
What SIEMs are compatible with Sourcefire?

Purpose
This article describes how eStreamer communicates with clients and
lists the SIEMs known to function with eStreamer.
Details
Sourcefire Event Streamer (eStreamer) acts as a conduit for event data from the Sourcefire
Defense Center or 3D Sensor to your client application. All communication with eStreamer is
initiated by the client and occurs over a TCP SSL connection on port 8302. There are four
major stages of communication that occur between a client and the eStreamer service on the
eStreamer server:
1. The client establishes a connection with the eStreamer server and the connection
is authenticated by both parties.
2. The client sends a data request to the eStreamer service on the eStreamer
server.
3. The eStreamer service on the eStreamer server transfers event data to the client.
4. The connection is terminated.
Before a client can request data from eStreamer, the client must initiate an SSL-enabled TCP
connection with the eStreamer service on the eStreamer server. When the client initiates the
connection, the eStreamer server responds, initiating an SSL handshake with the client. As
part of the SSL handshake, the eStreamer server requests the client's authentication
certificate, and verifies that the certificate is valid (signed by the Internal Certificate
Authority [Internal CA] on the eStreamer server). After the SSL session is established, the
eStreamer server performs an additional post-connection verification of the certificate. This
includes verifying that the client connection originates from the host specified in the
certificate and that the subject name of the certificate contains the appropriate value.
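The post-connection verification described above, as an added example that is not Sourcefire's code: it assumes the client host is carried as a subjectAltName (IP Address or DNS) or in the CN, and that the "appropriate value" is an organizationName in the subject; the sample certificate dict is constructed in the shape Python's ssl getpeercert() returns.

```python
"""Post-connection certificate checks like those the article describes for eStreamer.

Added example, not Sourcefire's code. Assumed: the client host is carried as a
subjectAltName (IP Address or DNS) or in the CN, and the "appropriate value" is
an organizationName; the sample certificate dict below is constructed.
"""
import ipaddress
import socket

def subject_values(cert, key):
    """All values for `key` in the nested subject tuples of ssl getpeercert()."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == key]

def cert_hosts(cert):
    """Hosts the client is allowed to connect from: SAN entries plus the CN."""
    hosts = {v for (kind, v) in cert.get("subjectAltName", ())
             if kind in ("IP Address", "DNS")}
    hosts.update(subject_values(cert, "commonName"))
    return hosts

def host_matches(hosts, peer_ip, resolve=socket.gethostbyname):
    """True if the peer IP equals one of the hosts, resolving DNS names."""
    for host in hosts:
        try:
            if ipaddress.ip_address(host) == ipaddress.ip_address(peer_ip):
                return True
        except ValueError:  # not an IP literal, treat it as a DNS name
            try:
                if resolve(host) == peer_ip:
                    return True
            except OSError:
                continue
    return False

def post_connection_check(cert, peer_ip, required_org, resolve=socket.gethostbyname):
    """The two checks applied after the SSL handshake: origin host, then subject."""
    if not host_matches(cert_hosts(cert), peer_ip, resolve):
        return False, "peer address does not match the host in the certificate"
    if required_org not in subject_values(cert, "organizationName"):
        return False, "subject name lacks the required value"
    return True, "ok"

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("organizationName", "eStreamer Clients"),),
                (("commonName", "siem01.example.test"),)),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
```

The handshake-stage requirement (a client certificate signed by the Internal CA) is what `ssl.CERT_REQUIRED` plus `load_verify_locations` enforces; these functions cover only the checks that follow it.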
Any program that creates valid data requests to the eStreamer service can be used as an
eStreamer client. Sourcefire provides a reference client with the eStreamer SDK. This client
is a set of sample client scripts and Perl modules which illustrate how the eStreamer API can
be used. You can run them to familiarize yourself with eStreamer output, or you can use
them to debug problems with installations of your custom-built client.
There are a number of pre-built SIEMs that work well with eStreamer. These systems have
been shown to be compatible:
- Q1 Labs' QRadar SIEM platform leverages Sourcefire's eStreamer API to gain access to all types of Sourcefire event data, including Impact Flag and other rich content. Q1 uses this data for correlation and compliance management.

- Trustwave's SIEM platform (formerly the Intellitactics SIEM solution) uses the Sourcefire eStreamer API to import content-rich event data. The Trustwave SIEM provides event correlation and event management and helps speed investigations.

- HAWK Network Defense's EyeCon SIEM platform supports Sourcefire Version 5.x. Customers can collect NGIPS as well as NGFW event data for analysis and correlation.

- LogRhythm's SIEM 2.0 has an eStreamer-based event collection capability.

- netForensics' nFX Cinxi One platform uses the Sourcefire eStreamer API to import content-rich event data into its event management and correlation platform. Sourcefire data can then be correlated with a wide range of event data from other security and network applications.

- ArcSight's Enterprise Security Manager (ESM) platform uses Sourcefire's eStreamer API to pull content-rich data into its database for event management and correlation.

- Splunk can connect to an eStreamer server (e.g. Defense Center) and pull intrusion event records and packet records (pcap data) into Splunk. A user can search through eStreamer records based on IP addresses, ports, event ID, etc.
Knowledge KB Article https://na8.salesforce.com/articles/Informational/000001476/p
1 of 2 03/06/2013 12:59 p.m.
- McAfee's NitroView Enterprise Security Manager (ESM) uses eStreamer as one of its methods of collecting log data to ensure a provably-secure chain of custody.
Platform: All
Additional Information:
Attachments:
