
WANGUARD 5.2 User Manual & Administrator's Guide

Conditional & Dynamic Parameters

#   CONDITIONAL PARAMETER               TYPE    DYNAMIC PARAMETER   DESCRIPTION

GENERAL PARAMETERS

1   IP Address                          String  {ip}                The IP or Subnet involved in the anomaly.
                                        String  {ip_dns}            The reverse DNS of the IP involved in the anomaly. It's {ip} if the lookup is not successful.
2   CIDR                                Number  {cidr}              The CIDR (prefix mask) of the IP or Subnet involved in the anomaly.
3   Prefix                              String  {prefix}            The IP/CIDR involved in the anomaly.
4   IP Group                            String  {ip_group}          The IP Group of the IP or Subnet involved in the anomaly.
5   Sensor Name                         String  {sensor}            The Sensor's name.
6   Sensor Group                        String  {sensor_group}      The Sensor's Interface Group.
7   Sensor IP                           String  {sensor_ip}         The IP of the server running the Sensor.
8   Sensor Type [sniff, flow, virtual]  String  {sensor_type}       "sniff" for the Sniffing Sensor, "flow" for the Flow Sensor, or "virtual" for the Virtual Sensor.
9   Sensor ID                           Number  {sensor_id}         The unique ID of the Sensor.
10  Flow Exporter IP                    String  {router_ip}         The Flow exporter's IP. Empty when using the Sniffing Sensor.
11  IP Zone Name                        String  {ipzone}            The IP Zone used by the Sensor.
12  Response Name                       String  {response}          The Response used for the anomaly.
13  Template Name                       String  {template}          The Template that defined the anomaly's triggering rule, if any.
14  Expiration Delay (seconds)          String  {expiration}        The number of seconds between the last time the anomaly is detected and the time the anomaly is expired.
15  Captured Packets                    Number  {captured_pkts}     The number of packets captured during the Response, if any.
16  BGP Log Size (bytes)                Number  {bgplog_bytes}      The size of the BGP announcements log.
17  Unique Dynamic Parameters           String  {exclusive}         The Unique Dynamic Parameters contain Dynamic Parameters that must be unique for the validation of an Action.

ANOMALY PARAMETERS

1   Anomaly Description                 String  {anomaly}           A description of the anomaly.

- 35 -
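The following Python snippet is an added illustration and is not code from the Wanguard manual or product. It builds the General Parameters of one anomaly from a prefix, applies the stated fallback "{ip_dns} is {ip} if the lookup is not successful", and expands an Action template such as an e-mail subject or a shell command. The sensor name, response name and exporter address are constructed values; the de-duplication on the {exclusive} parameters is one reading of the description "must be unique for the validation of an Action" and is not confirmed by the manual. The practitioner's point: {ip_dns} is taken from a PTR record under the remote network's control, so when an Action runs a shell command every expanded value should be quoted (shlex.quote here) instead of being spliced in raw.

```python
import re
import shlex
import socket
from ipaddress import ip_network

# Added illustration, not Wanguard code. Token names follow the
# "General Parameters" table; sensor/response defaults are constructed.
TOKEN = re.compile(r"\{([a-z][a-z0-9_]*)\}")


def reverse_dns(ip):
    """PTR lookup; returns None on failure so the caller can fall back to {ip}."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def anomaly_context(prefix, sensor="sensor-1", sensor_type="flow",
                    router_ip="192.0.2.1", response="null-route",
                    resolver=reverse_dns):
    """Build the {ip}, {cidr}, {prefix}, {ip_dns}, ... values for one anomaly.

    `resolver` is injectable so the example runs offline. The manual's rule
    "{ip_dns} is {ip} if the lookup is not successful" is applied below.
    """
    net = ip_network(prefix, strict=False)          # "198.51.100.7" -> /32
    ip = str(net.network_address)
    ctx = {
        "ip": ip,
        "cidr": net.prefixlen,
        "prefix": f"{ip}/{net.prefixlen}",
        "sensor": sensor,
        "sensor_type": sensor_type,
        # Empty for the Sniffing Sensor, as the table states for {router_ip}.
        "router_ip": router_ip if sensor_type == "flow" else "",
        "response": response,
    }
    ctx["ip_dns"] = resolver(ip) or ip
    return ctx


def expand(template, ctx, shell_safe=False):
    """Replace {name} tokens with their values.

    Unknown tokens are left untouched so a typo in a template shows up in the
    output instead of silently becoming an empty string. With shell_safe=True
    every value goes through shlex.quote: {ip_dns} comes from a PTR record
    controlled by whoever owns the remote address space and must never be
    interpolated raw into a command line.
    """
    def repl(match):
        name = match.group(1)
        if name not in ctx:
            return match.group(0)
        value = str(ctx[name])
        return shlex.quote(value) if shell_safe else value
    return TOKEN.sub(repl, template)


def exclusive_key(ctx, exclusive):
    """Expanded value of the Unique Dynamic Parameters ({exclusive}).

    Assumption, not stated by the manual: an Action fires once per distinct
    expansion of its {exclusive} template, e.g. "{prefix} {response}".
    """
    return expand(exclusive, ctx)


def should_fire(ctx, exclusive, seen):
    """Return True the first time a given exclusive key is seen, else False."""
    key = exclusive_key(ctx, exclusive)
    if key in seen:
        return False
    seen.add(key)
    return True


if __name__ == "__main__":
    # Constructed hostile PTR record: a shell metacharacter in the hostname.
    ctx = anomaly_context("198.51.100.7", resolver=lambda ip: "x; rm -rf /")
    print(expand("Attack on {prefix} seen by {sensor}", ctx))
    print(expand("logger -t wanguard {ip_dns}", ctx, shell_safe=True))
```

Run it once with the real `reverse_dns` resolver to see the fallback in action for an address without a PTR record; the `__main__` block uses a constructed resolver so the hostile hostname is reproducible offline.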
