Sophos PureMessage
The Sophos PureMessage DSM for JSA accepts events by using Java Database Connectivity (JDBC).
JSA records all relevant quarantined email events. This document provides information about configuring JSA to access the Sophos PureMessage database by using the JDBC protocol.
JSA supports the following Sophos PureMessage versions:
- Sophos PureMessage for Microsoft Exchange - Stores events in a Microsoft SQL Server database that is specified as savexquar.
- Sophos PureMessage for Linux - Stores events in a PostgreSQL database that is specified as pmx_quarantine.
Here's information on integrating JSA with Sophos:
Integrating JSA with Sophos PureMessage for Microsoft Exchange
You can integrate JSA with Sophos PureMessage for Microsoft Exchange.
- Log in to the Microsoft SQL Server command-line interface (CLI):
osql -E -S localhost\sophos
- Select the database that you want to integrate with JSA (in osql, go must be on its own line):
use savexquar
go
- Type the following command to create a SIEM view in your Sophos database to support JSA:
create view siem_view as select 'Windows PureMessage' as application, id, reason, timecreated, emailonly as sender, filesize, subject, messageid, filename from dbo.quaritems, dbo.quaraddresses where ItemID = ID and Field = 76;
After you create your SIEM view, you must configure JSA to receive event information by using the JDBC protocol. To configure the Sophos PureMessage DSM with JSA, see Sophos PureMessage.
Configuring JSA to Collect Events from Sophos PureMessage by using the JDBC Protocol
Configure JSA to collect events from the Sophos PureMessage for Microsoft Exchange database by using the JDBC protocol.
- Log in to JSA.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
- Configure the parameters. The following table describes the parameters that require specific values to collect events from Sophos PureMessage:
Note You must refer to the database configuration settings on your Sophos PureMessage device to define the parameters that are required to configure the Sophos PureMessage DSM in JSA.
Table 1: Sophos PureMessage JDBC Parameters for Microsoft Exchange
Parameter
Description
Log Source Description (Optional)
Type a description for the log source.
Log Source Type
Sophos PureMessage
Protocol Configuration
JDBC
Log Source Identifier
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.
If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.
Database Type
MSDE
Database Name
Type savexquar.
IP or Hostname
Type the IP address or host name of the Sophos PureMessage server.
Port
Type the port number used by the database server. The default port for MSDE is 1433. Sophos installations typically use 24033. You can confirm port usage using the SQL Server Configuration Manager utility. For more information, see your vendor documentation.
The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections enabled to communicate with JSA.
If you define a database instance in the Database Instance parameter, you must leave the Port parameter blank. You can only define a database instance if the database server uses the default port of 1433. This is not the standard Sophos configuration.
Username
Type the user name required to access the database.
Password
Type the password required to access the database. The password can be up to 255 characters in length.
Confirm Password
Confirm the password required to access the database. The confirmation password must be identical to the password entered in the Password parameter.
Authentication Domain
If you did not select Use Microsoft JDBC, Authentication Domain is displayed.
The Windows domain used for MSDE authentication. If your network does not use a domain, leave this field blank.
Database Instance
The database instance, if required. MSDE databases can include multiple SQL server instances on one server.
When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.
Predefined Query (Optional)
Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select the none option.
Table Name
Type siem_view as the name of the table or view that includes the event records.
Select List
Type * for all fields from the table or view.
You can use a comma-separated list to define specific fields from tables or views, if it is needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
Compare Field
Type ID. The Compare Field parameter is used to identify new events added between queries to the table.
Use Prepared Statements
Select this check box to use prepared statements.
Prepared statements enable the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, we recommend that you use prepared statements.
Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
Start Date and Time (Optional)
Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Polling Interval
Enter the amount of time between queries to the event table. To define a longer polling interval, append H for hours or M for minutes to the numeric value.
The maximum polling interval is one week.
EPS Throttle
The number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20,000.
Use Named Pipe Communication
If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.
Clear the Use Named Pipe Communication check box.
MSDE databases require the Username and Password fields to contain a Windows authentication user name and password, not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.
Database Cluster Name
If you selected the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.
Use NTLMv2
If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.
Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
Use Microsoft JDBC
Select this option if you want to use the Microsoft JDBC driver.
Use SSL
Select this option if your connection supports SSL. This option appears only for MSDE.
Microsoft SQL Server Hostname
If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed.
Note Selecting a value greater than 5 for the Credibility parameter weights your Sophos PureMessage log source with a higher importance compared to other log sources in JSA.
- Click Save.
- On the Admin tab, click Deploy Changes.
Integrating JSA with Sophos PureMessage for Linux
You can integrate JSA with Sophos PureMessage for Linux.
- Navigate to your Sophos PureMessage PostgreSQL database directory:
cd /opt/pmx/postgres-8.3.3/bin
- Access the pmx_quarantine database SQL prompt:
./psql -d pmx_quarantine
- Type the following command to create a SIEM view in your Sophos database to support JSA:
create view siem_view as select 'Linux PureMessage' as application, id, b.name, m_date, h_from_local, h_from_domain, m_global_id, m_message_size, outbound, h_to, c_subject_utf8 from message a, m_reason b where a.reason_id = b.reason_id;
After you create your database view, you must configure JSA to receive event information by using the JDBC protocol.
Configuring a Log Source for Sophos PureMessage for Microsoft Exchange
You can configure JSA to access the Sophos PureMessage database using the JDBC protocol:
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
The Data Sources pane is displayed.
- Click the Log Sources icon.
The Log Sources window is displayed.
- Click Add.
The Add a log source window is displayed.
- From the Log Source Type list, select Sophos PureMessage.
- From the Protocol Configuration list, select JDBC.
Note You must refer to the Configure Database Settings on your Sophos PureMessage to define the parameters required to configure the Sophos PureMessage DSM in JSA.
- Configure the following values:
Parameter
Description
Log Source Identifier
Type the identifier for the log source. Type the log source identifier in the following format:
<Sophos PureMessage Database>@<Sophos PureMessage Database Server IP or Host Name>
Where:
<Sophos PureMessage Database> is the database name, as entered in the Database Name parameter.
<Sophos PureMessage Database Server IP or Host Name> is the hostname or IP address for this log source, as entered in the IP or Hostname parameter.
When defining a name for your log source identifier, you must use the values of the Database and Database Server IP address or host name of the Sophos PureMessage device.
Database Type
From the list, select Postgres.
Database Name
Type pmx_quarantine.
IP or Hostname
Type the IP address or host name of the Sophos PureMessage server.
Port
Type the port number used by the database server. The default port is 1532.
The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections enabled to communicate with JSA.
Username
Type the user name required to access the database.
Password
Type the password required to access the database. The password can be up to 255 characters in length.
Confirm Password
Confirm the password required to access the database. The confirmation password must be identical to the password entered in the Password parameter.
Database Instance
Optional. Type the database instance, if you have multiple SQL server instances on your database server.
If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.
Table Name
Type siem_view as the name of the table or view that includes the event records.
Select List
Type * for all fields from the table or view.
You can use a comma-separated list to define specific fields from tables or views, if required for your configuration. The list must contain the field defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
Compare Field
Type ID.
The Compare Field parameter is used to identify new events added between queries to the table.
Use Prepared Statements
Select this check box to use prepared statements.
Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, we recommend that you use prepared statements.
Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
Start Date and Time
Optional. Type the start date and time for database polling.
The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the Start Date and Time parameter is clear, polling begins immediately and repeats at the specified polling interval.
Polling Interval
Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.
You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values entered without an H or M poll in seconds.
Note Selecting a value greater than 5 for the Credibility parameter weights your Sophos PureMessage log source with a higher importance compared to other log sources in JSA.
- Click Save.
- On the Admin tab, click Deploy Changes.
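As an added example (not code from the JSA or Sophos documentation), the following Python models what the JDBC protocol does with the siem_view created for Sophos PureMessage for Microsoft Exchange and the Select List, Compare Field and Use Prepared Statements parameters that both log source tables above describe: it validates the Select List against the documented character rules, binds the Compare Field watermark as a prepared-statement parameter, and returns only rows added since the previous poll. It uses an in-memory SQLite stand-in for the savexquar database with constructed sample rows; the table names and the Field = 76 join follow the page, while the SiemPoller class and the sample data are assumptions.

```python
import re
import sqlite3

# Constructed sample data (not from the page): Field = 76 marks the sender row
QUARITEMS = [
    (1, "Spam", "2024-01-01 10:00", 1200, "Invoice", "<m1@x>", "a.zip"),
    (2, "Virus", "2024-01-01 10:05", 88000, "Photo", "<m2@x>", "b.exe"),
    (3, "Spam", "2024-01-01 10:07", 900, "Hello", "<m3@x>", None),
]
QUARADDRESSES = [(1, 76, "alice@example.test"), (1, 77, "bob@example.test"),
                 (2, 76, "mallory@example.test"), (3, 76, "carol@example.test")]
# Characters the parameter table allows in a comma-separated Select List.
SELECT_LIST_RE = re.compile(r"^[A-Za-z0-9$#_\-., ]{1,255}$")


def build_db():
    """In-memory stand-in for savexquar, with the view definition from the page."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        create table quaritems(id integer, reason text, timecreated text,
            filesize integer, subject text, messageid text, filename text);
        create table quaraddresses(itemid integer, field integer, emailonly text);
        -- Same view as on the page, minus the dbo. schema prefix SQLite lacks
        create view siem_view as select 'Windows PureMessage' as application,
            id, reason, timecreated, emailonly as sender, filesize, subject,
            messageid, filename from quaritems, quaraddresses
            where itemid = id and field = 76;
    """)
    db.executemany("insert into quaritems values (?,?,?,?,?,?,?)", QUARITEMS)
    db.executemany("insert into quaraddresses values (?,?,?)", QUARADDRESSES)
    return db


class SiemPoller:
    """Models the JDBC protocol: Compare Field watermark plus a prepared statement."""
    def __init__(self, db, select_list="*", compare_field="id"):
        if select_list != "*" and (not SELECT_LIST_RE.match(select_list) or
                compare_field not in [f.strip() for f in select_list.split(",")]):
            raise ValueError("Select List invalid or missing the Compare Field")
        self.db, self.compare_field, self.last_seen = db, compare_field, 0
        # Identifiers come from validated administrator configuration; the
        # moving watermark is bound as a parameter, never concatenated in.
        self.sql = (f"select {select_list} from siem_view "
                    f"where {compare_field} > ? order by {compare_field}")

    def poll(self):
        rows = self.db.execute(self.sql, (self.last_seen,)).fetchall()
        if rows:
            self.last_seen = rows[-1][self.compare_field]
        return rows
```

Item 1 has two address rows but only the Field = 76 row appears in the view, which is why the view yields one event per quarantined message.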