Showing posts from April, 2012

Arcsight Syslog Connector Test - Scapy

This Python script uses Scapy to generate a UDP syslog frame in Common Event Format (CEF), simulating the output of a McAfee IPS after it detects a Java heap buffer overflow attack.

```python
#! /usr/bin/env python
# Note: this must be run as superuser (root). Scapy hands packets
# directly to the network card driver, an operation that users with
# ordinary access are not permitted to perform.
from scapy.all import *

a = IP(dst="192.168.1.2")   # destination: the Arcsight CEF syslog connector
u = UDP(dport=514)          # standard syslog port
# Simulated McAfee Network Security Manager event in CEF
pay = "Aug 1 10:00:00 McAfee CEF:0|McAfee|Network Security Manager|Simulated|44800015|HTTP: Java heap buffer overflow detected|8|dvc=192.186.1.170"
packet = a/u/pay            # stack the layers: IP / UDP / raw syslog payload
packet.display()            # show the assembled packet before sending
send(packet)                # send at layer 3
```

The UDP packet is sent to the Arcsight CEF syslog connector at 192.168.1.2 for onward transmission to the Arcsight ESM. The Wireshark capture is as follows: