
SmartConnector™

Configuration Guide for


Trend Micro Control Manager NG DB

May 15, 2012



Copyright © 2003 – 2012 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license
from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S.
Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services
are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions
contained herein.

Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements:
http://www.arcsight.com/copyrightnotice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.

This document is confidential.

Revision History
Date Description
05/15/2012 Added new installation procedure.
02/15/2012 Added driver download information for Connector Appliance.
09/30/2011 Updated JDBC driver download information.
02/15/2011 Updated troubleshooting information.
09/24/2010 Updated mappings for Device Action and Name fields for v3.5 Web Security event mappings.
03/31/2010 Added default database name.
02/11/2010 Added support for OfficeScan Client/Server Edition version 8.4. Added support for FIPS Suite B and CEF File transport.
11/11/2009 Added support for OfficeScan Client/Server Edition version 10 and Spyware events with Trend Micro Control Manager version 5.0.
08/21/2009 Updated JDBC driver information; corrected SQL Server example information; added troubleshooting information.
06/30/2009 Global update to installation procedure. Reference added for JDBC driver Connector Appliance upload information.
03/27/2009 Updated field mappings for Trend Micro Control Manager version 3.5 Web Security log.
Configuration Guide

SmartConnector for Trend Micro Control Manager NG DB

This guide provides information for installing the SmartConnector for Trend Micro Control Manager NG
DB and configuring the device for database event collection. The Trend Micro Control Manager versions
and the products supported include:

Trend Micro Control Manager v5.0:
  OfficeScan Client/Server Edition versions 10.0, 8.0, 8.4
  InterScan Messaging Security Suite version 7.0

Trend Micro Control Manager v3.5:
  OfficeScan Client/Server Edition version 7.3
  InterScan Messaging Security Suite version 5.7
  InterScan Web Security Suite version 2.2

See the section "Device Event Mapping to ArcSight Data Fields" later in this document for the specific
events mapped to fields in the ArcSight database.

Product Overview
Trend Micro Control Manager Database is a software management solution that lets other Trend Micro
products report security events to a central SQL Server database. The SmartConnector for Trend Micro
Control Manager NG DB lets you import Virus Log, Security Log, Web Security Log, and Office Scan
Antivirus Log activity and alarm events (generated and stored in the SQL Server database by Trend
Micro Control Manager) into the ArcSight system.

The following Trend Micro Control Manager products are supported:

OfficeScan Client/Server Edition, which protects enterprise networks from viruses, Trojans, worms,
hackers, and network viruses, plus spyware and mixed threat attacks.

InterScan Messaging Security Suite, which integrates high-performance antivirus and content filtering
security plus the optional Trend Micro Spam Prevention Solution with anti-spam and anti-phishing, all
in a single platform at the Internet messaging gateway.

InterScan Web Security Suite, which provides the first line of defense against multiple Web-based
threats, blocking attacks at the gateway. It guards against viruses, spyware, grayware, and phishing,
and offers optional security modules to combat malicious mobile code and manage employee Internet use.

Confidential 3
SmartConnector for Trend Micro Control Manager NG DB

Configuration
Create an ODBC Data Source for the SQL Server Database
Before installing the SmartConnector, if you will be using an ODBC driver, create a 32-bit ODBC Data
Source for your database instance. An ODBC Data Source is not required when installing the
connector on Connector Appliance or Linux systems.

Create an ODBC Data Source


The ODBC data source must be configured on the machine where the SmartConnector is to be installed,
not on the database server. Ensure that you have the required privileges for your environment to create
data sources on the machine.

1 For 32-bit platforms, from the Windows Start menu, select Control Panel -> Administrative Tools
-> Data Sources (ODBC). The User DSN tab is displayed by default. Click the System DSN tab
(the data source must be added from the System DSN tab). For 64-bit platforms, invoke the
following command to create a 32-bit ODBC data source:
C:\windows\sysWOW64\odbcad32.exe.

2 Select the SQL Server driver from the list of System Data Sources; click Add.

3 Select SQL Server from the list of drivers in the Create New Data Source window, then click
Finish.


4 Windows displays a dialog box in which you can specify additional information for the data source
you are creating. Provide a name and description for the new data source and specify the SQL
Server host name where the database server is installed. Remember the data source name as you
will use it when installing the ArcSight SmartConnector. Click Next.

5 Select how SQL Server should verify the authenticity of the login ID. If you select "With SQL
Server authentication using a login ID and password entered by the user," enter the Login ID and
Password for a user with appropriate authority to access SQL Server. Click Next.


6 Check Change the default database to and select the appropriate database from the drop-down
box. This example shows master as the database name; be sure to select your actual database
name. Do not change the other default settings. Click Next, then click Finish.


7 You can test the ODBC data source by clicking on Test Data Source. Click OK after receiving the
TESTS COMPLETED SUCCESSFULLY! message.


8 The data source you just created will now be listed on the System DSN tab of the ODBC Data
Source Administrator window.

Install the SmartConnector


ArcSight recommends you do not install database connectors on the database server or any mission
critical servers as this could cause performance issues.

Before you install any SmartConnectors, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM or ArcSight
Logger). This configuration guide takes you through the installation process with ArcSight Manager
(encrypted) as the destination.


For complete product information, read the Administrator's Guide as well as the Installation and
Configuration guide for your ArcSight product before installing a new SmartConnector. If you are
adding a connector to the Connector Appliance, see the ArcSight Connector Appliance Administrator's
Guide for instructions, and start the installation procedure at step 3.

Before installing the SmartConnector, be sure the following are available:

- Local access to the machine where the SmartConnector is to be installed

- Administrator passwords

Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on all
ArcSight supported platforms; for the complete list, see the SmartConnector Product and Platform
Support document, available from the HP SSO and Protect 724 sites.

1 Download the SmartConnector executable for your operating system from the HP SSO site.

2 Start the SmartConnector Installer by running the executable.

Follow the installation wizard through the following folder selection tasks and installation of the core
connector software:

Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...

3 When the installation of SmartConnector core component software is finished, the following window
is displayed.


Click Cancel to leave the configuration wizard at this point.

If you are using an ODBC driver, skip to step 4. If you are using a JDBC driver, required for
Connector Appliance and Linux systems, continue with step A.

A For information about and to download the MS SQL Server JDBC Driver, see:

http://msdn.microsoft.com/en-us/sqlserver/aa937724

Different versions of the JDBC driver are required for different SQL Server database versions; be sure to
use the correct driver for your database version. The name of the jar file may be different for some
JDBC driver versions.

B Install the driver.

C For software connectors, copy the jar file appropriate for your SQL Server version from the
installation folder for the SQL Server JDBC driver to
$ARCSIGHT_HOME/current/user/agent/lib, where $ARCSIGHT_HOME refers to the
SmartConnector installation folder, such as c:\ArcSight\SmartConnectors. Copy only
the jar file associated with the version of the driver to be installed to this location. For
Connector Appliance users, see "Add a JDBC Driver to the Connector Appliance" later in this
guide.

D From $ARCSIGHT_HOME/current/bin, double-click runagentsetup to return to the
SmartConnector Configuration Wizard.

4 Select Trend Micro Control Manager NG DB and click Next.

5 Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.

Parameter Description
Jdbcdriver If you are using an ODBC driver, select the 'sun.jdbc.odbc.JdbcOdbcDriver' driver. For
JDBC drivers, select the 'com.microsoft.sqlserver.jdbc.SQLServerDriver' driver.
Url If you are using an ODBC driver, enter 'jdbc:odbc:<ODBC Data Source Name>', where
<ODBC Data Source Name> is the name of the ODBC data source you just created. For
JDBC drivers, enter 'jdbc:sqlserver://<MS SQL Server Host Name or IP
Address>:1433;DatabaseName=<MS SQL Server Database Name>', substituting actual
values for <MS SQL Server Host Name or IP Address> and <MS SQL Server Database
Name>. The default Trend Micro database name is 'db_ControlManager'.
User Enter the login name of the database user with database privilege.
Password Enter the password for the authorized database user.
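The driver class and the Url form have to agree, and the wizard only reports a mismatch once the connector tries to connect. The Python check below is an added example, not ArcSight code: it validates a parameter set against the rules in this table. The Params class, the non_windows flag and the integratedSecurity property check (a Microsoft JDBC driver connection property that this guide does not cover) are assumptions.

```python
"""Consistency check for the Jdbcdriver / Url / User / Password parameters.

Added example, not part of the ArcSight guide. It accepts the two URL forms the
parameter table gives ('jdbc:odbc:<DSN>' and
'jdbc:sqlserver://<host>:1433;DatabaseName=<db>') and reports the mistakes
the wizard itself does not catch. The Params field names are assumptions.
"""
import re
from dataclasses import dataclass

ODBC_DRIVER = "sun.jdbc.odbc.JdbcOdbcDriver"
JDBC_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
DEFAULT_DB = "db_ControlManager"  # default Trend Micro database name, per the guide

# host, optional :port, then any number of ;key=value properties
SQLSERVER_URL = re.compile(r"jdbc:sqlserver://([^:;/]+)(?::(\d+))?((?:;[^;=]+=[^;]*)*);?")


@dataclass
class Params:
    jdbcdriver: str
    url: str
    user: str
    password: str


def parse_sqlserver_url(url):
    """Return (host, port, properties) for a jdbc:sqlserver:// URL, or None if malformed."""
    m = SQLSERVER_URL.fullmatch(url)
    if not m:
        return None
    host, port, prop_text = m.groups()
    properties = {}
    for item in prop_text.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            properties[key] = value
    return host, int(port) if port else 1433, properties


def check_params(p, non_windows=False):
    """Return the list of problems found; an empty list means the parameters are consistent."""
    problems = []
    if p.url.startswith("jdbc:odbc:"):
        if p.jdbcdriver != ODBC_DRIVER:
            problems.append(f"an ODBC URL needs driver {ODBC_DRIVER}, not {p.jdbcdriver}")
        if not p.url[len("jdbc:odbc:"):].strip():
            problems.append("no ODBC data source name follows 'jdbc:odbc:'")
        if non_windows:
            problems.append("ODBC data sources are not used on Linux or Connector Appliance; use the JDBC driver")
    elif p.url.startswith("jdbc:sqlserver:"):
        if p.jdbcdriver != JDBC_DRIVER:
            problems.append(f"a jdbc:sqlserver URL needs driver {JDBC_DRIVER}, not {p.jdbcdriver}")
        parsed = parse_sqlserver_url(p.url)
        if parsed is None:
            problems.append("malformed URL; expected jdbc:sqlserver://<host>:1433;DatabaseName=<db>")
        else:
            host, port, props = parsed
            if not 1 <= port <= 65535:
                problems.append(f"port {port} is out of range")
            if not props.get("DatabaseName"):
                problems.append(f"DatabaseName is missing; the Trend Micro default is {DEFAULT_DB}")
            # integratedSecurity is a Microsoft JDBC driver property (assumption: not in this guide);
            # the Troubleshooting section notes that integrated auth does not work off Windows.
            if non_windows and props.get("integratedSecurity", "").lower() == "true":
                problems.append("integrated authentication is not supported on non-Windows hosts; "
                                "use SQL Server Authentication")
    else:
        problems.append("Url must start with 'jdbc:odbc:' or 'jdbc:sqlserver://'")
    if not p.user or not p.password:
        problems.append("User and Password are required for SQL Server Authentication")
    return problems
```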

6 Make sure ArcSight Manager (encrypted) is selected and click Next. For information about the
other destinations listed, see the ArcSight SmartConnector User's Guide as well as the
Administrator's Guide for your ArcSight product.

7 Enter the Manager Host Name, Manager Port, and a valid ArcSight User Name and Password.
This is the same user name and password you created during the ArcSight Manager installation.
Click Next.


8 Enter a name for the SmartConnector and provide other information identifying the connector's use
in your environment. Click Next; the connector starts the registration process.

9 The certificate import window for the ESM Manager is displayed. Select Import the certificate to
the connector from destination and click Next. If you select Do not import the certificate to
connector from destination, the connector installation will end.


The certificate is imported and the Add connector Summary window is displayed.

10 Review the Add connector Summary and click Next. If the summary is incorrect, click Previous
to make changes.

11 The wizard now prompts you to choose whether you want to run the SmartConnector as a stand-alone
process or as a service. If you choose to run the connector as a stand-alone process, skip
step 12. If you choose to run the connector as a service, the wizard prompts you to define service
parameters.


12 Enter the service parameters and click Next. The Install Service Summary window is displayed.

13 Click Next.


To complete the installation, choose Exit and click Next. To enable FIPS-compliant mode, choose
Continue, click Next, and continue with "Enable FIPS Mode."

Enable FIPS Mode


14 After choosing Continue and clicking Next after connector installation, choose Enable FIPS Mode
and click Next.

The following window is displayed when FIPS mode is enabled.


15 Click Next. To complete installation of FIPS support, click Exit. To enable FIPS Suite B mode,
click Continue.

16 On the window displayed, select Modify Connector.

17 Select the destination for which you want to enable FIPS Suite B mode and click Next.


18 Select Modify destination parameters and click Next.

19 When the parameter window is displayed, select FIPS with Suite B 128 bits or FIPS with Suite B
192 bits for the FIPS Cipher Suites parameter. Click Next.


20 The following window shows the editing changes to be made. Confirm and click Next to continue.
(To adjust changes before confirming, click Previous.)

21 The next window summarizes the configuration changes made. Click Next to continue.


22 Click Exit to exit the configuration wizard.

For some SmartConnectors, a system restart is required before the configuration settings you made
take effect. If a System Restart window is displayed, read the information and initiate the system
restart operation.

Save any work on your computer or desktop and shut down any other running applications (including the
ArcSight Console, if it is running), then shut down the system.

Complete any additional configuration required, then continue with "Run the SmartConnector."

For connector upgrade or uninstall instructions, see the SmartConnector User's Guide.

Add a JDBC Driver to the Connector Appliance


After downloading and extracting the JDBC driver, upload the driver into the repository and apply it to
the appropriate container or containers, as described in this section.

1 From the Connector Appliance, select Setup -> Repositories.

2 Select JDBC Drivers from the left pane and click the JDBC Drivers tab.

3 Click Upload to Repository.

4 From the Repository File Creation Wizard, select Individual Files, then click Next.

5 Retain the default selection and click Next.

6 Click Upload and locate and select the .jar file you downloaded in step 3 of SmartConnector
Installation.


7 Click Submit to add the specified file to the repository and click Next to continue.

8 After adding all files you require, click Next.

9 In the Name field, enter a descriptive name for the zip file (JDBCdriver, for example). Click Next.

10 Click Done to complete the process; the newly added file is displayed in the Name field under Add
Connector JDBC Driver File.

11 To apply the driver file, select the driver .zip file and click the up arrow to invoke the Upload
Container Files wizard. Click Next.

12 Select the container or containers into which the driver is to be uploaded; click Next.

13 Click Done to complete the process.

14 Add the connector through the Connector Appliance interface; see the Connector Appliance Online
Help for detailed information. Descriptions of parameters to be entered during connector
configuration are provided in the "Install the SmartConnector" section of this guide.

Run the SmartConnector


SmartConnectors can be installed and run in standalone mode, on Windows platforms as a Windows
service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On
Windows platforms, SmartConnectors also can be run using shortcuts and optional Start menu entries.

If installed standalone, the SmartConnector must be started manually, and is not automatically active
when a host is re-started. If installed as a service or daemon, the SmartConnector runs automatically
when the host is re-started. For information about connectors running as services or daemons, see the
ArcSight SmartConnector User's Guide.

For connectors installed standalone, to run all installed SmartConnectors on a particular host, open a
command window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors

To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to
stop all SmartConnectors, enter Ctrl+C in the command window.

Device Event Mapping to ArcSight Fields


The following section lists the mappings of ArcSight data fields to the device's specific event definitions.
See ArcSight 101 for more information about the ArcSight data fields.

Control Manager 5.0 OfficeScan Log Mappings


ArcSight ESM Field Device-Specific Field
Base Event Count AggregatedCount
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Destination Host Name extracted from VLF_InfectionDestination
Destination User Name One of (VLF_InfectionDestination, FVL_LoginUser)
Device Action VLF_FirstAction (0 = Unknown, 1 = NA, 2 = Clean, 3 = Delete, 4 = Move, 5 = Rename, 6 = Pass, 7 = Strip, 8 = Drop, 9 = Quarantine, 10 = Replace, 11 = Archive, 12 = Stamp)
Device Custom Date 1 CLF_LogGenerationTime
Device Custom Number 1 VLF_PatternNumber
Device Custom Number 2 VLF_SecondAction
Device Custom String 1 VLF_VirusName
Device Custom String 2 VLF_EngineVersion
Device Custom String 3 CLF_ProductVersion
Device Custom String 4 CLF_ReasonCode
Device Custom String 5 VLF_FirstActionResult
Device Custom String 6 VLF_SecondActionResult
Device Event Category CLF_MsgLogType
Device Event Class ID VLF_FirstAction
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (0 = Unknown, 1 = Information, 2 = Warning, 3 = Error, 4 = Critical)
Device Vendor 'Trend Micro'
Device Version '5.0'
External ID ID
File Name VLF_FileName
File Path VLF_FilePath
Message VLF_FileNameInCompressedFile
Name VLF_VirusName
Source Host Name extracted from VLF_InfectionSource
Source User Name extracted from VLF_InfectionSource
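To show how the Control Manager 5.0 OfficeScan mapping above behaves on a real row, here is an added Python normalizer (not the connector's own code). The column names and code tables are taken from the table; the sample row is constructed, and the "host\user" layout assumed for VLF_InfectionSource and VLF_InfectionDestination is an assumption, since the guide only says host and user are "extracted from" those columns.

```python
"""Map a Control Manager 5.0 OfficeScan log row to ArcSight ESM fields.

Added example, not the ArcSight connector's own code. Column names and code
tables follow the mapping table above; the sample row is constructed, and the
'host\\user' layout of VLF_InfectionSource / VLF_InfectionDestination is an
assumption.
"""

# VLF_FirstAction codes, as listed for the Device Action field.
FIRST_ACTION = {
    0: "Unknown", 1: "NA", 2: "Clean", 3: "Delete", 4: "Move", 5: "Rename",
    6: "Pass", 7: "Strip", 8: "Drop", 9: "Quarantine", 10: "Replace",
    11: "Archive", 12: "Stamp",
}

# CLF_SeverityCode values, and the connector severity each device severity maps to.
SEVERITY_CODE = {0: "Unknown", 1: "Information", 2: "Warning", 3: "Error", 4: "Critical"}
CONNECTOR_SEVERITY = {"Critical": "Very High", "Error": "Medium", "Warning": "Medium",
                      "Unknown": "Low", "Information": "Low"}

# Fields copied straight from one column (the table's direct mappings).
PASSTHROUGH = {
    "Device Custom Date 1": "CLF_LogGenerationTime", "Device Custom String 1": "VLF_VirusName",
    "Device Custom String 2": "VLF_EngineVersion", "Device Custom String 3": "CLF_ProductVersion",
    "Device Custom String 4": "CLF_ReasonCode", "Device Custom String 5": "VLF_FirstActionResult",
    "Device Custom String 6": "VLF_SecondActionResult", "Device Event Category": "CLF_MsgLogType",
    "Device Host Name": "CLF_ComputerName", "Device Receipt Time": "CLF_LogReceivedTime",
    "External ID": "ID", "File Name": "VLF_FileName", "File Path": "VLF_FilePath",
    "Message": "VLF_FileNameInCompressedFile", "Name": "VLF_VirusName",
}
CONSTANTS = {"Device Product": "Control Manager", "Device Vendor": "Trend Micro", "Device Version": "5.0"}


def to_int(value, default=0):
    """Database columns may arrive as str or int; coerce, falling back to default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def split_host_user(value):
    """Split an assumed 'host\\user' value into (host, user); missing parts become None."""
    if not value:
        return None, None
    host, sep, user = value.partition("\\")
    return host or None, (user or None) if sep else None


def first_non_empty(*values):
    """The table's 'One of (A, B)' rule, read as: the first populated value wins."""
    return next((v for v in values if v not in (None, "")), None)


def map_officescan_row(row):
    """Return the ArcSight field dictionary for one OfficeScan virus log row."""
    action_code = to_int(row.get("VLF_FirstAction"))
    severity = SEVERITY_CODE.get(to_int(row.get("CLF_SeverityCode")), "Unknown")
    src_host, src_user = split_host_user(row.get("VLF_InfectionSource"))
    dst_host, dst_user = split_host_user(row.get("VLF_InfectionDestination"))
    event = {field: row.get(column) for field, column in PASSTHROUGH.items()}
    event.update(CONSTANTS)
    event.update({
        "Base Event Count": to_int(row.get("AggregatedCount"), 1),
        "Connector Severity": CONNECTOR_SEVERITY[severity],
        "Destination Host Name": dst_host,
        "Destination User Name": first_non_empty(dst_user, row.get("FVL_LoginUser")),
        "Device Action": FIRST_ACTION.get(action_code, f"Unknown({action_code})"),
        "Device Custom Number 1": to_int(row.get("VLF_PatternNumber")),
        "Device Custom Number 2": to_int(row.get("VLF_SecondAction")),
        "Device Event Class ID": action_code,  # the raw VLF_FirstAction code
        "Device Severity": severity,
        "Source Host Name": src_host,
        "Source User Name": src_user,
    })
    return event


# Constructed sample row (not real data) in the shape of a Control Manager 5.0 virus log record.
SAMPLE_ROW = {
    "ID": 1001, "AggregatedCount": "2", "CLF_SeverityCode": "4",
    "CLF_ComputerName": "OSCE-SRV01", "CLF_MsgLogType": "Virus",
    "CLF_LogGenerationTime": "2012-05-15 10:00:00", "CLF_LogReceivedTime": "2012-05-15 10:00:05",
    "CLF_ProductVersion": "10.0", "CLF_ReasonCode": "1",
    "VLF_VirusName": "Eicar_test_file", "VLF_EngineVersion": "9.500.1008",
    "VLF_PatternNumber": "9001", "VLF_FirstAction": "9", "VLF_FirstActionResult": "Success",
    "VLF_SecondAction": "0", "VLF_SecondActionResult": "",
    "VLF_FileName": "eicar.com", "VLF_FilePath": "C:\\temp\\", "VLF_FileNameInCompressedFile": "",
    "VLF_InfectionSource": "WS-042\\jdoe", "VLF_InfectionDestination": "OSCE-SRV01\\",
    "FVL_LoginUser": "svc_scan",
}
```

Running `map_officescan_row(SAMPLE_ROW)` yields Device Action "Quarantine", Connector Severity "Very High", and a Destination User Name of "svc_scan" because the destination column carries no user part.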

Control Manager 5.0 Spyware Event Mappings


ArcSight ESM Field Device-Specific Field
Base Event Count AggregatedCount
Connector Severity Very High = Critical; Medium = Error, Warning; Low = Unknown, Information
Destination Host Name ComputerName
Device Custom Date 1 LogGenLocalDatetime
Device Custom Number 1 PatternType
Device Custom String 1 VirusName
Device Custom String 2 EngineVersion
Device Custom String 5 ActionResult
Device Custom String 6 PatternVersion
Device Event Category MsgLogType
Device Event Class ID 'Spyware Detected'
Device Host Name ComputerName
Device Product 'Control Manager'
Device Receipt Time LogReceivedTime
Device Vendor 'Trend Micro'
Device Version '5.0'
External ID ID
File Name FileName
File Path FileName
Name 'Spyware Detected'

Control Manager 5.0 Web Security Event Mappings


ArcSight ESM Field Device-Specific Field
Application Protocol SLF_Protocol
Base Event Count AggregatedCount
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Destination Address SLF_ServerIP
Destination Port SLF_ServerPort
Device Action SLF_BlockingType (0=Unknown, 1=Filename, 2=WebMailSite, 3=WebServer,
4=URLPattern, 5=JavaVBScript, 6=TrueFileType, 7=UserDefine,
36=WebReputation)
Device Custom Date 1 CLF_LogGenerationTime
Device Custom String 1 SLF_PolicyName
Device Custom String 4 CLF_ReasonCode
Device Custom String 5 CLF_ReasonCodeSource
Device Direction SLF_Direction
Device Event Category SLF_BlockingType
Device Event Class ID SLF_BlockingType
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (0=Unknown, 1=Information, 2=Warning, 3=Error, 4=Critical)
Device Vendor 'Trend Micro'
Device Version '5.0'
External ID ID
File Name SLF_FileName
Name One of (SLF_BlockingRule, SLF_BlockingType)
Request URL SLF_ObjectNameURL
Source Address SLF_ClientIP

Control Manager 5.0 Security Log Mappings


ArcSight ESM Field Device-Specific Field
Base Event Count AggregatedCount
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Destination Host Name TrendMicroHostName (SL_Recipient)
Destination User Name TrendMicroUser (SL_Recipient)
Device Action SL_FilterAction (0=Unknown, 1=NA, 2=Deliver, 3=Delete, 4=Quarantine, 5=Postpone, 6=Forward, 7=Replace, 8=Archive, 100=Strip, 101=Pass)
Device Custom Date 1 CLF_LogGenerationTime
Device Custom String 1 SL_PolicyContent
Device Custom String 2 CLF_ProductVersion
Device Custom String 3 SL_FilterType (0=Unknown, 1=ContentFilter, 2=AttachmentFilter, 3=StandardFilter, 4=SizeFilter, 5=DisclaimerMgr, 6=SpamFilter, 7=OPP, 8=ImportFilter, 9=PhishingFilter, 10=UrlReputationFilter)
Device Custom String 4 CLF_ReasonCode
Device Custom String 5 CLF_ReasonCodeSource
Device Custom String 6 SL_MessageAction (0=Unknown, 1=NA, 2=Deliver, 3=Delete, 4=Quarantine, 5=Postpone, 6=Forward, 7=Replace, 8=Archive, 100=Strip, 101=Pass)
Device Event Category CLF_MsgLogType
Device Event Class ID SL_FilterAction
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (0=Unknown, 1=Information, 2=Warning, 3=Error, 4=Critical)
Device Vendor 'Trend Micro'
Device Version '5.0'
External ID ID
File Name FileName
Message One of (SL_ViolationDescription, SL_Subject)
Name SL_PolicyName
Source Host Name extracted from SL_Sender
Source User Name extracted from SL_Sender

Control Manager 3.5 OfficeScan Log Mappings


ArcSight ESM Field Device-Specific Field
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Destination Host Name VLF_InfectionDestination
Destination User Name VLF_InfectionDestination, FVL_LoginUser
Device Action VLF_FirstAction (1 = NA, 2 = Clean, 3 = Delete, 4 = Move, 5 = Rename, 6 = Pass, 7 = Strip, 8 = Drop, 9 = Quarantine)
Device Custom Date 1 CLF_LogGenerationTime
Device Custom Number 1 VLF_PatternNumber
Device Custom String 1 VLF_VirusName
Device Custom String 2 VLF_EngineVersion
Device Custom String 3 CLF_ProductVersion
Device Custom String 4 CLF_ReasonCode
Device Event Category CLF_MsgLogType
Device Event Class ID 'AV' plus VLF_FirstAction
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (1 = Information, 2 = Warning, 3 = Error, 4 = Critical)
Device Vendor 'Trend Micro'
Device Version '3.5'
External ID ID
File Name VLF_FileName
File Path VLF_FilePath
Name VLF_VirusName
Source Host Name VLF_InfectionSource
Source User Name VLF_InfectionSource

Control Manager 3.5 Web Security Log Mappings


ArcSight ESM Field Device-Specific Field
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Device Action SLF_BlockingType (0=Unknown, 1 = Filename, 2 = WebMailSite, 3 = WebServer, 4
= URLPattern, 5 = JavaVBScript, 6 = TrueFileType, 7 = UserDefine,
36=WebReputation)
Device Custom Date 1 CLF_LogGenerationTime
Device Event Category CLF_MsgLogType
Device Event Class ID 'WB:' plus SLF_BlockingType
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (1 = Information, 2 = Warning, 3 = Error, 4 = Critical)
Device Vendor 'Trend Micro'
Device Version '3.5'
External ID ID
File Name SLF_FileName
Name SLF_BlockingType (0=Unknown, 1 = Filename, 2 = WebMailSite, 3 = WebServer, 4
= URLPattern, 5 = JavaVBScript, 6 = TrueFileType, 7 = UserDefine,
36=WebReputation)
Request URL SLF_ObjectNameURL
Source Address SLF_ClientIP

Control Manager 3.5 Security Log Mappings


ArcSight ESM Field Device-Specific Field
Connector Severity Very High = Critical; Medium = Error or Warning; Low = Unknown or Information
Destination Host Name SL_Recipient
Destination User Name SL_Recipient
Device Action SL_FilterAction (0 = Unknown, 1 = NA, 2 = Deliver, 3 = Delete, 4 = Quarantine, 5 = Postpone, 6 = Forward, 100 = Strip, 101 = Pass)
Device Custom Date 1 CLF_LogGenerationTime
Device Custom Number 1 SL_FilterType
Device Custom String 1 SL_PolicyContent
Device Custom String 2 CLF_ProductVersion
Device Custom String 4 CLF_ReasonCode
Device Event Category CLF_MsgLogType
Device Event Class ID 'MS' plus SL_FilterAction
Device Host Name CLF_ComputerName
Device Product 'Control Manager'
Device Receipt Time CLF_LogReceivedTime
Device Severity CLF_SeverityCode (1 = Information, 2 = Warning, 3 = Error, 4 = Critical)
Device Vendor 'Trend Micro'
Device Version '3.5'
External ID ID
File Name SL_FileName
Message SL_ViolationDescription or SL_Subject
Name SL_PolicyName
Source Host Name extracted from SL_Sender
Source User Name extracted from SL_Sender

Web Security Log Blocking Types


0 Unknown 1 Filename 2 WebMailSite
3 WebServer 4 UrlPattern 5 JavaVbScript
6 TrueFiletype 7 UserDefine 8 ServerDefine
9 WebPolicy 11 PhishPhish 12 PhishSpyware
13 PhishVirusAccomplice 14 PhishForgedSignature 15 PhishDiseaseVector
16 PhishMalApplet 17 PhishRepetation 20 PolicyIpTranslate
21 PolicyJavaScan 22 PolicyMmc 31 Pharming
32 UrlBlocking 33 UrlFiltering 34 ClientIpBlocking
35 DestinationPortBlocking 36 WebReputation 41 UnsupportedFileType
42 ExceedFileCountLimit 43 ExceedFileSizeLimit 44 ExceedDecompressLayerLimit
45 ExceedDecompressTimeLimit 46 ExceedCompressionRatioLimit 47 PasswordProtectedFile
48 RestrictedSpywareType 60 StringPattern -1 VirusMalware
-2 SpywareGrayware -3 NetworkVirus -4 Intellitrap
-5 SuspiciousVirusMalware -6 SuspiciousSpywareGrayware -7 Fraud
-8 SuspiciousBehavior

Web Security Log Protocols


0 UNKNOWN 1 SMTP 2 POP3
3 IRC 4 DNS 5 HTTP
6 FTP 7 TFTP 8 SMB
9 MSN 10 AIM 11 YMSG
12 GMAIL 13 YAHOO_MAIL 14 HOTMAIL
15 RDP 16 DHCP 17 TELNET

18 LDAP 19 FILE_TRANSFER 20 SSH
21 DAMEWARE 22 VNC 23 CISCO_TELNET
24 KERBEROS 25 DCE_RPC 26 SQL
27 PCANYWHERE 28 ICMP 29 SNMP
30 VIRUS_PATTERN_TCP 31 VIRUS_PATTERN_UDP 32 HTTPS
256 BITTORRENT 257 KAZAA 258 LIMEWARE
259 BEARSHARE 260 BLUBSTER 261 EDONKEY_EMULE
262 EDONKEY2000 263 FILEZILLA 264 GNUCLEUS
265 GNUTELLA 266 WINNYLLA 268 MORPHEUS
269 NAPTER 270 SHAREAZA 271 WINMX
272 MLDONKEY 273 DIRECT_CONNECT 274 SOULSEEK
275 OPENNAP 276 KURO 277 IMESH
278 SKYPE 279 GOOGLE_TALK 10001 IP
10002 ARP 10003 TCP 10004 UDP
10005 IGMP

Security Event Reason Codes


-1 EMPTY 0 UNKNOWN
1 VSAPI_SCAN_ENGINE 2 VSAPI_SCAN_ENGINE_SECOND
3 VSAPI_SCAN_PATTERN 4 VSAPI_SCAN_PATTERN_SECOND
5 MTA 6 SMTP_SERVER
7 HTTP_SERVER 8 FTP_SERVER
9 SCAN_MODULE 10 TVCS_AGENT
11 FIREWALL_MODULE 12 FIREWALL_PATTERN
13 ANTISPAM_FILTER 14 CONTENT_FILTER
15 ATTACHMENT_FILTER 16 DISCLAIMER_FILTER
17 ACTIVEUPDATE 18 HOOK_MODULE
19 NOTIFICATION_MODULE 20 LOG_MODULE
21 POLICY_MODULE 22 VSAPI2_SCAN_ENGINE
23 VSAPI2_SCAN_ENGINE_SECOND 24 VSAPI2_SCAN_PATTERN
25 VSAPI2_SCAN_PATTERN_SECOND 26 CAV_LITE_SCAN_PATTERN
27 CAV_LITE_SCAN_PATTERN_SECOND 28 TSC_SCAN_ENGINE
29 TSC_SCAN_PATTERN 30 PRODUCT_REGISTRY_MODULE
31 DAMAGE_CLEANUP_ENGINE 32 DAMAGE_CLEANUP_TEMPLATE
33 VA_PATTERN 34 VA_ENGINE
35 ASPY_PATTERN 36 ASPY_ENGINE
37 SSAPI_ENGINE 38 SSAPI_PATTERN
39 UFE_ENGINE 40 UFEF_PATTERN
41 UFEP_PATTERN 42 FPGA_ENGINE
43 NCIT_ENGINE 44 VSAPI_PLUS_ENGINE


Troubleshooting
"Why am I receiving the message 'Login failed for user 'sqluser'. The user is not associated with
a trusted SQL Server connection."

The JDBC driver does not support integrated authentication on non-Windows operating systems, and it
provides no way to supply Windows authentication credentials such as a user name and password. In
such cases, the application must use SQL Server Authentication. When installing the connector on a
non-Windows platform, configure Microsoft SQL Server for Mixed Mode Authentication or SQL Server
Authentication.

"How can I keep the connector from becoming clogged with events after being shut down for
a while?"

If the connector is shut down for some time on an active database, a lot of events can accumulate that
can clog the connector on restart. The preservestate parameter can be used to avoid this situation.
This parameter is enabled (true) by default. Setting preservestate to disabled (false) allows the
connector to skip the old events and start from real time.

To set the preservestate parameter:

1 In a DOS command window, from the $ARCSIGHT_HOME\current\bin directory, enter:

arcsight connectorsetup

2 When the following Warning message is displayed, select No.

"SmartConnector setup is being started in Advanced Mode! The supported mode for changing
SmartConnector properties is the Wizard Mode, which can be invoked by running the
'runagentsetup' script. Do you want to start in Wizard Mode instead?"

The Agent Configuration Tool is displayed.

3 Under Agents Configured, select the appropriate database, as shown in the following figure.

4 From the Options menu, select Show Internal Parameters.


5 Locate the preservestate Parameter and change the Value from true to false.

6 Click OK and restart the connector for your changes to take effect.
