare-value")

The following parameters are specified on the SERVERADDR clause:

  • operator – One of the following operators may be specified:
    • EQ – Perform a character equal comparison between the compare-value and the server IP address associated with the TCP message. The compare-value may be wildcarded.
    • NE – Perform a character not equal comparison between the compare-value and the server IP address associated with the TCP message. The compare-value may be wildcarded.
    • CO – Check whether the compare-value appears within the server IP address associated with the TCP message. The compare-value may not be wildcarded.
    • NC – Check whether the compare-value does not appear within the server IP address associated with the TCP message. The compare-value may not be wildcarded.
  • compare-value – The value being compared to the server IP address associated with the TCP message.

MASK

Specifies positions in the message that will be obfuscated. This parameter is optional and may be specified many times on the ALTER command. The format of the MASK statement is as follows:

MASK(positionlength, "replace-value")

The following parameters are specified on the MASK statement:

  • position – The position in the data being masked.
  • length – The length of the data being masked.
  • replace-value – The value which will mask the field specified. This value will be truncated if its length is less than the length of the replace-value and will be repeated if its length is greater than the length of the replace-value. If the replace-value is the null string (that is, ""), the data will be masked with binary zeros.

TAG

Creates tags with data extracted from the screen. This parameter is optional and may be specified many times on the ALTER command. The format of the TAG statement is as follows:

TAG(positionlength, "tag-name", type)

The following parameters are specified on the TAG statement:

  • position – The position i the field being extracted.
  • length – The length of the field name being extracted.
  • tag-name – The name associated with data being extracted. The tag-name must be a unique valid XML tag name.
  • type – Indicates how the source data is to be considered when being tagged.
    • E – EBCDIC (default). No translation of the data is done.
    • U – UTF-8. The tag value will be converted from UTF-8 to the EBCDIC codepage specified on the CODEPAGE parameter in the PARMLIB member for Session Monitor.
    • X – Hexadecimal. The tag value will be converted to Hexadecimal.

SUPPRESS

Indicates whether to suppress the entire message or just the TCP message content. This parameter can only be specified once per ALTER command. The format of the SUPPRESS statement is as follows:

SUPPRESS(action)

The following parameter is specified on the SUPPRESS statement:

  • action – One of the following actions may be specified:
    • MESSAGE – Indicates the entire message (TCP content and all other data associated with the TCP message) will not be sent to the SIEM tool. No other parameters should be specified because an EXIT statement is implied.

    • CONTENT – Indicates the TCP message content will not be part of the data sent to the SIEM tool, but data associated with the TCP message will be sent to the SIEM tool.

      Warning

      Important

      If SUPPRESS is not specified, the entire TCP message along with the associated data will be included in the data sent to the SIEM tool.

EXIT

Indicates whether subsequent ALTER commands are to be executed.

ALTER Command

A nested ALTER command can be specified to refine the data even further. This would serve to perform data refinement on a subset of the encompassing ALTER command.

BREAK

Terminates activity in the current ALTER, for inner alters.

Examples

  1. The following example specifies criteria to limit the data being sent to the SIEM tool to only send data being sent to port 80 (HTTP).

    Information
    Example
    ALTER
    (
    WHEN (SERVERPORT(EQ,"80"))
    EXIT
    )
    ALTER
    (
    WHEN (ALWAYS)
    SUPPRESS(MESSAGE)
    )

  2. The following example specifies criteria to create a tag called TRANSACTION_ID from activity from server IP address 1.2.3.4 port 422 with the first six bytes of the message being X'AABBCCDDEEFF' which uses the next four bytes to identify the transaction ID which is expressed in ASCII/UTF-8 in the content. It will also obfuscate bytes 11 through 30.

    Information
    Example
    ALTER
    (
    WHEN (CONTENT(1,6,EQ,"AABBCCDDEEFF",X)
    SERVERADDR(EQ, "1.2.3.4"),
    SERVERPORT(EQ, "422"))
    TAG(7, 4, "TRANSACTION_ID", "U")
    MASK(11, 20, "*")
    )
    1. In this example, content sent from IPV6 address ::ffff:3.4.5.6 should not be sent to the SIEM tool.
    ALTER
    (
    WHEN (CLIENTADDR(EQ,"::ffff:3.4.5.6"))
    SUPPRESS(CONTENT)
    )

Splunk considerations

When creating tags, add the new tags to the FIELDALIAS-tcp property for hiperstation_tcp in the /etc/system/default/props.conf in the Splunk directory. For each tag, add:

tcpmessage.<tag_name> as <tag_name>

to the end of the FIELDALIAS-tcp property. This will allow referencing by the tag name in Splunk, rather than having to specify the fully-qualified name.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Security Session Monitor 17.02