Cisco Bug: CSCvt10365 - eNCore eStreamer client displaying rec_type=511 messages with disposition=N/A

Last Modified

Mar 18, 2020

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases


Description (partial)

When integrated with the Cisco FMC, the eNcore eStreamer client displays rec_type=511 messages with invalid disposition values such as disposition=N/A:

rec_type=511 sha256=5d13f9907ac381d19f0a7552fd6d9fc07c9bd42c0f9ce017fff75587e1890375 name=Clean rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"

rec_type=511 sha256=ed4624bf4bfbeb19ccc102e22245a50fb1f31121b765052c70b4439ba5dcf736 name=Unknown rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"

We confirmed that eStreamer is sending disposition #2, which should be mapped to Unknown, but appears in Splunk as N/A.

From the eStreamer Integration Guide:

The malware status of the file. Possible values include:

• 1 — CLEAN The file is clean and does not contain malware.
• 2 — UNKNOWN It is unknown whether the file contains malware.
• 3 — MALWARE The file contains malware.
• 4 — UNAVAILABLE The software was unable to send a request to the AMP cloud for a disposition, or the AMP cloud services did not respond to the request.
• 5 — CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

With the FMC integrated with eStreamer eNcore as the eStreamer client, this issue is confirmed to occur in the eStreamer eNcore Add-on for Splunk v3.5 and 3.6.6.
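
An added example (not code from Cisco or the eNcore project): a Python check that parses eNcore key=value output and flags rec_type=511 records whose disposition is not one of the values documented above, so affected events can be counted before and after a fix. The sample lines are constructed with placeholder hashes, and accepting either a documented label or its numeric code as valid is an assumption.

```python
import shlex
from collections import Counter

# Disposition codes and labels as listed in the eStreamer Integration Guide excerpt.
DISPOSITIONS = {
    1: "CLEAN",
    2: "UNKNOWN",
    3: "MALWARE",
    4: "UNAVAILABLE",
    5: "CUSTOM SIGNATURE",
}
VALID_LABELS = {label.lower() for label in DISPOSITIONS.values()}


def parse_kv(line):
    """Split one key=value line into a dict, honouring double-quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def audit_file_events(lines):
    """Return (rec_type=511 records with an undocumented disposition, count per value)."""
    bad, counts = [], Counter()
    for line in lines:
        rec = parse_kv(line)
        if rec.get("rec_type") != "511":
            continue  # only File Event SHA Hash records are in scope
        disp = rec.get("disposition", "<missing>")
        # Assumption: a correct record carries a documented label or its numeric code.
        ok = disp.lower() in VALID_LABELS or (disp.isdigit() and int(disp) in DISPOSITIONS)
        if not ok:
            bad.append(rec)
            counts[disp] += 1
    return bad, counts


# Constructed sample lines (placeholder hashes, hypothetical rec_type=999 record).
_TAIL = ' name=Unknown rec_type_desc="File Event SHA Hash" user_defined=0 disposition={} rec_type_simple="FILELOG SHA"'
SAMPLE = [
    "rec_type=511 sha256=" + "a" * 64 + _TAIL.format("N/A"),
    "rec_type=511 sha256=" + "b" * 64 + _TAIL.format("Unknown"),
    'rec_type=999 msg="constructed non-file record" disposition=N/A',
]

if __name__ == "__main__":
    bad, counts = audit_file_events(SAMPLE)
    print(dict(counts), [r["sha256"][:8] for r in bad])
```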