Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1 Manual Download Page 241 | Manualshive

Page: 241 / 246

background image

STRM Users Guide

G

LOSSARY

235

TCP resets

For TCP-based applications, STRM can issue a TCP reset to either the client or
server in a conversation. This stops the communications between the client and
the server.

threat posing

The degree or level of threat an attacker (source) is posing; calculated per interval.
Threat posing is calculated using the aggregated target category, added to the
aggregated Attacker then multiplied by the average number of offenses the
attacker has been associated with.

threat under

The degree or level of threat the target (destination) is under; calculated per
interval. Threat under is calculated using the target category aggregate for an
interval, multiplied by the average number of offenses the target has been
associated with.

threat view

A security-based custom view that contains object groups based on possible
threats to your network, including DOS, worms, and stealth activities.

threshold sentry

Monitors your deployment for activity that exceeds the configured threshold of the
sentry. STRM monitors relevant network objects and identifies whenever a
threshold is exceeded. Thresholds can be based on any data collected by STRM,
not just packet count or bandwidth.

Time Series

A reporting chart that graphs data based on time. This chart focuses on the
networks or IP address data information from the selected networks.

TopN

Displays the top

N

networks or IP address information for the data you are viewing.

For example, if you are using a Geographic view for U.S. data traffic, TopN can
display the top five networks generating traffic in the U.S.

TopN Time Series

A reporting graph option that focuses on the top N networks or IP address data
information, based on time, for the data you are graphing.

Transmission
Control Protocol
(TCP)

A reliable stream service that operates at the transport-layer Internet protocol,
which ensures successful end-to-end delivery of data packets without error.

Update Daemon

Stores all processed data.

view

Network activity is classified into a number of views that reflect a particular aspect
or property of the activity. These views determine what and how information is
displayed.

view objects

Groups and components in the defined view.

violation

Includes a violation of corporate policy.

Whois

Allows you to look up information about registered Internet names and numbers.

«
...
239
240
241
242
243
...
»

Summary of Contents for SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1

Page 1: ...niper Networks Inc 1194 North Mathilda Avenue Sunnyvale CA 94089 USA 408 745 2000 www juniper net Part Number 530 027294 01 Revision 1 Security Threat Response Manager STRM Users Guide Release 2008 2...

Page 2: ...ay radiate radio frequency energy If it is not installed in accordance with NetScreen s installation instructions it may cause interference with radio and television reception This equipment has been...

Page 3: ...TRM 9 Sorting Results 9 Refreshing the Interface 10 Pausing the Interface 10 Investigating IP Addresses 10 Viewing STRM Time 11 Accessing On line Help 11 STRM Administration Console 11 2 USING THE DAS...

Page 4: ...Investigating Traffic 35 Investigating Flows 36 4 MANAGING SENTRIES About Sentries 40 Types of Sentries 40 Viewing Sentries 42 Creating a Sentry 43 Creating a Security Policy Sentry 44 Creating a Beh...

Page 5: ...r 134 Using the Right Click Menu Options 134 Viewing Events 135 Viewing Normalized Events 135 Viewing Raw Events 139 Viewing Aggregate Normalized Events 140 Searching Events 145 Searching Events 145 D...

Page 6: ...ng a Group 185 Editing a Group 186 Copying a Template to Another Group 186 Deleting a Template From a Group 187 Assigning a Report to a Group 188 Creating a Report 188 Creating a Template 189 Configur...

Page 7: ...the Juniper Networks support web site locate the product and software release for which you require documentation Your comments are important to us Please send your e mail comments about this guide o...

Page 8: ...ing or maintaining STRM you can contact Customer Support as follows Log a support request 24 7 https juniper net support For access to the Juniper Networks support web site please contact Customer Sup...

Page 9: ...ewer Assets Network Surveillance Network Surveillance Reports Using STRM STRM Administration Console Note When navigating STRM do not use the browser Back button Use the navigation options available w...

Page 10: ...e Dashboard The Dashboard tab is the default interface that appears when you log in to STRM The Dashboard tab provides summary and detailed information on offenses occurring on your network your netwo...

Page 11: ...esolve the issue Note For more information on Offense Manager see Chapter 5 Investigating Offenses Event Viewer The Event Viewer allows you to view event logs being sent to STRM in real time or throug...

Page 12: ...hapter 7 Using the Flow Viewer Assets STRM automatically discovers assets servers and hosts operating on your network based on passive QFlow data as well as vulnerability data allowing STRM to build a...

Page 13: ...STRM Users Guide Assets 7 Note For more information see Chapter 8 Managing Assets...

Page 14: ...nce interface you can Sentries are a technology that monitors traffic seen in any Network Surveillance view such as apps network asset groups and geographies and alert on normal behavior Using the Net...

Page 15: ...Reports Using STRM Using STRM you can Sort the results See Sorting Results Refresh the interface See Refreshing the Interface Pause the current display See Pausing the Interface Further investigate a...

Page 16: ...right click on any IP address or asset name to access additional menus which allow you to further investigate that IP address or asset For more information on assets see the STRM Administration Guide...

Page 17: ...nt Configure views Allows you to manage your views Port Scan Performs a NMAP scan of the selected IP address This option is only available if NMAP is installed on your system For more information on i...

Page 18: ...s to your deployment through DSMs Configure flow sources Allows you to configure flow sources such as NetFlow or Packeteer All configuration updates using the Administration Console are saved to a sta...

Page 19: ...assets You can detach an item and monitor the item directly from your desktop This chapter includes About the Dashboard Network Surveillance Offense Manager Event Viewer Reports Enterprise Security St...

Page 20: ...appears on the Dashboard is user specific You can design the Dashboard as you wish as the changes made within a STRM session affect only your system The next time you log in STRM reflects your last Da...

Page 21: ...not remove the item from STRM Removing an item clears the item from the Dashboard You can add the item again at any time Detaching an Item To detach an item from the Dashboard click the green icon loc...

Page 22: ...add the following items to your Dashboard Threats Local Networks Client Applications Server Applications Geographic Flow Types Custom Views Bookmarks This menu option only appears if you have configu...

Page 23: ...Time Series Line Chart or Pie Chart at the top of the graph TopN TopN data displays the most active objects from the top of your network providing you with information from the most active network obj...

Page 24: ...er Time Most Severe and Most Recent Offenses The most recent and severe offenses are identified and classed with a magnitude bar to inform you of the importance of the offense Point your mouse to the...

Page 25: ...art type click Time Series Line Chart or Pie Chart at the top of the graph Attackers and Targets The Attackers and Targets option displays the top five attackers or top five local targets Each target...

Page 26: ...o customize your display Period of Time Using the drop down list box select the period of time you wish the Dashboard graph to display Chart Type You can display the data using a Time Series default L...

Page 27: ...hin the last 15 minutes The number of events sent from the specified device is indicated in the pie chart This item allows you to view potential changes in behavior for example if a firewall device th...

Page 28: ...value 0 to 10 This value is reported by the Magistrate component and is calculated each interval Target Threat Under The value applied to the threat a target is under over time For each offense in whi...

Page 29: ...lity State represents the network s current vulnerability posture The vulnerability state is formulated from monitoring all vulnerability data across the entire network to create a single metric that...

Page 30: ...created or modified with new evidence within the last 24 hours Data Reduction Ratio Specifies the ratio of data reduced based on the total events detected within the last 24 hours and the number of mo...

Page 31: ...traffic from various views and perspectives The menu options include Global Views Asset Map Bookmarks QRL Options Global Views By default Global Views display aggregated network traffic at the top of...

Page 32: ...fic IFIndexIn Displays traffic for inbound IfIndex traffic ASNDestination Displays traffic for destination ASN traffic QoS Displays traffic for Quality of Service QoS traffic Global Views displays you...

Page 33: ...tive components with no current traffic activity This option displays all legend objects and items No Scales Allows you to change the graph appearance and remove the scales from the graphs When access...

Page 34: ...t is currently selected Global Views are configurable views that capture and display your network activity Each view filters traffic and displays the data from many perspectives You can display your n...

Page 35: ...measured increments change as you zoom in on the graph Inbound Inbound selected layer such as bytes packets or hosts displays the inbound traffic activity Outbound Outbound selected layer such as byte...

Page 36: ...the graph allows you to select traffic for a specific time frame For example if you select 15 using the Select Time drop down list box and click an area of the graph 15 minutes of data appears on the...

Page 37: ...When displayed on the graphs this view provides a graphical representation for this type of traffic Applications View Displays traffic originating from client and server applications This is determine...

Page 38: ...d details on the highest volume networks are displayed in the TopN box Packets Second Specifies the traffic layer as the number of averaged packets per second Options include Normal Log Packets Hosts...

Page 39: ...rrently active on your network appear on your legend and in the QRL Definition box To display the Table 3 3 QRL Definition Box Parameter Description View Specifies the current view Layer Specifies byt...

Page 40: ...ptures the activity of the top five network objects TopN displays data with horizontal bars which depicts the amount of activity for each object TopN changes each time a new view is selected Each time...

Page 41: ...lue Depending on the layer you have selected can display number of bytes packets hosts per interval or unique ports for the most active networks in the last 60 seconds Rate Depending on the layer you...

Page 42: ...he IP address to reveal the following details Country Identifies the country of origin Network Identifies the network location Offenses Identifies any previous offenses Resolver Actions Identifies Res...

Page 43: ...s not currently appear on the graph you can use any of the following methods to gain access to a specific traffic type From the main menu select Global Views and choose a designated view to display tr...

Page 44: ...a single IP address click Search The Flow Search window appears For more information see Chapter 7 Using the Flow Viewer Note If you have upgraded your system to STRM 6 1 and you attempt to search for...

Page 45: ...nterface as these type of alerts are monitoring time series event data You can also distribute alert notifications to a syslog file e mail or run a custom script If you create a Security Policy sentry...

Page 46: ...contain all applications that you wish to monitor for inappropriate use Sentry Specifies which network location you wish the sentry to apply The network location component of the sentry can also speci...

Page 47: ...uipment such as switches and routers Monitoring remote access to servers to test for uncommon protocols Monitoring internal flow and failure from devices Security Policy A Security Policy sentry monit...

Page 48: ...generates if the 221st client attempts to login A Threshold sentry is useful for monitoring utilized bandwidth monitoring above noise for specific activity on your network or monitoring for device fai...

Page 49: ...ormation on creating sentries including Creating a Security Policy Sentry Creating a Behavior Sentry Creating an Anomaly Sentry Creating a Threshold Sentry Creating a Custom Sentry Table 4 1 Sentry Li...

Page 50: ...Surveillance interface appears Step 2 Navigate to the appropriate view you wish the sentry to apply For information on navigating views see Chapter 3 Managing Your Network Activity Note You cannot cre...

Page 51: ...as not present during the learning time becomes active Date is relevant Select the check box if you wish this sentry to consider the date When selected date fields appear Enter the relevant dates you...

Page 52: ...lected Table 4 2 Security Policy Sentry Parameters continued Parameter Action Table 4 3 Sentry Attributes Parameters Parameter Action Sentry Name Specify a name you wish to assign this sentry Sentry D...

Page 53: ...dow which allows you to indicate any users you wish to share this sentry Note This option is only available when the Auto learn policy learn for check box is selected Table 4 3 Sentry Attributes Param...

Page 54: ...version 2 2 community IP address 1 3 6 1 4 1 20212 200 3 Note These default scripts need to be customized for proper use in your environment To edit the script use SSH to login to your STRM Console a...

Page 55: ...lance interface appears Step 2 Navigate to the appropriate view you wish the sentry to apply For information on navigating views see Chapter 3 Managing Your Network Activity Note You cannot create a s...

Page 56: ...gher the value indicates more weight on the previously recorded value Current traffic trend Specify the weight 1 to 100 that you wish to assign to current traffic trends against the calculated behavio...

Page 57: ...value of 100 indicates the traffic is more than four times larger than the predicted value For example the level of alert sensitivity depends on the traffic experienced by your network If your networ...

Page 58: ...ection of traffic you wish this sentry to monitor The options are In Out or Both Test as group Select the check box if you wish all objects to add together to be tested Clear the check box if you wish...

Page 59: ...days you wish this sentry to consider By default the check box is clear Time of day is relevant Select the check box if you wish this sentry to consider the time of day When selected the time of day f...

Page 60: ...Share Package to share this package with other STRM users Minimum Activations Before Alert Specify the minimum number of times you wish this activity to occur before an alert generates We recommend th...

Page 61: ...NMP Trap notification Block IPs Sentry engine blocks specific IP addresses Parameters Specify the parameters required to trigger either the SNMP trap or to block IP addresses Enter parameters in the f...

Page 62: ...y Small Window 1 Hour Percent change required to alert 50 Condition for alert 25 12 5 37 5 If the SSH server is typically used for 15 minutes out of every hour and the server becomes active for more t...

Page 63: ...STRM Users Guide Creating a Sentry 57 Step 4 Select the Anomaly option Click Next The Sentry Parameters window appears Step 5 Enter values for the parameters...

Page 64: ...es an alert For a low activity network set this value to a high value For a high activity network set this to a low percentage value Layer Specifies the property and measurement used in the Y axis of...

Page 65: ...ated event displays in the Offense Manager STRM uses the following formula to calculate the weight sentry weight network weight object weight 3 time difference Where time difference is 1 second since...

Page 66: ...o generate If you set the Delay Between Alerts parameter to 0 and the Maximum responses per event to 1 only one alert generates per event Sharing Click Share Sentry to access the Select Users window w...

Page 67: ...form The options include Trigger Script Specify if you wish this sentry to use the following SNMP traps Sentry engine sends an SNMP Trap notification Block IPs Sentry engine blocks specific IP address...

Page 68: ...Guide 62 MANAGING SENTRIES Step 3 Below the graph click Add Sentry The Add Sentry Wizard appears Step 4 Specify the Threshold option The Sentry Parameters window appears Step 5 Enter values for the p...

Page 69: ...he values that can be used include bytes packets number of hosts and others Direction Specify the direction of traffic you wish this sentry to monitor The options are In Out or Both Test as group Sele...

Page 70: ...weight sentry weight network weight object weight 3 time difference Where time difference is 1 second since the sentry alerted 10 000 000 000 Save as package Select the check box if you wish to save...

Page 71: ...only one alert generates per event Sharing Click Share Sentry to access the Select Users window which allows you to indicate any users you wish to share this sentry Table 4 13 Sentry Attributes Parame...

Page 72: ...pt Specify if you wish this sentry to use the following SNMP traps Sentry engine sends an SNMP Trap notification Block IPs Sentry engine blocks specific IP addresses Parameters Specify the parameters...

Page 73: ...entry using an existing Package select the Use an existing Package option and use the drop down list box to select the desired Package This option allows you to edit the values of the Package but not...

Page 74: ...o monitor All selected applications appear under Selected Components Date is relevant Select the check box if you wish this sentry to consider date When selected date fields appear Enter the relevant...

Page 75: ...Set this function to 1 if you wish to test all objects as a group time Indicates time to make a comparison If no time is supplied current time is used learnPolicy During the learning period this funct...

Page 76: ...sh to save this information as a sentry Package Logic Name Specify a name you wish to assign to this Package Description Specify a description for this Package Share Logic Click Share Logic to access...

Page 77: ...is package with other STRM users Minimum Activations Before Alert Specify the minimum number of times you wish this activity to occur before an alert generates Delay Between Alerts Specify the number...

Page 78: ...ns include Trigger Script Specify if you wish this sentry to use the following SNMP traps Sentry engine sends an SNMP Trap notification Block IPs Sentry engine blocks specific IP addresses Parameters...

Page 79: ...Enabled Select the check box to enable this sentry Clear the check box to disable the sentry Options Select the check box if you wish this event to be included with other events to create an offense U...

Page 80: ...y to monitor Day of week is relevant Select the check box to indicate that this sentry must consider the day of the week When selected day of the week fields appear Using the drop down list boxes sele...

Page 81: ...the length of time in seconds you wish this sentry to consider a season A season indicates the cycle of data which STRM uses to determine future data flow This variable is for behavioral sentries Scal...

Page 82: ...eriod of time you wish to the system to monitor flows in your network This allows the system a basis of comparison for traffic over an smaller period of time If the large window and small window value...

Page 83: ...several tests that performed on an offense every time it has been scheduled for re evaluation usually because a events have been added or the minimum time for scheduling has occurred Attackers A devic...

Page 84: ...enses Includes a list of all offenses that have been assigned to you by the administrator All Offenses Includes all global offenses on the network By Category Includes a summary view of all offenses b...

Page 85: ...rs Viewing Offenses To view offenses Step 1 Click the Offense Manager tab The Offense Manager window appears Step 2 Click All Offenses from the navigation menu The selected list of offenses appears an...

Page 86: ...for offenses you wish to display For example if you configure the Minimum Offense Magnitude to Display parameter as 4 only offenses with a magnitude of 4 and above appear in the Offense Manager For m...

Page 87: ...name on the navigation trail Hint To view any section of the summary panel is greater details click the associated toolbar option For example if you wish to view the details of the Attacker Summary in...

Page 88: ...argeted network this field displays the network leaf Click the link to view the network information If the offense has more than one targeted network the term Multiple appears Click the link to view a...

Page 89: ...bilities associated with this attacker This value also includes the number of active and passive vulnerabilities Location Specifies the network location where this attacker is located If the location...

Page 90: ...to be vulnerable to this offense If this target is vulnerable this field indicates Yes Otherwise this field indicates Unknown Chained Specifies if this target has attacked since the offense was first...

Page 91: ...ditional information Identity Specifies the IP address of the attacker Location Specifies the location of the attacker Magnitude Specifies the relative importance of this attacker The magnitude bar pr...

Page 92: ...under over time This is calculated based on the average weighted value of the threat under over time Vulnerability Risk The vulnerability assessment risk level 0 to 10 for the asset where 0 is the lo...

Page 93: ...tion Specifies the details for this offense Time Specifies the date and time of the offense Weight Specifies the weight of this annotation Allows you to view all remote targets for this offense includ...

Page 94: ...ow results displayed is determined by the Web Max Matched Results parameter in the System Settings For more information see the STRM Administration Guide Actions Using the Actions drop down list box y...

Page 95: ...ue The range is 0 to 10 Relevance Using the drop down list box select if you wish to search relevance equal to less than or greater than the configured value The range is 0 to 10 Event Count Using the...

Page 96: ...ltered offenses from the summary panel Closing these offenses removes the offenses from the database If any additional events occur for that offense a new offense is created You can hide or close an o...

Page 97: ...he original option selected in the navigation menu Note Hiding an offense does not affect the offense counts that appear in the By Category section of the Offense Manager Viewing Hidden Offenses To vi...

Page 98: ...igning Offenses to Users Using the Offense Manager you can assign offenses to STRM users You must have appropriate privileges to assign offenses to users For more information on user roles see the STR...

Page 99: ...y view is organized offense count Click Save Layout at any time to save the current display as your default view The next time you log in to the Offense Manager the saved layout appears To view offens...

Page 100: ...STRM Users Guide 94 INVESTIGATING OFFENSES...

Page 101: ...alware Events relating to viruses trojans back door attacks or other forms of hostile software This may include a virus trojan malicious software or spyware Network Anomalies Network traffic patterns...

Page 102: ...cifies the number of active offenses offenses that have not been hidden or closed in the specified category Local Target Count Specifies the number of local targets associated with this offense in thi...

Page 103: ...result of attempting to attack your system All attackers are listed with the highest magnitude first This section provides information on Viewing Offenses by Attacker Searching Attackers Viewing Offe...

Page 104: ...he attacker The magnitude bar provides a visual representation of all the correlated variables of the attacker Variables include the vulnerability assessment risk and the amount of threat posed Threat...

Page 105: ...er Description Magnitude Specifies the relative importance of the attacker The magnitude bar provides a visual representation of all the correlated variables of the attacker Variables include the vuln...

Page 106: ...en on Specifies the date and time in which this attacker generated the first event Last event seen on Specifies the date and time of the last generated event associated with this attacker Table 5 10 A...

Page 107: ...s associated with this target Attacker Src Specifies the number of attackers associated with this target Events Specifies the number of events associated with this offense Last Event Specifies the dat...

Page 108: ...udes credibility relevance and severity Point your mouse to the magnitude bar to display values and the calculated magnitude Target s Dest Specifies the IP address of the target associated with this o...

Page 109: ...ies the date and time of the offense Annotation Specifies the details for this offense Weight Specifies the weight of this annotation Allows you to view all targeted networks for this offense includin...

Page 110: ...offenses see Hiding Offenses Close Allows you to close an offenses For more information on closing offenses see Closing an Offense Table 5 14 Offense Panel Toolbar continued Icon Function Table 5 15 A...

Page 111: ...recorded in the STRM database during a certain time period Once you select the check box use the calendar to select the dates you wish to search Last Event Between Select the check box if you wish to...

Page 112: ...w appears Step 2 Click By Target The Target panel appears The panel provides the following information Table 5 16 Viewing Target Parameters Parameter Description Follow up Flag Specifies action taken...

Page 113: ...Threat Under The value applied to the threat a target is under over time This is calculated based on the average weighted value of the threat under over time Point your mouse to the magnitude bar to d...

Page 114: ...all other hosts in your deployment Threat Under The value applied to the threat a target is under over time This is calculated based on the average weighted value of the threat posing over time Point...

Page 115: ...get See Step 4 Allows you to view a list of attackers associated with this target See Step 5 Actions Using the Actions drop down list box you can choose one of the following actions Follow up Allows y...

Page 116: ...s Allows you to view category information for this offense including Hint You can also further investigate the events relating to a specific category by using the right mouse button right click and se...

Page 117: ...e number of attackers associated with this target Offenses Targeted Specifies the number of offenses targeted at this network Offenses Launched Specifies the number of offenses launched by this networ...

Page 118: ...alculated value for this attacker over time that indicates how severe the attacker is compared to all other attackers in your network Vulnerability Risk The vulnerability assessment risk level 0 to 10...

Page 119: ...earch the amount of threat the target is experiencing to be equal to less than or greater than the configured value Event Count Using the drop down list box select if you wish to search the event coun...

Page 120: ...Click the Offense Manager tab The Offense Manager window appears Step 2 Click By Networks The Networks panel appears The Network panel provides the following information Table 5 25 Viewing Network Par...

Page 121: ...threat posing over time Vulnerability Risk The vulnerability assessment risk level 0 to 10 for the asset where 0 is the lowest and 10 is the highest This is a weighted value against all other hosts in...

Page 122: ...lculated value for this network over time that indicates how severe the network is compared to all other networks that include attackers Threat Under The value applied to the threat a network is under...

Page 123: ...ated with this network See Step 4 Allows you to view a list of targets associated with this network See Step 5 Allows you to view the list of offenses associated with this network See Step 6 Actions U...

Page 124: ...hosts in your deployment Offenses Specifies the number of offenses associated with this attacker Local Target s Dest Specifies the number of targets associated with this attacker Events Specifies the...

Page 125: ...arget Offenses Specifies the number of offenses associated with this target Attacker Src Specifies the number of attackers associated with this target Events Specifies the number of events associated...

Page 126: ...pecifies the IP address of the target associated with the offense Magnitude Specifies the relative importance of this offense The magnitude bar provides a visual representation of all the correlated v...

Page 127: ...include the vulnerability assessment risk and the amount of threat posed Point your mouse to the magnitude bar to values for the offense and the calculated magnitude Threat Posed The calculated value...

Page 128: ...under over time This is calculated based on the average weighted value of the threat under over time Vulnerability Risk The vulnerability assessment risk level 0 to 10 for the asset where 0 is the lo...

Page 129: ...ions for this offense including Annotation Specifies the details for this offense Time Specifies the date and time of the offense Weight Specifies the weight of this annotation Allows you to view all...

Page 130: ...see Hiding Offenses Close Allows you to close an offenses For more information on closing offenses see Closing an Offense Table 5 34 Offense Panel Toolbar continued Icon Function Table 5 35 Networks S...

Page 131: ...fense Step 1 Click the Offense Manager tab The Offense Manager window appears Step 2 Navigate to the offense you wish to add notes Step 3 Double click the offense to which you wish to add notes The de...

Page 132: ...can configure STRM to notify you through e mail if an offense changes This allows you to monitor specific offenses or policy violations for changes in behavior A notification is sent if a change is de...

Page 133: ...a result of a threshold behavior or anomaly sentry the details appear in Network Anomalies offenses Offenses are automatically updated every 10 minutes This section provides information on managing n...

Page 134: ...ons The Incident list box specifies layer information inbound or outbound bytes or local host and date and time of the incident From the list box select the incident you wish to view or click Show All...

Page 135: ...to close Note To select more than one offense press the CTRL key while you select other events Step 4 Click Close Network Location Specifies the network location that the event occurred Layer Specifie...

Page 136: ...only administrative users can configure advanced sentries on a system wide basis You can enable other users to view network anomaly offenses that have generated as a result of a sentry you created To...

Page 137: ...a If you wish to export the offenses in XML format select Export to XML from the Actions drop down list box b If you wish to export the offenses in CSV format select Export to CSV from the Actions dr...

Page 138: ......

Page 139: ...ting offenses Search events View event information aggregated by various options Export events in XML or CSV format You must have permission to view the Event Viewer interface For more information on...

Page 140: ...hat has an associated offense is noted by a red icon in the first column See Viewing the Associated Offense Opens the False Positive Tuning window which allows you to tune out events that are known to...

Page 141: ...Normalized Events Viewing Raw Events Viewing Aggregate Normalized Events Viewing Normalized Events To view normalized events Step 1 Click the Event Viewer tab The Event Viewer window appears Filter o...

Page 142: ...ion IP address are seen within a short period of time Time Specifies the date and time that STRM received the event Low Level Category Specifies the low level category associated to this event For mor...

Page 143: ...ailable Severity Specifies the severity of this event Credibility Specifies the credibility of this event Relevance Specifies the relevance of this event Magnitude Specifies the magnitude for this eve...

Page 144: ...s the destination port after the NAT values were applied Protocol Specifies the protocol associated with this event Username Specifies the username associated with this event if available QID Specifie...

Page 145: ...events Allows you to display the offenses that the event was correlated to Allows you to edit the event mapping For more information see Modifying Event Mapping Allows you to tune the event viewer to...

Page 146: ...ess of the event High Level Category Displays a summarized list of events grouped by the high level category of the event For more information on categories see the Event Category Correlation Referenc...

Page 147: ...zed list of events grouped by the source IP address event name and user Src IP Dst IP Event Name User Displays a summarized list of events grouped by the source IP address destination IP address event...

Page 148: ...igh Level Cat Displays a summarized list of events grouped by the source IP address and the high level category The aggregate results provides a list of source IP addresses For more information on cat...

Page 149: ...s to destination IP addresses and the low level category For more information on categories see the Event Category Correlation Reference Guide Table 6 7 Aggregate Normalized Events continued Aggregate...

Page 150: ...vent this field indicates Multiple and the number Category Specifies the low level category of this event If there are multiple categories associated with this event this field indicates Multiple and...

Page 151: ...ting Saved Searches Searching Events To search events Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Choose one of the following options a If you have previously saved search...

Page 152: ...the first drop down list box select an attribute you wish to search For example Any IP Source Port or Protocol From the second drop down list box select the modifier you wish to use for the search Th...

Page 153: ...y the maximum search results are provided Step 5 To save the specified search criteria for future use a Click Save Search The Save Search window appears b Enter values for the parameters Search Order...

Page 154: ...ssociated offense Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Select the normalized or raw event for which you wish to view the offense to which the event is correlated wh...

Page 155: ...from DSMs that the system is unable to categorize STRM categorizes these types of events as unknown These events may occur for several reasons including User defined Events Some DSMs such as SNORT al...

Page 156: ...Step 5 Step 5 To search for a particular QID or high and low level categories that you wish to map this event to a In the High Level Category drop down list box specify the high level category you wis...

Page 157: ...To tune a false positive event Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Select the event you wish to tune Step 3 Click False Positive The False Positive window appears...

Page 158: ...p Language XML or Comma Separated Values CSV To export events Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Choose one of the following a If you wish to export the event s i...

Page 159: ...ues or priorities STRM also visually profiles and displays network flow activity on color coded graphs based on time of day traffic type and network depth STRM uses traffic profiles to analyze the act...

Page 160: ...n port Table 7 1 Flow Viewer Interface Options Option Description Allows you to perform searches on flows including Edit Search Allows you to search flows Quick Searches Allows you to perform previous...

Page 161: ...s Parameter Description Current Filters The top of the table displays the details of the filter applied To clear filter values click Clear Filter Flow Type Specifies the flow type First Packet Time Sp...

Page 162: ...enables a network to provide various levels of service for flows QoS provides the following basic levels of service Best Effort This level of service does not guarantee delivery The delivery of the fl...

Page 163: ...kets are inbound the local IP address started this flow Source IP Specifies the source IP address of the flow Destination IP Specifies the destination IP address of the flow Source Port Specifies the...

Page 164: ...click Hex To view the payload in UTF click UTF To view in Base64 click Base64 Table 7 3 Flow Details continued Parameter Description Table 7 4 Aggregate Flows Aggregate Option Description Unioned Flow...

Page 165: ...by the destination Interface Index ifIndex of the flow Flow Direction Displays a summarized list of flows grouped by the direction of the flow ICMP Type Displays a summarized list of flows grouped by...

Page 166: ...ed list of flows grouped by the destination port and the protocol associated to the flow Dst Port Application Displays a summarized list of flows grouped by the destination port and the application re...

Page 167: ...f packets sent to the IP address Packets Out Specifies the number of packets sent from the IP address Total Packets Specifies the total number of packets associated with this IP address Host Count Spe...

Page 168: ...e flows If there are multiple applications associated with this event this field indicates Multiple and the number Bytes In Specifies the number of bytes sent to the IP address Bytes Out Specifies the...

Page 169: ...he protocol associated with this flow Note This parameter only applies to the Flow Direction Source Network Destination Network Protocol Source IP to Destination IP Source ASN Destination ASN Destinat...

Page 170: ...ng Saved Searches Searching Flows To search flows Step 1 Click the Flow Viewer tab The Flow Viewer window appears Step 2 Choose one of the following options a If you have previously saved search crite...

Page 171: ...criteria including From the first drop down list box select an attribute you wish to search For example Any IP Source Port or Protocol From the second drop down list box select the modifier you wish t...

Page 172: ...mation on your search results see Viewing Aggregated Flows Step 5 To save the specified search criteria for future use a Click Save Search The Save Search window appears b Enter values for the paramet...

Page 173: ...drop down list box b If you wish to export the flows in CSV format select Export to CSV from the Actions drop down list box Table 7 9 Save Search Parameters Parameter Description Search Name Specify...

Page 174: ...ide 168 USING THE FLOW VIEWER The status window appears When the export is complete the window disappears or click Notify When Done to resume your activities and receive a notification when the export...

Page 175: ...determine if the asset is vulnerable to this attack by correlating the attack to the asset profile Using the Assets tab you can view all the learned assets or search for specific assets to view there...

Page 176: ...may be a maximum of 20 characters Host Name Specify the host name of the asset This field supports using special characters to aid your search including Specifies any text Specifies any single charact...

Page 177: ...ng Specifies any text Specifies any single character Specifies that you wish to change the or symbol to a valid symbol For example if you include a name of name this means you are searching for a user...

Page 178: ...History option Table 8 1 Assets Panel continued Parameter Description Table 8 2 Asset Window Parameter Description IP Specifies the IP address of the asset MAC Specifies the last known MAC address of...

Page 179: ...meter Description Table 8 3 Asset Profile Window Parameter Description Name Specifies the name of the asset Description Specifies a description for this asset IP Address Specifies the IP address of th...

Page 180: ...3 Asset Profile Window continued Parameter Description Table 8 4 Ports Information Parameter Description Port Specifies the port number for the services discovered running on the asset OSVDB ID Speci...

Page 181: ...ne name of this asset If unknown this field is blank User Specifies the user for this asset If unknown this field is blank User Group Specifies the user group for this asset If unknown this field is b...

Page 182: ...e asset you wish to edit Step 5 Click Edit Asset The Asset Profile window appears The Asset Profile window provides the following information Description Specifies the description of the asset Asset W...

Page 183: ...nt Table 8 7 Asset Profile Window continued Parameter Description Table 8 8 Ports Information Parameter Description Port Specifies the port number for the services discovered running on the asset OSVD...

Page 184: ...lect multiple assets Step 5 From the Actions drop down list box select Delete Asset A confirmation window appears Step 6 Click Ok Deleting All Assets To delete all assets Step 1 Click the Assets tab T...

Page 185: ...process For example WebServer01 Weight Specifies a number from 0 to 10 which indicates the importance of this asset on your network A value of 0 denotes low importance and 10 is very high Description...

Page 186: ...n menu click Asset Profiles The Assets panel appears Step 3 Search for asset profiles For more information on searching asset profiles see Searching Asset Profiles Step 4 From the Actions drop down li...

Page 187: ...to other STRM users however administrative users can see all reports created by STRM users Reports also allows you to brand your documents with customized logos which enables you to support unique log...

Page 188: ...Displays the STRM user that generated the report Template Author Displays the user that created the template that generated this report Format Displays the available viewing formats Report Templates...

Page 189: ...ee Grouping Reports Allows you to manage report groups For more information see Grouping Reports Allows you to perform the following actions Create Allows you to create a new template For more informa...

Page 190: ...lity Categorizing your reports into groups allows you to efficiently view and track your reports For example you can view all reports related to compliance By default the Reports interface displays al...

Page 191: ...nu tree items to change the organization of the tree items Step 5 Click New Group The Group Properties window appears Step 6 Enter values for the parameters Name Specify the name you wish to assign to...

Page 192: ...ame Specify the name you wish to assign to the new group The name may be up to 255 characters in length Description Specify a description you wish to assign to this group The description may be up to...

Page 193: ...ete a template from a group Note Removing a template from a group only removes this template from the group Removing a template does not delete the template from Reports interface Step 1 Click the Rep...

Page 194: ...tep 3 Select the report s you wish to assign to a group Step 4 Click Assign Groups The Choose Group window appears Step 5 From the Item Groups list select the check box of the group you wish to assign...

Page 195: ...te a template Step 1 Click the Reports tab The Reports interface appears Step 2 From the Actions drop down list box select Create The Report Wizard appears Note Select the check box if you wish to dis...

Page 196: ...ific time frame from the previous day Click the check boxes beside each day you wish to generate a report Also using the drop down list box select a time to begin the reporting cycle Time is available...

Page 197: ...pe of report you wish to create do not choose a small chart container for graph content that may display a large number of objects Each graph is complete with a legend and a list of networks from whic...

Page 198: ...and used see Branding Your Report Chart Type Using the drop down list box select a chart for your container including Event Logs Flows Time Series Top Attackers Top Offenses Top Targeted Assets TopN T...

Page 199: ...eview your report Click Next The Report Format window appears The default is PDF Step 10 Select the check box for any or all formats for report viewing Click Next Note Generated reports can be one to...

Page 200: ...rmation on permissions see the STRM Administration Guide Email Select the check box if you wish to distribute the report using e mail Enter the report distribution email address es Specify the e mail...

Page 201: ...tes If you have not selected this option the report template is saved and generates as scheduled Table 9 5 Finishing Up Parameter Description Report Template Description Specify a description for this...

Page 202: ...a can be charted with several characteristics and created in a single report The following chart types are available for each template Event Logs Time Series Top Attackers Top Offenses Top Targeted As...

Page 203: ...u wish to appear on your report Options include Bar When selecting this option you must select the Timeline Interval from the Additional Details section Pie When selecting this option you must also se...

Page 204: ...our increments The default is 1 00 a m Weekly Choose one of the following options All data from previous week Data from a previous week Using the drop down list boxes select the days to begin and end...

Page 205: ...STRM Users Guide Creating a Report 199 Flows The Flows Chart allows you to view flow information for a specific period of time Figure 9 2 Flows Report...

Page 206: ...n Note For an example of how each type of graph charts data see Selecting a Graph Type Graph Using the drop down list box select the number of flows you wish to appear in the report Scheduling The sch...

Page 207: ...A Glance Network Health Summary Monthly Choose one of the following options All data from previous month Data from a previous month Using the drop down list boxes select the dates to begin and end ge...

Page 208: ...sing the drop down list box select the type of graph you wish to appear on your report Options include Line When selecting this option you must also select the Timeline Interval from the Additional De...

Page 209: ...l page width container only you must also select the Timeline Interval from the Additional Details section Note For an example of how each type of graph charts data see Selecting a Graph Type Scheduli...

Page 210: ...gregate of all objects on the chart Aggregate Baseline is default Graph Content Network Location Select the check box for each network you wish to chart data for You must select at least one network l...

Page 211: ...ting Group Expands chart to include Groups of a Network Location or View Object if the high level object is selected Leaves Expands chart to include Network Location leaves or View Object if the high...

Page 212: ...nge the automatically created sub title Enter a title to a maximum of 100 characters Top Using the drop down list box select the number of attackers to include on the graphs Graph Type Using the drop...

Page 213: ...hat are occurring at present time for the network locations you select Figure 9 5 Top Offenses Chart Daily Top Security and Policy Offenses Network Location Using the menu tree select the network s yo...

Page 214: ...of 100 characters Top Using the drop down list box select the number of offenses to include on the graphs Include Select the check box of the option you wish to include in your report The options are...

Page 215: ...Targeted Assets chart Daily Top Security and Policy Offenses Order Results By Using the drop down list box select how the data is sorted on the graph Options include Severity Magnitude Relevance Credi...

Page 216: ...nge the automatically created sub title Enter a title to a maximum of 100 characters Top Using the drop down list box select the number of items to include on the graphs Graph Type Using the drop down...

Page 217: ...example you can create an Executive Chart to represent Top 5 Threatening Traffic Categories Top 5 Event Categories Top 5 IP s Producing Threatening Traffic and Top 5 Networks by Security State Figure...

Page 218: ...tle to a maximum of 100 characters Graph Type Using the drop down list box select the type of graph you wish to appear on your report Options include HorizontalBar Pie Table full page width only Sched...

Page 219: ...such as Application data Event Data or Protocol Data TopN Time Series provides options to select View Objects from enabled Global Views In addition to these views TopN Time Series provides the followi...

Page 220: ...o include on the graph Options include None View Objects and Network Locations are graphed exactly as shown in the View Object tree menu This is the default setting Group Expands chart to include Grou...

Page 221: ...e Series chart type Bar Graph Available with the Time Series chart type Horizontal Bar Graph Available with the following chart types Top Attackers Top Offenses Top Targeted Assets TopN Time Series St...

Page 222: ...ated Reports panel When you re configure a template and enter a new report title your template takes on the new name however the original template remains the same Each template is designed to capture...

Page 223: ...he main Reports interface appears Step 2 Click the Report Templates menu option A list of templates appears Step 3 Select the report you wish to generate Step 4 Click Generate Report The report genera...

Page 224: ...es menu option A list of templates appears Step 3 Select the report s you wish to share Step 4 Click Share The Share Templates window appears Step 5 From the list of users select the user s you wish t...

Page 225: ...TRM Note To make sure your browser displays the new logo clear your browser cache Step 6 Select the logo you wish to use as the default and click Set Default Image This logo appears as the first optio...

Page 226: ......

Page 227: ...deny recommendation STRM recommends the deny action Note Before you create TNC recommendations you must install the Integrity Measurement Collector IMC and the Integrity Measurement Verifier IMV plug...

Page 228: ...including Deny Allow or Restrict Indicates compliance Using the drop down list box specify the compliance value you wish to be provided with the recommendation suggesting whether or Table 10 1 TNC Re...

Page 229: ...me Step 6 Click Make Recommendation Note You can also use the right mouse button right click to access the Make Recommendation menu item The recommendation appears in the Existing TNC Recommendation p...

Page 230: ...ations Parameter Description Use Allows you to select existing TNC recommendations Based On Specifies the existing recommended conditions The options are mac host machine name user user group or extra...

Page 231: ...s you if a policy has been breached or the network is under attack anomaly A deviation from expected behavior of the network anomaly sentry Monitors your deployment for any abnormal activity The algor...

Page 232: ...for the Internet which allocates and species Internet addresses used in inter domain routing With CIDR a single IP address can be used to designate many unique IP addresses client The host that origi...

Page 233: ...dress for resolving machine names to IP addresses duplicate flow When multiple QFlow Collectors detect the same flow this is referred to as a duplicate flow However in this event the QFlow Collector d...

Page 234: ...capture option has been selected and includes such details as when who how much protocols priorities options etc flow data Specific properties of a flow including IP addresses ports protocol bytes pac...

Page 235: ...e Internet Control Message Protocol IDS See Intrusion Detection System Internet Control Message Protocol ICMP An Internet network layer protocol between a host and gateway Internet Protocol IP The met...

Page 236: ...See Local To Local L2R See Local To Remote LAN See Local Area Network layers The property and measurement used in the Y axis of the main STRM graph The current value being used to draw the graphs is d...

Page 237: ...sed counts the number of bytes and packets and sends that data to a NetFlow collector You can configure STRM to accept NDE s and thus become a NetFlow collector Network Address Translation NAT See NAT...

Page 238: ...r a sentry all variables in the package configuration overwrite the Logic Unit variables The objects are created from any defined STRM views with the exception of the main network view For example a p...

Page 239: ...eting for your entire STRM deployment remote services view Using a remote IP address range remote services views allow you to determine how network resources are being used By default this view is dis...

Page 240: ...used for the network and subnet number through the use of a subnet mask subnet mask A bit mask that is logically ANDed with the destination IP address of an IP packet to determine the network address...

Page 241: ...ifies whenever a threshold is exceeded Thresholds can be based on any data collected by STRM not just packet count or bandwidth Time Series A reporting chart that graphs data based on time This chart...

Page 242: ...vulnerability risk The vulnerability assessment risk level 0 to 10 for the asset where 0 is the lowest and 10 is the highest This is a weighted value against all other hosts in your deployment Vulner...

Page 243: ...network anomalies 95 policy 95 potential exploit 95 recon 95 SIM audit 95 suspicious 95 system 96 VIS host discovery 96 conventions 1 correlate events 77 CRE category 95 custom category 96 custom sent...

Page 244: ...ossary 225 graphs interpreting 28 H high level category 93 I IP addresses investigating 10 J JavaScript functions custom sentry 69 L Layers box 32 Local Networks View 31 Logic Unit 40 low level catego...

Page 245: ...86 layout 188 layout preview 193 navigation menu 182 overview 9 scheduling options 189 selecting a container 192 selecting the layout 191 summary 195 template 189 time series chart 201 toolbar 183 top...

Page 246: ...geted assets 209 top targeted assets chart 209 TopN viewing 34 TopN time series 211 traffic location changing 33 trigger script 48 V variables sentry 74 views changing 30 global 25 VIS Host Discovery...

Reviews:

No comments

Related manuals for SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1

SmartSwitch 1800

Brand: Cabletron Systems Pages: 48

CRESTRON-APP-SSTV

Brand: Crestron Pages: 28

Portastudio iPad Application

Brand: Tascam Pages: 5

Mobile Anti-Virus 60 Series

Brand: F-SECURE Pages: 90

Brand: Adobe Pages: 306

Brand: ICP Pages: 77

Phaser 340 Installer

Brand: Xerox Pages: 2

Integrated Solution II

Brand: Lucent Technologies Pages: 177

Brand: TRENDnet Pages: 41

Brand: M-Audio Pages: 88

Brand: SAP Pages: 31

2521131 - Intel Wasp Motherboard

Brand: Intel Pages: 1

Brand: GRASS VALLEY Pages: 8

K2 FCP CONNECT -

Brand: GRASS VALLEY Pages: 19

Brand: Magellan Pages: 14

Brand: Guzik Pages: 29

Brand: Samsung Pages: 13

Brand: Viking Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands