Installing ArcSight Open Source Threat Intelligence Solution Accelerator (TI) for Demonstration Purposes in a POC Environment
- Pavan Raja

- Apr 8, 2025
- 6 min read
Summary:
This document provides instructions for installing the ArcSight Open Source Threat Intelligence Solution Accelerator (TI) on an ArcSight Express Appliance (AE) for demonstration purposes only. The solution is part of HP's offerings and requires obtaining content from the PS Services Team, including Perl scripts and ESM content that provide regularly updated threat information such as malicious domains and IP addresses. Issues or inquiries should be directed to ARST-PSServicesEngineering@hp.com, Luke LeBoeuf, or Morris Hicks.

**Key Points:**
1. **Accessing Resources**: Documentation, a webex recording, and a Syslog Connector setup guide are available for reference.
2. **POC Installation Requirements**: An ArcSight Express Appliance (AE) with internet access. A Syslog Connector listening on UDP port 514 must be configured; the Perl script needs a small modification if the appliance reaches the internet through a proxy server.
3. **Installation Steps**:
   - Arrange agreement from the Account Manager and the PS Services Team.
   - Obtain the latest content from the PS Services Engineering Team.
   - Configure a Syslog Connector to receive the events. Events can also flow into Logger, but Logger has no built-in content or support for them, and the solution cannot be installed on Logger or Connector appliances.
4. **Perl Script Dependencies**: Perl is already present on the AE appliance; the `Sys::Syslog` and `LWP::UserAgent` modules must be installed manually. On Windows, install Active Perl (matching the 32-bit or 64-bit system) and use the Perl Package Manager instead.
5. **Installing Modules Using CPAN**:
   - Open a terminal and run `perl -MCPAN -e shell`.
   - If outbound FTP is blocked, add HTTP mirrors to the URL list: `cpan> o conf urllist push http://ppm.activestate.com/CPAN http://cpan.perl.org`.
   - Install the required modules: `cpan> install Sys::Syslog` and `cpan> install LWP::UserAgent`.
6. **Running the Perl Script**: Execute the script, e.g. `perl.exe ati.pl 5000 .02 155.118.56.66` on Windows or `./ati.pl 5000 .02 A.B.C.D` on the appliance, to load the malicious domains and IPs into ArcSight for analysis and alerting.
7. **Proxy Configuration**: If a proxy server is used, set it on the script's `LWP::UserAgent` object (the page's original snippet, with the proxy call written in LWP's array-reference form):
   ```perl
   use LWP::UserAgent;
   my $ua = LWP::UserAgent->new;
   $ua->timeout(120);
   $ua->proxy(['http', 'ftp'], 'http://proxy.myorg.com:8080');
   ```
**Additional Information:**
- Ensure the correct version of Active Perl is used based on your system type (32-bit or 64-bit).
- For proxy authentication, put the username and password into the proxy URL passed to `$ua->proxy`, e.g. `http://user:password@proxy.myorg.com:8080`; LWP does not prompt for credentials. Because the credentials then sit in the script in clear text, keep the file readable by root only.
This setup should facilitate the installation process and help users set up a POC environment for threat intelligence within an ArcSight deployment.
Details:
This document outlines the process of installing the ArcSight Open Source Threat Intelligence Solution Accelerator (TI) in a Proof of Concept (POC) environment for demonstration purposes only. The solution is provided by PS as part of their offerings and requires obtaining content from the PS Services Team, which includes Perl scripts and ESM content that provides regularly updated threat information such as domains and IP addresses. Issues or inquiries should be directed to ARST-PSServicesEngineering@hp.com, Luke LeBoeuf, or Morris Hicks. The solution accelerator is sold "as-is" with no additional support, emphasizing its purpose for demonstration purposes only.
The provided information outlines a demonstration of an ArcSight solution using the iROCK platform, which includes several resources for understanding and accessing the content. Specifically, it highlights a Proof of Concept (POC) installation process for setting up the solution on an ArcSight Express Appliance (AE). Here's a summary of key points from the document:
1. **Accessing Resources:** The demonstration materials can be accessed through specific URLs provided in the text. These include links to documentation, a webex recording, and a Syslog Connector setup guide.
2. **POC Installation Requirements:**
An ArcSight Express Appliance (AE) with internet access is necessary.
A Syslog Connector listening on UDP port 514 should be configured; the Perl script needs modification if the prospect requires a proxy for accessing the internet.
3. **Installation Steps:** The steps include:
Arranging agreement from the Account Manager and PS to position the solution to the prospect.
Obtaining the latest version of the content from the PS Services Engineering Team.
Noting that while events can flow into Logger, there is no built-in content or support for these events in Logger itself.
Specifying that this solution cannot be installed on Logger or Connector Appliance (ConApp) units, because they lack the base software it needs.
Using WinSCP to transfer a perl script (.pl file) to the AE appliance and configuring it via SSH as root.
4. **Perl Script Dependencies:** The perl script requires Perl, which is already installed on the AE appliance, along with additional Perl modules (`Sys::Syslog` and `LWP::UserAgent`) that must be installed manually. The document describes a preliminary demonstration setup for a Proof of Concept environment and cautions against long-term deployment directly onto these appliances without further development or a support infrastructure.

To install the Perl modules using CPAN on the Linux appliance:

1. Open an SSH session as root and start the Perl shell with CPAN enabled:
   ```bash
   perl -MCPAN -e shell
   ```
2. Inside the CPAN shell, install the required modules:
   ```shell
   cpan> install Sys::Syslog
   cpan> install LWP::UserAgent
   cpan> exit
   ```
3. If outbound FTP is blocked, or you prefer HTTP for downloading from CPAN, add HTTP mirrors to the CPAN URL list before installing:
   ```shell
   cpan> o conf urllist push http://ppm.activestate.com/CPAN http://cpan.perl.org
   cpan> o conf commit
   cpan> install Sys::Syslog
   cpan> install LWP::UserAgent
   cpan> exit
   ```
   These are the plain-http mirrors from the original guide (the ActiveState one may no longer be served); on a current appliance prefer an https:// CPAN mirror so the module downloads cannot be altered in transit.
4. Make the Perl script executable:
   ```bash
   chmod +x ati.pl
   ```
5. Test the script with the appropriate parameters; it prints the domains and IP addresses in the SSH session as it processes them:
   ```bash
   ./ati.pl 5000 .02 A.B.C.D
   ```
   A.B.C.D stands for the IP address given as the third argument (155.118.56.66 in the Windows example below); the page does not describe the parameters further, but with a Syslog Connector on UDP 514 as the receiver it is presumably the syslog destination.
6. If the AE appliance must use a proxy server, add the following line to the script below the timeout setting:
   ```perl
   $ua->proxy(['http', 'ftp'], 'http://proxy.myorg.com:8080');
   ```
7. To run the update daily, edit root's crontab and add an entry:
   ```bash
   # crontab -e
   5 2 * * * /usr/bin/perl /root/APT/ati.pl 5000 .02 A.B.C.D > /tmp/script.out
   ```
   Because the job runs as root, a log file in a root-owned directory (for example next to the script under /root/APT) is safer than a fixed file name in the world-writable /tmp.

Note: this procedure is for the Linux appliance. The Open Source Threat Intelligence Solution Accelerator can also run on Windows, where the required modules are installed differently. The Windows process is to install Active Perl, obtain the Sys-Syslog module through the Perl Package Manager, and configure the SYSLOG receiver on the Connector appliance (or wherever the solution requires it):

1. Download and install Active Perl from the provided link, choosing the correct version for the system (for 32-bit Windows 7 Ultimate, choose Windows (x86)).
2. Run the Perl Package Manager, locate Sys-Syslog in the package list, right-click it and select "Install".
3. If errors about missing modules or versions appear, make sure the Active Perl build matches the operating system (32-bit or 64-bit).
4. Follow the instructions supplied with the ArcSight Threat Intelligence (ATI) Solution Accelerator from HP.
5. Create a SYSLOG receiver on the Connector appliance and configure the SYSLOG connector to point to the Manager.
6. Execute the script to load the list of malicious domains and IPs:
   ```
   perl.exe ati.pl 5000 .02 155.118.56.66
   ```
7. Check the Malicious Domain Details list, including the IPs it contains, to confirm the content loaded.

In the original thread, FTP connection problems during the CPAN install led users such as Victor Tham to switch CPAN to HTTP instead of FTP, which let them fetch the files that had been missing and complete the setup.
To recap the module installation from a root SSH session: start the CPAN shell with `perl -MCPAN -e shell`, add the HTTP mirrors to the URL list if FTP is blocked (`cpan> o conf urllist push http://ppm.activestate.com/CPAN http://cpan.perl.org`), then run `cpan> install Sys::Syslog`, `cpan> install LWP::UserAgent` and `cpan> exit`.

If the appliance reaches the internet through a proxy that requires authentication, the proxy settings go into the script's `LWP::UserAgent` object before any request is made, with the credentials embedded in the proxy URL:
```perl
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->timeout(120);
# One proxy for both schemes the script uses; user:password is sent as Proxy-Authorization.
$ua->proxy(['http', 'ftp'], 'http://user:password@proxy.myorg.com:8080');
```
LWP does not prompt interactively for proxy credentials. If the script fails with a proxy authentication error, check that the proxy string is correctly formatted with the username and password included (percent-encode any reserved characters such as `@` or `:` in the password).
The original thread post is a reply to a question about getting the Perl script to work through a proxy server; the user reports that it worked once the proxy configuration was in place.
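The following Python sketch is an added example, not the accelerator's ati.pl script or any ArcSight code. It re-implements the flow the steps above describe (fetch a feed, validate each indicator, emit each one as a syslog record carrying a CEF event over UDP 514 to a Syslog Connector, with a record limit and an inter-message delay) so each stage can be inspected offline. The sample feed is constructed; the CEF vendor/product/signature fields, the `TI_PROXY` variable name, the `ti-demo` hostname, and the reading of `5000 .02` as a record limit and a per-message delay in seconds are assumptions, not documented behaviour of ati.pl.

```python
import ipaddress
import os
import re
import socket
import time
import urllib.request
from datetime import datetime

# Constructed sample feed, NOT a real threat source: comments, IPs, domains,
# junk, a duplicate and an RFC1918 address that must never be loaded.
SAMPLE_FEED = """# constructed demo feed
198.51.100.23
203.0.113.7      # trailing comment
bad.example.net
Evil.Example.ORG
not a domain!
10.0.0.1
198.51.100.23
"""
DEMO_TIME = datetime(2025, 4, 8, 2, 5, 0)  # fixed timestamp for reproducible output

# Ranges that would only match internal traffic and flood ESM if pushed as indicators.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def classify(value):
    """Return 'ip', 'domain', or None when the value must not be loaded."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "domain" if _DOMAIN_RE.match(value) else None
    return None if any(ip in net for net in _NON_ROUTABLE) else "ip"

def parse_feed(text):
    """Strip comments, lower-case and dedupe; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        value = raw.split("#", 1)[0].strip().lower()
        if not value or value in seen:
            continue
        seen.add(value)
        kind = classify(value)
        if kind:
            accepted.append((kind, value))
        else:
            rejected.append(value)
    return accepted, rejected

def _cef_escape(text, header=False):
    """CEF escaping: backslash and '|' in header fields, backslash and '=' in
    extensions. CR/LF become spaces so one feed line cannot forge a second record."""
    text = text.replace("\r", " ").replace("\n", " ").replace("\\", "\\\\")
    return text.replace("|", "\\|") if header else text.replace("=", "\\=")

def syslog_record(kind, value, source, when=None):
    """RFC 3164-style line carrying a CEF event for the Syslog SmartConnector.
    PRI 164 = facility local4 (20 * 8) + severity warning (4)."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    key, sig = ("dst", 100) if kind == "ip" else ("dhost", 101)
    ext = f"{key}={_cef_escape(value)} cs1Label=feed cs1={_cef_escape(source)}"
    return (f"<164>{stamp} ti-demo ati: CEF:0|OSINT|ati-demo|1.0|{sig}|"
            f"Malicious {_cef_escape(kind, header=True)}|5|{ext}")

def push_indicators(indicators, receiver, port=514, limit=5000, delay=0.02,
                    source="demo-feed", send=None, when=None):
    """Send at most `limit` records, pausing `delay` seconds between datagrams
    (assumed meaning of ati.pl's '5000 .02'). `send` defaults to UDP but can be
    swapped for e.g. list.append to capture records offline. Returns the count."""
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send = lambda rec: sock.sendto(rec.encode("utf-8"), (receiver, port))
    batch = indicators[:limit]
    for i, (kind, value) in enumerate(batch):
        send(syslog_record(kind, value, source, when))
        if delay and i + 1 < len(batch):
            time.sleep(delay)
    return len(batch)

def fetch_feed(url, timeout=120):
    """Download a feed. Proxy and its credentials come from TI_PROXY (assumed name,
    e.g. http://user:pass@proxy.myorg.com:8080) instead of a literal in the script."""
    handlers = []
    if os.environ.get("TI_PROXY"):
        proxy = os.environ["TI_PROXY"]
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with urllib.request.build_opener(*handlers).open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    good, bad = parse_feed(SAMPLE_FEED)  # offline demo: fetch_feed() is not called
    captured = []                         # stands in for the UDP socket
    sent = push_indicators(good, "A.B.C.D", delay=0, send=captured.append, when=DEMO_TIME)
    print(f"accepted {len(good)}, rejected {bad}, sent {sent}")
    print("\n".join(captured))
```

Two points the Perl steps leave implicit are made visible here: feed lines are validated and normalised before they become events (a private address or a malformed line is rejected rather than loaded, and CR/LF and CEF metacharacters are neutralised so a hostile feed entry cannot inject a second syslog record), and the proxy URL with its credentials is read from the environment instead of being edited into the script body.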
