Enterasys Intrusion Prevention System Reporting Manual Download Page 13 | Manualshive

Page: 13 / 122

background image

Enterasys IPS Analysis and Reporting Guide 1-1

1

Getting Started

The Enterasys IPS Enterprise Management Server (EMS) provides a Web-based interface for
reporting that lets you report on real-time data, perform forensics analysis, and spot trends. The
reports use data from Network and Host Sensors. Enterasys IPS Reporting uses this data to
generate customized reports that help you isolate attacks. The reports help you analyze IDS events
in real time, spot long-term trends, and inspect individual event details and associated
information.

Starting with v7.4, Enterasys IPS reporting supports IPv6 and IPv4.

Starting Enterasys IPS Reporting

Use the following procedure to start using the Enterasys IPS reporting tools:

1.

Access the analysis and reporting tools in one of three ways:

•

Directly, by entering the following URL in your web browser:

https://<

IP address

>:9443/dragonreports

where <

IP address

> is the IP address of the Reporting server.

•

From the EMS client GUI. Select

Tools > Dragon Analysis & Reporting > Launch

.

For information about...

Refer to page...

Starting Enterasys IPS Reporting

1-1

Displaying Interactive Reports

1-4

Creating and Viewing User Defined Reports

1-11

Finding Events

1-13

Viewing Database Restore Status

1-14

«
...
11
12
13
14
15
...
»

Summary of Contents for Intrusion Prevention System

Page 1: ...P N 9034069 13 Enterasys Intrusion Prevention System Analysis and Reporting Guide...

Page 2: ......

Page 3: ...r are registered trademarks of Adobe Systems Incorporated Intel Intel Pentium Xeon Celeron and Pentium II are trademarks or registered trademarks of Intel Corporation Cisco is a registered trademark o...

Page 4: ...ssemble electronically transfer or reverse engineer the Licensed Software or to translate the Licensed Software into another computer language The media embodying the Licensed Software may be copied b...

Page 5: ...obligation under this Agreement including a failure to pay any sums due to Enterasys or in the event that You become insolvent or seek protection voluntarily or involuntarily under any bankruptcy law...

Page 6: ...es do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages so the above limitation and exclusion...

Page 7: ...ashboard Overview 2 1 The Views Panel 2 2 The Tabbed Panel 2 4 Systems Tab 2 4 Sensors Tab 2 7 Interfaces Tab 2 9 EMS Reporting Tab 2 11 Customizing the Dashboard Interface 2 12 Customizing the Views...

Page 8: ...and Grouping In Columns 6 4 Exporting Tables in CSV Format 6 6 Chapter 7 Event Details Chapter 8 Viewing a PCAP File for an Event Chapter 9 User Defined Reporting Creating a User Defined Report 9 1 V...

Page 9: ...11 17 Realtime Status 11 18 Using the Forensics Console 11 18 Reviewing Forensics 11 18 Notes Option 11 21 Using the Trending Console 11 22 Event Summaries 11 22 IP Address Summaries 11 24 Event Detai...

Page 10: ...viii...

Page 11: ...n System Version 7 5 and higher Related Documents The Enterasys IPS user documentation listed below is available from https extranet enterasys com downloads Enterasys IPS Document Title Description Ap...

Page 12: ...of trouble if known The device history for example have you returned the device before is this a recurring problem Any previous Return Material Authorization RMA numbers installdir Indicates to enter...

Page 13: ...s and associated information Starting with v7 4 Enterasys IPS reporting supports IPv6 and IPv4 Starting Enterasys IPS Reporting Use the following procedure to start using the Enterasys IPS reporting t...

Page 14: ...ress of the Reporting server b When the Launch page displays click on the Dragon Reporting link The Enterasys IPS Launch page also offers a link to the Legacy Dragon Reporting tools which are describe...

Page 15: ...specific events Schedule and manage user defined reports Display help and logout Displaying Interactive Reports on page 1 4 Finding Events on page 1 13 Creating and Viewing User Defined Reports on pag...

Page 16: ...ed in the last 24 hours only once but gives you the number of times it has occurred during the last 24 hours and the hours in which it occurred Clicking on an event causes event details to be displaye...

Page 17: ...red in the last 24 hours in sequential order You can filter the data further by selecting an existing filter from the Filter drop down list or by creating a new filter as described in Creating and Edi...

Page 18: ...er 4 Top N Reports By default Top N reports chart the top 10 occurrences of the selected event data such as Events by Event Group Events by Score and so on You select the event data to display from a...

Page 19: ...clicking on a data group in the chart causes event details to be displayed in the Event Table pane located at the bottom of the interface window as shown in the following figure Right clicking on an e...

Page 20: ...hour period as shown in the figure below Also by default Event Growth charts Column Bar Pie show the Top 10 and Bottom 10 events the Top 10 events are those that showed the greatest positive growth ov...

Page 21: ...for the period an n day moving average and a daily event count Below the chart the total event count is displayed for the period as well as the average event count for the period shown The minimum and...

Page 22: ...g Average by clicking the up or down arrows next to the field or by configuring a custom filter For more information about creating a custom filter see Creating and Editing Report Filters Creating and...

Page 23: ...me group area is grayed out and not available 5 When you have completed specifying the filter parameters click Apply to apply the filter to the report Note that this does not save the filter but only...

Page 24: ...s and click Save 3 Your report template is added to the list of User Defined Templates 4 Run the report manually by clicking on the Run icon green arrow on the right of the report template s row and v...

Page 25: ...vents You can use the Find Events menu bar item to search for specific events based on criteria that you provide The Find Events tab allows you to select from predefined criteria sets as well as to sp...

Page 26: ...s on page 3 4 Viewing Database Restore Status As part of a software upgrade install you can specify the number of days to restore from the existing database dragon db files The restore starts at the n...

Page 27: ...now to effectively manage your Enterasys IPS deployment This includes status information for the sensors and nodes within a deployment The Dashboard lets you see at a glance both an overview of the st...

Page 28: ...vidual bar in a bar graph applies that chart element as a filter in the Tabbed Panel of the Dashboard described in The Tabbed Panel on page 2 4 Use this feature to zoom in on the specific information...

Page 29: ...rs that are up down and unmanaged The tooltip per bar displays the type of sensor Network or Host the status shown by the bar and the number of sensors represented by the bar Clicking any bar in the c...

Page 30: ...as shown in Figure 2 1 on page 2 5 Top Sensors by Event Rate The Top Sensors by Event Rate chart displays a bar graph of the top ten most active by Event Rate Host and Network Sensors Each of the top...

Page 31: ...em Refer to Table 2 4 on page 2 6 for more information Configuration Channel Status Status of system s Configuration Channel Values can be Connected Disconnected Unknown typically status of Unmanaged...

Page 32: ...gabytes and of total available Disk Total MB The amount of disk space on the drive or the partition where Dragon is installed Disk Used MB Disk space used by all files and applications on the drive or...

Page 33: ...You can display details about a specific sensor by selecting the sensor and clicking the double arrow button at the bottom right of the tab as shown in Figure 2 2 below Figure 2 2 The Sensors Tab Net...

Page 34: ...packets per second Packets Blocked pps In an in line IPS deployment the packets that are blocked due to either intrusion prevention rules or a black list rule Expressed in packets per second Packets W...

Page 35: ...lay options Table 2 6 on page 2 9 describes the type of data shown in the Interfaces tab table columns You can display details about a specific interface by selecting the interface and clicking the do...

Page 36: ...intrusion prevention rules or a black list rule Expressed in packets per second Packets White listed pps In an in line IPS deployment the packets that were read in successfully and transmitted without...

Page 37: ...The EMS Reporting Tab Event Cache Traffic Graph The Event Cache Traffic graph provides a visual indication of the rate at which events are being sent to the EMS and the rate at which they are being pr...

Page 38: ...r and gauge how well it is keeping up with that load Customizing the Dashboard Interface Customizing the Views Panel You can resize interface elements in the Dashboard such as panels For example to re...

Page 39: ...icon in the views title bar Figure 2 8 Show or Hide Individual Views If you remove a view from the Views Panel layout using the Close icon in the views title bar you can use the Views drop down menu...

Page 40: ...ns You can resize table columns For example to resize a column mouse over the area between columns until the cursor changes as shown in Figure 2 11 Click drag and release the column separator to resiz...

Page 41: ...Figure 2 13 Column Drop Down Menu Group Options Use the Group By This Field option to group the report displayed by the values in a specific column as shown in Figure 2 14 When you select Group By Th...

Page 42: ...terfaces tab tables by checking and unchecking the desired columns in the Columns option drop down menu Figure 2 16 on page 2 17 illustrates how to display a list of columns Check or uncheck the appro...

Page 43: ...nvironment If the component starts reporting statistics again it will again be displayed in the Dashboard Removing or Applying a Table Filter The Systems Sensors and Interfaces tabs have a Status Tota...

Page 44: ...be prompted to specify the location Table 2 7 Systems and Sensors Tab Status Filters State Description Active Filter on Enterasys IPS systems sensors with a status of Active meaning that they are oper...

Page 45: ...Reporting server cookies as follows 1 In the Web browser you use to view Enterasys IPS Reporting view stored cookies In Firefox for example select Tools Options from the main menu then click Privacy...

Page 46: ...n partition Total disk space used on the Dragon partition Total memory available on the system in megabytes MB Total memory used on the system in megabytes MB System uptime Event rate from the system...

Page 47: ...disk space available on the Dragon partition Total disk space used on the Dragon partition Total memory available on the system in megabytes MB Total memory used on the system in megabytes MB System...

Page 48: ...Platform Specific Dashboard Details System Dashboard 2 22 Enterasys IPS Analysis and Reporting Guide...

Page 49: ...s in which it occurred in the green bullets in the hour columns Table 3 1 on page 3 2 describes the columns in the Event Summary report You can filter the data in the report by selecting an existing f...

Page 50: ...ther by selecting an existing filter from the Filter drop down list or by creating a new report filter as described in Creating and Editing Report Filters on page 1 10 Table 3 1 Event Summary Report C...

Page 51: ...ow that attempts to resolve the IP address using a DNS lookup Additional publicly available web sites that perform address resolution are provided as links on the browser page Destination Address Look...

Page 52: ...e 24 Hours reports on or off Customizing 24 Hours Report Tables The following sections describe customizations you can perform on the tables in the 24 Hours reports Resizing Columns You can resize tab...

Page 53: ...tion to group the report displayed by the values in a specific column as shown in Figure 3 6 When you select Group By This Field the Show in Groups checkbox is automatically checked To undo the groupi...

Page 54: ...nt Summary report Check or uncheck the appropriate check box to display or hide specific columns Figure 3 8 Selecting Columns to Display Exporting Tables in CSV Format The tables displayed in the 24 H...

Page 55: ...2 on page 4 3 Table 4 1 on page 4 3 describes the Top N reports You can interactively change the number of occurrences charted by increasing or decreasing the number in the Top field at the top of the...

Page 56: ...N Reports 4 2 Enterasys IPS Analysis and Reporting Guide Figure 4 1 Top N Report Window Selecting the Top N Report Type Figure 4 2 shows the drop down list of Top N report types that can be selected T...

Page 57: ...value The value of N is 10 by default but can be changed in the Top field Events by Destination Address Charts the top N destination addresses of events over the time period specified by the Filter v...

Page 58: ...by the Filter value The value of N is 10 by default but can be changed in the Top field Attacks by Destination Address Displays the top event counts categorized as ATTACKs by destination address over...

Page 59: ...rt Type The default chart type of Top N reports is Column and the default chart type of Event Breakdown charts is Pie but you can interactively change the chart type by clicking on the chart type icon...

Page 60: ...Selecting a Chart Type Top N Reports 4 6 Enterasys IPS Analysis and Reporting Guide...

Page 61: ...nt Rate report tab and the Event Growth report tab Daily Event Rate Report The Daily Event Rate report provides the average event count for the period an n day moving average and a daily event count B...

Page 62: ...displays the total event count and the event count change from the prior time period The text boxes displaying this information are bordered in green if the event count increased and in red if the ev...

Page 63: ...shown in Figure 5 1 with lines indicating the average event count over the period and the moving average Figure 5 2 shows a Daily Event Rate Bar chart in logarithmic view Figure 5 2 Daily Event Rate...

Page 64: ...event count per day the difference in count from the previous day and the moving average Note Pie chart legends have the potential for their bottom keys to be chopped off if the view port browser win...

Page 65: ...reating and Editing Report Filters on page 1 10 You can also interactively change the days in moving average by increasing or decreasing the number in the Days in Moving Average field at the top of th...

Page 66: ...ow only the Top n only the Bottom n or both Top and Bottom The maximum value of n is 50 The Event Growth Table shows all event counts for the two time periods not just the Top and or Bottom n events F...

Page 67: ...le Column and Bar Charts The Bar and Column charts show the event totals for each range side by side These views provide more depth allowing you to compare the event totals in one range with another T...

Page 68: ...ent Growth Tab Pie Chart Table Reports Table reports show all the data not just the Top n and Bottom n events as shown in Figure 5 8 on page 5 9 In the Table report you can right click on an event row...

Page 69: ...period t the time periods used in the event comparison are the most recent period t and the period t immediately preceding the most recent period t For example if you specify one day the period used...

Page 70: ...Event Growth Report Trending Reports 5 10 Enterasys IPS Analysis and Reporting Guide...

Page 71: ...ding Daily Event Rate reports Displaying Data in the Event Table Pane The Event Table pane is located at the bottom of the interface window Single clicking on a data group in a chart or table causes t...

Page 72: ...y score of the event Table can be filtered by score value Group The event group of the event Table can be organized by event group and also filtered by group Source IP The source IP address of the eve...

Page 73: ...able 6 2 Right Click Action Menu Options Option Description Event Details Displays a pop up window containing details of the event See Chapter 7 Event Details for more information Source Address Looku...

Page 74: ...umn name to a new location Figure 6 5 shows the Group column being repositioned to the left of the Score column Figure 6 5 Moving Columns Sorting Filtering and Grouping In Columns All columns in the E...

Page 75: ...Show in Groups checkbox is automatically checked To undo the grouping uncheck the Show in Groups checkbox Figure 6 7 Grouping Options Selecting Columns to Display You can select what columns to displa...

Page 76: ...Score column lets you choose from the possible values that can be displayed in that column Critical High Medium Low Figure 6 9 Column Filters Option Exporting Tables in CSV Format Tables displayed in...

Page 77: ...selected event You can launch an Event Details window for any event instance or event name reported in a table such as Event Summary Event Log and the Event Table pane To display the Event Details wi...

Page 78: ...Details window from Event Log the Event Table pane or Find Events the Event Details window has an upper pane with details about the event see Table 7 1 on page 7 3 and three tabs Description Includes...

Page 79: ...t perform address resolution are provided as links on the browser page Port The source port Destination IP The destination IP address of the event Click the address link to display a new browser windo...

Page 80: ...vent Summary the Event Details window contains only the Description and Signature Definition tabs Sensor Name Name of the Dragon sensor that generated the event In the case of Network Sensors this is...

Page 81: ...event in the form of a PCAP file This lets you view traffic data in an application such as Wireshark To view captured session traffic data for an event 1 In the Event Table pane right click and select...

Page 82: ...Viewing a PCAP File for an Event 8 2 Enterasys IPS Analysis and Reporting Guide...

Page 83: ...ormats User defined report templates are created from predefined templates To create a new user defined report template and run the report 1 Select Schedule Manage Report Templates from the main menu...

Page 84: ...ort is generated weekly on Sunday at 1 00 AM MONTHLY Report is generated monthly on the first of the month at 1 00 AM 6 To email this report to one or more recipients when it is generated enter one or...

Page 85: ...en generated from user defined templates The Generated Reports page displays a row for each generated report Figure 9 1 Viewing Generated Reports Each generated report provides the tools described in...

Page 86: ...Viewing Generated Reports User Defined Reporting 9 4 Enterasys IPS Analysis and Reporting Guide Prompts you to delete the selected generated report Table 9 2 Generated Reports Tools Icon Description...

Page 87: ...u bar Figure 10 1 shows the Reporting Preferences page Figure 10 1 Reporting Preferences The available preferences that apply to Schedule menu features are described in Table 10 1 For information abou...

Page 88: ...to elapse before Reporting sessions timeout session timeout 30 session timeout For example change session timeout 30 session timeout to session timeout 500 session timeout 3 Restart the JBoss server...

Page 89: ...nformation They provide 48 hour breakout histograms of events so you can spot trends at a glance The tools are Realtime Console Forensic Console Trending Console Executive Reporting EMS Statistics Dra...

Page 90: ...nt filters that allow you to quickly focus on a string of events Dragon Trending Console The Dragon Trending Console is used to answer questions about long term trends and activity The tool reads even...

Page 91: ...Reporting server 2 When the Launch page displays click on the Continue to Legacy Dragon Reporting IPv4 support only link as shown in the following figure 3 When the login screen displays enter your U...

Page 92: ...y of navigation areas depending on the tool selected and the current task There is a top right navigation area which allows you to select the desired tool The Top left navigation area provides tool sp...

Page 93: ...Figure 11 2 Navigation Areas Display Area The Display Area populates most of the right side of the window It is in this area that the data selected is displayed and that you manipulate that data Top R...

Page 94: ...ers the total event count To access the Realtime Console Main Window 1 Click Realtime in the top right navigation area The Realtime Console main window appears as shown in Figure 11 3 Navigation optio...

Page 95: ...LIC events Figure 11 5 Realtime Console AnalyzeEvent Graph of SNMP PUBLIC Events These SNMP events occurred over several months yet some distinct patterns emerge All of the events seem to be concentra...

Page 96: ...vent summaries print out a quick low resolution graph of the recent activity The graphs are designed for fast downloading Graphing of total events or scores is achieved For events a simple count of ma...

Page 97: ...event If the number of events matching a query is greater than the number of events in the Lines Sessions filter value a set of up to ten URLs are printed at the bottom of the displayed HTML output Th...

Page 98: ...Packet Data column provides the specific packet s information Figure 11 9 Pre Event Packet Data EventsByGroup This event summary lists all of the active event groups and the number of events in each...

Page 99: ...lts in many matches most of which cannot be displayed You may start off by selecting a CIDR block of 8 then drilling down until the list events tool is called listing events from that particular IP ad...

Page 100: ...ny events are observed to be active almost all of the time This usually indicates a high rate of false positives Figure 11 14 shows a more common output on a well tuned Dragon Network Sensor Notice th...

Page 101: ...lar group name takes you to a SumEvents interface filtered for only events of that group and in that direction Figure 11 16 Realtime SummaryByDirection SummaryLast7Days The SummaryLast7Days event summ...

Page 102: ...ueries The Custom Query window allows you to enter specific criteria that is used to generate customized information To enter Custom Queries 1 Click Custom Query in the top left navigation area 2 Ente...

Page 103: ...ified by placing a dash between port values for example 80 100 Multiple values of single ports or port ranges must be separated by spaces Time Start Stop The Time Start Stop fields specify different v...

Page 104: ...rom the Time Stop field is taken into consideration Events up to that specified time are retrieved span value selected both values in the Time Start and Time Stop fields are taken into consideration E...

Page 105: ...lters pulldown menu 4 Click Execute The display area is populated with a single statement asking if you want to delete the selected filter 5 Click the statement to delete the listed filter If you do n...

Page 106: ...of events along with other data You can also produce a list of individual events in the database that match a selected event In this list each event can have extra data displayed about it such as the...

Page 107: ...of events In the list or direction output modes clicking on a unique event name produces a mklog report sum_ip Produces a list of unique IP addresses or CIDR blocks that have occurred in a 24 hour pe...

Page 108: ...in a dragon db file When a partial list of matching sessions is displayed the number of packets present in each session is indicated Clicking on this number replays that unique session If source and d...

Page 109: ...Forensics sum_event Tool Output Filtering Option Notes Option The Dragon Forensics Console also includes a utility to keep a daily log along with each of the dragon db files This allows you to write...

Page 110: ...es over the selected time range is displayed The Trending Console is especially useful when you can only store a week or less worth of events in the Dragon Realtime Console To access the Trending Cons...

Page 111: ...ng certain events can cause this graph and table to regenerate 2 Select the desired information to view by clicking the navigation buttons and selecting the desired item in the pulldown menu Table 11...

Page 112: ...ey and drag the mouse to select a region The top seven events are indexed in a legend to the left of the graph Filtering certain events can cause this graph and table to regenerate 2 Select the desire...

Page 113: ...dividual days and optionally times within days All queries outside of the range are ignored Hosts A list of IP addresses or CIDR blocks can be specified here The resulting list can be applied to all t...

Page 114: ...any type source address destination address or both For example if a single CIDR block is specified and a query only looking for internal attacks is desired a setting of both is chosen for the IP Filt...

Page 115: ...rt values for example 80 100 Multiple values of single ports or port ranges must be separated by spaces Time Start Stop The Time Start Stop fields specify different values depending on the values of t...

Page 116: ...r example if the value indicates 36 events in the past 36 hours will be retrieved start value selected only the value from the Time Start field is taken into consideration Events starting at that spec...

Page 117: ...urn to the reporting main navigation window to save reports To save all reports 1 Click Save All Reports A new window appears allowing you to select the sensors for which to save the report Reports th...

Page 118: ...to return to the Reporting main window Viewing Saved Reports Saved reports are viewable in PDF format To view the list of saved reports 1 Click List Saved Reports in the left navigation panel of the R...

Page 119: ...Legacy Reporting Managing Reports Enterasys IPS Analysis and Reporting Guide 11 31 Figure 11 29 Event Count by Classification Figure 11 30 Event Count by Day...

Page 120: ...Managing Reports Legacy Reporting 11 32 Enterasys IPS Analysis and Reporting Guide Figure 11 31 Event Ratios by Day...

Page 121: ...0 mkchart 11 20 mkicmp 11 20 mklog 11 19 mkports 11 20 mksesson 11 20 mktime 11 20 notes 11 21 sum_db 11 19 sum_event 11 19 sum_ip 11 19 G GraphEvents 11 8 GraphScores 11 8 I Interfaces tab 2 9 column...

Page 122: ...report filters 1 10 report types 4 3 setting display preferences 3 4 6 3 trending custom queries 11 26 event details 11 25 event summaries 11 22 IP address summaries 11 24 Trending Console 11 2 11 22...

Reviews:

No comments

Related manuals for Intrusion Prevention System

70 MC - ZR70MC MiniDV Digital Camcorder

Brand: Canon Pages: 57

Brand: Canon Pages: 90

Brand: Canon Pages: 8

3508B001 - PowerShot D10 Digital Camera

Brand: Canon Pages: 64

3508B001 - PowerShot D10 Digital Camera

Brand: Canon Pages: 47

3211B001 - PowerShot E1 Digital Camera

Brand: Canon Pages: 83

3211B001 - PowerShot E1 Digital Camera

Brand: Canon Pages: 50

DocuColor 45054549

Brand: Xerox Pages: 30

SmartOffice SmartOffice Mobile

Brand: Palm Pages: 29

MOBILE SECURITY 2010 FOR ANDROID

Brand: F-SECURE Pages: 20

38000827 - Macromedia ColdFusion MX Standard Edition

Brand: Adobe Pages: 68

Brand: MACROMEDIA Pages: 156

Brand: SanDisk Pages: 11

NETWORK BASIC - USER REFERENCE GUIDE 4.0

Brand: Red Hat Pages: 92

ANTI-VIRUS - FOR FREEBSD-OPENBSD-BSDI MAIL SERVER

Brand: KAPERSKY Pages: 295

Brand: HP Pages: 4

Brand: Samsung Pages: 2

Brand: Samsung Pages: 4

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands