Security Threat Response Manager

STRM Administration Guide

Release 2009.2

Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000

www.juniper.net
Published: 2010-04-01

Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Administration Guide
Release 2009.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
April 2010—Revision 1

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE
Audience
Conventions
Technical Documentation
Contacting Customer Support

1 OVERVIEW
About the Interface
Using the Interface
Deploying Changes
Resetting SIM
About High Availability

2 MANAGING USERS
Managing Roles
Viewing Roles
Creating a Role
Editing a Role
Deleting a Role
Managing User Accounts
Creating a User Account
Editing a User Account
Disabling a User Account
Authenticating Users

3 MANAGING THE SYSTEM
Managing Your License Keys
Updating your License Key
Exporting Your License Key Information
Restarting a System
Shutting Down a System
Configuring Access Settings
Configuring Firewall Access
Updating Your Host Set-up
Configuring Interface Roles
Changing Passwords
Updating System Time

4 MANAGING HIGH AVAILABILITY
Adding an HA Cluster
Editing an HA Cluster
Removing an HA Host
Setting an HA Host Offline
Setting an HA Host Online
Restoring a Failed Host

5 SETTING UP STRM
Creating Your Network Hierarchy
Considerations
Defining Your Network Hierarchy
Scheduling Automatic Updates
Scheduling Automatic Updates
Updating Your Files On-Demand
Configuring System Settings
Configuring System Notifications
Configuring the Console Settings

6 MANAGING AUTHORIZED SERVICES
Viewing Authorized Services
Adding an Authorized Service
Revoking Authorized Services
Configuring the Customer Support Service
Dismissing an Offense
Closing an Offense
Adding Notes to an Offense

7 MANAGING BACKUP AND RECOVERY
Managing Backup Archives
Viewing Backup Archives
Importing an Archive
Deleting a Backup Archive
Backing Up Your Information
Scheduling Your Backup
Initiating a Backup
Restoring Your Configuration Information
Restoring on a System with the Same IP Address
Restoring to a System with a Different IP Address

8 USING THE DEPLOYMENT EDITOR
About the Deployment Editor
Accessing the Deployment Editor
Using the Editor
Creating Your Deployment
Before you Begin
Editing Deployment Editor Preferences
Building Your Flow View
Adding STRM Components
Connecting Components
Connecting Deployments
Renaming Components
Building Your Event View
Adding Components
Connecting Components
Forwarding Normalized Events
Renaming Components
Managing Your System View
Setting Up Managed Hosts
Using NAT with STRM
Configuring a Managed Host
Assigning a Component to a Host
Configuring Host Context
Configuring STRM Components
Configuring a Flow Collector
Configuring a Flow Processor
Configuring a Classification Engine
Configuring an Update Daemon
Configuring a Flow Writer
Configuring an Event Collector
Configuring an Event Processor
Configuring the Magistrate

9 MANAGING FLOW SOURCES
About Flow Sources
NetFlow
sFlow
J-Flow
Packeteer
Flowlog File
Napatech Interface
Managing Flow Sources
Adding a Flow Source
Editing a Flow Source
Enabling/Disabling a Flow Source
Deleting a Flow Source
Managing Flow Source Aliases
Adding a Flow Source Alias
Editing a Flow Source Alias
Deleting a Flow Source Alias

10 MANAGING SENTRIES
About Sentries
Viewing Sentries
Editing Sentry Details
Managing Packages
Creating a Sentry Package
Editing a Sentry Package
Managing Logic Units
Creating a Logic Unit
Editing a Logic Unit

11 MANAGING VIEWS
Using STRM Views
About Views
About Global Views
Defining Unique Objects
Managing Ports View
Default Ports Views
Adding a Ports Object
Editing a Ports Object
Managing Application Views
Default Application Views
Adding an Applications Object
Editing an Applications Object
Managing Remote Networks View
Default Remote Networks Views
Adding a Remote Networks Object
Editing a Remote Networks Object
Managing Remote Services Views
Default Remote Services Views
Adding a Remote Services Object
Editing a Remote Services Object
Managing Collector Views
Adding a Flow Collector Object
Editing a Flow Collector Object
Managing Custom Views
About Custom Views
Editing Custom Views
Editing the Equation
Enabling and Disabling Views
Using Best Practices

12 CONFIGURING RULES
Viewing Rules
Enabling/Disabling Rules
Creating a Rule
Event Rule Tests
Offense Rule Tests
Copying a Rule
Deleting a Rule
Grouping Rules
Viewing Groups
Creating a Group
Editing a Group
Copying an Item to Another Group(s)
Deleting an Item from a Group
Assigning an Item to a Group
Editing Building Blocks

13 DISCOVERING SERVERS

14 FORWARDING SYSLOG DATA
Adding a Syslog Destination
Editing a Syslog Destination
Deleting a Syslog Destination

A JUNIPER NETWORKS MIB

1 ENTERPRISE TEMPLATE DEFAULTS
Default Sentries
Default Custom Views
IP Tracking Group
Threats Group
Attacker Target Analysis Group
Target Analysis Group
Policy Violations Group
ASN Source Group
ASN Destination Group
IFIndexIn Group
IFIndexOut Group
QoS Group
Flow Shape Group
Default Rules
Default Building Blocks

2 UNIVERSITY TEMPLATE DEFAULTS
Default Sentries
Default Custom Views
IP Tracking Group
Threats Group
Attacker Target Analysis Group
Target Analysis Group
Policy Violations Group
ASN Source Group
ASN Destination Group
IFIndexIn Group
IFIndexOut Group
QoS Group
Flow Shape Group
Default Rules
Default Building Blocks

3 VIEWING AUDIT LOGS
Logged Actions
Viewing the Log File

INDEX

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.

Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

Type - Description
Information note - Information that describes important features or instructions.
Caution - Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning - Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper customer support web site at https://www.juniper.net/support/. Once you access the Juniper customer support web site, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: techpubs-comments@juniper.net. Include the following information with your comments:
• Document title
• Page number


Contacting Customer Support

To help you resolve any issues that you may encounter when installing or maintaining STRM, you can contact customer support as follows:
• Open a support case using the Case Management link at http://www.juniper.net/support/.
• Call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).

1 OVERVIEW

This chapter provides an overview of STRM administrative functionality including:
• About the Interface
• Using the Interface
• Deploying Changes
• Resetting SIM
• About High Availability

About the Interface

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab in the STRM interface. The Admin tab provides access to the following functions:
• Manage users. See Chapter 2 Managing Users.
• Manage your network settings. See Chapter 3 Managing the System.
• Manage STRM settings. See Chapter 5 Setting Up STRM.
• Manage authorized services. See Chapter 6 Managing Authorized Services.
• Back up and recover your data. See Chapter 7 Managing Backup and Recovery.
• Manage your deployment views. See Chapter 8 Using the Deployment Editor.
• Manage flow sources. See Chapter 9 Managing Flow Sources.
• Configure sentries. See Chapter 10 Managing Sentries.
• Configure views. See Chapter 11 Managing Views.
• Configure syslog forwarding. See Chapter 14 Forwarding Syslog Data.
• Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
• Manage log sources. For more information, see the Log Sources Users Guide.

All configuration updates using the Admin tab are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.


Using the Interface

The Admin tab provides several tab and menu options that allow you to configure STRM including:
• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, sentries, system settings, system notifications, authorized services, backup and recovery, and Console configuration.
• Data Sources - Provides access to vulnerability scanners, log source management, custom event properties, and flow sources.
• Views Configuration - Provides access to STRM views.

The Admin tab also includes several menu options including:

Table 1-1 Admin Tab Menu Options

Deployment Editor - Opens the deployment editor interface. For more information, see Chapter 8 Using the Deployment Editor.
Deploy Changes - Deploys any configuration changes from the current session to your deployment.
Advanced > Clean SIM Model - Resets the SIM module. See Resetting SIM.
Advanced > Deploy Full Configuration - Deploys all changes.

Deploying Changes

Once you update your configuration settings using the Admin tab, those changes are saved to the staging area. You must then deploy them, either manually using the Deploy Changes button or from the window that prompts you to deploy changes when you exit. All deployed changes are then applied throughout your deployment. Using the Admin tab menu, you can deploy changes as follows:
• Advanced > Deploy Full Configuration - Deploys all configuration settings to your deployment.
• Deploy Changes - Deploys any configuration changes from the current session to your deployment.

Resetting SIM

Using the Admin tab, you can reset the SIM module, which allows you to remove all offenses, attackers, and target information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information.


To reset the SIM module:
Step 1 Click the Admin tab.
Step 2 From the Advanced menu, select Clean SIM Model.
The Reset SIM Data Module window appears.
Step 3 Read the information in the window.
Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.
• Hard Clean - Purges all current and historical SIM data including offenses, targets, and attackers.
Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.
Step 7 Click Close.
Step 8 Once the SIM reset process is complete, reset your browser.

Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message appears.

About High Availability

The High Availability (HA) feature ensures availability of STRM data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware or network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.

Note: HA is not supported in an IPv6 environment.

For more information about managing HA clusters, see Chapter 4 Managing High Availability.

2 MANAGING USERS

You can add or remove user accounts for all users that you want to access STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM. You can also restrict or allow access to areas of the network. This chapter provides information on managing STRM users including:
• Managing Roles
• Managing User Accounts
• Authenticating Users

Managing Roles

You must create a role before you can create user accounts. By default, STRM provides a default administrative role, which provides access to all areas of STRM. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes. Using the Admin tab, you can:
• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.

Viewing Roles

To view roles:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window appears.


The Manage Roles window provides the following information:

Table 2-1 Manage Roles Parameters

Role - Specifies the defined user role.
Log Sources - Specifies the log sources that this role can access. This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from the assigned security and network log sources or log source groups. For non-administrative roles, this column contains a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of log sources that have been assigned to this role, move your mouse over the text in the Log Sources column.
Associated Users - Specifies the users associated with this role.
Action - Allows you to edit or delete the user role.

Creating a Role

To create a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the User Roles icon.
The Manage User Roles window appears.
Step 4 Click Create Role.
The Manage Role Permissions window appears.


Step 5 Enter values for the parameters. You must select at least one permission to proceed.

Table 2-2 Create Roles Parameters

Role Name - Specify the name of the role. The name can be up to 15 characters in length and must contain only letters and digits.
Admin - Select the check box if you want to grant users assigned this role administrative access to the STRM interface. Within the administrator role, you can grant additional access to the following:
• Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
• System Administrator - Select this check box if you want to allow users access to all areas of STRM except Views. Users with this access are not able to edit other administrator accounts.
• Views Administrator - Select this check box if you want to allow users the ability to create, edit, or delete Views, for example, the Application View and the Ports View.


Table 2-2 Create Roles Parameters (continued)

Offenses - Select the check box if you want to grant this user access to the Offenses interface. Within the Offenses interface functionality, you can grant additional access to the following:
• Customized Rule Creation - Select the check box if you want to allow users to create custom rules.
• Assign Offenses to Users - Select the check box if you want to allow users to assign offenses to other users.
For more information on the Offenses interface, see the STRM Users Guide.
Events - Select the check box if you want this user to have access to the Events interface. Within the Events role, you can also grant users additional access to the following:
• Customized Rule Creation - Select the check box if you want to allow users to create rules using the Events interface.
• User Defined Event Properties - Select the check box if you want to allow users the ability to create user-defined event properties.
• Event Search Restrictions Override - Select the check box if you want to allow users the ability to override event search restrictions.
For more information on the Events interface, see the STRM Users Guide.
Assets - Select the check box if you want to grant this user access to Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
• Server Discovery - Select the check box if you want to allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to allow users to perform vulnerability assessment scans.


Table 2-2 Create Roles Parameters (continued)

Network Surveillance - Select the check box if you want to grant this user access to Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following:
• View Flows - Select the check box if you want to allow users access to content captured using the View Flows function.
• View Flow Content - Select the check box if you want to allow users access to data accessed through the View Flow function.
• Sentry Modification - Select the check box if you want to allow users to modify existing sentries.
• View Flows Restrictions Override - Select the check box if you want to allow users the ability to override sentry restrictions.
For more information, see the STRM Users Guide.
Reports - Select the check box if you want to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
• Maintain Templates - Select the check box if you want to allow users to maintain reporting templates.
• Distribute Reports via Email - Select the check box if you want to allow users to distribute reports through e-mail.
For more information, see the STRM Users Guide.
IP Right Click Menu Extensions - Select the check box if you want to grant this user access to options added to the right mouse button (right-click) menu.

Step 6 Click Next.
Step 7 Choose one of the following options:
a If you selected a role that includes Events permissions, go to Step 8. The Add Log Sources to User Role window appears.
b If you selected a role that does not include Events permissions, go to Step 11.


Step 8 From the menu tree, locate and select a log source that you want users assigned to this role to have access to. The selected log source moves to the Selected Log Source Objects field.
Step 9 Repeat for all devices.
Step 10 Click Next.
Step 11 Click Return.
Step 12 Close the Manage Roles window.
The Admin tab appears.
Step 13 From the Admin tab menu, click Deploy Changes.
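The permission rules in Table 2-2 and under Managing Roles interact: Administrator Manager implies System Administrator, System Administrator covers every area except Views, an administrator cannot edit their own account, and a non-administrative role sees only its assigned log sources. The following Python model is an added example written for this guide, not STRM code or a Juniper API. The names Role, User, can_edit_account, can_manage_views and visible_log_sources are this example's own, and it makes two assumptions the guide does not state: that the built-in Admin role carries all three administrator sub-permissions, and that an Admin role with none of them cannot manage accounts at all.

```python
"""Added example: a model of the STRM role rules in Table 2-2 and Managing Roles.
Not STRM code; the names and the two assumptions marked below are this example's own."""
from dataclasses import dataclass

ADMIN_MANAGER = "Administrator Manager"
SYSTEM_ADMIN = "System Administrator"
VIEWS_ADMIN = "Views Administrator"
ADMIN_FLAGS = frozenset({ADMIN_MANAGER, SYSTEM_ADMIN, VIEWS_ADMIN})


@dataclass(frozen=True)
class Role:
    name: str
    admin: bool = False
    admin_flags: frozenset = frozenset()   # subset of ADMIN_FLAGS; only meaningful if admin
    log_sources: frozenset = frozenset()   # log sources a non-admin role may see

    def __post_init__(self):
        # Table 2-2: up to 15 characters, letters and digits only.
        if not (0 < len(self.name) <= 15 and self.name.isalnum()):
            raise ValueError(f"invalid role name: {self.name!r}")
        if self.admin_flags - ADMIN_FLAGS:
            raise ValueError(f"unknown administrator permission in {self.name!r}")
        if not self.admin and self.admin_flags:
            raise ValueError("administrator permissions require the Admin check box")


def effective_admin_flags(role: Role) -> frozenset:
    """Selecting Administrator Manager automatically selects System Administrator."""
    flags = set(role.admin_flags) if role.admin else set()
    if ADMIN_MANAGER in flags:
        flags.add(SYSTEM_ADMIN)
    return frozenset(flags)


@dataclass(frozen=True)
class User:
    name: str
    role: Role


def can_edit_account(actor: User, target: User) -> bool:
    """Whether actor may edit target's account.

    Rules from the guide: administrative users cannot edit their own account;
    editing another administrative account requires Administrator Manager;
    System Administrator alone may not edit other administrator accounts.
    Assumption: an Admin role with no sub-permission cannot manage accounts at all.
    """
    flags = effective_admin_flags(actor.role)
    if not flags:
        return False
    if actor.name == target.name:
        return False                      # another administrator must make the change
    if target.role.admin:
        return ADMIN_MANAGER in flags
    return SYSTEM_ADMIN in flags


def can_manage_views(role: Role) -> bool:
    """Views are the one area System Administrator does not cover."""
    return VIEWS_ADMIN in effective_admin_flags(role)


def visible_log_sources(user: User, all_sources) -> frozenset:
    """Administrative roles are unrestricted; other roles see only what was assigned."""
    all_sources = frozenset(all_sources)
    if user.role.admin:
        return all_sources
    return user.role.log_sources & all_sources


# Assumption: the default Admin role carries all three administrator sub-permissions.
DEFAULT_ADMIN = Role("Admin", admin=True, admin_flags=ADMIN_FLAGS)

if __name__ == "__main__":
    mgr = User("alice", Role("AcctMgr", admin=True, admin_flags=frozenset({ADMIN_MANAGER})))
    ops = User("bob", Role("SysOps", admin=True, admin_flags=frozenset({SYSTEM_ADMIN})))
    analyst = User("carol", Role("SOCTier1", log_sources=frozenset({"fw1", "fw2"})))
    print("alice edits bob (admin):", can_edit_account(mgr, ops))      # True
    print("bob edits alice (admin):", can_edit_account(ops, mgr))      # False
    print("bob edits carol:", can_edit_account(ops, analyst))          # True
    print("bob edits himself:", can_edit_account(ops, ops))            # False
    print("carol sees:", sorted(visible_log_sources(analyst, ["fw1", "fw2", "fw3"])))
```

Running the module checks a proposed set of roles against these rules before anything is deployed; the useful property to notice is that a role granted only System Administrator can change every non-administrative account but no administrator's, so the number of Administrator Manager holders is the number of people who can take over administrative access.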

Editing a Role

To edit a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon.
The Manage Role window appears.
Step 4 For the role you want to edit, click the edit icon.
The Manage Role Permissions window appears.
Step 5 Update the permissions (see Table 2-2), as necessary.
Step 6 Click Next.
Step 7 Choose one of the following options:
a If you are editing a role that includes Events permissions, go to Step 8.
b If you are editing a role that does not include Events permissions, go to Step 11.

The Add Log Sources to User Role window appears.

Step 8 Update log source permissions, as desired:
a To remove a log source permission, select the log source(s) in the Selected Log Source Objects field that you want to remove. Click Remove Selected Devices.
b To add a log source permission, select an object you want to add from the left panel.
Step 9 Repeat for all log sources you want to edit for this role.
Step 10 Click Next.
Step 11 Click Return.
Step 12 Click Save.
Step 13 Close the Manage User Roles window.
The Admin tab appears.
Step 14 From the Admin tab menu, click Deploy Changes.

Deleting a Role

To delete a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window appears.
Step 4 For the role you want to delete, click the delete icon.
A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Admin tab menu, click Deploy Changes.


Managing User Accounts

You can create a STRM user account, which allows a user to access selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges. You can create and edit user accounts to access STRM including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account

Creating a User Account

To create an account for a STRM user:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click Add.
The User Details window appears.
Step 5 Enter values for the following parameters:

Table 2-3 User Details Parameters

Username - Specify a username for the new user. The username must not include spaces or special characters.
Password - Specify a password for the user to gain access. The password must be at least five characters in length. Five characters is the minimum the interface enforces, not a recommendation; choose a longer password.
Confirm Password - Re-enter the password for confirmation.
Email Address - Specify the user's e-mail address.
Role - Using the drop-down list box, select the role you want this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.


Step 6 Click Next.
Step 7 Choose one of the following options:
a If you select Admin as the user role, go to Step 10.
b If you select a non-administrative user role, go to Step 8. The Selected Network Objects window appears.
Step 8 From the menu tree, select the network objects you want this user to be able to monitor. The selected network objects appear in the Selected Network Object panel.
Step 9 Click Finish.
Step 10 Close the Manage Users window.
The Admin interface appears.

Editing a User Account

To edit a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click the user account you want to edit.
The User Details window appears.
Step 5 Update values (see Table 2-3), as necessary.
Step 6 Click Next.


If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 10.
Step 7 From the menu tree, select the network objects you want this user to access.
The selected network objects appear in the Selected Network Object panel.
Step 8 For all network objects you want to remove access to, select the object from the Selected Network Objects panel. Click Remove.
Step 9 Click Finish.
Step 10 Close the Manage Users window.
The Admin tab appears.

Disabling a User Account

To disable a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click the user account you want to disable.
The User Details window appears.
Step 5 In the Role drop-down list box, select Disabled.
Step 6 Click Next.
Step 7 Close the Manage Users window.
The Admin tab appears. This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled.

After you delete a user, items such as saved searches, reports, sentries, and assigned offenses remain associated with the deleted user.

Authenticating Users

You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.

If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:
• Configure the authentication server before you configure authentication in STRM. Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of the STRM server. For more information on setting STRM time, see Chapter 3 Managing the System - Updating System Time.
• Make sure all users have appropriate user accounts and roles in STRM to allow authentication with the third-party servers.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 5 Setting Up STRM - Configuring the Console Settings.

An administrative user can always access STRM, either through the third-party authentication module or by using the local STRM Admin password. The STRM Admin password still functions after you have set up and activated a third-party authentication module; however, you cannot change the STRM Admin password while the authentication module is active. If you want to change the STRM Admin password, you need to temporarily disable the third-party authentication module, reset the password, and then reconfigure the third-party authentication module. Because the local Admin password stays valid whatever the external module decides, it is a standing credential that your directory's account controls do not cover; protect and rotate it accordingly.

To configure authentication:
Step 1 Click the Admin tab. Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Authentication icon.

The Authentication window appears.

STRM Administration Guide

18

MANAGING USERS

Step 4 From the Authentication Module drop-down list box, select the authentication type you want to configure.
Step 5 Configure the selected authentication type:
a If you selected System Authentication, go to Step 6.
b If you selected RADIUS Authentication, enter values for the following parameters:

Table 2-4 RADIUS Parameters

Parameter - Description
RADIUS Server - Specify the hostname or IP address of the RADIUS server.
RADIUS Port - Specify the port of the RADIUS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret - Specify the shared secret that STRM uses to encrypt RADIUS passwords for transmission to the RADIUS server.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 2-5 TACACS Parameters

Parameter - Description
TACACS Server - Specify the hostname or IP address of the TACACS server.
TACACS Port - Specify the port of the TACACS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret - Specify the shared secret that STRM uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected LDAP/Active Directory, enter values for the following parameters:

Table 2-6 LDAP/Active Directory Parameters

Parameter - Description
Server URL - Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context - Specify the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain - Specify the domain you want to use, for example q1labs.inc.

Step 6 Click Save.
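The RADIUS Shared Secret in Table 2-4 does two jobs that the table only names: it masks the PAP User-Password on the wire (RFC 2865 section 5.2) and it authenticates the server's Access-Accept or Access-Reject through the Response Authenticator. The following is an added example written for this guide, not STRM or Juniper code, that builds an Access-Request, recovers the password on the server side, and verifies the reply; the secret, username and password are constructed placeholders. It shows why a weak or shared-across-devices secret matters: anyone holding it can both unmask passwords and forge an Access-Accept.

```python
# Added example (not STRM or Juniper code): RADIUS Access-Request building and
# Access-Accept verification per RFC 2865, showing how the shared secret hides
# the PAP User-Password and authenticates the server's reply.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block of the NUL-padded password
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # the ciphertext block chains into the next mask
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding stripped)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Client side: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: only a peer holding the shared secret can produce a valid
    Response Authenticator, so a forged Access-Accept is rejected here."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    # Constructed sample exchange; the secret and credentials are placeholders.
    secret = b"replace-with-a-long-random-secret"
    request = build_access_request(7, b"alice", b"hunter2", secret)
    _, ident, req_auth, attrs = parse_packet(request)
    print("server recovers:", reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth))
    accept = build_response(ACCESS_ACCEPT, ident, req_auth, secret)
    print("reply authentic:", verify_response(accept, req_auth, secret))
    forged = build_response(ACCESS_ACCEPT, ident, req_auth, b"wrong-secret")
    print("forged reply accepted:", verify_response(forged, req_auth, secret))
```

The masking is MD5-based and reversible by anyone who knows the secret and sees the packet, which is why the guide's PAP entry says "sends clear text": the protection is only as strong as the secret and the network path between STRM and the RADIUS server.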


3

MANAGING THE SYSTEM

This chapter provides information for managing your system including:
• Managing Your License Keys
• Restarting a System
• Shutting Down a System
• Configuring Access Settings

Managing Your License Keys

For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System and License Management window, which you can access using the Admin tab. This window provides the status of the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see Updating your License Key.
• Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Default License in the Manage License window. The license for that system will default to the Console license key.

A license key allows a certain number of log sources to be configured in your system. If you exceed the limit of configured log sources, as established by the license key, an error message appears in the interface. To extend the number of log sources allowed, contact your sales representative. This section provides information on managing your license keys including:
• Updating your License Key
• Exporting Your License Key Information


Updating your License Key

For your STRM Console, a default license key provides you with access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:
• For a new or updated license key, contact your local sales representative.
• For all other technical issues, contact Juniper Networks customer support.

If you log in to STRM and your Console license key has expired, you are automatically directed to the System and License Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating that a system requires a new license key. You must navigate to the System and License Management window to update that license key.

To update your license key:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears, providing a list of all hosts in your deployment.
Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License.

The Current License Details window appears, providing the current license key limits. If you want to obtain additional licensing capabilities, please contact your sales representative.


Step 6 Click Browse beside the New License Key File field and locate the license key.
Step 7 Once you locate and select the license key, click Open.

The Current License Details window appears.
Step 8 Click Save.
Step 9 In the System and License Management window, click Deploy License Key.

Note: If you want to revert to the previous license key, click Revert to Deployed. If you want to revert to the license key used by the STRM Console system, click Revert to Console.

The license key information is updated in your deployment.


Exporting Your License Key Information

To export your license key information for all systems in your deployment:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears, providing a list of all hosts in your deployment.
Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses.

The export window appears.
Step 6 Select one of the following options:
• Open with - Opens the license key data with the selected application.
• Save File - Allows you to save the file to your desktop.
Step 7 Click OK.

Restarting a System

To restart a STRM system:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.

Shutting Down a System

To shut down a STRM system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the system you want to shut down.
Step 5 From the Actions menu, select Shutdown.

Configuring Access Settings

The System and License Management window provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change the password of a host. See Changing Passwords.
• Update the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between devices and STRM. Also, you can define access to the web-based system administration interface. To enable STRM managed hosts to access specific devices or interfaces:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Local Firewall.

The Local Firewall window appears.


Step 8 In the Device Access box, you must include any STRM systems you want to have access to this managed host. Only managed hosts listed will have access. For example, if you only enter one IP address, only that one IP address will be granted access to the managed host. All other managed hosts are blocked. To configure access:
a In the IP Address field, enter the IP address of the managed host you want to have access.
b From the Protocol list box, select the protocol for which you want to enable access for the specified IP address and port:
• UDP - Allows UDP traffic.
• TCP - Allows TCP traffic.
• Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.

Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration.
d Click Allow.

Step 9 In the System Administration Web Control box, enter the IP address(es) of the managed host(s) that you want to allow access to the web-based system administration interface in the IP Address field. Only IP addresses listed will have access to the interface. If you leave the field blank, all IP addresses will have access. Click Allow.

Note: Make sure you include the IP address of the client desktop you want to use to access the interface. Failing to do so may affect connectivity.

Step 10 Click Apply Access Controls.
Step 11 Wait for the interface to refresh before continuing.
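The two allow lists in Steps 8 and 9 have opposite defaults: an empty Device Access list blocks every managed host, while an empty System Administration Web Control list admits every IP address. The following is an added example, written for this guide and not STRM code, that models those semantics so the effect of a set of entries can be checked before clicking Apply Access Controls; the addresses and ports are constructed, and the audit() heuristics are this example's own, not a feature of the product.

```python
# Added example (not STRM code): a model of the Local Firewall semantics described
# in Steps 8 and 9, so the effect of an allow-list entry, and of an empty list,
# can be checked. All addresses and ports below are constructed.
from ipaddress import ip_address

PROTOCOLS = ("UDP", "TCP", "Any")


class LocalFirewall:
    """Device Access entries are (ip, protocol, port) allow rules; anything not listed
    is blocked. Web Control is an IP allow list where an EMPTY list means everyone."""

    def __init__(self):
        self.device_rules = []       # list of (ip, protocol, port) tuples
        self.web_control_ips = set()

    def allow_device(self, ip, protocol, port):
        """Equivalent of filling in IP Address, Protocol and Port and clicking Allow."""
        if protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range")
        rule = (str(ip_address(ip)), protocol, int(port))  # ip_address() rejects garbage
        if rule not in self.device_rules:
            self.device_rules.append(rule)

    def allow_web_control(self, ip):
        """Equivalent of adding an address to the System Administration Web Control box."""
        self.web_control_ips.add(str(ip_address(ip)))

    def device_access_permitted(self, src_ip, protocol, port):
        """True only when an explicit rule matches; 'Any' rules match both protocols."""
        src = str(ip_address(src_ip))
        return any(ip == src and p == int(port) and proto in ("Any", protocol)
                   for ip, proto, p in self.device_rules)

    def web_control_permitted(self, src_ip):
        if not self.web_control_ips:
            return True  # per Step 9: a blank field grants every IP address access
        return str(ip_address(src_ip)) in self.web_control_ips

    def audit(self, admin_desktop_ip=None):
        """Findings a reviewer would raise before clicking Apply Access Controls
        (heuristics of this example, not a product feature)."""
        findings = []
        if not self.web_control_ips:
            findings.append("Web Control list is empty: every IP address can reach the "
                            "web-based system administration interface")
        elif admin_desktop_ip and not self.web_control_permitted(admin_desktop_ip):
            findings.append(f"admin desktop {admin_desktop_ip} is not in the Web Control list; "
                            "applying these controls will lock it out")
        for ip, proto, port in self.device_rules:
            if proto == "Any":
                findings.append(f"{ip}:{port} allows any protocol; prefer TCP or UDP explicitly")
        return findings


if __name__ == "__main__":
    fw = LocalFirewall()
    fw.allow_device("10.0.0.5", "TCP", 443)     # constructed Console address
    fw.allow_device("10.0.0.6", "Any", 514)     # constructed collector address
    for finding in fw.audit(admin_desktop_ip="192.0.2.10"):
        print("finding:", finding)
```

The second audit finding only appears once the Web Control list is non-empty, which mirrors the Note after Step 9: the moment you restrict the list, the desktop you administer from must be on it.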

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail server you want STRM to use and the global password for STRM configuration. To configure your host set-up:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to update your host set-up settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > STRM Setup.

The STRM Setup window appears.
Step 8 In the Mail Server field, specify the address for the mail server you want STRM to use. STRM uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM, enter localhost.
Step 9 In the Enter the global configuration password field, enter the password you want to use to access the host. Confirm the entered password.


Note: The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.
Step 10 Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host. To assign roles:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Network Interfaces.

The Network Interfaces window appears with a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, contact Juniper Networks customer support.


Step 8 For each interface listed, select the role you want to assign to the interface using the Role list box.
Step 9 Click Save Configuration.
Step 10 Wait for the interface to refresh before continuing.

Changing Passwords

To change the passwords:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Root Password.

The Root Passwords window appears.

Step 8 Update the passwords:

Note: Make sure you record the entered values.
• New Root Password - Specify the root password necessary to access the web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.

Step 9 Click Update Password.

Updating System Time

You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server

Note: All system time changes must be made within the System Time window. You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE

To update the time settings using RDATE:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time.

The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 8 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to drop-down list box. Click Save.
Step 9 In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or IP address.
• Set hardware time to - Select the check box if you want to set the hardware time as well.
• Synchronize on schedule? - Specify one of the following options:
  • No - Select this option if you do not want to synchronize the time on a schedule. Go to Step 10.
  • Yes - Select this option if you want to synchronize the time on a schedule, then specify the schedule:
    • Simple Schedule - Specify if you want the time update to occur at a specific time. If not, select the Run at times selected below option.
    • Times and dates are selected below - Specify the time you want the time update to occur.


Step 10 Click Sync and Apply.

Configuring Time Settings For Your System

To update the time settings for your system:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time.

The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.


Step 8 In the System Time box, specify the current date and time you want to assign to the managed host. Click Apply. If you want to set the system time to the same as the hardware time, click Set system time to hardware time.
Step 9 In the Hardware Time box, specify the current date and time you want to assign to the managed host. Click Save. If you want to set the hardware time to the same as the system time, click Set hardware time to system time.
Step 10 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to drop-down list box. Click Save.


4

MANAGING HIGH AVAILABILITY

The High Availability (HA) feature ensures availability of STRM data in the event of a hardware or network failure. An HA cluster consists of a primary host and a secondary host that acts as a standby for the primary. The secondary host maintains the same data as the primary host by one of two methods: data replication or shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware and network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. For more information about primary and secondary HA hosts, see Installation Procedures in the STRM Installation Guide.

An HA cluster consists of the following:
• Primary host - The primary host is the host for which you want to configure HA. You can configure HA for any system (Console or non-Console) in your deployment. When you configure HA, the IP address of the primary host becomes the Cluster Virtual IP address; therefore, you must configure a new IP address for the primary host.
• Secondary host - The secondary host is the standby for the primary host. If the primary host fails, the secondary host automatically assumes all responsibilities of the primary host.
• Cluster Virtual IP address - When you configure HA, the IP address of the primary host becomes the Cluster Virtual IP address. In the event that the primary host fails, the Cluster Virtual IP address is assumed by the secondary host.

Note: You can view the IP addresses for the HA cluster by pointing your mouse over the Host Name field in the System and License Management window.

This chapter provides information for managing High Availability including:
• Adding an HA Cluster
• Editing an HA Cluster
• Setting an HA Host Offline
• Setting an HA Host Online
• Restoring a Failed Host

Adding an HA Cluster

The System and License Management window allows you to manage your HA clusters. Before adding an HA cluster, confirm the following:
• The secondary host you want to add must have a valid HA activation key.
• The secondary host you want to add must not already be a component in another HA cluster.
• The primary and secondary host must have the same STRM software version installed.
• The secondary host is located on the same subnet as the primary host.
• The new primary host IP address is set up on the same subnet.
• The secondary host must be configured with the same external iSCSI devices (if any) as the primary host. For more information about configuring iSCSI, see the Configuring iSCSI technical note.
• The /store partition on the secondary host must be larger than the /store partition on the primary host.
• The secondary host must use the same management interface as the primary host. For example, if the primary host uses ETH0 as the management interface, the secondary host must also use ETH0.
• If you plan to enable disk replication, we recommend that there is at least a 1 GB connection between the primary host and secondary host.

Note: Disk replication is not required on Flow Collectors, Flow Processors, and Event Processors; however, you can enable disk synchronization if you want to synchronize flows and events.

To add an HA cluster:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the host for which you want to configure HA.
Step 5 From the Actions menu, select Add HA Host.

Note: If the primary host is a Console, a warning message appears to indicate that the user interface restarts after you add the HA host. Click OK to proceed.

The HA Wizard appears.


Note: If you do not want to view the Welcome to the High Availability window again, select the Skip this page when running the High Availability wizard check box.
Step 6 Read the introductory text. Click Next.

The Select the High Availability Wizard Options window appears, automatically displaying the IP address of the primary host (Host IP).


Step 7 To configure the HA host information, configure the following parameters:

Table 4-1 HA Host Information Parameters

Parameter - Description
New Primary Host IP - Specify a new primary host IP address. The new primary host IP is assigned to the primary host. The previous IP address of the primary host becomes the Cluster Virtual IP address. If the primary host fails and the secondary host becomes active, the Cluster Virtual IP address is assigned to the secondary host. Note: The new primary host IP address must be on the same subnet as the Host IP.
Secondary Host IP - Specify the IP address of the secondary host you want to add. The secondary host must be in the same subnet as the primary host.
Enter the root password of the host - Specify the root password for the secondary host.
Confirm the root password of the host - Confirm the root password for the secondary host.
Step 8 Optional. To configure advanced parameters:
a To display the advanced option parameters, click the arrow beside Show Advanced Options. The advanced option parameters appear.
b Configure the following parameters:

Table 4-2 Advanced Options Parameters

Parameter - Description
Heartbeat Intervals (seconds) - Specify the time, in seconds, you want to elapse between heartbeat messages. The default is 10 seconds.
Heartbeat Timeout (seconds) - Specify the time, in seconds, you want to elapse before the primary host is considered unavailable if there is no heartbeat detected. The default is 30 seconds.
Network Connectivity Test: List peer IP addresses (comma delimited) - Specify the IP address(es) of the host(s) you want to ping to test the secondary host's network connection. The default is all other hosts in your deployment.
Disk Synchronization Rate (MB/s) - Specify or select the disk synchronization rate. The default is 100 MB/s.
Disable Disk Replication - Select this option if you want to disable disk replication. Note: This option is only visible for non-Console hosts.

c Click Next.

The Confirm the High Availability Wizard Options window appears.


Caution: If the primary host is configured with external storage, you must configure the secondary host with the same external storage before continuing.
Step 9 Review the information. Click Finish.

Note: If Disk Synchronization is enabled, it can take 4 to 6 hours for the data to initially synchronize. Note: If required, click Back to return to the Confirm the High Availability Wizard options window to edit the information. The System and License Management window displays the HA cluster you added. Use the Arrow icon to display or hide the secondary host.

The System and License Management window provides the status of your HA clusters including:


Table 4-3 HA Status Descriptions

Status - Description
Active - Specifies that the host is acting as the active system with all services running. Either the primary or secondary host can display the Active status. If the secondary host is displaying the Active status, failover has occurred.
Standby - Specifies that the host is acting as the standby system. This status will only display for a secondary host. The standby system has no services running. If disk replication is enabled, the standby system is replicating data from the primary host. If the primary host fails, the standby system automatically assumes the active role.
Failed - Specifies that the host is in a failed state. Either the primary or secondary host can display the Failed status:
• If the primary host displays the Failed status, the secondary host takes over the services and should now display the Active status.
• If the secondary host displays the Failed status, the primary host remains active, but is not protected by HA.
A system in the failed state must be manually repaired (or replaced), and then restored. See Restoring a Failed Host. Note: You may not be able to access a failed system from the Console.
Synchronizing - Specifies that the host is synchronizing data on the local disk of the host to match the currently active system. Note: This status only appears if disk replication is enabled.
Online - Specifies that the host is online.
Offline - Specifies that the host is offline. All processes are stopped and the host is not monitoring the heartbeat from the active system. Either the primary or the secondary host can display the Offline status. While in the Offline state, disk replication continues if it is enabled.
Restoring - Once you select High Availability > Restore System to restore a failed host (see Restoring a Failed Host), this status specifies that the system is in the process of restoring.
Needs License - Specifies that a license key is required. See Updating your License Key. In the Needs License state, no processes are running.


Editing an HA Cluster

Using the Edit HA Host feature, you can edit the advanced options for your HA cluster. To edit an HA cluster:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the row for the HA cluster you want to edit.
Step 5 From the High Availability menu, select Edit HA Host.

The HA Wizard appears, displaying the Select the High Availability Wizard Options window.
Step 6 Edit the parameters in the advanced options section. See Table 4-2.
Step 7 Click Next.

The Confirm the High Availability Wizard Options window appears.


Step 8 Review the information. Click Finish.

The secondary host restarts and your HA cluster continues functioning.

Removing an HA Host

You can remove an HA host from a cluster. When you remove an HA host, the host restarts and becomes available to be added to another cluster. You cannot remove a host from an HA cluster when the primary HA host is in the Failed, Offline, or Synchronizing state. To remove an HA host:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the HA host you want to remove.
Step 5 From the High Availability menu, select Remove HA Host.

A confirmation message appears, indicating that removing an HA host will reboot the user interface.
Step 6 Click OK.

Setting an HA Host Offline

To set an HA host offline:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the HA host you want to set offline.
Step 5 From the High Availability menu, select Set System Offline.

The status for the host changes to Offline. If you set the active system to offline, the standby system becomes the active system. If you set the standby system to offline, the standby system no longer monitors the heartbeat of the active system, but continues to synchronize data from the active system.

Setting an HA Host Online

To set an HA host online:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System and License Management icon.

The System and License Management window appears.
Step 4 Select the offline HA host you want to set online.
Step 5 From the High Availability menu, select Set System Online.

The status for the host changes to Online. When you set the secondary host to online, the secondary host becomes the standby system. If you set the primary host to online while the secondary system is currently the active system, the primary host becomes the active system and the secondary host automatically becomes the standby system.

Restoring a Failed Host

If a host displays a status of Failed, a hardware or network failure occurred for that host. Note: Before you can restore the host using the user interface, you must manually repair the host. For more information, see your network administrator.

STRM Administration Guide

Restoring a Failed Host

45

To restore a failed system:
Step 1 Recover the failed host.

Note: Recovering a failed host involves re-installing STRM. For more information about recovering a failed host, see the STRM Installation Guide. If you are recovering a primary host and your HA cluster uses shared storage, you must manually configure iSCSI. For more information about configuring iSCSI, see the Configuring iSCSI technical note.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 4 Click the System and License Management icon.

The System and License Management window appears.
Step 5 Select the failed HA host you want to restore.
Step 6 From the High Availability menu, select Restore System.

The system restores the HA configuration on the failed host. The status of the host changes through the following sequence:
a Restoring
b Synchronizing (if disk synchronization is enabled)
c Standby (secondary host) or Offline (primary host)

If the restored host is the primary system, you must set the primary system to the Online state. See Setting an HA Host Online.

5 SETTING UP STRM

This chapter provides information on setting up STRM including:
• Creating Your Network Hierarchy
• Scheduling Automatic Updates
• Configuring System Settings
• Configuring System Notifications
• Configuring the Console Settings

Creating Your Network Hierarchy

STRM uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment. When you develop your network hierarchy, you should consider the most effective method for viewing network activity. Note that the network you configure in STRM does not have to resemble the physical deployment of your network. STRM supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.

Considerations

Consider the following when defining your network hierarchy:
• Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.
• Create multiple top-level groups if your deployment is processing more than 600,000 flows.
• Organize your systems/networks by role or similar traffic patterns. For example, mail servers, departmental users, labs, development groups, or geographically disperse locations. This allows you to differentiate network behavior and enforce network management security policies.
• Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM, allowing you to enact specific policies.
• Within a group, place servers with high volumes of traffic, such as mail servers, at the top of the group. This provides you a clear visual representation when a discrepancy occurs. We recommend that you extend this practice to all views.


• Combine multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a single network/group to conserve disk space. For example:

Group | Description | IP Address
1 | Marketing | 10.10.5.0/24
2 | Sales | 10.10.8.0/21
3 | Database Cluster | 10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group.

You may also want to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied. For example:

Group | Subgroup | IP Address
Cleveland | Cleveland misc | 10.10.0.0/16
Cleveland | Cleveland Sales | 10.10.8.0/21
Cleveland | Cleveland Marketing | 10.10.1.0/24

If you add a new network to the above example, such as 10.10.50.0/24 for an HR department, its traffic appears as Cleveland-based and any policies or sentries applied to the Cleveland group are applied to it by default.

Defining Your Network Hierarchy

To define your network hierarchy:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Network Hierarchy icon.

The Network Views window appears.


Step 4 From the menu tree, select the area of the network in which you want to add a network component.

The Manage Group window appears for the selected network component.
Step 5 Click Add.

The Add Network Object window appears.

Step 6 Enter your network object values:

Table 5-1 Add New Object Parameters

Parameter | Action
Group | Specify the group for the new network object. Click Add Group to specify the group.
Name | Specify the name for the object.
Weight | Specify the weight of the object. The range is 0 to 100 and indicates the importance of the object in the system.
IP/CIDR(s) | Specify the CIDR range(s) for this object. For more information on CIDR values, see Accepted CIDR Values.
Description | Specify a description for this network object.
Color | Specify a color for this object.
Database Length | Specify the database length.

Step 7 Click Save.
Step 8 Repeat for all network objects.
Step 9 Click Re-Order.

The Reorder Group window appears.
Step 10 Order the network objects in the desired order.
Step 11 Click Save.

Note: We recommend adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects.

Accepted CIDR Values

The following table provides a list of the CIDR values that STRM accepts:
Table 5-2 Accepted CIDR Values

CIDR Length | Mask | Number of Networks | Hosts
/1 | 128.0.0.0 | 128 A | 2,147,483,392
/2 | 192.0.0.0 | 64 A | 1,073,741,696
/3 | 224.0.0.0 | 32 A | 536,870,848
/4 | 240.0.0.0 | 16 A | 268,435,424
/5 | 248.0.0.0 | 8 A | 134,217,712
/6 | 252.0.0.0 | 4 A | 67,108,856
/7 | 254.0.0.0 | 2 A | 33,554,428
/8 | 255.0.0.0 | 1 A | 16,777,214
/9 | 255.128.0.0 | 128 B | 8,388,352
/10 | 255.192.0.0 | 64 B | 4,194,176
/11 | 255.224.0.0 | 32 B | 2,097,088
/12 | 255.240.0.0 | 16 B | 1,048,544
/13 | 255.248.0.0 | 8 B | 524,272
/14 | 255.252.0.0 | 4 B | 262,136
/15 | 255.254.0.0 | 2 B | 131,068
/16 | 255.255.0.0 | 1 B | 65,534
/17 | 255.255.128.0 | 128 C | 32,512
/18 | 255.255.192.0 | 64 C | 16,256
/19 | 255.255.224.0 | 32 C | 8,128
/20 | 255.255.240.0 | 16 C | 4,064
/21 | 255.255.248.0 | 8 C | 2,032
/22 | 255.255.252.0 | 4 C | 1,016
/23 | 255.255.254.0 | 2 C | 508
/24 | 255.255.255.0 | 1 C | 254
/25 | 255.255.255.128 | 2 subnets | 124
/26 | 255.255.255.192 | 4 subnets | 62
/27 | 255.255.255.224 | 8 subnets | 30
/28 | 255.255.255.240 | 16 subnets | 14
/29 | 255.255.255.248 | 32 subnets | 6
/30 | 255.255.255.252 | 64 subnets | 2
/31 | 255.255.255.254 | none | none
/32 | 255.255.255.255 | 1/256 C | 1

A network is called a supernet when the prefix boundary contains fewer bits than the network's natural (that is, classful) mask. A network is called a subnet when the prefix boundary contains more bits than the network's natural mask. For example:
• 209.60.128.0 is a class C network address with a mask of /24.
• 209.60.128.0 /22 is a supernet that yields:
  209.60.128.0 /24
  209.60.129.0 /24
  209.60.130.0 /24
  209.60.131.0 /24

192.0.0.0 /25
Subnet | Host Range
0 | 192.0.0.1 - 192.0.0.126
1 | 192.0.0.129 - 192.0.0.254

192.0.0.0 /26
Subnet | Host Range
0 | 192.0.0.1 - 192.0.0.62
1 | 192.0.0.65 - 192.0.0.126
2 | 192.0.0.129 - 192.0.0.190
3 | 192.0.0.193 - 192.0.0.254

192.0.0.0 /27
Subnet | Host Range
0 | 192.0.0.1 - 192.0.0.30
1 | 192.0.0.33 - 192.0.0.62
2 | 192.0.0.65 - 192.0.0.94
3 | 192.0.0.97 - 192.0.0.126
4 | 192.0.0.129 - 192.0.0.158
5 | 192.0.0.161 - 192.0.0.190
6 | 192.0.0.193 - 192.0.0.222
7 | 192.0.0.225 - 192.0.0.254
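The following Python is an added example, not code from the STRM guide or from Juniper: it reproduces the mask and host-range arithmetic behind Table 5-2 and the 192.0.0.0 subnet tables above, and applies the longest-prefix rule from the Cleveland hierarchy example under Considerations (a new 10.10.50.0/24 network falls under Cleveland misc). The hierarchy entries and all function names are constructed for this example.

```python
# Added example (not part of the STRM guide): CIDR arithmetic for Table 5-2
# and longest-prefix classification of a network against a hierarchy.
import ipaddress

# Constructed from the guide's Cleveland example: (group, subgroup, CIDR).
CLEVELAND_HIERARCHY = [
    ("Cleveland", "Cleveland misc", "10.10.0.0/16"),
    ("Cleveland", "Cleveland Sales", "10.10.8.0/21"),
    ("Cleveland", "Cleveland Marketing", "10.10.1.0/24"),
]


def cidr_mask(prefix_len):
    """Dotted-decimal mask for a CIDR length, as in the Mask column of Table 5-2."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("STRM accepts CIDR lengths /1 to /32 only")
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def host_ranges(block, new_prefix):
    """Usable host range of each subnet when `block` is split into /new_prefix.

    Reproduces the 192.0.0.0 /25, /26 and /27 tables: the network and
    broadcast addresses are excluded, so a /31 or /32 subnet has no usable
    range and is reported as None (the 'none' entry for /31 in Table 5-2).
    """
    net = ipaddress.ip_network(block)
    ranges = []
    for idx, sub in enumerate(net.subnets(new_prefix=new_prefix)):
        if sub.prefixlen >= 31:
            ranges.append((idx, None))
        else:
            first = sub.network_address + 1
            last = sub.broadcast_address - 1
            ranges.append((idx, f"{first} - {last}"))
    return ranges


def supernet_members(supernet, member_prefix=24):
    """Classful networks a supernet covers, e.g. 209.60.128.0/22 -> four /24s."""
    net = ipaddress.ip_network(supernet)
    if member_prefix < net.prefixlen:
        raise ValueError("member prefix must be at least as long as the supernet prefix")
    return [str(s) for s in net.subnets(new_prefix=member_prefix)]


def classify(address_or_cidr, hierarchy=CLEVELAND_HIERARCHY):
    """Most specific (longest-prefix) network object that contains the input.

    A new 10.10.50.0/24 HR network is covered only by 'Cleveland misc'
    10.10.0.0/16, so it inherits the Cleveland group's policies, as the
    guide describes. Returns None when no object covers the input.
    """
    target = ipaddress.ip_network(address_or_cidr, strict=False)
    best = None
    for group, subgroup, cidr in hierarchy:
        obj = ipaddress.ip_network(cidr)
        if target.subnet_of(obj) and (best is None or obj.prefixlen > best[2].prefixlen):
            best = (group, subgroup, obj)
    return None if best is None else (best[0], best[1], str(best[2]))


if __name__ == "__main__":
    print("/21 mask:", cidr_mask(21))
    for idx, rng in host_ranges("192.0.0.0/24", 27):
        print(f"/27 subnet {idx}: {rng}")
    print("209.60.128.0/22 covers:", supernet_members("209.60.128.0/22"))
    print("10.10.50.0/24 ->", classify("10.10.50.0/24"))
```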

Scheduling Automatic Updates

STRM uses system configuration files to provide useful characterizations of network data flows. You can update your configuration files automatically or manually to make sure your configuration files contain the latest network security information. The updates, located on the Juniper customer support web site, include threats, vulnerabilities, and geographic information from various security-related web sites.

Note: In an HA deployment, once you update your configuration files on the primary host and deploy your changes, the updates are automatically performed on the secondary host. If you do not deploy your changes, the updates are performed on the secondary host through an automated process that runs hourly.

You can configure the automatic updates to include minor updates (such as on-line Help or updated scripts), major updates (such as updated JAR files), or DSM updates. You can configure the automatic updates function to download and install minor updates. Major updates and DSM updates must be downloaded and installed manually. The Console must be connected to the Internet to receive the updates.

Note: We do not guarantee the accuracy of the third-party information contained on the above-mentioned web sites.

STRM allows you to either replace your existing configuration files or integrate the updates with your existing files to maintain the integrity of your current configuration and information. You can also update the configuration files for all systems in your STRM deployment. However, the views must already be created in your deployment editor. For more information on using the deployment editor, see Chapter 8 Using the Deployment Editor.


Caution: Failing to build your deployment map before you configure automatic or manual updates results in your remote systems not being updated.

This section includes:
• Scheduling Automatic Updates
• Updating Your Files On-Demand

Scheduling Automatic Updates

To schedule automatic updates:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Auto Update icon.

The Auto Update Configuration window appears.
Step 4 Configure the update method and types of updates you want to receive using the Choose Updates box:

Table 5-3 Choose Updates Parameters

Parameter | Description
Update Method | Using the drop-down list box, select the method you want to use for updating your system:
  • Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information. This is the default.
  • Auto Update - Replaces your existing configuration files with the new configuration files.
Weekly Updates | Weekly updates include vulnerability, QID map updates, and security threat information. Using the drop-down list box, select one of the following:
  • Enabled - Allows weekly updates for your system. This is the default.
  • Disabled - Disables the option for your system to receive weekly updates.
Minor Updates | Minor updates include such items as additional on-line Help content or updated scripts. Using the drop-down list box, select one of the following options for minor updates:
  • Disabled - Disables the option for your system to receive minor updates.
  • Download - Downloads the minor updates to the designated download path location. See the readme file in the download files for installation instructions.
  • Install - Automatically installs minor updates on your system. This is the default.
Major Updates | Major updates require service interruptions to install. Major updates include such items as updated JAR files. Using the drop-down list box, select one of the following options for major updates:
  • Disabled - Disables the option for your system to receive major updates. This is the default.
  • Download - Downloads the major updates to the designated download path location. See the readme file in the download files for installation instructions.
DSM Updates | Using the drop-down list box, select one of the following options for DSM updates:
  • Disabled - Disables the option for your system to receive DSM updates.
  • Download - Downloads the DSM updates to the designated download path location. This is the default. See the readme file in the download files for installation instructions.
Download Path | Specify the directory path location in which you want to store DSM, minor, and major updates.

Step 5 Configure the server settings:


Table 5-4 Server Configuration Parameters

Parameter | Description
Webserver | Specify the web server from which you want to obtain the updates. The default web site is http://www.juniper.net/
Directory | Specify the directory location in which you want to store the updates. The default is autoupdates/.
Proxy Server | Specify the URL for the proxy server.
Proxy Port | Specify the port for the proxy server.
Proxy Username | Specify the necessary username for the proxy server. A username is only required if you are using an authenticated proxy.
Proxy Password | Specify the necessary password for the proxy server. A password is only required if you are using an authenticated proxy.

Step 6 Configure the update settings:

Table 5-5 Update Settings Parameters

Parameter | Description
Deploy changes | Select the check box if you want to deploy update changes automatically. If the check box is clear, a system notification appears in the Dashboard indicating that you must deploy changes. By default, the check box is clear.
Send feedback | Select the check box if you want to send feedback to Juniper Networks regarding the update. Feedback is sent automatically using a web form if any errors occur with the update. By default, the check box is clear.
Backup Retention Period (days) | Specify the length of time, in days, that you want to store files that may be replaced during the update process. The files will be stored in the location specified in the Backup Location parameter.
Backup Location | Specify the location in which you want to store backup files.

Step 7 Configure the schedule for updates:


Table 5-6 Schedule Update Parameters

Parameter | Description
Schedule Update Frequency | Using the drop-down list box, select the frequency at which you want to receive updates. The options are Disabled, Weekly, Monthly, or Daily. The default is Weekly.
Hour | Using the drop-down list box, select the time of day you want your system to update. The default is 1 am.
Week Day | This option is only available if you select Weekly as the update frequency. Using the drop-down list box, select the day of the week you want to receive updates. The default is Monday.
Month Day | This option is only active when you select Monthly as the update frequency. Using the drop-down list box, select the day of the month you want to receive updates.

Step 8 By default, all views are updated. To prevent views from being updated, select the check box(es) in the Protected Views section for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.
Step 9 Click Save.

If you selected the Deploy Changes check box in Step 6, the updates are enforced through your deployment. Once the automatic update process is complete, a system notification appears in the Dashboard and information appears in the Log field. For more information about the Dashboard, see the STRM Users Guide.

Updating Your Files On-Demand

You can update your files, whenever necessary, using the Auto Update window. To update your files:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Auto Update icon.

The Auto Update Configuration window appears.
Step 4 In the Update Method drop-down list box, select the method you want to use for updating your files:
• Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new configuration files.

Step 5 In the Protected Views section, select the check box(es) for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.
Step 6 Click Save and Update Now.


Your views are updated.
Step 7 From the Admin tab menu, click Deploy Changes.

If you selected the Deploy Changes check box, the updates are enforced through your deployment. Once the automatic update process is complete, a system notification appears in the Dashboard. For more information, see the STRM Users Guide.

Configuring System Settings

To configure system settings:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the System Settings icon.

The System Settings window appears.
Step 4 Enter values for the parameters:

Table 5-7 System Settings Parameters

Parameter | Description
System Settings
Administrative Email Address | Specify the e-mail address of the designated system administrator. The default is root@localhost.
Alert Email From Address | Specify the e-mail address from which you want to receive e-mail alerts.
Delete Root Mail | Root mail is the default location for host context messages. Specify one of the following:
  • Yes - Delete the local administrator e-mail. This is the default.
  • No - Do not delete local administrator e-mail.
Temporary Files Retention Period | Specify the time period the system stores temporary files. The default is 6 hours.
Asset Profile Reporting Interval | Specify the interval, in seconds, that the database stores new asset profile information. The default is 900 seconds.
Asset Profile Views | Specify the views you want the system to use when accumulating asset profile data.
VIS passive Asset Profile Interval | Specify the interval, in seconds, that the database stores all passive asset profile information. The default is 86,400 seconds.
Audit Log Enable | Enables or disables the ability to collect audit logs. You can view audit log information using the Events interface. The default is Yes.


Parameter | Description
TNC Recommendation Enable | Trusted Network Computing (TNC) recommendations enable you to restrict or deny access to the network based on user name or other credentials. Specify one of the following:
  • Yes - Enables the TNC recommendation functionality.
  • No - Disables the TNC recommendation functionality.
Coalescing Events | Enables or disables the ability for a log source to coalesce (bundle) events. This value applies to all log sources. However, if you want to alter this value for a specific log source, edit the Coalescing Event parameter in the log source configuration. For more information, see the Managing Log Sources Guide. The default is Yes.
Store Event Payload | Enables or disables the ability for a log source to store event payload information. This value applies to all log sources. However, if you want to alter this value for a specific log source, edit the Event Payload parameter in the log source configuration. For more information, see the Log Sources Users Guide. The default is Yes.
Global Iptables Access | Specify the IP address of a non-Console system that does not have an iptables configuration and to which you want to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.
Dynamic Custom View Deploy Interval | Specify the interval, in seconds, at which you want to deploy changes for any dynamic custom view, such as ASN or ifIndex views. When the Classification Engine collects dynamic view information and reports it to configuration services, this is the interval at which the configuration services component deploys the changes. The default is 15 seconds.
Syslog Event Timeout (minutes) | Specify the amount of time, in minutes, after which the status of a syslog device is recorded as Error if no events have been received within the timeout period. The status appears in the Log Sources window (for more information, see the Log Sources Users Guide). The default is 720 minutes (12 hours).
Database Settings
User Data Files | Specify the location of the user profiles. The default is /store/users.
Database Storage Location | Specify the location of the database files. The default location is /store/db.
Sentry Database Location | Specify the location of the sentry database. The default is /store/sentry/db.


Parameter | Description
Network View Graph Retention Period | Using the drop-down list box, select the period of time you want to store the network view graph information. The default is 4 weeks.
All Views - Group Database Retention Period | Using the drop-down list box, select the period of time you want to store the group views information. The default is 1 week.
All Views - Object Database Retention Period | Using the drop-down list box, select the period of time you want to store the object views information. The default is 1 week.
Offense Retention Period | Using the drop-down list box, select the period of time you want to retain offense information. The default is 3 days.
Identity History Retention Period | Using the drop-down list box, select the length of time you want to store asset profile history records. The default is 1 week.
Attacker History Retention Period | Specify the amount of time that you want to store the attacker history. The default is 6 months.
Ariel Database Settings
Flow Data Storage Location | Specify the location in which you want to store the flow log information. The default location is /store/ariel/flows.
Flow Data Retention Period | Specify the period of time you want to store flow data. The default is 1 week.
Asset Profile Storage Location | Specify the location in which you want to store the asset profile information. The default location is /store/ariel/hprof.
Asset Profile Retention Period | Specify the period of time, in days, that you want to store the asset profile information. The default is 30 days.
Log Source Storage Location | Specify the location in which you want to store the log source information. The default location is /store/ariel/events.
Log Source Data Retention Period | Specify the amount of time that you want to store the log source data. The default is 30 days.
Custom View Retention Period | Specify the amount of time, in seconds, that you want to store custom view information. The default is 2,592,000 seconds.
Search Results Retention Period | Using the drop-down list box, select the amount of time you want to store event and flow search results. The default is 1 day.
Maximum Real Time Results | Specify the maximum number of results you want to view in the Events and Flows interfaces. The default is 10,000.
Reporting Max Matched Results | Specify the maximum number of results you want a report to return. This value applies to the search results in the Events and Flows interfaces. The default is 1,000,000.
Command Line Max Matched Results | Specify the maximum number of results you want the command line to return. The default is 0.


Parameter | Description
Web Execution Time Limit | Specify the maximum amount of time, in seconds, you want a query in the interface to process before a time-out occurs. This value applies to the search results in the Events and Flows interfaces. The default is 600 seconds.
Reporting Execution Time Limit | Specify the maximum amount of time, in seconds, you want a reporting query to process before a time-out occurs. The default is 57,600 seconds.
Command Line Execution Time Limit | Specify the maximum amount of time, in seconds, you want a query in the command line to process before a time-out occurs. The default is 0 seconds.
Flow Log Hashing | Enables or disables the ability for STRM to store a hash file for every stored flow log file. The default is No.
Event Log Hashing | Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No.
Hashing Algorithm | You can use a hashing algorithm for database storage and encryption. You can use one of the following hashing algorithms:
  • Message-Digest Hash Algorithm - Transforms digital signatures into shorter values called Message-Digests (MD).
  • Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm that creates a larger (60 bit) MD.
  Specify the log hashing algorithm you want to use for your deployment. The options are:
  • MD2 - Algorithm defined by RFC 1319.
  • MD5 - Algorithm defined by RFC 1321.
  • SHA-1 - Default. Algorithm defined by Secure Hash Standard (SHS), NIST FIPS 180-1.
  • SHA-256 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-256 is a 255-bit hash algorithm intended to provide 128 bits of security against attacks.
  • SHA-384 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a hash algorithm provided by truncating the SHA-512 output.
  • SHA-512 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a hash algorithm intended to provide 256 bits of security.
Sentry Settings
Alert Directory | Specify the location in which you want to store active alerts for each user. The default is /store/sentry/alerts.


Parameter | Description
Default Sentry Scripts | Specify the default sentry scripts you want to execute. The default is /opt/qradar/triggerbin/system.js.
List of Sentry Scripts | Specify the sentry scripts you want to execute, in the order of execution. Separate each entry with a comma. The default is system.js,activity_anomaly.js,learn_policy.js,threshold.js,behavioral.js.
Sentry Properties | Specify the sentry properties location. The default is /store/sentry/persistent_properties.xml.
Sentry Response Queue | Specify the sentry response queue file. The default is /store/sentry/response_queue.xml.
Sentry Database Location | Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage.
Transaction Sentry Settings
Transaction Max Time Limit | A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state. Using the drop-down list box, select the length of time you want the system to check for transactional issues in the database. The default is 10 minutes.
Resolve Transaction on Non-Encrypted Host | Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the Console or non-encrypted managed hosts. If you select No, the conditions are detected and logged but you must manually intervene and correct the error. The default is Yes.
Resolve Transaction on Encrypted Host | Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the encrypted managed host. If you select No, the conditions are detected and logged but you must manually intervene and correct the error. The default is Yes.
SNMP Settings
SNMP Version | Using the drop-down list box, choose one of the following options:
  • Disabled - Specify if you do not want SNMP responses in the STRM custom rules engine. Disabling SNMP indicates that you do not want to accept events using SNMP.
  • SNMPv3 - Specify if you want to use SNMP version 3 in your deployment.
  • SNMPv2c - Specify if you want to use SNMP version 2 in your deployment.


Parameter | Description
SNMPv2c Settings
Destination Host | Specify the IP address to which you want to send SNMP notifications.
Destination Port | Specify the port to which you want to send SNMP notifications. The default is 162.
Community | Specify the SNMP community, such as public.
SNMPv3 Settings
Destination Host | Specify the IP address to which you want to send SNMP notifications.
Destination Port | Specify the port to which you want to send SNMP notifications. The default is 162.
User Name | Specify the name of the user you want to access SNMP related properties.
Security Level | Specify the security level for SNMP. The options are:
  • NOAUTH_NOPRIV - Indicates no authorization and no privacy. This is the default.
  • AUTH_NOPRIV - Indicates authorization is permitted but no privacy.
  • AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol | Specify the algorithm you want to use to authenticate SNMP traps.
Authentication Password | Specify the password you want to use to authenticate SNMP.
Privacy Protocol | Specify the protocol you want to use to decrypt SNMP traps.
Privacy Password | Specify the password used to decrypt SNMP traps.

Step 5 Click Save.

Step 6 From the Admin tab menu, select Advanced > Deploy Full Configuration.

Configuring System Notifications

You can configure system performance alerts for thresholds using the Admin tab. This section provides information for configuring your system thresholds. To configure system thresholds:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Global System Notifications icon.

The Global System Notifications window appears.

Step 4 Enter values for the parameters. For each parameter, you must select the following options:
• Enabled - Select the check box to enable the option.
• Respond if value is - Specify one of the following options:
  Greater Than - An alert occurs if the parameter value exceeds the configured value.
  Less Than - An alert occurs if the parameter value is less than the configured value.

Table 5-8 Global System Notifications Parameters

Parameter | Description
User CPU usage | Specify the threshold percentage of user CPU usage.
Nice CPU usage | Specify the threshold percentage of user CPU usage at the nice priority.
System CPU usage | Specify the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage | Specify the threshold percentage of idle CPU time.
Percent idle time | Specify the threshold percentage of idle time.
Run queue length | Specify the threshold number of processes waiting for run time.
Number of processes in the process list | Specify the threshold number of processes in the process list.
System load over 1 minute | Specify the threshold system load average over the last minute.
System load over 5 minutes | Specify the threshold system load average over the last 5 minutes.
System load over 15 minutes | Specify the threshold system load average over the last 15 minutes.
Kilobytes of memory free | Specify the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used | Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used | Specify the threshold percentage of used memory.
Kilobytes of cached swap memory | Specify the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory | Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used for disc cache | Specify the threshold amount of memory, in kilobytes, used to cache data by the kernel.
Kilobytes of swap memory free | Specify the threshold amount of free swap memory, in kilobytes.


Parameter | Description
Kilobytes of swap memory used | Specify the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used | Specify the threshold percentage of used swap space.
Number of interrupts per second | Specify the threshold number of received interrupts per second.
Received packets per second | Specify the threshold number of packets received per second.
Transmitted packets per second | Specify the threshold number of packets transmitted per second.
Received bytes per second | Specify the threshold number of bytes received per second.
Transmitted bytes per second | Specify the threshold number of bytes transmitted per second.
Received compressed packets | Specify the threshold number of compressed packets received per second.
Transmitted compressed packets | Specify the threshold number of compressed packets transmitted per second.
Received multicast packets | Specify the threshold number of received multicast packets per second.
Receive errors | Specify the threshold number of corrupt packets received per second.
Transmit errors | Specify the threshold number of corrupt packets transmitted per second.
Packet collisions | Specify the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets | Specify the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped transmit packets | Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors | Specify the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors | Specify the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns | Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns | Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second | Specify the threshold number of transfers per second sent to the system.

STRM Administration Guide

Configuring the Console Settings

65

Table 5-8 Global System Notifications Parameters (continued)

Parameter Sectors written per second
Step 5 Click Save.

Description Specify the threshold number of sectors transferred to or from the system.

Step 6 From the Admin tab menu, click Deploy Changes.

Configuring the Console Settings

The STRM Console provides the interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. You can also use the Console to manage distributed STRM deployments. You can access the Console from a standard web browser. When you access the system, a prompt appears for a user name and password, which must be configured in advance by the STRM administrator. STRM supports the following web browsers:
• Internet Explorer 7.0
• Mozilla Firefox 3.0

To configure STRM Console settings:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Console icon.

The STRM Console Settings window appears.


Step 4 Enter values for the parameters:

Table 5-9 STRM Console Parameters

Console Settings

ARP - Safe Interfaces: Specify the interface you want to be excluded from ARP resolution activities.
Enable 3D graphs in the user interface: Using the drop-down list box, select one of the following:
• Yes - Displays graphics in 3-dimensional format in the interface.
• No - Displays graphics in 2-dimensional format in the interface.
Results Per Page: Specify the maximum number of results you want to display in the main STRM interface. This parameter applies to the Offenses, Events, Assets, Flows, and Reports interfaces. For example, if the Default Page Size parameter is configured to 50, the Offenses interface displays a maximum of 50 offenses. The default is 40.

Authentication Settings

Persistent Session Timeout (in days): Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the Remember Me option at login.
Maximum Login Failures: Specify the number of times a login attempt may fail. The default is 5.
Login Failure Attempt Window (in minutes): Specify the length of time, in minutes, during which the maximum number of login failures may occur before the system is locked. The default is 10 minutes.
Login Failure Block Time (in minutes): Specify the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes.
Login Host Whitelist: Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.
Inactivity Timeout (in minutes): Specify the amount of time after which a user is automatically logged out of the system if no activity occurs.
Login Message File: Specify the location and name of a file that includes content you want to appear on the STRM login window. This file may be in text or HTML format and the contents of the file appear below the current login window.
Event Permission Precedence: Using the drop-down list box, specify the level of network permissions you want to assign users. This affects the events that appear in the Events interface. The options include:
• Network Only - A user must have access to either the source network or the destination network of the event to have the event appear in the Events interface.
• Devices Only - A user must have access to either the device or device group that created the event to have the event appear in the Events interface.
• Networks and Devices - A user must have access to both the source or the destination network and the device or device group to have an event appear in the Events interface.
• None - All events appear in the Events interface. Any user with Events role permissions is able to view all events.
Note: For more information on managing users, see Chapter 2 Managing Users.

DNS Settings

Enable DNS Lookups for Asset Profiles: Enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available using the right-mouse button (right-click) on the IP address or host name located in the Host Name (DNS Name) field in the asset profile. The default is False.
Enable DNS Lookups for Host Identity: Enable or disable the ability for STRM to search for host identity information. When enabled, this information is available using the right-mouse button (right-click) on any IP address or asset name in the interface. The default is True.

WINS Settings

WINS Server: Specify the location of the Windows Internet Naming Server (WINS) server.

Reporting Settings

Report Retention Period: Specify the period of time, in days, that you want the system to maintain reports. The default is 30 days.

Data Export Settings

Include Header in CSV Exports: Specify whether you want to include a header in a CSV export file.
Maximum Simultaneous Exports: Specify the maximum number of exports you want to occur at one time.

Step 5 Click Save.
Step 6 From the Admin tab menu, click Deploy Changes.
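A constructed model of the lockout that the four login failure settings above describe (added example, not STRM code): it uses the guide's defaults and assumes that failures are counted per source host and that a block starts once the count inside the attempt window exceeds Maximum Login Failures.

```python
"""Model of the login lockout described by the Authentication Settings above.

Added example, not STRM code. It uses the guide's defaults (5 failures, a
10-minute window, a 30-minute block, an exempt host list). Two details are
assumptions, since the guide does not state them: failures are counted per
source host, and the block starts when the count inside the window exceeds
the maximum, as the phrase "is exceeded" suggests.
"""
from collections import defaultdict, deque


class LoginFailurePolicy:
    def __init__(self, max_failures=5, window_minutes=10, block_minutes=30,
                 host_whitelist=()):
        self.max_failures = max_failures           # Maximum Login Failures
        self.window = window_minutes * 60          # Login Failure Attempt Window, seconds
        self.block = block_minutes * 60            # Login Failure Block Time, seconds
        self.whitelist = set(host_whitelist)       # Login Host Whitelist
        self._failures = defaultdict(deque)        # host -> failure times (epoch seconds)
        self._blocked_until = {}                   # host -> epoch seconds

    def _prune(self, host, now):
        """Discard failures older than the attempt window (sliding window)."""
        recent = self._failures[host]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_blocked(self, host, now):
        """True while a block is in force; expires the block once its time is up."""
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[host]
            self._failures[host].clear()
            return False
        return True

    def record_failure(self, host, now):
        """Register one failed login; return True if the host is now blocked."""
        if host in self.whitelist:
            return False
        if self.is_blocked(host, now):
            return True
        self._prune(host, now)
        self._failures[host].append(now)
        if len(self._failures[host]) > self.max_failures:
            self._blocked_until[host] = now + self.block
            return True
        return False

    def record_success(self, host, now):
        """A correct login clears the failure history; it is still refused while blocked."""
        if self.is_blocked(host, now):
            return False
        self._failures[host].clear()
        return True


def replay(policy, events):
    """Feed (time, host, succeeded) login events through the policy.

    Returns a dict of hosts that became blocked, mapped to the time the block
    started. Useful for checking what a given setting would have done against
    a constructed or exported login history.
    """
    blocked = {}
    for now, host, ok in events:
        if ok:
            policy.record_success(host, now)
        elif policy.record_failure(host, now) and host not in blocked:
            blocked[host] = now
    return blocked


if __name__ == "__main__":
    # Constructed sample: six failures in one minute from one host, then a
    # correct password that is still refused because the block is in force.
    t0 = 1_270_000_000
    history = [(t0 + i, "203.0.113.5", False) for i in range(6)]
    history.append((t0 + 10, "203.0.113.5", True))
    print(replay(LoginFailurePolicy(), history))
```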

6 MANAGING AUTHORIZED SERVICES

You can configure authorized services in the Admin tab to pre-authenticate a customer support service for your STRM deployment. Authenticating a customer support service allows the service to connect to your STRM interface and either dismiss an offense or update its notes using a web service. You can add or revoke an authorized service at any time.

Note: To access the authorized services functionality, a user role must exist with only the Offenses check box selected. The Assign Offenses to Users and the Customized Rule Creation check boxes must be clear. For more information on creating user roles, see Chapter 6 Managing Users.

This chapter provides information for managing authorized services including:
• Viewing Authorized Services
• Adding an Authorized Service
• Revoking Authorized Services
• Configuring the Customer Support Service

Viewing Authorized Services

To view authorized services for your STRM deployment:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Authorized Services icon.

The Manage Authorized Services window appears providing the following information:
Table 6-1 Manage Authorized Services Parameters

Service Name: Specifies the name of the authorized service.
Authorized By: Specifies the name of the user or administrator that authorized the addition of the service.
Authentication Token: Specifies the token associated with this authorized service.
User Role: Specifies the user role associated with this authorized service.
Created: Specifies the date that this authorized service was created.
Expires: Specifies the date and time that the authorized service will expire. Also, this field indicates when a service has expired.

Step 4 To select a token from an authorized service, select the appropriate authorized service. The token appears in the Selected Token field in the top bar. This allows you to copy the desired token into your third-party application to authenticate with STRM.

Adding an Authorized Service

To add an authorized service:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Authorized Services icon.

The Manage Authorized Services window appears.
Step 4 Click Add Authorized Service.

The Add Authorized Service window appears.

Step 5 Enter values for the parameters:

Table 6-2 Add Authorized Services Parameters

Service Name: Specify a name for this authorized service. The name can be up to 255 characters in length.
User Role: Using the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface this service can access.
Expiry Date: Specify a date you want this service to expire or select the No Expiry check box if you do not want this service to expire. By default, the authorized service is valid for 30 days.

Step 6 Click Create Service.

A confirmation message appears. This message contains a token field that you must copy into your third-party application to authenticate with STRM. For more information about setting up your third-party application to integrate with STRM, contact your system administrator.

Revoking Authorized Services

To revoke an authorized service:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Authorized Services icon.

The Manage Authorized Services window appears.
Step 4 Select the service you want to revoke.
Step 5 Click Revoke Authorization.

A confirmation window appears.
Step 6 Click Ok.

Configuring the Customer Support Service

After you have configured an authorized service in STRM, you must configure your customer support service to access STRM offense information. For example, you can configure STRM to send an SNMP trap that includes the offense ID information. Your service must be able to authenticate to STRM using the provided authorized token by passing the information through an HTTP query string. Once authenticated, the service should interpret the authentication token as the user name for the duration of the session. Your customer support service must use a query string to update notes, dismiss, or close an offense. This section includes:
• Dismissing an Offense
• Closing an Offense
• Adding Notes to an Offense


Dismissing an Offense

To dismiss an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=genericList&attribute=dismiss&daoName=offense&value=1&authenticationToken=<Token>

Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.

Closing an Offense

To close an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=genericList&attribute=dismiss&daoName=offense&value=2&authenticationToken=<Token>

Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.

Adding Notes to an Offense

To add notes to an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=genericList&attribute=notes&daoName=offense&value=<NOTES>&authenticationToken=<Token>

Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.
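Added example (not code from STRM or the guide) covering the three query strings of this section: it assembles the dismiss, close and notes requests from the documented parameters and decodes such a URL back into the operation it performs, which is what an administrator reviewing web server access logs for authorized-service activity needs. The host names, offense ids and token value are constructed placeholders.

```python
"""Build and audit the STRM offense-update query strings shown above.

This is an added example, not code from the STRM product or the guide. The
endpoint path, the parameter names and the documented values (dismiss=1 to
dismiss, dismiss=2 to close, notes=<text> to add a note) come from the guide;
the function names, the host names and the token below are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT_PATH = "/console/do/sem/properties"

# Documented (attribute, value) pairs for the operations that take no free text.
FIXED_ACTIONS = {
    "dismiss": ("dismiss", "1"),
    "close": ("dismiss", "2"),
}


def build_offense_update(host, offense_id, token, action, notes=None):
    """Return the URL a customer support service requests to update an offense.

    action is 'dismiss', 'close' or 'notes'. The guide's template writes the
    note text directly as value=<NOTES>; here it is percent-encoded so that
    spaces, '&' or '#' inside the note cannot break the query string.
    """
    if not str(offense_id).isdigit():
        raise ValueError("offense id must be a non-negative integer")
    if action == "notes":
        if not notes:
            raise ValueError("note text is required for action 'notes'")
        attribute, value = "notes", notes
    elif action in FIXED_ACTIONS:
        attribute, value = FIXED_ACTIONS[action]
    else:
        raise ValueError(f"unknown action {action!r}")
    params = [
        ("appName", "Sem"),
        ("dispatch", "updateProperties"),
        ("id", str(offense_id)),
        ("nextPageId", "OffenseList"),
        ("nextForward", "genericList"),
        ("attribute", attribute),
        ("daoName", "offense"),
        ("value", value),
        # The guide passes the token in the query string, so it is visible in
        # browser history, proxy logs and web server access logs; restrict who
        # can read those and revoke the service if the token leaks.
        ("authenticationToken", token),
    ]
    return f"https://{host}{ENDPOINT_PATH}?" + urlencode(params)


def describe_offense_update(url):
    """Decode a logged request URL into the offense operation it performs.

    Intended for reviewing access logs: returns the offense id, the action
    ('dismiss', 'close' or 'notes') and the submitted value, and deliberately
    never returns the authentication token. Raises ValueError for requests that
    are not offense updates of the documented form.
    """
    parts = urlsplit(url)
    if parts.path != ENDPOINT_PATH:
        raise ValueError("not the offense properties endpoint")
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs yields lists; every documented parameter appears exactly once
    single = {k: v[0] for k, v in query.items() if len(v) == 1}
    required = ("dispatch", "id", "attribute", "daoName", "value", "authenticationToken")
    if any(k not in single for k in required):
        raise ValueError("missing or repeated parameters")
    if single["dispatch"] != "updateProperties" or single["daoName"] != "offense":
        raise ValueError("not an offense update")
    if not single["id"].isdigit():
        raise ValueError("malformed offense id")
    attribute, value = single["attribute"], single["value"]
    if attribute == "notes":
        action = "notes"
    elif attribute == "dismiss" and value == "1":
        action = "dismiss"
    elif attribute == "dismiss" and value == "2":
        action = "close"
    else:
        raise ValueError(f"undocumented attribute/value pair {attribute}={value}")
    return {"offense_id": int(single["id"]), "action": action, "value": value}


if __name__ == "__main__":
    # Constructed sample: a note containing characters that need encoding.
    sample = build_offense_update("strm.example.net", 1042, "TOKEN-PLACEHOLDER",
                                  "notes", "Ticket #55: user confirmed & cleared")
    print(sample)
    print(describe_offense_update(sample))
```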

7 MANAGING BACKUP AND RECOVERY
You can back up and recover configuration information and data for STRM.

Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.

This chapter provides information on managing backup and recovery including:
• Managing Backup Archives
• Backing Up Your Information
• Restoring Your Configuration Information

Managing Backup Archives

Using the Admin tab, you can:
• View your successful backup archives. See Viewing Backup Archives.
• Import an archive file. See Importing an Archive.
• Delete an archive file. See Deleting a Backup Archive.

Viewing Backup Archives

To view all successful backups:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears providing the following information, depending on the status of the backup processes:
• If there are no backup archives, a message appears indicating no backup archives have been created.
• If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.
• If there are existing backup archives, the list of the successful backup archives that exist in the database appears. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. Each archive file includes the data from the previous day. The list of archives is sorted by the Time Initiated column in descending order.

The Backup Archives window provides the following information for each backup archive:
Table 7-1 Backup Archive Window Parameters

Host: Specifies the host that initiated the backup process.
Name: Specifies the name of the backup archive. To download the backup file, click the name of the backup.
Type: Specifies the type of backup. The options are:
• config (configuration data)
• data (events, flows, and asset profile information)
Size: Specifies the size of the archive file.
Time Initiated: Specifies the time that the backup file was initiated.
Duration: Specifies the time to complete the backup process.
Initialized By: Specifies whether the backup file was created by a user or through a scheduled process.

Importing an Archive

To import a STRM backup archive file:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.


Step 4 In the Upload Archive field, click Browse.

The File Upload window appears.
Step 5 Select the archive file you want to upload. The archive file must include a .tgz extension. Click Open.
Step 6 Click Upload.

Deleting a Backup Archive

Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system. The system must also be in communication with the Console and no other backup can be in progress.

To delete a backup archive:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.

Step 4 Select the archive you want to delete.
Step 5 Click Delete.

A confirmation window appears.
Step 6 Click Ok.


Backing Up Your Information

You can back up your configuration information and data using the Backup Recovery Configuration window. By default, STRM creates a backup archive of your configuration information every night at midnight and the backup includes configuration and/or data from the previous day. You can back up your information using one of the following methods:
• Creating a configuration only backup. See Initiating a Backup.
• Scheduling a nightly backup. See Scheduling Your Backup.
• Copying a backup archive file to the system on which you want to restore the archive. You can then restore the data. See Restoring Your Configuration Information.

This section provides information on both methods of backing up your data including:
• Scheduling Your Backup
• Initiating a Backup

Scheduling Your Backup

To schedule your backup process:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.
Step 4 Click Configure.

The Backup Recovery Configuration window appears.


Step 5 Enter values for the parameters:

Table 7-2 Backup Recovery Configuration Parameters

Backup Repository Path: Specifies the location where you want to store your backup file. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup. Note: If you modify this path, make sure the new path is valid on every system in your deployment.

General Backup Configuration

Backup Retention Period (days): Specify the length of time, in days, that you want to store backup files. The default is 2 days. Note: This period of time only affects backup files generated as a result of a scheduled process. Manually initiated or imported backup files are not affected by this value.
Nightly Backup Schedule: Select one of the following options:
• No Nightly Backups - Disables the creation of a backup archive on a daily basis.
• Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.
• Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select the Configuration and Data Backups option, you can select the hosts you want to back up. Once you select the host, you can select one of the following options: Event Data, Flow Data, and Asset Profile Data.

Configuration backups include the following components:
• Custom rules
• Flow and event searches
• Log sources
• Groups
• Flow sources
• Event categories
• Vulnerability data
• Device Support Modules (DSMs)
• User and user roles information
• Views
• Sentries
• License key information

Data backups include the following information:
• Event data
• Flow data
• Asset profile data
• Report data
• Audit log information
• Data tables for offenses and assets

Configuration Only Backup

Backup Time Limit (min): Specify the length of time, in minutes, that you want to allow the backup to process. The default is 180 minutes. If the backup process exceeds the configured time limit, the backup will automatically be canceled.
Backup Priority: Specify the level of importance (LOW, MEDIUM, HIGH) that you want the system to place on the configuration information backup process compared to other processes. A priority of medium or high will have a greater impact on system performance.

Data Backup

Backup Time Limit (min): Specify the length of time, in minutes, that you want to allow the backup to process. The default is 1020 minutes. If the backup process exceeds the configured time limit, the backup will automatically be canceled.
Backup Priority: Specify the level of importance (LOW, MEDIUM, HIGH) you want the system to place on the data backup process compared to other processes. A priority of medium or high will have a greater impact on system performance.

Step 6 Click Save.
Step 7 From the Admin tab menu, click Deploy Changes.

Initiating a Backup

To manually initiate a backup for your configuration information:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.

Step 4 Click On Demand Backup.

The Create a Backup window appears.


Step 5 Enter values for the following parameters:

Name: Specify a unique name you want to assign to this backup file. The name must be a maximum of 100 alphanumeric characters. Also, the name may contain the following characters: underscore (_), dash (-), or period (.).
Description: Specify a description for this configuration backup. The description can be up to 255 characters in length.

Step 6 Click Run Backup.

A confirmation window appears.
Step 7 Click OK.

Restoring Your Configuration Information

You can restore configuration information from existing backup archives using the Restore Backup window. You can only restore a backup archive created within the same release of software. For example, if you are running STRM 2009.2, the backup archive must have been created in STRM 2009.2. You can restore configuration information in the following scenarios:
• Restore a backup archive on a system that has the same IP address as the backup archive. See Restoring on a System with the Same IP Address.
• Restore a backup archive on a system with a different IP address than the backup archive. See Restoring to a System with a Different IP Address.

Note: If the backup archive originated on a NATed Console system, you can only restore that backup archive on a NATed system.

Restoring on a System with the Same IP Address

To restore your configuration information on a system that has the same IP address as the backup archive:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.
Step 4 Select the archive you want to restore.
Step 5 Click Restore.

The Restore a Backup window appears.

Step 6 To restore specific items in the archive:
a Clear the All Items check box. The list of archived items appears.
b Select the check box for each item you want to restore.

Step 7 Click Restore.

A confirmation window appears. Each backup archive includes IP address information of the system from which the backup archive was created.
Step 8 Click Ok.

The restore process begins. This process may take an extended period of time. When complete, a message appears.
Step 9 Click Ok.
Step 10 Choose one of the following options:
a If the STRM interface was closed during the restore process, open a browser and log in to STRM.
b If the STRM interface has not been closed, the login window appears. Log in to STRM.

A window appears providing the status of the restore process. This window provides any errors for each host. This window also provides instructions for resolving errors that have occurred.
Step 11 Follow the instructions on the status window.

Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.

Note: If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data once the system is restored. If the secondary host was removed from the deployment after backup was performed, the secondary host displays a Failed status in the System and License Management window.

Restoring to a System with a Different IP Address

To restore your configuration information on a system with a different IP address than the backup archive:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears.
Step 4 Select the archive you want to restore.
Step 5 Click Restore.

The Restore a Backup window appears. Since the IP address of the system on which you want to restore the information does not match the IP address of the backup archive, a message appears indicating that you must stop iptables on each managed host in your deployment.

Step 6 To restore specific items in the archive:
a Clear the All Items check box. The list of archived items appears.
b Select the check box for each item you want to restore.

Step 7 Stop IP tables:
a Log into the managed host, as root.
b Enter the following command:
service iptables stop
c Repeat for all managed hosts in your deployment.

Step 8 In the Restore a Backup window, click Test Host Access.

The Restore a Backup (Managed Hosts Accessibility) window appears.


Table 7-3 provides the following information:
Table 7-3 Restore a Backup (Managed Host Accessibility) Parameters

Host Name: Specifies the managed host name.
IP Address: Specifies the IP address of the managed host.
Access Status: Specifies the access status to the managed host. The options include:
• Testing Access - The test to determine access status is not complete.
• No Access - The managed host cannot be accessed.
• OK - The managed host is accessible.

Step 9 When the accessibility of all hosts is determined and the status in the Access Status column indicates OK or No Access, click Restore. The restore process begins.

Note: If the Access Status column indicates No Access for a host, stop iptables (see Step 7) again and click Test Host Access to attempt a connection.
Step 10 Click Ok.

The restore process begins. This process may take an extended period of time.
Step 11 Click Ok.
Step 12 Choose one of the following options:
a If the STRM interface has been closed during the restore process, open a browser and log in to STRM.
b If the STRM interface has not been closed, the login window appears. Log in to STRM.

A window appears providing the status of the restore process. This window provides any errors for each host. This window also provides instructions for resolving errors that have occurred.
Step 13 Follow the instructions on the status window.

Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.


Note: If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data once the system is restored. If the secondary host was removed from the deployment after backup was performed, the secondary host displays a Failed status in the System and License Management window.

8 USING THE DEPLOYMENT EDITOR

The deployment editor allows you to manage the individual components of your STRM and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.

Note: The Deployment Editor requires Java Runtime Environment version 1.6.0_13 X86. Download at www.java.sun.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.

Caution: Many third-party web browsers that use the Internet Explorer engine, such as Maxthon or MyIE, install components that may be incompatible with the Admin tab interface. You may have to disable any third-party web browsers installed on your system. For further assistance, please contact customer support.

If you want to access the deployment editor from behind a proxy server or firewall, you must configure the appropriate proxy settings on your desktop. This allows the software to automatically detect the proxy settings from your browser. To configure the proxy settings, open the Java configuration located in your Control Panel and configure the IP address of your proxy server. For more information on configuring proxy settings, see your Microsoft documentation.

This chapter provides information on managing your views including:
• About the Deployment Editor
• Editing Deployment Editor Preferences
• Building Your Flow View
• Building Your Event View
• Managing Your System View
• Configuring STRM Components


About the Deployment Editor

You can access the deployment editor using the Admin tab. You can use the deployment editor to create your deployment, assign connections, and configure each component. The deployment editor provides the following views of your deployment:
• Flow View - Allows you to create a view that outlines how flows are processed in your deployment by allocating and connecting flow-based components, for example, connecting a Flow Collector to a Flow Processor.
• System View - Allows you to assign software components, such as a Flow Collector, to systems (managed hosts) in your deployment. The System View includes all managed hosts in your deployment. A managed host is a system in your deployment that has STRM software installed. By default, the System View also includes the Host Context component, which monitors all STRM components to ensure that each component is operating as expected.
• Event View - Allows you to create a view for your SIM components including Event Processor, Event Collector, and Magistrate components.

Each view is divided into two panels.

In the Flow View, the left panel provides a list of components that you can add to your view and the right panel provides the existing view of your deployment. In the Event View, the left panel provides a list of SIM components you can add to the view and the right panel provides an existing view of your SIM deployment. In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message appears indicating that the assigned components to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.

Accessing the Deployment Editor

In the Admin tab, click Deployment Editor. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You must manually deploy all changes using the Admin tab menu option. All deployed changes are then enforced throughout your deployment.

Using the Editor

The deployment editor provides you with several menu and toolbar options when configuring your views including:
• Menu Options
• Toolbar Options

Menu Options

The menu options that appear depend on the selected component in your view. Table 8-1 provides a list of the menu options and the component for which they appear.

Table 8-1 Deployment Editor Menu Options

File menu:
• Save to staging - Saves deployment to the staging area.
• Save and close - Saves deployment to the staging area and closes the deployment editor.
• Open staged deployment - Opens a deployment that was previously saved to the staging area.
• Open production deployment - Opens a deployment that was previously saved.
• Close current deployment - Closes the current deployment.
• Revert - Reverts current deployment to the previously saved deployment.
• Edit Preferences - Opens the preferences window.
• Close editor - Closes the deployment editor.

Edit menu:
• Delete - Deletes a component, host, or connection.
• Manage NATed Networks - Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.

Actions menu:
• Add a managed host - Opens the Add a Managed Host wizard.
• Rename component - Renames an existing component. This option is only available when a component is selected.
• Configure - Configures STRM components. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.
• Assign - Assigns a component to a managed host. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.
• Unassign - Unassigns a component from a managed host. This option is only available when the selected component has a managed host running a compatible version of STRM software, and only when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, or Update Daemon is selected.

Toolbar Options

The toolbar options include the following (the toolbar button icons are not reproduced here):

Table 8-2 Toolbar Options

• Saves deployment to the staging area and closes the deployment editor.
• Opens current production deployment.
• Opens a deployment that was previously saved to the staging area.
• Discards recent changes and reloads last saved model.
• Deletes selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software.
• Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
• Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
• Resets the zoom to the default.
• Zooms in.
• Zooms out.

Creating Your Deployment

To create your deployment, you must:

Step 1 Build your Flow View. See Building Your Flow View.
Step 2 Build your System View. See Managing Your System View.
Step 3 Configure added components. See Configuring STRM Components.
Step 4 Build your Event View. See Building Your Event View.
Step 5 Configure SIM components. See Configuring STRM Components.
Step 6 Stage the deployment. From the deployment editor menu, select File > Save to Staging.
Step 7 Deploy all configuration changes. From the Admin tab menu, select Advanced > Deploy Full Configuration. For more information on the Admin tab, see Chapter 1 Overview.

Before you Begin

Before you begin, you must:
• Install all necessary hardware and STRM software.
• Install Java Runtime Environment. You can download Java version 1.6.0_13 x86 at the following web site: http://java.com/en/download/index.jsp
• If you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.
• Plan your STRM deployment including the IP addresses and login information for all devices in your STRM deployment.
Note: If you require assistance with the above, please contact Juniper Networks customer support.

Editing Deployment Editor Preferences

To edit the deployment editor preferences:

Step 1 From the deployment editor main menu, select File > Edit Preferences.

The Deployment Editor Setting window appears.

Step 2 Enter values for the following parameters:
• Presence Poll Frequency - Specify how often, in milliseconds, the managed host monitors your deployment for updates, for example, a new or updated managed host.
• Zoom Increment - Specify the increment value used when the zoom option is selected. For example, 0.1 indicates 10%.

Step 3 Close the window.

The Deployment Editor appears.

Building Your Flow View

The Flow View allows you to create and manage the flow-based software components of your STRM deployment, for example, a Flow Collector or Flow Processor. If you are using a STRM appliance, a default Flow View appears with the appropriate components. You can edit or update the view, as necessary. To build your Flow View, you must:

Step 1 Add STRM components to your view. See Adding STRM Components.
Step 2 Connect the added components. See Connecting Components.
Step 3 Connect the deployments, if necessary. See Connecting Deployments.
Step 4 Rename the components so each component has a unique name. See Renaming Components.

Once you have completed building your Flow View, you can use the Event View to manage your SIM components. See Building Your Event View.

Adding STRM Components

You can add the following STRM components to your Flow View:
• Flow Collector - Collects data from devices and various live and recorded feeds.
• Flow Processor - Collects and consolidates data from one or more Flow Collector(s).
• Classification Engine - Receives input from one or more Flow Processor(s) and classifies and accumulates statistical data on flows.
• Update Daemon - Stores TopN and database data once the Classification Engine has processed the flows for an interval.
• Flow Writer - Stores the flow and asset profile data once the Classification Engine has processed the flows for an interval.

Note: The procedures in this section provide information on adding STRM components using the Flow View. You can also add components using the System View. For information on the System View, see Managing Your System View.

To add STRM components to your Flow View:

Step 1 In the deployment editor, click the Flow View tab.

The Flow View appears.

Step 2 In the Flow Components panel, select a component you want to add to your deployment.

The Adding a New Component Wizard appears.

Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name. Click Next.

Note: If the message “There are no hosts to which you can assign this component.” appears, your deployment does not include hosts with the capabilities to support the selected component, or the host already has a full complement of components installed.

The Assign Component window appears.

Step 4 From the Select a host drop-down list box, select the managed host to which you want to assign the new component. Click Next.

The component ready to be added window appears.

Step 5 Click Finish.

The component appears in your Flow View.

Step 6 Repeat for each component you want to add to your view.
Step 7 From the menu, select File > Save to staging.

Connecting Components

Once you add all the necessary components in your Flow View, you must connect them together. The Flow View only allows you to connect appropriate components together. For example, you can connect a Flow Processor to a Flow Collector and not an Update Daemon. To connect components:

Step 1 In the Flow View, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.

Note: You can also use the right mouse button (right-click) to access the Actions menu item.

An arrow appears in your map.

Step 3 Drag the end of the arrow to the component with which you want to establish a connection. You can only connect appropriate components, for example, you can connect a Classification Engine to an Update Daemon. Table 8-3 provides a list of components you are able to connect.

Table 8-3 Component Connections

You can connect a...        To
Flow Collector              Flow Processor
Flow Processor              Flow Processor, Classification Engine, Off-site Target, Off-site Source
Classification Engine       Update Daemon, Flow Writer (multiple Classification Engines may be connected to a single Flow Writer)

The arrow connects the two components.

Step 4 Repeat for all remaining components in your deployment with which you want to establish a connection.
Step 5 From the menu, select File > Save to Staging.

Connecting Deployments

You can connect deployments in your network to allow deployments to share flow data. To connect your deployments, you must configure an off-site Flow Processor (target) in your current deployment and the associated off-site Flow Processor in the receiving deployment (source). You can add the following components to your Flow View:

• Off-site Source - Indicates an off-site Flow Processor from which you want to receive data. The source must be configured with appropriate permissions to send flows to the off-site target.
• Off-site Target - Indicates an off-site Flow Processor to which you want to send data.

Note: The procedures in this section provide information on adding flow sources using the Flow View. You can also add sources using the System View. For information on the System View, see Managing Your System View.

Figure 8-1 shows an example of connecting two deployments, A and B. In this example, deployment B wants to receive flows from deployment A. To connect these deployments, you must configure deployment A with an off-site target to provide the IP address of the managed host that includes Flow Processor B. You must then connect Flow Processor A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Flow Processor A and the port on which Flow Processor A is monitoring.

If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.

If you want to enable encryption between deployments, you must enable encryption on both the off-site source and target. Also, you must ensure both the off-site source and target include the public keys to ensure appropriate access. In the example below, if you want to enable encryption between the off-site source and Flow Processor B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the Flow Processor to the off-site source (copy the file to /root/.ssh/authorized_keys).

Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

Figure 8-1 Example of Connecting Deployments

To connect your deployments:

Step 1 In the deployment editor, click the Flow View tab.

The Flow View appears.

Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site Target.

The Adding a New Component Wizard appears.

Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next.

The flow source/target information window appears.

Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.
• Enter port of managed host - Specify the off-site managed host port number.
• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target. For more information regarding encryption, see Managing Your System View.

Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.

Note: If you update your Flow Processor configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.

Renaming Components

You may want to rename a component in your view to uniquely identify components throughout your deployment. To rename a component:

Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename component.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click Ok.

Building Your Event View

The Event View allows you to create and manage the SIM components for your deployment including:

• Event Collector - Collects security events from various types of security devices in your network. The Event Collector gathers events from local, remote, and device sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes flows collected from one or more Event Collector(s). The events are bundled once again to conserve network usage. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, which allow the Event Processor to process them according to the configured rules. Once complete, the Event Processor sends the events to the Magistrate. You must connect the Event Processor to a Classification Engine or another Event Processor in your deployment. The Classification Engine is responsible for sending the latest event information to the Event Processor. See Figure 8-2 for an example.
• Magistrate - The Magistrate component provides the core processing components of SIM. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes the event against the defined custom rules to create an offense. If no custom rules exist, the Magistrate uses the default rules to process the event. An offense is an event that has been processed through STRM using multiple inputs, individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the offenses and assigns a magnitude value based on several factors, including number of events, severity, relevance, and credibility. Once processed, Magistrate also produces a list for each attacker, which provides you with a list of attackers for each event. By default, the Event View includes a Magistrate component.

Figure 8-2 shows an example of a STRM deployment that includes the SIM components. The example shows that the Event Processor is connected to the Classification Engine, which allows for the exchange of flow information.

Figure 8-2 Example of SIM Components in your STRM Deployment

To build your Event View, you must:

Step 1 Add SIM components to your view. See Adding Components.
Step 2 Connect the components. See Connecting Components.
Step 3 Forward normalized events. See Forwarding Normalized Events.
Step 4 Rename the components so each component has a unique name. See Renaming Components.

Adding Components

To add components to your Event View:

Step 1 In the deployment editor, click the Event View tab.

The Event View appears.

Step 2 In the Event Tools panel, select a component you want to add to your deployment.

The Adding a New Component Wizard appears.

Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next.

The Assign Component window appears.

Step 4 From the Select a host to assign to list box, select a managed host to which you want to assign the new component. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the main menu, select File > Save to staging.

Connecting Components

Once you add all the necessary components in your Event View, you must connect them together. The Event View only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor and not a Magistrate component. To connect components:

Step 1 In the Event View, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.

Note: You can also use the right mouse button (right-click) to access the Action menu item.

An arrow appears in your map.

Step 3 Drag the end of the arrow to the component with which you want to establish a connection. You can only connect appropriate components, for example, you can connect an Event Collector to an Event Processor. Table 8-4 provides a list of components you are able to connect.

Table 8-4 Component Connections

You can connect a...        To
Event Processor             Magistrate
Event Collector             Event Processor

The arrow connects the two components.

Step 4 Repeat for all remaining components with which you want to establish a connection.

Forwarding Normalized Events

To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source). You can add the following components to your Event View:

• Off-site Source - Indicates an off-site Event Collector from which you want to receive data. The source must be configured with appropriate permissions to send events to the off-site target.
• Off-site Target - Indicates an off-site Event Collector to which you want to send data.

For example, if you want to forward normalized events between two deployments (A and B), where deployment B wants to receive events from deployment A you must configure deployment A with an off-site target to provide the IP address of the managed host that includes Event Collector B. You must then connect Event Collector A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Event Collector A and the port to which Event Collector A is monitoring.

If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source. If you want to enable encryption between deployments, you must enable encryption on both the off-site source and target. Also, you must ensure the SSH public key for the off-site source (client) is available to the target (server) to ensure appropriate access. For example, in Figure 8-3 below, if you want to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the off-site source to Event Collector B (add the contents of the file to /root/.ssh/authorized_keys).
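Both off-site procedures (flow data in Connecting Deployments and normalized events here) end in the same manual step: one host's /root/.ssh/id_rsa.pub has to be placed in the other host's /root/.ssh/authorized_keys. The following POSIX shell function is an added example and is not part of the STRM guide or product; it performs that step so that repeating it never duplicates the key, matches on the key material rather than the trailing comment, and leaves the directory and file with the modes sshd requires. The function name and the sample key lines are assumptions; the paths are the ones the guide names.

```shell
#!/bin/sh
# Added example (not part of the STRM guide): install a client's OpenSSH public key
# into a server's authorized_keys exactly once, as the guide's off-site source ->
# target encryption step requires (id_rsa.pub from one host, authorized_keys on
# the other). Paths are parameters; the guide uses /root/.ssh/ for both files.

# Print the "keytype base64" part of the first line of a public-key file.
# The trailing comment (for example root@host) is deliberately dropped so the
# same key with a different comment is still recognised as already present.
key_id() {
    awk 'NR == 1 { print $1, $2 }' "$1"
}

# authorize_pubkey <pubkey_file> <authorized_keys_file>
# Prints "added" when the key was appended, "present" when it was already there.
# Returns 1 with a message on stderr if the key file is missing or not a public key.
authorize_pubkey() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    if [ ! -s "$pubkey_file" ]; then
        echo "error: public key file '$pubkey_file' is missing or empty" >&2
        return 1
    fi
    # OpenSSH public keys start with the key type; reject anything else so a
    # private key or an unrelated file is never appended to authorized_keys.
    case $(awk 'NR == 1 { print $1 }' "$pubkey_file") in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "error: '$pubkey_file' is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default) a .ssh directory or authorized_keys
    # file that is group/world accessible is silently ignored, so fix the modes.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    key=$(key_id "$pubkey_file")
    if awk '{ print $1, $2 }' "$auth_file" | grep -qxF "$key"; then
        echo present
        return 0
    fi
    # head + printf normalise a possibly missing trailing newline so the next
    # key appended never runs onto the same line as this one.
    printf '%s\n' "$(head -n 1 "$pubkey_file")" >> "$auth_file"
    echo added
}

# Number of key lines in an authorized_keys file (blank and comment lines ignored).
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Invoked directly with two arguments, behave as a small command-line tool.
case $# in
    2) authorize_pubkey "$1" "$2" ;;
esac
```

On the receiving host, run it as `authorize_pubkey /path/to/copied/id_rsa.pub /root/.ssh/authorized_keys`; a second run reports present instead of appending a duplicate line.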

Figure 8-3 Example of Connecting Deployments (components shown: Event Collector A, Off-site Target, Off-site Source, Event Collector B, two Event Processors, two Magistrates)

Note: If the off-site source/target is an all-in-one system, the public key is not automatically generated; therefore, you must manually generate the public key. For more information on generating public keys, see your Linux documentation.

To forward normalized events:

Step 1 In the deployment editor, click the Event View tab.

The Event View appears.

Step 2 In the Components panel, select either Add Off-site Source or Add Off-site Target.

The Adding a New Component Wizard appears.

Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next.

The event source/target information window appears.

Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.
• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target.

Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.

Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.

Renaming Components

You may want to rename a component in your view to uniquely identify components throughout your deployment. To rename a component:

Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.

Note: You can also use the right mouse button (right-click) to access the Action menu items.

The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click Ok.

Managing Your System View

The System View allows you to manage all managed hosts in your network. A managed host is a component in your network that includes STRM software. If you are using a STRM appliance, the components for that appliance model appear. If your STRM software is installed on your own hardware, the System View includes a Host Context component. The System View allows you to select which component(s) you want to run on each managed host. Using the System View, you can:
• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use STRM with NATed networks in your deployment. See Using NAT with STRM.
• Update the managed host port configuration. See Configuring a Managed Host.
• Assign a component to a managed host. See Assigning a Component to a Host.
• Configure Host Context. See Configuring Host Context.

Setting Up Managed Hosts

Using the deployment editor, you can manage all hosts in your deployment including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.

When adding a managed host, you can also enable encryption between managed hosts running at least STRM 5.1. The deployment editor determines the version of STRM software running on a managed host. You can only add a managed host to your deployment when the managed host is running a compatible version of STRM software. For more information, contact Juniper Networks customer support.

You cannot assign or configure components on a non-Console managed host when the STRM software version is incompatible with the software version that the Console is running. If a managed host has previously assigned components and is running an incompatible software version, you can still view the components; however, you are not able to update or delete the components.

Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

Encryption provides greater security for all STRM traffic between managed hosts. To provide enhanced security, STRM also provides integrated support for OpenSSH and attachmateWRQ® Reflection SSH software. Reflection SSH software provides a FIPS 140-2 certified encryption solution. When integrated with STRM, Reflection SSH provides secure communication between STRM components. For information on Reflection SSH, see the following web site: www.wrq.com/products/reflection/ssh

Note: You must have Reflection SSH installed on each managed host you want to encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other SSH software, such as OpenSSH.

Since encryption occurs between managed hosts in your deployment, your deployment must consist of more than one managed host before encryption is possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from the client. A client is the system that initiates a connection in a client/server relationship. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on that managed host to provide protected access to the respective servers. If you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console.

Figure 8-4 shows the flow of traffic within a STRM deployment including flows, flow context, and event traffic. The figure also displays the client/server relationships within the deployment. When enabling encryption on a managed host, the encryption SSH tunnel is created on the client’s host. For example, if you enable encryption for the Event Collector in the deployment depicted in the figure below, the connection between the Event Processor and Classification Engine as well as the connection between the Event Processor and Magistrate would be encrypted. The figure also displays the client/server relationship between the Console and the Ariel database. When you enable encryption on the Console, an encryption tunnel is used when performing event searches through the Offenses interface.

Note: Enabling encryption reduces the performance of a managed host by at least 50%.

Figure 8-4 Encryption Tunnels

Adding a Managed Host

Note: Before you add a managed host, make sure the managed host includes STRM software.

To add a managed host:

Step 1 From the menu, select Actions > Add a managed host.

The Add new host wizard appears.

Step 2 Click Next.

The Enter the host’s IP window appears.

Step 3 Enter values for the parameters:

• Enter the IP of the server or appliance to add - Specify the IP address of the host you want to add to your System View.
• Enter the root password of the host - Specify the root password for the host.
• Confirm the root password of the host - Specify the password again, for confirmation.
• Host is NATed - Select the check box if you want to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.

• Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 4. Otherwise, go to Step 5.

Note: If you want to add a non-NATed managed host to your deployment when the Console is NATed, you must change the Console to a NATed host (see Changing the NAT Status for a Managed Host) before adding the managed host to your deployment.

Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use. If the managed host is on the same subnet as the Console, make sure you select the Console of the NATed network. If the managed host is not on the same subnet as the Console, make sure you select the managed host of the NATed network.

Note: For information on managing your NATed networks, see Using NAT with STRM.

Step 5 Click Next.
Step 6 Click Finish.

Note: If your deployment includes undeployed changes, a window appears enabling you to deploy all changes.

The System View appears with the host in the Managed Hosts panel.

Editing a Managed Host

To edit an existing managed host:

Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host.

The Edit a managed host wizard appears.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.

Step 3 Click Next.

The attributes window appears.

Step 4 Edit the following values, as necessary:

Host is NATed - Select the check box if you want to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.

Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 5. Otherwise, go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:

• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.

Note: For information on managing your NATed networks, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.

The System View appears with the updated host in the Managed Hosts panel.

Removing a Managed Host

You can only remove non-Console managed hosts from your deployment. You cannot remove a managed host that is hosting the STRM Console. To remove a managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to delete and select Remove host.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.

A confirmation window appears.
Step 3 Click Ok.
Step 4 From the Admin tab menu, select Advanced > Deploy Full Configuration.

Using NAT with STRM

Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. NAT provides increased security for your deployment since requests are managed through the translation process, which essentially hides internal IP addresses. Before you enable NAT for a STRM managed host, you must set up your NATed networks using static NAT translation. This ensures communications between managed hosts that exist within different NATed networks. For example, in Figure 8-5 the QFlow 1101 in Network 1 has an internal IP address of 10.100.100.1. When the QFlow 1101 wants to communicate with the Event Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.
[Figure 8-5 Using NAT with STRM: a NAT Router connects Network 1, containing the QFlow 1101 (internal address 10.100.100.1), to Network 2, containing an Event Collector, Classification Engine, Event Collector, Update Daemon, and Magistrate; the translated address on the Network 2 side is 192.15.2.1.]

Figure 8-5 Using NAT with STRM

Note: Your static NATed networks must be set up and configured on your network before you enable NAT using STRM. For more information, see your network administrator.

You can add a non-NATed managed host using inbound NAT for a public IP address. You can also use a dynamic IP address for outbound NAT. However, both must be located on the same switch as the Console or managed host. You must configure the managed host to use the same IP address for the public and private IP addresses.

When adding or editing a managed host, you can enable NAT for that managed host. You can also use the deployment editor to manage your NATed networks including:
• Adding a NATed Network to STRM
• Editing a NATed Network
• Deleting a NATed Network From STRM
• Changing the NAT Status for a Managed Host

Adding a NATed Network to STRM

To add a NATed network to your STRM deployment:
Step 1 In the deployment editor, click the NATed networks button.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.

Step 2 Click Add.

The Add New Nated Network window appears.

Step 3 Enter a name of a network you want to use for NAT.
Step 4 Click Ok.

The Manage NATed Networks window appears with the added NATed network.
Step 5 Click Ok.

A confirmation window appears.
Step 6 Click Yes.

Editing a NATed Network

To edit a NATed network:
Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.

Step 2 Select the NATed network you want to edit. Click Edit.

The Edit NATed Network window appears.

Step 3 Update the name of the network you want to use for NAT.
Step 4 Click Ok.

The Manage NATed Networks window appears with the updated NATed networks.
Step 5 Click Ok.

A confirmation window appears.
Step 6 Click Yes.

Deleting a NATed Network From STRM

To delete a NATed network from your deployment:
Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.
Step 2 Select the NATed network you want to delete.
Step 3 Click Delete.

A confirmation window appears.
Step 4 Click Ok.
Step 5 Click Yes.

Changing the NAT Status for a Managed Host

To change your NAT status for a managed host, make sure you update the managed host configuration within STRM before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host.

To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host.

The Edit a managed host wizard appears.
Step 3 Click Next.

The networking and tunneling attributes window appears.
Step 4 Choose one of the following:
a If you want to enable NAT for the managed host, select the check box. Go to Step 5.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation.

b If you want to disable NAT for the managed host, clear the check box. Go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Change public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.
• Manage NATs List - Update the NATed network configuration. For more information, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.

The System View appears with the updated host in the Managed Hosts panel.

Note: Once you change the NAT status for an existing managed host, error messages may appear. Ignore all error messages.
Step 8 Update the configuration for the device (firewall) with which the managed host is communicating.
Step 9 From the Admin tab menu, select Advanced > Deploy Full Configuration.

Configuring a Managed Host

To configure a managed host:

Step 1 From the System View, use the right mouse button (right-click) on the managed host you want to configure and select Configure.

The Configure host window appears.

Step 2 Enter values for the parameters:

• Minimum port allowed - Specify the minimum port for which you want to establish communications.
• Maximum port allowed - Specify the maximum port for which you want to establish communications.
• Ports to exclude - Specify the port you want to exclude from communications. You can enter multiple ports you want to exclude. Separate multiple ports using a comma.

Step 3 Click Save.

Assigning a Component to a Host

You can assign the STRM components added in the Flow or Event Views to the managed hosts in your deployment.

Note: This section provides information on assigning a component to a host using the System View; however, you can also assign components to a host in the Flow or Event Views.

To assign a host:

Step 1 Click the System View tab.
Step 2 From the Managed Host list, select the managed host to which you want to assign a STRM component.

The System View of the host appears.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Assign component wizard appears.
Step 5 From the Select a host to assign to drop-down list box, select the host that you want to assign to this component. Click Next.

Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.
Step 6 Click Finish.

Configuring Host Context

The Host Context component monitors all STRM components to make sure that each component is operating as expected. To configure Host Context:

Step 1 In the deployment editor, click the System View tab.

The System View appears.
Step 2 Select the Managed Host that includes the Host Context you want to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu item.

The Host Context Configuration window appears.

Step 5 Enter values for the parameters:

Table 8-5 Host Context Parameters

Disk Usage Sentinel Settings

Warning Threshold - When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage. The default is 0.75, therefore, when disk usage exceeds 75%, an e-mail is sent indicating that disk usage is exceeding 75%. If disk usage continues to increase above the configured threshold, a new e-mail is sent after every 5% increase in usage. By default, Host Context monitors the following partitions for disk usage:
• /
• /store
• /store/tmp
Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For more information, see Chapter 5 Setting Up STRM.

Shutdown Threshold - When the system exceeds the shutdown threshold, all STRM processes are stopped. An e-mail is sent to the administrator indicating the current state of the system. The default is 0.95, therefore, when disk usage exceeds 95%, all STRM processes stop. Specify the shutdown threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For more information, see Chapter 5 Setting Up STRM.

Recovery Threshold - Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90, therefore, processes will not be restarted until the disk usage is below 90%. Specify the recovery threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For more information, see Chapter 5 Setting Up STRM.

Inspection Interval - Specify the frequency, in milliseconds, that you want to determine disk usage.

SAR Sentinel Settings

Inspection Interval - Specify the frequency, in milliseconds, that you want to inspect SAR output. The default is 300,000 ms.

Alert Interval - Specify the frequency, in milliseconds, that you want to be notified that the thresholds have been exceeded. The default is 7,200,000 ms.

Time Resolution - Specify the time, in seconds, that you want the SAR inspection to be engaged. The default is 60 seconds.

Log Monitor Settings

Inspection Interval - Specify the frequency, in milliseconds, that you want to monitor the log files. The default is 60,000 ms.

Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The default is /var/log/qradar.error.

Alert Size - Specify the maximum number of lines you want to monitor from the log file. The default is 1000.

Step 6 Click Save.

The System View appears.
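The added example below (not STRM code, and not part of this guide) replays a constructed series of disk usage readings through the Table 8-5 rules, so the 5% re-alert behaviour and the gap between the shutdown and recovery thresholds are visible. The partition names and threshold defaults come from the table; the reading values and the action strings are assumptions.

```python
"""Disk usage sentinel behaviour from Table 8-5: warning, shutdown and
recovery thresholds with the 5% re-alert rule.

Added example, not STRM code. Host Context's real implementation is not
documented here; this replays constructed usage readings through the rules
the table states, with e-mails and process control reduced to returned
action strings.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MONITORED_PARTITIONS = ("/", "/store", "/store/tmp")   # defaults from Table 8-5


@dataclass
class DiskSentinel:
    warning: float = 0.75       # e-mail when usage exceeds this fraction
    shutdown: float = 0.95      # stop all STRM processes above this
    recovery: float = 0.90      # restart only once usage is below this
    realert_step: float = 0.05  # "a new e-mail is sent after every 5% increase"
    processes_stopped: bool = False
    # usage level at which the last warning e-mail was sent, per partition
    last_warned: Dict[str, float] = field(default_factory=dict)

    def inspect(self, usage: Dict[str, float]) -> List[str]:
        """Apply one inspection interval's readings and return the actions taken."""
        actions: List[str] = []
        worst = max(usage.values())
        if worst > self.shutdown and not self.processes_stopped:
            self.processes_stopped = True
            actions.append(f"shutdown e-mail: all STRM processes stopped ({worst:.0%} used)")
        elif self.processes_stopped and worst < self.recovery:
            # Hysteresis: between recovery and shutdown the processes stay down.
            self.processes_stopped = False
            actions.append(f"recovery: STRM processes restarted ({worst:.0%} used)")
        for mount, level in usage.items():
            if level <= self.warning:
                self.last_warned.pop(mount, None)    # re-arm once back under the threshold
                continue
            prev = self.last_warned.get(mount)
            # First breach, or another 5% of growth since the last e-mail.
            if prev is None or level - prev >= self.realert_step - 1e-9:
                self.last_warned[mount] = level
                actions.append(f"warning e-mail: {mount} at {level:.0%}")
        return actions


def simulate(readings: List[Dict[str, float]], **thresholds) -> List[List[str]]:
    """Run a series of readings through one sentinel; one action list per interval."""
    sentinel = DiskSentinel(**thresholds)
    return [sentinel.inspect(r) for r in readings]


def sample_readings() -> List[Dict[str, float]]:
    """Constructed /store fill-up and drain; / and /store/tmp stay quiet."""
    store = [0.70, 0.76, 0.79, 0.81, 0.96, 0.92, 0.88, 0.60]
    return [{"/": 0.40, "/store": s, "/store/tmp": 0.20} for s in store]
```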

Configuring STRM Components

This section provides information on configuring STRM components and includes:
• Configuring a Flow Collector
• Configuring a Flow Processor
• Configuring a Classification Engine
• Configuring an Update Daemon
• Configuring a Flow Writer
• Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate

Configuring a Flow Collector

The Flow Collector collects data from devices and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and STRM flow logs. The Flow Collector then groups related individual packets into a flow. A flow starts when the Flow Collector detects the first packet with a unique source IP address, destination IP address, source port, and destination port as well as other specific protocol options, which may determine the start of a communication. Each additional packet is evaluated and counts of bytes and packets are added to the statistical counters in the flow record. At the end of an interval, a status record of the flow is sent to a Flow Processor and statistical counters for the flow are reset. A flow ends when no activity for the flow is seen within the configured period of time.

Flow reporting generates records of all the active or expired flows during a specified period of time. STRM defines these flows as a communication session between two pairs of unique IP address/ports that use the same protocol. If the protocol does not support port-based connections, STRM combines all packets between the two hosts into a single flow record. However, a Flow Collector does not record flows until a connection is made to another STRM component and data is retrieved.

To configure a Flow Collector:

Step 1 In either the Flow or System View, select the Flow Collector you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The QFlow Configuration window appears.

Step 3 Enter values for the parameters:

Table 8-6 Flow Collector Parameters

Server Listen Port - The Flow Collector passes data to the next component in the process. Once the link is established, all collected data is passed for further processing. Specify the port that the Flow Collector monitors for incoming Flow Processor connections. The default range is from 32000 to 65535.

Flow Collector ID - In larger installations, several Flow Collectors can be installed throughout the deployment. As several Flow Collectors can function simultaneously, you must provide each Flow Collector a unique name. You can use that name to determine where data is originating from in the Collector View, if configured. Specify the Flow Collector ID.

Maximum Content Capture - Flow Collectors capture a configurable number of bytes at the start of each flow. Transferring large amounts of content across the network may affect network and STRM performance. On managed hosts where the Flow Collectors are located on close high-speed links, you can increase the content capture length. Specify the capture length, in bytes, to attach to a flow. The range is from 0 to 65535. A value of 0 disables content capture. The default is 64 bytes.
Note: Increasing content capture length will increase disk storage requirements for recommended disk allotment.

Alias Autodetection - Specify one of the following options:
• Yes - Allows the Flow Collector to detect external flow source aliases. When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and reports this information to all Flow Collectors in your deployment.
• No - Disables the Flow Collector from detecting external flow source aliases.

For more information on flow sources, see Chapter 9 Managing Flow Sources.
Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 8-7 Flow Collector Parameters

Maximum Data Capture/Packet - Specify the amount of bytes/packets you want the Flow Collector to capture.

Time Synchronization Server IP Address - Specify the IP address or hostname of the time server.

Time Synchronization Timeout Period - Specify the length of time you want the managed host to continue attempting to synchronize the time before timing out. The default is 15 minutes.

Endace DAG Interface Card Configuration - Specify the Endace Network Monitoring Interface card parameters. For more information, see the Qmmunity web site or contact Juniper Networks customer support.

Flow Buffer Size - Specify the amount of memory, in MB, that you want to reserve for flow storage. The default is 400 MB.

Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Collector to Flow Processors.

Verify NetFlow Sequence Numbers - Enables or disables the ability to check the incoming NetFlow sequence numbers to ensure that all packets are present and in the proper order. A notification appears if a packet is missing or received out-of-order.

Remove duplicate flows - Enables or disables the ability to remove duplicate flows.

External Flow De-duplication method - Specify the method you want to use to remove duplicate external flow sources (de-duplication). Options include:
• Source - Compares originating flow sources. This method of removing duplicate external flows compares the IP address of the device that exported the current external flow record to that of the IP address of the device that exported the first external record of the particular flow. If the IP addresses do not match, the current external flow record is discarded.
• Record - Compares individual external flow records. This method of removing duplicate external flows logs a list of every external flow record detected by a particular device and compares each subsequent record to that list. If the current record is found in the list, that record is discarded.

External flow record comparison mask - This parameter is only valid if you configure the External Flow De-duplication method parameter to Record. Specify the external flow record fields you want to use to remove duplicate flows. Valid options include: D (Direction), B (ByteCount), or P (PacketCount). Possible combinations of the options include:
• DBP - Uses direction, byte count, and packet count when comparing flow records.
• XBP - Uses byte count and packet count when comparing flow records.
• DXP - Uses direction and packet count when comparing flow records.
• DBX - Uses direction and byte count when comparing flow records.
• DXX - Uses direction when comparing flow records.
• XBX - Uses byte count when comparing records.
• XXP - Uses packet count when comparing records.

Flow Carry-over Window - Specify the number of seconds before the end of an interval that you want one-sided flows to be held over until the next interval if the flow. This allows time for the inverse side of the flow to arrive before being reported.

Minimum Buffer Data - Specify the minimum amount of data, in bytes, that you want the Endace Network Monitoring Interface Card to receive before the captured data is returned to the Flow Collector process. For example, if this parameter is 0 and no data is available, the Endace Network Monitoring Interface Card allows non-blocking behavior.

Maximum Wait Time - Specify the maximum amount of time, in microseconds, that you want the Endace Network Monitoring Interface Card to wait for the minimum amount of data, as specified in the Minimum Buffer Data parameter.

Polling Interval - Specify the interval, in microseconds, that you want the Endace Network Monitoring Interface Card to wait before checking for additional data. A polling interval avoids excessive polling traffic to the card and therefore conserves bandwidth and processing time.

Step 6 Click Save.

The deployment editor appears.
Step 7 Repeat for all Flow Collectors in your deployment you want to configure.
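The added example below (not STRM code, and not part of this guide) implements the Source and Record de-duplication methods and the D/B/P comparison mask from Table 8-7 over constructed external flow records. Treating the protocol 5-tuple as the record's flow identity, and the record field names, are assumptions.

```python
"""External flow de-duplication (Table 8-7): the Source and Record methods
and the D/B/P comparison mask.

Added example, not STRM code. The record layout, the use of the 5-tuple as
the record's flow identity, and the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Mask positions: D = direction, B = byte count, P = packet count; X = ignore.
MASK_FIELDS = {"D": "direction", "B": "byte_count", "P": "packet_count"}


@dataclass(frozen=True)
class ExternalFlowRecord:
    exporter: str        # IP address of the device that exported the record
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    direction: str       # "in" or "out"
    byte_count: int
    packet_count: int

    def flow_id(self) -> Tuple:
        """5-tuple identifying the flow the record belongs to (assumption)."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def parse_mask(mask: str) -> List[str]:
    """Validate a mask such as 'DBP', 'XBX' or 'DXX' and return the record
    attributes it selects. Each position accepts only its own letter or X,
    so 'BDP' or 'DB' are rejected; 'XXX' would compare nothing."""
    if len(mask) != 3:
        raise ValueError(f"mask must be 3 characters: {mask!r}")
    fields = []
    for expected, letter in zip("DBP", mask.upper()):
        if letter == "X":
            continue
        if letter != expected:
            raise ValueError(f"position for {expected} holds {letter!r} in {mask!r}")
        fields.append(MASK_FIELDS[letter])
    if not fields:
        raise ValueError("XXX compares nothing and would discard every record")
    return fields


def dedup_source(records: List[ExternalFlowRecord]) -> List[ExternalFlowRecord]:
    """Source method: the first device to export a flow owns it; records for
    the same flow from any other exporter are discarded."""
    owner: Dict[Tuple, str] = {}
    kept = []
    for rec in records:
        if owner.setdefault(rec.flow_id(), rec.exporter) == rec.exporter:
            kept.append(rec)
    return kept


def dedup_record(records: List[ExternalFlowRecord], mask: str = "DBP") -> List[ExternalFlowRecord]:
    """Record method: per exporter, remember every record seen (flow id plus
    the masked fields) and discard a record that is already in that list."""
    fields = parse_mask(mask)
    seen: Set[Tuple] = set()
    kept = []
    for rec in records:
        key = (rec.exporter, rec.flow_id()) + tuple(getattr(rec, f) for f in fields)
        if key in seen:
            continue
        seen.add(key)
        kept.append(rec)
    return kept


def sample_records() -> List[ExternalFlowRecord]:
    """Constructed records: one TCP flow exported by two devices, re-exported
    with identical and then with updated counters, plus an unrelated flow."""
    R = ExternalFlowRecord
    return [
        R("10.0.0.1", "192.168.1.10", "10.1.1.5", 6, 40000, 443, "out", 1500, 10),
        R("10.0.0.2", "192.168.1.10", "10.1.1.5", 6, 40000, 443, "out", 1500, 10),
        R("10.0.0.1", "192.168.1.10", "10.1.1.5", 6, 40000, 443, "out", 1500, 10),
        R("10.0.0.1", "192.168.1.10", "10.1.1.5", 6, 40000, 443, "out", 3200, 22),
        R("10.0.0.1", "192.168.1.11", "10.1.1.5", 6, 40001, 53, "out", 80, 1),
    ]
```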

Configuring a Flow Processor

A Flow Processor collects and consolidates data from one or more Flow Collector(s). Flow Processors are located between the Classification Engine, Flow Collectors, and other Flow Processors. You can connect multiple Flow Processors in a series. A Flow Processor removes duplicate flows and creates superflows (aggregate flows) before the flows reach the main Classification Engine.

A superflow is multiple flows with the same properties combined into one flow, which details one-sided communications and security events, such as scanning and attacks, without losing the information stored in the thousands of individual flows created by an infected host or attacker. The flow contains only the communications that received no response. Valid communications from the attacking or infected hosts are stored in the flow logs. Using superflows, STRM is able to scale to larger environments and manage large attacks without overloading. Superflows can last long periods of time, just like normal flows. STRM manages superflows in the same manner as regular flows. Superflows are logged every interval and detail the state of the flow during that time period. You can also investigate flows using the Network Surveillance interface to further expand superflows into more traditional flows, which allows for flexible analysis.

Note: For more information on the Network Surveillance interface, see the STRM Users Guide.

Some normally occurring network communications generate flows for which there are no responses, such as web requests to a failed web server or to a host that is down. One-sided flows are generally not a high risk threat and should not apply to superflows. For this reason, there is a configurable threshold for superflow generation, which a host has to breach before the flows are bundled into superflows. You can also configure branch filtering in the Flow Processor, which allows you to distribute network processing across multiple Classification Engines.
A branch filter consists of a branch and a flow class definition. The branch filter configuration controls which flows a component receives. When configuring branch filtering, you must use groups located at the top of your network hierarchy. For the Flow Processor, the branch filter specifies which flows the Flow Processor receives from flow sources. To configure a Flow Processor:
Step 1 In either the Flow or System View, select the Flow Processor you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Flow Processor window appears.

Step 3 Enter values for the parameters:

Table 8-8 Flow Processor Parameters

Flow Processor Listen Port - The Classification Engine connects to the Flow Processor to accept flows through a TCP/IP link. Specify the port that the Flow Processor monitors for incoming connections. The default range is from 32,000 to 65,535.

Flow Collectors - When the Flow Processor starts, it attempts to establish a link with one or more Flow Collector(s). If the Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically until it succeeds. You can have multiple Flow Collectors in your deployment and each Flow Collector can be connected to a different time server. This parameter also indicates whether the Flow Collector is local or remote. Specifies the list of default Flow Collectors to which the Flow Processor will connect. The information is entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Collector.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Collector is separated with a comma. The default is localhost:32000.

Flow Processors - Specifies the list of Flow Processors attached to this Flow Processor. You can have multiple Flow Processors in your deployment and each Flow Processor can be connected to a different time server. This parameter also indicates whether the Flow Processor is local or remote. If a component is identified as remote, any flows sent to the local Flow Processor are tagged with local interval time. This parameter is for information purposes only and is not amendable. The values are entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Processor.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Processor is separated with a comma.

Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 8-9 Flow Processor Parameters

Create Flow Bundles - Specify one of the following options:
• Yes - Allows the Flow Processor to group flows that have similar properties.
• No - Disables the bundling of flows.

Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Processor to the Classification Engines. If set to 0, the number of flows is unlimited.

Time Difference for Duplicate Flows - Specify the time difference threshold that determines if duplicate flows are present, in microseconds. The default is 500,000.

Type A Superflows - Specify the threshold for type A superflows, which is one host sending data to many hosts. A type A superflow is a unidirectional flow that is an aggregate of all flows that have the same protocol, source bytes, source hosts, destination network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), ICMP type, and code (ICMP flows only) but different destination hosts.

Type B Superflows - Specify the threshold for type B superflows, which is many hosts sending data to one host. A type B superflow is a unidirectional flow that is an aggregate of all flows that have the same protocol, source bytes, source packets, destination host, source network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), ICMP type, and code (ICMP flows only), but different source hosts.

Type C Superflows - Specify the threshold for type C superflows, which is one host sending data to another host. A type C superflow is a unidirectional flow that is an aggregate of all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets but different source or destination ports.

IP Address(es) Range Conversion - Specify an IP address or CIDR range to convert to another IP address or CIDR range from the Flow Processor. This allows STRM to identify data sources on networks with similar IP addresses when a single Flow Processor is used to process many data sources. Enter the information in the following format:
<IP address>:<convert>
Where:
<IP address> specifies the IP address or CIDR range to be converted.
<convert> specifies the desired conversion range.
This option is also available in the Flow Collector.

Maximum Content for Destination STRM Components - A content filter controls where content is denied/allowed. Apply filters in the following format:
<CIDR>:<bytes of content>
Where:
<CIDR> is a CIDR range.
<bytes of content> is the amount of content allowed. For example, 64 bytes of content or 128 bytes of content.
The filter is case sensitive. You must use either all uppercase or all lowercase characters. For example:
If CIDR=10.100.100.0/24 and you want to allow 64 bytes of content, enter: 10.100.100.0/24:64
If CIDR=10.100.100.0/24 and you want to deny the content, enter: 10.100.100.0/24:0
If CIDR=10.100.100.0/24 and you want to allow content only to this CIDR, enter: default:0, 10.100.100.0/24:64

Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilites
Corporate_HQ,other

Recombine Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. You can combine flows received from either a single or multiple Flow Collectors. However, if you want to combine flows from multiple Flow Collectors, you must configure flow sources in the Asymmetric Flow Source Interface(s) parameters in the Flow Collector configuration. For more information, see Configuring a Flow Collector. Choose one of the following options:
• Yes - Asymmetric flows are combined.
• No - Asymmetric flows are not combined.

Ignore Asymmetric Superflows - Specify whether you want to enable the creation of superflows while asymmetric flows are enabled. The default is Yes, which means superflows are created.

Enable Application Mapping - Choose one of the following:
• Yes - Application mapping is applied, as defined in your mapping file. For more information, see the STRM Default Application Configuration Guide. This is the default.
• No - Application mapping is not applied.

User Application Mapping - Specify the name of the file that contains your custom application mappings. For more information, see the STRM Default Application Configuration Guide.

Block Content - Choose one of the following options:
• Yes - All content captured in the flows is removed from the Flow Processor.
• No - Content capture is not removed from flows.

Payload Modification - Specify a string to which you want all content to be changed.

Step 6 Click Save.

The deployment editor appears.
Step 7 Repeat for all Flow Processors in your deployment you want to configure.
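The added example below (not STRM code, and not part of this guide) applies the type A, B and C grouping rules from Table 8-9 to constructed one-sided flows, so that a SYN sweep becomes one type A superflow and a port probe one type C superflow while two harmless requests to a down web server pass through. Assumptions: a /24 stands in for the STRM network hierarchy, and each threshold is read as the number of distinct destination hosts (A), source hosts (B) or port pairs (C) a key must span.

```python
"""Type A, B and C superflow grouping as described in Table 8-9.

Added example, not STRM code. The Flow fields, the /24 stand-in for the STRM
network hierarchy, the threshold semantics (distinct hosts or port pairs per
key) and the sample traffic are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    src_bytes: int
    dst_bytes: int
    src_packets: int
    dst_packets: int
    tcp_flags: str = ""   # e.g. "S" for an unanswered SYN
    icmp_type: int = -1
    icmp_code: int = -1

    @property
    def one_sided(self) -> bool:
        # Superflows only contain communications that received no response.
        return self.dst_packets == 0

def network_of(host: str) -> str:
    """Stand-in for the network hierarchy lookup: each /24 is one network."""
    return str(ip_network(f"{host}/24", strict=False))

def _l4(f: Flow) -> Tuple:
    """Protocol-specific fields that must match, per Table 8-9."""
    if f.proto == "icmp":
        return (f.icmp_type, f.icmp_code)
    if f.proto == "tcp":
        return (f.dport, f.tcp_flags)
    return (f.dport,)

def superflow_key(f: Flow, kind: str) -> Optional[Tuple[Tuple, object]]:
    """Return (fields that must match, field that may differ), or None when
    the flow is not eligible for that superflow type."""
    if kind == "A":       # one host sending to many hosts
        return ("A", f.proto, f.src_bytes, f.src, network_of(f.dst)) + _l4(f), f.dst
    if kind == "B":       # many hosts sending to one host
        return ("B", f.proto, f.src_bytes, f.src_packets, f.dst,
                network_of(f.src)) + _l4(f), f.src
    if kind == "C":       # one host to one host on varying ports, non-ICMP only
        if f.proto == "icmp":
            return None
        return ("C", f.proto, f.src, f.dst, f.src_bytes, f.dst_bytes,
                f.src_packets, f.dst_packets), (f.sport, f.dport)
    raise ValueError(f"unknown superflow type {kind!r}")

def bundle(flows: List[Flow], thresholds: Dict[str, int]):
    """Bundle one-sided flows whose key spans at least thresholds[kind] distinct
    varying values. Returns (superflows, flows passed through unchanged)."""
    varying = defaultdict(set)                 # (kind, fixed key) -> differing values
    for f in flows:
        if f.one_sided:
            for kind in "ABC":
                kv = superflow_key(f, kind)
                if kv:
                    varying[(kind, kv[0])].add(kv[1])
    superflows: Dict[Tuple, Dict[str, int]] = {}
    passthrough: List[Flow] = []
    for f in flows:
        placed = False
        if f.one_sided:
            for kind in "ABC":                 # first type over its threshold wins
                kv = superflow_key(f, kind)
                if kv and len(varying[(kind, kv[0])]) >= thresholds[kind]:
                    sf = superflows.setdefault((kind, kv[0]), {"flows": 0, "distinct": 0})
                    sf["flows"] += 1
                    sf["distinct"] = len(varying[(kind, kv[0])])
                    placed = True
                    break
        if not placed:
            passthrough.append(f)              # answered and low-volume one-sided flows
    return superflows, passthrough

def sample_flows() -> List[Flow]:
    """Constructed traffic: a 12-host SYN sweep on port 445, a 4-port probe of one
    host, two requests to a web server that is down, three answered sessions."""
    flows = [Flow("tcp", "10.0.5.9", f"10.20.30.{i}", 40000 + i, 445, 60, 0, 1, 0, "S")
             for i in range(1, 13)]
    flows += [Flow("tcp", "10.0.5.9", "10.20.30.50", 41000 + p, p, 60, 0, 1, 0, "S")
              for p in (21, 22, 23, 25)]
    flows += [Flow("tcp", h, "10.20.30.80", 50000, 80, 60, 0, 1, 0, "S")
              for h in ("10.0.7.20", "10.0.7.21")]
    flows += [Flow("tcp", f"10.0.7.{30 + i}", "10.20.30.80", 51000 + i, 443, 900, 12000, 9, 14, "SA")
              for i in range(3)]
    return flows
```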

Configuring a Classification Engine

The Classification Engine receives inputs from one or more Flow Processor(s), classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk. Using the deployment map, you can either enable or disable views and configure a Classification Engine. To configure a Classification Engine:

Step 1 In either the Flow or System View, select the Classification Engine you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Classification Engine window appears.

Step 3 Enter values for the parameters:

Table 8-10 Classification Engine Parameters

Classification Engine Server Listen Port - Specify the port that the Classification Engine monitors for incoming connections. The default range is from 32,000 to 65,535.

Flow Processor Connections - When the Classification Engine starts, it attempts to establish a TCP/IP communications link with one or more Flow Processor(s) to retrieve flows. If the Flow Processors cannot be reached, the Classification Engine attempts to establish the link periodically until it succeeds. This parameter is for information purposes only and is not amendable. Specifies the list of Flow Processor connections using the following format: <hostname>:<port>. The default is localhost:32001. Each entry is separated with a comma.

Update Daemon Connections - Specifies the hostname and port of the Update Daemon to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format: <hostname>:<port>. The default is localhost:32002.

Flow Writer Connection - Specifies the hostname and port of the Flow Writer to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format: <hostname>:<port>. The default is localhost:32010.

Event Collector Connections - Specifies the hostname and port of the Event Collector that sends data to the Classification Engine. This parameter is for information purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 8-11 Classification Engine Parameters

Forward Flow Data - Specify one of the following options:
• Yes - Process view data only and do not forward flows. This is the default.
• No - Process and forward all data.

Process Defined Views Only - If you are using a distributed processing Console, specify the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks customer support.

Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin until the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilites,Corporate_HQ,other

Network Object Limit - Specify the maximum number of network objects you want to allow.

Asset Profile Threshold - Specify the maximum number of asset profiles you want to monitor. The default is 25,000.

Remote Host Cache Clear Interval - Specify the period of time, in seconds, that you want to retain the log files that are stored as the result of a remote view lookup.

Step 6 Click Save.

The deployment map appears.
Step 7 Repeat for all Classification Engines in your deployment you want to configure.

Configuring an Update Daemon

Once the Classification Engine has processed the flows for an interval, the Update Daemon stores the database and TopN data. Depending on the size of your deployment, you may have multiple Update Daemons. To configure an Update Daemon:

Step 1 In either the Flow or System View, select the Update Daemon you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items. The Update Daemon Configuration window appears.


Step 3 For the Server listen port parameter, specify the Update Daemon listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 8-12 Update Daemon Parameters

Database Storage Location - Specify the directory in which you want to store the database information. The default is /store/db.

TopN Database Storage Location - Specify the directory in which you want to store the TopN database. The default is /store/qradar-tmp/topn.

Step 6 Click Save.

The deployment map appears.
Step 7 Repeat for all Update Daemons in your deployment you want to configure.

Configuring a Flow Writer

Once the Classification Engine has processed the flows for an interval, the Flow Writer stores the flow and asset profile data. You can only have one Flow Writer per host, which must be connected to the Classification Engine. To configure a Flow Writer:

Step 1 In either the Flow or System View, select the Flow Writer you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Flow Writer Configuration window appears.

Step 3 For the Server listen port parameter, specify the Flow Writer listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters:

Table 8-13 Flow Writer Advanced Parameters

Maximum Hosts Count Before a Reset - Specify the maximum number of hosts you want the system to store before all counters are reset. A lower reset threshold uses disk space more efficiently, but may lengthen query times.

Step 6 Click Save.

The deployment map appears.

Configuring an Event Collector

The Event Collector collects security events from various types of security devices in your network. To configure an Event Collector:

Step 1 From either the Event View or System View, select the Event Collector you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items. The Event Collector Configuration window appears.


Step 3 Enter values for the parameters:

Table 8-14 Event Collector Parameters

Event Collector Server Listen Port - The Event Collector monitors at least one device per instance of the component.

Destination Event Processor - Specify the destination Event Processor for communications.

Listen Port - Specifies the listening port for event forwarding.

Event Targets - If the Event Collector includes an off-site target, this parameter specifies the normalized event forwarding devices, separated by commas, using the following format: <device>:<type>. This parameter is for informational purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters:

Table 8-15 Event Collector Advanced Parameters

Receives Flow Context - Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable.

Auto Detection Enabled - Specify whether you want the Event Collector to automatically analyze and accept traffic from previously unknown log sources. The default is True, which means that the Event Collector detects log sources in your network. Also, when set to True, the appropriate firewall ports are opened to enable auto detection to receive events. Note that with auto detection enabled the Event Collector therefore listens for and accepts events from hosts you have not configured as log sources, not only from the ones you have; if you set it to False, new log sources must be added manually. For more information on configuring log sources, see the Managing Log Sources Guide.

Step 6 Click Save.

The deployment editor appears.
Step 7 Repeat for all Event Collectors in your deployment you want to configure.

Configuring an Event Processor

The Event Processor processes events collected from one or more Event Collector(s). To configure an Event Processor:

Step 1 From either the Event View or System View, select the Event Processor you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items. The Event Processor Configuration window appears.

Step 3 Enter values for the parameters:

Table 8-16 Event Processor Parameters

Event Processor Server Listen Port - Specify the port that the Event Processor monitors for incoming connections. The default range is from 32,000 to 65,535.

Destination Magistrate - Specifies the Magistrate to which events are sent. This parameter is for informational purposes only and is not amendable.

Classification Engines - All Event Processors are connected to all Classification Engines in your deployment. Specifies all Classification Engines in your deployment. This parameter is for informational purposes only and is not amendable.

ESA Server - Specifies the Event Statistical Aggregation (ESA) server to which the Event Processor is connected. This parameter is for informational purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 8-17 Event Processor Parameters

Overflow Routing Threshold - Specify the events per second threshold that the Event Processor can manage. Events over this threshold are placed in the cache.

Events database path - Specify the location in which you want to store events. The default is /store/ariel/events.

Payloads database path - Specify the location in which you want to store payload information. The default is /store/ariel/payloads.

Step 6 Click Save.


The deployment editor appears.
Step 7 Repeat for all Event Processors in your deployment you want to configure.

Configuring the Magistrate

The Magistrate component provides the core processing components of the SIM option. To configure the Magistrate component:

Step 1 From either the Event View or System View, select the Magistrate component you want to configure.
Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items. The Magistrate Configuration window appears.

Step 3 Enter values for the parameters:

Table 8-18 Magistrate Parameters

Magistrate Server Listen Port - Specify the port that the Magistrate monitors for incoming connections. The default range is from 32,000 to 65,535.

ESA Server - Specifies the Event Statistical Aggregation (ESA) server to which the Magistrate is connected. This parameter is for informational purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 For the Overflow Routing Threshold, specify the events per second threshold that the Magistrate can manage. Events over this threshold are placed in the cache. The default is 20,000.
Step 6 Click Save.

The deployment editor appears.

9

MANAGING FLOW SOURCES

This chapter provides information on managing flow sources in your deployment including:
• About Flow Sources
• Managing Flow Sources
• Managing Flow Source Aliases

About Flow Sources

STRM allows you to integrate internal and external flow sources:

• Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the internal flow sources may include:
  Network interface card
  Endace Network Monitoring Interface Card
  Napatech Interface

• External flow sources - Configures an external flow source for the Flow Collector. If your Flow Collector receives multiple flow sources, you can assign each source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same Flow Collector. To assign names to multiple flow sources, you must configure the External Flow Source Interface Name parameter in the Flow Collector component. External flow sources may include:
  NetFlow
  sFlow
  J-Flow
  Packeteer
  Flowlog File

STRM can forward external flow source data using a spoofing or non-spoofing method:

• Spoofing - Resends the inbound data received from flow sources to a secondary destination. To ensure flow source data is sent to a secondary destination, configure the Monitoring Interface in the Flow Source configuration (see Adding a Flow Source) to the port on which data is being received (management port). When you use a specific interface, the QFlow Collector uses a promiscuous mode capture to obtain flow source data, rather than the default UDP listening port on port 2055. This allows the QFlow Collector to capture flow source packets and forward the data with the original source address intact.

• Non-Spoofing - For the non-spoofing method, configure the Monitoring Interface in the Flow Source Configuration (see Adding a Flow Source) as Any. The QFlow Collector opens the listening port, which is the port configured as the Monitoring Port, to accept flow source data. The data is processed and forwarded to another flow source destination. The source IP address of the forwarded data becomes the IP address of the STRM system, not the original router that sent the data, so the secondary destination sees the STRM system, not the router, as the exporter and must be configured accordingly.

NetFlow

A proprietary accounting technology developed by Cisco Systems® Inc. that monitors traffic flows through a switch or router, interprets the client, server, protocol, and port used, counts the number of bytes and packets, and sends that data to a NetFlow collector. The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure STRM to accept NDEs and thus become a NetFlow collector. STRM supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see www.cisco.com.

While NetFlow expands the amount of the network that is monitored, NetFlow uses a connection-less protocol (UDP) to deliver NDEs. Once an NDE is sent from a switch or router, the NetFlow record is purged. Because UDP does not guarantee delivery, an NDE lost in transit is never retransmitted; the result is inaccurate recording and reduced alerting capability, which can show up as inaccurate traffic volumes and bi-directional flows.

Once you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. Note that if you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.
• Make sure the appropriate ports are configured for your Flow Collector.

If you are using NetFlow version 9, make sure the NetFlow template from the NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES and/or OUT_BYTES
• IN_PKTS and/or OUT_PKTS
• TCP_FLAGS (TCP flows only)
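Neither the UDP transport nor the template requirement above gives the collector operator any feedback unless the export packets themselves are inspected. The following Python script is an added example, not part of this guide or of STRM: it parses a NetFlow v9 export packet, reports which of the fields listed above are missing from each template the exporter sends, and uses the v9 header sequence number (which counts export packets per exporter and source ID) to count packets that never arrived. The field type numbers are the RFC 3954 values; the sample packets, the exporter address 192.0.2.10 and the reorder window of 64 are constructed assumptions for the demonstration.

```python
"""Offline sanity checks for NetFlow v9 exports (added example, not STRM code):
field coverage of each template and export-packet loss from header sequence gaps."""
import struct

# RFC 3954 / Cisco NetFlow v9 field type IDs for the fields the guide requires.
FIELD_IDS = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "TCP_FLAGS": 6,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "L4_DST_PORT": 11,
    "IPV4_DST_ADDR": 12, "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22,
    "OUT_BYTES": 23, "OUT_PKTS": 24,
}
REQUIRED = ("FIRST_SWITCHED", "LAST_SWITCHED", "PROTOCOL", "IPV4_SRC_ADDR",
            "IPV4_DST_ADDR", "L4_SRC_PORT", "L4_DST_PORT")
EITHER = (("IN_BYTES", "OUT_BYTES"), ("IN_PKTS", "OUT_PKTS"))
TEMPLATE_FLOWSET_ID = 0
HEADER_FMT = "!HHIIII"   # version, count, sysUptime, unixSecs, sequence, sourceId
REORDER_WINDOW = 64      # assumption: a step back smaller than this is reordering, not a restart


def parse_v9(packet):
    """Return (header dict, {template_id: [field types]}) for one v9 export packet.
    Only template FlowSets (ID 0) are decoded; options templates and data
    FlowSets are skipped because the field check does not need them."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack(HEADER_FMT, packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    header = {"count": count, "sys_uptime": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    templates = {}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % off)
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:          # at most 3 bytes of padding can follow
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > end:
                    raise ValueError("template %d truncated" % tid)
                templates[tid] = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])[0]
                                  for i in range(nfields)]
                pos += 4 * nfields
        off += fs_len
    return header, templates


def check_template(field_types):
    """Names of guide-required fields absent from a template, in guide order."""
    present = set(field_types)
    missing = [name for name in REQUIRED if FIELD_IDS[name] not in present]
    for a, b in EITHER:
        if FIELD_IDS[a] not in present and FIELD_IDS[b] not in present:
            missing.append(a + " or " + b)
    # TCP_FLAGS is required for TCP flows; a template cannot declare that it only
    # describes non-TCP traffic, so its absence is always reported.
    if FIELD_IDS["TCP_FLAGS"] not in present:
        missing.append("TCP_FLAGS")
    return missing


class SequenceTracker:
    """Count lost export packets per (exporter, source_id). In v9 the header
    sequence number counts export packets (v5 counts flows), so the gap between
    consecutive values is the number of packets that never reached us."""
    def __init__(self):
        self._last = {}

    def observe(self, exporter_ip, source_id, sequence):
        key = (exporter_ip, source_id)
        prev = self._last.get(key)
        if prev is None:
            self._last[key] = sequence
            return 0
        gap = (sequence - prev - 1) & 0xFFFFFFFF      # 32-bit wrap-safe
        if gap < 0x80000000:
            self._last[key] = sequence
            return gap
        # Sequence went backwards: a small step is a reordered datagram (keep prev);
        # a large one means the exporter restarted and its counter reset (resync).
        if ((prev - sequence) & 0xFFFFFFFF) >= REORDER_WINDOW:
            self._last[key] = sequence
        return 0


def build_v9_template_packet(sequence, template_id, field_types, source_id=1):
    """Construct a minimal v9 packet holding one template FlowSet (sample data;
    every field length is set to 4 because only the field types are checked)."""
    body = struct.pack("!HH", template_id, len(field_types))
    body += b"".join(struct.pack("!HH", ft, 4) for ft in field_types)
    flowset = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body
    header = struct.pack(HEADER_FMT, 9, 1, 120000, 1270000000, sequence, source_id)
    return header + flowset


def audit_exporter(exporter_ip, packets, tracker=None):
    """Run both checks over packets from one exporter. Returns
    {"lost_packets": n, "templates": {template_id: [missing field names]}}."""
    if tracker is None:
        tracker = SequenceTracker()
    lost, results = 0, {}
    for pkt in packets:
        header, templates = parse_v9(pkt)
        lost += tracker.observe(exporter_ip, header["source_id"], header["sequence"])
        for tid, fields in templates.items():
            results[tid] = check_template(fields)
    return {"lost_packets": lost, "templates": results}


# Constructed sample: a complete template (seq 1), then a template missing the
# L4 ports and TCP flags (seq 4), so export packets 2 and 3 were lost in between.
GOOD_FIELDS = [FIELD_IDS[n] for n in ("FIRST_SWITCHED", "LAST_SWITCHED", "PROTOCOL",
               "IPV4_SRC_ADDR", "IPV4_DST_ADDR", "L4_SRC_PORT", "L4_DST_PORT",
               "IN_BYTES", "IN_PKTS", "TCP_FLAGS")]
BAD_FIELDS = [FIELD_IDS[n] for n in ("FIRST_SWITCHED", "LAST_SWITCHED", "PROTOCOL",
              "IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IN_BYTES", "IN_PKTS")]
SAMPLE_PACKETS = [
    build_v9_template_packet(1, 256, GOOD_FIELDS),
    build_v9_template_packet(4, 257, BAD_FIELDS),
]

if __name__ == "__main__":
    print(audit_exporter("192.0.2.10", SAMPLE_PACKETS))
```

In practice you would feed audit_exporter() datagrams read from a UDP socket bound to the flow source's Monitoring Port (2055 for the first NetFlow source) before the exporter is pointed at the Flow Collector; a non-empty missing list for a template means STRM will receive records it cannot fully use, and a non-zero lost count on a quiet link usually points at a firewall or a rate-limited path rather than at the exporter.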

sFlow

A multi-vendor and end-user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously. sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. STRM supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on sFlow, see www.sflow.org.

sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the sFlow record is purged. Because UDP does not guarantee delivery, lost sFlow datagrams result in inaccurate recording and reduced alerting capability, which can show up as inaccurate traffic volumes and bi-directional flows.

Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.

J-Flow

A proprietary accounting technology used by Juniper® Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on J-Flow, see www.juniper.net.

J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the J-Flow record is purged. Because UDP does not guarantee delivery, lost J-Flow records result in inaccurate recording and reduced alerting capability, which can show up as inaccurate traffic volumes and bi-directional flows.

Once you configure an external flow source for J-Flow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.

Packeteer

Packeteer devices collect, aggregate, and store network performance data. Once you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to STRM.

Packeteer uses a connection-less protocol (UDP). Once data is sent from a Packeteer device, the record is purged. Because UDP does not guarantee delivery, lost Packeteer records result in inaccurate recording and reduced alerting capability, which can show up as inaccurate traffic volumes and bi-directional flows.

To configure Packeteer as an external flow source, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure that you configure Packeteer devices to export flow detail records and configure the Flow Collector as the destination for the data export.
• Make sure the appropriate ports are configured for your Flow Collector.
• Make sure that the class IDs from the Packeteer devices are detected automatically by the Flow Collector.
• For additional information on mapping Packeteer applications into STRM, see the Mapping Packeteer Applications into STRM Technical Note.

Flowlog File

A file generated from the STRM flow logs.

Napatech Interface

If you have a Napatech Network Adapter installed on your STRM system, the Napatech Interface option appears as a configurable packet-based flow source in the STRM interface. The Napatech Network Adapter provides a next-generation programmable and intelligent network adapter for your network. For more information regarding Napatech Network Adapters, see your Napatech documentation.

Managing Flow Sources

For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance. STRM also includes a default NetFlow flow source. If STRM is installed on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a Network Interface Card (NIC)). Also, once you assign a Flow Collector, STRM includes a default NetFlow flow source. This section includes:
• Adding a Flow Source
• Editing a Flow Source
• Enabling/Disabling a Flow Source
• Deleting a Flow Source

Adding a Flow Source

To add a flow source:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.

Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Flow Sources icon.

The Flow Source window appears.

Step 5 Click Add.

The Add Flow Source window appears.

Step 6 Enter values for the parameters:

Table 9-1 Add Flow Source

Build from existing flow source - Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.

Flow Source Name - Specify the name of the flow source. We recommend that for an external flow source that is also a physical device, you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. For example, if you want to use NetFlow traffic, enter nf1.

Target Flow Collector - Using the drop-down list box, select the Flow Collector you want to use for this flow source.

Flow Source Type - Using the drop-down list box, select the flow source type for this flow source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v.5, v.7, or v.9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v.5
• Napatech, if applicable.
• Endace, if applicable.

Enable Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select the check box if you want to enable asymmetric flows for this flow source.
Step 7 Choose one of the following:

a If you select Flowlog File as the Flow Source Type, configure the Source File Path, which is the source path location for the flow log file.

b If you select JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source Type, configure the following:

Table 9-2 External Flow parameters

Monitoring Interface - Using the drop-down list box, select the monitoring interface you want to use for this flow source.

Monitoring Port - Specify the port you want this flow source to use. For the first NetFlow flow source configured in your network the default port is 2055. For each additional NetFlow flow source, the default port number increments by 1. For example, the default port for the second NetFlow flow source is 2056.

Enable Flow Forwarding - Select the check box to enable flow forwarding for this flow source. Once the check box is selected, the following options appear:
• Forwarding Port - Specify the port to which you want to forward flows. The default is 1025.
• Forwarding Destinations - Specify the destinations to which you want to forward flows. You can add or remove addresses from the list using the Add and Remove buttons.

c If you select Napatech Interface as the Flow Source Type, select the Flow Interface you want to assign to this flow source.

Note: The Napatech Interface option only appears if you have a Napatech Network Adapter installed in your system.

d If you select Network Interface as the Flow Source Type, configure the following:

Table 9-3 Network Interface Parameters

Flow Interface - Using the drop-down list box, select the network interface you want to assign to this flow source. Note: You can only configure one flow source per Ethernet interface. Also, you cannot send different flow types to the same port.

Filter String - Specify the filter string for this flow source.

Step 8 Click Save.

Step 9 From the Admin tab menu, click Deploy Changes.

Editing a Flow Source

To edit a flow source:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Data Sources.

The Data Source interface appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Flow Sources icon.

The Flow Source window appears.

Step 5 Select the flow source you want to edit.
Step 6 Click Edit.

The Edit Flow Source window appears.

Step 7 Edit values, as necessary. For more information on values for flow source types, see Adding a Flow Source.
Step 8 Click Save.
Step 9 From the Admin tab menu, click Deploy Changes.

Enabling/Disabling a Flow Source

To enable or disable a flow source:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Flow Sources icon.

The Flow Source window appears.

Step 5 Select the flow source you want to enable or disable.
Step 6 Click Enable/Disable.

The Enabled column indicates if the flow source is enabled or disabled. If the flow source was previously disabled, the column now indicates True to indicate the flow source is now enabled. If the flow source was previously enabled, the column now indicates False to indicate the flow source is now disabled.
Step 7 From the Admin tab menu, click Deploy Changes.


Deleting a Flow Source

To delete a flow source:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Flow Sources icon.

The Flow Source window appears.
Step 5 Select the flow source you want to delete.
Step 6 Click Delete.

A confirmation window appears.
Step 7 Click Ok.
Step 8 From the Admin tab menu, click Deploy Changes.

Managing Flow Source Aliases

You can configure a virtual name (or alias) for flow sources. You can identify multiple sources being sent to the same Flow Collector, using the source IP address and virtual name. An alias allows a Flow Collector to uniquely identify and process data sources being sent to the same port. When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and it is reported to all Flow Collectors in your deployment. A name obtained this way is whatever PTR record the owner of the reverse zone for that address publishes, so treat an automatically detected alias as a label rather than as an authenticated identity for the exporter.

Note: Using the deployment editor, you can configure the Flow Collector to automatically detect flow source aliases. For more information, see Configuring a Flow Collector in Chapter 8 Using the Deployment Editor.

This section includes:
• Adding a Flow Source Alias
• Editing a Flow Source Alias
• Deleting a Flow Source Alias

Adding a Flow Source Alias

To add a flow source alias:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Manage Flow Source Aliases icon.

The Flow Source Alias window appears.
Step 5 Click Add.

The Flow Source Alias Management window appears.

Step 6 Enter values for the parameters:

• •

IP - Specify the IP address of the flow source alias. Name - Specify the name of the flow source alias.

Step 7 Click Save.
Step 8 From the Admin tab menu, click Deploy Changes.

Editing a Flow Source Alias

To edit a flow source alias:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Manage Flow Source Aliases icon.

The Flow Source Alias window appears.
Step 5 Select the flow source alias you want to edit.
Step 6 Click Edit.

The Flow Source Alias Management window appears.
Step 7 Update values, as necessary.
Step 8 Click Save.
Step 9 From the Admin tab menu, click Deploy Changes.


Deleting a Flow Source Alias

To delete a flow source alias:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel appears.
Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Manage Flow Source Aliases icon.

The Flow Source Aliases window appears.
Step 5 Select the flow source alias you want to delete.
Step 6 Click Delete.

A confirmation window appears.
Step 7 Click Ok.
Step 8 From the Admin tab menu, click Deploy Changes.

10

MANAGING SENTRIES

Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries, however, only an administrative user can configure advanced sentries on a system-wide basis. Note: For information on creating sentries using the Network Surveillance interface, see the STRM Users Guide. This chapter provides information on managing STRM sentries including:
• About Sentries
• Viewing Sentries
• Editing Sentry Details
• Managing Packages
• Managing Logic Units

About Sentries

You can create sentries that perform actions when certain specified conditions are met. These actions may include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type. You can save Packages and Logic Units for use with other sentries. For example, if you create a DDoS package, you can create sentries at different locations in your network using the DDoS package. Similarly, an administrative user can create a package for other non-administrative users to use. Sentries contain the following components:
• Logic Unit - Includes the specific algorithm used to test objects. The Logic Unit contains the default variables for the sentry.
• Package - Contains the view objects (default variables) that are forwarded to the Logic Unit and default variables to be used by the sentry. All variables in the Package configuration have priority over the Logic Unit variables. The objects are created from any defined STRM view, with the exception of the main network view. For example, a package may contain all applications that you want to monitor for inappropriate use.
• Sentry - Specifies the network location to which you want the sentry to apply. The network location component of the sentry can also specify any restrictions that you want to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables. For example, you can configure a sentry to monitor the accounting department network location between 8 am and 5 pm. However, you can also specify that you only want to be notified of any misuse if the activity continues for more than 10 minutes.

Viewing Sentries

To view the default or deployed sentries:

Step 1 Click the Admin tab.

The Admin interface appears.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Sentries icon.

If this is the first time you are accessing the Sentries window, the Sentry Initialization window appears. Go to Step 4.

If this is not your first time accessing the Sentries window, go to Step 5.
Step 4 Choose one of the following options: a

If you want to include default sentries in your sentry list, click Create Sentries. If you want to use the default sentries, you must tune these sentries for your system. The default sentries that appear depend on the template chosen during the installation process. For more information on the defaults, see: Enterprise Template - See Enterprise Template Defaults. University Template - See University Template Defaults.

b

If you do not want to include preconfigured sentries in your list, click Cancel.

The Sentries window appears.
Step 5 From the View By drop-down list box, select the desired view. The options are:

Objects - View the available sentries or sentry components including: Sentry Package Logical Units

Users - View the available sentries by the user who created the sentry.

Step 6 Select the sentry you want to view.

The following table describes the Sentry List window:
Table 10-1 Sentry List
Name - Specifies the name of the configured item.
Owner - Specifies the name of the user who created the sentry.
Action - Provides one of the following options: Edit, which allows you to edit the details (you can only edit sentries that you have created); Delete, which allows you to delete the selected item (you can only delete sentries that you have created).
Enabled - Allows you to enable or disable the sentry. To enable the sentry, select the check box. To disable the sentry, clear the check box.

Editing Sentry Details

Note: You must create a sentry using the Sentry Wizard before you can edit it here. For more information, see the STRM Users Guide.
To edit an existing sentry:
Step 1 Click the Admin tab.
The Admin interface appears.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Sentries icon.
The Sentries window appears.
Step 4 From the View By drop-down list box, select Objects.
The Sentry Objects menu tree appears.
Step 5 For the sentry you want to edit, click the edit icon.
The Edit panel appears, showing the parameters available for that sentry type. For example, the Internal - Scanning Activity (High) sentry shows the Security/Policy sentry parameters.


Step 6 Update values for the parameters, as necessary:
a If you are editing a Security/Policy sentry:
Table 10-2 Edit Security/Policy Sentry
Name - Specify a name for this sentry.
Description - Specify a description for this sentry. This description appears as an annotation in the Offenses interface if this sentry results in an offense being generated.
Minimum number of flows before emitting events - Specify the minimum number of flows in which this activity must occur before an event generates.
Delay between emitting events - Specify the number of seconds, after the first occurrence of this event, before the next occurrence of this event can generate. For example, if you set the value to 3, the next event does not generate until three seconds after the first instance of the event.
Maximum emitted events per IP - Specify the maximum number of times you want this event to generate per IP address. For example, if you set the value to 2, only two events generate for any one IP address.
Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
Options - Select the check box if you want this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify whether you want the destination or the source IP address to be used as the target. Note: This option only appears for a Security/Policy sentry.
Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit; to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
QRL - Specifies the details of the current view for this sentry.
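The three emit controls above interact in a way that is easy to misjudge when tuning a noisy sentry: the flow minimum gates the first event, the delay spaces the later ones, and the per-IP cap stops them entirely. The following JavaScript is an added example written for this chapter, not STRM code: it models those controls over a constructed set of flow records so that a setting can be checked before it is deployed. The record field names (source, destination, time in seconds) and the rule that the delay is measured from the previously emitted event are assumptions; STRM's internal flow representation is not documented here.

```javascript
// Added example, not STRM code: a stand-alone model of the three emit
// controls on a Security/Policy sentry (Table 10-2). Flow records and their
// field names ("source", "destination", "time" in seconds) are constructed
// for this example; STRM's internal flow representation is not documented
// on this page.

// settings.targetField models "Address to mark as the target": the per-IP
// counters are keyed on either the source or the destination address.
function createEmitter(settings) {
  const state = new Map(); // target IP -> { flows, emitted, lastEmit }
  return {
    // Returns true if this flow emits an event, false if it is suppressed.
    observe(flow) {
      const target = flow[settings.targetField];
      let s = state.get(target);
      if (!s) {
        s = { flows: 0, emitted: 0, lastEmit: null };
        state.set(target, s);
      }
      s.flows += 1;
      // Minimum number of flows before emitting events.
      if (s.flows < settings.minFlows) return false;
      // Maximum emitted events per IP.
      if (s.emitted >= settings.maxPerIp) return false;
      // Delay between emitting events, measured from the previous emit
      // (assumption; the page describes it relative to the first occurrence).
      if (s.lastEmit !== null && flow.time - s.lastEmit < settings.delaySeconds) {
        return false;
      }
      s.emitted += 1;
      s.lastEmit = flow.time;
      return true;
    },
    // Counters for one target, for inspection after a run.
    stateFor(target) {
      return state.get(target);
    },
  };
}

// Constructed sample: one scanner sending ten flows to 10.0.0.5, one second
// apart, and two flows to 10.0.0.6.
function sampleFlows() {
  const flows = [];
  for (let t = 0; t < 10; t += 1) {
    flows.push({ source: "192.0.2.10", destination: "10.0.0.5", time: t });
  }
  flows.push({ source: "192.0.2.11", destination: "10.0.0.6", time: 4 });
  flows.push({ source: "192.0.2.11", destination: "10.0.0.6", time: 5 });
  return flows;
}

// Runs the sample with the values used in the Table 10-2 examples: three
// flows minimum, a three second delay and at most two events per IP.
// Returns the emitted events in order plus the per-target counters.
function runSample() {
  const emitter = createEmitter({
    targetField: "destination",
    minFlows: 3,
    delaySeconds: 3,
    maxPerIp: 2,
  });
  const emitted = [];
  for (const flow of sampleFlows()) {
    if (emitter.observe(flow)) {
      emitted.push({ target: flow.destination, time: flow.time });
    }
  }
  return {
    emitted,
    scanned: emitter.stateFor("10.0.0.5"),
    quiet: emitter.stateFor("10.0.0.6"),
  };
}
```

With these values the scanned host produces exactly two events (at t=2 and t=5) and then goes silent for the rest of the scan, while the host that only received two flows never crosses the minimum. Raising the per-IP cap, not the delay, is what restores visibility of a long-running scan.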
b If you are editing a Behavior, Anomaly, or Threshold sentry:
Table 10-3 Edit Behavior, Anomaly, or Threshold Sentry
Name - Specify a name for this sentry.
Description - Specify a description for this sentry. This description appears as an annotation in the Offenses interface if this sentry results in an offense being generated.
Minimum activations before alert - Specify the minimum number of intervals in which this activity must occur before an alert generates.
Delay between alerts - Specify the number of intervals, after the first occurrence of this event, before the next occurrence of this event can generate.
Maximum responses per event - Specify the maximum number of times you want this event to generate a response.
Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
Weight - Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system.
Test as group - Select the check box if you want all objects to be added together and tested as one. Clear the check box if you want each object to be evaluated separately.
Restrictions - Select the check box for one or more restrictions you want to enforce for an active sentry:
Date is relevant - Select the check box to indicate that this sentry must consider the date. When selected, date fields appear. Enter the relevant dates you want this sentry to monitor.
Day of week is relevant - Select the check box to indicate that this sentry must consider the day of the week. When selected, day of the week fields appear. Using the drop-down list boxes, select the relevant days you want this sentry to consider.
Time of day is relevant - Select the check box to indicate that this sentry must consider the time of day. When selected, time of day fields appear. Using the drop-down list box, select the time of day you want this sentry to consider.
Permissions - Specify the users you want to allow to edit this sentry.
Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit; to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
Responses - Specify the method by which you want to be notified if this sentry generates an event. The options are:
• Email - Sends event information by e-mail.
• Log - Sends event information to standard syslog on the STRM Console.
QRL - Specifies the details of the current view for this sentry.

Step 7 Edit the variables, as necessary. The list of variables includes all configured values for this sentry; only the variables that apply to this sentry appear. When creating a custom sentry, you can create your own variables.
Table 10-4 Default Variables
$$Base - Specify the weight that you want to assign to the current traffic level against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value. When you configure a sentry, you must enter a value between 0 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Trend - Specify the weight that you want to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. A higher value places more weight on traffic trends than on the calculated behavior. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Season - Specify the weight applied to the seasonal component of the behavior sentry. The range is 1 to 100. This variable is for behavioral sentries. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$SeasonTime - Specify the length of time, in seconds, you want this sentry to consider a season. A season is the cycle of data that STRM uses to predict future data flow. This variable is for behavioral sentries.
$$Scale - Specify the alert sensitivity level. This level indicates how far the measured value may fall outside the predicted values before a violation generates. A value of zero indicates the measured value cannot be outside the predicted value, and a value of 100 indicates the traffic must be more than four times larger than the predicted value. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Counter - Specify the layers you want this sentry to consider. This variable is for all sentry types. The options include: in (bytes in), out (bytes out), pin (packets in), pout (packets out), hlocal (host local), hremote (host remote), plocal (packet local), premote (packet remote), and count. Separate each entry with a colon.
$$AsSet - Specify 0 if you want all objects to be added together and tested as one. Specify 1 if you want each object to be evaluated separately. This variable is for all sentry types. Note: The isTotal parameter of the thresholdCheck function (Table 10-7) is documented with the opposite polarity; confirm which convention your release uses before relying on either.
$$Value - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for all sentry types.
$$Percent - Specify the percentage change in behavior this view must experience before the sentry generates an alert. This variable is for anomaly sentries.
$$SmallWindow - Specify the shorter period of time over which you want the system to monitor flows in your network. The traffic in this window is compared against the large window. If the difference between the large window and small window values exceeds the configured percentage, the sentry generates an alert. This variable is for anomaly sentries.
$$LargeWindow - Specify the extended period of time over which you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period. If the difference between the large window and small window values exceeds the configured percentage, the sentry generates an alert. This variable is for anomaly sentries.
$$Upperbound/$$Lowerbound - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for threshold sentries.
$$AutoLearnTime - Specify the time stamp at which you want the system to stop learning. This variable is for threshold sentries.
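The anomaly and behavioral variables above are easier to size with numbers in hand. The following JavaScript is an added example, not STRM code: it compares a small window against a large window of per-interval counters using $$SmallWindow, $$LargeWindow, $$Percent and an interval size, and maps a decimal $$Scale to the tolerance band the table describes. The series of counters is constructed, the averaging rule and the linear $$Scale mapping between the two documented endpoints are assumptions, and the page does not document STRM's own computation.

```javascript
// Added example, not STRM code: shows how the anomaly-sentry variables
// $$SmallWindow, $$LargeWindow and $$Percent (Table 10-4) combine with an
// interval size, and how a decimal $$Scale maps to a tolerance band for a
// behavioral sentry. The averaging rule, the linear $$Scale mapping and the
// sample series are assumptions made for this example.

// Per-interval counter values for one layer of one object, oldest first.
// Constructed: twelve quiet intervals followed by a three-interval burst.
const SAMPLE_SERIES = [100, 100, 100, 100, 100, 100, 100, 100, 100, 100, 100, 100, 300, 300, 300];

function average(values) {
  return values.reduce((a, b) => a + b, 0) / values.length;
}

// Compares the mean over the most recent small window with the mean over
// the large window that contains it. Window sizes are in seconds and are
// converted to a number of intervals using intervalSize (also seconds).
function activityAnomaly(series, smallWindow, largeWindow, percentRequired, intervalSize) {
  const smallN = Math.floor(smallWindow / intervalSize);
  const largeN = Math.floor(largeWindow / intervalSize);
  if (smallN < 1 || largeN < smallN) {
    throw new Error("window sizes must satisfy 0 < small <= large");
  }
  if (series.length < largeN) {
    // Not enough history yet: the sentry cannot alert until the large
    // window has filled, which is why a freshly deployed anomaly sentry
    // stays quiet for one full large window.
    return { alert: false, percentChange: null, reason: "insufficient history" };
  }
  const largeMean = average(series.slice(-largeN));
  const smallMean = average(series.slice(-smallN));
  let percentChange;
  if (largeMean === 0) {
    percentChange = smallMean === 0 ? 0 : Infinity;
  } else {
    percentChange = ((smallMean - largeMean) / largeMean) * 100;
  }
  // Direction is not specified on the page; both rises and drops count.
  return { alert: Math.abs(percentChange) >= percentRequired, percentChange, reason: null };
}

// $$Scale is entered as 1..100 and displayed as 0.01..1. Table 10-4 fixes
// the two ends: 0 means the measured value may not exceed the prediction at
// all, 1.0 means it may be up to four times larger. A linear mapping
// between those endpoints is assumed here.
function behaviorViolation(predicted, measured, scale) {
  if (scale < 0 || scale > 1) {
    throw new Error("scale must be given in decimal form 0..1");
  }
  const allowed = predicted * (1 + 3 * scale);
  return measured > allowed;
}

// Evaluates the sample with 60 s intervals: a 180 s small window against a
// 900 s large window and a 50% change requirement, once over the burst and
// once over the quiet part of the series alone.
function runSample() {
  return {
    burst: activityAnomaly(SAMPLE_SERIES, 180, 900, 50, 60),
    quiet: activityAnomaly(SAMPLE_SERIES.slice(0, 12), 180, 720, 50, 60),
  };
}
```

Note that the large window includes the burst itself, which drags its mean up and understates the change; for a 15-interval large window the burst still registers as about a 114% rise, but a much longer large window or a shorter burst can sit below $$Percent even when the last few intervals look alarming.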
Step 8 Click Save.
Step 9 Close the Sentries window.
Step 10 From the Admin tab menu, click Deploy Changes.

Managing Packages

Sentries contain packages. You can create packages to reuse with multiple sentries. Using a saved package allows you to apply the same objects to multiple areas of your network. For example, you can create a package to monitor for network misuse and then use that saved package to apply the same objects to all areas of your network. You must apply a package to a sentry through the sentry panel. For more information, see Editing Sentry Details. By default, STRM does not apply these packages; you must apply each package to the appropriate area of your network. This section includes:
• Creating a Sentry Package
• Editing a Sentry Package

Creating a Sentry Package

To create a new sentry package:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Sentries icon.

The Sentries window appears.
Step 4 From the View By drop-down list box, select Objects.

The Sentry Objects menu tree appears.


Step 5 From the menu tree, select Sentry Objects > Packages.

The Package List appears.
Step 6 Click Create New Package.

The Create New Package panel appears.

Step 7 Enter values for the parameters:
Table 10-5 Create Sentry Package Parameters
Name - Specify the name of the sentry package.
Description - Specify a description for the sentry package.
Weight - Specify the relative importance of this package. This determines the ranking of the offense that appears in the Offenses interface.
Components - In the menu tree, select the components you want this package to monitor. The added components appear under the Selected Components column.
Permissions - Specify the users you want to be able to use this package.
Categories - For each event, you must select a high-level and a low-level event category. From the High-Level Category drop-down list box, specify the high-level event category. Once you select the high-level event category, the appropriate low-level event categories appear. Using the Low-Level Category drop-down list box, select the low-level event category you want to apply to this event. Note: For detailed information on high-level and low-level event categories, see the Event Category Correlation Reference Guide.
Logic Unit - Using the drop-down list box, select the Logic Unit you want to apply to this package. To edit an existing Logic Unit, click Edit; to create a new Logic Unit, click Create New. For more information on Logic Units, see Managing Logic Units.
Variable Defaults - Specifies the variable default values for this sentry package. These values are overwritten by variables of the same name in the sentry.

Step 8 Click Save.

Editing a Sentry Package

To edit an existing sentry package:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Sentries icon.

The Sentries window appears.
Step 4 From the View By drop-down list box, select Objects.

The Sentry Objects menu tree appears.
Step 5 From the menu tree, select Sentry Objects > Packages.

The Package List appears.
Step 6 For the package you want to edit, click the edit icon.

The Edit panel appears.


Step 7 Update parameters (see Table 10-5), as necessary.
Step 8 Click Save.

Managing Logic Units

A Logic Unit determines whether a violation has occurred and whether an alert needs to be generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior. You can use Logic Units to create custom sentries. You must apply a Logic Unit to a package through the package panel. For more information, see Managing Packages. This section includes:
• Creating a Logic Unit
• Editing a Logic Unit

Creating a Logic Unit

To create a Logic Unit:
Step 1 Click the Admin tab.
The Admin interface appears.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.
Step 3 Click the Sentries icon.

The Sentries window appears.
Step 4 From the View By drop-down list box, select Objects.

The Sentry Objects menu tree appears.
Step 5 From the menu tree, select Sentry Objects > Logic Units.

The Logic Unit List appears.

Step 6 Click Create New Logic Unit.

The Create New Logic Unit panel appears.

Step 7 Enter values for the parameters:

Table 10-6 Create New Logic Unit Parameters
Name - Specify a name for this Logic Unit.
Description - Specify a description for this Logic Unit.

Step 8 Create your own equation in the Equation field using JavaScript code. The entry must use the following format:

    var testObj = new CustomFunction( $$Counter, other_custom_vars);
    function test() { return testObj.test(); }

Here CustomFunction stands for one of the functions listed below, and the $$ variables are substituted from the Package and sentry variables before the equation runs. You can use all the functions available in JavaScript as well as the following functions:


Table 10-7 JavaScript Functions
thresholdCheck - Monitors policy and threshold objects. By default, this function monitors each object separately. If you want to test objects as a group, you must set the isTotal value. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• funcT - Instance of a comparison object, including above, greatThanEq, below, lessThanEq, Eq, notEq, and range.
• isTotal - Set this value to 0 if you want to test objects separately. Set this value to 1 if you want to test all objects as a group.
• time - Indicates the time at which to make the comparison. If no time is supplied, the current time is used.
learnPolicy - During the learning period, this function selects only objects that carried no traffic. The sentry then generates an alert on those objects. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• lockTime - Indicates the time at which you want to stop the learning process.
activityAnomaly - Detects changes in the activity level for the selected databases. This function includes:
• largewindowsize - Specifies the time range for the large observation window.
• smallwindowsize - Specifies the time range for the small observation window.
• percentrequired - Specifies the percentage change required before the sentry generates an alert.
• layer - Specifies the layer you want to monitor.
• type - Specifies whether the test objects are tested as a group.
• intervalsize - Specifies the interval size, in seconds.
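The following JavaScript is an added example, not STRM code or a Logic Unit shipped with the product: a complete Logic Unit in the Step 8 format, using thresholdCheck with the above comparison object and the $$Counter and $$Value variables from Table 10-4. Because thresholdCheck and the comparison objects are supplied by the STRM engine and their internals are not documented here, the example includes a stand-in implementation that follows only the parameters listed in Table 10-7; the object counters are constructed, and the choice to return the names of violating objects from test() is an assumption. Inside STRM you would paste only the `var testObj ...` and `function test() ...` lines into the Equation field; the engine substitutes the $$ variables itself.

```javascript
// Added example, not STRM code: a complete Logic Unit in the documented
// shape, plus a stand-in thresholdCheck and comparison objects so that it
// runs outside STRM. The engine normally supplies these and substitutes the
// $$ variables; their internals are not documented on this page, so this
// stand-in is an assumption that follows only the documented parameters.

// Constructed sample: current-interval counters per view object and layer.
const SAMPLE_OBJECTS = {
  "10.0.1.0/24": { in: 800, out: 300, pin: 40, pout: 25 },
  "10.0.2.0/24": { in: 120, out: 90, pin: 10, pout: 8 },
  "10.0.3.0/24": { in: 700, out: 650, pin: 35, pout: 30 },
};

// Comparison objects named as in Table 10-7 (spelling kept as documented).
function above(v) { return { test: (x) => x > v }; }
function greatThanEq(v) { return { test: (x) => x >= v }; }
function below(v) { return { test: (x) => x < v }; }
function lessThanEq(v) { return { test: (x) => x <= v }; }
function Eq(v) { return { test: (x) => x === v }; }
function notEq(v) { return { test: (x) => x !== v }; }
function range(lo, hi) { return { test: (x) => x >= lo && x <= hi }; }

// Stand-in for thresholdCheck(components, funcT, isTotal, time).
// components: colon-separated layer names, e.g. "in:out"; the selected
// layers are summed per object. isTotal: 0 tests each object separately,
// 1 tests the group total. time is accepted but ignored here: the engine
// uses it to select the interval, and this stand-in holds one interval.
// test() returns the names of the objects in violation, so an empty array
// means no alert (assumption: the page does not state the return type).
function thresholdCheck(components, funcT, isTotal, time) {
  const layers = components.split(":");
  this.test = function () {
    const perObject = Object.entries(SAMPLE_OBJECTS).map(([name, counters]) => ({
      name,
      value: layers.reduce((sum, layer) => sum + (counters[layer] || 0), 0),
    }));
    if (isTotal === 1) {
      const total = perObject.reduce((sum, o) => sum + o.value, 0);
      return funcT.test(total) ? ["group:" + total] : [];
    }
    return perObject.filter((o) => funcT.test(o.value)).map((o) => o.name);
  };
}

// Values STRM would substitute from the Package / sentry variables.
var $$Counter = "in:out";
var $$Value = 1000;

// The Logic Unit itself, in the Step 8 format. Caveat: Table 10-4 documents
// $$AsSet with the opposite polarity to isTotal (0 = group, 1 = separate),
// so pass isTotal explicitly rather than $$AsSet until you have confirmed
// which convention your release uses.
var testObj = new thresholdCheck($$Counter, above($$Value), 0);
function test() { return testObj.test(); }

// The same threshold applied to the group total instead of per object.
function testAsGroup() {
  return new thresholdCheck($$Counter, above($$Value), 1).test();
}
```

Per object, the in:out sums are 1100, 210 and 1350, so test() flags the first and third subnets; as a group the total of 2660 exceeds the same threshold once. A threshold that is sensible per object is usually far too low for the group total, which is the practical reason to decide the grouping before choosing $$Value.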

Step 9 Click Share Logic to access the Select Users window. This window allows you to specify the users with whom you want to share this Logic Unit.
Step 10 Click Save.

Editing a Logic Unit

To edit a Logic Unit:
Step 1 Click the Admin tab.
The Admin interface appears.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.


Step 3 Click the Sentries icon.

The Sentries window appears.
Step 4 From the View By drop-down list box, select Objects.

The Sentry Objects menu tree appears.
Step 5 From the menu tree, select Sentry Objects > Logic Units.

The Logic Unit List appears.
Step 6 For the Logic Unit you want to edit, click the edit icon.

The Edit panel appears.

Step 7 Update parameters, as necessary.
Step 8 Click Save.

11 MANAGING VIEWS

You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n levels of depth, specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels. You can also create Custom Views to display the types of traffic you want to identify, monitor, and be alerted to when specific flows appear across your network. This chapter includes:
• Using STRM Views
• Managing Ports View
• Managing Application Views
• Managing Remote Networks View
• Managing Remote Services Views
• Managing Collector Views
• Managing Custom Views
• Enabling and Disabling Views
• Using Best Practices

Using STRM Views

This section provides information regarding views including:
• About Views
• About Global Views
• Defining Unique Objects

About Views

STRM includes default views that capture and display your network activity. Each view filters traffic and displays the data from a different perspective. You can configure views with an identifiable color scheme. Each color appearing on your graph represents activity taking place on your network, and each color is also displayed in the dynamic legend beside the graph. Point your mouse at a color on the legend to identify the traffic type.


Each view is assigned a weight. Configured for traffic alerting purposes, weight is the numeric value assigned to a flow property. STRM adds the view weight to the sentry flow property weight and uses the sum to rank events. An alert may be signalled when STRM interprets the combination of the numerical weight values. For more information on weights, see Chapter 10 Managing Sentries. A view is a property of flows divided into the following:
• Group - A collection of objects configured to display the network data that appears on the graphs in a specific view.
• Object - Assigned flow properties configured to identify specific traffic.
• Layer - Property used to count traffic.
You can create a Custom View to identify more complex traffic patterns. You must configure Custom Views with equations that identify your network activity and match the properties built into an equation. You can create Custom Views to:
• Identify protocol misuse from any geographic location.
• Identify traffic from partner sites using applications you have deemed out-of-policy.
• Create an alternate network hierarchy.
You can also use equations to identify network traffic flows. When traffic flows match the assigned property-set, STRM identifies and displays the traffic on the graphs, enabling you to monitor and investigate the activity. An equation is constructed from the following:
• Objects - Network objects that are currently present on your network. When choosing an object, you can select the network object, or any one of the leaf nodes that is associated with the object. The selected object (or leaf node) becomes part of an equation.
• Elements - Tests of specific flow properties, such as an IP address, protocol, or byte count. These specify the criteria that a traffic flow must match. Traffic flows matching the assigned criteria are displayed when viewing the Custom View on the STRM graphs.

About Global Views

You can access Global Views using the Global Views menu option in the Network Surveillance interface. Configurable Global Views include:
• Local Networks View - Displays traffic by network objects.
• Ports View - Displays traffic by identified destination ports.
• Applications View - Displays traffic originating from the application layer by the client connection and the server connection.
• Remote Networks View - Displays user-defined traffic originating from named remote networks.


• Remote Services View - Displays traffic originating from user-defined network ranges or, if desired, the Juniper Networks automatic update server.
• Collector View - Displays traffic seen by each Flow Collector.
• Protocol View - Displays traffic by protocol usage.
Note: For more information on default groups and objects, see the STRM Default Application Configuration Guide.
You can edit several Global Views by adding objects to existing groups or changing pre-existing properties to suit your environment. The STRM interface does not allow you to configure Geographic Views (see the Changing Geographic Views Technical Note) or Protocol Views. Contact Juniper Networks customer support for assistance.
Caution: You cannot move an existing object to another group. If you select a new group and click Add Group, the object name moves from the existing group to the newly selected group; however, when the configuration changes are deployed, the object data stored in the database is lost and the object ceases to function. You must instead create a new view and recreate the object in the other group.
Defining Unique Objects
Some groups within views include objects that are unique to specific views. For example, InverseIsKnown is unique to the Ports View. This group captures the server traffic when displaying the client view, and displays client traffic when displaying the server view. Some groups within views, such as superflows, are for informational purposes only and cannot be edited. However, you can create a Custom View based on an existing view and configure the Custom View properties to resemble the groups that cannot be edited. For more information, see Managing Custom Views. Unique groups include:
• InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
• Other - Specifies traffic that does not match a property-set or is not defined in the configuration. Traffic that is classified as Other may be used to capture miscellaneous traffic.
• Unknown - Specifies traffic that is unidentifiable.
• Superflows - Specifies traffic that has been grouped into superflows, where one superflow is a group of aggregate flows that have a number of similar properties.
• Known_to_client_or_server - Similar to InverseIsKnown. When viewing client data, this group represents the server data. When viewing server data, this group represents the client data.


Managing Ports View

The Ports View displays traffic by identified destination port. This section provides information on managing the Ports View including:
• Default Ports Views
• Adding a Ports Object
• Editing a Ports Object

Default Ports Views

The Ports View includes the following default groups:
Table 11-1 Ports Views
InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
MailPorts - Specifies e-mail traffic flows originating from each mail port.
Superflows - This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar pre-determined set of elements.
TargetedPorts - Specifies traffic flows destined for specific ports.
UnnamedPorts - Specifies traffic flows not destined for a specific port.
WebPorts - Specifies traffic flows destined for the port assigned for Internet traffic.
p2pports - Specifies traffic flows to and from ports assigned for Peer-to-Peer (P2P) traffic within your network.

Adding a Ports Object

To add a ports object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Ports icon.

The Manage Group window appears.
Step 4 Click Add.

The Add New Object window appears.


Step 5 Enter values for the following parameters:
Table 11-2 Ports - Add New Object Parameters
Group - Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name - Specify the object name.
Weight - Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Ports - Specify the port number for the object or use the arrows to change the existing numeric value. Click Add.
Description - Specify a description for this object.
Color - Specify a color for this object. Enter the RGB hexadecimal value or click Select Color to access the color palette.
Database Length - Using the drop-down list box, select the database length.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Ports View window.
Step 9 From the Admin tab menu, click Deploy Changes.

All changes are deployed.


Editing a Ports Object

To edit an existing object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Ports icon.
The Manage Group window appears.
Table 11-3 Manage Group
Name - Specifies the name assigned to the object.
Weight - Specifies the weight assigned to the object.
Color - Specifies the color displayed when viewed on the graphs.
Actions - Specifies the action available for each group: Open object properties window.
Step 4 Click the group you want to edit.
The Manage Group window for that group appears.
Table 11-4 Manage Group
Name - Specifies the name assigned to the object.
Value - Specifies the ports assigned to this object.
Weight - Specifies the weight assigned to the object.
Color - Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions - Specifies the actions available for each object: Edit view properties; Delete object.

Step 5 From the Manage Group table, or from the tree menu, click the name of the object you want to edit.
The Properties window appears.


Step 6 Edit values as necessary. See Table 11-2.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Ports View window.
Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Managing Application Views

The Application View displays traffic originating from the application server by the client connection and the server connection. Using the Application View, you can view traffic by application identification. This section provides information on managing Application Views including:
• Default Application Views
• Adding an Applications Object
• Editing an Applications Object

Default Application Views

The Application View includes the following default groups:
Table 11-5 Application Views
Chat - Specifies traffic originating from chat sources, such as AOL, ICQ, IRC, MISN, and MSN.
ClientServer - Specifies traffic originating from client-server applications such as Meeting Maker, NetIQ, FIX, MATIP, or CVSup.
ContentDelivery - Specifies traffic originating from content delivery applications, such as EntryPoint, BackWeb, or Webshots.


Table 11-5 Application Views (continued)
DataTransfer - Specifies traffic originating from common file/data transfer protocols, such as FTP, Misc-Transfer-Ports, NFS, NNTPNews, TFTP, WindowsFileSharing, WindowsNetworkPorts, and XFER.
DataWarehousing - Specifies traffic originating from database applications.
DirectoryServices - Specifies traffic originating from directory services, such as WINS, CRS, or RRP.
FilePrint - Specifies traffic originating from file and print applications, such as a printer or IPP.
Games - Specifies traffic originating from game applications, such as Doom, Quake, Half-Life, or Kali.
Healthcare - Specifies traffic originating from health care related applications, such as DICOM or HL7.
InnerSystem - Specifies traffic originating from the STRM application, such as Common Ports, Flowgen, and UpdateDaemon.
InternetProtocol - Specifies traffic originating from Internet protocol related applications, such as ActiveX or SOAP-HTTP.
Known_to_client_or_server - When viewing client data, this group captures the server data. When viewing server data, this group captures the client data.
Legacy - Specifies traffic originating from legacy applications, such as SNA, LAT, FNA, or SLP.
Mail - Specifies all traffic originating from e-mail applications, such as ESMTP, IMAP, MISC-MAIL-Port, POP, POP-Port, SMTP, and SMTP-Port.
Misc - Specifies identified miscellaneous application traffic, such as Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia - Specifies traffic originating from multimedia applications, such as WebEx, video frames, or Intellex.
NetworkManagement - Specifies traffic originating from network management applications, such as ICMP, SMS, NetFlow, or flow records.
No_Detect_Attempt - Specifies traffic that is void of content within a packet.
P2P - Specifies traffic originating from Peer-to-Peer (P2P) applications, such as BitTorrent, Blubster, Common P2P Port, DirectConnect, Gnutella, Kazaa, LimeWire, OpenNap, Peerenabler, Piolet, and eDonkey.
Remote Access - Specifies traffic originating from applications accessed remotely, such as CitrixICA, PCAnywhere, SSH, SSH Ports, Telnet, Telnet-Port, and VNC.
RoutingProtocols - Specifies traffic originating from routing protocols, such as RIP, ICMP, ICP, or AURP.

STRM Administration Guide

Managing Application Views

175

Table 11-5 Application Views (continued)

Sub-Component SecurityProtocol Streaming

Description Specifies traffic originating from security protocols, such as SOCKS, L2TP, SWIPE, or DPA. Specifies traffic originating from streaming applications, such as MicrosoftMediaServer, StreamingAudio, and WindowsMediaPlayer. Specifies pre-defined flows classed as Unknown traffic. Specifies traffic originating from Voice over IP (VoIP) applications, such as Skype, I-Phone, SIP, or Clarent-CC. Specifies traffic originating from web applications, such as HTTP, JAVA, SecureWeb, WebFile, WebMedia, and Web Port.

Unknown_apps VoIP Web

Note: The default views are automatically updated with the Automatic Update function. For more information regarding automatic updates, see Scheduling Automatic Updates.

Adding an Applications Object

To add an applications object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Application icon.
Step 4 Click Add.

The Add New Object window appears.


Step 5 Enter values for the following parameters:

Table 11-6 Applications - Add New Object Parameters

Parameter: Description
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
AppsIDs: Specify the application ID for the object or use the arrows to change the existing numeric value. Click Add. Note: The application identification must be defined in the mapping file before adding it to this object. For more information on the mapping file, see the STRM Default Application Configuration Guide.
Description: Specify a description for this object.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 6 Click Save.

Step 7 Click Return.
Step 8 Close the Applications View window.
Step 9 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Editing an Applications Object

To edit an applications object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Applications icon.

The Manage Group window appears.


Table 11-7 Manage Group

Parameter: Description
Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 4 Click the group you want to display.

The Manage Group window appears.
Table 11-8 Manage Group

Parameter: Description
Name: Specifies the group name.
Value: Specifies application IDs assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 5 Click the name of the object you want to edit.

The Properties window appears.


Step 6 Edit values as necessary, see Table 11-6.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Applications View window.
Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Managing Remote Networks View

The Remote Networks View displays user traffic originating from named remote networks. Using the Remote Networks View, you can view traffic by known remote networks. This section provides information on managing the Remote Networks View including:
• Default Remote Networks Views
• Adding a Remote Networks Object
• Editing a Remote Networks Object

Default Remote Networks Views

Remote Networks includes the following default groups:
Table 11-9 Remote Networks Views

Parameter: Description
BOT: Specifies traffic originating from BOT applications.
Bogon: Specifies traffic originating from un-assigned IP addresses. Note: Bogon reference: http://www.team-cymru.org/Services/Bogons/
HostileNets: Specifies the traffic originating from known hostile networks. HostileNets has a set of 20 (Rank 1 to 20 inclusive) configurable CIDR ranges.
Neighbours: This group is blank by default. You must configure this group to classify traffic originating from neighboring networks.
Superflows: This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar predetermined set of elements.
TrustedNetworks: This group is blank by default. You must configure this group to classify traffic originating from trusted networks.

Note: Groups and objects that include superflows are for informational purposes only and cannot be edited. Groups and objects that include bogons are configured by the Automatic Update function.

Adding a Remote Networks Object

To add a Remote Networks object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Remote Networks icon.
Step 4 Click Add.

The Add New Object window appears.


Step 5 Enter values for the following parameters:

Table 11-10 Remote Networks - Add New Object Parameters

Parameter: Description
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s): Specify the IP address or CIDR range for the object. Click Add.
Description: Specify a description for the object.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 6 Click Save.

Step 7 Click Return.
Step 8 Close the Remote Networks View window.
Step 9 From the Admin tab menu, click Deploy Changes.

All changes are deployed.


Editing a Remote Networks Object

To edit an existing Remote Networks object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Remote Networks icon.

The Manage Group window appears.
Table 11-11 Manage Group

Parameter: Description
Name: Specifies the name assigned to the view.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 4 Click the group you want to display.

The Manage Group window appears.
Table 11-12 Manage Group

Parameter: Description
Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 5 Click the object you want to edit.

The Properties window appears.


Step 6 Edit values as necessary. See Table 11-10.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Remote Networks View window.
Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Managing Remote Services Views

The Remote Services View displays traffic originating from user-defined network ranges or, if desired, the Juniper Networks automatic update server. Using the Remote Services Views, you can view remote service providers. This section provides information on managing the Remote Services Views including:
• Default Remote Services Views
• Adding a Remote Services Object
• Editing a Remote Services Object

Default Remote Services Views

Remote Services view includes the following default groups:
Table 11-13 Remote Services - Manage Group Parameters

Parameter: Description
IRC_Servers: Specifies traffic originating from addresses commonly known to produce superflows.
Porn: Specifies traffic originating from addresses commonly known to contain explicit pornographic material.
Proxies: Specifies traffic originating from commonly known open proxy servers.
Reserved_IP_Ranges: Specifies traffic originating from reserved IP address ranges.
Spam: Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail.
Spy_Adware: Specifies traffic originating from addresses commonly known to contain spyware or adware.
Superflows: Specifies traffic originating from addresses commonly known to produce superflows.
Warez: Specifies traffic originating from addresses commonly known to contain pirated software.

Adding a Remote Services Object

To add a Remote Services Object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Remote Services icon.

The Manage Group window appears.
Step 4 Click Add.

The Add New Object window appears.

Step 5 Enter values for the following parameters:


Table 11-14 Remote Services - Add New Object Parameters

Parameter: Description
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s): Specify the IP address/CIDR range for the object. Click Add.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 6 Click Save.

Step 7 Click Return.
Step 8 Close the Applications View window.
Step 9 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Editing a Remote Services Object

To edit an existing Remote Services object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Remote Services icon.

The Manage Group window appears.
Table 11-15 Manage Group

Parameter: Description
Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group: Open view properties window.


Step 4 Click the group you want to display.

The Manage Group window appears.
Table 11-16 Manage Group

Parameter: Description
Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 5 Click the object you want to edit.

The Properties window appears.

Step 6 Edit values as necessary. See Table 11-14.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Remote Services View window.
Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Managing Collector Views

The Collector View displays traffic seen from the Flow Collector and provides the AllCollectors group. This group specifies the traffic originating from all Flow Collectors that reside on your network. This section provides information on configuring the Flow Collector view including:
• Adding a Flow Collector Object
• Editing a Flow Collector Object

Adding a Flow Collector Object

To add a Flow Collector object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Collector icon.
Step 4 Click Add.

The Add New Object window appears.

Step 5 Enter values for the following parameters:

Table 11-17 Add New Object Parameters

Parameter: Description
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Collector ID: Using the drop-down list box, select the Flow Collector you want to use as the source.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 6 Click Save.

Step 7 Click Return.
Step 8 Close the Collector View window.
Step 9 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Editing a Flow Collector Object

To edit an existing Flow Collector object:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Collector icon.

The Manage Group window appears.
Table 11-18 Manage Group

Parameter: Description
Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group: Open view properties window.

Step 4 Click the group you want to display.


The Manage Group window appears.
Table 11-19 Manage Group

Parameter: Description
Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 5 Click the object you want to edit.

The Properties window appears.

Step 6 Edit values as necessary. See Table 11-17.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Collector View window.
Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.


Managing Custom Views

Custom Views uniquely identify specific traffic flows, such as SSH traffic on a non-standard port or traffic originating from another country. Each Custom View object must be configured with an equation, which creates a set of properties that applies a filter for each network flow. Custom Views provide you with several advantages. For example, you can use Custom Views for the following scenarios:
• Define a view to isolate and display traffic relevant to your enterprise.
• Rebuild any default view and configure it to suit your enterprise.
• Use a view to remap data in different ways.
• Use a view for an alternate network hierarchy.
• Apply Other traffic in a view for reporting purposes.
• Apply Boolean logic in the Equation Editor when creating a view. The Classification Engine can interpret the view information as RPN.
• Build a Custom View object to detect the following sequence: Src (source) sends a Syn (synchronize) packet to a Dst (destination). Dst (destination) sends back an Ack (acknowledge) packet. Src (source) sends a Syn-Ack (synchronize-acknowledge) or a Syn-Rst (synchronize-reset) packet to the Dst (destination).
• The initial packet cannot have an empty payload.

This section provides information on creating and configuring Custom Views including:
• About Custom Views
• Editing Custom Views
• Editing the Operators
• Editing the Equation

About Custom Views

Custom Views includes the following default groups:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source
• ASN Destination
• IFIndex In
• IFIndex Out
• QoS
• FlowShape

The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis, and Policy Violations groups depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Enterprise Template Defaults.
• University Template - See University Template Defaults.

STRM detects the ASN and IFIndex values from network flows. When STRM detects ASN or IFIndex values in a flow, STRM creates a new object in the respective group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group. However, for STRM to detect and create objects for ASN and IFIndex values in a flow, you must enable the respective views. For more information on enabling views, see Enabling and Disabling Views.

STRM also detects Quality of Service (QoS) values from your network flows. QoS provides priority for traffic, enabling your network to provide various levels of service for flows. QoS provides the following basic levels of service:
• Best Effort - This level of service does not guarantee delivery. The delivery of the flow is considered best effort.
• Differentiated Service - Certain flows are granted priority over other flows. This priority is granted by classification of traffic.
• Guaranteed Service - This level of service guarantees the reservation of network resources for certain flows.

To create Custom Views:
Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Custom Views icon.

The Manage Group window appears.
Step 4 Click Create New View.

The Properties window appears.


Step 5 Enter values for the following parameters:

Table 11-20 Custom View - Properties for New View: Staging/Globalconfig

Parameter: Description
Name: Specify a name for the new view.
Description: Specify a description for the new view.

Step 6 Click Save.

The Custom View Management window appears.

Step 7 Click Return.

Step 8 From the Manage Group Window, select the view and click Add Equation.

The Properties window appears.


Step 9 Enter values for the following parameters:

Table 11-21 Properties Views

Parameter: Description
Group: Using the drop-down list box, select the group you want to add the object to. Click Add Group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.
Equation: Click Equation Editor to specify your equation for this object.

Step 10 Click Equation Editor.

The Equation Editor window appears.

Step 11 From the Objects box, select the view you want to assign.

Step 12 From the Elements panel, select an element and enter the parameter values to configure the element. See Table 11-22.

The element is assigned to the selected object. This creates the first instance on the Equation Editor.
Step 13 Select another object from the Objects box and assign an associated element.

By default, the objects are joined with the AND operator.
Step 14 Continue selecting the objects and assigning elements until you have completed your equation. Click Save.

Note: If you want to calculate two values before STRM adds the next consecutive object, insert brackets around the values. For more information on operators, see Editing the Operators. Your equation should resemble this example:

Table 11-22 Element Options

Count Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (source), Dst (destination), Local, Remote, and Total. Note: When ports are counted, the number of unique destination ports is returned.
Parameter: Using the drop-down list box, select the parameter you are testing. Options include: Bytes, Packets, and ContentLength.
Test: Using the drop-down list box, select how to test the numeric value. Options include: Above, Below, and Equals.
Value: Enter a numeric value for the option you have selected: the number of bytes, number of packets, or the content length. This value is based on a flow stats record reported in a single interval. Using the drop-down list box, select the byte size unit of measurement. Options include: K (kilobyte), M (megabyte), G (gigabyte), and T (terabyte). Click Add.

Protocol Element Type
Name: Specify the element name.
Protocol: Specify the protocol identification number. You must enter the protocol number and not the name. Click Add. Note: For a list of default protocol identification numbers, see the STRM Default Application Configuration Guide.

Super Flow Count Element Type
Name: Specify the element name.
Unit: Using the drop-down list box, select the element unit. Options include: Hosts and Ports.
Test: Using the drop-down list box, select how to test the numeric Super Flow Count value. Options include: Above, Below, and Equals.
Value: Enter the number of hosts or ports. Click Add.

Flow Stat Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Unit: Using the drop-down list box, select the element unit. The unit is specific to the stats record in one interval. Options include: BytesPacketRatio, PacketArrivalRate, ByteArrivalRate, ByteRatio, and PacketRatio.
Test: Using the drop-down list box, select how to test the numeric Flow Stat value. Options include: Above, Below, and Equals.
Value: Specify the numeric value of unit measurements. Click Add.

Content Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total. Note: Only the content that is captured is counted.
Value: Enter the content string. Click Add.

Flags Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value: Enter the character that represents the TCP/IP flags element type you want to add. STRM accepts the following:
• A, ACK (Acknowledge) - Receiver sends an acknowledgement that equals the sender's sequence.
• S, SYN (Synchronize) - Agreement on sequence numbers during session setup. Sequence numbers are random.
• F, FIN (Finish) - Sender has no more data to send.
• R, RST (Reset) - Instantaneous abort in both directions. This is an abnormal session disconnection.
• P, PSH (Push) - Forces data delivery without waiting for buffers to fill. The data will also be delivered to the application on the receiving end without buffering.
• U, URG (Urgent) - Indicates the packet data should be processed as soon as possible.
• 7 - Illegal flag that represents the seventh bit of the TCP flag field. Typically, this flag is not used in normal operations and may be used by malicious users.
• 8 - Illegal flag that represents the eighth bit of the TCP flag field. Typically, this flag is not used in normal operations and may be used by malicious users.
Click Add. Note: The order in which you enter the TCP/IP flags is not important; however, when viewing content capture, STRM displays the flags in the following order: FSRPAU78

Flow Properties Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the flow property. Options include:
• ClassL2L - Traffic between two local objects on your network.
• ClassL2R - Traffic between one local object and one remote object.
• ClassOther - Traffic between hosts not defined in your network.
• SuperFlow - Flow of traffic that is an aggregate of a number of flows that have a similar predetermined set of elements, such as protocol, source bytes, source packets, source host, or destination network. In some cases, other properties may be similar, such as destination ports, TCP/IP flags, ICMP types, and code; however, the destination hosts can differ.
• SuperFlowTypeA - SuperFlow identified as one host destined to many hosts.
• SuperFlowTypeB - SuperFlow identified as many hosts destined to one host.
• SuperFlowTypeC - SuperFlow identified as one host to one host.
• StealthPorts - Traffic located outside the normal application ports.
• SrcLocal - Traffic originating from a local source.
• DstLocal - Traffic originating from a remote network destined for your network.
• NoAppDetect - Traffic with zero application detection, which may be caused by not enough payload, or traffic originating from ICMP messages.
• UnknownApp - Non-defined application traffic.
• FlowShapeInOnly - Traffic or flows destined into the network (from the Flowtype View).
• FlowShapeOutOnly - Traffic or flows destined out from the network (from the Flowtype View).
Click Add.

Port Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value: Specify the port number. Click Add.

CIDR Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value: Enter the IP address or CIDR range. Click Add.

Application ID Element Type
Name: Specify the element name.
Value: Specify the application identification number. Click Add.

Collector Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the element property. Options include: CollectorID and CollectorInterface.
Value: Specify the user-defined Flow Collector Identification or Collector Interface name. Click Add.

Date Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select when to test the value. Options include: After and Before.
Value: Click the Calendar icon and select a date. Click Add. The default value is the current date.

Time Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select when to test the value. Options include: After and Before.
Value: Using the drop-down list box, select the hour and minutes. Click Add.

Day Element Type
Name: Specify the element name.
Type: Using the drop-down list box, select the amount of time. Options include: Week and Month.
Value: Specify the day of the week or enter the month. Click Add.

Flow Length Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select how to test the numeric Flow Length value based on a single flow stat record. Options include: Above, Below, and Equals.
Value: Specify the numeric value for the precise flow length. Click Add.

ICMP Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the ICMP Type property. Options include: Type and Code.
Value: Specify the numeric value for the ICMP Type or Code. Click Add. Note: For a list of STRM default ICMP Types or Codes, see the STRM Default Application Configuration Guide; or for a reference on the current RFC standards, go to: http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html

Flow Context Property
Name: Specify the element name.
Property: Using the drop-down list box, select the flow text property. Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst, AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal, TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent, and AfterEvent. Click Add.

Flow Context Target Port
Name: Specify the element name.
Port: Specify the port number. Click Add.

Interface Index (ifIndex)
Name: Specify the element name.
Direction: Specifies the direction of the traffic. The options are Input or Output.
Value: Specify the numeric value for the ifIndex. Click Add.

Quality of Service
Name: Specify the element name.
Side: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, or Remote.
Field: Using the drop-down list box, select the Quality of Service (QoS) field you want to test. Options include: IP_Precedence, Type of Service (TOS), Differentiated Service Code Point (DSCP), or Explicit Congestion Notification (ECN).
Test: Using the drop-down list box, select how to test the QoS value. Options include: Above, Below, and Equals.
Value: Specify the numeric value for the QoS. Click Add.
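The SuperFlow property in Table 11-22 describes an aggregate of flows sharing a predetermined set of elements, split into TypeA (one host to many), TypeB (many hosts to one) and TypeC (one host to one). The following Python is an added example, not the guide's or STRM's own code: it applies those definitions to constructed flow records using its own heuristic (the shared signature is protocol, source bytes and source packets, and an aggregate needs at least three flows), both of which are assumptions.

```python
from collections import defaultdict, namedtuple
from typing import Callable, List, Optional, Tuple

# Constructed flow record: only the elements the heuristic below compares.
Flow = namedtuple("Flow", "proto src dst dst_port src_bytes src_packets")


def signature(f: Flow) -> Tuple[int, int, int]:
    """Elements that must be similar for flows to aggregate into one superflow.

    The guide names protocol, source bytes and source packets among them;
    using exactly these three is this example's assumption.
    """
    return (f.proto, f.src_bytes, f.src_packets)


def classify_superflows(flows: List[Flow], min_flows: int = 3) -> List[Tuple[str, tuple, List[Flow]]]:
    """Aggregate similar flows and label each aggregate TypeA, TypeB or TypeC.

    Heuristic (this example's, not STRM's algorithm), applied in order so a
    flow is claimed by one type only:
      TypeC: >= min_flows similar flows between one src host and one dst host
      TypeA: one src host with similar flows to >= min_flows distinct dst hosts
      TypeB: >= min_flows distinct src hosts with similar flows to one dst host
    """
    remaining = list(flows)
    result: List[Tuple[str, tuple, List[Flow]]] = []

    def take(kind: str, key: Callable[[Flow], tuple],
             distinct: Optional[Callable[[Flow], str]]) -> None:
        nonlocal remaining
        groups = defaultdict(list)
        for f in remaining:
            groups[key(f)].append(f)
        kept = []
        for k, members in groups.items():
            # TypeC counts repeated flows; TypeA/TypeB count distinct far-end hosts
            size = len({distinct(f) for f in members}) if distinct else len(members)
            if size >= min_flows:
                result.append((kind, k, members))
            else:
                kept.extend(members)
        remaining = kept

    take("SuperFlowTypeC", lambda f: (signature(f), f.src, f.dst), None)
    take("SuperFlowTypeA", lambda f: (signature(f), f.src), lambda f: f.dst)
    take("SuperFlowTypeB", lambda f: (signature(f), f.dst), lambda f: f.src)
    return result


def summarize(flows: List[Flow]) -> List[Tuple[str, int]]:
    """(type, number of member flows) per superflow, sorted for stable comparison."""
    return sorted((kind, len(members)) for kind, _, members in classify_superflows(flows))


SAMPLE_FLOWS = (  # constructed records
    # one host probing TCP/445 on ten hosts with identical one-packet, 48-byte flows
    [Flow(6, "10.0.0.5", f"10.0.1.{i}", 445, 48, 1) for i in range(1, 11)]
    # six outside hosts sending identical flows at one web server
    + [Flow(6, f"198.51.100.{i}", "10.0.0.80", 80, 60, 1) for i in range(1, 7)]
    # one host repeatedly querying one resolver with identical flows
    + [Flow(17, "10.0.0.7", "10.0.0.53", 53, 70, 1) for _ in range(4)]
    # ordinary, dissimilar traffic that should not aggregate
    + [Flow(6, "10.0.0.8", "203.0.113.9", 443, 5120, 12),
       Flow(6, "10.0.0.8", "203.0.113.10", 443, 9001, 30)]
)

if __name__ == "__main__":
    for kind, key, members in classify_superflows(SAMPLE_FLOWS):
        print(kind, key, len(members), "flows")
```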

Editing Custom Views

To edit Custom Views:

Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Custom Views

icon.

The Manage Group window appears.
Step 4 Click the group <Name> or access the group from the navigation menu.

The Manage window appears.
Step 5 Click the object name to edit the object properties.


The Properties window appears.

Step 6 Edit the necessary parameters, see Table 11-22. Step 7 Click Save. Step 8 Click Return. Step 9 Close the Custom View window. Step 10 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Editing the Equation

You can change how an equation is calculated. The Drop Area of the Equation Editor features a drag and drop method of changing how the equation is calculated. To edit the equation using the same objects and elements:
Step 1 Select the object or element and hold the object or element.
Step 2 Drag the item to another part of the equation.

As you pass over another item in the Drop Area of the panel, the item becomes highlighted. This signifies you can drop the item into the equation. The dropped item is placed ahead of the highlighted item and is joined to it with the AND operator. This affects the calculation in two places: the next logical calculation from where the item was moved, and the logical calculation of where the item is placed.
Step 3 Click Save.
Step 4 Close the Custom Views window.
Step 5 From the Admin tab menu, click Deploy Changes.

All changes are deployed.

Editing the Operators

You can edit the operators as they appear in the Drop Area of the Equation Editor. You can access the following using the right mouse button (right-click) on each operator:

• And Operator - To change the default AND operator to OR, use the right mouse button (right-click) on the operator and select OR from the menu.
• Excluding Objects - To exclude an object from part of an equation, use the right mouse button (right-click) on the object and select NOT from the menu. An exclamation mark (!) appears before the object.
• Excluding Elements - To exclude an element from part of an equation, use the right mouse button (right-click) on the element and select NOT from the menu. An exclamation mark (!) appears before the element.
• Removing Objects - To remove an object from an equation, use the right mouse button (right-click) on the object and select Remove Object. Click OK to confirm.
• Removing Elements - To remove an element from an equation, use the right mouse button (right-click) on the element and select Remove Element. Click OK to confirm.
• Group Objects - To create grouped objects to apply an action to, hold down the Alt key and click the objects you want to include. Use the right mouse button (right-click) and select Group Selected Objects. You can also include elements in a group.
• Group Elements - To create grouped elements to apply an action to, hold down the Alt key and click the elements you want to include. Use the right mouse button (right-click) and select Group Selected Objects. You can also include objects in a group.
• Remove Grouped Objects or Elements - Use the right mouse button (right-click) on a group and select Remove Brackets.
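The AND/OR/NOT and bracket semantics described above can be seen end to end in a small evaluator that applies an equation to flow records. This is an added example, not STRM code and not part of the original guide: the Python classes, the flow record layout, the field names, and the assumption that AND binds tighter than OR are all assumptions chosen to mirror the element options of Table 11-22 and the operators listed above.

```python
"""Evaluating a Custom View equation of the kind built in the Drop Area.

Added illustration, not STRM code. The flow record layout, the element classes
and the Term/Group representation are assumptions that mirror Table 11-22.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Union

Flow = Dict[str, Any]


@dataclass
class Property:
    """Flow property element, e.g. TargetIsLocal or AttackerIsSrc."""
    name: str

    def matches(self, flow: Flow) -> bool:
        return bool(flow.get("properties", {}).get(self.name, False))


@dataclass
class Port:
    """Port element: true when either end of the flow uses the port."""
    port: int

    def matches(self, flow: Flow) -> bool:
        return self.port in (flow.get("src_port"), flow.get("dst_port"))


@dataclass
class IfIndex:
    """Interface index element with a direction of Input or Output."""
    direction: str
    value: int

    def matches(self, flow: Flow) -> bool:
        key = "in_ifindex" if self.direction == "Input" else "out_ifindex"
        return flow.get(key) == self.value


@dataclass
class QoS:
    """QoS element: side (Src/Dst/Local/Remote), field (IP_Precedence/TOS/DSCP/ECN),
    test (Above/Below/Equals) and a numeric value."""
    side: str
    field_name: str
    test: str
    value: int

    def matches(self, flow: Flow) -> bool:
        observed = flow.get("qos", {}).get(self.side, {}).get(self.field_name)
        if observed is None:
            return False  # field absent on this flow: no match rather than an error
        if self.test == "Above":
            return observed > self.value
        if self.test == "Below":
            return observed < self.value
        if self.test == "Equals":
            return observed == self.value
        raise ValueError(f"unknown QoS test {self.test!r}")


@dataclass
class Term:
    """One item in the Drop Area. `op` joins it to the previous item (AND by
    default, OR after a right-click); `negated` is the '!' shown for NOT."""
    item: Union[Property, Port, IfIndex, QoS, "Group"]
    negated: bool = False
    op: str = "AND"


@dataclass
class Group:
    """Bracketed group of terms (Group Selected Objects / Remove Brackets)."""
    terms: List[Term]

    def matches(self, flow: Flow) -> bool:
        # Assumption: AND binds tighter than OR, so the terms are evaluated as
        # OR-separated runs of AND-joined items, left to right.
        result = False
        run = True
        for index, term in enumerate(self.terms):
            if index > 0 and term.op == "OR":
                result = result or run
                run = True
            value = term.item.matches(flow)
            if term.negated:
                value = not value
            run = run and value
        return result or run


def evaluate(equation: Group, flows: List[Flow]) -> List[bool]:
    """Apply the equation to each flow; one boolean per flow."""
    return [equation.matches(flow) for flow in flows]


# Constructed sample flows (not captured data).
SAMPLE_FLOWS: List[Flow] = [
    {"src_port": 51234, "dst_port": 443, "in_ifindex": 2, "out_ifindex": 3,
     "qos": {"Src": {"DSCP": 46}}, "properties": {"TargetIsLocal": True}},
    {"src_port": 51235, "dst_port": 443, "in_ifindex": 2, "out_ifindex": 3,
     "qos": {"Src": {"DSCP": 0}}, "properties": {"TargetIsLocal": True}},
    {"src_port": 51236, "dst_port": 80, "in_ifindex": 5, "out_ifindex": 3,
     "qos": {"Src": {"DSCP": 46}}, "properties": {"TargetIsLocal": False}},
]

# (Port 443 OR Port 80) AND QoS Src DSCP Above 40 AND !ifIndex Input 5
EQUATION = Group([
    Term(Group([Term(Port(443)), Term(Port(80), op="OR")])),
    Term(QoS("Src", "DSCP", "Above", 40)),
    Term(IfIndex("Input", 5), negated=True),
])

if __name__ == "__main__":
    print(evaluate(EQUATION, SAMPLE_FLOWS))
```

Only the first sample flow satisfies the equation: the second fails the DSCP test and the third is excluded by the negated ifIndex element, which is exactly the effect the "!" prefix has in the Drop Area.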

Enabling and Disabling Views

You can enable or disable views, which saves processing power on large structured networks. Depending on your current network activity or the type of traffic you are monitoring, some views may be of more value than others at specific times. To enable or disable views:
Step 1 Click the Admin tab.

The Admin interface appears.
Step 2 In the navigation menu, click Views Configuration.

The Views Configuration panel appears.
Step 3 Click the Enable/Disable View icon.

The View Management window appears.


Step 4 Using the drop-down list box, select one of the following for each view:

Table 11-23 View Management

Parameter - Description

Enabled - Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, graphing capabilities, and enables access from the interface.

Virtual - Using the drop-down list box, select Virtual to allow the Classification Engine to classify each flow. This enables the Classification Engine to classify the flows; however, it disables data collection, data storage, graphing capabilities, and removes the view from the interface. Objects in a virtual view can still be referenced in a Custom View equation. Also, a Security/Policy sentry applied to a virtual view will generate events, as necessary. To enable access from the interface, select Enabled. Note: Selecting the Virtual mode can save processing power on your system.

Disabled - Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled. Note: Selecting the Disabled mode can save processing power on your system.

Step 5 From the Admin tab menu, click Deploy Changes.

Using Best Practices

Given the complexities and network resources required for STRM in large structured networks, we recommend the following best practices:

• Disable views you are not required to access and display. Disabling views requires fewer CPU cycles and will not impact processing power in large structured networks.
• Bundle objects and use the Network Surveillance interface to analyze your network data. Fewer objects create less I/O to your disk. Bundled flows include bidirectional traffic with single source and destination hosts, multiple source and destination ports. All original flows are sent but marked as a bundle. One Flow Bundle record is sent every interval. Classify processes only the bundle and not the flows.
• Typically, configure no more than 200 objects per view (for standard system requirements). More objects may impact your processing power when investigating your traffic.


12

CONFIGURING RULES

Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Using the Offenses interface, you can configure rules or building blocks. Building blocks are rules without a response. Possible responses to a rule include:
• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Generate system notifications using the Dashboard.

The tests in each rule can also reference other building blocks and rules. You do not need to create rules in any specific order since the system will check for dependencies each time a new rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning appears and action is not taken. Each rule may contain the following components:

• Functions - With functions, you can use building blocks and other rules to create a multi-event or multi-offense function. You can also OR rules together, using the when we see an event match any of the following rules function.
• Building blocks - A building block is a rule without a response and is used as a common variable in multiple rules or to build complex rules or logic that you want to use in other rules. You can save a group of tests as building blocks for use with other functions. Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The building block defaults are provided as guidelines, which should be reviewed and edited based on the needs of your network.
• Tests - Property of an event or an offense, such as source IP address, severity of event, or rate analysis.

A user with non-administrative access can create rules for the areas of the network to which they have access. You must have the appropriate role access to manage rules.


You can configure the following rule types:

• Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you want to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.
• Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system has scheduled the offense for reassessment.

This chapter includes:
• Viewing Rules
• Enabling/Disabling Rules
• Creating a Rule
• Copying a Rule
• Deleting a Rule
• Grouping Rules
• Editing Building Blocks

Viewing Rules

To view deployed rules, rule type, and status:
Step 1 Select the Offenses tab.

The Offenses interface window appears.
Step 2 In the navigation menu, click Rules.

The rules interface appears.
Step 3 In the Display drop-down list box, select Rules.

The list of deployed rules appears.

Step 4 Select the rule you want to view.

In the Rule and Notes fields, descriptive information appears.

The default rules that appear depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Enterprise Template Defaults.
• University Template - See University Template Defaults.

Enabling/Disabling Rules

To enable or disable a rule:

Step 1 Select the Offenses tab.

The Offenses interface window appears.
Step 2 In the navigation menu, click Rules.

The rules interface appears.
Step 3 In the Display drop-down list box, select Rules.

The list of deployed rules appears.
Step 4 Select the rule you want to enable or disable.

For more information on each rule, see:
• Enterprise Template - See Enterprise Template Defaults.
• University Template - See University Template Defaults.

Step 5 Using the Actions drop-down list box, select Enable/Disable.

The Enabled column indicates the status.

Creating a Rule

To create a new rule:
Step 1 Select the Offenses tab.

The Offenses interface window appears.
Step 2 In the navigation menu, click Rules.

The rules window appears.
Step 3 Choose one of the following options:
a Using the Actions drop-down list box, select New Event Rule to configure a rule for events.
b Using the Actions drop-down list box, select New Offense Rule to configure a rule for offenses.

The Custom Rule wizard appears.


Note: If you do not want to view the Welcome to the Custom Rules Wizard window again, select the Skip this page when running the rules wizard check box.
Step 4 Read the introductory text. Click Next.

The Rules Test Stack Editor window appears.

Step 5 To add a test to a rule:
a In the Test Group drop-down list box, select the type of test you want to apply to this rule. The resulting list of tests appears. For information on tests, see Event Rule Tests or Offense Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test. The selected test(s) appear in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded test, click and at the beginning of the test. The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the test. Click the underlined configurable parameter to configure. See Event Rule Tests or Offense Rule Tests.

Step 6 In the enter rule name here field, enter a name you want to assign to this rule.
Step 7 To export the configured tests as building blocks to use with other rules:
a Click Export as Building Block. The Save Building Block window appears.
b Enter the name you want to assign to this building block.
c Click Save.
Step 8 In the groups area, select the check box(es) of the groups to which you want to assign this rule. For more information on grouping rules, see Grouping Rules.
Step 9 In the Notes field, enter any notes you want to include for this rule. Click Next.

The Rule Responses window appears, which allows you to configure the action STRM takes when the event sequence is detected.
Step 10 Choose one of the following:
a If you are configuring an Event Rule:

Table 12-1 Event Rule Response Parameters

Parameter - Description

Severity - Select the check box if you want this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level.

Credibility - Select the check box if you want this rule to set or adjust credibility to the configured level. Once selected, you can configure the desired level.

Relevance - Select the check box if you want this rule to set or adjust relevance to the configured level. Once selected, you can configure the desired level.

Ensure the detected event is part of an offense - Select the check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following options appear:
• Index Offenses based on - Using the drop-down list box, select whether you want to index the offense based on the source or destination IP address.
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offenses interface.
• Perform realtime flow analysis on flows between the attacker and target for seconds(s) - Select the check box and configure the number of seconds you want to perform realtime flow analysis on flows between the attacker and this target.

Drop the detected event - Select the check box to force an event, which would normally be sent to the Magistrate component, to be sent to the Aerial database for reporting or searching. This event does not appear in the Offenses interface.

Dispatch New Event - Select the check box to dispatch a new event in addition to the original event, which will be processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box. By default, the check box is clear.

Event Name - Specify the name of the event you want to display in the Offenses interface.

Event Description - Specify a description for the event. The description appears in the Annotations of the event details.

Offense Naming - Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
• This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s).

Severity - Specify the severity for the event. The range is 1 (lowest) to 10 (highest) and the default is 1. The Severity appears in the Annotation of the event details.

Credibility - Specify the credibility of the event. The range is 1 (lowest) to 10 (highest) and the default is 10. Credibility appears in the Annotation of the event details.

Relevance - Specify the relevance of the event. The range is 1 (lowest) to 10 (highest) and the default is 1. Relevance appears in the Annotation of the event details.

High-Level Category - Specify the high-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.

Low-Level Category - Specify the low-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.

Ensure the dispatched event is part of an offense - Select the check box if you want the event to be forwarded to the Magistrate component as a result of this rule. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following option appears:
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offenses interface.

Email - Select the check box to display the e-mail options. By default, the check box is clear.

Enter e-mail address to notify - Specify the e-mail address(es) to send notification if the event generates. Separate multiple e-mail addresses using a comma.

SNMP Trap - This parameter only appears when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 5 Setting Up STRM. Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"

Send to SysLog - Select the check box if you want to log the event. By default, the check box is clear. For example, the syslog output may resemble: Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description

Notify - Select the check box if you want events that generate as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Events interface and the Dashboard, see the STRM Users Guide.

Response Limiter - Specify the frequency you want this rule to respond.

Enable Rule - Select the check box to enable this rule. By default, the check box is selected.

b If you are configuring an Offense Rule:

Table 12-2 Offense Rule Response Parameters

Parameter - Description

Name - Select the check box to display Name options.

New Offense Name - Specify the name you want to assign to the offense.

Offense Annotation - Specify the offense annotation you want to appear in the Offenses interface.

Offense Name - Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).

Email - Select the check box to display the email options. By default, the check box is clear.

Enter e-mail address to notify - Specify the e-mail address(es) to send notification if the event generates. Separate multiple e-mail addresses using a comma.

SNMP Trap - This parameter only appears when the SNMP Enabled parameter is enabled in the STRM System Management window. For more information, see Chapter 5 Setting Up STRM. Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Juniper Networks MIB. For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"

Send to SysLog - Select the check box if you want to log the offense. By default, the check box is clear. For example, the syslog output may resemble: Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59

Response Limiter - Specify the frequency you want this rule to respond for each offense that the rule matches.

Enable Rule - Select the check box to enable this rule. By default, the check box is selected.

Step 11 Click Next.

The Rule Summary window appears.
Step 12 Review the configured rule. Click Finish.
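The Send to SysLog examples in Tables 12-1 and 12-2 are what a collector downstream of STRM receives, and they come in two shapes: the event-rule line carries the endpoints, protocol, QID and category, while the offense-rule line carries only the rule name and offense number. The following added example (not STRM code, and not part of the original guide) parses both shapes into fields and counts fires per rule, which is one input to choosing a Response Limiter value. The two matching sample lines are the examples printed in the tables; the third line is constructed; the field names of the returned dictionary are assumptions.

```python
"""Parsing the 'Rule ... Fired' syslog notifications emitted by the Send to
SysLog response (Tables 12-1 and 12-2).

Added illustration, not STRM code. The two matching sample lines are the
examples shown on this page; the returned field names are assumptions.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Event-rule shape: Rule '<name>' Fired: <src>:<sport> -> <dst>:<dport> <proto>, ...
EVENT_RULE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>[^']*)' Fired: "
    r"(?P<src>[0-9.]+):(?P<src_port>\d+) -> (?P<dst>[0-9.]+):(?P<dst_port>\d+) "
    r"(?P<protocol>\d+), Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)

# Offense-rule shape: Offense CRE Rule <name> fired on offense #<id>
OFFENSE_RULE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Offense CRE Rule (?P<rule>.+?) fired on offense #(?P<offense_id>\d+)$"
)


def parse_cre_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return a dictionary for a recognised CRE notification, or None otherwise."""
    m = EVENT_RULE_RE.match(line)
    if m:
        fields = m.groupdict()
        # The regex only guarantees digits and dots; reject non-IP literals
        # (e.g. 999.1.1.1) instead of passing them on as addresses.
        try:
            ipaddress.ip_address(fields["src"])
            ipaddress.ip_address(fields["dst"])
        except ValueError:
            return None
        return {
            "kind": "event",
            "timestamp": fields["timestamp"],
            "host": fields["host"],
            "rule": fields["rule"],
            "src": fields["src"],
            "src_port": int(fields["src_port"]),
            "dst": fields["dst"],
            "dst_port": int(fields["dst_port"]),
            "protocol": int(fields["protocol"]),
            "event_name": fields["event_name"],
            "qid": int(fields["qid"]),
            "category": int(fields["category"]),
            "notes": fields["notes"],
        }
    m = OFFENSE_RULE_RE.match(line)
    if m:
        return {
            "kind": "offense",
            "timestamp": m["timestamp"],
            "host": m["host"],
            "rule": m["rule"],
            "offense_id": int(m["offense_id"]),
        }
    return None


def fires_per_rule(lines: List[str]) -> Dict[str, int]:
    """Count how often each rule fired in a batch of syslog lines."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_cre_syslog(line)
        if parsed is not None:
            counts[str(parsed["rule"])] += 1
    return dict(counts)


# First two lines: the examples given on this page. Third line: constructed,
# unrelated syslog that the parser must ignore.
SAMPLE_LINES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest "
    "fired on offense #59",
    "Sep 28 12:40:00 localhost.localdomain sshd[1234]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_cre_syslog(sample))
    print(fires_per_rule(SAMPLE_LINES))
```

The event name is matched lazily up to the literal ", QID:" so that names containing commas or colons (the ICMP example in the SNMP row is one) do not shift the remaining fields.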


Event Rule Tests

This section provides information on the tests you can apply to the rules, including:
• Network Property Tests
• Event Source Tests
• Event Property Tests
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Log Source Tests

Network Property Tests

The network property test group includes:

Table 12-3 Network Property Tests

Test: Network Vulnerability Risk
Description: Valid when the source or destination Vulnerability Assessment risk is greater than, less than, or equal to the configured value.
Default Test Name: when the overall source network VA risk is greater than this value
Parameters: Configure the following parameters:
• source - Specify whether the test considers a source or destination of the event.
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the Vulnerability Assessment risk value, which is a value from 0 to 10.

Test: Network Threat Posing
Description: This test is valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is posing is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.

Test: Network Exposure
Description: Threat under is the value applied to the threat a network is under over time. This is calculated based on the average weighted value of the threat under over time. This test is valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is under is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.


Test: Remote Networks
Description: Valid when an IP address is part of any or all of the configured remote network locations.
Default Test Name: when the source IP is a part of any of the following remote network location(s)
Parameters: Configure the following parameters:
• source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• remote network location(s) - Specify the network locations you want this test to consider.

Test: Remote Services Networks
Description: Valid when an IP address is part of any or all of the configured remote services network locations.
Default Test Name: when the source IP is a part of any of the following remote services network location(s)
Parameters: Configure the following parameters:
• source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• remote services network location(s) - Specify the services network locations you want this test to consider.

Test: Geographic Networks
Description: Valid when an IP address is part of any or all of the configured geographic network locations.
Default Test Name: when the Source IP is a part of any of the following geographic network location(s)
Parameters: Configure the following parameters:
• Source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• geographic network location(s) - Specify the network locations you want this test to consider.

Event Source Tests

The event source tests include:

Table 12-4 Event Source Tests

Test: Log Source
Description: Valid when the event(s) have not been detected by the configured log sources.
Default Test Name: when the event(s) have not been detected by one or more of these log sources for 300 seconds.
Parameters: Configure the following parameters:
• these log sources - Specify the log sources you want this test to consider.
• 300 - Specify the time, in seconds, you want this test to consider.


Event Property Tests

The event property test group includes:

Table 12-5 Event Property Tests

Test: Local Network Object
Description: Valid when the event occurs in the specified network.
Default Test Name: when the local network is one of the following networks
Parameters:
• one of the following - Specify the areas of the network to which you want this test to apply.

Test: IP Protocol
Description: Valid when the IP protocol of the event is one of the configured protocols.
Default Test Name: when the IP protocol is one of the following protocols
Parameters:
• protocols - Specify the protocols you want to add to this test.

Test: Event Payload Search
Description: Each event contains a copy of the original unnormalized event. This test is valid when the entered search string is included anywhere in the event payload.
Default Test Name: when the Event Payload contains this string
Parameters:
• this string - Specify the text string you want to include for this test.

Test: QID of Event
Description: A QID is a unique identifier for events. This test is valid when the event identifier is a configured QID.
Default Test Name: when the event QID is one of the following QIDs
Parameters:
• QIDs - Use one of the following options to locate QIDs: select the Browse By Category option and, using the drop-down list boxes, select the high and low-level category QIDs you want to locate; or select the QID Search option, enter the QID or name you want to locate, and click Search.

Test: Attack Context
Description: Attack Context is the relationship between the attacker and target, for example, a local attacker to a remote target. Valid if the attack context is one of the following: Local to Local, Local to Remote, Remote to Local, or Remote to Remote.
Default Test Name: when the attack context is this context
Parameters:
• this context - Specify the context you want this test to consider. The options are: Local to Local, Local to Remote, Remote to Local, or Remote to Remote.

Test: Event Category
Description: Valid when the event category is the same as the configured category, for example, Denial of Service (DoS) attack.
Default Test Name: when the event category for the event is one of the following categories
Parameters:
• categories - Specify the event category you want this test to consider. For more information on event categories, see the Event Category Correlation Reference Guide.


Test: Severity
Description: Valid when the event severity is greater than, less than, or equal to the configured value. The default is 5.
Default Test Name: when the event severity is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify whether the severity is greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Test: Credibility
Description: Valid when the event credibility is greater than, less than, or equal to the configured value. The default is 5.
Default Test Name: when the event credibility is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify whether the credibility is greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Test: Relevance
Description: Valid when the event relevance is greater than, less than, or equal to the configured value. The default is 5.
Default Test Name: when the event relevance is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify whether the relevance is greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Test: Source Location
Description: Valid when the source IP address of the event is either local or remote.
Default Test Name: when the source is local or remote {default: remote}
Parameters:
• local or remote - Specify either local or remote traffic.

Test: Destination Location
Description: Valid when the destination IP address of the event is either local or remote.
Default Test Name: when the destination is local or remote {default: remote}
Parameters:
• local or remote - Specify either local or remote traffic.

Test: Rate Analysis
Description: STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Valid when the event has been marked for rate analysis.
Default Test Name: when the event has been marked with rate analysis


Test: False Positive Tuning
Description: When you tune false positive events in the Events interface, the resulting tuning values appear in this test. If you want to remove a false positive tuning, you can edit this test to remove the necessary tuning values.
Default Test Name: when the false positive signature matches one of the following signatures
Parameters:
• signatures - Specify the false positive signature you want this test to consider. Enter the signature in the following format:
<CAT|QID|ANY>:<value>:<source IP>:<dest IP>
Where:
<CAT|QID|ANY> - Specify whether you want this false positive signature to consider a category (CAT), Juniper Networks Identifier (QID), or any value.
<value> - Specify the value for the <CAT|QID|ANY> parameter. For example, if you specified QID, you must specify the QID value.
<source IP> - Specify the source IP address you want this false positive signature to consider.
<dest IP> - Specify the destination IP address you want this false positive signature to consider.

Test: Regex
Description: Valid when the configured MAC address, username, hostname, or operating system matches a particular regular expression (regex) string. Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, see the following web site: http://java.sun.com/docs/books/tutorial/extra/regex/
Default Test Name: when the username matches the following regex
Parameters: Configure the following parameters:
• username - Specify the value you want to associate with this test. This test may consider the MAC address, username, hostname, or operating system.
• regex - Specify the regex string you want this test to consider.


Test: IPv6
Description: Valid when the source or destination IPv6 address is the configured IP address.
Default Test Name: when the source IP(v6) is one of the following IPv6 addresses
Parameters: Configure the following parameters:
• source IP(v6) - Specify whether you want this test to consider the source or destination IP(v6) address.
• IPv6 addresses - Specify the IPv6 addresses you want this test to consider.
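The test stack built in Creating a Rule (tests joined with and / and not, a building block reused as a test in another rule) and the false positive signature format from the False Positive Tuning row of Table 12-5 can be exercised together against a handful of events. This is an added example, not STRM code and not part of the original guide: the event field names, the test helpers, the TestStack class and the sample events are constructed assumptions. The signature parser follows only the <CAT|QID|ANY>:<value>:<source IP>:<dest IP> layout stated in the table and assumes IPv4 literals, because the fields are colon separated.

```python
"""Evaluating an event-rule test stack ('and' / 'and not' tests plus a building
block) against events, including the False Positive Tuning signature format
<CAT|QID|ANY>:<value>:<source IP>:<dest IP> from Table 12-5.

Added illustration, not STRM code. Event field names, helpers and sample
events are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Test = Callable[[Event], bool]


def parse_fp_signature(signature: str) -> Tuple[str, str, str, str]:
    """Split <CAT|QID|ANY>:<value>:<source IP>:<dest IP> into its four fields.
    Assumes IPv4 literals; a ValueError is raised for any malformed field."""
    parts = signature.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {signature!r}")
    kind, value, src, dst = parts
    kind = kind.upper()
    if kind not in ("CAT", "QID", "ANY"):
        raise ValueError(f"first field must be CAT, QID or ANY: {signature!r}")
    if kind != "ANY" and not value.isdigit():
        raise ValueError(f"{kind} value must be numeric: {signature!r}")
    ipaddress.IPv4Address(src)  # raises ValueError (AddressValueError) if not IPv4
    ipaddress.IPv4Address(dst)
    return kind, value, src, dst


def is_valid_fp_signature(signature: str) -> bool:
    try:
        parse_fp_signature(signature)
        return True
    except ValueError:
        return False


def fp_signature_matches(signature: str, event: Event) -> bool:
    """True when the event is between the signature's endpoints and, for CAT
    or QID signatures, carries that category or QID. ANY matches every event
    between the two addresses (assumed reading of 'any value')."""
    kind, value, src, dst = parse_fp_signature(signature)
    if event["src"] != src or event["dst"] != dst:
        return False
    if kind == "CAT":
        return str(event["category"]) == value
    if kind == "QID":
        return str(event["qid"]) == value
    return True


# Test helpers: each returns a closure over its configured parameter(s).
def severity_greater_than(limit: int) -> Test:
    return lambda e: int(e["severity"]) > limit


def attack_context_is(*contexts: str) -> Test:
    return lambda e: e["attack_context"] in contexts


def fp_signature_one_of(*signatures: str) -> Test:
    return lambda e: any(fp_signature_matches(s, e) for s in signatures)


@dataclass
class TestStack:
    """Ordered tests; excluded=True renders as 'and not'. A stack with no
    response is a building block, and its matches() can serve as a test."""
    tests: List[Tuple[Test, bool]]

    def matches(self, event: Event) -> bool:
        for test, excluded in self.tests:
            result = test(event)
            if excluded:
                result = not result
            if not result:
                return False
        return True


def evaluate_rule(rule: TestStack, events: List[Event]) -> List[str]:
    """Return the ids of the events for which every test in the stack holds."""
    return [str(e["id"]) for e in events if rule.matches(e)]


# Building block holding constructed tuning signatures (no response of its own).
BB_FALSE_POSITIVES = TestStack([
    (fp_signature_one_of("QID:1000398:172.16.60.219:172.16.210.126",
                         "ANY:0:10.0.0.5:10.0.0.9"), False),
])

# Rule: severity > 5 and attack context Remote to Local and not <building block>.
SCAN_RULE = TestStack([
    (severity_greater_than(5), False),
    (attack_context_is("Remote to Local"), False),
    (BB_FALSE_POSITIVES.matches, True),
])

# Constructed sample events (not captured data).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "qid": 1000398, "category": 1011, "src": "172.16.60.219",
     "dst": "172.16.210.126", "severity": 7, "attack_context": "Remote to Local"},
    {"id": "e2", "qid": 1000398, "category": 1011, "src": "172.16.60.220",
     "dst": "172.16.210.126", "severity": 7, "attack_context": "Remote to Local"},
    {"id": "e3", "qid": 1000156, "category": 1014, "src": "10.0.0.5",
     "dst": "10.0.0.9", "severity": 9, "attack_context": "Remote to Local"},
    {"id": "e4", "qid": 1000156, "category": 1014, "src": "10.0.0.7",
     "dst": "10.0.0.9", "severity": 3, "attack_context": "Local to Local"},
]

if __name__ == "__main__":
    print(evaluate_rule(SCAN_RULE, SAMPLE_EVENTS))
```

Events e1 and e3 are suppressed by the building block (one by a QID signature, one by an ANY signature), e4 fails the severity test, and only e2 survives; editing the tuning values in the building block changes the outcome for every rule that excludes it, which is the re-use the Building blocks paragraph describes.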

IP/Port Tests

The IP/Port tests include:

Table 12-6 IP / Port Test Group

Test: Source Port
Description: Valid when the source port of the event is one of the configured source port(s).
Default Test Name: when the source port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Test: Destination Port
Description: Valid when the destination port of the event is one of the configured destination port(s).
Default Test Name: when the destination port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Test: Local Port
Description: Valid when the local port of the event is one of the configured local port(s).
Default Test Name: when the local port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Test: Remote Port
Description: Valid when the remote port of the event is one of the configured remote port(s).
Default Test Name: when the remote port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Test: Source IP Address
Description: Valid when the source IP address of the event is one of the configured IP address(es).
Default Test Name: when the source IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Test: Destination IP Address
Description: Valid when the destination IP address of the event is one of the configured IP address(es).
Default Test Name: when the destination IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Test: Local IP Address
Description: Valid when the local IP address of the event is one of the configured IP address(es).
Default Test Name: when the local IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Test: Remote IP Address
Description: Valid when the remote IP address of the event is one of the configured IP address(es).
Default Test Name: when the remote IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Creating a Rule

Table 12-6 IP / Port Test Group (continued)

Test: IP Address
Description: Valid when the source or destination IP address of the event is one of the configured IP address(es).
Default Test Name: when either the source or destination IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Function Tests
The function tests include:
Table 12-7 Functions Group

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default Test Name: when an event matches any|all of the following rules
Parameters: Configure the following parameters:
• any|all - Specify whether any or all of the configured rules apply to this test.
• rules - Specify the rules you want this test to consider.

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.
Default Test Name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters: Configure the following parameters:
• these rules - Specify the rules you want this test to consider.
• in|in any - Specify whether you want this rule to consider the rules in order or in any order.
• the same|any - Specify if you want this rule to consider the same or any of the source to destination port or IP address.
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify if you want this rule to consider the same or any of the source to destination port or IP address.
• destination IP - Specify whether you want this rule to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• seconds - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.

Table 12-7 Functions Group (continued)

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of specified rules, in sequence, involving a source and destination within a configured time interval.
Default Test Name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters: Configure the following parameters:
• this number - Specify the number of rules you want this function to consider.
• in|in any - Specify whether you want this rule to consider the rules in order or in any order.
• the same|any - Specify if you want this rule to consider the same or any of the source to destination port or IP address.
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify if you want this rule to consider the same or any of the source to destination port or IP address.
• destination IP - Specify whether you want this rule to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• seconds - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.

Test: Multi-Event Sequence Function Between Hosts
Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time intervals. You can also use saved building blocks and other rules to populate this test.
Default Test Name: when this sequence of rules, involving the same source and destination hosts in this many seconds
Parameters: Configure the following parameters:
• of rules - Specify the rules you want this test to consider.
• this many - Specify the number of time intervals you want this test to consider.
• seconds - Specify the time interval you want this rule to consider.
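As an added example (not code from the guide or from STRM), the following evaluates the rule sequence tests above for each source/destination host pair within a time window, in the configured order or in any order, covering both the in|in any order selector of the Multi-Rule Event Function and the Multi-Event Sequence Function Between Hosts. The event tuples, rule names and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def rules_between_hosts(events, rules, seconds, in_order=True):
    """Report each (source, destination) pair for which all of `rules` fired
    within `seconds`, in the configured order or in any order.

    `events` are (timestamp, source_ip, dest_ip, matched_rule) tuples, one per
    rule or building block match; the field layout is constructed for this
    example. Returns (source_ip, dest_ip, completion_timestamp) in time order.
    """
    window = timedelta(seconds=seconds)
    wanted = list(rules)
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, rule) inside the window
    completions = []
    for ts, src, dst, rule in sorted(events, key=lambda e: e[0]):
        if rule not in wanted:
            continue                  # matches outside the configured rule set are ignored
        q = recent[(src, dst)]
        q.append((ts, rule))
        while ts - q[0][0] > window:  # drop matches older than the window
            q.popleft()
        fired = [r for _, r in q]
        if in_order:
            complete = _is_subsequence(wanted, fired)
        else:
            complete = set(wanted) <= set(fired)
        if complete:
            completions.append((src, dst, ts))
            q.clear()                 # the next occurrence must be built up again
    return completions


def _is_subsequence(wanted, fired):
    """True when `wanted` appears in `fired` in order (other matches may sit between)."""
    it = iter(fired)
    return all(w in it for w in wanted)


# Constructed sample data: three host pairs, one rule sequence, 600-second window.
BASE = datetime(2010, 4, 1, 9, 0, 0)
SEQUENCE = ["Login Failure", "Login Success", "New Admin Account"]
SAMPLE_EVENTS = [
    # pair A: the sequence in order within two minutes -> completes either way
    (BASE + timedelta(seconds=0),   "10.0.0.5", "10.0.0.20", "Login Failure"),
    (BASE + timedelta(seconds=60),  "10.0.0.5", "10.0.0.20", "Login Success"),
    (BASE + timedelta(seconds=90),  "10.0.0.5", "10.0.0.20", "Port Scan"),   # not in the sequence
    (BASE + timedelta(seconds=120), "10.0.0.5", "10.0.0.20", "New Admin Account"),
    # pair B: all three rules, but out of order -> only "in any order" completes
    (BASE + timedelta(seconds=0),   "10.0.0.7", "10.0.0.20", "Login Success"),
    (BASE + timedelta(seconds=10),  "10.0.0.7", "10.0.0.20", "Login Failure"),
    (BASE + timedelta(seconds=20),  "10.0.0.7", "10.0.0.20", "New Admin Account"),
    # pair C: in order, but the first rule falls outside a 600 s window -> no completion
    (BASE + timedelta(seconds=0),   "10.0.0.8", "10.0.0.20", "Login Failure"),
    (BASE + timedelta(seconds=700), "10.0.0.8", "10.0.0.20", "Login Success"),
    (BASE + timedelta(seconds=720), "10.0.0.8", "10.0.0.20", "New Admin Account"),
]

if __name__ == "__main__":
    print("in order:    ", rules_between_hosts(SAMPLE_EVENTS, SEQUENCE, 600))
    print("in any order:", rules_between_hosts(SAMPLE_EVENTS, SEQUENCE, 600, in_order=False))
```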

Table 12-7 Functions Group (continued)

Test: Multi-Event Counter Function
Description: Allows you to test the number of events from configured conditions, such as source IP address. You can also use building blocks and other rules to populate this test.
Default Test Name: when a source IP emitting/receiving more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes
Parameters: Configure the following parameters:
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• more than|exactly - Specify if you want this test to consider more than or exactly the number of rules.
• this many - Specify the number of rules you want this test to consider.
• these rules - Specify the rules you want this test to consider.
• more than|exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source IP option above.
• this many - Specify the number of IP addresses, ports, QIDs, events, log sources, or categories you want this test to consider.
• destination IP - Specify the destination you want this test to consider. The default is destination IP; however, you can also configure this test to consider other options, such as destination IP(s), destination port(s), QID(s), event ID(s), or log source(s).
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this rule to consider.
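The following is an added example, not code from the guide or from STRM, of how the Multi-Event Counter Function above can be evaluated over a sliding window: per source IP (emitting) or per destination IP (receiving), it counts matches of the selected rules and the distinct peer addresses seen, and applies the more than|exactly selectors. Event tuples, rule names and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _compare(op, actual, threshold):
    """Apply the test's more than|exactly selector."""
    if op == "more than":
        return actual > threshold
    if op == "exactly":
        return actual == threshold
    raise ValueError(f"unknown comparison {op!r}")


def multi_event_counter(events, these_rules, rule_op, rule_count,
                        dest_op, dest_count, minutes, direction="emitting"):
    """Evaluate: when a source IP emitting/receiving more than|exactly this many
    of these rules across more than|exactly this many destination IP, over this
    many minutes.

    `events` are (timestamp, source_ip, dest_ip, matched_rule) tuples with a
    layout constructed for this example. "emitting" groups by source IP and
    counts distinct destination IPs; "receiving" groups by destination IP and
    counts distinct source IPs. Returns {grouped_ip: first timestamp at which
    the test became true}.
    """
    if direction == "emitting":
        key_idx, other_idx = 1, 2
    elif direction == "receiving":
        key_idx, other_idx = 2, 1
    else:
        raise ValueError(f"unknown direction {direction!r}")
    window = timedelta(minutes=minutes)
    rule_set = set(these_rules)
    recent = defaultdict(deque)   # grouped ip -> deque of (ts, peer ip) inside the window
    first_hit = {}
    for ev in sorted(events, key=lambda e: e[0]):
        ts, rule = ev[0], ev[3]
        if rule not in rule_set:
            continue
        key, peer = ev[key_idx], ev[other_idx]
        q = recent[key]
        q.append((ts, peer))
        while ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        matches = len(q)
        distinct = len({p for _, p in q})
        if (key not in first_hit
                and _compare(rule_op, matches, rule_count)
                and _compare(dest_op, distinct, dest_count)):
            first_hit[key] = ts
    return first_hit


# Constructed sample data: one rule, three sources, a five-minute window.
BASE = datetime(2010, 4, 1, 9, 0, 0)
RULES = ["Login Failure"]
SAMPLE_EVENTS = [
    # 10.0.0.5: four failures against four hosts in three minutes -> fires at +3 min
    (BASE + timedelta(minutes=0), "10.0.0.5", "10.0.0.20", "Login Failure"),
    (BASE + timedelta(minutes=1), "10.0.0.5", "10.0.0.21", "Login Failure"),
    (BASE + timedelta(minutes=2), "10.0.0.5", "10.0.0.22", "Port Scan"),   # not one of these rules
    (BASE + timedelta(minutes=2), "10.0.0.5", "10.0.0.22", "Login Failure"),
    (BASE + timedelta(minutes=3), "10.0.0.5", "10.0.0.23", "Login Failure"),
    # 10.0.0.7: five failures, but all against one host -> too few destinations
    (BASE + timedelta(minutes=0), "10.0.0.7", "10.0.0.30", "Login Failure"),
    (BASE + timedelta(minutes=1), "10.0.0.7", "10.0.0.30", "Login Failure"),
    (BASE + timedelta(minutes=2), "10.0.0.7", "10.0.0.30", "Login Failure"),
    (BASE + timedelta(minutes=3), "10.0.0.7", "10.0.0.30", "Login Failure"),
    (BASE + timedelta(minutes=4), "10.0.0.7", "10.0.0.30", "Login Failure"),
    # 10.0.0.8: many hosts, but ten minutes apart -> never enough matches in one window
    (BASE + timedelta(minutes=0),  "10.0.0.8", "10.0.0.40", "Login Failure"),
    (BASE + timedelta(minutes=10), "10.0.0.8", "10.0.0.41", "Login Failure"),
    (BASE + timedelta(minutes=20), "10.0.0.8", "10.0.0.42", "Login Failure"),
    (BASE + timedelta(minutes=30), "10.0.0.8", "10.0.0.43", "Login Failure"),
]

if __name__ == "__main__":
    # more than 3 of these rules across more than 2 destination IPs, over 5 minutes
    print(multi_event_counter(SAMPLE_EVENTS, RULES, "more than", 3, "more than", 2, 5))
    # receiving: a host getting more than 3 failures from exactly 1 source in 5 minutes
    print(multi_event_counter(SAMPLE_EVENTS, RULES, "more than", 3, "exactly", 1, 5,
                              direction="receiving"))
```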

Table 12-7 Functions Group (continued)

Test: Multi-Rule Function
Description: Allows you to detect a series of rules for a specific IP address or port followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
Default Test Name: when any of these rules with the same source IP more than this many times, across more than|exactly this many destination IP within this many minutes
Parameters: Configure the following parameters:
• rules - Specify the rules you want this test to consider.
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• this many - Specify the number of time intervals you want this rule to consider.
• more than|exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source IP option.
• this many - Specify the number you want this test to consider, depending on the option you configured in the source IP.
• destination IP - Specify the destination you want this test to consider. The default is destination IP; however, you can also configure this test to consider other options, such as destination IP(s), destination port(s), QID(s), log source event ID(s), or log source(s).
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this rule to consider.

Table 12-7 Functions Group (continued)

Test: Multi-Rule Function
Description: Allows you to detect a number of specific rules for a specific IP address or port followed by a number of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
Default Test Name: when at least this many of these rules, in|in any order, with the same username followed by at least this many of these rules in|in any order with the same destination IP from the previous sequence, within this many minutes
Parameters: Configure the following parameters:
• this many - Specify the number of rules you want this test to consider.
• rules - Specify the rules you want this test to consider.
• in|in any - Specify if you want this test to consider rules in a specific order.
• username - Specify whether you want this test to consider the username, source IP, source port, destination IP, or destination port.
• this many - Specify the number of rules you want this test to consider.
• rules - Specify the rules you want this test to consider.
• in|in any - Specify if you want this test to consider rules in a specific order.
• destination IP - Specify whether you want this test to consider the username, source IP, source port, destination IP, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• minutes - Specify the time interval you want this rule to consider.

Test: Username Function
Description: Allows you to detect multiple updates to usernames on a single host.
Default Test Name: when the username changes more than this many times within this many hours on a single host.
Parameters: Configure the following parameters:
• username - Specify if you want this test to consider username, MAC address, or hostname.
• this many - Specify the number of changes you want this rule to consider.
• this many - Specify the number of time intervals you want this rule to consider.
• hours - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.

Host Profile Tests
The host profile tests include:
Table 12-8 Host Profile Tests

Test: Host Profile Port
Description: Valid when the port is open on the configured local source or destination. You can also specify if the status of the port is detected using one of the following methods:
• Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network recording hosts previously detected.
Default Test Name: when the local source host destination port is open either actively or passively seen
Parameters: Configure the following parameters:
• source - Specify if you want this test to apply to the source or destination port. The default is source.
• either actively or passively - Specify if you want this test to consider active and/or passive scanning.

Test: Host Existence
Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify if the status of the host is detected using one of the following methods:
• Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network recording hosts previously detected.
Default Test Name: when the local source host exists either actively or passively seen
Parameters: Configure the following parameters:
• source - Specify if you want this test to apply to source or destination port. The default is source.
• either actively or passively - Specify if you want this test to consider active and/or passive scanning.

Test: Host Profile Age
Description: Valid when the local source or destination host profile age is greater than the configured value within the configured time intervals.
Default Test Name: when the local source host profile age is greater than this number of time intervals
Parameters: Configure the following parameters:
• source - Specify if you want this test to apply to source or destination port. The default is source.
• greater than - Specify if you want this test to consider greater than or less than the profile port age.
• this number of - Specify the number of time intervals you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.

Table 12-8 Host Profile Tests (continued)

Test: Host Port Age
Description: Valid when the local source or destination host profile age is greater than or less than a configured amount of time.
Default Test Name: when the local source host profile port age is greater than this number of time intervals
Parameters: Configure the following parameters:
• source - Specify if you want this test to apply to the source or destination port. The default is source.
• greater than - Specify if you want this test to consider greater than or less than the profile port age.
• this number of - Specify the time you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.

Test: Host Vulnerability Assessment Risk Level
Description: Valid when the local source or destination host vulnerability risk level is greater than or less than the configured value.
Default Test Name: when the local destination host vulnerability risk level is greater than 5 {default}
Parameters: Configure the following parameters:
• destination - Specify if you want this test to apply to the source or destination port.
• greater than - Specify if you want this test to be greater than or less than the vulnerability risk.
• 5 - Specify the value you want this test to consider.

Test: Host Vulnerability Assessment Port Risk Level
Description: Valid when the local source or destination host port vulnerability risk level is greater than or less than a configured amount of time.
Default Test Name: when the local destination host port vulnerability risk level is greater than this value
Parameters: Configure the following parameters:
• destination - Specify if you want this test to apply to the source or destination port.
• greater than - Specify if you want this test to consider greater than or less than the vulnerability risk.
• this value - Specify the value you want this test to consider.

Test: Attacker Threat Level
Description: Threat Posing is the calculated value for this attacker over time, that indicates how severe the attacker is compared to all other attackers in your network. Valid when the amount of threat posed to the network by an attacker is greater than or less than the configured value.
Default Test Name: when the amount of threat the attacker is posing is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Table 12-8 Host Profile Tests (continued)

Test: Attacker Threat
Description: STRM calculates the long and short-term threat of an attacker and then calculates the difference between the two to provide information on changes in the attacker's behavior. Valid when the threat delta posed by an attacker is greater than or less than the configured value.
Default Test Name: when the threat delta of the attacker is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat data to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Test: Target Threat
Description: Threat under is the value applied to the threat a network is under over time. This is calculated based on the average weighted value of the threat under over time. This test is valid when the amount of threat the target is under is greater than or less than the configured value.
Default Test Name: when the amount of the threat the target is under is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Test: Target Threat
Description: STRM calculates the long and short-term threat of a target and then calculates the difference between the two to provide information on changes in the target's behavior. Valid when the threat delta of the target is greater than or less than the configured value.
Default Test Name: when the threat delta the target is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat delta to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Test: Asset
Description: Valid when the device being attacked (destination) or the host that is the attacker (source) has an assigned weight greater than or less than the configured value.
Default Test Name: when the destination asset has a weight greater than this weight
Parameters: Configure the following parameters:
• destination - Specify if you want this test to consider the source or destination asset.
• greater than - Specify if you want the value to be greater than or less than the configured value.
• this weight - Specify the weight you want this test to consider.

Table 12-8 Host Profile Tests (continued)

Test: Host Vulnerable to Event
Description: Valid when the local host destination port is vulnerable to the current event.
Default Test Name: when the target is vulnerable to current exploit on any port
Parameters: Configure the following parameters:
• target - Specify if you want this test to consider a target, attacker, local host, or remote host.
• current - Specify if you want this test to consider current or any exploit.
• any - Specify if you want this test to consider any or the current port.

Test: OSVDB IDs
Description: Valid when an IP address (source, destination, or any) is vulnerable to the configured Open Source Vulnerability Database (OSVDB) IDs.
Default Test Name: when the source IP is vulnerable to one of the following OSVDB IDs
Parameters: Configure the following parameters:
• source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• OSVDB IDs - Specify any OSVDB IDs that you want this test to consider. For more information regarding OSVDB IDs, see http://osvdb.org/.

Date/Time Tests
The date and time tests include:
Table 12-9 Date/Time Tests

Test: Event Day
Description: Valid when the event occurs on the configured day of the month.
Default Test Name: when the event(s) occur on the selected day of the month
Parameters: Configure the following parameters:
• on - Specify if you want this test to consider on, after, or before the configured day.
• selected - Specify the day of the month you want this test to consider.

Test: Event Week
Description: Valid when the event occurs on the configured days of the week.
Default Test Name: when the event(s) occur on any of these days of the week
Parameters: these days of the week - Specify the days of the week you want this test to consider.

Test: Event Time
Description: Valid when the event occurs after the configured time.
Default Test Name: when the event(s) occur after this time
Parameters: Configure the following parameters:
• after - Specify if you want this test to consider after, before, or at the configured time.
• this time - Specify the time you want this test to consider.

Log Source Tests
The log source tests include:
Table 12-10 Log Source Tests

Test: Source Log Sources
Description: Valid when one of the configured source log sources is the source of the event.
Default Test Name: when the event(s) were detected by one or more of these log sources
Parameters: these log sources - Specify the log sources that you want this test to detect.

Test: Source Log Source Type
Description: Valid when one of the configured log source types is the source of the event.
Default Test Name: when the event(s) were detected by one or more of these log source types
Parameters: these log source types - Specify the log source types that you want this test to detect.

Test: Log Sources
Description: Valid when the event(s) have not been detected by the configured devices.
Default Test Name: when the event(s) have not been detected by one or more of these log sources for 300 seconds.
Parameters: Configure the following parameters:
• these log sources - Specify the log sources you want this test to consider.
• 300 - Specify the time, in seconds, you want this test to consider.

Test: Log Source Groups
Description: Valid when an event is detected by the configured log source groups.
Default Test Name: when the event(s) were detected by one or more of these log source groups
Parameters: these log source groups - Specify the groups you want this rule to consider.

Offense Rule Tests

This section provides information on the tests you can apply to the rules including:
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Log Source Tests
• Offense Property Tests

IP/Port Tests
The IP/Port tests include:
Table 12-11 IP/Port Test Group

Test: Attacker IP Address
Description: Valid when the attacker IP address is one of the configured IP address(es).
Default Test Name: when the attacker/violator IP is one of the following IP addresses.
Parameters: IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Table 12-11 IP/Port Test Group (continued)

Test: Target IP Address
Description: Valid when the target list is any of the configured IP address(es).
Default Test Name: when the target list includes any of the following IP addresses
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all of the listed targets.
• IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Function Tests
The function tests include:
Table 12-12 Offense Function Group

Test: Multi-Rule Offense Function
Description: Allows you to use saved building blocks and other rules to populate this test. The offense has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default Test Name: when the offense matches any of the following offense rules.
Parameters: Configure the following parameters:
• any - Specify whether any or all of the configured rules apply to this test.
• rules - Specify the rules you want this test to consider.

Host Profile Tests
The host profile tests include:
Table 12-13 Host Profile Tests

Test: Attacker Threat Level
Description: Threat Posing is the calculated value for this attacker over time, that indicates how severe the attacker is compared to all other attackers in your network. Valid when the threat posed to the network by an attacker is greater or less than the configured value.
Default Test Name: when the amount of threat the attacker is posing is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Table 12-13 Host Profile Tests (continued)

Test: Network Vulnerability Risk
Description: Valid when the overall VA risk on the network is greater or less than the configured value.
Default Test Name: when the overall network VA risk is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the threat to be greater or less than the configured value.
• this value - Specify the value you want this test to consider.

Test: Network Threat Posing
Description: Valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is posing is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the value to be greater or less than the configured value.
• this value - Specify the value you want this test to consider.

Test: Network Threat Under
Description: Threat under is the value applied to the threat a network is under over time. This is calculated based on the average weighted value of the threat under over time. This test is valid when the amount of threat a network is under to local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is under is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify if you want the network threat to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Date/Time Tests
The date and time tests include:
Table 12-14 Date/Time Tests

Test: Event Day
Description: Valid when the offense occurs on the configured day of the month.
Default Test Name: when the offense(s) occur on the selected day of the month
Parameters: Configure the following parameters:
• on - Specify if you want this rule to consider on, after, or before the selected date.
• selected - Specify the date you want this test to consider.

Test: Event Week
Description: Valid when the offense occurs on the configured day of the week.
Default Test Name: when the offense(s) occur on these days of the week
Parameters: Configure the following parameters:
• on - Specify if you want this rule to consider on, after, or before the selected day.
• these days of the week - Specify the days you want this test to consider.

Table 12-14 Date/Time Tests (continued)

Test: Event Time
Description: Valid when the offense occurs after, before, or on the configured time.
Default Test Name: when the offense(s) occur after this time
Parameters: Configure the following parameters:
• after - Specify if you want this test to consider after, before, or at a specified time.
• this time - Specify the time you want this test to consider.

Log Source Tests
The log source tests include:
Table 12-15 Log Source Tests

Test: Log Source Types
Description: Valid when one of the configured log source types is the source of the event.
Default Test Name: when the log source type(s) that detected the offense is one of the following device types
Parameters: log source types - Specify the log source types that you want this test to detect.

Test: Number of Log Source Type
Description: Valid when the number of log source types is greater than the configured value.
Default Test Name: when the number of log source types that detected the offense is greater than this number
Parameters: greater than this number - Specify the number of log source types that you want this test to consider.

Offense Property Tests
The offense property tests include:
Table 12-16 Offense Property Tests

Test: Network Object
Description: Valid when the networks affected are any or all of the configured networks.
Default Test Name: when the networks affected are any of one of the following networks
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all networks.
• one of the following networks - Specify the networks you want this test to consider.

Test: Offense Category
Description: Valid when the event category is any or all of the configured event categories.
Default Test Name: when the categories of the offense includes any of the following list of categories
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all categories.
• list of categories - Specify the categories you want this test to consider.

For more information on event categories, see the Event Category Correlation Reference Guide.

Table 12-16 Offense Property Tests (continued)

Test: Severity
Description: Valid when the severity is greater than, less than, or equal to the configured value.
Default Test Name: when the offense severity is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify if you want the offense severity to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Test: Credibility
Description: Valid when the credibility is greater than, less than, or equal to the configured value.
Default Test Name: when the offense credibility is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify if you want the offense credibility to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Test: Relevance
Description: Valid when the relevance is greater than, less than, or equal to the configured value.
Default Test Name: when the offense relevance is greater than 5 {default}
Parameters: Configure the following parameters:
• greater than - Specify if you want the offense relevance to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Test: Attack Context
Description: Attack Context is the relationship between the attacker and target. For example, a local attacker to a remote target. Valid if the attack context is one of the following:
• Local to Local
• Local to Remote
• Remote to Local
• Remote to Remote
Default Test Name: when the attack context is this context
Parameters: this context - Specify the context you want this test to consider. The options are:
• Local to Local
• Local to Remote
• Remote to Local
• Remote to Remote

Test: Attacker Location
Description: Valid when the attacker is either local or remote. The default is remote.
Default Test Name: when the attacker is local or remote IPs {default: remote}
Parameters: local or remote - Specify if you want the attacker to be local or remote.

Test: Target Location
Description: Valid when the target is either local or remote. The default is remote.
Default Test Name: when the target list includes local or remote IP addresses {default: remote}
Parameters: local or remote IP addresses - Specify if you want the target to be local or remote.

Table 12-16 Offense Property Tests (continued)

Test: Network Flow Analysis
Description: Valid when STRM detects one of the configured behaviors in the Attacker Target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following attacker target analysis behaviors listed.
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.

Test: Network Flow Analysis
Description: Valid when STRM detects one of the configured behaviors in the Target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following target analysis behaviors listed.
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.

Test: Category Count in an Offense
Description: Valid when the number of event categories for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of categories involved in the offense is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of categories to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.
For more information on event categories, see the Event Category Correlation Reference Guide.

Test: Target Count in an Offense
Description: Valid when the number of targets for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of targets under attack is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of targets to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.

Test: Event Count in an Offense
Description: Valid when the number of events for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of events making up the offense is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of events to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.

Test: Offense ID
Description: Valid when the Offense ID is the configured value.
Default Test Name: when the offense ID is this ID
Parameters: this ID - Specify the offense ID you want this test to consider.

Test: Offense Creation
Description: Valid when a new offense is created.
Default Test Name: when a new offense is created


Table 12-16 Offense Property Tests (continued)

Test: Offense Change
Description: Valid when the configured offense property has increased above or decreased below the configured value.
Default Test Name: when the offense property has increased by at least this percent
Parameters: Configure the following parameters:
• property - Specify the property you want this test to consider. The options are magnitude, severity, credibility, relevance, target count, attacker count, category count, annotation count, or event count.
• this - Specify the percent value you want this test to consider.
• percent - Specify if you want this test to consider percentage or units.
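As an added illustration (not STRM code, and not a description of how STRM evaluates rules internally), the following Python evaluator applies several of the Table 12-16 tests to one constructed offense record, including the percent-versus-units choice of the Offense Change test. The Offense class, the local-network list that stands in for the STRM network hierarchy, and the relational operator names are assumptions.

```python
"""Evaluator for the offense property tests of Table 12-16.

Added example, not STRM code: it shows how the table's tests read when applied to
one offense. The Offense record, the local-network list (standing in for the STRM
network hierarchy) and the relational operator names are constructed assumptions.
"""
import operator
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Choices of the "greater than" parameter shared by the count and relevance tests.
OPS = {"greater than": operator.gt, "less than": operator.lt, "equal to": operator.eq}

# Assumed local networks; any address outside them is "remote".
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def location(ip):
    """'Local' if ip lies inside a local network, otherwise 'Remote'."""
    addr = ip_address(ip)
    return "Local" if any(addr in net for net in LOCAL_NETWORKS) else "Remote"


@dataclass
class Offense:
    offense_id: int
    attacker_ip: str
    target_ips: list
    relevance: int
    categories: set
    event_count: int
    # Earlier snapshot of the numeric properties, consulted by the Offense Change test.
    previous: dict = field(default_factory=dict)

    def value_of(self, prop):
        """Current value of a property, named as in the 'property' parameter."""
        return {"relevance": self.relevance, "target count": len(self.target_ips),
                "category count": len(self.categories), "event count": self.event_count}[prop]


def relevance_test(off, op="greater than", value=5):
    """when the offense relevance is greater than 5 {default}"""
    return OPS[op](off.relevance, value)


def attack_context_test(off, context):
    """when the attack context is this context ('Local to Local', 'Remote to Local', ...).
    With several targets the test passes if any attacker/target pair matches; the table
    does not say how multi-target offenses are judged, so that part is an assumption."""
    return any("%s to %s" % (location(off.attacker_ip), location(t)) == context
               for t in off.target_ips)


def attacker_location_test(off, where="remote"):
    """when the attacker is local or remote IPs {default: remote}"""
    return location(off.attacker_ip).lower() == where


def target_location_test(off, where="remote"):
    """when the target list includes local or remote IP addresses {default: remote}"""
    return any(location(t).lower() == where for t in off.target_ips)


def count_test(off, which, op="greater than", number=0):
    """Category, Target and Event Count in an Offense: compare the count to 'this number'."""
    return OPS[op](off.value_of(which), number)


def offense_id_test(off, this_id):
    """when the offense ID is this ID"""
    return off.offense_id == this_id


def offense_change_test(off, prop, this, percent=True):
    """when the offense property has increased by at least this percent.
    percent=False switches the 'percent' parameter to units. Integer arithmetic keeps
    the threshold exact; a property rising from 0 counts as an increase only in unit
    mode, because a percentage of zero is undefined."""
    prev = off.previous.get(prop, off.value_of(prop))
    delta = off.value_of(prop) - prev
    if not percent:
        return delta >= this
    return prev > 0 and delta * 100 >= this * prev


# Constructed offense: a remote attacker against two local targets, whose event count
# grew from 100 to 120 and whose relevance rose from 5 to 7 since the last snapshot.
SAMPLE_OFFENSE = Offense(offense_id=1234, attacker_ip="203.0.113.7",
                         target_ips=["10.1.2.3", "10.1.2.4"], relevance=7,
                         categories={"Recon", "Exploit", "Malware"}, event_count=120,
                         previous={"event count": 100, "relevance": 5})
```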

Copying a Rule

To copy a rule:
Step 1 Select the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to duplicate.
Step 5 Using the Actions drop-down list box, select Duplicate.
Step 6 In the Enter name for the copied rule field, enter a name for the new rule. Click Ok.
The duplicated rule appears.
Step 7 Click Edit to edit the tests for the rule.
For more information on editing the rule, see Creating a Rule.

Deleting a Rule

To delete a rule:
Step 1 Select the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to delete.
Step 5 Using the Actions drop-down list box, select Delete.


Grouping Rules

You can now group and view your rules and building blocks based on your chosen criteria. Categorizing your rules or building blocks into groups allows you to efficiently view and track your rules. For example, you can view all rules related to compliance. By default, the Rules interface displays all rules and building blocks. As you create new rules, you can assign the rule to an existing group. For information on assigning a group using the rule wizard, see Creating a Rule.

Note: You must have administrative access to create, edit, or delete groups. For more information on user roles, see Chapter 2 Managing Users.

This section provides information on grouping rules and building blocks including:
• Viewing Groups
• Creating a Group
• Editing a Group
• Copying an Item to Another Group(s)
• Deleting an Item from a Group
• Assigning an Item to a Group

Viewing Groups

To view rules or building blocks using groups:
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Using the Display drop-down list box, select whether you want to view Rules or Building Blocks.
Step 4 From the Filter drop-down list box, select the group category you want to view.
Step 5 The list of items assigned to that group appears.

Creating a Group

To create a group:
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.


Step 4 From the menu tree, select the group under which you want to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree items.
Step 5 Click New Group.
The Group Properties window appears.
Step 6 Enter values for the parameters:
• Name - Specify the name you want to assign to the new group. The name may be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.


Editing a Group

To edit a group:
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the group you want to edit.
Step 5 Click Edit.
The Group Properties window appears.
Step 6 Update values for the parameters, as necessary:
• Name - Specify the name you want to assign to the group. The name may be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the group, click the group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.


Copying an Item to Another Group(s)

Using the groups functionality, you can copy a rule or building block to one or many groups. To copy a rule or building block:
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the rule or building block you want to copy to another group.
Step 5 Click Copy.
The Choose Group window appears.


Step 6 Select the check box for the group(s) to which you want to copy the rule or building block.
Step 7 Click Copy.
Step 8 Close the Groups window.

Deleting an Item from a Group

To delete a rule or building block from a group:
Note: Deleting a group removes this rule or building block from the Rules interface. Deleting an item from a group does not delete the rule or building block from the Rules interface.
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the top level group.
Step 5 From the list of groups, select the group you want to delete.
Step 6 Click Remove.
A confirmation window appears.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.

Assigning an Item to a Group

To assign a rule or building block to a group:
Step 1 Click the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Select the rule or building block you want to assign to a group.
Step 4 Using the Actions drop-down list box, select Assign Groups.
The Choose Group window appears.
Step 5 Click Assign Groups.


Editing Building Blocks

Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that excludes the IP addresses of all mail servers in your deployment from the rule. The default building blocks depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix 1 Enterprise Template Defaults.
• University Template - See Appendix 2 University Template Defaults.

To edit a building block:
Step 1 Select the Offenses tab.
The Offenses interface appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Building Blocks.
The Building Blocks appear.
Step 4 Double-click the building block you want to edit.
The Custom Rules Wizard appears.
Step 5 Update the building block, as necessary. Click Next.
Step 6 Continue through the wizard. For more information, see Creating a Rule.
The Rule Summary appears.


Step 7 Click Finish.

13 DISCOVERING SERVERS

The Server Discovery function uses STRM’s Asset Profile database to discover different server types based on port definitions, then allows you to select which servers should be added to a server-type building block. This feature makes the discovery and tuning process simpler and faster by allowing a quick mechanism to insert servers into building blocks. The Server Discovery function is based on server-type building blocks. Ports are used to define the server type so that the server-type building block essentially functions as a port-based filter when searching the Asset Profile database. For more information on building blocks, see Chapter 12 Configuring Rules.

To discover servers:
Step 1 Click the Assets tab.
The Assets interface appears.
Step 2 In the navigation menu, click Server Discovery.
The Server Discovery panel appears.
Step 3 From the Server Type drop-down list box, select the server type you want to discover.
Step 4 Select the option to determine the servers you want to discover including:
• All - Search all servers in your deployment with the currently selected Server Type.
• Assigned - Search servers in your deployment that have been previously assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been previously assigned.
Step 5 From the Network drop-down list box, select the network you want to search.
Step 6 Click Discover Servers.
The discovered servers appear.


Step 7 In the Matching Servers table, select the check box(es) of all servers you want to assign to the server role.
Note: If you want to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard appears. For more information on the rules wizard, see Chapter 12 Configuring Rules.
Step 8 Click Approve Selected Servers.

14 FORWARDING SYSLOG DATA

STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/Event Processor basis and you can configure multiple forwarding destinations. Also, STRM ensures that all data that is forwarded is unaltered. This chapter includes:
• Adding a Syslog Destination
• Editing a Syslog Destination
• Delete a Syslog Destination

Adding a Syslog Destination

To add a syslog forwarding destination:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.
The Data Sources panel appears.
Step 3 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 4 Click Add.
The Syslog Forwarding Destinations window appears.


Step 5 Enter values for the parameters:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log data.
Step 6 Click Save.

Editing a Syslog Destination

To edit a syslog forwarding destination:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 4 Select the entry you want to edit.
Step 5 Click Edit.
The Syslog Forwarding Destinations window appears.
Step 6 Update values, as necessary:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log data.
Step 7 Click Save.


Delete a Syslog Destination

To delete a syslog forwarding destination:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 4 Select the entry you want to delete.
Step 5 Click Delete.
A confirmation window appears.
Step 6 Click Ok.

A JUNIPER NETWORKS MIB

This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212. Note: STRM does not support outbound SNMP traps. For assistance with the Juniper Networks MIB, please contact Juniper Networks customer support. The Juniper Networks MIB includes:
-- Juniper Enterprise Specific MIB: Security Threat Response Manager (STRM) trap MIB.
-- Copyright (c) 2002-2006, Juniper Networks, Inc.
-- All rights reserved.
-- The contents of this document are subject to change without notice.

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress,
    Integer32, Counter64        -- both are used below but were absent from the printed IMPORTS
        FROM SNMPv2-SMI
    jnxStrm
        FROM JUNIPER-SMI
    DisplayString, DateAndTime, TruthValue, TEXTUAL-CONVENTION
        FROM SNMPv2-TC;

strmTrapInfo MODULE-IDENTITY
    LAST-UPDATED "200811101100Z"
    ORGANIZATION "Juniper Networks, Inc"
    CONTACT-INFO
        " Juniper Technical Assistance Center
          Juniper Networks, Inc.
          1194 N. Mathilda Avenue
          Sunnyvale, CA 94089
          E-mail: support@juniper.net"
    DESCRIPTION "Security Threat Response Manger trap definitions for STRM"
    ::= { jnxStrm 1 }

strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 }

--
-- Variables within the STRM Trap Info
-- .2636.7.1.*
--

strmLocalHostAddress OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "IP address of the local machine where the notification originated"
    ::= { strmTrapInfo 1 }

strmTimeString OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Time offense was created or time the event rule fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
    ::= { strmTrapInfo 2 }

strmTimeInMillis OBJECT-TYPE
    SYNTAX Counter64   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Time offense was created or time the event rule fired in milliseconds"
    ::= { strmTrapInfo 3 }

--
-- Offense Properties
--

strmOffenseID OBJECT-TYPE
    SYNTAX Counter64   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Offense ID"
    ::= { strmTrapInfo 4 }

strmOffenseDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Description of the Offense"
    ::= { strmTrapInfo 6 }

strmOffenseLink OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "HTTP link to the offense"
    ::= { strmTrapInfo 7 }

strmMagnitude OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Offense magnitude"
    ::= { strmTrapInfo 8 }

strmSeverity OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Offense severity"
    ::= { strmTrapInfo 9 }

strmCreditibility OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Offense creditibility"
    ::= { strmTrapInfo 10 }

strmRelevance OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Offense relevance"
    ::= { strmTrapInfo 11 }

--
-- Attacker Properties
--

strmAttackerIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Attacker IP"
    ::= { strmTrapInfo 12 }

strmAttackerUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Attacker's User Name"
    ::= { strmTrapInfo 13 }

strmAttackerCount OBJECT-TYPE
    SYNTAX Counter64   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Attackers"
    ::= { strmTrapInfo 14 }

strmTop5AttackerIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
    ::= { strmTrapInfo 15 }

strmTopAttackerIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Attacker IPs"
    ::= { strmTrapInfo 16 }

strmTop5AttackerUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
    ::= { strmTrapInfo 48 }

strmTopAttackerUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Attacker IPs"
    ::= { strmTrapInfo 49 }

strmAttackerNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Attacker Networks(comma separated)"
    ::= { strmTrapInfo 17 }

--
-- Target Properties
--

strmTargetIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Target IP"
    ::= { strmTrapInfo 18 }

strmTargetUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Target's User Name"
    ::= { strmTrapInfo 19 }

strmTargetCount OBJECT-TYPE
    SYNTAX Counter64   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Targets"
    ::= { strmTrapInfo 20 }

strmTop5TargetIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top 5 Target IPs by Magnitude"
    ::= { strmTrapInfo 21 }

strmTopTargetIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 22 }

strmTop5TargetUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top 5 Target Usernames by Magnitude"
    ::= { strmTrapInfo 50 }

strmTopTargetUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 51 }

strmTargetNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Target Networks(comma separated)"
    ::= { strmTrapInfo 23 }

--
-- Category properties
--

strmCategoryCount OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Categories"
    ::= { strmTrapInfo 24 }

strmTop5Categories OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top 5 Categories(comma separated)"
    ::= { strmTrapInfo 25 }

strmTopCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Category"
    ::= { strmTrapInfo 26 }

strmCategoryID OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Category ID of Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 27 }

strmCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Category of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 28 }

--
-- Annotation Properties
--

strmAnnotationCount OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Annotations"
    ::= { strmTrapInfo 29 }

strmTopAnnotation OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Top Annotation"
    ::= { strmTrapInfo 30 }

--
-- Rule Properties
--

strmRuleCount OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Rules contained in the Offense"
    ::= { strmTrapInfo 31 }

strmRuleNames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Names of the Rules that contributed to the Offense(comma separated)"
    ::= { strmTrapInfo 32 }

strmRuleID OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "ID of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 33 }

strmRuleName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Name of the Rules that was triggered in the CRE"
    ::= { strmTrapInfo 34 }

strmRuleDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Description/Notes of the Rules that was triggered in the CRE"
    ::= { strmTrapInfo 35 }

--
-- Event Properties
--

strmEventCount OBJECT-TYPE
    SYNTAX Counter64   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Total Number of Events contained in the Offense"
    ::= { strmTrapInfo 36 }

strmEventID OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 37 }

strmQid OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 38 }

strmEventName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Name of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 39 }

strmEventDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Description/Notes of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 40 }

--
-- IP Properties
--

strmSourceIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Source IP of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 41 }

strmSourcePort OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 42 }

strmDestinationIP OBJECT-TYPE
    SYNTAX IpAddress   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Destination IP of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 43 }

strmDestinationPort OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 44 }

strmProtocol OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 45 }

strmAttackerPort OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 46 }

strmTargetPort OBJECT-TYPE
    SYNTAX Integer32   MAX-ACCESS accessible-for-notify   STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 47 }

--
-- STRM Trap Notifications
-- .2636.7.0.*
--

strmEventCRENotification NOTIFICATION-TYPE
    OBJECTS { strmLocalHostAddress, strmTimeString, strmRuleName, strmRuleDescription,
              strmAttackerIP, strmAttackerPort, strmAttackerUserName, strmAttackerNetworks,
              strmTargetIP, strmTargetPort, strmTargetUserName, strmTargetNetworks,
              strmProtocol, strmQid, strmEventName, strmEventDescription, strmCategory }
    STATUS current
    DESCRIPTION "Event CRE Notification"
    ::= { strmTrap 1 }

strmOffenseCRENotification NOTIFICATION-TYPE
    OBJECTS { strmLocalHostAddress, strmTimeString, strmRuleName, strmRuleDescription,
              strmOffenseID, strmOffenseDescription, strmOffenseLink, strmMagnitude,
              strmSeverity, strmCreditibility, strmRelevance, strmEventCount,
              strmCategoryCount, strmTop5Categories, strmAttackerIP, strmAttackerUserName,
              strmAttackerNetworks, strmAttackerCount, strmTop5AttackerIPs, strmTargetIP,
              strmTargetUserName, strmTargetNetworks, strmTargetCount, strmTop5TargetIPs,
              strmRuleCount, strmRuleNames, strmAnnotationCount,
              strmTopAnnotation.1, strmTopAnnotation.2, strmTopAnnotation.3,
              strmTopAnnotation.4, strmTopAnnotation.5 }
              -- the printed text had a stray trailing comma after strmTopAnnotation.5
    STATUS current
    DESCRIPTION "Offense CRE Notification"
    ::= { strmTrap 2 }

END
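Added example, not Juniper code: a small Python decoder that maps the varbinds of a received trap back to the object names in this MIB and checks that the trap carries every object its NOTIFICATION-TYPE lists, which is the check a receiver should make before trusting a partially populated alert. It assumes jnxStrm is 1.3.6.1.4.1.2636.7 (the MIB's own comments give only ".2636.7.1.*" and ".2636.7.0.*"), and the sample trap is constructed.

```python
"""Decode STRM trap varbinds against the Juniper MIB above and check they are complete.

Added example, not Juniper code. Assumption: jnxStrm is 1.3.6.1.4.1.2636.7, inferred
from the ".2636.7.1.*" / ".2636.7.0.*" comments in the MIB. The sample trap is constructed.
"""
JNX_STRM = "1.3.6.1.4.1.2636.7"                  # assumed jnxStrm prefix
STRM_TRAP_INFO = JNX_STRM + ".1"                 # strmTrapInfo ::= { jnxStrm 1 }
STRM_TRAP = JNX_STRM + ".0"                      # strmTrap ::= { jnxStrm 0 }
EVENT_CRE, OFFENSE_CRE = STRM_TRAP + ".1", STRM_TRAP + ".2"   # { strmTrap 1 }, { strmTrap 2 }
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"          # snmpTrapOID.0: the varbind naming the trap

# strmTrapInfo sub-identifier -> object name, copied from the MIB (5 is unassigned there).
OBJECTS = {
    1: "strmLocalHostAddress", 2: "strmTimeString", 3: "strmTimeInMillis", 4: "strmOffenseID",
    6: "strmOffenseDescription", 7: "strmOffenseLink", 8: "strmMagnitude", 9: "strmSeverity",
    10: "strmCreditibility", 11: "strmRelevance", 12: "strmAttackerIP", 13: "strmAttackerUserName",
    14: "strmAttackerCount", 15: "strmTop5AttackerIPs", 16: "strmTopAttackerIP",
    17: "strmAttackerNetworks", 18: "strmTargetIP", 19: "strmTargetUserName", 20: "strmTargetCount",
    21: "strmTop5TargetIPs", 22: "strmTopTargetIP", 23: "strmTargetNetworks", 24: "strmCategoryCount",
    25: "strmTop5Categories", 26: "strmTopCategory", 27: "strmCategoryID", 28: "strmCategory",
    29: "strmAnnotationCount", 30: "strmTopAnnotation", 31: "strmRuleCount", 32: "strmRuleNames",
    33: "strmRuleID", 34: "strmRuleName", 35: "strmRuleDescription", 36: "strmEventCount",
    37: "strmEventID", 38: "strmQid", 39: "strmEventName", 40: "strmEventDescription",
    41: "strmSourceIP", 42: "strmSourcePort", 43: "strmDestinationIP", 44: "strmDestinationPort",
    45: "strmProtocol", 46: "strmAttackerPort", 47: "strmTargetPort", 48: "strmTop5AttackerUsernames",
    49: "strmTopAttackerUsername", 50: "strmTop5TargetUsernames", 51: "strmTopTargetUsername",
}
INDEX = {name: sub for sub, name in OBJECTS.items()}

# OBJECTS clauses of the two notifications; strmTopAnnotation.1 to .5 are checked apart.
REQUIRED = {
    EVENT_CRE: """strmLocalHostAddress strmTimeString strmRuleName strmRuleDescription
        strmAttackerIP strmAttackerPort strmAttackerUserName strmAttackerNetworks strmTargetIP
        strmTargetPort strmTargetUserName strmTargetNetworks strmProtocol strmQid strmEventName
        strmEventDescription strmCategory""".split(),
    OFFENSE_CRE: """strmLocalHostAddress strmTimeString strmRuleName strmRuleDescription
        strmOffenseID strmOffenseDescription strmOffenseLink strmMagnitude strmSeverity
        strmCreditibility strmRelevance strmEventCount strmCategoryCount strmTop5Categories
        strmAttackerIP strmAttackerUserName strmAttackerNetworks strmAttackerCount
        strmTop5AttackerIPs strmTargetIP strmTargetUserName strmTargetNetworks strmTargetCount
        strmTop5TargetIPs strmRuleCount strmRuleNames strmAnnotationCount""".split(),
}


def decode_varbinds(varbinds):
    """Map (oid, value) pairs to {object name: value}, dropping instance suffixes (.0 for
    scalars, .1 to .5 for strmTopAnnotation, which is gathered into a list). OIDs outside
    strmTrapInfo go under 'unknown' so unexpected varbinds stay visible."""
    prefix = STRM_TRAP_INFO + "."
    decoded = {"unknown": []}
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            decoded["notification"] = value
            continue
        sub = int(oid[len(prefix):].split(".")[0]) if oid.startswith(prefix) else None
        name = OBJECTS.get(sub)
        if name is None:
            decoded["unknown"].append(oid)
        elif name == "strmTopAnnotation":
            decoded.setdefault(name, []).append(value)
        else:
            decoded[name] = value
    return decoded


def check_trap(varbinds):
    """Return (decoded, missing): objects the notification's OBJECTS clause lists but the trap
    lacks. An unrecognised notification OID is reported there too; nothing can be checked."""
    decoded = decode_varbinds(varbinds)
    notif = decoded.get("notification")
    if notif not in REQUIRED:
        return decoded, ["unrecognised notification OID: %s" % notif]
    missing = [n for n in REQUIRED[notif] if n not in decoded]
    if notif == OFFENSE_CRE:
        have = len(decoded.get("strmTopAnnotation", []))
        if have < 5:                                  # the MIB lists strmTopAnnotation.1 .. .5
            missing.append("strmTopAnnotation (%d of 5 instances)" % have)
    return decoded, missing


def make_varbinds(notification, fields):
    """Build (oid, value) pairs the way a receiver sees them: scalar objects carry a
    trailing .0 instance, strmTopAnnotation uses instances .1 to .5."""
    vbs = [(SNMP_TRAP_OID, notification)]
    for name, value in fields.items():
        base = "%s.%d" % (STRM_TRAP_INFO, INDEX[name])
        if name == "strmTopAnnotation":
            vbs += [("%s.%d" % (base, i), v) for i, v in enumerate(value, start=1)]
        else:
            vbs.append((base + ".0", value))
    return vbs


# Constructed Event CRE trap with one varbind per object in its OBJECTS clause.
SAMPLE_EVENT_TRAP = make_varbinds(EVENT_CRE, {
    "strmLocalHostAddress": "10.0.0.5", "strmTimeString": "Mon Apr 28 10:14:49 GMT 2008",
    "strmRuleName": "constructed rule", "strmRuleDescription": "constructed",
    "strmAttackerIP": "203.0.113.7", "strmAttackerPort": 40123, "strmAttackerUserName": "",
    "strmAttackerNetworks": "other", "strmTargetIP": "10.0.0.9", "strmTargetPort": 22,
    "strmTargetUserName": "", "strmTargetNetworks": "Net-10", "strmProtocol": 6, "strmQid": 1,
    "strmEventName": "constructed event", "strmEventDescription": "", "strmCategory": "Recon",
})
```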

1 ENTERPRISE TEMPLATE DEFAULTS

The Enterprise template includes settings with emphasis on internal network activities. This appendix provides the defaults for the Enterprise template including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries

The default sentries for the Enterprise template include:
Table 16-1 Default Sentries

Sentry: Behavior - Flow Count Behavior Change
Description: Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Sentry: Behavior - Host Count Behavior Change
Description: Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Sentry: Behavior - Threat Traffic Packet Rate Behavior Change
Description: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

Sentry: DoS - External - Distributed DoS Attack (High Number of Hosts)
Description: Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - External - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.


Table 16-1 Default Sentries (continued)

Sentry: DoS - External - Distributed DoS Attack (Medium Number of Hosts)
Description: Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - External - Flood Attack (High)
Description: Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

Sentry: DoS - External - Flood Attack (Medium)
Description: Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

Sentry: DoS - External - Flood Attack (Low)
Description: Detects flood attacks above 500 packets per second. This activity may indicate an attack.

Sentry: DoS - External - Potential ICMP DoS
Description: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

Sentry: DoS - External - Potential TCP DoS
Description: Detects flows that appear to be a TCP DoS attack attempt.

Sentry: DoS - External - Potential UDP DoS
Description: Detects flows that appear to be a UDP DoS attack attempt.

Sentry: DoS - External - Potential Unresponsive Service or Distributed DoS
Description: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Sentry: DoS - Internal - Distributed DoS Attack (High Number of Hosts)
Description: Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)
Description: Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Flood Attack (Medium)
Description: Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

Sentry: DoS - Internal - Flood Attack (High)
Description: Detects flood attacks above 100,000 packets per second. This activity typically indicates a serious attack.

Sentry: DoS - Internal - Flood Attack (Low)
Description: Detects flood attacks above 500 packets per second. This activity may indicate an attack.

Sentry: DoS - Internal - Potential ICMP DoS
Description: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

Sentry: DoS - Internal - Potential TCP DoS
Description: Detects flows that appear to be a TCP DoS attack attempt.


Table 16-1 Default Sentries (continued)

Sentry: DoS - Internal - Potential UDP DoS
Description: Detects flows that appear to be a UDP DoS attack attempt.

Sentry: DoS - Internal - Potential Unresponsive Service or Distributed DoS
Description: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Sentry: Policy - External - Large Outbound File Transfer
Description: Detects a possible information leak.

Sentry: Local Host Count Change
Description: Detects scanning activity or a worm infection.

Sentry: Malware - External - Client Based DNS Activity to the Internet
Description: Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a bot net connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.

Sentry: Malware - External Communication with BOT Control Channel
Description: Detects an IP address being communicated with that was a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.

Sentry: Policy - External - Clear Text Application Usage
Description: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Sentry: Policy - External - Hidden FTP Server
Description: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Sentry: Policy - Internal - Clear Text Application Usage
Description: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Sentry: Policy - Internal - Hidden FTP Server
Description: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Sentry: Policy - External - IM/Chat
Description: Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Sentry: Policy - External - IRC Connections
Description: Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.


ENTERPRISE TEMPLATE DEFAULTS

Sentry: Policy - Local P2P Server Detected
Description: Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Sentry: Policy - External - Long Duration Flow Detected
Description: Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3,600 seconds, which means that an event generates 3,600 seconds after the first instance of the event.

Sentry: Policy - External - P2P Communications Detected
Description: Detects Peer-to-Peer (P2P) communications.

Sentry: Policy - External - Possible Tunneling
Description: Detects possible tunneling, which can indicate a bypass of policy or an infected system.

Sentry: Policy - External - Remote Desktop Access from the Internet
Description: Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Sentry: Policy - External - SMTP Mail Sender
Description: Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate that a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Policy - External - SSH or Telnet Detected on Non-Standard Ports
Description: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Sentry: Policy - Internal - SSH or Telnet Detected on Non-Standard Ports
Description: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Sentry: Policy - External - Usenet Usage
Description: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Sentry: Policy - External - VNC Access From the Internet to a Local Host
Description: Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.


Sentry: Recon - External - ICMP Scan (High)
Description: Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Sentry: Recon - External - ICMP Scan (Low)
Description: Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - External - ICMP Scan (Medium)
Description: Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Sentry: Recon - External - Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Sentry: Recon - External - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Sentry: Recon - External - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - External - Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.


Sentry: Recon - Internal - ICMP Scan (High)
Description: Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Sentry: Recon - Internal - ICMP Scan (Low)
Description: Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - Internal - ICMP Scan (Medium)
Description: Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Sentry: Recon - Internal - Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Sentry: Recon - Internal - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Sentry: Recon - Internal - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - Internal - Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.


Sentry: Suspicious - Internal Outbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Sentry: Suspicious - External Outbound Unidirectional Flows Threshold
Description: Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.

Sentry: Suspicious - External Inbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Sentry: Suspicious - External Anomalous ICMP Flows
Description: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - External - Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Suspicious - External - Port 0 Flows Detected
Description: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Sentry: Suspicious - External Rejected Communication Attempts
Description: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - External Unidirectional ICMP Detected
Description: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - External Unidirectional ICMP Responses Detected
Description: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.


Sentry: Suspicious - External Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so such activity should be considered suspicious.

Sentry: Suspicious - External Unidirectional UDP or Misc Flows
Description: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Sentry: Suspicious - External Suspicious IRC Traffic
Description: Detects suspicious IRC traffic.

Sentry: Suspicious - Internal Anomalous ICMP Flows
Description: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - Internal - Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Suspicious - Internal - Port 0 Flows Detected
Description: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Sentry: Suspicious - Internal Rejected Communication Attempts
Description: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - Internal Unidirectional ICMP Detected
Description: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Sentry: Suspicious - Internal Unidirectional ICMP Responses Detected
Description: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.


Sentry: Suspicious - Internal Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so such activity should be considered suspicious.

Sentry: Suspicious - Internal Unidirectional UDP or Misc Flows
Description: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Default Custom Views

This section provides the default custom views for the Enterprise template, including:

• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses, including:
Table 16-2 Custom Views - IP Tracking View

Locals - Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.
Remotes - Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.


Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:
Table 16-3 Custom Views - Threats View

Group: Exceptions
Objects: This group includes:
Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.


Group: DoS
Objects: The Denial of Service (DoS) group includes:
Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
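The DoS group above is a tiered rate test: unanswered packets per second from one source map to the Low/Medium/High flood objects, and distinct hosts touched per minute map to the Multihost_Attack objects. The following is an added example, not STRM's own implementation, that applies the table's thresholds (500, 5,000 and 100,000) to constructed flow records. It assumes a record format with `src`, `dst`, `start`, `duration_s`, `packets` and `dst_packets` fields, treats 10.0.0.0/8 as the local network, and applies the same three thresholds in both directions (the table lists 500 for Outbound_Flood_NoResponse_Medium, which this example reads as 5,000 so that Medium and Low differ).

```python
from collections import defaultdict

# Severity tiers from Table 16-3: floods are measured in packets per second,
# scans in hosts per minute. The same three tiers are applied to both traffic
# directions here (assumption; the table lists 500 for Outbound_..._Medium).
TIERS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))

# Assumption: everything in 10.0.0.0/8 is "local"; adjust to your network definition.
LOCAL_PREFIX = "10."

# Constructed sample flow records, one dict per flow. `dst_packets == 0` means
# the destination never answered.
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dst": "10.0.0.1", "start": 0.0, "duration_s": 5.0,
     "packets": 600_000, "dst_packets": 0},        # remote source, unanswered, 120,000 pps
    {"src": "10.0.0.7", "dst": "198.51.100.9", "start": 0.0, "duration_s": 2.0,
     "packets": 12_000, "dst_packets": 0},         # local source, unanswered, 6,000 pps
    {"src": "10.0.0.8", "dst": "198.51.100.10", "start": 0.0, "duration_s": 1.0,
     "packets": 900_000, "dst_packets": 400},      # answered: a busy but normal transfer
]
# A local host probing 700 distinct addresses within 35 seconds (one packet each).
SAMPLE_FLOWS += [
    {"src": "10.0.0.9", "dst": f"10.1.{i // 256}.{i % 256}", "start": i * 0.05,
     "duration_s": 1.0, "packets": 1, "dst_packets": 0}
    for i in range(700)
]


def tier_for(value):
    """Name of the highest tier whose threshold `value` exceeds, or None."""
    for name, threshold in TIERS:
        if value > threshold:
            return name
    return None


def flood_objects(flows, local_prefix=LOCAL_PREFIX):
    """Map each source address to the *_Flood_NoResponse_* object it matches,
    based on its aggregate rate of packets that were never answered."""
    packets = defaultdict(int)
    seconds = defaultdict(float)
    for f in flows:
        if f["dst_packets"] != 0:
            continue                      # the destination responded: not a NoResponse flood
        packets[f["src"]] += f["packets"]
        seconds[f["src"]] += f["duration_s"]
    matches = {}
    for src, count in packets.items():
        pps = count / max(seconds[src], 1e-9)
        name = tier_for(pps)
        if name:
            direction = "Outbound" if src.startswith(local_prefix) else "Inbound"
            matches[src] = f"{direction}_Flood_NoResponse_{name}"
    return matches


def multihost_objects(flows, window_s=60.0):
    """Map each source address to the Multihost_Attack_* object it matches, based
    on the largest number of distinct destinations seen in any one-minute window."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((f["start"], f["dst"]))
    matches = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)      # destination -> flows inside the sliding window
        oldest = 0
        peak = 0
        for start, dst in events:
            in_window[dst] += 1
            while events[oldest][0] < start - window_s:
                old_dst = events[oldest][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                oldest += 1
            peak = max(peak, len(in_window))
        name = tier_for(peak)
        if name:
            matches[src] = f"Multihost_Attack_{name}"
    return matches
```

Run against `SAMPLE_FLOWS`, the remote source is classified as `Inbound_Flood_NoResponse_High`, the local flooder as `Outbound_Flood_NoResponse_Medium`, the answered transfer is ignored, and the probing host reaches `Multihost_Attack_Low` without tripping the flood test, because its 700 single-packet flows amount to about one packet per second. The sliding window matters: the same 700 destinations spread over an hour would not match any Multihost tier.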


Group: Scanning
Objects: This Scanning group includes:
ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
Scan_High - Defines a scan of more than 100,000 hosts per minute.
Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
Scan_Low - Defines a scan of more than 500 hosts per minute.
Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

Group: PortScans
Objects: This PortScans group includes:
Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.


Group: Suspicious_IP_Protocol_Usage
Objects: This group includes:
Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts (if any) of payload. This may be the result of scans where the target responds with reset packets.
Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.
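Most objects in the Suspicious_IP_Protocol_Usage group are per-flow predicates on the protocol header and the flow's byte and packet counters. The following added example (not STRM's code) evaluates those predicates over constructed flow records. It assumes a record with `proto`, `flags`, `src_port`, `dst_port`, `dst_packets`, `payload_bytes`, `max_packet_bytes`, `duration_s`, `external` and `icmp_type` fields; the set of TCP flag combinations treated as illegal and the 64-byte "small payload" cut-off are this example's assumptions, since the guide names only the categories. Suspicious_ICMP_Type_Code is left out because the guide defers its type/code list to an external reference.

```python
# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

LARGE_PACKET_BYTES = 1024        # "larger than 1K" for DNS and ICMP packets
LONG_DURATION_S = 48 * 3600      # "more than 48 hours"
ZERO_PAYLOAD_MAX_BYTES = 64      # assumption: what counts as "small amounts (if any) payload"
ICMP_REPLY_TYPES = {0, 3}        # echo reply and destination unreachable


def illegal_tcp_flags(flags):
    """True for combinations no conforming TCP stack emits. The exact set is this
    example's assumption; the guide names only the category."""
    if flags == 0:
        return True                                    # NULL segment
    if flags & SYN and flags & (FIN | RST):
        return True                                    # SYN+FIN or SYN+RST
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return True                                    # FIN/PSH/URG without ACK (XMAS style)
    return False


def flow(**fields):
    """Build a constructed flow record, filling in defaults for unspecified fields."""
    record = {"proto": "tcp", "flags": ACK, "src_port": 40000, "dst_port": 80,
              "dst_packets": 1, "payload_bytes": 1000, "max_packet_bytes": 512,
              "duration_s": 10, "external": True, "icmp_type": None}
    record.update(fields)
    return record


def protocol_usage_objects(f):
    """Return the Suspicious_IP_Protocol_Usage object names that match one flow record."""
    tags = []
    proto = f["proto"]
    if proto == "tcp" and illegal_tcp_flags(f["flags"]):
        tags.append("Illegal_TCP_Flag_Combination")
    if proto in ("tcp", "udp") and 0 in (f["src_port"], f["dst_port"]):
        tags.append("TCP_UDP_Port_0")
    if f["dst_packets"] == 0:                          # nothing came back: unidirectional
        if proto == "tcp":
            tags.append("Unidirectional_TCP_Flows")
        elif proto == "icmp":
            tags.append("Unidirectional_ICMP_Reply" if f["icmp_type"] in ICMP_REPLY_TYPES
                        else "Unidirectional_ICMP_Flows")
        else:
            tags.append("Unidirectional_UDP_And_Misc_Flows")
    elif f["payload_bytes"] <= ZERO_PAYLOAD_MAX_BYTES:
        tags.append("Zero_Payload_Bidirectional_Flows")
    if f["external"] and f["duration_s"] > LONG_DURATION_S:
        tags.append("Long_Duration_Flow")
    if (proto == "udp" and 53 in (f["src_port"], f["dst_port"])
            and f["max_packet_bytes"] > LARGE_PACKET_BYTES):
        tags.append("Large_DNS_Packets")
    if proto == "icmp" and f["max_packet_bytes"] > LARGE_PACKET_BYTES:
        tags.append("Large_ICMP_Packets")
    return tags


# Constructed sample flows, keyed by what each one is meant to exercise.
SAMPLE_FLOWS = {
    "syn_fin_probe": flow(flags=SYN | FIN, dst_packets=0),
    "port0_dns": flow(proto="udp", src_port=0, dst_port=53, max_packet_bytes=1400),
    "unreachable_sweep": flow(proto="icmp", icmp_type=3, dst_packets=0),
    "syn_then_reset": flow(flags=SYN, payload_bytes=0),
    "two_day_session": flow(duration_s=50 * 3600, payload_bytes=900_000),
    "big_ping": flow(proto="icmp", icmp_type=8, max_packet_bytes=1500),
    "ordinary_web": flow(),
}
```

A flow can match several objects at once (the SYN+FIN probe is both an illegal flag combination and a unidirectional TCP flow), which is why the function returns a list rather than a single verdict; the sentries built on these objects then apply their own "minimum number of times" counters before an event generates.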


Group: Remote_Access_Violation
Objects: This group includes:
Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

Group: Suspicious_IRC
Objects: Detects suspicious IRC activity.
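The Remote_Access_Violation objects, and the Hidden FTP Server and SSH or Telnet on Non-Standard Ports sentries in Table 16-1, all rest on one comparison: the application type identified from the payload against the port the server was reached on, plus the direction of the connection relative to the local network. The following added example (not STRM's code) performs that comparison over constructed flow records. It assumes a record with `src`, `dst`, `dst_port` and `app` fields, takes 10.0.0.0/8 and 192.168.0.0/16 as the local network, uses the default ports the guide states (FTP 21, SSH 22, Telnet 23), and adds an `approved` set as a tuning hook for servers that are meant to be reachable with RDP or VNC from the Internet.

```python
import ipaddress

# Assumption: the local network definition; STRM takes this from your network hierarchy.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Common server ports per application, as the guide states them (FTP 21, SSH 22, Telnet 23).
COMMON_PORTS = {"ftp": {21}, "ssh": {22}, "telnet": {23}}

# Tuning hook (assumption): hosts that are legitimately reachable from the Internet with RDP/VNC.
APPROVED_REMOTE_ACCESS_TARGETS = set()


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def remote_access_violations(f, approved=APPROVED_REMOTE_ACCESS_TARGETS):
    """Return the Remote_Access_Violation object names that match one flow record.
    `app` is the application type identified from the payload, independent of the port."""
    tags = []
    app, port = f["app"], f["dst_port"]
    src_local, dst_local = is_local(f["src"]), is_local(f["dst"])
    if app in ("ssh", "telnet") and port not in COMMON_PORTS[app]:
        tags.append("Hidden_Telnet_SSH")
    if app == "ftp" and dst_local and port not in COMMON_PORTS["ftp"]:
        tags.append("Hidden_FTP")
    if not src_local and dst_local and f["dst"] not in approved:
        if app == "rdp":
            tags.append("Remote_Desktop_Access_From_Internet")
        elif app == "vnc":
            tags.append("VNC_Activity_From_Internet")
    return tags


# Constructed sample flows.
SAMPLE_FLOWS = [
    {"src": "198.51.100.4", "dst": "10.0.0.5", "dst_port": 2222, "app": "ssh"},   # SSH on an odd port
    {"src": "10.0.0.9", "dst": "10.0.0.6", "dst_port": 8021, "app": "ftp"},       # FTP on an odd port
    {"src": "198.51.100.4", "dst": "10.0.0.7", "dst_port": 3389, "app": "rdp"},   # RDP from the Internet
    {"src": "10.0.0.9", "dst": "10.0.0.7", "dst_port": 3389, "app": "rdp"},       # RDP inside the network
    {"src": "10.0.0.9", "dst": "10.0.0.5", "dst_port": 22, "app": "ssh"},         # SSH on its usual port
    {"src": "203.0.113.8", "dst": "10.0.0.8", "dst_port": 5900, "app": "vnc"},    # VNC from the Internet
]


def scan(flows, approved=APPROVED_REMOTE_ACCESS_TARGETS):
    """Return {(src, dst, dst_port): [object names]} for every flow that matched."""
    hits = {}
    for f in flows:
        tags = remote_access_violations(f, approved)
        if tags:
            hits[(f["src"], f["dst"], f["dst_port"])] = tags
    return hits
```

The internal RDP session and the SSH connection on port 22 produce no hits; passing `approved={"10.0.0.7", "10.0.0.8"}` to `scan` silences the two Internet-sourced remote-access hits, which is the tuning the guide suggests (delete or adjust the view) when such access is sanctioned.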

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events, including:
Table 16-4 Custom Views - AttackerTargetAnalysis

Group: AttackResponseAnalysis
Objects: This group includes:
Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood that the attacker was successful.


Group: PeripheralCommsAnalysis
Objects: This group includes:
Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that generated this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This may indicate that the attacker has successfully forced the target to communicate with the attacker, bypassing firewall rules.
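Table 16-4 describes a correlation between one security event and the flows seen between the same two hosts: the flow that carried the event tells you whether the target answered, and flows before and after it tell you whether the pair already talked, kept talking, or whether the target started calling back. The following added example (not STRM's analysis engine) reproduces that correlation over a constructed event and constructed flow records. It assumes flow records with `src`, `dst`, `dst_port`, `start`, `end` and `dst_packets` fields, an event with `time`, `attacker`, `target` and `dst_port`, and a 10-minute window (an assumption) for what counts as peripheral traffic.

```python
# Constructed security event: a device reported an attack from `attacker` on
# `target`'s port 445 at t=1000 (seconds on any monotonic clock).
EVENT = {"time": 1000, "attacker": "198.51.100.7", "target": "10.0.0.20", "dst_port": 445}

# Constructed flow records around that event. `dst_packets` counts packets sent
# back by the flow's destination; 0 means the destination never answered.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.20", "dst_port": 445,
     "start": 999, "end": 1002, "dst_packets": 3},      # the flow that carried the event
    {"src": "198.51.100.7", "dst": "10.0.0.20", "dst_port": 139,
     "start": 700, "end": 720, "dst_packets": 2},       # earlier contact between the pair
    {"src": "10.0.0.20", "dst": "198.51.100.7", "dst_port": 4444,
     "start": 1010, "end": 1500, "dst_packets": 50},    # target calling back afterwards
    {"src": "10.0.0.31", "dst": "198.51.100.7", "dst_port": 80,
     "start": 990, "end": 995, "dst_packets": 4},       # another host: not this pair
]

WINDOW_S = 600   # assumption: how far before/after the event peripheral traffic is correlated


def carried_event(f, event):
    """The flow most likely to have carried the reported attack: attacker -> target,
    on the reported port, overlapping the event time."""
    return (f["src"] == event["attacker"] and f["dst"] == event["target"]
            and f["dst_port"] == event["dst_port"]
            and f["start"] <= event["time"] <= f["end"])


def analyze_event(event, flows, window_s=WINDOW_S):
    """Return, as a sorted list, the AttackResponseAnalysis and
    PeripheralCommsAnalysis objects that the flows around `event` support."""
    attacker, target, t0 = event["attacker"], event["target"], event["time"]
    tags = set()
    for f in flows:
        if {f["src"], f["dst"]} != {attacker, target}:
            continue                                   # not between this pair
        if carried_event(f, event):
            tags.add("Target_Responded" if f["dst_packets"] > 0 else "Target_Did_Not_Respond")
            continue
        if t0 - window_s <= f["end"] < t0:
            tags.add("Activity_Before_Event")
        if t0 < f["start"] <= t0 + window_s:
            tags.add("Activity_After_Event")
        if f["src"] == target and abs(f["start"] - t0) <= window_s:
            tags.add("Target_Initiating_Comms_To_Attacker")
    return sorted(tags)
```

For the constructed data, `analyze_event(EVENT, FLOWS)` yields all four of Target_Responded, Activity_Before_Event, Activity_After_Event and Target_Initiating_Comms_To_Attacker; the unrelated host on port 80 is excluded because the pair test fails. Reading the result the way the table does: the target answered and then opened a connection back to the attacker on a high port, which is the combination the guide flags as a likely successful attack unless the reporting device is known to be noisy.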

Target Analysis Group

Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays, including:
Table 16-5 Custom Views - TargetAnalysis

Group: BotNetAnalysis
Objects: BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC bot on the target, requesting the target to connect to an IRC channel controlled by the attacker and wait for further instructions. Large numbers of such exploited machines form a botnet and can be used by the attacker to coordinate large scale Distributed Denial of Service (DDoS) attacks.

Group: MalwareAnalysis
Objects: Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is seen in the presence of security events aimed at this host, so it is possible the attacker has infected the target with a worm, or other hostile malware, which is attempting to spread from this host.


Group: PeripheralCommsAnalysis
Objects: This group includes:
Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently, stopped the service running on this host.
Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given that this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given that this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including:
Table 16-6 Custom Views - PolicyViolations

Group: Mail_Policy_Violation
Objects: This group includes:
Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to exclude network mail servers.
Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host, which is inadvertently running a spam relay. We recommend updating this equation to exclude network mail servers.


Group: IRC_IM_Policy_Violation
Objects: This group includes:
IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.

Group: Remote_Access_Policy_Violation
Objects: This group includes:
Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Any of the following access technologies are detected: Citrix, PCAnywhere, SSH, Telnet, or VNC.

Group: P2P_Policy_Violation
Objects: This group includes:
Local_P2P_Server - Detects flows indicating a P2P server is operating on the local network. This can be in violation of local network policy.
Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.

Group: Application_Policy_Violation
Objects: This group includes:
NNTP_to_Internet - Detects flows indicating an NNTP news client is operating on the local network. This may be in violation of local network policy.
Unknown_Local_Service - Detects an active service on a local host.

Group: Compliance_Policy_Violations
Objects: This group includes:
Clear_Text_Application_Usage - Detects flows where the application types use clear text passwords. Applications covered by this view include Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group

STRM detects ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.


ASN Destination Group

STRM detects ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group

STRM detects IFIndex values from network flows. When STRM detects an inbound IFIndex value in a flow, STRM creates a new object in the IFIndexIn group.

IFIndexOut Group

STRM detects IFIndex values from network flows. When STRM detects an outbound IFIndex value in a flow, STRM creates a new object in the IFIndexOut group.

QoS Group

Default QoS groups include:
Table 16-7 Custom Views - QoS View

NetworkControl - Specifies QoS values related to link layer and routing protocols.
IPRoutingControl - Specifies QoS values used by IP routing protocols.
Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4 - Specifies values related to Class 4 traffic.
Class 3 - Specifies values related to Class 3 traffic.
Class 2 - Specifies values related to Class 2 traffic.
Class 1 - Specifies values related to Class 1 traffic.
Best Effort - Specifies traffic related to best effort QoS traffic. Best effort service does not guarantee delivery.

Flow Shape Group

Default Flow Shape groups include:

Table 16-8 Custom Views - Flow Shape View

Flow Shape Group - Group Objects
Inbound_Only - Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only - Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.
Mostly_Inbound - Specifies traffic flows that send 5 times more data into the network than is received.
Mostly_Outbound - Specifies traffic flows that send 5 times more bytes out of the network than are received.
NearSame_Internet - Specifies traffic to and from hosts on the Internet that have around the same number of bytes sent and received.
Local_Unidirectional - Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias - Specifies internal traffic in which the source transfers 5 times more bytes than the destination.
Local_DST_Bias - Specifies internal traffic in which the destination transfers 5 times more bytes than the source.
NearSame_Internal - Specifies internal traffic with a balance of source and destination bytes.
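The Flow Shape view above buckets flows by direction and by the 5x byte ratio. The following classifier, added here as an illustration and not STRM code, applies those same rules to flow records. The local address ranges, the Flow record layout, the function names, the inclusive reading of "5 times more" (treated as at least 5x), and the sample flows (documentation addresses) are all assumptions made for this example; the nine object names and the ratio come from Table 16-8.

```python
"""Flow-shape classification modelled on the Flow Shape view (Table 16-8).

Added example; not STRM code. The 5x byte ratio and the local/Internet
split come from the table; the local address ranges, record layout,
function names and sample flows are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumption: these ranges stand in for "the local network".
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Table 16-8 says "5 times more bytes" one way than the other. Treated here as
# an inclusive ratio (>= 5x); the table does not say whether it is strict.
BIAS_RATIO = 5


@dataclass(frozen=True)
class Flow:
    src: str        # flow source address
    dst: str        # flow destination address
    src_bytes: int  # bytes sent by src towards dst
    dst_bytes: int  # bytes sent by dst back to src


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(flow: Flow) -> str:
    """Map one flow to the Flow Shape object it belongs to."""
    src_local, dst_local = is_local(flow.src), is_local(flow.dst)
    fwd, rev = flow.src_bytes, flow.dst_bytes

    if src_local and dst_local:
        # Internal flows are judged by source bytes versus destination bytes
        if fwd == 0 or rev == 0:
            return "Local_Unidirectional"
        if fwd >= BIAS_RATIO * rev:
            return "Local_SRC_Bias"
        if rev >= BIAS_RATIO * fwd:
            return "Local_DST_Bias"
        return "NearSame_Internal"

    if not src_local and not dst_local:
        return "Unclassified"  # neither side is local: outside the view's scope

    # Exactly one side is local: re-orient bytes as into / out of the local network
    if src_local:
        out_bytes, in_bytes = fwd, rev
        if in_bytes == 0:
            return "Outbound_Only"  # the remote host never answered
    else:
        out_bytes, in_bytes = rev, fwd
        if out_bytes == 0:
            return "Inbound_Only"   # the local host never answered
    if in_bytes >= BIAS_RATIO * out_bytes:
        return "Mostly_Inbound"
    if out_bytes >= BIAS_RATIO * in_bytes:
        return "Mostly_Outbound"
    return "NearSame_Internet"


def shape_counts(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per Flow Shape object, the way a view would bucket them."""
    return dict(Counter(classify(f) for f in flows))


def sample_flows() -> List[Flow]:
    """Constructed flows, one per shape plus one that is out of scope."""
    return [
        Flow("203.0.113.5", "10.0.0.8", 1200, 0),          # Inbound_Only
        Flow("10.0.0.8", "198.51.100.7", 800, 0),          # Outbound_Only
        Flow("10.0.0.8", "198.51.100.7", 2000, 40000),     # Mostly_Inbound (download)
        Flow("10.0.0.8", "198.51.100.7", 60000, 3000),     # Mostly_Outbound (upload)
        Flow("198.51.100.7", "10.0.0.8", 5000, 4500),      # NearSame_Internet
        Flow("10.0.0.8", "192.168.1.9", 700, 0),           # Local_Unidirectional
        Flow("10.0.0.8", "192.168.1.9", 50000, 1000),      # Local_SRC_Bias
        Flow("10.0.0.8", "192.168.1.9", 1000, 50000),      # Local_DST_Bias
        Flow("10.0.0.8", "192.168.1.9", 1000, 1200),       # NearSame_Internal
        Flow("203.0.113.5", "198.51.100.7", 10, 10),       # Unclassified
    ]


if __name__ == "__main__":
    for flow in sample_flows():
        print(f"{flow.src} -> {flow.dst}: {classify(flow)}")
```

The zero-byte checks come first so that a one-sided flow is never divided or compared as a ratio, which is the edge case the Inbound_Only, Outbound_Only and Local_Unidirectional objects exist for.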

Default Rules

Default rules for the Enterprise template include:

Table 16-9 Default Rules

Rule: Default-Response-E-mail: Offense E-mail Sender
Group: Response. Rule Type: Offense. Enabled: False.
Description: Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Rule: Default-Response-Syslog: Offense SYSLOG Sender
Group: Response. Rule Type: Offense. Enabled: False.
Description: Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Rule: Default-Rule-Anomaly: Devices with High Event Rates
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices are monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.

Rule: Default-Rule-Anomaly: DMZ Jumping
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports when connections are bridged across your network's Demilitarized Zone (DMZ).

Rule: Default-Rule-Anomaly: DMZ Reverse Tunnel
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports when connections are bridged across your network's DMZ through a reverse tunnel.

Rule: Default-Rule-Anomaly: Excessive Database Connections
Group: Anomaly. Rule Type: Event. Enabled: True.
Description: Reports an excessive number of successful database connections.

Rule: Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Rule: Default-Rule-Anomaly: Excessive Firewall Denies from Single Source
Group: Anomaly. Rule Type: Event. Enabled: True.
Description: Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.

Rule: Default-Rule-Anomaly: Long Duration Flow
Group: Anomaly. Rule Type: Event. Enabled: True.
Description: Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Rule: Default-Rule-Anomaly: Potential Honeypot Access
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Rule: Default-Rule-Anomaly: Rate Analysis Marked Events
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.

Rule: Default-Rule-Anomaly: Remote Access from Foreign Country
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.

Rule: Default-Rule-Anomaly: Single IP with Multiple MAC Addresses
Group: Anomaly. Rule Type: Event. Enabled: False.
Description: Reports when the MAC address of a single IP address changes multiple times over a period of time.

Rule: Default-Rule-Authentication: Login Failure to Disabled Account
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Rule: Default-Rule-Authentication: Login Failure to Expired Account
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.

Rule: Default-Rule-Authentication: Login Failures Across Multiple Hosts
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.

Rule: Default-Rule-Authentication: Login Failures Followed By Success
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports multiple login failures to a single host, followed by a successful login to the host.

Rule: Default-Rule-Authentication: Login Successful After Scan Attempt
Group: Authentication, Compliance. Rule Type: Event. Enabled: True.
Description: Reports a successful login to a host after reconnaissance has been performed against this network.

Rule: Default-Rule-Authentication: Multiple VoIP Login Failures
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports multiple login failures to a VoIP PBX.

Rule: Default-Rule-Authentication: Repeated Login Failures, Single Host
Group: Authentication. Rule Type: Event. Enabled: True.
Description: Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.

Rule: Default-Rule-Botnet: Potential Botnet Connection (DNS)
Group: Botnet, Exploit. Rule Type: Event. Enabled: False.
Description: Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Rule: Default-Rule-Botnet: Potential Botnet Connection (IRC)
Group: Botnet. Rule Type: Event. Enabled: True.
Description: Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.

Rule: Default-Rule-Botnet: Potential Botnet Events Become Offenses
Group: Botnet. Rule Type: Event. Enabled: True.
Description: Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.

Rule: Default-Rule-Compliance: Compliance Events Become Offenses
Group: Compliance. Rule Type: Event. Enabled: False.
Description: Reports compliance-based events, such as clear text passwords.

Rule: Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
Group: Compliance. Rule Type: Event. Enabled: False.
Description: Reports excessive authentication failures to a compliance server within 10 minutes.

Rule: Default-Rule-Database: Attempted Configuration Modification by a remote host
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when a configuration modification is attempted to a database server from a remote network.

Rule: Default-Rule-Database: Concurrent Logins from Multiple Locations
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when several authentications to a database server occur across many remote IP addresses.

Rule: Default-Rule-Database: Failures Followed by User Changes
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when there are failures followed by the addition or change of a user account.

Rule: Default-Rule-Database: Groups changed from Remote Host
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Monitors changes to groups on a database when the change is initiated from a remote network.

Rule: Default-Rule-Database: Multiple Database Failures Followed by Success
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when there are multiple database failures followed by a success within a short period of time.

Rule: Default-Rule-Database: Remote Login Failure
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Increases the severity of a failed login attempt to a database from a remote network.

Rule: Default-Rule-Database: Remote Login Success
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when a successful authentication occurs to a database server from a remote network.

Rule: Default-Rule-Database: User Rights Changed from Remote Host
Group: Compliance, Database. Rule Type: Event. Enabled: True.
Description: Reports when changes to user privileges occur on a database from a remote network.

Rule: Default-Rule-DDoS: Attack Detected
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: Reports network Distributed Denial of Service (DDoS) attacks on a system.

Rule: Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: Reports when offenses are created for DoS-based events with high magnitude.

Rule: Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Rule: Default-Rule-DoS: DoS Events from Darknet
Group: D/DoS. Rule Type: Event. Enabled: False.
Description: Reports when DoS attack events are identified on Darknet network ranges.

Rule: Default-Rule-DoS: DoS Events with High Magnitude Become Offenses
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: Rule forces the creation of an offense for DoS-based events with a high magnitude.

Rule: Default-Rule-DoS: Increase Magnitude of High Rate Attacks
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.

Rule: Default-Rule-DoS: Network DoS Attack Detected
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: Reports network Denial of Service (DoS) attacks on a system.

Rule: Default-Rule-DoS: Service DoS Attack Detected
Group: D/DoS. Rule Type: Event. Enabled: True.
Description: Reports a DoS attack against a local target that is known to exist and whose target port is open.

Rule: Default-Rule-Exploit: All Exploits Become Offenses
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Rule: Default-Rule-Exploit: Attack followed by Attack Response
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.

Rule: Default-Rule-Exploit: Attacker Vulnerable to any Exploit
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.

Rule: Default-Rule-Exploit: Attacker Vulnerable to this Exploit
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.

Rule: Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Rule: Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Rule: Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Rule forces the creation of offenses for exploit-based events with a high magnitude.

Rule: Default-Rule-Exploit: Exploits Followed by Firewall Accepts
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.

Rule: Default-Rule-Exploit: Multiple Exploit Types Against Single Target
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Reports a target that is being exploited using multiple types of attacks from one or more attackers.

Rule: Default-Rule-Exploit: Multiple Vector Attacker
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.

Rule: Default-Rule-Exploit: Potential VoIP Toll Fraud
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This activity could indicate that illegal users are executing VoIP sessions on your network.

Rule: Default-Rule-Exploit: Recon followed by Exploit
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.

Rule: Default-Rule-Exploit: Target Vulnerable to Detected Exploit
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.

Rule: Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port
Group: Exploit. Rule Type: Event. Enabled: True.
Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.

Rule: Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port
Group: Exploit. Rule Type: Event. Enabled: False.
Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack but not the one being attempted.

Rule: Default-Rule-False Positive: False Positive Rules and Building Blocks
Group: False Positive. Rule Type: Event. Enabled: True.
Description: Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but also dropped. If you add any new building blocks or rules to prevent events from becoming offenses, you must add those new rules or building blocks to this rule.

Rule: Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses
Group: Malware. Rule Type: Event. Enabled: False.
Description: Enable this rule if you want all events categorized as backdoor, viruses, and trojans to create an offense.

Rule: Default-Rule-Malware: Treat Key Loggers as Offenses
Group: Malware. Rule Type: Event. Enabled: False.
Description: Enable this rule if you want all events categorized as key loggers to create offenses.

Rule: Default-Rule-Malware: Treat Non-Spyware Malware as Offenses
Group: Malware. Rule Type: Event. Enabled: False.
Description: Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.

Rule: Default-Rule-Malware: Treat Spyware and Virus as Offenses
Group: Malware. Rule Type: Event. Enabled: False.
Description: Reports spyware and/or a virus on events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Rule: Default-Rule-Malware: Local Host Sending Malware
Group: Malware, Policy. Rule Type: Event. Enabled: False.
Description: Reports malware being sent from local hosts.

Rule: Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.

Rule: Default-Rule-Policy: Create Offenses for All P2P Usage
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports P2P traffic or any event categorized as P2P.

Rule: Default-Rule-Policy: Create Offenses for All Policy Events
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.

Rule: Default-Rule-Policy: Create Offenses for All Porn Usage
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.

Rule: Default-Rule-Policy: Host has SANS Top 20 Vulnerability
Group: Policy. Rule Type: Event. Enabled: False.
Description: Rule acts as a warning that the asset identified by an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).

Rule: Default-Rule-Policy: Local P2P Server Detected
Group: Policy. Rule Type: Event. Enabled: True.
Description: Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.

Rule: Default-Rule-Policy: New Host Discovered
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports when a new host has been discovered on the network.

Rule: Default-Rule-Policy: New Host Discovered in DMZ
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports when a new host has been discovered in the DMZ.

Rule: Default-Rule-Policy: New Service Discovered
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports when an existing host has a newly discovered service.

Rule: Default-Rule-Policy: New Service Discovered in DMZ
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports when an existing host has a newly discovered service in the DMZ.

Rule: Default-Rule-Policy: Potential Tunneling
Group: Policy. Rule Type: Event. Enabled: False.
Description: Rule identifies potential tunneling that can be used to bypass policy or security controls.

Rule: Default-Rule-Policy: Upload to Local WebServer
Group: Policy. Rule Type: Event. Enabled: False.
Description: Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.

Rule: Default-Rule-Recon: Aggressive Local Scanner Detected
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. More than 400 targets received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.

Rule: Default-Rule-Recon: Aggressive Remote Scanner Detected
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.

Rule: Default-Rule-Recon: Excessive Firewall Denies From Local Hosts
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports excessive attempts from local hosts to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Rule: Default-Rule-Recon: Excessive Firewall Denies From Remote Hosts
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports excessive attempts from remote hosts to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Rule: Default-Rule-Recon: Host Port Scan Detected by Local Host
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a single source IP address scanning more than 50 ports in under 3 minutes.

Rule: Default-Rule-Recon: Host Port Scan Detected by Remote Host
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports when more than 400 ports were scanned from a single source IP address in under 2 minutes.

Rule: Default-Rule-Recon: Increase Magnitude of High Rate Scans
Group: Recon. Rule Type: Event. Enabled: True.
Description: If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Rule: Default-Rule-Recon: Increase Magnitude of Medium Rate Scans
Group: Recon. Rule Type: Event. Enabled: True.
Description: If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Rule: Default-Rule-Recon: Local LDAP Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Database Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Rule: Default-Rule-Recon: Local DHCP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local DNS Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local FTP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Game Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local ICMP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local IM Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local IRC Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Mail Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local P2P Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Proxy Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local RPC Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Scanner Detected
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.

Rule: Default-Rule-Recon: Local SNMP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local SSH Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Suspicious Probe Events Detected
Group: Recon. Rule Type: Event. Enabled: False.
Description: Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.

Rule: Default-Rule-Recon: Local TCP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local UDP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Web Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Windows Server Scanner to Internet
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local Windows Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports on events that are detected by the system when the attack context is Local-to-Local (L2L).

Rule: Default-Rule-Recon: Recon Followed by Accept
Group: Recon. Rule Type: Event. Enabled: False.
Description: Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.

Rule: Default-Rule-Recon: Remote Database Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Rule: Default-Rule-Recon: Remote DHCP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote DNS Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote FTP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Game Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote ICMP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local IM Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Local IRC Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote LDAP Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Rule: Default-Rule-Recon: Remote Mail Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote P2P Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Proxy Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote RPC Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Scanner Detected
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.

Rule: Default-Rule-Recon: Remote SNMP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.

Rule: Default-Rule-Recon: Remote SSH Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Suspicious Probe Events Detected
Group: Recon. Rule Type: Event. Enabled: False.
Description: Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating system of the targets.

Rule: Default-Rule-Recon: Remote TCP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote UDP Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Web Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Remote Windows Server Scanner
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.

Rule: Default-Rule-Recon: Single Merged Recon Events
Group: Recon. Rule Type: Event. Enabled: True.
Description: Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.

STRM Administration Guide

Default Rules

297

Table 16-9 Default Rules (continued)

Rule: Default-Rule-Suspicious Activity: Common Non-Local to Remote Ports
Group: (not shown on page)
Rule Type: Event
Enabled: False
Description: Rule identifies events that have common internal-only ports communicating outside of the local network.

Rule: Default-Rule-Suspicious Activity: Communication with Known Hostile Networks
Group: Anomaly
Rule Type: Event
Enabled: False
Description: Reports events that are involved with known hostile networks.

Rule: Default-Rule-Suspicious Activity: Communication with Known Online Services
Group: Anomaly
Rule Type: Event
Enabled: False
Description: Reports events that are involved with networks identified as possible sites that may involve data loss.

Rule: Default-Rule-Suspicious Activity: Communication with Known Watched Networks
Group: Anomaly
Rule Type: Event
Enabled: False
Description: Reports events that are involved with networks that are defined as networks you want to monitor.

Rule: Default-Rule-Suspicious Activity: Consumer Grade Equipment
Group: Compliance
Rule Type: Event
Enabled: False
Description: Reports assets that appear to be consumer grade equipment.

Rule: Default-Rule-SystemNotification
Group: System
Rule Type: Event
Enabled: True
Description: Rule ensures that notification events shall be sent to the notification framework.

Rule: Default-Rule-System: 100% Accurate Events
Group: (not shown on page)
Rule Type: Event
Enabled: True
Description: Creates an offense when an event matches a 100% accurate signature for successful compromises.

Rule: Default-Rule-System: Critical System Events
Group: System
Rule Type: Event
Enabled: False
Description: Reports when STRM detects a critical event.

Rule: Default-Rule-System: Device Stopped Sending Events
Group: System
Rule Type: Event
Enabled: False
Description: Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor.

Rule: Default-Rule-System: Host Based Failures
Group: System
Rule Type: Event
Enabled: False
Description: Reports when STRM detects events that indicate failures within services or hardware.

Rule: Default-Rule-System: Load Building Blocks
Group: System
Rule Type: Event
Enabled: True
Description: Loads BBs that need to be run to assist with reporting. This rule has no actions or responses.

Rule: Default-Rule-Recon: Multiple System Errors
Group: System
Rule Type: Event
Enabled: False
Description: Reports when a source has 10 system errors within 3 minutes.

Rule: Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner
Group: Compliance
Rule Type: Event
Enabled: False
Description: Reports when a vulnerability is discovered on a local host.

Rule: Default-Rule-Worms Detection: Local Mass Mailing Host Detected
Group: Worm
Rule Type: Event
Enabled: True
Description: Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm.


Table 16-9 Default Rules (continued)

Rule: Default-Rule-Worms Detection: Possible Local Worm Detected
Group: Worm
Rule Type: Event
Enabled: True
Description: Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan.

Rule: Default-Rule-Worms Detection: Worm Detected (Events)
Group: Worm
Rule Type: Event
Enabled: True
Description: Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic.

Default Building Blocks

Default building blocks for the Enterprise template include:

Table 16-10 Default Building Blocks

Building Block: Default-BB-Behavior Definition: Compromise Activities
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include categories that are considered part of events detected during a typical compromise.

Building Block: Default-BB-Behavior Definition: Post Compromise Activities
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include categories that are considered part of events detected after a typical compromise.

Building Block: Default-BB-Category Definitions: Access Denied
Group: Category Definition
Block Type: Event
Description: Edit this BB to include all event categories that indicate access denied.

Building Block: Default-BB-Category Definition: Authentication Failures
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all events that indicate an unsuccessful attempt to access the network.

Building Block: Default-BB-Category Definition: Authentication Success
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all events that indicate successful attempts to access the network.

Building Block: Default-BB-Category Definition: Authentication to Disabled Account
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all events that indicate failed attempts to access the network using a disabled account.

Building Block: Default-BB-Category Definition: Authentication to Expired Account
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all events that indicate failed attempts to access the network using an expired account.

Building Block: Default-BB-Category Definition: Authentication User or Group Added or Changed
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this building block to include all events that indicate modification to accounts or groups.


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Category Definition: Countries with no Remote Access
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule.

Building Block: Default-BB-Category Definitions: Database Access Denied
Group: Category Definition
Block Type: Event
Description: Edit this BB to include all events that indicate denied access to the database.

Building Block: Default-BB-Category Definitions: Database Access Permitted
Group: Category Definition
Block Type: Event
Description: Edit this BB to include all events that indicate permitted access to the database.

Building Block: Default-BB-Category Definition: Database Connections
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define successful logins to databases. You may need to add additional device types for this BB.

Building Block: Default-BB-Category Definition: DDoS Attack
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all event categories that you want to categorize as a DDoS attack.

Building Block: Default-BB-Category Definition: Exploits, Backdoors, and Trojans
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that are typically exploits, backdoors, or trojans.

Building Block: Default-BB-Category Definition: Failure Service or Hardware
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all events that indicate a failure within a service or hardware.

Building Block: Default-BB-Category Definition: Firewall or ACL Accept
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate access to the firewall.

Building Block: Default-BB-Category Definition: Firewall or ACL Denies
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate unsuccessful attempts to access the firewall.

Building Block: Default-BB-Category Definition: Firewall System Errors
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices:
• CheckPoint
• Generic Firewall
• Iptables
• NetScreen Firewall
• Cisco Pix


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Category Definition: Flow Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine.

Building Block: Default-BB-Category Definition: High Magnitude Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to set the severity, credibility, and relevance levels at which you want to generate an event. The defaults are:
• Severity = 6
• Credibility = 7
• Relevance = 7

Building Block: Default-BB-Category Definitions: KeyLoggers
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that are typically exploits, backdoors, or trojans.

Building Block: Default-BB-Category Definition: Mail Policy Violation
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to define mail policy violations.

Building Block: Default-BB-Category Definition: Malware Annoyances
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include event categories that are typically associated with spyware infections.

Building Block: Default-BB-Category Definition: Network DoS Attack
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all event categories that you want to categorize as a network DoS attack.

Building Block: Default-BB-Category Definition: Policy Events
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all event categories that may indicate a violation of network policy.

Building Block: Default-BB-Category Definition: Post DMZ Jump
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define actions that may be seen within a Remote-to-Local (R2L) and a DMZ host jumping scenario.

Building Block: Default-BB-Category Definition: Post Exploit Account Activity
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all event categories that may indicate exploits to accounts.

Building Block: Default-BB-Category Definition: Pre DMZ Jump
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define actions that may be seen within a Local-to-Local (L2L) and a DMZ host jumping scenario.

Building Block: Default-BB-Category Definition: Pre Reverse DMZ Jump
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define actions that may be seen within a Pre DMZ jump followed by a reverse DMZ jump.


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Category Definition: Rate Analysis Marked Events
Group: Category Definitions
Block Type: Event
Description: STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis.

Building Block: Default-BB-Category Definition: Recon Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate reconnaissance activity.

Building Block: Default-BB-Category Definition: Reverse DMZ Jump
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define actions that may be seen within a Remote-to-Local (R2L) and a DMZ host reverse jumping scenario.

Building Block: Default-BB-Category Definition: Service DoS
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define Denial of Service (DoS) attack events.

Building Block: Default-BB-Category Definitions: Session Closed
Group: Category Definition, Malware
Block Type: Event
Description: Edit this BB to define all session closed events.

Building Block: Default-BB-Category Definitions: Session Opened
Group: Category Definition, Malware
Block Type: Event
Description: Edit this BB to define all session opened events.

Building Block: Default-BB-Category Definition: Suspicious Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate suspicious activity.

Building Block: Default-BB-Category Definition: System Configuration
Group: Category Definitions, Malware
Block Type: Event
Description: Edit this BB to define system configuration events.

Building Block: Default-BB-Category Definitions: System Errors and Failures
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define system errors and failures.

Building Block: Default-BB-Category Definition: Upload to Local WebServer
Group: Category Definitions
Block Type: Event
Description: Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods or for local hosts using the method connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule.


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Category Definitions: Virus Detected
Group: Category Definition, Malware
Block Type: Event
Description: Edit this BB to define all virus detection events.

Building Block: Default-BB-Category Definition: VoIP Authentication Failure Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate a VoIP login failure.

Building Block: Default-BB-Category Definition: VoIP Session Opened
Group: Category Definitions
Block Type: Event
Description: Edit this BB to include all events that indicate the start of a VoIP session.

Building Block: Default-BB-Category Definitions: VPN Access Denied
Group: Category Definition
Block Type: Event
Description: Edit this BB to include all events that are considered Denied Access events.

Building Block: Default-BB-Category Definitions: VPN Access Accepted
Group: Category Definition
Block Type: Event
Description: Edit this BB to include all events that indicate permitted access.

Building Block: Default-BB-Category Definition: Windows Compliance Events
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include all event categories that indicate compliance events.

Building Block: Default-BB-Category Definition: Worm Events
Group: Category Definitions
Block Type: Event
Description: Edit this BB to define worm events. This BB only applies to events not detected by a custom rule.

Building Block: Default-BB-Compliance Definition: GLBA Servers
Group: Compliance, Host Definitions
Block Type: Event
Description: Edit this BB to include your GLBA IP systems. You must then apply this BB to rules related to failed logins, remote access, etc.

Building Block: Default-BB-Compliance Definition: HIPAA Servers
Group: Compliance, Host Definitions
Block Type: Event
Description: Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc.

Building Block: Default-BB-Compliance Definition: SOX Servers
Group: Compliance, Host Definitions
Block Type: Event
Description: Edit this BB to include your SOX IP servers. You must then apply this BB to rules related to failed logins, remote access, etc.

Building Block: Default-BB-Compliance Definition: PCI DSS Servers
Group: Compliance, Host Definitions, Response
Block Type: Event
Description: Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc.

Building Block: Default-BB-Database: System Action Allow
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include any events that indicate successful actions within a database.

Building Block: Default-BB-Database: System Action Deny
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include any events that indicate unsuccessful actions within a database.

Building Block: Default-BB-Database: User Addition or Change
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to include events that indicate the successful addition or change of user privileges.


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Device Definition: Access/Authentication/Audit
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all access, authentication, and audit devices.

Building Block: Default-BB-Device Definition: AntiVirus
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all antivirus services on the system.

Building Block: Default-BB-Device Definition: Application
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all application and OS devices on the network.

Building Block: Default-BB-Device Definition: Consumer Grade Routers
Group: Device Definitions
Block Type: Event
Description: Edit this BB to include MAC addresses of known consumer grade routers.

Building Block: Default-BB-Device Definition: Consumer Grade Wireless APs
Group: Device Definitions
Block Type: Event
Description: Edit this BB to include MAC addresses of known consumer grade wireless access points.

Building Block: Default-BB-Device Definition: Database
Group: Device Definitions
Block Type: Event
Description: Edit this BB to define all databases on the system.

Building Block: Default-BB-Device Definition: Devices to Monitor for High Event Rates
Group: Device Definitions
Block Type: Event
Description: Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule.

Building Block: Default-BB-Device Definition: FW/Router/Switch
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all firewalls (FW), routers, and switches on the network.

Building Block: Default-BB-Device Definition: IDS/IPS
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all IDS and IPS devices on the network.

Building Block: Default-BB-Device Definition: VPN
Group: Device Definition
Block Type: Event
Description: Edit this BB to include all VPNs on the network.

Building Block: Default-BB-False Negative: Events That Indicate Successful Compromise
Group: False Positive
Block Type: Event
Description: Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy.

Building Block: Default-BB-FalsePositive: All Default False Positive BBs
Group: False Positive
Block Type: Event
Description: Edit this BB to include all false positive building blocks.
Associated Building Blocks: All Default-BB-False Positive building blocks

Building Block: Default-BB-FalsePositive: Broadcast Address False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from the broadcast address space.

Building Block: Default-BB-FalsePositive: Database Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Database Servers


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-FalsePositive: Database Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Database Servers

Building Block: Default-BB-FalsePositive: Device and Specific Event
Group: False Positive
Block Type: Event
Description: Edit this BB to include the devices and QID of devices that continually generate false positives.

Building Block: Default-BB-FalsePositive: DHCP Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: DHCP Servers

Building Block: Default-BB-FalsePositive: DHCP Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: DHCP Servers

Building Block: Default-BB-FalsePositive: DNS Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: DNS Servers

Building Block: Default-BB-FalsePositive: DNS Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: DNS Servers

Building Block: Default-BB-FalsePositive: Firewall Deny False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define firewall deny events that are false positives.

Building Block: Default-BB-FalsePositive: FTP Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: FTP Servers

Building Block: Default-BB-FalsePositive: FTP False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: FTP Servers


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-FalsePositive: Global False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to include any event QIDs that you want to ignore.

Building Block: Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers.

Building Block: Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers.

Building Block: Default-BB-FalsePositive: Large Volume Local FW Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define specific events that can create a large volume of false positives in general rules.

Building Block: Default-BB-FalsePositive: LDAP Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: LDAP Servers

Building Block: Default-BB-FalsePositive: LDAP Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: LDAP Servers

Building Block: Default-BB-FalsePositive: Mail Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Mail Servers

Building Block: Default-BB-FalsePositive: Mail Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Mail Servers

Building Block: Default-BB-FalsePositive: Network Management Servers Recon
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Network Management Servers


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-FalsePositive: Proxy Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Proxy Servers

Building Block: Default-BB-FalsePositive: Proxy Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Proxy Servers

Building Block: Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers.

Building Block: Default-BB-FalsePositive: RPC Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: RPC Servers

Building Block: Default-BB-FalsePositive: RPC Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: RPC Servers

Building Block: Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: SNMP Servers

Building Block: Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: SNMP Servers

Building Block: Default-BB-FalsePositive: Source IP and Specific Event
Group: False Positive
Block Type: Event
Description: Edit this BB to include source IP addresses or specific events that you want to remove.

Building Block: Default-BB-FalsePositive: SSH Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: SSH Servers

Building Block: Default-BB-FalsePositive: SSH Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: SSH Servers

Building Block: Default-BB-FalsePositive: Syslog Sender False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all false positive categories that occur to or from syslog sources.
Associated Building Blocks: Default-BB-HostDefinition: Syslog Servers and Senders


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-FalsePositive: Syslog Sender False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all false positive events that occur to or from syslog sources or destinations.
Associated Building Blocks: Default-BB-HostDefinition: Syslog Servers and Senders

Building Block: Default-BB-FalsePositive: Virus Definition Update Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Virus Definition and Other Update Servers

Building Block: Default-BB-FalsePositive: Web Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Web Servers

Building Block: Default-BB-FalsePositive: Web Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Web Servers

Building Block: Default-BB-FalsePositive: Windows Server False Positive Categories
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Windows Servers

Building Block: Default-BB-FalsePositive: Windows Server False Positive Events
Group: False Positive
Block Type: Event
Description: Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Associated Building Blocks: Default-BB-HostDefinition: Windows Servers

Building Block: Default-BB-HostBased: Critical Events
Group: Category Definitions, Compliance
Block Type: Event
Description: Edit this BB to define event categories that indicate critical events.

Building Block: Default-BB-Host Definition: Database Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical database servers.
Associated Building Blocks: Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Host Definition: DHCP Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical DHCP servers.
Associated Building Blocks: Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events

Building Block: Default-BB-Host Definition: DNS Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical DNS servers.
Associated Building Blocks: Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events

Building Block: Default-BB-Host Definition: FTP Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical FTP servers.
Associated Building Blocks: Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP Server False Positive Events

Building Block: Default-BB-Host Definition: Host with Port Open
Group: Host Definitions
Block Type: Event
Description: Edit this BB to include a host and port that is actively or passively seen.

Building Block: Default-BB-Host Definition: LDAP Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical LDAP servers.
Associated Building Blocks: Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events

Building Block: Default-BB-Host Definition: Mail Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical mail servers.
Associated Building Blocks: Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events

Building Block: Default-BB-Host Definition: Network Management Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical network management servers.

Building Block: Default-BB-Host Definition: Proxy Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical proxy servers.
Associated Building Blocks: Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Host Definition: RPC Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical RPC servers.
Associated Building Blocks: Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events

Building Block: Default-BB-Host Definition: Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define generic servers.

Building Block: Default-BB-Host Definition: SNMP Sender or Receiver
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define SNMP senders or receivers.
Associated Building Blocks: Default-BB-PortDefinition: SNMP Ports

Building Block: Default-BB-Host Definition: SSH Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical SSH servers.
Associated Building Blocks: Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events

Building Block: Default-BB-Host Definition: Syslog Servers and Senders
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical hosts that send or receive syslog traffic.
Associated Building Blocks: Default-BB-FalsePositive: Syslog Server False Positive Categories; Default-BB-FalsePositive: Syslog Server False Positive Events

Building Block: Default-BB-Host Definition: VA Scanner Source IP
Group: Host Definitions
Block Type: Event
Description: Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2.

Building Block: Default-BB-Host Definition: Virus Definition and Other Update Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to include all servers that include virus protection and update functions.

Building Block: Default-BB-Host Definition: VoIP IP PBX Server
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical VoIP IP PBX servers.

Building Block: Default-BB-Host Definition: Web Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical web servers.
Associated Building Blocks: Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events


Table 16-10 Default Building Blocks (continued)

Building Block: Default-BB-Host Definition: Windows Servers
Group: Host Definitions
Block Type: Event
Description: Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers.
Associated Building Blocks: Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events

Building Block: Default-BB-Network Definition: Broadcast Address Space
Group: Network Definition
Block Type: Event
Description: Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages.

Building Block: Default-BB-Network Definition: Client Networks
Group: Network Definition
Block Type: Event
Description: Edit this BB to include all networks that include client hosts.

Building Block: Default-BB-Network Definition: Darknet Addresses
Group: Network Definition
Block Type: Event
Description: Edit this BB to include networks that you want to add to a Darknet list.

Building Block: Default-BB-Network Definition: DLP Addresses
Group: Network Definition
Block Type: Event
Description: Edit this BB to include networks that you want to add to a data loss prevention (DLP) list.

Building Block: Default-BB-Network Definition: DMZ Addresses
Group: Network Definition
Block Type: Event
Description: Edit this BB to include addresses that are included in the DMZ.

Building Block: Default-BB-Network Definition: Honeypot like Addresses
Group: Network Definition
Block Type: Event
Description: Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.

Building Block: Default-BB-Network Definition: Local to Local
Group: Network Definition
Block Type: Event
Description: Edit this BB to include events that are considered Local-to-Local (L2L).

Building Block: Default-BB-Network Definition: Local to Remote
Group: Network Definition
Block Type: Event
Description: Edit this BB to include events that are considered Local-to-Remote (L2R).

Building Block: Default-BB-Network Definition: NAT Address Range
Group: Network Definition
Block Type: Event
Description: Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment.

Default Building Blocks

Building Block: Default-BB-Network Definition: Remote to Local
Group: Network Definition
Block Type: Event
Description: Edit this BB to include events that are considered Remote-to-Local (R2L).

Building Block: Default-BB-Network Definition: Server Networks
Group: Network Definition
Block Type: Event
Description: Edit this BB to include the networks where your servers are located.

Building Block: Default-BB-Network Definition: Undefined IP Space
Group: Network Definition
Block Type: Event
Description: Edit this BB to include areas of your network that do not contain any valid hosts.

Building Block: Default-BB-Network Definition: Watch List Addresses
Group: Network Definition
Block Type: Event
Description: Edit this BB to include networks that should be added to a watch list.

Building Block: Default-BB-Policy: Application Policy Violation Events
Group: Policy
Block Type: Event
Description: Edit this BB to define policy application and violation events.

Building Block: Default-BB-Policy: IRC/IM Policy Connection Violations
Group: Policy
Block Type: Event
Description: Edit this BB to define all policy IRC/IM connection violations.

Building Block: Default-BB-Policy: P2P Policy
Group: Policy
Block Type: Event
Description: Edit this BB to include all events that indicate Peer-to-Peer (P2P) events.

Building Block: Default-BB-Port Definition: Authorized L2R Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include ports that are commonly detected in Local-to-Remote (L2R) traffic.

Building Block: Default-BB-PortDefinition: Database Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common database ports.

Building Block: Default-BB-PortDefinition: DHCP Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common DHCP ports.

Building Block: Default-BB-PortDefinition: DNS Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common DNS ports.

Building Block: Default-BB-PortDefinition: FTP Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common FTP ports.

Building Block: Default-BB-PortDefinition: Game Server Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common game server ports.

Building Block: Default-BB-PortDefinition: IM Ports
Group: Compliance, Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common IM ports.


Building Block: Default-BB-PortDefinition: IRC Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common IRC ports.

Building Block: Default-BB-PortDefinition: LDAP Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by LDAP servers.

Building Block: Default-BB-PortDefinition: Mail Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by mail servers.

Building Block: Default-BB-PortDefinition: P2P Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers.

Building Block: Default-BB-PortDefinition: Proxy Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by proxy servers.

Building Block: Default-BB-PortDefinition: RPC Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by RPC servers.

Building Block: Default-BB-PortDefinition: SNMP Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by SNMP servers.

Building Block: Default-BB-PortDefinition: SSH Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by SSH servers.

Building Block: Default-BB-PortDefinition: Syslog Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by syslog servers.

Building Block: Default-BB-PortDefinition: Unauthorized L2R Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include ports that are not typically detected in Local-to-Remote (L2R) traffic.

Building Block: Default-BB-PortDefinition: Web Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by Web servers.

Building Block: Default-BB-PortDefinition: Windows Ports
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common ports used by Windows servers.

Building Block: Default-BB-Protocol Definition: Windows Protocols
Group: Port/Protocol Definition
Block Type: Event
Description: Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.


Building Block: Default-BB-Recon Detected: All Recon Rules
Group: Recon
Block Type: Event
Description: Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow-on tests can be performed. For example, reconnaissance followed by firewall accept.

Building Block: Default-BB-Recon Detected: Devices That Merge Recon into Single Events
Group: Recon
Block Type: Event
Description: Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.

Building Block: Default-BB-Recon Detected: Host Port Scan
Group: Recon
Block Type: Event
Description: Edit this BB to define reconnaissance scans on hosts in your deployment.

Building Block: Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts
Group: Recon
Block Type: Event
Description: Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets.

Building Block: User-BB-FalsePositive: User Defined False Positives Tunings
Group: User Tuning
Block Type: Event
Description: This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.

Building Block: User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 1

Building Block: User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 1


Building Block: User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 2

Building Block: User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 2

Building Block: User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 3

Building Block: User-BB-FalsePositive: User Defined Server Type 3 False Positive Events
Group: User Tuning
Block Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 3

Building Block: User-BB-Host Definition: User Defined Server Type 1
Group: User Tuning
Block Type: Event
Description: Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 1 False Positive Category or the User-BB-False Positives: User Defined Server Type 1 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositives: User Defined Server Type 1 False Positive Category; User-BB-False Positives: User Defined Server Type 1 False Positive Events


Building Block: User-BB-Host Definition: User Defined Server Type 2
Group: User Tuning
Block Type: Event
Description: Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 2 False Positive Category or the User-BB-False Positives: User Defined Server Type 2 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositives: User Defined Server Type 2 False Positive Category; User-BB-False Positives: User Defined Server Type 2 False Positive Events

Building Block: User-BB-Host Definition: User Defined Server Type 3
Group: User Tuning
Block Type: Event
Description: Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 3 False Positive Category or the User-BB-False Positives: User Defined Server Type 3 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositives: User Defined Server Type 3 False Positive Category; User-BB-False Positives: User Defined Server Type 3 False Positive Events


UNIVERSITY TEMPLATE DEFAULTS

The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries

The default sentries for the University template include:

Table 17-1 Default Sentries

Sentry: Behavior - Flow Count Behavior Change
Description: Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Sentry: Behavior - Host Count Behavior Change
Description: Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Sentry: Behavior - Threat Traffic Packet Rate Behavior Change
Description: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

Sentry: Suspicious - Internal - Inbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Sentry: DoS - External - Distributed DoS Attack (High Number of Hosts)
Description: Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.


Sentry: DoS - External - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - External - Distributed DoS Attack (Medium Number of Hosts)
Description: Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - External - Flood Attack (High)
Description: Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

Sentry: DoS - External - Flood Attack (Medium)
Description: Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

Sentry: DoS - External - Flood Attack (Low)
Description: Detects flood attacks above 500 packets per second. This activity may indicate an attack.

Sentry: DoS - External - Potential ICMP DoS
Description: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

Sentry: DoS - External - Potential TCP DoS
Description: Detects flows that appear to be a TCP DoS attack attempt.

Sentry: DoS - External - Potential UDP DoS
Description: Detects flows that appear to be a UDP DoS attack attempt.

Sentry: DoS - External - Potential Unresponsive Service or Distributed DoS
Description: Detects a low number of hosts sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: Suspicious - Internal - Inbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Sentry: DoS - Internal - Distributed DoS Attack (High Number of Hosts)
Description: Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)
Description: Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offenses interface.

Sentry: DoS - Internal - Flood Attack (High)
Description: Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.


Sentry: DoS - Internal - Flood Attack (Medium)
Description: Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

Sentry: DoS - Internal - Flood Attack (Low)
Description: Detects flood attacks above 500 packets per second. This activity may indicate an attack.

Sentry: DoS - Internal - Potential ICMP DoS
Description: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

Sentry: DoS - Internal - Potential TCP DoS
Description: Detects flows that appear to be a TCP DoS attack attempt.

Sentry: DoS - Internal - Potential UDP DoS
Description: Detects flows that appear to be a UDP DoS attack attempt.

Sentry: DoS - Internal - Potential Unresponsive Service or Distributed DoS
Description: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Sentry: Malware - External - Client Based DNS Activity to the Internet
Description: Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.

Sentry: Malware - External - Communication with BOT Control Channel
Description: Detects that an IP address being communicated with was a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.

Sentry: Policy - External - Clear Text Application Usage
Description: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Sentry: Policy - External - Hidden FTP Server
Description: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Sentry: Policy - Internal - Clear Text Application Usage
Description: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Sentry: Policy - Internal - Hidden FTP Server
Description: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.


Sentry: Policy - External - IM/Chat
Description: Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Sentry: Policy - External - IRC Connections
Description: Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Sentry: Policy - Local P2P Server Detected
Description: Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Sentry: Policy - External - Long Duration Flow Detected
Description: Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the event.

Sentry: Policy - External - P2P Communications Detected
Description: Detects Peer-to-Peer (P2P) communications.

Sentry: Policy - External - Possible Tunneling
Description: Detects possible tunneling, which can indicate a bypass of policy, or an infected system.

Sentry: Policy - External - Remote Desktop Access from the Internet
Description: Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Sentry: Policy - External - SMTP Mail Sender
Description: Detects an internal host sending a large number of SMTP flows from the same source to the Internet, in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Policy - External - SSH or Telnet Detected on Non-Standard Ports
Description: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Sentry: Policy - Internal - SSH or Telnet Detected on Non-Standard Ports
Description: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.


Sentry: Policy - External - Usenet Usage
Description: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Sentry: Policy - External - VNC Access From the Internet to a Local Host
Description: Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.

Sentry: Policy - P2P Policy Threshold
Description: Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.

Sentry: Recon - External - ICMP Scan (High)
Description: Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Sentry: Recon - External - ICMP Scan (Low)
Description: Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - External - ICMP Scan (Medium)
Description: Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Sentry: Recon - External - Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Sentry: Recon - External - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.


Sentry: Recon - External - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - External - Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Sentry: Recon - Internal - ICMP Scan (High)
Description: Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Sentry: Recon - Internal - ICMP Scan (Low)
Description: Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - Internal - ICMP Scan (Medium)
Description: Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Sentry: Recon - Internal - Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Sentry: Recon - Internal - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
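The Recon sentries above are tiered on how many distinct hosts one source touches per minute (Low above 500, Medium above 5,000, High above 100,000), and the Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts building block fires when one source port-scans more than 5 hosts within 10 minutes. The following is an added example, not STRM code, that applies both conditions to constructed flow and event records so the tiering and the sliding 10-minute window can be tested offline; the record layouts, the helper names and every address in the sample data are assumptions made for the example.

```python
"""Scan-rate tiers and the multi-host port-scan condition.

Added example, not STRM code.  scan_tiers() counts distinct destination
hosts per source per 60-second window and maps the count to the Low /
Medium / High tiers used by the Recon sentries (500, 5,000 and 100,000
hosts per minute).  multi_host_port_scan() applies the default condition
of Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts,
more than 5 distinct hosts within 10 minutes.  Record layouts and sample
data are constructed for this example.
"""
from collections import defaultdict, deque

SCAN_TIERS = [(100_000, "High"), (5_000, "Medium"), (500, "Low")]
MINUTE = 60             # seconds; the sentries count hosts per minute
PORT_SCAN_HOSTS = 5     # BB default: more than 5 hosts ...
PORT_SCAN_WINDOW = 600  # ... within 10 minutes


def scan_tiers(records, window=MINUTE):
    """records: iterable of (ts_seconds, src_ip, dst_ip, proto).
    Returns {(src, proto, window_start): tier} for every window in which
    the source touched more distinct hosts than a tier threshold."""
    targets = defaultdict(set)
    for ts, src, dst, proto in records:
        bucket = (int(ts) // window) * window
        targets[(src, proto, bucket)].add(dst)
    out = {}
    for key, hosts in targets.items():
        for threshold, tier in SCAN_TIERS:  # highest tier first
            if len(hosts) > threshold:
                out[key] = tier
                break
    return out


def multi_host_port_scan(events, min_hosts=PORT_SCAN_HOSTS, window=PORT_SCAN_WINDOW):
    """events: iterable of (ts_seconds, src_ip, dst_ip) port-scan events.
    Returns the set of sources that scanned more than min_hosts distinct
    hosts inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, evs in by_src.items():
        evs.sort()
        recent = deque()             # events inside the current window
        per_host = defaultdict(int)  # dst -> number of its events in the window
        for ts, dst in evs:
            recent.append((ts, dst))
            per_host[dst] += 1
            while ts - recent[0][0] > window:  # expire events older than the window
                old_ts, old_dst = recent.popleft()
                per_host[old_dst] -= 1
                if per_host[old_dst] == 0:
                    del per_host[old_dst]
            if len(per_host) > min_hosts:
                flagged.add(src)
                break
    return flagged


def _hosts(n, second_octet):
    """Constructed helper: n distinct addresses inside 10.<second_octet>.0.0/16."""
    return [f"10.{second_octet}.{i >> 8 & 255}.{i & 255}" for i in range(n)]


# Constructed sample data.
SAMPLE_RECORDS = (
    # one ICMP sweep of 600 hosts inside minute 0 -> Low tier
    [(5, "10.0.0.50", h, "icmp") for h in _hosts(600, 1)]
    # one sweep of 6,000 hosts inside minute 1 -> Medium tier
    + [(65, "203.0.113.9", h, "tcp") for h in _hosts(6_000, 2)]
    # 300 hosts in a minute stays below every tier
    + [(125, "10.0.0.51", h, "icmp") for h in _hosts(300, 3)]
)

SAMPLE_PORT_SCAN_EVENTS = (
    # 7 hosts within 6 minutes -> exceeds "more than 5 within 10 minutes"
    [(60 * i, "10.0.0.60", f"10.0.9.{i}") for i in range(7)]
    # 8 hosts but 200 s apart: never more than 4 inside one 10-minute window
    + [(200 * i, "10.0.0.61", f"10.0.8.{i}") for i in range(8)]
    # 3 hosts only
    + [(10 * i, "10.0.0.62", f"10.0.7.{i}") for i in range(3)]
)

if __name__ == "__main__":
    for key, tier in sorted(scan_tiers(SAMPLE_RECORDS).items()):
        print(f"{key[0]} ({key[1]}) window starting at {key[2]}s: {tier}")
    print("multi-host port scan:", sorted(multi_host_port_scan(SAMPLE_PORT_SCAN_EVENTS)))
```

The fixed one-minute buckets in scan_tiers() mirror the "hosts per minute" wording of the sentries, while multi_host_port_scan() uses a sliding window because the building block's "within 10 minutes" does not align to clock boundaries; the 200-second sample shows why that distinction matters, since eight hosts are scanned but never more than four fall inside any single 10-minute span.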


Sentry: Recon - Internal - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - Internal - Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Sentry: Suspicious - External - Anomalous ICMP Flows
Description: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - External - Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Suspicious - External - Port 0 Flows Detected
Description: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Sentry: Suspicious - External - Rejected Communication Attempts
Description: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - External - Unidirectional ICMP Detected
Description: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - External - Unidirectional ICMP Responses Detected
Description: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.


Sentry: Suspicious - External - Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.

Sentry: Suspicious - Internal - Anomalous ICMP Flows
Description: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - Internal - Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Sentry: Suspicious - External - Outbound Unidirectional Flows Threshold
Description: Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes.

Sentry: Suspicious - Internal - Port 0 Flows Detected
Description: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Sentry: Suspicious - Internal - Rejected Communication Attempts
Description: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - Internal - Unidirectional ICMP Detected
Description: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - Internal - Unidirectional ICMP Responses Detected
Description: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Sentry: Suspicious - Internal - Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.


Sentry: Excessive Unidirectional UDP or Misc Flows
Description: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.

Default Custom Views

This section provides the default custom views for the Enterprise template including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses including:

Table 17-2 Custom Views - IP Tracking View

Group: Locals
Objects: Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.

Group: Remotes
Objects: Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.

Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:


UNIVERSITY TEMPLATE DEFAULTS

Table 17-3 Custom Views - Threats View

Exceptions
    This group includes:
    • Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance-like traffic on your network, such as SNMP polling, large numbers of ICMP requests, or vulnerability assessment (VA) scanners.

DoS
    The Denial of Service (DoS) group includes:
    • Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
    • Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
    • Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
    • Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
    • Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
    • Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted UDP DoS attack.
    • Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
    • Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.


Table 17-3 Custom Views - Threats View (continued)

Scanning
    This scanning group includes:
    • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
    • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
    • ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
    • Scan_High - Defines a scan of more than 100,000 hosts per minute.
    • Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Scan_Low - Defines a scan of more than 500 hosts per minute.
    • Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

PortScans
    This PortScans group includes:
    • Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
    • UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.


Table 17-3 Custom Views - Threats View (continued)

Suspicious_IP_Protocol_Usage
    This group includes:
    • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
    • Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
    • TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
    • Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate an application failing to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
    • Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
    • Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
    • Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP (or other non-TCP, non-ICMP) flows. This may be expected network behavior; however, an excessive quantity should be considered suspicious.
    • Zero_Payload_Bidirectional_Flows - Detects bidirectional flows that contain little, if any, payload. This may be the result of scans where the target responds with reset packets.
    • Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
    • Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
    • Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.


Table 17-3 Custom Views - Threats View (continued)

Remote_Access_Violation
    This group includes:
    • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
    • Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports for this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
    • Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
    • VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

Suspicious_IRC
    Detects suspicious IRC activity.

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events including:
Table 17-4 Custom Views - AttackerTargetAnalysis

AttackResponseAnalysis
    This group includes:
    • Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
    • Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood that the attacker was successful.


Table 17-4 Custom Views - AttackerTargetAnalysis (continued)

PeripheralCommsAnalysis
    This group includes:
    • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
    • Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker and target were also seen communicating before the event and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
    • Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This can sometimes indicate the attacker has been able to force the target to communicate back to the attacker, therefore bypassing some firewall rules.

Target Analysis Group

Pre-configured groups that specify traffic flows related to back door entries, scanning behavior, malicious software (malware), and spam relays, including:
Table 17-5 Custom Views - TargetAnalysis

BotNetAnalysis
    • BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC bot on the target and instructed the target to connect to an IRC channel under the attacker's control and await instructions. Large numbers of such exploited machines form a botnet and can be used by the attacker to coordinate large-scale Distributed Denial of Service (DDoS) attacks.

MalwareAnalysis
    • Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is being seen in the presence of security events aimed at this host, and therefore it is possible the attacker has infected the target with a worm, or other hostile malware, that is attempting to spread from this host.


Table 17-5 Custom Views - TargetAnalysis (continued)

PeripheralCommsAnalysis
    This group includes:
    • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently, crashed the service running on this host.
    • Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given that this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
    • Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given that this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that specify traffic flows related to your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including:
Table 17-6 Custom Views - PolicyViolations

Mail_Policy_Violation
    This group includes:
    • Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to exclude network mail servers.
    • Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host that is inadvertently running a spam relay. We recommend updating this equation to exclude network mail servers.


Table 17-6 Custom Views - PolicyViolations (continued)

IRC_IM_Policy_Violation
    This group includes:
    • IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
    • IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.

Remote_Access_Policy_Violation
    This group includes:
    • Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Detection covers any of the following access technologies: Citrix, PCAnywhere, SSH, Telnet, or VNC.

P2P_Policy_Violation
    This group includes:
    • Local_P2P_Server - Detects flows indicating a P2P server is operating on the local network. This can be in violation of local network policy.
    • Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.

Application_Policy_Violation
    This group includes:
    • NNTP_to_Internet - Detects flows indicating an NNTP news client is operating on the local network. This may be in violation of local network policy.
    • Unknown_Local_Service - Detects an active service on a local host.

Compliance_Policy_Violations
    This group includes:
    • Clear_Text_Application_Usage - Detects flows where the application types use clear text passwords. Applications included in this view are Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
    • Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group

STRM detects ASN values in network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects ASN 238 as the source of a flow, the object ASN238 is created in the ASNSource group.


ASN Destination Group

STRM detects ASN values in network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects ASN 238 as the destination of a flow, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group

STRM detects IFIndex values in network flows. When STRM detects an inbound IFIndex value in a flow, STRM creates a new object for it in the IFIndexIn group.

IFIndexOut Group

STRM detects IFIndex values in network flows. When STRM detects an outbound IFIndex value in a flow, STRM creates a new object for it in the IFIndexOut group.

QoS Group

Default QoS groups include:
Table 17-7 Custom Views - QoS View

NetworkControl
    Specifies QoS values related to link layer and routing protocols.
IPRoutingControl
    Specifies QoS values used by IP routing protocols.
Expedited
    Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4
    Specifies values related to Class 4 traffic.
Class 3
    Specifies values related to Class 3 traffic.
Class 2
    Specifies values related to Class 2 traffic.
Class 1
    Specifies values related to Class 1 traffic.
Best Effort
    Specifies traffic related to best effort QoS traffic. Best effort service does not guarantee delivery.

Flow Shape Group

Default FlowShape groups include:
Table 17-8 Custom Views - Flow Shape View

Inbound_Only
    Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only
    Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.
Mostly_Inbound
    Specifies traffic flows that send 5 times more data into the network than is received from it.
Mostly_Outbound
    Specifies traffic flows that send 5 times more bytes out of the network than are received.
NearSame_Internet
    Specifies traffic to and from hosts on the Internet that has around the same number of bytes sent and received.
Local_Unidirectional
    Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias
    Specifies internal traffic that has 5 times more bytes transferred by the source than by the destination.
Local_DST_Bias
    Specifies internal traffic that has 5 times more bytes transferred by the destination than by the source.
NearSame_Internal
    Specifies internal traffic that has a balance of source and destination bytes.
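The unidirectional-flow sentries in Table 17-1, the Suspicious_IP_Protocol_Usage objects in Table 17-3 and the Flow Shape objects in Table 17-8 all reduce to tests on a flow record's direction, byte counts, ports, flags and duration. The Python below is an added example, not code from STRM or Juniper: it applies those tests to constructed flow records and then applies the per-source sentry minimums on top. The Flow field names, the particular TCP flag combinations treated as illegal, and the sample records are assumptions; the thresholds (40 and 80 flows per source, the 5:1 byte ratio, 48 hours, 1K packets) are the ones the tables state.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not STRM code). Field names, the "illegal" TCP flag list and
# the sample records below are assumptions; thresholds are from Tables 17-1/3/8.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", "gre", ...
    src_port: int = 0
    dst_port: int = 0
    src_bytes: int = 0               # bytes sent by the source
    dst_bytes: int = 0               # bytes sent back by the destination (0 = no response)
    duration_s: float = 0.0
    src_local: bool = True
    dst_local: bool = True
    max_pkt_bytes: int = 0           # largest packet seen in either direction
    flags: frozenset = frozenset()   # TCP flags observed on the flow


# Flag combinations a legitimate TCP session never produces (assumed list; the
# page does not enumerate the combinations STRM treats as illegal).
ILLEGAL_TCP_FLAGS = (
    frozenset(),                       # NULL scan: no flags at all
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),  # Xmas scan
)
LONG_FLOW_S = 48 * 3600   # Long_Duration_Flow: more than 48 hours
LARGE_PACKET = 1024       # Large_DNS_Packets / Large_ICMP_Packets: larger than 1K
SENTRY_MIN_FLOWS = {      # minimum flows per source before a sentry generates an event
    "Unidirectional_ICMP_Flows": 40,
    "Unidirectional_TCP_Flows": 40,
    "Unidirectional_UDP_And_Misc_Flows": 80,
}


def is_internet(f: Flow) -> bool:
    return f.src_local != f.dst_local   # exactly one end is local


def threat_objects(f: Flow) -> set:
    """Names of the Suspicious_IP_Protocol_Usage objects a single flow matches."""
    hits = set()
    if f.proto == "tcp" and f.flags in ILLEGAL_TCP_FLAGS:
        hits.add("Illegal_TCP_Flag_Combination")
    if f.proto in ("tcp", "udp") and 0 in (f.src_port, f.dst_port):
        hits.add("TCP_UDP_Port_0")
    if f.dst_bytes == 0:   # nothing came back: unidirectional
        if f.proto == "tcp":
            hits.add("Unidirectional_TCP_Flows")
        elif f.proto == "icmp":
            hits.add("Unidirectional_ICMP_Flows")
        else:
            hits.add("Unidirectional_UDP_And_Misc_Flows")
    if is_internet(f) and f.duration_s > LONG_FLOW_S:
        hits.add("Long_Duration_Flow")
    if f.proto == "udp" and 53 in (f.src_port, f.dst_port) and f.max_pkt_bytes > LARGE_PACKET:
        hits.add("Large_DNS_Packets")
    if f.proto == "icmp" and f.max_pkt_bytes > LARGE_PACKET:
        hits.add("Large_ICMP_Packets")
    return hits


def flow_shape(f: Flow) -> str:
    """Flow Shape object (Table 17-8): a 5:1 byte ratio separates the biased shapes."""
    if is_internet(f):
        if f.dst_bytes == 0:
            return "Outbound_Only" if f.src_local else "Inbound_Only"
        into = f.dst_bytes if f.src_local else f.src_bytes   # bytes sent by the remote end
        out = f.src_bytes if f.src_local else f.dst_bytes    # bytes sent by the local end
        if into >= 5 * out:
            return "Mostly_Inbound"
        if out >= 5 * into:
            return "Mostly_Outbound"
        return "NearSame_Internet"
    if f.dst_bytes == 0:
        return "Local_Unidirectional"
    if f.src_bytes >= 5 * f.dst_bytes:
        return "Local_SRC_Bias"
    if f.dst_bytes >= 5 * f.src_bytes:
        return "Local_DST_Bias"
    return "NearSame_Internal"


def sentry_alerts(flows) -> dict:
    """(source, object) pairs whose unidirectional-flow count reaches the sentry minimum."""
    counts = Counter()
    for f in flows:
        for obj in threat_objects(f) & set(SENTRY_MIN_FLOWS):
            counts[(f.src, obj)] += 1
    return {k: n for k, n in counts.items() if n >= SENTRY_MIN_FLOWS[k[1]]}


def sample_flows():
    """Constructed flow records (not captured traffic)."""
    # a workstation pinging 45 neighbours that never answer: host enumeration
    flows = [Flow("10.0.0.5", f"10.0.1.{i + 1}", "icmp", src_bytes=84, max_pkt_bytes=84)
             for i in range(45)]
    flows += [
        Flow("10.0.0.7", "10.0.2.9", "tcp", 40123, 0, src_bytes=60, flags=frozenset({"SYN"})),
        Flow("198.51.100.4", "10.0.2.9", "tcp", 5555, 22, src_bytes=60, src_local=False,
             flags=frozenset({"SYN", "FIN"})),
        Flow("10.0.0.9", "203.0.113.10", "tcp", 50000, 443, src_bytes=2_000, dst_bytes=900_000,
             duration_s=50 * 3600, dst_local=False, flags=frozenset({"SYN", "ACK", "FIN"})),
        Flow("10.0.0.9", "203.0.113.53", "udp", 51000, 53, src_bytes=70, dst_bytes=1_500,
             dst_local=False, max_pkt_bytes=1_500),
        Flow("10.0.0.12", "203.0.113.20", "tcp", 50001, 443, src_bytes=40_000_000,
             dst_bytes=80_000, dst_local=False, flags=frozenset({"SYN", "ACK", "FIN"})),
    ]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for f in flows[45:]:
        print(f.src, "->", f.dst, sorted(threat_objects(f)), flow_shape(f))
    print("sentry events:", sentry_alerts(flows))
```

Run as a script, it lists the objects each of the five hand-built flows matches and shows that only the pinging workstation crosses a sentry minimum (45 unidirectional ICMP flows against a minimum of 40); the single port-0 and SYN+FIN flows are flagged as objects but do not by themselves generate a sentry event, which is the distinction between a view object and a sentry that the tables above draw.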

Default Rules
Default rules for the University template include:
Table 17-9 Default Rules

Default-Response-E-mail: Offense E-mail Sender (Group: Response; Rule Type: Offense; Enabled: False)
    Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Default-Response-Syslog: Offense SYSLOG Sender (Group: Response; Rule Type: Offense; Enabled: False)
    Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Default-Rule-Anomaly: Devices with High Event Rates (Group: Anomaly; Rule Type: Event; Enabled: False)
    Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.

Default-Rule-Anomaly: Excessive Database Connections (Group: Anomaly; Rule Type: Event; Enabled: True)
    Reports an excessive number of successful database connections.

Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts (Group: Anomaly; Rule Type: Event; Enabled: False)
    Reports excessive firewall accepts across multiple hosts: more than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Default-Rule-Anomaly: Excessive Firewall Denies from Single Source (Group: Anomaly; Rule Type: Event; Enabled: True)
    Reports excessive firewall denies from a single host: more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.


Table 17-9 Default Rules (continued)

Default-Rule-Anomaly: Long Duration Flow (Group: Anomaly; Rule Type: Event; Enabled: False)
    Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Default-Rule-Anomaly: Potential Honeypot Access (Group: Anomaly; Rule Type: Event; Enabled: False)
    Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Default-Rule-Anomaly: Rate Analysis Marked Events (Group: Anomaly; Rule Type: Event; Enabled: False)
    Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.

Default-Rule-Anomaly: Remote Access from Foreign Country (Group: Anomaly; Rule Type: Event; Enabled: False)
    Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.

Default-Rule-Authentication: Login Failure to Disabled Account (Group: Authentication; Rule Type: Event; Enabled: True)
    Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Default-Rule-Authentication: Login Failure to Expired Account (Group: Authentication; Rule Type: Event; Enabled: False)
    Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.

Default-Rule-Authentication: Login Failures Across Multiple Hosts (Group: Authentication; Rule Type: Event; Enabled: True)
    Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.

Default-Rule-Authentication: Login Failures Followed By Success (Group: Authentication; Rule Type: Event; Enabled: True)
    Reports multiple login failures to a single host, followed by a successful login to the host.


Table 17-9 Default Rules (continued)

Default-Rule-Authentication: Login Successful After Scan Attempt (Group: Authentication, Compliance; Rule Type: Event; Enabled: True)
    Reports when at least one of the configured rules is matched for a source IP address, followed by a successful authentication from the same IP address within 30 minutes.

Default-Rule-Authentication: Multiple VoIP Login Failures (Group: Authentication; Rule Type: Event; Enabled: True)
    Reports multiple login failures to a VoIP PBX.

Default-Rule-Authentication: Repeated Login Failures, Single Host (Group: Authentication; Rule Type: Event; Enabled: True)
    Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.

Default-Rule-Botnet: Potential Botnet Connection (DNS) (Group: Botnet, Exploit; Rule Type: Event; Enabled: False)
    Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Default-Rule-Botnet: Potential Botnet Connection (IRC) (Group: Botnet; Rule Type: Event; Enabled: False)
    Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.

Default-Rule-Botnet: Potential Botnet Events Become Offenses (Group: Botnet; Rule Type: Event; Enabled: True)
    Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Compliance: Compliance Events Become Offenses (Group: Compliance; Rule Type: Event; Enabled: False)
    Reports compliance-based events, such as clear text passwords.

Default-Rule-Compliance: Excessive Failed Logins to Compliance IS (Group: Compliance; Rule Type: Event; Enabled: False)
    Reports excessive authentication failures to a compliance server within 10 minutes.

Default-Rule-Database: Attempted Configuration Modification by a Remote Host (Group: Database, Compliance; Rule Type: Event; Enabled: False)
    Reports when a configuration modification is attempted on a database server from a remote network.
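The authentication and firewall rules above (Login Failures Across Multiple Hosts, Repeated Login Failures, Single Host, Login Failures Followed By Success, and Excessive Firewall Denies from Single Source) are all counts over a sliding time window, keyed by source address or by source/destination pair. The Python below is an added example, not STRM's rule engine: it replays constructed events through such windows using the thresholds the rules state. The Event format, the rule keys, and the failure count (three) assumed for "multiple" in Login Failures Followed By Success are assumptions; the page gives no count for that rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not STRM's rule engine): sliding-window correlation over
# constructed events. Event format and the FAIL_THEN_SUCCESS_MIN count are assumed.


@dataclass
class Event:
    ts: datetime
    category: str   # "auth_failure", "auth_success" or "fw_deny"
    src: str
    dst: str
    user: str = ""


# "more than three times, across more than three destination IP addresses within 10 minutes"
MULTI_HOST = {"min_failures": 4, "min_hosts": 4, "window": timedelta(minutes=10)}
# "at least seven times to a single destination within 5 minutes"
SINGLE_HOST = {"min_failures": 7, "window": timedelta(minutes=5)}
# "more than 400 firewall deny attempts from a single source to a single destination within 5 minutes"
FW_DENY = {"min_events": 401, "window": timedelta(minutes=5)}
# "multiple login failures ... followed by a successful login": count not on the page, assumed
FAIL_THEN_SUCCESS_MIN = 3


def correlate(events):
    """Return (rule, key, detail) tuples; each rule fires once per key."""
    fails_by_src = defaultdict(deque)    # src -> (ts, dst) of recent failures
    fails_by_pair = defaultdict(deque)   # (src, dst) -> ts of recent failures
    denies_by_pair = defaultdict(deque)  # (src, dst) -> ts of recent firewall denies
    fired, alerts = set(), []

    def fire(rule, key, detail):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, detail))

    def expire(dq, now, window, ts_of=lambda item: item):
        while dq and now - ts_of(dq[0]) > window:   # drop entries older than the window
            dq.popleft()

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.category == "auth_failure":
            by_src = fails_by_src[e.src]
            by_src.append((e.ts, e.dst))
            expire(by_src, e.ts, MULTI_HOST["window"], lambda item: item[0])
            hosts = {dst for _, dst in by_src}
            if len(by_src) >= MULTI_HOST["min_failures"] and len(hosts) >= MULTI_HOST["min_hosts"]:
                fire("Login Failures Across Multiple Hosts", e.src,
                     f"{len(by_src)} failures against {len(hosts)} hosts")
            pair = fails_by_pair[(e.src, e.dst)]
            pair.append(e.ts)
            expire(pair, e.ts, SINGLE_HOST["window"])
            if len(pair) >= SINGLE_HOST["min_failures"]:
                fire("Repeated Login Failures, Single Host", (e.src, e.dst), f"{len(pair)} failures")
        elif e.category == "auth_success":
            pair = fails_by_pair[(e.src, e.dst)]
            expire(pair, e.ts, SINGLE_HOST["window"])
            if len(pair) >= FAIL_THEN_SUCCESS_MIN:
                fire("Login Failures Followed By Success", (e.src, e.dst),
                     f"login as {e.user!r} after {len(pair)} failures")
        elif e.category == "fw_deny":
            denies = denies_by_pair[(e.src, e.dst)]
            denies.append(e.ts)
            expire(denies, e.ts, FW_DENY["window"])
            if len(denies) >= FW_DENY["min_events"]:
                fire("Excessive Firewall Denies from Single Source", (e.src, e.dst),
                     f"{len(denies)} denies")
    return alerts


def sample_events():
    """Constructed events (not real logs)."""
    t0 = datetime(2010, 4, 1, 9, 0, 0)
    # password spray: one source, one failure against each of five hosts, a minute apart
    ev = [Event(t0 + timedelta(minutes=i), "auth_failure", "10.0.0.66", f"10.0.1.{i + 1}", "admin")
          for i in range(5)]
    # brute force: eight failures against one host in under four minutes, then a success
    ev += [Event(t0 + timedelta(seconds=30 * i), "auth_failure", "10.0.0.77", "10.0.2.10", "root")
           for i in range(8)]
    ev.append(Event(t0 + timedelta(minutes=4, seconds=30), "auth_success", "10.0.0.77", "10.0.2.10", "root"))
    # benign: two mistyped passwords, then a success (stays below every threshold)
    ev += [Event(t0 + timedelta(minutes=1, seconds=20 * i), "auth_failure" if i < 2 else "auth_success",
                 "10.0.0.88", "10.0.2.11", "alice") for i in range(3)]
    # 401 firewall denies from one source to one destination in under three minutes
    ev += [Event(t0 + timedelta(seconds=0.4 * i), "fw_deny", "198.51.100.9", "10.0.3.1")
           for i in range(401)]
    return ev


if __name__ == "__main__":
    for rule, key, detail in correlate(sample_events()):
        print(f"{rule}: {key} ({detail})")
```

The `fired` set is what keeps a brute-force burst from producing one alert per event once the threshold is crossed; STRM's own rules express the same idea through their building blocks and response limiters (the one e-mail per hour per offense noted for the e-mail response rule above). The benign user who mistypes a password twice is deliberately included to show that the Followed By Success rule depends on the failure count within the window, not on the mere presence of a failure before a success.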


Table 17-9 Default Rules (continued)

Default-Rule-Database: Concurrent Logins from Multiple Locations (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Reports when several authentications to a database server occur across many remote IP addresses.

Default-Rule-Database: Failures Followed by User Changes (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Reports when there are failures followed by the addition or change of a user account.

Default-Rule-Database: Groups Changed from Remote Host (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Monitors changes to groups on a database when the change is initiated from a remote network.

Default-Rule-Database: Multiple Database Failures Followed by Success (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Reports when there are multiple database failures followed by a success within a short period of time.

Default-Rule-Database: Remote Login Failure (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Increases the severity of a failed login attempt to a database from a remote network.

Default-Rule-Database: Remote Login Success (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Reports when a successful authentication occurs to a database server from a remote network.

Default-Rule-Database: User Rights Changed from Remote Host (Group: Database, Compliance; Rule Type: Event; Enabled: True)
    Reports when changes to user privileges occur on a database from a remote network.

Default-Rule-DDoS: DDoS Attack Detected (Group: D/DoS; Rule Type: Event; Enabled: False)
    Reports network Distributed Denial of Service (DDoS) attacks on a system.

Default-Rule-DDoS: Decrease Magnitude of Low Rate Attacks (Group: D/DoS; Rule Type: Event; Enabled: True)
    If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses (Group: D/DoS; Rule Type: Event; Enabled: False)
    Reports when offenses are created for DDoS-based events with high magnitude.

Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks (Group: D/DoS; Rule Type: Event; Enabled: True)
    If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Default-Rule-DoS: DoS Events from Darknet (Group: D/DoS; Rule Type: Event; Enabled: False)
    Reports when DoS attack events are identified on Darknet network ranges.

Default-Rule-DoS: DoS Events with High Magnitude Become Offenses (Group: D/DoS; Rule Type: Event; Enabled: True)
    Forces the creation of an offense for DoS-based events with a high magnitude.

Default-Rule-DoS: Increase Magnitude of High Rate Attacks (Group: D/DoS; Rule Type: Event; Enabled: True)
    If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.


Table 17-9 Default Rules (continued)

Default-Rule-DoS: Network DoS Attack Detected (Group: D/DoS; Rule Type: Event; Enabled: True)
    Reports network Denial of Service (DoS) attacks on a system.

Default-Rule-DoS: Service DoS Attack Detected (Group: D/DoS; Rule Type: Event; Enabled: True)
    Reports a DoS attack against a local target that is known to exist and whose target port is open.

Default-Rule-Exploit: All Exploits Become Offenses (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Exploit: Attacker Vulnerable to any Exploit (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.

Default-Rule-Exploit: Attacker Vulnerable to this Exploit (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.

Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets (Group: Exploit; Rule Type: Event; Enabled: True)
    Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses (Group: Exploit; Rule Type: Event; Enabled: False)
    Forces the creation of offenses for exploit-based events with a high magnitude.

Default-Rule-Exploit: Exploits Followed by Firewall Accepts (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.

Default-Rule-Exploit: Multiple Exploit Types Against Single Target (Group: Exploit; Rule Type: Event; Enabled: True)
    Reports a target that is being attacked using multiple types of exploits from one or more attackers.

Default-Rule-Exploit: Multiple Vector Attacker (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.

Default-Rule-Exploit: Potential VoIP Toll Fraud (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports multiple failed logins to your VoIP hardware followed by sessions being opened: at least 3 events were detected within 30 seconds. This activity could indicate that unauthorized users are executing VoIP sessions on your network.


Table 17-9 Default Rules (continued)

Default-Rule-Exploit: Recon followed by Exploit (Group: Exploit; Rule Type: Event; Enabled: True)
    Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit (Group: Exploit; Rule Type: Event; Enabled: True)
    Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port (Group: Exploit; Rule Type: Event; Enabled: True)
    Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.

Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port (Group: Exploit; Rule Type: Event; Enabled: False)
    Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.

Default-Rule-False Positive: False Positive Rules and Building Blocks (Group: False Positive; Rule Type: Event; Enabled: True)
    Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but dropped from offense creation. If you add any new building blocks or rules to prevent events from becoming offenses, you must add those new rules or building blocks to this rule.

Default-Rule-Malware: Local Host Sending Malware (Group: Malware, Policy; Rule Type: Event; Enabled: False)
    Reports malware being sent from local hosts.

Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses (Group: Malware; Rule Type: Event; Enabled: False)
    Enable this rule if you want all events categorized as backdoor, virus, or trojan to create an offense.

Default-Rule-Malware: Treat Key Loggers as Offenses (Group: Malware; Rule Type: Event; Enabled: False)
    Enable this rule if you want all events categorized as key loggers to create offenses.

Default-Rule-Malware: Treat Non-Spyware Malware as Offenses (Group: Malware; Rule Type: Event; Enabled: False)
    Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.

Default-Rule-Malware: Treat Spyware and Virus as Offenses (Group: Malware; Rule Type: Event; Enabled: False)
    Reports spyware and/or virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic (Group: Policy; Rule Type: Event; Enabled: False)
    Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.

STRM Administration Guide

340

UNIVERSITY TEMPLATE DEFAULTS

Table 17-9 Default Rules (continued)

| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Policy: Create Offenses for All P2P Usage | Policy | Event | False | Reports P2P traffic or any event categorized as P2P. |
| Default-Rule-Policy: Create Offenses for All Policy Events | Policy, Compliance | Event | False | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense. |
| Default-Rule-Policy: Create Offenses for All Porn Usage | Policy | Event | False | Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense. |
| Default-Rule-Policy: Host has SANS Top 20 Vulnerability | Policy | Event | False | This rule acts as a warning that the asset identified in an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/). |
| Default-Rule-Policy: Local P2P Server Detected | Policy | Event | False | Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server. |
| Default-Rule-Policy: New Host Discovered | Policy | Event | False | Reports when a new host has been discovered on the network. |
| Default-Rule-Policy: New Host Discovered in DMZ | Authentication, Compliance | Event | False | Reports when a new host has been discovered in the DMZ. |
| Default-Rule-Policy: New Service Discovered | Policy | Event | False | Reports when an existing host has a newly discovered service. |
| Default-Rule-Policy: New Service Discovered in DMZ | Authentication, Compliance | Event | False | Reports when a new service has been discovered in the DMZ. |
| Default-Rule-Policy: Potential Tunneling | Policy | Event | False | This rule identifies potential tunneling that can be used to bypass policy or security controls. |
| Default-Rule-Policy: Upload to Local WebServer | Policy | Event | False | Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block. |
| Default-Rule-Recon: Aggressive Local Scanner Detected | Recon | Event | True | Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Recon: Aggressive Remote Scanner Detected | Recon | Event | True | Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system. |
| Default-Rule-Recon: Excessive Firewall Denies From Local Host | Recon | Event | True | Reports excessive attempts, from a local host, to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. |
| Default-Rule-Recon: Excessive Firewall Denies From Remote Host | Recon | Event | True | Reports excessive attempts, from a remote host, to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Local Host | Recon | Event | True | Reports a single source IP address scanning more than 50 ports in under 3 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Remote Host | Recon | Event | True | Reports when more than 50 ports were scanned from a single source IP address in under 3 minutes. |
| Default-Rule-Recon: Increase Magnitude of High Rate Scans | Recon | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Recon | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Database Scanner | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Local DHCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local FTP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Recon: Local Game Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local ICMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Default-Rule-Recon: Local Mail Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local P2P Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local RPC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Scanner Detected | Recon | Event | True | Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 10 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. |
| Default-Rule-Recon: Local SNMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local SSH Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Recon: Local Suspicious Probe Events Detected | Recon | Event | False | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target. |
| Default-Rule-Recon: Local TCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local UDP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Web Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Windows Scanner to Internet | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections from the same source IP address more than 5 times, across more than 60 destination IP addresses within 20 minutes. |
| Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports from the same source IP address more than 5 times, across more than 200 destination IP addresses within 20 minutes. |
| Default-Rule-Recon: Recon Followed by Accept | Recon | Event | False | Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity. |
| Default-Rule-Recon: Remote Database Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Remote DHCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Recon: Remote FTP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Game Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote ICMP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Default-Rule-Recon: Remote LDAP Server Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Remote Mail Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Proxy Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote RPC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Scanner Detected | Recon | Event | True | Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. |
| Default-Rule-Recon: Remote SNMP Scanner | Recon | Event | True | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Recon: Remote SSH Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating system of the targets. |
| Default-Rule-Recon: Remote TCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote UDP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Web Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Windows Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block. |
| Default-Rule-Suspicious Activity: Common Non-Local to Remote Ports | Anomaly | Event | False | Reports when an event that has common internal-only ports communicates outside of the local network. |
| Default-Rule-Suspicious Activity: Communication with Known Hostile Networks | Anomaly | Event | False | Reports when an event is involved with networks that are defined as hostile. |
| Default-Rule-Suspicious Activity: Communication with Known Online Services | Anomaly | Event | False | Reports when an event is involved with networks that are defined as possible sites that may involve data loss. |


| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Suspicious Activity: Communication with Known Watched Networks | Anomaly | Event | False | Reports when an event is involved with networks that are defined as networks to be watched. |
| Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for successful compromises. |
| Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event. |
| Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor. |
| Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware. |
| Default-Rule-System: Load Building Blocks | System | Event | True | Loads BBs that need to be run to assist with reporting. This rule has no actions or responses. |
| Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes. |
| Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host. |
| Default-Rule-Worms Detection: Local Mass Mailing Host Detected | Worms | Event | False | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm. |
| Default-Rule-Worms Detection: Possible Local Worm Detected | Worms | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan. |
| Default-Rule-Worms Detection: Worm Detected (Events) | Worms | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic. |


Default Building Blocks

Default building blocks for the University template include:

Table 17-10 Default Building Blocks

| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Behavior Definition: Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected after a typical compromise. | |
| Default-BB-Behavior Definition: Post Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected after a typical compromise. | |
| Default-Rule-Category Definitions: Access Denied | Category Definition | Event | Reports events in different Access Denied categories. | |
| Default-BB-Category Definition: Authentication Failures | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate an unsuccessful attempt to access the network. | |
| Default-BB-Category Definition: Authentication Success | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate successful attempts to access the network. | |
| Default-BB-Category Definition: Authentication to Disabled Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using a disabled account. | |
| Default-BB-Category Definition: Authentication to Expired Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using an expired account. | |
| Default-BB-Category Definition: Authentication User or Group Added or Changed | Category Definitions, Compliance | Event | Edit this building block to include all events that indicate modification to accounts or groups. | |
| Default-BB-Category Definition: Countries with no Remote Access | Category Definitions | Event | Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule. | |
| Default-BB-Category Definitions: Database Access Denied | Category Definition | Event | Edit this BB to include events that indicate denied access activities. | |
| Default-BB-Category Definitions: Database Access Permitted | Category Definition | Event | Edit this BB to include events that indicate permitted access. | |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Category Definition: Database Connections | Category Definitions | Event | Edit this BB to define successful logins to databases. You may need to add additional device types for this BB. | |
| Default-BB-Category Definition: DDoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a DDoS attack. | |
| Default-BB-Category Definition: Exploits, Backdoors, and Trojans | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. | |
| Default-BB-Category Definition: Failure Service or Hardware | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failure within a service or hardware. | |
| Default-BB-Category Definition: Firewall or ACL Accept | Category Definitions | Event | Edit this BB to include all events that indicate access to the firewall. | |
| Default-BB-Category Definition: Firewall or ACL Denies | Category Definitions | Event | Edit this BB to include all events that indicate unsuccessful attempts to access the firewall. | |
| Default-BB-Category Definition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices: CheckPoint, Generic Firewall, Iptables, NetScreen Firewall, Cisco Pix. | |
| Default-BB-Category Definition: Flow Events | Category Definitions | Event | Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine. | |
| Default-BB-Category Definition: High Magnitude Events | Category Definitions | Event | Edit this BB to set the severity, credibility, and relevance levels at which you want to generate an event. The defaults are: Severity = 6, Credibility = 7, Relevance = 7. | |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Category Definitions: Key Loggers | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. | |
| Default-BB-Category Definition: Mail Policy Violation | Category Definitions, Compliance | Event | Edit this BB to define mail policy violations. | |
| Default-BB-Category Definition: Malware Annoyances | Category Definitions | Event | Edit this BB to include event categories that are typically associated with spyware infections. | |
| Default-BB-Category Definition: Network DoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a network DoS attack. | |
| Default-BB-Category Definition: Policy Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that may indicate a violation of network policy. | |
| Default-BB-Category Definition: Post Exploit Account Activity | Category Definitions | Event | Edit this BB to include all event categories that may indicate exploits of accounts. | |
| Default-BB-Category Definition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis. | |
| Default-BB-Category Definition: Recon Events | Category Definitions | Event | Edit this BB to include all events that indicate reconnaissance activity. | |
| Default-BB-Category Definition: Service DoS | Category Definitions | Event | Edit this BB to define Denial of Service (DoS) attack events. | |
| Default-BB-Category Definitions: Session Closed | Category Definition, Malware | Event | Edit this BB to define all Session Closed events by categories. | |
| Default-BB-Category Definitions: Session Opened | Category Definition, Malware | Event | Edit this BB to define all Session Opened events by categories. | |
| Default-BB-Category Definition: Suspicious Events | Category Definitions | Event | Edit this BB to include all events that indicate suspicious activity. | |
| Default-BB-Category Definition: System Configuration | Category Definitions, Malware | Event | Edit this BB to define system configuration events. | |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Category Definitions: System Errors and Failures | Category Definitions | Event | Edit this BB to include events that indicate a system error or failure. | |
| Default-BB-Category Definition: Upload to Local WebServer | Category Definitions | Event | Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods or for local hosts using the method connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule. | |
| Default-BB-Category Definitions: Virus Detected | Category Definition, Malware | Event | Edit this BB to include all virus detection events. | |
| Default-BB-Category Definition: VoIP Authentication Failure Events | Category Definitions | Event | Edit this BB to include all events that indicate a VoIP login failure. | |
| Default-BB-Category Definition: VoIP Session Opened | Category Definitions | Event | Edit this BB to include all events that indicate the start of a VoIP session. | |
| Default-BB-Category Definitions: VPN Access Denied | Category Definition | Event | Edit this BB to include VPN events that are considered Denied Access events. | |
| Default-BB-Category Definitions: VPN Access Accepted | Category Definition | Event | Edit this BB to include VPN events that indicate permitted access. | |
| Default-BB-Category Definition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. | |
| Default-BB-Category Definition: Worm Events | Category Definitions | Event | Edit this BB to define worm events. This BB only applies to events not detected by a custom rule. | |
| Default-BB-Compliance Definition: GLBA Servers | Compliance, Host Definitions | Event | Edit this BB to include your GLBA IP systems. You must then apply this BB to rules related to failed logins, remote access, etc. | |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Compliance Definition: HIPAA Servers | Compliance, Host Definitions | Event | Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-Compliance Definition: SOX Servers | Compliance, Host Definitions | Event | Edit this BB to include your SOX IP servers. You must then apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-Compliance Definition: PCI DSS Servers | Compliance, Host Definitions, Response | Event | Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-Database: System Action Allow | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate successful actions within a database. | |
| Default-BB-Database: System Action Deny | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate unsuccessful actions within a database. | |
| Default-BB-Database: User Addition or Change | Category Definitions, Compliance | Event | Edit this BB to include events that indicate the successful addition or change of user privileges. | |
| Default-BB-Device Definitions: Access/Authentication/Audit | Device Definition | Event | Edit this BB to include all access, authentication, and audit devices. | |
| Default-BB-Device Definitions: AntiVirus | Device Definition | Event | Edit this BB to include all antivirus services on the system. | |
| Default-BB-Device Definitions: Application | Device Definition | Event | Edit this BB to include all application and OS devices on the network. | |
| Default-BB-Device Definitions: Database | Device Definition | Event | Edit this BB to include all databases on the system. | |
| Default-BB-Device Definition: Devices to Monitor for High Event Rates | Category Definitions | Event | Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule. | |
| Default-BB-Device Definitions: FW/Router/Switch | Device Definition | Event | Edit this BB to include all firewalls (FW), routers, and switches on the network. | |
| Default-BB-Device Definitions: IDS/IPS | Device Definition | Event | Edit this BB to include all IDS and IPS devices on the network. | |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-Device Definitions: VPN | Device Definition | Event | Edit this BB to include all VPNs on the network. | |
| Default-BB-False Negative: Events That Indicate Successful Compromise | False Positive | Event | Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy. | |
| Default-BB-FalsePositive: All Default False Positive Building Blocks | False Positive | Event | Edit this BB to include all false positive building blocks. | All Default-BB-False Positive building blocks |
| Default-BB-FalsePositive: Broadcast Address False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the broadcast address space. | |
| Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Database Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Device and Specific Event | False Positive | Event | Edit this BB to include the devices and QIDs of devices that continually generate false positives. | |
| Default-BB-FalsePositive: DHCP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DHCP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DNS Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |


| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
| --- | --- | --- | --- | --- |
| Default-BB-FalsePositive: DNS Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |
| Default-BB-FalsePositive: Firewall Deny False Positive Events | False Positive | Event | Edit this BB to define firewall deny events that are false positives. | |
| Default-BB-FalsePositive: FTP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: Global False Positive Events | False Positive | Event | Edit this BB to include any event QIDs that you want to ignore. | |
| Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers. | |
| Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers. | |
| Default-BB-FalsePositive: Large Volume Local FW Events | False Positive | Event | Edit this BB to define specific events that can create a large volume of false positives in general rules. | |
| Default-BB-FalsePositive: LDAP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers |


Default-BB-FalsePositive: LDAP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers
Default-BB-FalsePositive: Mail Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Mail Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Network Management Servers Recon | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block. | Default-BB-HostDefinition: Network Management Servers
Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Proxy Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers. | -
Default-BB-FalsePositive: RPC Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers
Default-BB-FalsePositive: RPC Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers


Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: Source IP and Specific Event | False Positive | Event | Edit this BB to include source IP addresses or specific events that you want to remove. | -
Default-BB-FalsePositive: SSH Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: SSH Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: Syslog Sender False Positive Categories | False Positive | Event | Edit this BB to define all false positive categories that occur to or from syslog sources. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Syslog Sender False Positive Events | False Positive | Event | Edit this BB to define all false positive events that occur to or from syslog sources or destinations. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Virus Definition Update Categories | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block. | Default-BB-HostDefinition: Virus Definition and Other Update Servers
Default-BB-FalsePositive: Web Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers


Default-BB-FalsePositive: Web Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Windows Server False Positive Categories | False Positive, Local | Event | Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-FalsePositive: Windows Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-HostBased: Critical Events | Category Definitions, Compliance | Event | Edit this BB to define event categories that indicate critical events. | -
Default-BB-HostDefinition: Database Servers | Host Definitions | Event | Edit this BB to define typical database servers. | Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events
Default-BB-HostDefinition: DHCP Servers | Host Definitions | Event | Edit this BB to define typical DHCP servers. | Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events
Default-BB-HostDefinition: DNS Servers | Host Definitions | Event | Edit this BB to define typical DNS servers. | Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events
Default-BB-HostDefinition: FTP Servers | Host Definitions | Event | Edit this BB to define typical FTP servers. | Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP Server False Positive Events

Default-BB-HostDefinition: Host with Port Open | Host Definitions | Event | Edit this BB to include a host and port that is actively or passively seen. | -
Default-BB-HostDefinition: LDAP Servers | Host Definitions | Event | Edit this BB to define typical LDAP servers. | Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events
Default-BB-HostDefinition: Mail Servers | Host Definitions | Event | Edit this BB to define typical mail servers. | Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events
Default-BB-HostDefinition: Network Management Servers | Host Definitions | Event | Edit this BB to define typical network management servers. | -
Default-BB-HostDefinition: Proxy Servers | Host Definitions | Event | Edit this BB to define typical proxy servers. | Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events
Default-BB-HostDefinition: RPC Servers | Host Definitions | Event | Edit this BB to define typical RPC servers. | Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events
Default-BB-HostDefinition: Servers | Host Definitions | Event | Edit this BB to define generic servers. | -
Default-BB-HostDefinition: SNMP Sender or Receiver | Host Definitions | Event | Edit this BB to define SNMP senders or receivers. | Default-BB-PortDefinition: SNMP Ports
Default-BB-HostDefinition: SSH Servers | Host Definitions | Event | Edit this BB to define typical SSH servers. | Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events

Default-BB-HostDefinition: Syslog Servers and Senders | Host Definitions | Event | Edit this BB to define typical hosts that send or receive syslog traffic. | Default-BB-FalsePositive: Syslog Server False Positive Categories; Default-BB-FalsePositive: Syslog Server False Positive Events
Default-BB-HostDefinition: VA Scanner Source IP | Host Definitions | Event | Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2. | -
Default-BB-HostDefinition: Virus Definition and Other Update Servers | Host Definitions | Event | Edit this BB to include all servers that include virus protection and update functions. | -
Default-BB-HostDefinition: VoIP IP PBX Server | Host Definitions | Event | Edit this BB to define typical VoIP IP PBX servers. | -
Default-BB-HostDefinition: Web Servers | Host Definitions | Event | Edit this BB to define typical web servers. | Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events
Default-BB-HostDefinition: Windows Servers | Host Definitions | Event | Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers. | Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events
Default-BB-Network Definition: Broadcast Address Space | Network Definition | Event | Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages. | -
Default-BB-Network Definition: Client Networks | Network Definition | Event | Edit this BB to include all networks that include client hosts. | -
Default-BB-Network Definition: Darknet Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a darknet list. | -
Default-BB-Network Definition: DLP Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a data loss prevention (DLP) list. | -

Default-BB-Network Definition: Honeypot like Addresses | Network Definition | Event | Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. | -
Default-BB-Network Definition: Local to Local | Network Definition | Event | Edit this BB to include events that are considered Local-to-Local (L2L). | -
Default-BB-Network Definition: Local to Remote | Network Definition | Event | Edit this BB to include events that are considered Local-to-Remote (L2R). | -
Default-BB-Network Definition: NAT Address Range | Network Definition | Event | Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment. | -
Default-BB-Network Definition: Remote to Local | Network Definition | Event | Edit this BB to include events that are considered Remote-to-Local (R2L). | -
Default-BB-Network Definition: Server Networks | Network Definition | Event | Edit this BB to include the networks where your servers are located. | -
Default-BB-Network Definition: Undefined IP Space | Network Definition | Event | Edit this BB to include areas of your network that do not contain any valid hosts. | -
Default-BB-Network Definition: Watch List Addresses | Network Definition | Event | Edit this BB to include networks that should be added to a watch list. | -
Default-BB-Policy: Application Policy Violation Events | Policy | Event | Edit this BB to define policy application and violation events. | -
Default-BB-Policy: IRC/IM Connection Violations | Policy | Event | Edit this BB to define all policy IRC/IM connection violations. | -
Default-BB-Policy: P2P | Policy | Event | Edit this BB to include all events that indicate Peer-to-Peer (P2P) events. | -
Default-BB-PortDefinition: Database Ports | Port\Protocol Definition | Event | Edit this BB to include all common database ports. | -

Default-BB-PortDefinition: DHCP Ports | Port\Protocol Definition | Event | Edit this BB to include all common DHCP ports. | -
Default-BB-PortDefinition: DNS Ports | Port\Protocol Definition | Event | Edit this BB to include all common DNS ports. | -
Default-BB-PortDefinition: FTP Ports | Port\Protocol Definition | Event | Edit this BB to include all common FTP ports. | -
Default-BB-PortDefinition: Game Server Ports | Port\Protocol Definition | Event | Edit this BB to include all common game server ports. | -
Default-BB-PortDefinition: IM Ports | Compliance, Port\Protocol Definition | Event | Edit this BB to include all common IM ports. | -
Default-BB-PortDefinition: IRC Ports | Port\Protocol Definition | Event | Edit this BB to include all common IRC ports. | -
Default-BB-PortDefinition: LDAP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by LDAP servers. | -
Default-BB-PortDefinition: Mail Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by mail servers. | -
Default-BB-PortDefinition: P2P Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers. | -
Default-BB-PortDefinition: Proxy Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by proxy servers. | -
Default-BB-PortDefinition: RPC Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by RPC servers. | -
Default-BB-PortDefinition: SNMP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SNMP servers. | -
Default-BB-PortDefinition: SSH Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SSH servers. | -
Default-BB-PortDefinition: Syslog Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by syslog servers. | -

Default-BB-PortDefinition: Web Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Web servers. | -
Default-BB-PortDefinition: Windows Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Windows servers. | -
Default-BB-Protocol Definition: Windows Protocols | Port\Protocol Definition | Event | Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules. | -
Default-BB-Recon Detected: All Recon Rules | Recon | Event | Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by firewall accept. | -
Default-BB-Recon Detected: Devices That Merge Recon into Single Event | Recon | Event | Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. | -
Default-BB-Recon Detected: Host Port Scan | Recon | Event | Edit this BB to define reconnaissance scans on hosts in your deployment. | -
Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts | Recon | Event | Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets. | -
User-BB-FalsePositive: User Defined False Positives Tunings | User Tuning | Event | This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide. | -
User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1

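The threshold quoted for Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts (more than 5 distinct hosts within 10 minutes, with an internal source being the more worrying case) is easy to misread as "6 hosts ever" rather than "6 hosts inside one sliding window". The following Python is an added illustration of that window logic written for this guide; it is not STRM's rule engine or any Juniper code. The event tuples, the timestamps and the LOCAL_NETWORKS list used to decide "internal" are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Defaults quoted by the building block: more than 5 hosts within 10 minutes.
HOST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Assumption for this example only: which source addresses count as "internal".
# In STRM this comes from the network hierarchy / Network Definition building blocks.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events: (timestamp, source IP, destination IP).
# 10.0.0.7 reaches six distinct hosts inside ten minutes and must alert.
# 203.0.113.5 also reaches six distinct hosts, but three minutes apart, so no
# ten-minute window ever holds more than four of them and it must not alert.
SAMPLE_EVENTS = [
    ("2010-04-01 09:00:00", "203.0.113.5", "10.0.1.1"),
    ("2010-04-01 09:00:05", "10.0.0.7", "10.0.1.1"),
    ("2010-04-01 09:01:00", "10.0.0.7", "10.0.1.2"),
    ("2010-04-01 09:02:00", "10.0.0.7", "10.0.1.3"),
    ("2010-04-01 09:03:00", "203.0.113.5", "10.0.1.2"),
    ("2010-04-01 09:03:00", "10.0.0.7", "10.0.1.4"),
    ("2010-04-01 09:04:00", "10.0.0.7", "10.0.1.5"),
    ("2010-04-01 09:05:00", "10.0.0.7", "10.0.1.1"),   # repeat host: still only 5 distinct
    ("2010-04-01 09:06:00", "203.0.113.5", "10.0.1.3"),
    ("2010-04-01 09:06:00", "10.0.0.7", "10.0.1.6"),   # sixth distinct host -> alert
    ("2010-04-01 09:09:00", "203.0.113.5", "10.0.1.4"),
    ("2010-04-01 09:12:00", "203.0.113.5", "10.0.1.5"),
    ("2010-04-01 09:15:00", "203.0.113.5", "10.0.1.6"),
]


def is_local(ip: str) -> bool:
    """True when the address falls inside one of the example's local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def detect_multi_host_scans(events, threshold: int = HOST_THRESHOLD,
                            window: timedelta = WINDOW) -> List[Tuple[str, str, int, str]]:
    """Return (source, timestamp, distinct_hosts, 'internal'|'remote') the first time a
    source contacts more than `threshold` distinct destinations within any `window`.
    Events are processed in timestamp order; each source is reported at most once."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str, int, str]] = []
    alerted = set()
    for ts, src, dst in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}     # distinct destinations still in the window
        if len(distinct) > threshold and src not in alerted:
            alerted.add(src)
            kind = "internal" if is_local(src) else "remote"
            alerts.append((src, ts, len(distinct), kind))
    return alerts


if __name__ == "__main__":
    for src, ts, n, kind in detect_multi_host_scans(SAMPLE_EVENTS):
        print(f"{ts} {src} ({kind}) contacted {n} distinct hosts within {WINDOW}")
```

Lowering the threshold or widening the window changes which sources fire, which is exactly the tuning decision the building block asks you to make; the "internal" tag is what turns a noisy scan alert into the "exploited machine or worm" case the description warns about.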

User-BB-FalsePositive: User Defined Server Type 1 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 2 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-FalsePositive: User Defined Server Type 3 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-HostDefinition: User Defined Server Type 1 | User Tuning | Event | Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 1 False Positive Events

User-BB-HostDefinition: User Defined Server Type 2 | User Tuning | Event | Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
User-BB-HostDefinition: User Defined Server Type 3 | User Tuning | Event | Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 3 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 3 False Positive Events


VIEWING AUDIT LOGS

Changes made by STRM users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM and the users performing those changes. All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named audit.log. Once the file reaches a size of 200 MB, the file is compressed and renamed as follows: audit.1.gz, audit.2.gz, and so on, with the file number incrementing each time a log file is archived. STRM stores up to 50 archived log files. This appendix provides information on using the audit logs, including:
• Logged Actions
• Viewing the Log File

Logged Actions

STRM logs the following categories of actions in the audit log file:
Table 18-1 Logged Actions

Category | Action
User Authentication | Log in to STRM. Log out of STRM.
Administrator Authentication | Log in to the STRM Administration Console. Log out of the STRM Administration Console.
System Management | Shutdown a system. Restart a system.
Session Authentication | Create a new administration session. Terminate an administration session. Deny an invalid authentication session. Expire a session authentication. Create an authentication session. Terminate an authentication session.

User Authentication | Deny a login attempt.
Ariel | Add an Ariel property. Delete an Ariel property. Edit an Ariel property. Add an Ariel property extension. Delete an Ariel property extension. Edit an Ariel property extension.
Root Login | Log in to STRM, as root. Log out of STRM, as root.
Rules | Add a rule. Delete a rule. Edit a rule.
Sentry | Add a sentry. Edit a sentry. Delete a sentry. Edit a sentry package. Edit sentry logic.
User Accounts | Add an account. Edit an account. Delete an account.
User Roles | Add a role. Edit a role. Delete a role.
Log Sources | Add a log source. Edit a log source. Delete a log source. Add a log source group. Edit a log source group. Delete a log source group. Edit the DSM parsing order.

Log Source Extension | Add a log source extension. Edit the log source extension. Delete a log source extension. Upload a log source extension. Upload a log source extension successfully. Upload an invalid log source extension. Download a log source extension. Report a log source extension. Modify a log source's association to a device or device type.
Protocol Configuration | Add a protocol configuration. Delete a protocol configuration. Edit a protocol configuration.
Flow Sources | Add a flow source. Edit a flow source. Delete a flow source.
Offenses | Hide an offense. Close an offense. Close all offenses.
TNC Recommendations | Create a recommendation. Edit a recommendation. Delete a recommendation.
Syslog Forwarding | Add a syslog forwarding. Delete a syslog forwarding. Edit a syslog forwarding.
Reports | Add a template. Delete a template. Edit a template. Execute a template. Delete a report.
Groups | Add a group. Delete a group. Edit a group.

Backup and Recovery | Edit the configuration. Initiate the backup. Complete the backup. Fail the backup. Delete the backup. Synchronize the backup. Cancel the backup. Initiate the restore. Upload a backup. Upload an invalid backup. Delete the backup. Purge the backup.
VIS | Discover a new host. Discover a new operating system. Discover a new port. Discover a new vulnerability.
Scanner | Add a scanner. Delete a scanner. Edit a scanner.
Scanner Schedule | Add a schedule. Edit a schedule. Delete a schedule.
SIM High Availability | Clean a SIM model. Add an HA host. Remove an HA host. Set an HA system offline. Set an HA system online. Restore an HA system.
Asset | Delete all assets.
QIDmap | Add a QID map entry. Edit a QID map entry.
Ariel Properties | Add a custom event property. Edit a custom event property. Delete a custom property.

Ariel Property Extensions | Add a custom event property expression. Edit a custom event property expression. Delete a custom event property expression.
Installation | Install a .rpm package, such as a DSM update.
License | Add a license key. Edit a license key.

Viewing the Log File

To view the audit logs:
Step 1 Log in to STRM, as root.
Step 2 Go to the following directory:

/var/log/audit

Step 3 Open the desired audit log file.

Each entry in the log file is displayed in the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.

Where:
<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a user record or an event rule.

For example:

Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15 (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
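The entry format above is regular enough to parse mechanically, which matters when you want to review who changed accounts or forward the audit trail to another system. Two details from the text are worth handling in code: the 1024-character cap means a long payload may be cut off, and, as the second sample entry shows, the payload of an account change can carry the stored password hash, so read access to /var/log/audit should stay restricted and the field masked before the entry goes anywhere else. The following Python is an added example written for this guide, not STRM code; the sample lines are constructed in the shape of the guide's examples (host names, e-mail address and password value are placeholders), and the choice of which payload keys to mask is an assumption of the example.

```python
import gzip
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# One regex for the documented layout:
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
ENTRY_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] \[(?P<sub_category>[^\]]*)\] \[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)

MAX_MESSAGE_LEN = 1024          # documented cap, excluding date, time and host name
MAX_ARCHIVES = 50               # documented number of audit.N.gz files kept
SENSITIVE_KEYS = ("password",)  # assumption: payload keys to mask before exporting entries


@dataclass
class AuditEntry:
    date_time: str
    host: str
    user: str
    ip: str
    thread: str
    category: str
    sub_category: str
    action: str
    payload: str
    at_cap: bool  # message reached the 1024-character cap, so the payload may be cut off


# Constructed sample lines modelled on the guide's examples (placeholders, not real data).
SAMPLE_LINES = [
    "Nov 6 12:22:31 strm-console.example.net admin@10.100.100.15 (Session) [Authentication] [User] [Login]",
    "Nov 6 12:22:31 strm-console.example.net jsam@10.100.100.15 (0) [Configuration] [User Account] "
    "[Account Modified] username=james, password=HASH_PLACEHOLDER, networks=ALL, email=sam@example.net, userrole=Admin",
    'Nov 13 10:14:44 strm-console.example.net admin@10.100.45.61 (0) [Configuration] [FlowSource] '
    '[FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false" )',
    "this line is not an audit entry and is skipped",
]


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one audit.log line; return None when the line does not match the format."""
    line = line.rstrip("\r\n")
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    message = line[m.end("host") + 1:]  # everything after "<date_time> <host name> "
    return AuditEntry(
        date_time=m.group("date_time"), host=m.group("host"),
        user=m.group("user"), ip=m.group("ip"), thread=m.group("thread"),
        category=m.group("category"), sub_category=m.group("sub_category"),
        action=m.group("action"), payload=m.group("payload") or "",
        at_cap=len(message) >= MAX_MESSAGE_LEN,
    )


def parse_all(lines) -> List[AuditEntry]:
    """Parse every line that matches the format, skipping the rest."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def redact_payload(payload: str) -> str:
    """Mask the value of sensitive key=value pairs (for example a password hash) in a payload."""
    keys = "|".join(re.escape(k) for k in SENSITIVE_KEYS)
    return re.sub(r"\b(" + keys + r")=[^,)\s]*", r"\1=<redacted>", payload)


def account_changes(lines) -> List[Tuple[str, str, str]]:
    """Who changed user accounts, from where, and what the (redacted) record looked like."""
    return [
        (e.user, e.ip, redact_payload(e.payload))
        for e in parse_all(lines)
        if e.category == "Configuration" and e.sub_category == "User Account"
    ]


def rotated_files(log_dir) -> List[Path]:
    """Current audit.log first, then audit.1.gz .. audit.50.gz; only files that exist."""
    base = Path(log_dir)
    names = ["audit.log"] + [f"audit.{n}.gz" for n in range(1, MAX_ARCHIVES + 1)]
    return [p for p in (base / n for n in names) if p.is_file()]


def iter_entries(log_dir="/var/log/audit") -> Iterator[AuditEntry]:
    """Yield parsed entries from the current file and every archived, gzip-compressed file."""
    for path in rotated_files(log_dir):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                entry = parse_entry(line)
                if entry is not None:
                    yield entry


if __name__ == "__main__":
    for user, ip, record in account_changes(SAMPLE_LINES):
        print(f"{user} from {ip}: {record}")
```

Run on the console as root, iter_entries() walks audit.log and the archived files in the order the guide describes; the at_cap flag tells you which payloads cannot be trusted to be complete, and redact_payload() keeps the password field out of anything you forward.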

INDEX

A
Admin tab: about 3; accessing 4; using 4
administrative e-mail address 57
administrator role 9
Ariel database settings 59
alert directory 61
alert e-mail from address 57
Ariel database 138
asset manager role 10
asset profile reporting interval 57
asset profile view 57
asymmetric flows 130, 146
audience 1
audit log 58: viewing 369
authentication: configuring 17; LDAP 17; RADIUS 16; system 16; TACACS 16; user 16
authorized services 69: adding 70; revoking 71; token 69; viewing 69
auto detection 122, 137
automatic update: about 52; on demand 56; scheduling 53

B
backup and recovery 75
branch filtering 130, 133
building blocks: about 203; editing 242

C
changes, deploying 4
Classification Engine 131: configuring 131
coalescing events 58
command line max matched results 60
components 120
connecting 95
connecting deployments 96
console settings 65
content capture 122
content filter 129
conventions 1
Custom Views: about 189; Attacker Target Analysis Group 280, 329; creating 190; editing 198; equation editing 199; equation editor 192; IP Tracking 275, 325; managing 189; operators editing 199; Policy Violations Group 282, 331; Target Analysis Group 281, 330; Threats Group 276, 325

D
database settings 58
database storage location 58
delete root mail 57
deploying changes 4
deployment editor 87: about 87; accessing 89; creating your deployment 91; event view 99; flow view 92; preferences 92; STRM components 120; requirements 91; system view 106; toolbar 90; using 89
deployments, connecting 96
device access 25
device management 28
discover servers 247
dynamic custom view deploy interval 58

E
element types 193
enabling and disabling views 200
encryption 96, 99, 104, 105, 107
enterprise template 267: building blocks default 298, 347; rules default 285
equation editor 192: element type 193
equations: editing 199; elements 168; objects 168
Event Collector: about 99; configuring 135
Event Processor: about 99; configuring 137
event rule 204: about 204; date/time tests 228; event property tests 214, 215; host profile tests 225; IP/port tests 218; network property tests 213; test 213
event view: about 88; adding components 101; building 99; connecting components 103; renaming components 106
events role 10
external flow sources 141

F
firewall access 25
flow configuration 144
Flow Processor: configuring 125
flow source: about 141; adding 144; alias 149 (adding 149; deleting 151; editing 150); deleting 149; editing 147; enabling/disabling 148; external 141; internal 141; managing 141; virtual name 149
flow view: about 88; adding components 93; building 92; components 93, 96, 103; connecting components 95; renaming components 99
Flow Writer: configuring 134
flowlog file 144
functions 203

G
global IPtables access 58

H
hashing algorithm 60: event log 60; flow log 60
high availability 35: adding 36; editing 42; overview 5; restoring a failed host 44; setting HA host offline 44; setting HA host online 44
hlocal 159
host, adding 109
host context 88, 118
hremote 159

I
interface roles 28
internal flow sources 141
IP range conversion 129
IP right click menu extension role 11

J
JavaScript 164
J-Flow 143

L
LDAP/Active directory 17
license key: exporting 24; managing 21
logic unit 153, 163

M
Magistrate: about 100; configuring 139
managed host: adding 109; assigning components 117; editing 111; removing 112; set-up 27
maximum real-time results 59
MIB 253

N
NAT: editing 114; enabling 112; removing 115; using with STRM 112
NetFlow 121, 142
Network Address Translation. See NAT
network hierarchy, creating 47
network surveillance role 11
network taps 121
network view graph retention period 59
NTP 32

O
offense rule: about 204; date/time tests 231; host profile tests 230; IP/port tests 229; offense property tests 232
offenses role 10
off-site source 97, 104
off-site target 97, 104
operators, editing 199

P
package 153, 160: creating 160
Packeteer 143
passwords, changing 29
pin 159
plocal 159
ports view 170
pount 159

R
RADIUS authentication 16
RDATE 30
recovery 75
reporting max matched results 59
reset SIM 4
retention period: asset profile 59; attacker history 59; custom view 59; flow data 59; identity history 59; log source data 59; offense 59; views (group 59; object 59)
role 7: Admin 9; asset manager 10; creating 8; deleting 13; editing 12; events 10; IP right click menu extension 11; managing 7; network surveillance 11; offenses 10; reporting 11
rules 203: copying 236; creating 205; deleting 236; enabling/disabling 205; group 237 (assigning 241; copying 240; create 237; deleting 241; editing 239); viewing 204

S
scripts: default sentry 61; list of sentry 61
search results retention period 59
sentry 153: about 153; database location 61; editing 155; enterprise defaults 267; logic unit 153 (creating 163; editing 165); package 153 (creating 160; editing 162; managing 160); properties 61; response queue 61; university defaults 317; variables 158; viewing 154
sentry database location 59
sentry layers 159
sentry settings 60
servers, discovering 247
services, authorized 69
sFlow 143
SIM reset 4
SNMP agent, accessing 24
SNMP settings 61
source, off-site 96, 97, 103, 104
storage 134
storage location: asset profile 59; flow data 59; log source 59
store event payload 58
superflows 125, 128
syslog forwarding 249: adding 249; deleting 251; editing 250
system authentication 16
system settings, configuring 57
system thresholds 63
system time 30
system view: about 88; adding a host 109; assigning components 117; Host Context 118; managed host 117; managing 106

user accounts managing 14 user data files 58

V
views applications object editing 176 Applications View 173 adding 175 best practices 202 Custom Views 189 defining unique groups and objects 169 enable and disable 200 ports 170 ports object adding 170 editing 172 Ports View 170 QFlow Collector object adding 186 QFlow Collectors 186 Remote Networks 178 Remote Networks object adding 179 editing 181 Remote Services 182 Remote Services object adding 183 editing 184 VIS passive host profile interval 57

T
TACACS authentication 16 target off-site 96, 97, 103, 104 templates 154 enterprise 267 university 317 temporary files retention period 57 tests about 203 thresholds 63 time 30 time limit command like execution 60 reporting execution 60 web execution 60 TNC recommendation 58 transaction sentry 61

U
university template 317 Update Daemon configuring 133 user authentication 16 creating account 14 editing account 15, 16 managing 7 roles 7

STRM Administration Guide