Has anybody had to add a custom event source where the application does not have the utility to add the rapid7 cert, which would mean the cert needs to be trusted on the OS level(feel free to correct me if I am wrong). I was looking for any info, insight or stories on exactly how the certificate was brought into the server as trusted.
In this case the server is Windows server 2019.
I found the steps below on the Microsoft site. Has anyone completed this procedure successfully?
Event Source is McAfee DAM which is managed by Rimimi Street and they call it an ADM Server. I tried to set the event source up to send over UDP 10xxx port but data did not populate so I suspect it needs to be send over TCP
MS steps -Adding certificate snap-ins
- Launch MMC (mmc.exe).
- Choose File > Add/Remove Snap-ins.
- Choose Certificates, then choose Add.
- Choose My user account.
- Choose Add again and this time select Computer Account.
- Move the new certificate from the Certificates-Current User > Trusted Root Certification Authorities into Certificates (Local Computer) > Trusted Root Certification Authorities.
@tracey_jackson
You can potentially do this by adding the cert to the security cert store in the java directory of the collector
https://r7support.force.com/s/article/How-to-import-a-certificate-to-a-Collector
On Windows the path is C:\Program Files\Rapid7\collector\jre\lib\security\cacerts
Depending on the handshake method between the source application and the collector, your mileage may vary.
Some customers have been successful in getting this to work with certain appliances.
David
Hello Again. I meant importing the Rapid 7 cert into the McAfee server which is the event source being set up to send to a collector ie the R7 IDR platform. (the one downloadable when setting up the event source if encrypting event source in R7 IDR platform) . I hope that is clearer. I know Rapid 7 supports other McAfee products . they all refer to encryption. Oddly the documentation for the DAM server does not mention encryption.
Hello David, did my update make sense to you?
Hi Tracey,
it does sorry for the mixup, as for the UDP not working. Are you sure there was no software or firewall preventing those UDP packets from reaching the collector service?
As for getting the cert installed on the sender side I can’t say I’ve any experience with that in particular. We have had complaints from customers in the past about encryption not working successfully, and we have some outstanding tickets on our backlog to bolster the functionality as its current implementation is somewhat limited.
After you performed the above steps using the snap-in method did you have any success?
David
I am so glad you replied about encryption possible being an issue. A lot of my event sources were set up just before I started. I have set up some too. I had the question in my head as to why UDP unique ports were used rather than TCP encrypted. The UDP setup usually works without issue.
I AM NOT SURE it is because of encryption. I am going to pull some logs from the server. Do you have advice as to what files will give the most information about the connection problem. I have seen firewall logs that appear to show the server is sending. When I changed the UDP port to TCP in IDR Event Source config few 1/2 encrypted raw logs showed up.
Thanks so much.
Hi Tracey,
I’d recommend you raise a support case with us so we can get access to your account and take a closer look perhaps over a call. It’d probably be the best route forward.
David
I have one Case01306296 that has been open since 12-29-2021. I also have one also with Direct Defense. It was a difficult time of year because people were in and out on PTO. I was attempting to get specific info on the setup or troubleshooting this particular event source… I will invite all parties to trouble shoot. Documentation is scarce on both side. if you have any advice on logs that may have value. Just want to send syslog to my siem. ugg
Thanks for joining the call last week Tracey, glad we could figure out that the problem seems to lie with the McAfee source in this case. Hopefully you can get those logs writing to disk and they will be ingested as expected. Please let us know.
Thank you David!
We were able to prove that both IDR Event source setups were configured properly and could receive the data once sent. The certificate was never the issue.
Your support was valuable and appreciated.