
STRM Users Guide

Viewing Offense By Category

93

Step 5

From the Username drop-down list box, select the user you wish to assign this offense.

Step 6

Click Save.

The offense is assigned to the selected user. The user icon appears in the Flag column of the offenses, indicating the offense is assigned. The user can also see this offense in the My Offenses interface.

Viewing Offense By Category

The By Category panel provides you with a view of all offenses based on the high-level category.

Hint: By default, the By Category view is organized by offense count. Click Save Layout at any time to save the current display as your default view. The next time you log in to the Offense Manager, the saved layout appears.

To view offenses using the by category view:

Step 1

Click the Offense Manager tab.

The Offense Manager window appears.

Step 2

Click By Category from the navigation menu.

The By Category view appears, displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.

Hint: Only low-level categories with associated offenses appear with an arrow. You can click the arrow to view the associated low-level categories. If you wish to view all categories, click Show Inactive Categories.


Страница 152: ...the first drop down list box select an attribute you wish to search For example Any IP Source Port or Protocol From the second drop down list box select the modifier you wish to use for the search Th...

Страница 153: ...y the maximum search results are provided Step 5 To save the specified search criteria for future use a Click Save Search The Save Search window appears b Enter values for the parameters Search Order...

Страница 154: ...ssociated offense Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Select the normalized or raw event for which you wish to view the offense to which the event is correlated wh...

Страница 155: ...from DSMs that the system is unable to categorize STRM categorizes these types of events as unknown These events may occur for several reasons including User defined Events Some DSMs such as SNORT al...

Страница 156: ...Step 5 Step 5 To search for a particular QID or high and low level categories that you wish to map this event to a In the High Level Category drop down list box specify the high level category you wis...

Страница 157: ...To tune a false positive event Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Select the event you wish to tune Step 3 Click False Positive The False Positive window appears...

Страница 158: ...p Language XML or Comma Separated Values CSV To export events Step 1 Click the Event Viewer tab The Event Viewer window appears Step 2 Choose one of the following a If you wish to export the event s i...

Страница 159: ...ues or priorities STRM also visually profiles and displays network flow activity on color coded graphs based on time of day traffic type and network depth STRM uses traffic profiles to analyze the act...

Страница 160: ...n port Table 7 1 Flow Viewer Interface Options Option Description Allows you to perform searches on flows including Edit Search Allows you to search flows Quick Searches Allows you to perform previous...

Страница 161: ...s Parameter Description Current Filters The top of the table displays the details of the filter applied To clear filter values click Clear Filter Flow Type Specifies the flow type First Packet Time Sp...

Страница 162: ...enables a network to provide various levels of service for flows QoS provides the following basic levels of service Best Effort This level of service does not guarantee delivery The delivery of the fl...

Страница 163: ...kets are inbound the local IP address started this flow Source IP Specifies the source IP address of the flow Destination IP Specifies the destination IP address of the flow Source Port Specifies the...

Страница 164: ...click Hex To view the payload in UTF click UTF To view in Base64 click Base64 Table 7 3 Flow Details continued Parameter Description Table 7 4 Aggregate Flows Aggregate Option Description Unioned Flow...

Страница 165: ...by the destination Interface Index ifIndex of the flow Flow Direction Displays a summarized list of flows grouped by the direction of the flow ICMP Type Displays a summarized list of flows grouped by...

Страница 166: ...ed list of flows grouped by the destination port and the protocol associated to the flow Dst Port Application Displays a summarized list of flows grouped by the destination port and the application re...

Страница 167: ...f packets sent to the IP address Packets Out Specifies the number of packets sent from the IP address Total Packets Specifies the total number of packets associated with this IP address Host Count Spe...

Страница 168: ...e flows If there are multiple applications associated with this event this field indicates Multiple and the number Bytes In Specifies the number of bytes sent to the IP address Bytes Out Specifies the...

Страница 169: ...he protocol associated with this flow Note This parameter only applies to the Flow Direction Source Network Destination Network Protocol Source IP to Destination IP Source ASN Destination ASN Destinat...

Страница 170: ...ng Saved Searches Searching Flows To search flows Step 1 Click the Flow Viewer tab The Flow Viewer window appears Step 2 Choose one of the following options a If you have previously saved search crite...

Страница 171: ...criteria including From the first drop down list box select an attribute you wish to search For example Any IP Source Port or Protocol From the second drop down list box select the modifier you wish t...

Страница 172: ...mation on your search results see Viewing Aggregated Flows Step 5 To save the specified search criteria for future use a Click Save Search The Save Search window appears b Enter values for the paramet...

Страница 173: ...drop down list box b If you wish to export the flows in CSV format select Export to CSV from the Actions drop down list box Table 7 9 Save Search Parameters Parameter Description Search Name Specify...

Страница 174: ...ide 168 USING THE FLOW VIEWER The status window appears When the export is complete the window disappears or click Notify When Done to resume your activities and receive a notification when the export...

Страница 175: ...determine if the asset is vulnerable to this attack by correlating the attack to the asset profile Using the Assets tab you can view all the learned assets or search for specific assets to view there...

Страница 176: ...may be a maximum of 20 characters Host Name Specify the host name of the asset This field supports using special characters to aid your search including Specifies any text Specifies any single charact...

Страница 177: ...ng Specifies any text Specifies any single character Specifies that you wish to change the or symbol to a valid symbol For example if you include a name of name this means you are searching for a user...

Страница 178: ...History option Table 8 1 Assets Panel continued Parameter Description Table 8 2 Asset Window Parameter Description IP Specifies the IP address of the asset MAC Specifies the last known MAC address of...

Страница 179: ...meter Description Table 8 3 Asset Profile Window Parameter Description Name Specifies the name of the asset Description Specifies a description for this asset IP Address Specifies the IP address of th...

Страница 180: ...3 Asset Profile Window continued Parameter Description Table 8 4 Ports Information Parameter Description Port Specifies the port number for the services discovered running on the asset OSVDB ID Speci...

Страница 181: ...ne name of this asset If unknown this field is blank User Specifies the user for this asset If unknown this field is blank User Group Specifies the user group for this asset If unknown this field is b...

Страница 182: ...e asset you wish to edit Step 5 Click Edit Asset The Asset Profile window appears The Asset Profile window provides the following information Description Specifies the description of the asset Asset W...

Страница 183: ...nt Table 8 7 Asset Profile Window continued Parameter Description Table 8 8 Ports Information Parameter Description Port Specifies the port number for the services discovered running on the asset OSVD...

Страница 184: ...lect multiple assets Step 5 From the Actions drop down list box select Delete Asset A confirmation window appears Step 6 Click Ok Deleting All Assets To delete all assets Step 1 Click the Assets tab T...

Страница 185: ...process For example WebServer01 Weight Specifies a number from 0 to 10 which indicates the importance of this asset on your network A value of 0 denotes low importance and 10 is very high Description...

Страница 186: ...n menu click Asset Profiles The Assets panel appears Step 3 Search for asset profiles For more information on searching asset profiles see Searching Asset Profiles Step 4 From the Actions drop down li...

Страница 187: ...to other STRM users however administrative users can see all reports created by STRM users Reports also allows you to brand your documents with customized logos which enables you to support unique log...

Страница 188: ...Displays the STRM user that generated the report Template Author Displays the user that created the template that generated this report Format Displays the available viewing formats Report Templates...

Страница 189: ...ee Grouping Reports Allows you to manage report groups For more information see Grouping Reports Allows you to perform the following actions Create Allows you to create a new template For more informa...

Страница 190: ...lity Categorizing your reports into groups allows you to efficiently view and track your reports For example you can view all reports related to compliance By default the Reports interface displays al...

Страница 191: ...nu tree items to change the organization of the tree items Step 5 Click New Group The Group Properties window appears Step 6 Enter values for the parameters Name Specify the name you wish to assign to...

Страница 192: ...ame Specify the name you wish to assign to the new group The name may be up to 255 characters in length Description Specify a description you wish to assign to this group The description may be up to...

Страница 193: ...ete a template from a group Note Removing a template from a group only removes this template from the group Removing a template does not delete the template from Reports interface Step 1 Click the Rep...

Страница 194: ...tep 3 Select the report s you wish to assign to a group Step 4 Click Assign Groups The Choose Group window appears Step 5 From the Item Groups list select the check box of the group you wish to assign...

Страница 195: ...te a template Step 1 Click the Reports tab The Reports interface appears Step 2 From the Actions drop down list box select Create The Report Wizard appears Note Select the check box if you wish to dis...

Страница 196: ...ific time frame from the previous day Click the check boxes beside each day you wish to generate a report Also using the drop down list box select a time to begin the reporting cycle Time is available...

Страница 197: ...pe of report you wish to create do not choose a small chart container for graph content that may display a large number of objects Each graph is complete with a legend and a list of networks from whic...

Страница 198: ...and used see Branding Your Report Chart Type Using the drop down list box select a chart for your container including Event Logs Flows Time Series Top Attackers Top Offenses Top Targeted Assets TopN T...

Страница 199: ...eview your report Click Next The Report Format window appears The default is PDF Step 10 Select the check box for any or all formats for report viewing Click Next Note Generated reports can be one to...

Страница 200: ...rmation on permissions see the STRM Administration Guide Email Select the check box if you wish to distribute the report using e mail Enter the report distribution email address es Specify the e mail...

Страница 201: ...tes If you have not selected this option the report template is saved and generates as scheduled Table 9 5 Finishing Up Parameter Description Report Template Description Specify a description for this...

Страница 202: ...a can be charted with several characteristics and created in a single report The following chart types are available for each template Event Logs Time Series Top Attackers Top Offenses Top Targeted As...

Страница 203: ...u wish to appear on your report Options include Bar When selecting this option you must select the Timeline Interval from the Additional Details section Pie When selecting this option you must also se...

Страница 204: ...our increments The default is 1 00 a m Weekly Choose one of the following options All data from previous week Data from a previous week Using the drop down list boxes select the days to begin and end...

Страница 205: ...STRM Users Guide Creating a Report 199 Flows The Flows Chart allows you to view flow information for a specific period of time Figure 9 2 Flows Report...

Страница 206: ...n Note For an example of how each type of graph charts data see Selecting a Graph Type Graph Using the drop down list box select the number of flows you wish to appear in the report Scheduling The sch...

Страница 207: ...A Glance Network Health Summary Monthly Choose one of the following options All data from previous month Data from a previous month Using the drop down list boxes select the dates to begin and end ge...

Страница 208: ...sing the drop down list box select the type of graph you wish to appear on your report Options include Line When selecting this option you must also select the Timeline Interval from the Additional De...

Страница 209: ...l page width container only you must also select the Timeline Interval from the Additional Details section Note For an example of how each type of graph charts data see Selecting a Graph Type Scheduli...

Страница 210: ...gregate of all objects on the chart Aggregate Baseline is default Graph Content Network Location Select the check box for each network you wish to chart data for You must select at least one network l...

Страница 211: ...ting Group Expands chart to include Groups of a Network Location or View Object if the high level object is selected Leaves Expands chart to include Network Location leaves or View Object if the high...

Страница 212: ...nge the automatically created sub title Enter a title to a maximum of 100 characters Top Using the drop down list box select the number of attackers to include on the graphs Graph Type Using the drop...

Страница 213: ...hat are occurring at present time for the network locations you select Figure 9 5 Top Offenses Chart Daily Top Security and Policy Offenses Network Location Using the menu tree select the network s yo...

Страница 214: ...of 100 characters Top Using the drop down list box select the number of offenses to include on the graphs Include Select the check box of the option you wish to include in your report The options are...

Страница 215: ...Targeted Assets chart Daily Top Security and Policy Offenses Order Results By Using the drop down list box select how the data is sorted on the graph Options include Severity Magnitude Relevance Credi...

Страница 216: ...nge the automatically created sub title Enter a title to a maximum of 100 characters Top Using the drop down list box select the number of items to include on the graphs Graph Type Using the drop down...

Страница 217: ...example you can create an Executive Chart to represent Top 5 Threatening Traffic Categories Top 5 Event Categories Top 5 IP s Producing Threatening Traffic and Top 5 Networks by Security State Figure...

Страница 218: ...tle to a maximum of 100 characters Graph Type Using the drop down list box select the type of graph you wish to appear on your report Options include HorizontalBar Pie Table full page width only Sched...

Страница 219: ...such as Application data Event Data or Protocol Data TopN Time Series provides options to select View Objects from enabled Global Views In addition to these views TopN Time Series provides the followi...

Страница 220: ...o include on the graph Options include None View Objects and Network Locations are graphed exactly as shown in the View Object tree menu This is the default setting Group Expands chart to include Grou...

Страница 221: ...e Series chart type Bar Graph Available with the Time Series chart type Horizontal Bar Graph Available with the following chart types Top Attackers Top Offenses Top Targeted Assets TopN Time Series St...

Страница 222: ...ated Reports panel When you re configure a template and enter a new report title your template takes on the new name however the original template remains the same Each template is designed to capture...

Страница 223: ...he main Reports interface appears Step 2 Click the Report Templates menu option A list of templates appears Step 3 Select the report you wish to generate Step 4 Click Generate Report The report genera...

Страница 224: ...es menu option A list of templates appears Step 3 Select the report s you wish to share Step 4 Click Share The Share Templates window appears Step 5 From the list of users select the user s you wish t...

Страница 225: ...TRM Note To make sure your browser displays the new logo clear your browser cache Step 6 Select the logo you wish to use as the default and click Set Default Image This logo appears as the first optio...

Страница 226: ......

Страница 227: ...deny recommendation STRM recommends the deny action Note Before you create TNC recommendations you must install the Integrity Measurement Collector IMC and the Integrity Measurement Verifier IMV plug...

Страница 228: ...including Deny Allow or Restrict Indicates compliance Using the drop down list box specify the compliance value you wish to be provided with the recommendation suggesting whether or Table 10 1 TNC Re...

Страница 229: ...me Step 6 Click Make Recommendation Note You can also use the right mouse button right click to access the Make Recommendation menu item The recommendation appears in the Existing TNC Recommendation p...

Страница 230: ...ations Parameter Description Use Allows you to select existing TNC recommendations Based On Specifies the existing recommended conditions The options are mac host machine name user user group or extra...

Страница 231: ...s you if a policy has been breached or the network is under attack anomaly A deviation from expected behavior of the network anomaly sentry Monitors your deployment for any abnormal activity The algor...

Страница 232: ...for the Internet which allocates and species Internet addresses used in inter domain routing With CIDR a single IP address can be used to designate many unique IP addresses client The host that origi...

Страница 233: ...dress for resolving machine names to IP addresses duplicate flow When multiple QFlow Collectors detect the same flow this is referred to as a duplicate flow However in this event the QFlow Collector d...

Страница 234: ...capture option has been selected and includes such details as when who how much protocols priorities options etc flow data Specific properties of a flow including IP addresses ports protocol bytes pac...

Страница 235: ...e Internet Control Message Protocol IDS See Intrusion Detection System Internet Control Message Protocol ICMP An Internet network layer protocol between a host and gateway Internet Protocol IP The met...

Страница 236: ...See Local To Local L2R See Local To Remote LAN See Local Area Network layers The property and measurement used in the Y axis of the main STRM graph The current value being used to draw the graphs is d...

Страница 237: ...sed counts the number of bytes and packets and sends that data to a NetFlow collector You can configure STRM to accept NDE s and thus become a NetFlow collector Network Address Translation NAT See NAT...

Страница 238: ...r a sentry all variables in the package configuration overwrite the Logic Unit variables The objects are created from any defined STRM views with the exception of the main network view For example a p...

Страница 239: ...eting for your entire STRM deployment remote services view Using a remote IP address range remote services views allow you to determine how network resources are being used By default this view is dis...

Страница 240: ...used for the network and subnet number through the use of a subnet mask subnet mask A bit mask that is logically ANDed with the destination IP address of an IP packet to determine the network address...

Страница 241: ...ifies whenever a threshold is exceeded Thresholds can be based on any data collected by STRM not just packet count or bandwidth Time Series A reporting chart that graphs data based on time This chart...

Страница 242: ...vulnerability risk The vulnerability assessment risk level 0 to 10 for the asset where 0 is the lowest and 10 is the highest This is a weighted value against all other hosts in your deployment Vulner...

Страница 243: ...network anomalies 95 policy 95 potential exploit 95 recon 95 SIM audit 95 suspicious 95 system 96 VIS host discovery 96 conventions 1 correlate events 77 CRE category 95 custom category 96 custom sent...

Страница 244: ...ossary 225 graphs interpreting 28 H high level category 93 I IP addresses investigating 10 J JavaScript functions custom sentry 69 L Layers box 32 Local Networks View 31 Logic Unit 40 low level catego...

Страница 245: ...86 layout 188 layout preview 193 navigation menu 182 overview 9 scheduling options 189 selecting a container 192 selecting the layout 191 summary 195 template 189 time series chart 201 toolbar 183 top...

Страница 246: ...geted assets 209 top targeted assets chart 209 TopN viewing 34 TopN time series 211 traffic location changing 33 trigger script 48 V variables sentry 74 views changing 30 global 25 VIS Host Discovery...
