manualshive.com logo in svg

Enterasys Intrusion Prevention System, Руководство по отчетности, Страница: 108 / 122

Поделиться
Скачать
Enterasys Intrusion Prevention System Скачать руководство пользователя страница 108

Using the Forensics Console

Legacy Reporting

11-20 Enterasys IPS Analysis and Reporting Guide

As tools are selected, different filtering options are enabled or disabled in the filter buttons.

4.

Click 

Date

 in the left navigation area. 

The date pulldown appears in the display area.

5.

Select the desired log file date for which you want the selected tool to apply.

6.

Select the desired filter buttons.

Filtering options are dynamic and vary for each tool selected. As URLs are generated in the 
reporting content in the display area, the filtering options are updated. For example, if you 
start with a sum_event report, and click on an event name, you are taken to a mklog report. 
The mklog report now includes a filter update that indicates which event was filtered. 

As you drill down from report to report, you can modify the current filtering rule. You can 
remove a filter for a specific port, or change a specific IP address to a more generic CIDR 
block.

Selecting a new tool clears all current dynamic filters.

7.

Click 

execute

.

The display area is populated with the requested data.

The following figures provide two sample reports. 

Figure 11-22

 is an example output of the 

sum_event tool. 

Figure 11-23

 shows the sum_event tool options used to select the desired 

output format.

mksession

Reconstructs TCP and UDP sessions from IP packets collected. Also lists times, IP 
addresses, and ports of active sessions in a dragon.db file.
When a partial list of matching sessions is displayed, the number of packets present in each 
session is indicated. Clicking on this number replays that unique session.
If source and destination IP addresses and source and destination ports are selected, a 
reconstruction of that particular session is attempted. Otherwise, a list of potentially 
matching sessions is displayed which can then be selected for display.

mkalarm

Scores each active IP address in dragon.db based on the amount of events and the 
seriousness of each event.

mkicmp

Searches for events from Dragon Network Sensors that contain ICMP packets. The tool 
can sort based on ICMP type and code, and print out a hash of the randomness of the 
ICMP payload which is key in detecting active ICMP based backdoors.

mkchart

Provides an ASCII chart that breaks out the number of events that have occurred against a 
range of IP addresses.
Clicking on a particular event number launches a mklog report filtered on the particular IP 
address and event name.
A CIDR block must be entered into the hosts filter with a last octet of zero. For example, to 
chart a CIDR block of 10.100.100.0/24, an IP address of 10.100.100.0 must be added.

mktime

Provides a 24-hour ASCII chart of time versus events. This is useful for identifying peak 
activity periods such as DoS attacks or brute force attacks.
Selecting any hourly bar chart produces a sum_event report of all events plus or minus 15 
minutes of the time selected.

mkports

Provides a chart listed by UDP and TCP ports.

Table 11-2 Forensics Tools  (Continued)

Forensics 
Tool

Description

Содержание Intrusion Prevention System

Страница 1: ...P N 9034069 13 Enterasys Intrusion Prevention System Analysis and Reporting Guide...

Страница 2: ......

Страница 3: ...r are registered trademarks of Adobe Systems Incorporated Intel Intel Pentium Xeon Celeron and Pentium II are trademarks or registered trademarks of Intel Corporation Cisco is a registered trademark o...

Страница 4: ...ssemble electronically transfer or reverse engineer the Licensed Software or to translate the Licensed Software into another computer language The media embodying the Licensed Software may be copied b...

Страница 5: ...obligation under this Agreement including a failure to pay any sums due to Enterasys or in the event that You become insolvent or seek protection voluntarily or involuntarily under any bankruptcy law...

Страница 6: ...es do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages so the above limitation and exclusion...

Страница 7: ...ashboard Overview 2 1 The Views Panel 2 2 The Tabbed Panel 2 4 Systems Tab 2 4 Sensors Tab 2 7 Interfaces Tab 2 9 EMS Reporting Tab 2 11 Customizing the Dashboard Interface 2 12 Customizing the Views...

Страница 8: ...and Grouping In Columns 6 4 Exporting Tables in CSV Format 6 6 Chapter 7 Event Details Chapter 8 Viewing a PCAP File for an Event Chapter 9 User Defined Reporting Creating a User Defined Report 9 1 V...

Страница 9: ...11 17 Realtime Status 11 18 Using the Forensics Console 11 18 Reviewing Forensics 11 18 Notes Option 11 21 Using the Trending Console 11 22 Event Summaries 11 22 IP Address Summaries 11 24 Event Detai...

Страница 10: ...viii...

Страница 11: ...n System Version 7 5 and higher Related Documents The Enterasys IPS user documentation listed below is available from https extranet enterasys com downloads Enterasys IPS Document Title Description Ap...

Страница 12: ...of trouble if known The device history for example have you returned the device before is this a recurring problem Any previous Return Material Authorization RMA numbers installdir Indicates to enter...

Страница 13: ...s and associated information Starting with v7 4 Enterasys IPS reporting supports IPv6 and IPv4 Starting Enterasys IPS Reporting Use the following procedure to start using the Enterasys IPS reporting t...

Страница 14: ...ress of the Reporting server b When the Launch page displays click on the Dragon Reporting link The Enterasys IPS Launch page also offers a link to the Legacy Dragon Reporting tools which are describe...

Страница 15: ...specific events Schedule and manage user defined reports Display help and logout Displaying Interactive Reports on page 1 4 Finding Events on page 1 13 Creating and Viewing User Defined Reports on pag...

Страница 16: ...ed in the last 24 hours only once but gives you the number of times it has occurred during the last 24 hours and the hours in which it occurred Clicking on an event causes event details to be displaye...

Страница 17: ...red in the last 24 hours in sequential order You can filter the data further by selecting an existing filter from the Filter drop down list or by creating a new filter as described in Creating and Edi...

Страница 18: ...er 4 Top N Reports By default Top N reports chart the top 10 occurrences of the selected event data such as Events by Event Group Events by Score and so on You select the event data to display from a...

Страница 19: ...clicking on a data group in the chart causes event details to be displayed in the Event Table pane located at the bottom of the interface window as shown in the following figure Right clicking on an e...

Страница 20: ...hour period as shown in the figure below Also by default Event Growth charts Column Bar Pie show the Top 10 and Bottom 10 events the Top 10 events are those that showed the greatest positive growth ov...

Страница 21: ...for the period an n day moving average and a daily event count Below the chart the total event count is displayed for the period as well as the average event count for the period shown The minimum and...

Страница 22: ...g Average by clicking the up or down arrows next to the field or by configuring a custom filter For more information about creating a custom filter see Creating and Editing Report Filters Creating and...

Страница 23: ...me group area is grayed out and not available 5 When you have completed specifying the filter parameters click Apply to apply the filter to the report Note that this does not save the filter but only...

Страница 24: ...s and click Save 3 Your report template is added to the list of User Defined Templates 4 Run the report manually by clicking on the Run icon green arrow on the right of the report template s row and v...

Страница 25: ...vents You can use the Find Events menu bar item to search for specific events based on criteria that you provide The Find Events tab allows you to select from predefined criteria sets as well as to sp...

Страница 26: ...s on page 3 4 Viewing Database Restore Status As part of a software upgrade install you can specify the number of days to restore from the existing database dragon db files The restore starts at the n...

Страница 27: ...now to effectively manage your Enterasys IPS deployment This includes status information for the sensors and nodes within a deployment The Dashboard lets you see at a glance both an overview of the st...

Страница 28: ...vidual bar in a bar graph applies that chart element as a filter in the Tabbed Panel of the Dashboard described in The Tabbed Panel on page 2 4 Use this feature to zoom in on the specific information...

Страница 29: ...rs that are up down and unmanaged The tooltip per bar displays the type of sensor Network or Host the status shown by the bar and the number of sensors represented by the bar Clicking any bar in the c...

Страница 30: ...as shown in Figure 2 1 on page 2 5 Top Sensors by Event Rate The Top Sensors by Event Rate chart displays a bar graph of the top ten most active by Event Rate Host and Network Sensors Each of the top...

Страница 31: ...em Refer to Table 2 4 on page 2 6 for more information Configuration Channel Status Status of system s Configuration Channel Values can be Connected Disconnected Unknown typically status of Unmanaged...

Страница 32: ...gabytes and of total available Disk Total MB The amount of disk space on the drive or the partition where Dragon is installed Disk Used MB Disk space used by all files and applications on the drive or...

Страница 33: ...You can display details about a specific sensor by selecting the sensor and clicking the double arrow button at the bottom right of the tab as shown in Figure 2 2 below Figure 2 2 The Sensors Tab Net...

Страница 34: ...packets per second Packets Blocked pps In an in line IPS deployment the packets that are blocked due to either intrusion prevention rules or a black list rule Expressed in packets per second Packets W...

Страница 35: ...lay options Table 2 6 on page 2 9 describes the type of data shown in the Interfaces tab table columns You can display details about a specific interface by selecting the interface and clicking the do...

Страница 36: ...intrusion prevention rules or a black list rule Expressed in packets per second Packets White listed pps In an in line IPS deployment the packets that were read in successfully and transmitted without...

Страница 37: ...The EMS Reporting Tab Event Cache Traffic Graph The Event Cache Traffic graph provides a visual indication of the rate at which events are being sent to the EMS and the rate at which they are being pr...

Страница 38: ...r and gauge how well it is keeping up with that load Customizing the Dashboard Interface Customizing the Views Panel You can resize interface elements in the Dashboard such as panels For example to re...

Страница 39: ...icon in the views title bar Figure 2 8 Show or Hide Individual Views If you remove a view from the Views Panel layout using the Close icon in the views title bar you can use the Views drop down menu...

Страница 40: ...ns You can resize table columns For example to resize a column mouse over the area between columns until the cursor changes as shown in Figure 2 11 Click drag and release the column separator to resiz...

Страница 41: ...Figure 2 13 Column Drop Down Menu Group Options Use the Group By This Field option to group the report displayed by the values in a specific column as shown in Figure 2 14 When you select Group By Th...

Страница 42: ...terfaces tab tables by checking and unchecking the desired columns in the Columns option drop down menu Figure 2 16 on page 2 17 illustrates how to display a list of columns Check or uncheck the appro...

Страница 43: ...nvironment If the component starts reporting statistics again it will again be displayed in the Dashboard Removing or Applying a Table Filter The Systems Sensors and Interfaces tabs have a Status Tota...

Страница 44: ...be prompted to specify the location Table 2 7 Systems and Sensors Tab Status Filters State Description Active Filter on Enterasys IPS systems sensors with a status of Active meaning that they are oper...

Страница 45: ...Reporting server cookies as follows 1 In the Web browser you use to view Enterasys IPS Reporting view stored cookies In Firefox for example select Tools Options from the main menu then click Privacy...

Страница 46: ...n partition Total disk space used on the Dragon partition Total memory available on the system in megabytes MB Total memory used on the system in megabytes MB System uptime Event rate from the system...

Страница 47: ...disk space available on the Dragon partition Total disk space used on the Dragon partition Total memory available on the system in megabytes MB Total memory used on the system in megabytes MB System...

Страница 48: ...Platform Specific Dashboard Details System Dashboard 2 22 Enterasys IPS Analysis and Reporting Guide...

Страница 49: ...s in which it occurred in the green bullets in the hour columns Table 3 1 on page 3 2 describes the columns in the Event Summary report You can filter the data in the report by selecting an existing f...

Страница 50: ...ther by selecting an existing filter from the Filter drop down list or by creating a new report filter as described in Creating and Editing Report Filters on page 1 10 Table 3 1 Event Summary Report C...

Страница 51: ...ow that attempts to resolve the IP address using a DNS lookup Additional publicly available web sites that perform address resolution are provided as links on the browser page Destination Address Look...

Страница 52: ...e 24 Hours reports on or off Customizing 24 Hours Report Tables The following sections describe customizations you can perform on the tables in the 24 Hours reports Resizing Columns You can resize tab...

Страница 53: ...tion to group the report displayed by the values in a specific column as shown in Figure 3 6 When you select Group By This Field the Show in Groups checkbox is automatically checked To undo the groupi...

Страница 54: ...nt Summary report Check or uncheck the appropriate check box to display or hide specific columns Figure 3 8 Selecting Columns to Display Exporting Tables in CSV Format The tables displayed in the 24 H...

Страница 55: ...2 on page 4 3 Table 4 1 on page 4 3 describes the Top N reports You can interactively change the number of occurrences charted by increasing or decreasing the number in the Top field at the top of the...

Страница 56: ...N Reports 4 2 Enterasys IPS Analysis and Reporting Guide Figure 4 1 Top N Report Window Selecting the Top N Report Type Figure 4 2 shows the drop down list of Top N report types that can be selected T...

Страница 57: ...value The value of N is 10 by default but can be changed in the Top field Events by Destination Address Charts the top N destination addresses of events over the time period specified by the Filter v...

Страница 58: ...by the Filter value The value of N is 10 by default but can be changed in the Top field Attacks by Destination Address Displays the top event counts categorized as ATTACKs by destination address over...

Страница 59: ...rt Type The default chart type of Top N reports is Column and the default chart type of Event Breakdown charts is Pie but you can interactively change the chart type by clicking on the chart type icon...

Страница 60: ...Selecting a Chart Type Top N Reports 4 6 Enterasys IPS Analysis and Reporting Guide...

Страница 61: ...nt Rate report tab and the Event Growth report tab Daily Event Rate Report The Daily Event Rate report provides the average event count for the period an n day moving average and a daily event count B...

Страница 62: ...displays the total event count and the event count change from the prior time period The text boxes displaying this information are bordered in green if the event count increased and in red if the ev...

Страница 63: ...shown in Figure 5 1 with lines indicating the average event count over the period and the moving average Figure 5 2 shows a Daily Event Rate Bar chart in logarithmic view Figure 5 2 Daily Event Rate...

Страница 64: ...event count per day the difference in count from the previous day and the moving average Note Pie chart legends have the potential for their bottom keys to be chopped off if the view port browser win...

Страница 65: ...reating and Editing Report Filters on page 1 10 You can also interactively change the days in moving average by increasing or decreasing the number in the Days in Moving Average field at the top of th...

Страница 66: ...ow only the Top n only the Bottom n or both Top and Bottom The maximum value of n is 50 The Event Growth Table shows all event counts for the two time periods not just the Top and or Bottom n events F...

Страница 67: ...le Column and Bar Charts The Bar and Column charts show the event totals for each range side by side These views provide more depth allowing you to compare the event totals in one range with another T...

Страница 68: ...ent Growth Tab Pie Chart Table Reports Table reports show all the data not just the Top n and Bottom n events as shown in Figure 5 8 on page 5 9 In the Table report you can right click on an event row...

Страница 69: ...period t the time periods used in the event comparison are the most recent period t and the period t immediately preceding the most recent period t For example if you specify one day the period used...

Страница 70: ...Event Growth Report Trending Reports 5 10 Enterasys IPS Analysis and Reporting Guide...

Страница 71: ...ding Daily Event Rate reports Displaying Data in the Event Table Pane The Event Table pane is located at the bottom of the interface window Single clicking on a data group in a chart or table causes t...

Страница 72: ...y score of the event Table can be filtered by score value Group The event group of the event Table can be organized by event group and also filtered by group Source IP The source IP address of the eve...

Страница 73: ...able 6 2 Right Click Action Menu Options Option Description Event Details Displays a pop up window containing details of the event See Chapter 7 Event Details for more information Source Address Looku...

Страница 74: ...umn name to a new location Figure 6 5 shows the Group column being repositioned to the left of the Score column Figure 6 5 Moving Columns Sorting Filtering and Grouping In Columns All columns in the E...

Страница 75: ...Show in Groups checkbox is automatically checked To undo the grouping uncheck the Show in Groups checkbox Figure 6 7 Grouping Options Selecting Columns to Display You can select what columns to displa...

Страница 76: ...Score column lets you choose from the possible values that can be displayed in that column Critical High Medium Low Figure 6 9 Column Filters Option Exporting Tables in CSV Format Tables displayed in...

Страница 77: ...selected event You can launch an Event Details window for any event instance or event name reported in a table such as Event Summary Event Log and the Event Table pane To display the Event Details wi...

Страница 78: ...Details window from Event Log the Event Table pane or Find Events the Event Details window has an upper pane with details about the event see Table 7 1 on page 7 3 and three tabs Description Includes...

Страница 79: ...t perform address resolution are provided as links on the browser page Port The source port Destination IP The destination IP address of the event Click the address link to display a new browser windo...

Страница 80: ...vent Summary the Event Details window contains only the Description and Signature Definition tabs Sensor Name Name of the Dragon sensor that generated the event In the case of Network Sensors this is...

Страница 81: ...event in the form of a PCAP file This lets you view traffic data in an application such as Wireshark To view captured session traffic data for an event 1 In the Event Table pane right click and select...

Страница 82: ...Viewing a PCAP File for an Event 8 2 Enterasys IPS Analysis and Reporting Guide...

Страница 83: ...ormats User defined report templates are created from predefined templates To create a new user defined report template and run the report 1 Select Schedule Manage Report Templates from the main menu...

Страница 84: ...ort is generated weekly on Sunday at 1 00 AM MONTHLY Report is generated monthly on the first of the month at 1 00 AM 6 To email this report to one or more recipients when it is generated enter one or...

Страница 85: ...en generated from user defined templates The Generated Reports page displays a row for each generated report Figure 9 1 Viewing Generated Reports Each generated report provides the tools described in...

Страница 86: ...Viewing Generated Reports User Defined Reporting 9 4 Enterasys IPS Analysis and Reporting Guide Prompts you to delete the selected generated report Table 9 2 Generated Reports Tools Icon Description...

Страница 87: ...u bar Figure 10 1 shows the Reporting Preferences page Figure 10 1 Reporting Preferences The available preferences that apply to Schedule menu features are described in Table 10 1 For information abou...

Страница 88: ...to elapse before Reporting sessions timeout session timeout 30 session timeout For example change session timeout 30 session timeout to session timeout 500 session timeout 3 Restart the JBoss server...

Страница 89: ...nformation They provide 48 hour breakout histograms of events so you can spot trends at a glance The tools are Realtime Console Forensic Console Trending Console Executive Reporting EMS Statistics Dra...

Страница 90: ...nt filters that allow you to quickly focus on a string of events Dragon Trending Console The Dragon Trending Console is used to answer questions about long term trends and activity The tool reads even...

Страница 91: ...Reporting server 2 When the Launch page displays click on the Continue to Legacy Dragon Reporting IPv4 support only link as shown in the following figure 3 When the login screen displays enter your U...

Страница 92: ...y of navigation areas depending on the tool selected and the current task There is a top right navigation area which allows you to select the desired tool The Top left navigation area provides tool sp...

Страница 93: ...Figure 11 2 Navigation Areas Display Area The Display Area populates most of the right side of the window It is in this area that the data selected is displayed and that you manipulate that data Top R...

Страница 94: ...ers the total event count To access the Realtime Console Main Window 1 Click Realtime in the top right navigation area The Realtime Console main window appears as shown in Figure 11 3 Navigation optio...

Страница 95: ...LIC events Figure 11 5 Realtime Console AnalyzeEvent Graph of SNMP PUBLIC Events These SNMP events occurred over several months yet some distinct patterns emerge All of the events seem to be concentra...

Страница 96: ...vent summaries print out a quick low resolution graph of the recent activity The graphs are designed for fast downloading Graphing of total events or scores is achieved For events a simple count of ma...

Страница 97: ...event If the number of events matching a query is greater than the number of events in the Lines Sessions filter value a set of up to ten URLs are printed at the bottom of the displayed HTML output Th...

Страница 98: ...Packet Data column provides the specific packet s information Figure 11 9 Pre Event Packet Data EventsByGroup This event summary lists all of the active event groups and the number of events in each...

Страница 99: ...lts in many matches most of which cannot be displayed You may start off by selecting a CIDR block of 8 then drilling down until the list events tool is called listing events from that particular IP ad...

Страница 100: ...ny events are observed to be active almost all of the time This usually indicates a high rate of false positives Figure 11 14 shows a more common output on a well tuned Dragon Network Sensor Notice th...

Страница 101: ...lar group name takes you to a SumEvents interface filtered for only events of that group and in that direction Figure 11 16 Realtime SummaryByDirection SummaryLast7Days The SummaryLast7Days event summ...

Страница 102: ...ueries The Custom Query window allows you to enter specific criteria that is used to generate customized information To enter Custom Queries 1 Click Custom Query in the top left navigation area 2 Ente...

Страница 103: ...ified by placing a dash between port values for example 80 100 Multiple values of single ports or port ranges must be separated by spaces Time Start Stop The Time Start Stop fields specify different v...

Страница 104: ...rom the Time Stop field is taken into consideration Events up to that specified time are retrieved span value selected both values in the Time Start and Time Stop fields are taken into consideration E...

Страница 105: ...lters pulldown menu 4 Click Execute The display area is populated with a single statement asking if you want to delete the selected filter 5 Click the statement to delete the listed filter If you do n...

Страница 106: ...of events along with other data You can also produce a list of individual events in the database that match a selected event In this list each event can have extra data displayed about it such as the...

Страница 107: ...of events In the list or direction output modes clicking on a unique event name produces a mklog report sum_ip Produces a list of unique IP addresses or CIDR blocks that have occurred in a 24 hour pe...

Страница 108: ...in a dragon db file When a partial list of matching sessions is displayed the number of packets present in each session is indicated Clicking on this number replays that unique session If source and d...

Страница 109: ...Forensics sum_event Tool Output Filtering Option Notes Option The Dragon Forensics Console also includes a utility to keep a daily log along with each of the dragon db files This allows you to write...

Страница 110: ...es over the selected time range is displayed The Trending Console is especially useful when you can only store a week or less worth of events in the Dragon Realtime Console To access the Trending Cons...

Страница 111: ...ng certain events can cause this graph and table to regenerate 2 Select the desired information to view by clicking the navigation buttons and selecting the desired item in the pulldown menu Table 11...

Страница 112: ...ey and drag the mouse to select a region The top seven events are indexed in a legend to the left of the graph Filtering certain events can cause this graph and table to regenerate 2 Select the desire...

Страница 113: ...dividual days and optionally times within days All queries outside of the range are ignored Hosts A list of IP addresses or CIDR blocks can be specified here The resulting list can be applied to all t...

Страница 114: ...any type source address destination address or both For example if a single CIDR block is specified and a query only looking for internal attacks is desired a setting of both is chosen for the IP Filt...

Страница 115: ...rt values for example 80 100 Multiple values of single ports or port ranges must be separated by spaces Time Start Stop The Time Start Stop fields specify different values depending on the values of t...

Страница 116: ...r example if the value indicates 36 events in the past 36 hours will be retrieved start value selected only the value from the Time Start field is taken into consideration Events starting at that spec...

Страница 117: ...urn to the reporting main navigation window to save reports To save all reports 1 Click Save All Reports A new window appears allowing you to select the sensors for which to save the report Reports th...

Страница 118: ...to return to the Reporting main window Viewing Saved Reports Saved reports are viewable in PDF format To view the list of saved reports 1 Click List Saved Reports in the left navigation panel of the R...

Страница 119: ...Legacy Reporting Managing Reports Enterasys IPS Analysis and Reporting Guide 11 31 Figure 11 29 Event Count by Classification Figure 11 30 Event Count by Day...

Страница 120: ...Managing Reports Legacy Reporting 11 32 Enterasys IPS Analysis and Reporting Guide Figure 11 31 Event Ratios by Day...

Страница 121: ...0 mkchart 11 20 mkicmp 11 20 mklog 11 19 mkports 11 20 mksesson 11 20 mktime 11 20 notes 11 21 sum_db 11 19 sum_event 11 19 sum_ip 11 19 G GraphEvents 11 8 GraphScores 11 8 I Interfaces tab 2 9 column...

Страница 122: ...report filters 1 10 report types 4 3 setting display preferences 3 4 6 3 trending custom queries 11 26 event details 11 25 event summaries 11 22 IP address summaries 11 24 Trending Console 11 2 11 22...

Отзывы:

Нет отзывов