
Security Threat Response Manager

STRM Administration Guide

Release 2010.0

Juniper Networks, Inc.


1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000

www.juniper.net
Published: 2011-10-10

Copyright Notice
Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Administration Guide, Release 2010.0. Copyright 2011, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History: October 2011, R1, STRM Administration Guide. The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE
Audience; Conventions; Technical Documentation; Contacting Customer Support

OVERVIEW
About the Interface; Using the Admin Interface; Deploying Changes; Updating User Details; Resetting SIM; About High Availability; Monitoring STRM Systems with SNMP

MANAGING USERS
Managing Roles: Viewing Roles; Creating a Role; Editing a Role; Deleting a Role
Managing User Accounts: Creating a User Account; Editing a User Account; Disabling a User Account
Authenticating Users
Configuring your SSL Certificate

MANAGING THE SYSTEM
Managing Your License Keys: Updating your License Key; Exporting Your License Key Information
Restarting a System
Shutting Down a System
Configuring Access Settings: Configuring Firewall Access; Updating Your Host Set-up; Configuring Interface Roles; Changing Passwords; Updating System Time

MANAGING HIGH AVAILABILITY
Before You Begin
HA Deployment Overview: HA Clustering; Data Storage Strategies; Failovers
Adding an HA Cluster; Editing an HA Cluster; Removing an HA Host; Setting an HA Host Offline; Setting an HA Host Online; Restoring a Failed Host

SETTING UP STRM
Creating Your Network Hierarchy: Considerations; Defining Your Network Hierarchy
Scheduling Automatic Updates: Scheduling Automatic Updates; Updating Your Files On-Demand
Configuring System Settings
Using Event and Flow Retention Buckets: Configuring Event Retention Buckets; Configuring Flow Retention Buckets; Managing Retention Buckets
Configuring System Notifications
Configuring the Console Settings

MANAGING AUTHORIZED SERVICES
Viewing Authorized Services; Adding an Authorized Service; Revoking Authorized Services
Configuring the Customer Support Service: Dismissing an Offense; Closing an Offense; Adding Notes to an Offense

MANAGING BACKUP AND RECOVERY
Managing Backup Archives: Viewing Backup Archives; Importing an Archive; Deleting a Backup Archive
Backing Up Your Information: Scheduling Your Backup; Initiating a Backup
Restoring Your Configuration Information: Restoring on a System with the Same IP Address; Restoring to a System with a Different IP Address

USING THE DEPLOYMENT EDITOR
About the Deployment Editor: Accessing the Deployment Editor; Using the Editor
Building Your Deployment: Before you Begin; Configuring Deployment Editor Preferences
Building Your Event View: Adding Components; Connecting Components; Forwarding Normalized Events and Flows; Renaming Components
Managing Your System View: Setting Up Managed Hosts; Using NAT with STRM; Configuring a Managed Host; Assigning a Component to a Host; Configuring Host Context; Configuring an Accumulator
Configuring STRM Components: Configuring a QFlow Collector; Configuring an Event Collector; Configuring an Event Processor; Configuring the Magistrate; Configuring an Off-site Source; Configuring an Off-site Target

MANAGING FLOW SOURCES
About Flow Sources: NetFlow; sFlow; J-Flow; Packeteer; Flowlog File; Napatech Interface
Managing Flow Sources: Adding a Flow Source; Editing a Flow Source; Enabling/Disabling a Flow Source; Deleting a Flow Source
Managing Flow Source Aliases: Adding a Flow Source Alias; Editing a Flow Source Alias; Deleting a Flow Source Alias

CONFIGURING REMOTE NETWORKS AND SERVICES
Managing Remote Networks: Default Remote Network Groups; Adding a Remote Networks Object; Editing a Remote Networks Object
Managing Remote Services: Default Remote Service Groups; Adding a Remote Services Object; Editing a Remote Services Object
Using Best Practices

CONFIGURING RULES
Viewing Rules; Creating a Custom Rule; Creating an Anomaly Detection Rule
Managing Rules: Enabling/Disabling Rules; Editing a Rule; Copying a Rule; Deleting a Rule
Grouping Rules: Viewing Groups; Creating a Group; Editing a Group; Copying an Item to Another Group(s); Deleting an Item from a Group; Assigning an Item to a Group
Editing Building Blocks

DISCOVERING SERVERS

FORWARDING SYSLOG DATA
Adding a Syslog Destination; Editing a Syslog Destination; Deleting a Syslog Destination

JUNIPER NETWORKS MIB

ENTERPRISE TEMPLATE
Default Rules; Default Building Blocks

RULE TESTS
Event Rule Tests: Host Profile Tests; IP/Port Tests; Event Property Tests; Common Property Tests; Log Source Tests; Function - Sequence Tests; Function - Counter Tests; Function - Simple Tests; Date/Time Tests; Network Property Tests; Function - Negative Tests
Flow Rule Tests: Host Profile Tests; IP/Port Tests; Flow Property Tests; Common Property Tests; Function - Sequence Tests; Function - Counter Tests; Function - Simple Tests; Date/Time Tests; Network Property Tests; Function - Negative Tests
Common Rule Tests: Host Profile Tests; IP/Port Tests; Common Property Tests; Function - Sequence Tests; Function - Counter Tests; Function - Simple Tests; Date/Time Tests; Network Property Tests; Function - Negative Tests
Offense Rule Tests: IP/Port Tests; Function Tests; Date/Time Tests; Log Source Tests; Offense Property Tests
Anomaly Detection Rule Tests: Anomaly Rule Tests; Behavioral Rule Tests; Threshold Rule Tests

VIEWING AUDIT LOGS
Logged Actions; Viewing the Log File

EVENT CATEGORIES
High-Level Event Categories: Recon; DoS; Authentication; Access; Exploit; Malware; Suspicious Activity; System; Policy; CRE; Potential Exploit; SIM Audit; VIS Host Discovery; Application; Audit; Risk

CONFIGURING FLOW FORWARDING FROM PRE-2010.0 OFF-SITE FLOW SOURCES
Adding a STRM 2010.0 Off-Site Target to a Pre-2010.0 Off-Site Flow Source; Creating a Pre-2010.0 Off-Site Flow Source
Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Source: Removing the Pre-2010.0 Off-Site Flow Source; Reconnecting the Off-site Target; Adding the Off-site Source

INDEX

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.

Documentation Conventions

Table 1 lists conventions that are used throughout this guide.


Table 1 Icons

Information note - Information that describes important features or instructions.
Caution - Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning - Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper customer support website at https://www.juniper.net/support/. Once you access the Juniper customer support website, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: [email protected]. Include the following information with your comments:

Document title
Page number


STRM Administration Guide


Requesting Technical Support

To help resolve any issues that you may encounter when installing or maintaining STRM, you can contact Customer Support as follows:

Open a support case using the Case Management link at http://www.juniper.net/support, or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).


OVERVIEW

This chapter provides an overview of STRM administrative functionality, including:


About the Interface
Using the Admin Interface
Deploying Changes
Resetting SIM
Updating User Details
About High Availability
Monitoring STRM Systems with SNMP

About the Interface

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab in the STRM user interface. The Admin interface provides access to the following functions:

Manage users. See Chapter 2 - Managing Users.
Manage your network settings. See Chapter 3 - Managing the System.
Manage high availability. See Chapter 4 - Managing High Availability.
Manage STRM settings. See Chapter 5 - Setting Up STRM.
Manage authorized services. See Chapter 6 - Managing Authorized Services.
Backup and recover your data. See Chapter 7 - Managing Backup and Recovery.
Manage your deployment views. See Chapter 8 - Using the Deployment Editor.
Manage flow sources. See Chapter 9 - Managing Flow Sources.
Configure remote networks and remote services. See Chapter 10 - Configuring Remote Networks and Services.
Configure rules. See Chapter 11 - Configuring Rules.
Discover servers. See Chapter 12 - Discovering Servers.
Configure syslog forwarding. See Chapter 13 - Forwarding Syslog Data.


Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
Configure plug-ins. For more information, see the associated documentation.
Configure the STRM Risk Manager. For more information, see the STRM Risk Manager Users Guide.
Manage log sources. For more information, see the Log Sources Users Guide.

All configuration updates using the Admin interface are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment. For more information, see Deploying Changes.

Using the Admin Interface

The Admin interface provides several tab and menu options that allow you to configure STRM, including:

System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, system notifications, authorized services, backup and recovery, and Console configuration.
Data Sources - Provides access to vulnerability scanners, log source management, custom event and flow properties, event and flow retention buckets, and flow sources.
Remote Networks and Services Configuration - Provides access to STRM remote networks and services.
Plugins - Provides access to plug-in components, such as the plug-in for the STRM Risk Manager. This option only appears if there are plug-ins installed on your Console.

The Admin interface also includes several menu options, including:


Table 2-1 Admin Interface Menu Options

Deployment Editor - Opens the deployment editor interface. For more information, see Chapter 8 - Using the Deployment Editor.
Deploy Changes - Deploys any configuration changes from the current session to your deployment.
Advanced > Clean SIM Model - Resets the SIM module. See Resetting SIM.
Advanced > Deploy Full Configuration - Deploys all changes.



Deploying Changes

Once you update your configuration settings using the Admin interface, you must save those changes to the staging area. You must either manually deploy all changes using the Deploy Changes button or, upon exiting the Admin interface, a window is displayed, prompting you to deploy changes before you exit. All deployed changes are then applied throughout your deployment. Using the Admin interface menu, you can deploy changes as follows:

Advanced > Deploy Full Configuration - Deploys all configuration settings to your deployment.
Deploy Changes - Deploys any configuration changes from the current session to your deployment.

Updating User Details

You can access your administrative user details through the main STRM interface. To access your user information, click Preferences. The User Details window is displayed. You can update your administrative user details, if required.

Note: For information on the pop-up notifications, see the STRM Users Guide.

Resetting SIM

Using the Admin interface, you can reset the SIM module, which allows you to remove all offenses, source IP address, and destination IP address information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information. To reset the SIM module:
Step 1 Click the Admin tab. Step 2 From the Advanced menu, select Clean SIM Model.

The Reset SIM Data Module window is displayed.


Step 3 Read the information in the window.
Step 4 Select one of the following options:
Soft Clean - Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.
Hard Clean - Purges all current and historical SIM data, including offenses, source IP addresses, and destination IP addresses. A Hard Clean cannot be undone from the interface; if you may need the purged offense history, take a backup first (see Chapter 7 - Managing Backup and Recovery).
Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.
Step 6 Click Proceed.

A message is displayed, indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.

Step 7 Click Close.
Step 8 Once the SIM reset process is complete, reset your browser.

Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message is displayed.

About High Availability

The High Availability (HA) feature ensures availability of STRM data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware or network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.


Note: HA is not supported in an IPv6 environment. For more information on managing HA clusters, see Chapter 4 - Managing High Availability.

Monitoring STRM Systems with SNMP

STRM supports the monitoring of its appliances through SNMP polling. STRM uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by network management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to the Net-SNMP documentation.

Enabling SNMP support in 2009.1 and 2009.2: SNMP support was disabled in STRM versions prior to 2009.1 because of a security vulnerability. That vulnerability, which prevented STRM from using the SNMP agent for system monitoring, has since been overcome. If you are running STRM 2009.1 or 2009.2 with the latest patch, use the following steps to re-enable SNMP support. This functionality will be available by default in the 2010.1 release of STRM.

Step 1 Download the SNMP agent RPM from http://download.juniper.net/software/strm/snmp_agent-20080205-6.2.0.530_ctrh.i386.rpm. Because the package is installed as root, verify it before you install it (for example, check the downloaded file with rpm -K).
Step 2 Connect to the STRM Console using SSH or a console connection as the root user.
Step 3 Edit /store/configservices/staging/globalconfig/nva.conf (for example, with vi) and change LINUX_AGENT_ENABLED to yes.
Step 4 In the STRM Admin tab, click Deploy Changes.
Step 5 Transfer the SNMP agent RPM to the Console using scp, then install it:

rpm -Uvh snmp_agent-20080205-6.2.0.530_ctrh.i386.rpm

Step 6 Edit the root crontab with the command crontab -e and add the following at the bottom of the file. The entry must stay on a single crontab line; it runs every minute and restarts the agent if the lock file is present but the service no longer reports that it is running:

# check snmp agent for death every minute
* * * * * if [ -f /var/lock/subsys/snmp_agent ] ; then { if [ $(service snmp_agent status 2>&1 | grep -c 'is running') -eq 0 ] ; then { rm -f /var/lock/subsys/snmp_agent ; service snmp_agent start > /dev/null 2>&1 ; } ; fi ; } ; fi

Step 7 Start the agent with the command: service snmp_agent start
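The polling side of this setup, as an added example that is not part of the STRM guide or of Net-SNMP: a small SNMPv2c GET client with its own BER encoder and decoder, so the exact datagram a network management station sends to the Console's agent, and the reply it gets back, can be built and checked offline. The OIDs are standard SNMPv2-MIB and HOST-RESOURCES-MIB objects that Net-SNMP serves by default; the community string "public", the host name and the uptime value in the simulated reply are constructed for the example, and snmp_get is the only function that touches the network.

```python
# Added example: SNMPv2c GET poller with a hand-rolled BER codec, so the request
# sent to the Console's Net-SNMP agent and its reply can be tested offline.
# Not STRM or Net-SNMP code; OIDs are standard MIB objects Net-SNMP serves.
import os
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"            # SNMPv2-MIB::sysDescr.0
HR_SYSTEM_UPTIME = "1.3.6.1.2.1.25.1.1.0"  # HOST-RESOURCES-MIB::hrSystemUptime.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2     # PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43


def _tlv(tag, body):
    # BER tag + length (short form, or long form for bodies >= 128 bytes) + body
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def enc_int(value, tag=INTEGER):
    # minimal two's-complement; TimeTicks/Counter values >= 2**31 get a 0x00 lead byte
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(tag, value.to_bytes(n, "big", signed=True))


def enc_oid(oid):
    # first two arcs packed as 40*a+b, remaining arcs base-128 with continuation bits
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(OID, bytes(out))


def build_message(community, request_id, varbinds, pdu_tag=GET_REQUEST):
    # Message ::= SEQUENCE { version INTEGER(1 = v2c), community, PDU }
    # PDU ::= [tag] { request-id, error-status, error-index, SEQUENCE OF VarBind }
    vbl = b"".join(_tlv(SEQUENCE, enc_oid(o) + v) for o, v in varbinds.items())
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, enc_int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _dec_value(tag, body):
    if tag in (INTEGER, 0x41, 0x42, TIMETICKS, 0x46):   # + Counter32, Gauge32, Counter64
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    return _dec_oid(body) if tag == OID else None if tag == NULL else body


def parse_response(msg, expected_request_id):
    # Returns {oid: value}; rejects a datagram whose request-id is not ours
    # (stale or spoofed reply) or whose error-status is non-zero.
    _, body, _ = _read_tlv(msg, 0)
    _, _version, p = _read_tlv(body, 0)
    _, _community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    if int.from_bytes(rid, "big", signed=True) != expected_request_id:
        raise ValueError("request-id mismatch")
    _, err, p = _read_tlv(pdu, p)
    _, _index, p = _read_tlv(pdu, p)          # error-index, unused here
    if int.from_bytes(err, "big", signed=True):
        raise ValueError("agent returned a non-zero error-status")
    _, vbl, _ = _read_tlv(pdu, p)
    result, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        result[_dec_oid(oid_body)] = _dec_value(vtag, vbody)
    return result


def snmp_get(host, community, oids, timeout=2.0):
    # Live poll over UDP/161 (needs the network; not exercised offline).
    rid = int.from_bytes(os.urandom(4), "big") >> 1     # random request-id, fits INTEGER32
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_message(community, rid, {o: _tlv(NULL, b"") for o in oids}), (host, 161))
        return parse_response(s.recvfrom(65535)[0], rid)


def simulated_agent_reply(request_id):
    # Constructed stand-in for the Console's agent: made-up sysDescr, uptime of
    # 4 days expressed in hundredths of a second (TimeTicks).
    return build_message("public", request_id, {
        SYS_DESCR: _tlv(OCTET_STRING, b"Linux strm-console 2.6.18"),
        HR_SYSTEM_UPTIME: enc_int(4 * 24 * 3600 * 100, TIMETICKS),
    }, pdu_tag=GET_RESPONSE)
```

Against a real Console, snmp_get("console-ip", "community", [HR_SYSTEM_UPTIME]) returns the same dictionary that parse_response produces for the simulated reply. Two points the procedure above leaves implicit: SNMPv2c carries the community string in cleartext, so treat it as a credential and restrict UDP/161 on the Console to your management station (see Configuring Firewall Access under Chapter 3 - Managing the System); and a poller should bind each reply to the request-id it sent, as parse_response does, so a stray or forged datagram is not taken for the appliance's answer.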


MANAGING USERS

You can manage user accounts for all users that require access to STRM. Each user is associated with a role, which determines the privileges the user has to access functionality and information within STRM. You can add and remove user accounts, and restrict or allow access to certain areas of the network. This chapter provides information on managing STRM users, including:
Managing Roles
Managing User Accounts
Authenticating Users

Managing Roles

You must create a role before you can create user accounts. By default, STRM provides a default administrative role, which provides access to all areas of STRM. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any account changes. This section includes information on managing user roles, including:
Viewing Roles
Creating a Role
Editing a Role
Deleting a Role

Viewing Roles

To view roles:

Step 1 Click the Admin tab. Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 In the User Management section, click the User Roles icon.

The Manage Roles window is displayed.


The Manage Roles window provides the following information:


Table 3-1 Manage Roles Parameters

Role - Specifies the defined user role.
Log Sources - Specifies the log sources you want this role to access. Note: Log sources are external event log sources such as security equipment (for example, firewalls and IDSs) and network equipment (for example, switches and routers). This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network log sources or log source groups. For non-administrative users, this column indicates a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of log sources that have been assigned to this role, move your mouse over the text in the Log Sources column. The list of log sources is displayed below the Manage Roles table.
Associated Users - Specifies the users associated with this role.
Action - Allows you to edit or delete the user role.

Creating a Role

To create a role:

Step 1 Click the Admin tab. Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the User Roles icon.

The Manage Roles window is displayed.


Step 4 Click Create Role.

The Manage Role Permissions window is displayed.


Step 5 Enter values for the parameters. You must select at least one permission to

proceed to the next step.


Table 3-2 Create Roles Parameters

Role Name - Type a unique name for the role. The name can be up to 15 characters in length and must only contain integers and letters.

Admin - Select this check box if you want to grant this user administrative access to the STRM interface. Once you select the Admin check box, all administrative access check boxes are selected by default. Within the Admin role, you can grant individual access to the following:
Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
System Administrator - Select this check box if you want to allow users access to all areas of STRM. Users with this access are not able to edit other administrator accounts.
Remote Networks and Services Configuration - Select this check box if you want to allow users the ability to configure remote networks and services in the Admin interface.

Offenses - Select this check box if you want to grant this user access to all Offenses interface functionality. Within the Offenses role, you can grant individual access to the following:
Customized Rule Creation - Select this check box if you want to allow users to create custom rules.
Assign Offenses to Users - Select this check box if you want to allow users to assign offenses to other users.
For more information on the Offenses interface, see the STRM Users Guide.

Log Activity - Select this check box if you want this user to have access to all Log Activity interface functionality. Within the Log Activity role, you can also grant users individual access to the following:
Manage Time Series - Select this check box if you want to allow users the ability to configure and view time series data charts.
Customized Rule Creation - Select this check box if you want to allow users to create rules using the Log Activity interface.
User Defined Event Properties - Select this check box if you want to allow users the ability to create custom event properties. For more information on custom event properties, see the STRM Users Guide.
For more information on the Log Activity interface, see the STRM Users Guide.

Assets - Select this check box if you want to grant this user access to all Assets interface functionality. Within the Assets role, you can grant individual access to the following:
Remove Vulnerabilities - Select this check box if you want to allow users to remove vulnerabilities from assets.
Server Discovery - Select this check box if you want to allow users to discover servers.
View VA Data - Select this check box if you want to allow users access to vulnerability assessment data. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.
Perform VA Scans - Select this check box if you want to allow users to perform vulnerability assessment scans. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.

Network Activity - Select this check box if you want to grant this user access to all Network Activity interface functionality. Within the Network Activity role, you can grant individual access to the following:
View Flow Content - Select this check box if you want to allow users access to flow data. For more information on viewing flows, see the STRM Users Guide.
Manage Time Series - Select this check box if you want to allow users to configure and view time series data charts.
Customized Rule Creation - Select this check box if you want to allow users to create rules using the Network Activity interface.
User Defined Flow Properties - Select this check box if you want to allow users the ability to create custom flow properties. For more information on custom flow properties, see the STRM Users Guide.
For more information, see the STRM Users Guide.

Reports - Select this check box if you want to grant this user access to all Reports interface functionality. Within the Reports role, you can grant users individual access to the following:
Maintain Templates - Select this check box if you want to allow users to maintain reporting templates.
Distribute Reports via Email - Select this check box if you want to allow users to distribute reports through e-mail.
For more information, see the STRM Users Guide.

IP Right Click Menu Extensions - Select this check box if you want to grant this user access to options added to the right-click menu.

Risks - This option is only available if the STRM Risk Manager is activated. Select this check box if you want to grant users access to STRM Risk Manager functionality. For more information, see the STRM Risk Manager Users Guide.

Step 6 Click Next.
Step 7 Choose one of the following options:
a If you selected a role that includes Log Activity permissions, go to Step 8.
b If you selected a role that does not include Log Activity permissions, go to Step 10.

The Add Log Sources to User Role window is displayed.

Step 8 Select the log sources you want to add to the user role:
a From the Log Source Group drop-down list box, select a log source group.
b From the Log Source list, locate and select the log source(s) you want the user assigned to this role to have access to.

Hint: You can add an entire log source group by clicking the icon in the Log Source Group section. You can also select multiple log sources by holding the CTRL key while you select each log source you want to add.

c Click the icon to move them to the Selected Log Source Objects field.

The selected log source(s) moves to the Selected Log Source Objects field.

Step 9 Click Next.

A confirmation message is displayed.


Step 10 Click Return. Step 11 Close the Manage Roles window.

The Admin interface is displayed.


Step 12 From the Admin interface toolbar, click Deploy Changes.

Editing a Role

To edit a role:

Step 1 Click the Admin tab. Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 In the User Management section, click the User Roles icon.

The Manage Roles window is displayed.


Step 4 For the role you want to edit, click the edit icon

The Manage Role Permissions window is displayed.


Step 5 Update the permissions (see Table 3-2), as necessary.
Step 6 Click Next.
Step 7 Choose one of the following options:
a If you are editing a role that includes Log Activity permissions, go to Step 8.
b If you are editing a role that does not include Log Activity permissions, go to Step 11.

The Add Log Sources to User Role window is displayed.

Step 8 Update log source permissions, as desired:
a To remove a log source permission, select the log source(s) in the Selected Log Source Objects panel that you want to remove, then click Remove Selected Log Sources.
b To add a log source permission, select an object you want to add from the left panel.
Step 9 Repeat for all log sources you want to edit for this role.
Step 10 Click Next.
Step 11 Click Return.
Step 12 Close the Manage Roles window.

The Admin interface is displayed.


Step 13 From the Admin interface menu, click Deploy Changes.

Deleting a Role

To delete a role:

Step 1 Click the Admin tab. Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 In the User Management section, click the User Roles icon.

The Manage Roles window is displayed.


Step 4 For the role you want to delete, click the delete icon.

A confirmation window is displayed.

Step 5 Click OK.
Step 6 Close the Manage Roles window.

The Admin interface is displayed.

Step 7 From the Admin interface menu, click Deploy Changes.

Managing User Accounts

You can create a STRM user account, which allows a user to access selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges. This section provides information on managing user accounts, including:

Creating a User Account
Editing a User Account
Disabling a User Account

Creating a User Account

To create an account for a STRM user:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Users icon.

The Manage Users window is displayed.


Step 4 In the Manage Users area, click Add.

The User Details window is displayed.

Step 5 Enter values for the following parameters:

Table 3-3 User Details Parameters

Username - Type a unique username for the new user. The username must not include spaces or special characters.
Password - Type a password for the user to gain access. The password must be at least five characters in length.
Confirm Password - Type the password again for confirmation.
Email Address - Type the user's e-mail address.
Role - From the drop-down list box, select the role you want to assign to this user. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Step 6 Click Next.
Step 7 Choose one of the following options:
a If you select Admin as the user role, go to Step 10.
b If you select a non-administrative user role, go to Step 8. The Selected Network Objects window is displayed.

Step 8 From the menu tree, select the network objects you want this user to be able to monitor. The selected network objects appear in the Selected Network Objects panel.
Step 9 Click Finish.
Step 10 Close the Manage Users window.

The Admin interface is displayed.

Editing a User Account

To edit a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Users icon.

The Manage Users window is displayed.


Step 4 In the Manage Users section, click the name of the user account you want to edit.

The User Details window is displayed.


Step 5 Update values (see Table 3-3), as necessary.
Step 6 Click Next.

If you are editing a non-administrative user account, the Selected Network Objects window is displayed. If you are editing an administrative user account, go to Step 10.

Step 7 From the menu tree, select the network objects you want this user to access.

The selected network objects appear in the Selected Network Objects panel.

Step 8 For each network object you want to remove access to, select the object in the Selected Network Objects panel and click Remove.
Step 9 Click Finish.
Step 10 Close the Manage Users window.

The Admin interface is displayed.

Disabling a User Account

To disable a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Users icon.

The Manage Users window is displayed.


Step 4 In the Manage Users area, click the user account you want to disable.

The User Details window is displayed.


Step 5 In the Role drop-down list box, select Disabled.
Step 6 Click Next.
Step 7 Close the Manage Users window.

The Admin interface is displayed. This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled.

After you delete a user, items such as saved searches, reports, and assigned offenses remain associated with the deleted user.

Authenticating Users

You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:

System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
LDAP - Users are authenticated by a Native LDAP server.

If you want to configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must:

Configure the authentication server before you configure authentication in STRM. Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM. See your server documentation for more information.
Make sure the time of the authentication server is synchronized with the time of the STRM server. For more information on setting STRM time, see Chapter 5 - Setting Up STRM.
Make sure all users have appropriate user accounts and roles in STRM to allow authentication with the third-party servers.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 5 - Setting Up STRM - Configuring the Console Settings.

An administrative user can access STRM through a third-party authentication module or by using the local STRM Admin password. The STRM Admin password still functions if you have set up and activated a third-party authentication module; however, you cannot change the STRM Admin password while the authentication module is active. If you want to change the STRM Admin password, you need to temporarily disable the third-party authentication module, reset the password, and then reconfigure the third-party authentication module.

To configure authentication:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Authentication icon.

The Authentication window is displayed.

Step 4 From the Authentication Module drop-down list box, select the authentication type you want to configure.

Step 5 Configure the selected authentication type:
a If you selected System Authentication, go to Step 6.
b If you selected RADIUS Authentication, enter values for the following parameters:

Table 3-4 RADIUS Parameters

RADIUS Server - Type the hostname or IP address of the RADIUS server.
RADIUS Port - Type the port of the RADIUS server.
Authentication Type - From the drop-down list box, select the type of authentication you want to perform. The options are:
CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret - Type the shared secret that STRM uses to encrypt RADIUS passwords for transmission to the RADIUS server.
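To show what the shared secret does on the wire, the following added Python example (not from this guide and not STRM's code) implements the User-Password hiding that RFC 2865 section 5.2 specifies for RADIUS PAP: the password is XORed with an MD5 keystream derived from the shared secret and a per-request authenticator, so the strength of the secret is what stands between a captured Access-Request and the password. The function names and the sample values are this example's own.

```python
import hashlib
import secrets


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way RFC 2865 section 5.2 specifies.

    The cleartext is padded with NUL bytes to a multiple of 16. Each 16-byte
    block is XORed with MD5(shared_secret + previous_block), where the
    "previous block" for the first block is the 16-byte Request Authenticator
    that the client picks fresh for every Access-Request.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the User-Password cleartext to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, keystream))
        hidden += cipher
        prev = cipher  # chaining: the next keystream block depends on this ciphertext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it.

    NUL padding is stripped afterwards, so a cleartext ending in NUL bytes
    cannot be represented (the same limitation the RFC has).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return bytes(clear).rstrip(b"\x00")


def example_exchange(password: bytes, shared_secret: bytes, wrong_secret: bytes) -> dict:
    """Model one Access-Request: the client hides, the server reveals.

    Returns what a correctly configured server recovers next to what a server
    holding a different shared secret recovers, to show that the secret, not
    the transport, is what protects the password in transit.
    """
    authenticator = secrets.token_bytes(16)  # fresh per request, sent in the clear
    hidden = hide_user_password(password, shared_secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "server_sees": reveal_user_password(hidden, shared_secret, authenticator),
        "wrong_secret_sees": reveal_user_password(hidden, wrong_secret, authenticator),
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(example_exchange(b"correct horse battery", b"STRM-radius-secret", b"guess"))
```

Because the keystream is MD5 of the secret plus a value sent in the clear, a short or guessable shared secret can be tested offline against one captured request; this is why the shared secret deserves the same care as a password and why the RADIUS port should be reachable only from the STRM hosts that need it.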

c If you selected TACACS Authentication, enter values for the following parameters:

Table 3-5 TACACS Parameters

TACACS Server - Type the hostname or IP address of the TACACS server.
TACACS Port - Type the port of the TACACS server.
Authentication Type - From the drop-down list box, select the type of authentication you want to perform. The options are:
ASCII
PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret - Type the shared secret that STRM uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected Active Directory, enter values for the following parameters:

Table 3-6 Active Directory Parameters

Server URL - Type the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context - Type the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain - Type the domain you want to use, for example q1labs.inc.

e If you selected LDAP, enter values for the following parameters:

Table 3-7 LDAP Parameters

Server URL - Type the URL used to connect to the LDAP server. For example, ldap://<host>:<port> You can use a space-separated list to specify multiple LDAP servers.
SSL Connection - From the drop-down list box, select True if you want to use Secure Socket Layer (SSL) encryption when connecting to the LDAP server. The default is True. Before enabling the SSL connection to your LDAP server, you must copy the SSL certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates/ directory on your STRM system. For more information on how to configure the SSL certificate, see Configuring your SSL Certificate.
TLS Authentication - From the drop-down list box, select True if you want to start Transport Layer Security (TLS) encryption when connecting to the LDAP server. The default is True.
Search Entire Base - From the drop-down list box, select one of the following options:
True - Enables searching all subdirectories of the specified Directory Name (DN).
False - Enables searching the immediate contents of the Base DN. The subdirectories are not searched.
The default is True.
LDAP User Field - Type the user field identifier you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.
Base DN - Type the base DN for performing searches, for example, DC=Q1LABS,DC=INC.
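How the LDAP User Field, Base DN and Search Entire Base settings combine into one directory search, as an added Python illustration of the general mechanism (not STRM's own lookup code): the comma-separated user fields are OR-ed together, the search scope follows the True/False choice, and the login name is escaped per RFC 4515 before it is placed in the filter, so metacharacters typed into the login form cannot change the filter's structure. The function names and the default Base DN (taken from the table's example) are assumptions of this example.

```python
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL are replaced by a backslash and two hex
    digits so that a login name cannot alter the structure of the filter.
    Only the ASCII metacharacters are handled here; a full implementation
    also hex-escapes the UTF-8 bytes of non-ASCII text.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_user_search(login_name: str, user_fields: str = "uid",
                      base_dn: str = "DC=Q1LABS,DC=INC",
                      search_entire_base: bool = True) -> Dict[str, str]:
    """Turn the Table 3-7 settings plus a login name into one LDAP search.

    user_fields is the comma-separated "LDAP User Field" value; each field is
    OR-ed so a user may be found by any of them. search_entire_base selects
    the subtree scope (True) or only the immediate children of the Base DN
    (False), matching the two options described for that setting.
    """
    fields: List[str] = [f.strip() for f in user_fields.split(",") if f.strip()]
    if not fields:
        raise ValueError("at least one LDAP user field is required")
    if not login_name:
        raise ValueError("login name must not be empty")
    safe = escape_filter_value(login_name)
    clauses = ["(%s=%s)" % (field, safe) for field in fields]
    ldap_filter = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return {
        "base": base_dn,
        "scope": "subtree" if search_entire_base else "onelevel",
        "filter": ldap_filter,
    }


if __name__ == "__main__":
    # Constructed inputs; the second one contains filter metacharacters and
    # shows that escaping keeps them inside the assertion value.
    for name in ("alice", "a*)(uid=*"):
        print(build_user_search(name, "uid,sAMAccountName"))
```

When reviewing an LDAP integration, the two things to confirm are that the login name is escaped exactly like this before it reaches the filter and that the Base DN and scope are no wider than the accounts that should be able to log in.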

Step 6 Click Save.

Your authentication is now configured.


Configuring your SSL Certificate

If you use LDAP for user authentication and you want to enable SSL, you must configure your SSL certificate. To configure your SSL certificate for connection to your LDAP server:

Step 1 Log in to STRM as root.
Step 2 Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:

mkdir -p /opt/qradar/conf/trusted_certificates

Step 3 Copy the SSL certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates/ directory on your STRM system.
Step 4 Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. STRM only loads .cert files.
Step 5 Change the permissions of the directory by typing the following commands:

chmod 755 /opt/qradar/conf/trusted_certificates
chmod 644 /opt/qradar/conf/trusted_certificates/*.cert

Step 6 Type the following command to restart the Tomcat service:

service tomcat restart
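The same file-system steps as an added Python helper (not part of this guide or of STRM) that also audits the result: it creates the directory, copies the certificate in under a .cert name, sets the 755/644 permissions, and reports any file STRM would skip. The function names, the PEM header check and the demo_in_scratch_dir() exercise against a temporary directory are assumptions of this example; the Tomcat restart remains a manual step.

```python
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Directory named in the guide; STRM loads only *.cert files from it.
TRUSTED_DIR = Path("/opt/qradar/conf/trusted_certificates")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def install_trusted_cert(src, trusted_dir=TRUSTED_DIR) -> Path:
    """Steps 2 to 5 of the procedure: create the directory, copy the
    certificate in under a .cert name, and set 755 on the directory and 644
    on the file. The Tomcat restart (Step 6) is left to the administrator."""
    src = Path(src)
    if PEM_HEADER not in src.read_text(errors="replace"):
        raise ValueError("%s does not look like a PEM certificate" % src)
    trusted_dir = Path(trusted_dir)
    trusted_dir.mkdir(parents=True, exist_ok=True)   # mkdir -p
    dest = trusted_dir / (src.stem + ".cert")          # only .cert files are loaded
    shutil.copyfile(src, dest)
    trusted_dir.chmod(0o755)                           # chmod 755 <dir>
    dest.chmod(0o644)                                  # chmod 644 <dir>/*.cert
    return dest


def audit_trusted_dir(trusted_dir=TRUSTED_DIR) -> Tuple[List[str], List[str]]:
    """Report which files STRM would load and anything that would stop it."""
    trusted_dir = Path(trusted_dir)
    loaded, problems = [], []
    if not trusted_dir.is_dir():
        return loaded, ["%s does not exist" % trusted_dir]
    dir_mode = stat.S_IMODE(trusted_dir.stat().st_mode)
    if dir_mode != 0o755:
        problems.append("%s mode is %o, expected 755" % (trusted_dir, dir_mode))
    for path in sorted(trusted_dir.iterdir()):
        if path.suffix != ".cert":
            problems.append("%s will be ignored: extension is not .cert" % path.name)
            continue
        file_mode = stat.S_IMODE(path.stat().st_mode)
        if file_mode != 0o644:
            problems.append("%s mode is %o, expected 644" % (path.name, file_mode))
        if PEM_HEADER not in path.read_text(errors="replace"):
            problems.append("%s is not a PEM certificate" % path.name)
            continue
        loaded.append(path.name)
    return loaded, problems


def demo_in_scratch_dir() -> dict:
    """Run both helpers against a temporary directory with constructed files,
    so the behaviour can be checked without touching /opt/qradar."""
    scratch = Path(tempfile.mkdtemp())
    try:
        trusted = scratch / "trusted_certificates"
        src = scratch / "ldap-server.pem"
        # Constructed placeholder body, not a real certificate.
        src.write_text(PEM_HEADER + "\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
        installed = install_trusted_cert(src, trusted)
        # A certificate copied in without renaming: STRM would silently skip it.
        (trusted / "old-server.pem").write_text(src.read_text())
        loaded, problems = audit_trusted_dir(trusted)
        return {"installed": installed.name, "loaded": loaded, "problems": problems}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```

Running audit_trusted_dir() with no arguments on the STRM host (as root) reports the real directory; the most common cause of an LDAP SSL connection that silently fails to verify is a certificate that was copied in under a .pem or .crt name, which this audit flags.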


MANAGING THE SYSTEM

This chapter provides information for managing your system, including:


Managing Your License Keys
Restarting a System
Shutting Down a System
Configuring Access Settings

Managing Your License Keys

For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System and License Management window, which you can access using the Admin interface. This window provides the status of the license key for each system (host) in your deployment. Statuses include:

Valid - The license key is valid.
Expired - The license key has expired. To update your license key, see Updating your License Key.
Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Revert to Console in the Manage License window.

A license key allows a certain number of log sources to be configured in your system. If you exceed the limit of configured log sources, as established by the license key, an error message is displayed in the interface. If additional log sources are auto-discovered, they are automatically disabled. To extend the number of log sources allowed, contact your sales representative. This section provides information on managing your license keys, including:

Updating your License Key
Exporting Your License Key Information


Updating your License Key

For your STRM Console, a default license key provides you with access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:

For a new or updated license key, contact your local sales representative.
For all other technical issues, contact Juniper Networks Customer Support.

If you log in to STRM and your Console license key has expired, you are automatically directed to the System and License Management window. You must update the license key before you can continue. If one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System and License Management window to update that license key.

To update your license key:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed, providing a list of all hosts in your deployment.

Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License.

The Current License Details window is displayed, providing the current license key limits. If you want to obtain additional licensing capabilities, please contact your sales representative.


Step 6 Click Browse beside the New License Key File field and select the license key.
Step 7 Click Open.

The Current License Details window is displayed.


Step 8 Click Save.
Step 9 In the System and License Management window, click Deploy License Key.

Note: If you want to revert back to the previous license key, click Revert to Deployed. If you want to revert to the license key used by the STRM Console system, click Revert to Console.

The license key information is updated in your deployment.

Exporting Your License Key Information

To export your license key information for all systems in your deployment:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.


The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed, providing a list of all hosts in your deployment.

Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses.

The export window is displayed.


Step 6 Select one of the following options:

Open with - Opens the license key data using the selected application.
Save File - Allows you to save the file to your desktop.

Step 7 Click OK.

Restarting a System

To restart a STRM system:


Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.

Note: Data collection stops while the system is shutting down and restarting.

Shutting Down a System

To shut down a STRM system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the system you want to shut down.
Step 5 From the Actions menu, select Shutdown.

Note: Data collection stops while the system is shutting down.

Configuring Access Settings

The System and License Management window provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:

Firewall access. See Configuring Firewall Access.
Update your host set-up. See Updating Your Host Set-up.
Configure the interface roles for a host. See Configuring Interface Roles.
Change the password for a host. See Changing Passwords.
Update the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between devices and STRM. Also, you can define access to the web-based system administration interface. To enable STRM managed hosts to access specific devices or interfaces:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Local Firewall.


The Local Firewall window is displayed.

Step 8 In the Device Access box, you must include any STRM systems you want to have access to this managed host. Only the listed managed hosts have access. For example, if you only enter one IP address, only that one IP address is granted access to the managed host. All other managed hosts are blocked. To configure access:
a In the IP Address field, type the IP address of the managed host you want to have access.
b From the Protocol drop-down list box, select the protocol you want to enable access for the specified IP address and port. Options include:
UDP - Allows UDP traffic.
TCP - Allows TCP traffic.
Any - Allows any traffic.
c In the Port field, type the port on which you want to enable communications.

Note: If you change the External Flow Source Monitoring Port parameter in the QFlow configuration, you must also update your firewall access configuration. For more information about QFlow configuration, see Chapter 8 - Using the Deployment Editor.

d Click Allow.

Step 9 In the System Administration Web Control box, type the IP address(es) of the managed host(s) that you want to allow access to the web-based system administration interface in the IP Address field. Only IP addresses listed have access to the interface. If you leave the field blank, all IP addresses have access. Click Allow.

Note: Make sure you include the IP address of the client desktop you want to use to access the interface. Failing to do so may affect connectivity.

Step 10 Click Apply Access Controls.
Step 11 Wait for the interface to refresh before continuing.

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail server you want STRM to use and the global password for STRM configuration. To configure your host set-up:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to update your host setup settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > STRM Setup.

The STRM Setup window is displayed.


Step 8 In the Mail Server field, type the address for the mail server you want STRM to use. STRM uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM, type localhost.
Step 9 In the Enter the global configuration password field, type the password you want to use to access the host. Type the password again for confirmation.

Note: The global configuration password does not accept special characters. The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.

Step 10 Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host. To assign roles:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 7 From the menu, select Managed Host Config > Network Interfaces.

The Network Interfaces window is displayed, including a list of each interface on your managed host.

Note: For assistance with determining the appropriate role for each interface, contact Juniper Networks Customer Support.


Step 8 For each interface listed, select the role you want to assign to the interface from the Role drop-down list box.
Step 9 Click Save Configuration.
Step 10 Wait for the interface to refresh before continuing.

Changing Passwords

To change the passwords:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Root Password.

The Root Passwords window is displayed.


Step 8 Update the passwords:

Note: Make sure you record the entered values. The root password does not accept the following special characters: apostrophe ('), dollar sign ($), exclamation mark (!).

New Root Password - Type the root password necessary to access the web-based system administration interface.
Confirm New Root Password - Type the password again for confirmation.

Step 9 Click Update Password.

Updating System Time

You are able to change the time for the following options:

System time
Hardware time
Time Zone
Time Server

Note: All system time changes must be made within the System Time window. You can only change the system time information on the host operating the Console. The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:

Configuring Your Time Server Using RDATE
Manually Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE

To update the time settings using RDATE:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to configure system time settings.


Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 7 From the menu, select Managed Host Config > System Time.

The System Time window is displayed.

Step 8 Configure the time zone:
a Click Change time zone. The Time Zone window is displayed.
b From the Change timezone to drop-down list box, select the time zone in which this managed host is located.
c Click Save.

Step 9 Configure the time server:
a Click Time server sync. The Time Server window is displayed.
b Configure the following parameters:

Table 4-1 Time Server Parameters

Timeserver hostnames or addresses - Type the time server hostname or IP address.
Set hardware time too - Select the check box if you want to set the hardware time.
Synchronize on schedule? - Select one of the following options:
No - Select this option if you do not want to synchronize the time. Go to c.
Yes - Select this option if you want to synchronize the time.
Simple Schedule - Select this option if you want the time update to occur at a specific time. Once you select this option, select a simple schedule from the drop-down list box.
Times and dates are selected below - Select this option to specify the time you want the time update to occur. Once you select this option, select the times and dates in the list boxes.

c Click Sync and Apply.


Manually Configuring Time Settings For Your System

To update the time settings for your system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.

Step 3 Click the System and License Management icon.

The System and License Management window is displayed.

Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 7 From the menu, select Managed Host Config > System Time.

The System Time window is displayed.

Caution: The time settings window is divided into two sections. You must save each setting before continuing. For example, when you configure system time, you must click Apply within the System Time section before continuing.

Step 8 Click Set time.
Step 9 Set the system time:
a Choose one of the following options:
In the System Time panel, using the drop-down list boxes, select the current date and time you want to assign to the managed host.
Click Set system time to hardware time.
b Click Apply.

The Hardware Time window is displayed.

Step 10 Set the hardware time:
a Choose one of the following options:
In the Hardware Time panel, using the drop-down list boxes, select the current date and time you want to assign to the managed host.
Click Set hardware time to system time.
b Click Save.

Step 11 Configure the time zone:
a Click Change time zone. The Time Zone window is displayed.
b From the Change Timezone To drop-down list box, select the time zone in which this managed host is located.
c Click Save.


MANAGING HIGH AVAILABILITY

The High Availability (HA) feature ensures STRM data remains available in the event of a hardware or network failure. To achieve HA, STRM pairs a primary appliance with a secondary HA appliance to create an HA cluster. The HA cluster uses several monitoring functions, such as a heartbeat ping between the primary and secondary appliances, and network connectivity monitoring to other appliances in the STRM deployment. The secondary host maintains the same data as the primary host by one of two methods: data synchronization between the primary and secondary appliances, or shared external storage. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. Scenarios that cause failover include:

Network failure, as detected by network connectivity testing
Management interface failure on the primary host
Complete Redundant Array of Independent Disks (RAID) failure on the primary host
Power supply failure
Operating system malfunction that delays or stops the heartbeat ping

Note: Heartbeat messages do not monitor specific STRM processes.

Note: You can manually force a failover from a primary host to a secondary host. This is useful for planned maintenance on the primary host. For more information on manually forcing a failover, see Setting an HA Host Offline.

This chapter provides information for configuring and managing HA, including:

Before You Begin
HA Deployment Overview
Adding an HA Cluster
Editing an HA Cluster
Setting an HA Host Offline
Setting an HA Host Online
Restoring a Failed Host


Before You Begin

Before adding an HA cluster, confirm the following:

Note: For more information on HA concepts, such as HA clustering and data storage strategies, see HA Deployment Overview.

If you plan to enable disk replication (see Disk Synchronization), we require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).
Virtual LAN (VLAN) routing, which divides a physical network into multiple subnets, is not recommended.
The secondary host is located on the same subnet as the primary host.
The new primary host IP address is set up on the same subnet.
The management interface only supports one Cluster Virtual IP address. Multihoming is not supported.
The secondary host you want to add must have a valid HA activation key.
The secondary host must use the same management interface as the primary host. For example, if the primary host uses ETH0 as the management interface, the secondary host must also use ETH0.
The secondary host you want to add must not already be a component in another HA cluster.
The primary and secondary hosts must have the same STRM software version and patch level installed.
If you plan to share storage (see Shared Storage), the secondary host must be configured with the same external iSCSI devices (if any) as the primary host. For more information on configuring iSCSI, see the Configuring iSCSI technical note.
The /store partition on the secondary host must be equal to or larger than the /store partition on the primary host. For example, do not pair a primary host with a 3 TB disk with a secondary host with a 2 TB disk.
The appliances must be the same model and type, and have the same disk configuration.
We recommend that you back up your configuration information and data on all hosts you intend to configure for HA. For more information on backing up your configuration information and data, see Chapter 7 - Managing Backup and Recovery.

Note: Disk replication is not enabled by default on QFlow Collectors and is not required for successful failover.

STRM Administration Guide


HA Deployment Overview

This overview provides information on the key HA deployment concepts, including:

- HA Clustering
- Data Storage Strategies
- Failovers

HA Clustering

An HA cluster consists of the following:

Primary host - The primary host is the host for which you want to configure HA. You can configure HA for any system (Console or non-Console) in your deployment. When you configure HA, the IP address of the primary host automatically becomes the Cluster Virtual IP address; therefore, you must configure a new IP address for the primary host.

Secondary host - The secondary host is the standby for the primary host. If the primary host fails, the secondary host automatically assumes all responsibilities of the primary host.

Cluster Virtual IP address - When you configure HA, the current IP address of the primary host automatically becomes the Cluster Virtual IP address and you must assign a new IP address to the primary host. In the event that the primary host fails, the Cluster Virtual IP address is assumed by the secondary host. STRM uses the primary host's IP address as the Cluster Virtual IP address to allow other hosts in your deployment to continue communicating with the HA cluster without requiring you to reconfigure the hosts to send data to a new IP address.

In the following figure, for example, the current IP address of the primary host is 10.100.1.1 and the IP address of the secondary host is 10.100.1.2.

When configured as an HA cluster, the current primary host IP address (10.100.1.1) automatically becomes the Cluster Virtual IP address. A new IP address must be assigned to the primary host. In this example, the assigned IP address for the primary host is 10.100.1.3.

Note: You can view the IP addresses for the HA cluster by pointing your mouse over the Host Name field in the System and License Management window.

Data Storage Strategies

STRM provides the following data storage strategies in an HA deployment:

- Disk Synchronization
- Shared Storage

Disk Synchronization

The hosts in an HA cluster must have access to the same data on the /store partition. When you install your secondary host and apply an HA license key, a /store partition is automatically installed and configured on the host. Once an HA cluster is configured with the Disable Disk Replication option cleared (default) and the /store partition is not mounted externally, data in the active host's /store partition is automatically replicated to the standby host's /store partition using a disk synchronization system.

When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take up to 24 hours or more, depending on your deployment. We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps). The secondary host only assumes the Standby status after the initial disk synchronization is complete.

When the primary host fails over and the secondary host becomes the Active host, the secondary host continues to read and write data on the /store partition. When the primary host is restored, the two /store partitions are no longer synchronized. Therefore, before the primary host can resume the Active state, disk replication automatically occurs. When disk replication is complete, the primary host is set to the Offline state and you must manually set the primary host to the Online state. The period of time to perform the post-failover disk synchronization is considerably less than the initial disk synchronization, unless the disk on the primary host was replaced or reformatted when the host was manually repaired.

Shared Storage

If the primary host has the /store partition mounted on an external storage device, the secondary host must also have the /store partition mounted on the same external storage device.

Caution: You must configure the external storage on the secondary host before configuring the HA cluster. For more information on configuring external storage, see the Configuring iSCSI technical note.

If the primary and secondary host access the shared storage at the same time, data corruption can occur. Before a failover occurs, the secondary host determines if the primary host is still accessing the shared storage. If the secondary host detects that the primary host is still reading and writing to the shared storage, failover cannot occur and the secondary host is automatically set to the Offline state.

Caution: If your primary host and secondary hosts are geographically isolated, failover may still occur while the primary host is reading or writing to the shared storage.

Failovers

When the primary host fails over, the secondary host performs the following actions in sequence:

1 Mounts any external shared storage devices, if required.
2 Creates a network alias for the management interface. For example, the network alias for eth0 is eth0:0.
3 Assigns the Cluster Virtual IP address to the network alias.
4 Starts all STRM services.
5 Connects to the Console and downloads configuration files.

This section provides information on general failover scenarios, including:

- Primary Network Failure
- Primary Disk Failure
- Secondary Network or Disk Failure

Primary Network Failure

The primary host automatically pings all other managed hosts to test its network connection. If the primary host loses network connectivity to a managed host and the connection to the secondary host is still intact, the primary host requests the secondary host to verify that it has full connectivity to other managed hosts in the deployment. The secondary host performs a network connectivity test, testing all hosts specified in the Advanced Settings of the HA wizard (Table 5-2). If the test succeeds, the primary host performs a controlled shutdown and fails over to the secondary host. This prevents the primary host from failing over to a secondary host that is also experiencing network connectivity problems.

Primary Disk Failure

An HA cluster configured with disk replication monitors the disks on which the /store partition is mounted. If RAID completely fails and all disks are unavailable, the primary host shuts down and fails over to the secondary host.

Secondary Network or Disk Failure

If the primary host detects that the secondary host has failed, the primary host generates an event to notify you that the secondary host is no longer providing HA protection.
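The failover rules above, together with the heartbeat settings of Table 5-2, can be written down as decision functions. The following Python block is an added illustration, not Juniper's code: its defaults are the Table 5-2 defaults, the peer addresses are constructed sample values, and the behaviour when the primary's link to the secondary is down is an assumption of the model, not something the guide states.

```python
"""Model of the HA failover decisions described in this section.

Added illustration, not STRM code.  It encodes the stated rules: the
heartbeat interval and timeout, the peer connectivity test that gates a
network failover, and the shared-storage check that refuses a failover.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class HaSettings:
    heartbeat_interval: int = 10     # seconds between heartbeat pings (Table 5-2 default)
    heartbeat_timeout: int = 30      # seconds without a heartbeat before the primary is unavailable
    peer_ips: Tuple[str, ...] = ()   # hosts the secondary pings in its connectivity test


def missed_heartbeats_before_timeout(s: HaSettings) -> int:
    """Consecutive unanswered heartbeats that exhaust the timeout (ceiling division)."""
    return -(-s.heartbeat_timeout // s.heartbeat_interval)


def primary_unavailable(s: HaSettings, last_reply: float, now: float) -> bool:
    """True once the secondary has gone the full timeout without a heartbeat reply."""
    return now - last_reply >= s.heartbeat_timeout


def primary_network_failure_action(s: HaSettings, lost_peers: Iterable[str],
                                   secondary_link_up: bool,
                                   secondary_test: Dict[str, bool]) -> str:
    """What the primary does when its own pings to managed hosts fail.

    lost_peers: managed hosts the primary can no longer reach.
    secondary_link_up: whether the primary's connection to the secondary is intact.
    secondary_test: result of the secondary's ping of each peer in s.peer_ips.
    """
    if not list(lost_peers):
        return "stay_active"
    if not secondary_link_up:
        # The guide only describes the case where this link is intact; with it
        # down no controlled hand-off is possible (assumption of this model).
        return "stay_active"
    if all(secondary_test.get(ip, False) for ip in s.peer_ips):
        return "controlled_shutdown_and_failover"
    # The secondary shares the connectivity problem, so failing over would not help.
    return "stay_active"


def secondary_failover_decision(s: HaSettings, last_reply: float, now: float,
                                shared_storage: bool,
                                primary_using_storage: bool) -> str:
    """What the secondary does once the heartbeat timeout has expired."""
    if not primary_unavailable(s, last_reply, now):
        return "standby"
    if shared_storage and primary_using_storage:
        # Two hosts writing /store would corrupt it: the failover is refused and
        # the secondary is set Offline instead.
        return "offline"
    return "failover"
```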

Adding an HA Cluster

The System and License Management window allows you to manage your HA clusters. To add an HA cluster:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the host for which you want to configure HA.
Step 5 From the Actions menu, select Add HA Host.

Note: If the primary host is a Console, a warning message is displayed to indicate that the user interface restarts after you add the HA host. Click OK to proceed.

The HA Wizard is displayed.


Note: If you do not want to view the Welcome to the High Availability window again, select the Skip this page when running the High Availability wizard check box.
Step 6 Read the introductory text. Click Next.

The Select the High Availability Wizard Options window appears, automatically displaying the Cluster Virtual IP address, which is the IP address of the primary host (Host IP).

Step 7 To configure the HA host information, configure the following parameters:


Table 5-1 HA Host Information Parameters

Primary Host IP Address - Type a new primary host IP address. The new primary host IP address is assigned to the primary host, replacing the previous IP address. The current IP address of the primary host becomes the Cluster Virtual IP address. If the primary host fails and the secondary host becomes active, the Cluster Virtual IP address is assigned to the secondary host. Note: The new primary host IP address must be on the same subnet as the Host IP.

Secondary Host IP Address - Type the IP address of the secondary host you want to add. The secondary host must be in the same subnet as the primary host.

Enter the root password of the host - Type the root password for the secondary host. The password must not include special characters.

Confirm the root password of the host - Type the root password for the secondary host again for confirmation.

Step 8 Optional. To configure advanced parameters:

a Click the arrow beside Show Advanced Options. The advanced option parameters are displayed.

b Configure the following parameters:

Table 5-2 Advanced Options Parameters

Heartbeat Intervals (seconds) - Type the time, in seconds, you want to elapse between heartbeat messages. The default is 10 seconds. At the specified interval, the secondary host sends a heartbeat ping to the primary host to detect hardware and network failure. For more information on failover scenarios, see HA Deployment Overview.

Heartbeat Timeout (seconds) - Type the time, in seconds, you want to elapse before the primary host is considered unavailable if there is no heartbeat detected. The default is 30 seconds. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. For more information on failover scenarios, see HA Deployment Overview.

Network Connectivity Test: List peer IP addresses (comma delimited) - Type the IP address(es) of the host(s) you want the secondary host to ping, as a means to test its own network connection. The default is all other managed hosts in your deployment. For more information on network connectivity testing, see Primary Network Failure.

Disk Synchronization Rate (MB/s) - Type or select the disk synchronization rate. The default is 100 MB/s. Note: When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take up to 24 hours or more. The secondary host only assumes the Standby status after the initial disk synchronization is complete. Note: We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).

Disable Disk Replication - Select this option if you want to disable disk replication. Note: This option is only visible for non-Console hosts.

c Click Next.

The HA Wizard connects to the primary and secondary host to perform the following validations:

- Verifies that the secondary host has a valid HA activation key.
- Verifies that the secondary host is not already added to another HA cluster.
- Verifies that the software versions on the primary and secondary hosts are the same.
- Verifies that the primary and secondary hosts support the same Device Support Module (DSM), scanner, and protocol RPMs.
- Verifies if the primary host has an externally mounted storage system. If it does, the HA wizard then verifies that the secondary host also has an externally mounted storage system.

If any of these validations fail, the HA wizard displays an error message and then closes. Otherwise, the Confirm the High Availability Wizard Options window is displayed.

Caution: If the primary host is configured with external storage, you must configure the secondary host with the same external storage before continuing.
Step 9 Review the information. Click Finish.

Note: If Disk Synchronization is enabled, it can take 24 hours or more for the data to initially synchronize.

Note: If required, click Back to return to the Confirm the High Availability Wizard Options window to edit the information.

The System and License Management window displays the HA cluster you added. Use the Arrow icon to display or hide the secondary host.


The System and License Management window provides the status of your HA clusters, including:

Table 5-3 HA Status Descriptions

Active - Specifies that the host is acting as the active system with all services running. Either the primary or secondary host can display the Active status. If the secondary host is displaying the Active status, failover has occurred.

Standby - Specifies that the host is acting as the standby system. This status only displays for a secondary host. The standby system has no services running. If disk replication is enabled, the standby system is replicating data from the primary host. If the primary host fails, the standby system automatically assumes the active role.

Failed - Specifies that the host is in a failed state. Either the primary or secondary host can display the Failed status:
- If the primary host displays the Failed status, the secondary host takes over the services and should now display the Active status.
- If the secondary host displays the Failed status, the primary host remains active, but is not protected by HA.
A system in the failed state must be manually repaired (or replaced), and then restored. See Restoring a Failed Host. Note: Depending on the type of failure that caused the failover, you may not be able to access a failed system from the Console.

Synchronizing - Specifies that the host is synchronizing data on the local disk of the host to match the currently active system. Note: This status only appears if disk replication is enabled.

Online - Specifies that the host is online.

Offline - Specifies that the host is offline. All processes are stopped and the host is not monitoring the heartbeat from the active system. Both the primary and the secondary can display the Offline status. While in the Offline state, disk replication continues if it is enabled.

Restoring - Once you select High Availability > Restore System to restore a failed host (see Restoring a Failed Host), this status specifies that the system is in the process of restoring.

Needs License - Specifies that a license key is required for the HA cluster. See Chapter 3 - Managing the System, Updating your License Key. In the Needs License state, no processes are running.

Setting Offline - Specifies that the host is in the process of changing state from online to offline.

Setting Online - Specifies that the host is in the process of changing state from offline to online.

Needs Upgrade - Specifies that the host requires a software upgrade, because the primary host has been upgraded to a newer software version. If the secondary host displays the Needs Upgrade status, the primary host remains active, but is not protected by HA. Heartbeat monitoring and disk replication, if enabled, continue to function. Note: Only a secondary host can display a Needs Upgrade status.

Upgrading - Specifies that the host is in the process of upgrading software. If the secondary host displays the Upgrading status, the primary host remains active, but is not protected by HA. Heartbeat monitoring and disk replication, if enabled, continue to function. Note: Only a secondary host can display an Upgrading status.

Editing an HA Cluster

Using the Edit HA Host feature, you can edit the advanced options for your HA cluster. To edit an HA cluster:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.



Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the row for the HA cluster you want to edit.
Step 5 From the High Availability menu, select Edit HA Host.

The HA Wizard is displayed.

Step 6 Edit the parameters in the advanced options section. See Table 5-2.
Step 7 Click Next.

The Confirm the High Availability Wizard Options window is displayed.


Step 8 Review the information. Click Finish.

The secondary host restarts and your HA cluster continues functioning.

Removing an HA Host

You can remove an HA host from a cluster. You cannot remove a host from an HA cluster when the primary HA host is in the Failed, Offline, or Synchronizing state. To remove an HA host:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the HA host you want to remove.
Step 5 From the High Availability menu, select Remove HA Host.

A confirmation message is displayed, indicating that removing an HA host reboots the user interface.
Step 6 Click OK.

Once you remove an HA host, the host restarts and becomes available to be added to another cluster.


Setting an HA Host Offline

You can set either the primary or secondary host to Offline from the Active or Standby state. If you set the active system to Offline, the standby system becomes the active system, thereby forcing a failover. If you set the standby system to Offline, the standby system no longer monitors the heartbeat of the active system, but continues to synchronize data from the active system. To set an HA host offline:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the HA host you want to set to offline.
Step 5 From the High Availability menu, select Set System Offline.

The status for the host changes to Offline.

Setting an HA Host Online

When you set the secondary host to online, the secondary host becomes the standby system. If you set the primary host to Online while the secondary system is currently the active system, the primary host becomes the active system and the secondary host automatically becomes the standby system. To set an HA host online:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.

The System and License Management window is displayed.


Step 4 Select the offline HA host you want to set to online.
Step 5 From the High Availability menu, select Set System Online.

The status for the host changes to Online.

Restoring a Failed Host

If a host displays a status of Failed, a hardware or network failure occurred for that host. Before you can restore the host using the user interface, you must manually repair the host. For more information, see your network administrator. To restore a failed system:

Step 1 Recover the failed host.


Note: Recovering a failed host involves re-installing STRM. For more information on recovering a failed host, see the STRM Installation Guide. If you are recovering a primary host and your HA cluster uses shared storage, you must manually configure iSCSI. For more information on configuring iSCSI, see the Configuring iSCSI technical note.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 4 Click the System and License Management icon.

The System and License Management window is displayed.


Step 5 Select the failed HA host you want to restore.
Step 6 From the High Availability menu, select Restore System.

The system restores the HA configuration on the failed host. The status of the host changes through the following sequence:

a Restoring
b Synchronizing (if disk synchronization is enabled)
c Standby (secondary host) or Offline (primary host)

If the restored host is the primary system, you must manually set the primary system to the Online state. See Setting an HA Host Online.


SETTING UP STRM

This chapter provides information on setting up STRM, including:

- Creating Your Network Hierarchy
- Scheduling Automatic Updates
- Configuring System Settings
- Using Event and Flow Retention Buckets
- Configuring System Notifications
- Configuring the Console Settings

Creating Your Network Hierarchy

STRM uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment. When you develop your network hierarchy, you should consider the most effective method for viewing network activity. The network you configure in STRM does not have to resemble the physical deployment of your network. STRM supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.

Considerations

Consider the following when defining your network hierarchy:

- Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.
- Create multiple top-level groups if your deployment is processing more than 600,000 flows.
- Organize your systems/networks by role or similar traffic patterns. For example, mail servers, departmental users, labs, or development groups. This allows you to differentiate network behavior and enforce network management security policies.
- Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM, allowing you to enact specific policies.
- Within a group, place servers with high volumes of traffic, such as mail servers, at the top of the group. This provides you a clear visual representation when a discrepancy occurs. We recommend that you extend this practice to all groups.
- Combine multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a single network/group to conserve disk space. For example:

Group  Description       IP Address
1      Marketing         10.10.5.0/24
2      Sales             10.10.8.0/21
3      Database Cluster  10.10.1.3/32
                         10.10.1.4/32
                         10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group.

- You may also want to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied. For example:

Group      Subgroup             IP Address
Cleveland  Cleveland misc       10.10.0.0/16
Cleveland  Cleveland Sales      10.10.8.0/21
Cleveland  Cleveland Marketing  10.10.1.0/24

If you add a new network to the above example, such as 10.10.50.0/24, which is an HR department, the traffic appears as Cleveland-based and any rules applied to the Cleveland group are applied by default.

Defining Your Network Hierarchy

To define your network hierarchy:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Network Hierarchy icon.

The Network Views window is displayed.


Step 4 From the menu tree, select the areas of the network in which you want to add a network component.

The Manage Group window appears for the selected network component.

Step 5 Click Add.

The Add Network Object window is displayed.

Step 6 Enter your network object values:

Table 6-1 Add New Object Parameters

Group - From the drop-down list box, select a group for the new network object and click Add Group.
Name - Type a unique name for the object.
Weight - Type or select the weight of the object. The range is 0 to 100 and indicates the importance of the object in the system.
IP/CIDR(s) - Type the CIDR range(s) for this object and click Add. For more information on CIDR values, see Accepted CIDR Values.
Description - Type a description for this network object.
Color - Click Select Color and select a color for this object.
Database Length - From the drop-down list box, select the database length.

Step 7 Click Save.
Step 8 Repeat for all network objects.
Step 9 Click Re-Order.

The Reorder Group window is displayed.

Step 10 Organize the network objects in the desired order.
Step 11 Click Save.

Note: We recommend adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects.

Accepted CIDR Values

The following table provides a list of the CIDR values that STRM accepts:

Table 6-2 Accepted CIDR Values

CIDR Length  Mask             Number of Networks  Hosts
/1           128.0.0.0        128 A               2,147,483,392
/2           192.0.0.0        64 A                1,073,741,696
/3           224.0.0.0        32 A                536,870,848
/4           240.0.0.0        16 A                268,435,424
/5           248.0.0.0        8 A                 134,217,712
/6           252.0.0.0        4 A                 67,108,856
/7           254.0.0.0        2 A                 33,554,428
/8           255.0.0.0        1 A                 16,777,214
/9           255.128.0.0      128 B               8,388,352
/10          255.192.0.0      64 B                4,194,176
/11          255.224.0.0      32 B                2,097,088
/12          255.240.0.0      16 B                1,048,544
/13          255.248.0.0      8 B                 524,272
/14          255.252.0.0      4 B                 262,136
/15          255.254.0.0      2 B                 131,068
/16          255.255.0.0      1 B                 65,534
/17          255.255.128.0    128 C               32,512
/18          255.255.192.0    64 C                16,256
/19          255.255.224.0    32 C                8,128
/20          255.255.240.0    16 C                4,064
/21          255.255.248.0    8 C                 2,032
/22          255.255.252.0    4 C                 1,016
/23          255.255.254.0    2 C                 508
/24          255.255.255.0    1 C                 254
/25          255.255.255.128  2 subnets           124
/26          255.255.255.192  4 subnets           62
/27          255.255.255.224  8 subnets           30
/28          255.255.255.240  16 subnets          14
/29          255.255.255.248  32 subnets          6
/30          255.255.255.252  64 subnets          2
/31          255.255.255.254  none                none
/32          255.255.255.255  1/256 C             1

For example, a network is called a supernet when the prefix boundary contains fewer bits than the network's natural (such as, classful) mask. A network is called a subnet when the prefix boundary contains more bits than the network's natural mask:

209.60.128.0 is a class C network address with a mask of /24. 209.60.128.0 /22 is a supernet that yields:
209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24

192.0.0.0 /25
Subnet  Host Range
0       192.0.0.1 - 192.0.0.126
1       192.0.0.129 - 192.0.0.254

192.0.0.0 /26
Subnet  Host Range
0       192.0.0.1 - 192.0.0.62
1       192.0.0.65 - 192.0.0.126
2       192.0.0.129 - 192.0.0.190
3       192.0.0.193 - 192.0.0.254

192.0.0.0 /27
Subnet  Host Range
0       192.0.0.1 - 192.0.0.30
1       192.0.0.33 - 192.0.0.62
2       192.0.0.65 - 192.0.0.94
3       192.0.0.97 - 192.0.0.126
4       192.0.0.129 - 192.0.0.158
5       192.0.0.161 - 192.0.0.190
6       192.0.0.193 - 192.0.0.222
7       192.0.0.225 - 192.0.0.254
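The arithmetic behind Table 6-2 and the subnet and supernet listings above, plus the longest-prefix classification that makes a new 10.10.50.0/24 network count as Cleveland traffic in the network hierarchy example, in a Python block added here as an illustration (not STRM code). The CLEVELAND hierarchy is constructed sample data that combines the two group tables in the Considerations section.

```python
"""CIDR arithmetic behind Table 6-2 and the network hierarchy examples.

Added illustration, not STRM code.  It derives the dotted mask and the
"Number of Networks" / "Hosts" columns of Table 6-2 for a prefix length,
splits a network into subnets or a supernet into its classful members
(the 192.0.0.0/25-/27 and 209.60.128.0/22 examples), and classifies an
address against a network hierarchy by longest-prefix match.
"""
from typing import Dict, List, Optional, Tuple

ALL_ONES = (1 << 32) - 1


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for_prefix(prefix: int) -> str:
    """Dotted mask for /prefix, e.g. /21 -> 255.255.248.0 (Table 6-2)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip(ALL_ONES ^ ((1 << (32 - prefix)) - 1))


def table_columns(prefix: int) -> Tuple[str, int]:
    """(Number of Networks, Hosts) in the convention of Table 6-2.

    For /1 to /24 the table counts the classful networks (A, B or C) the
    prefix spans and sums their usable hosts; from /25 on it gives the usable
    hosts of one subnet (all-zeros and all-ones addresses excluded).
    """
    if not 1 <= prefix <= 32:
        raise ValueError("Table 6-2 covers /1 to /32")
    if prefix == 32:
        return "1/256 C", 1
    if prefix == 31:
        return "none", 0
    if prefix > 24:
        return f"{1 << (prefix - 24)} subnets", (1 << (32 - prefix)) - 2
    for letter, bits in (("A", 8), ("B", 16), ("C", 24)):
        if prefix <= bits:
            count = 1 << (bits - prefix)
            return f"{count} {letter}", count * ((1 << (32 - bits)) - 2)
    raise AssertionError("unreachable")


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """Return (network as int, prefix) with the host bits cleared."""
    ip, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    mask = ip_to_int(mask_for_prefix(prefix))
    return ip_to_int(ip) & mask, prefix


def split(cidr: str, new_prefix: int) -> List[str]:
    """Component networks of cidr at new_prefix: a supernet's classful
    members (209.60.128.0/22 -> four /24s) or a network's subnets."""
    base, prefix = parse_cidr(cidr)
    if new_prefix < prefix:
        raise ValueError("new prefix must be at least as long as the original")
    size = 1 << (32 - new_prefix)
    return [f"{int_to_ip(base + i * size)}/{new_prefix}"
            for i in range(1 << (new_prefix - prefix))]


def subnet_host_ranges(cidr: str, new_prefix: int) -> List[Tuple[int, str, str]]:
    """(subnet index, first host, last host) per subnet, as in the
    192.0.0.0 /25, /26 and /27 listings above."""
    if new_prefix > 30:
        raise ValueError("/31 and /32 have no host range in this scheme")
    size = 1 << (32 - new_prefix)
    out = []
    for i, sub in enumerate(split(cidr, new_prefix)):
        net, _ = parse_cidr(sub)
        out.append((i, int_to_ip(net + 1), int_to_ip(net + size - 2)))
    return out


# Constructed hierarchy: the Cleveland subgroups plus the Database Cluster
# object from the first group table, as /32 objects inside the same /16.
CLEVELAND: Dict[str, List[str]] = {
    "Cleveland misc": ["10.10.0.0/16"],
    "Cleveland Sales": ["10.10.8.0/21"],
    "Cleveland Marketing": ["10.10.1.0/24"],
    "Database Cluster": ["10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"],
}


def classify(ip: str, hierarchy: Dict[str, List[str]] = CLEVELAND) -> Optional[str]:
    """Most specific (longest prefix) network object containing ip, or None.
    A new 10.10.50.0/24 network has no object of its own and so lands in
    the /16 catch-all, inheriting the Cleveland rules."""
    addr = ip_to_int(ip)
    best: Optional[Tuple[str, int]] = None
    for name, cidrs in hierarchy.items():
        for cidr in cidrs:
            net, prefix = parse_cidr(cidr)
            if (addr >> (32 - prefix)) == (net >> (32 - prefix)):
                if best is None or prefix > best[1]:
                    best = (name, prefix)
    return best[0] if best else None
```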

Scheduling Automatic Updates

STRM uses system configuration files to provide useful characterizations of network data flows. You can update your configuration files automatically or manually to make sure your configuration files contain the latest network security information. The updates, available on the Juniper customer support web site, include threats, vulnerabilities, and geographic information from various security-related web sites.

Note: We do not guarantee the accuracy of the third-party information contained on the above-mentioned web sites.

Note: In an HA deployment, once you update your configuration files on the primary host and deploy your changes, the updates are automatically performed on the secondary host. If you do not deploy your changes, the updates are performed on the secondary host through an automated process that runs hourly.

You can configure the automatic updates to include minor updates (such as on-line Help or updated scripts), major updates (such as updated JAR files), or DSM updates. You can configure the automatic updates function to download and install minor updates. Major updates and DSM updates must be downloaded and installed manually. The Console must be connected to the Internet to receive the updates.

STRM allows you to either replace your existing configuration files or integrate the updates with your existing files to maintain the integrity of your current configuration and information. You can also update the configuration files for all systems in your STRM deployment. However, the system and event views must already be created in your deployment editor. For more information on using the deployment editor, see Chapter 8 - Using the Deployment Editor.

Caution: Failing to build your deployment map before you configure automatic or manual updates results in your remote systems not being updated.

This section includes:

- Scheduling Automatic Updates
- Updating Your Files On-Demand

Scheduling Automatic Updates

To schedule automatic updates:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Auto Update icon.

The Auto Update Configuration window is displayed.


Step 4 Configure the update method and types of updates you want to receive using the Choose Updates box:


Table 6-3 Choose Updates Parameters

Update Method - From the drop-down list box, select the method you want to use for updating your system, including:
- Auto Integrate - Select this option to integrate the new configuration files with your existing files and maintain the integrity of your information. This is the default.
- Auto Update - Select this option to replace your existing configuration files with the new configuration files.

Weekly Updates - Weekly updates include vulnerability, QID map updates, and security threat information. From the drop-down list box, select one of the following:
- Enabled - Select this option to allow weekly updates to be installed on your system. This is the default.
- Disabled - Select this option to prevent weekly updates from being installed on your system.

Minor Updates - Minor updates include items such as additional on-line Help content or updated scripts. From the drop-down list box, select one of the following options for minor updates:
- Disabled - Select this option to prevent minor updates from being installed on your system.
- Download - Select this option to download the minor updates to the designated download path location. See the readme file in the download files for installation instructions.
- Install - Select this option to automatically install minor updates on your system. This is the default.

Major Updates - Major updates require service interruptions to install. Major updates include such items as updated JAR files. From the drop-down list box, select one of the following options for major updates:
- Disabled - Select this option to prevent major updates from being installed on your system. This is the default.
- Download - Select this option to download the major updates to the designated download path location. See the readme file in the download files for installation instructions.

DSM Updates - From the drop-down list box, select one of the following options for DSM updates:
- Disabled - Select this option to prevent DSM updates from being installed on your system.
- Download - Select this option to download the DSM updates to the designated download path location. This is the default. See the readme file in the download files for installation instructions.

Download Path - Type the directory path location in which you want to store DSM, minor, and major updates. The default is /store/configservices/staging/updates.

Step 5 Configure the server settings:

Table 6-4 Server Configuration Parameters

Webserver
  Type the web server from which you want to obtain the updates. The default web site is: www.juniper.net/support/
Directory
  Type the directory location in which you want to store the updates. The default is autoupdates/.
Proxy Server
  Type the URL for the proxy server.
Proxy Port
  Type the port for the proxy server.
Proxy Username
  Type the necessary username for the proxy server. A username is only required if you are using an authenticated proxy.
Proxy Password
  Type the necessary password for the proxy server. A password is only required if you are using an authenticated proxy.

Step 6 Configure the update settings:

Table 6-5 Update Settings Parameters

Deploy changes
  Select this check box if you want to deploy update changes automatically. If the check box is clear, a system notification appears in the Dashboard indicating that you must deploy changes. By default, the check box is clear.
Send feedback
  Select this check box if you want to send feedback to Juniper Networks regarding the update. Feedback is sent automatically using a web form if any errors occur with the update. By default, the check box is clear.
Backup Retention Period (days)
  Using the up and down arrows, select the length of time, in days, that you want to store files that may be replaced during the update process. The files are stored in the location specified in the Backup Location parameter. The default is 30 days. The minimum is 1 day and the maximum is 65535.
Backup Location
  Type the location in which you want to store backup files.


Step 7 Configure the schedule for updates:

Table 6-6 Schedule Update Parameters

Schedule Update Frequency
  From the drop-down list box, select the frequency at which you want to receive updates. Options include:
    Disabled
    Weekly
    Monthly
    Daily
  The default is daily.
Hour
  From the drop-down list box, select the time of day you want your system to update. The default is 1 am.
Week Day
  This option is only available if you select Weekly as the update frequency. From the drop-down list box, select the day of the week you want to receive updates. The default is Monday.
Month Day
  This option is only active when you select Monthly as the update frequency. From the drop-down list box, select the day of the month you want to receive updates. The default is 1.

Step 8 Click Save.

If you selected the Deploy Changes check box, the updates are enforced through your deployment. Once the automatic update process is complete, a system notification appears in the Dashboard and information about the automatic update appears in the Log field. For more information on the Dashboard, see the STRM Users Guide.

Updating Your Files On-Demand

You can update your files, whenever necessary, using the Auto Update window. To update your files:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Auto Update icon.

The Auto Update Configuration window is displayed.


Step 4 From the Update Method drop-down list box, select the method you want to use for updating your files:

    Auto Integrate - Select this option to integrate the new configuration files with your existing files and maintain the integrity of your information.


    Auto Update - Select this option to replace your existing configuration files with the new configuration files.

Step 5 Click Save and Update Now.

Step 6 From the Admin interface menu, click Deploy Changes.

If you selected the Deploy Changes check box, the updates are enforced through your deployment. Once the automatic update process is complete, a system notification appears in the Dashboard. For more information, see the STRM Users Guide.

Configuring System Settings

To configure system settings:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the System Settings icon.

The System Settings window is displayed.


Step 4 Enter values for the parameters:

Table 6-7 System Settings Parameters

System Settings

Administrative Email Address
  Type the e-mail address of the designated system administrator. The default is root@localhost.
Alert Email From Address
  Type the e-mail address from which you want to receive e-mail alerts. This address appears in the From field of the e-mail alerts. A valid address is required by most e-mail servers. The default is root@<hostname.domain>.
Resolution Interval Length
  Resolution interval length determines at what interval the QFlow Collectors and Event Collectors send bundles of information to the Console. From the drop-down list box, select the interval length, in minutes. The options include:
    30 seconds
    1 minute (default)
    2 minutes
  Note: If you select the 30 seconds option, results are displayed in the user interface as the data enters the system. However, with shorter intervals, the volume of time series data is larger and the system may experience delays in processing the information.


Delete Root Mail
  Root mail is the default location for host context messages. From the drop-down list box, select one of the following options:
    Yes - Delete the local administrator e-mail. This is the default.
    No - Do not delete local administrator e-mail.
Temporary Files Retention Period
  From the drop-down list box, select the period of time you want the system to retain temporary files. The default storage location for temporary files is the /store/tmp directory. The default is 6 hours. The minimum is 6 hours and the maximum is 2 years.
Asset Profile Reporting Interval
  Type or select the interval, in seconds, that the database stores new asset profile information. The default is 900 seconds. The minimum is 0 and the maximum is 4294967294.
Asset Profile Query Period
  From the drop-down list box, select the period, in seconds, for an asset search to process before a time-out occurs. The default is 86400. The minimum is 86400 and the maximum is 604800.
VIS passive Asset Profile Interval
  Type or select the interval, in seconds, that the database stores all passive asset profile information. The default is 86400 seconds. The minimum is 0 and the maximum is 4294967294.
TNC Recommendation Enable
  Trusted Network Computing (TNC) recommendations enable you to restrict or deny access to the network based on user name or other credentials. From the drop-down list box, select one of the following:
    Yes - Enables the TNC recommendation functionality.
    No - Disables the TNC recommendation functionality.
Coalescing Events
  From the drop-down list box, select one of the following options:
    Yes - Enables log sources to coalesce (bundle) events.
    No - Prevents log sources from coalescing (bundling) events.
  This value applies to all log sources. However, if you want to alter this value for a specific log source, edit the Coalescing Event parameter in the log source configuration. For more information, see the Managing Log Sources Guide. The default is Yes.


Store Event Payload
  From the drop-down list box, select one of the following options:
    Yes - Enables log sources to store event payload information.
    No - Prevents log sources from storing event payload information.
  This value applies to all log sources. However, if you want to alter this value for a specific log source, edit the Event Payload parameter in the log source configuration. For more information, see the Log Sources Users Guide. The default is Yes.
Global Iptables Access
  Type the IP address of a non-Console system that does not have iptables configuration to which you want to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.
Syslog Event Timeout (minutes)
  Type or select the amount of time, in minutes, after which the status of a syslog device is recorded as error if no events have been received within the timeout period. The status appears in the Log Sources window (for more information, see the Log Sources Users Guide). The default is 720 minutes (12 hours). The minimum value is 0 and the maximum value is 4294967294.
Partition Tester Timeout (seconds)
  Type or select the amount of time, in seconds, for a partition test to perform before a time-out occurs. The default is 30. The minimum is 0 and the maximum is 86400.

Database Settings

User Data Files
  Type the location of the user profiles. The default is /store/users.
Accumulator Retention Minute-By-Minute
  From the drop-down list box, select the period of time you want to retain minute-by-minute data accumulations. The default is 1 day. The minimum is 1 day and the maximum is 2 years. Every 60 seconds, the data is aggregated into a single dataset.
Accumulator Retention Hourly
  From the drop-down list box, select the period of time you want to retain hourly data accumulations. The default is 2 weeks. The minimum is 1 day and the maximum is 2 years. At the end of every hour, the minute-by-minute datasets are aggregated into a single hourly dataset.


Accumulator Retention Daily
  From the drop-down list box, select the period of time you want to retain daily data accumulations. The default is 33 days. The minimum is 1 day and the maximum is 2 years. At the end of every day, the hourly datasets are aggregated into a single daily dataset.
Offense Retention Period
  From the drop-down list box, select the period of time you want to retain closed offense information. The default is 3 days. The minimum is 1 day and the maximum is 2 years. After the offense retention period has elapsed, closed offenses are purged from the database.
  Note: Offenses can be retained indefinitely as long as they are not closed and they are still receiving events. The magistrate automatically closes an offense if the offense has not received an event for 5 days straight. This 5-day period is known as the dormant time. If an event is received during the dormant time, the dormant time is reset back to zero. Once an offense is closed either by you or the magistrate, the Offense Retention Period setting is applied.
Attacker History Retention Period
  From the drop-down list box, select the amount of time that you want to store the attacker history. The default is 6 months. The minimum is 1 day and the maximum is 2 years.

Ariel Database Settings

Flow Data Storage Location
  Type the location in which you want to store the flow log information. The default location is /store/ariel/flows.
  Note: This is a global setting, applied to all Consoles and managed hosts in your deployment.
Asset Profile Storage Location
  Type the location in which you want to store asset profile information. The default location is /store/ariel/hprof.
Asset Profile Retention Period
  From the drop-down list box, select the period of time, in days, that you want to store the asset profile information. The default is 30 days. The minimum is 1 day and the maximum is 2 years.
Log Source Storage Location
  Type the location in which you want to store the log source information. The default location is /store/ariel/events.
  Note: This is a global setting, applied to Consoles and managed hosts in your deployment.
Search Results Retention Period
  From the drop-down list box, select the amount of time you want to store event and flow search results. The default is 1 day. The minimum is 1 day and the maximum is 3 months.


Reporting Max Matched Results
  Type or select the maximum number of results you want a report to return. This value applies to the search results in the Offenses, Log Activity and Network Activity interfaces. The default is 1,000,000. The minimum value is 0 and the maximum value is 4294967294.
Command Line Max Matched Results
  Type or select the maximum number of results you want the AQL command line to return. The default is 0. The minimum value is 0 and the maximum value is 4294967294.
Web Execution Time Limit
  Type or select the maximum amount of time, in seconds, you want a query in the interface to process before a time-out occurs. This value applies to the search results in the Offenses, Log Activity and Network Activity interfaces. The default is 600 seconds. The minimum value is 0 and the maximum value is 4294967294.
Reporting Execution Time Limit
  Type or select the maximum amount of time, in seconds, you want a reporting query to process before a time-out occurs. The default is 57,600 seconds. The minimum value is 0 and the maximum value is 4294967294.
Command Line Execution Time Limit
  Type or select the maximum amount of time, in seconds, you want a query in the AQL command line to process before a time-out occurs. The default is 0 seconds. The minimum value is 0 and the maximum value is 4294967294.
Web Last Minute (Auto refresh) Execution Time Limit
  From the drop-down list box, select the maximum amount of time, in seconds, you want an auto refresh to process before a time-out occurs. The default is 10 seconds. The maximum is 40 seconds.
Flow Log Hashing
  From the drop-down list box, select one of the following options:
    Yes - Enables STRM to store a hash file for every stored flow log file.
    No - Prevents STRM from storing a hash file for every stored flow log file.
  The default is No.
Event Log Hashing
  From the drop-down list box, select one of the following options:
    Yes - Enables STRM to store a hash file for every stored event log file.
    No - Prevents STRM from storing a hash file for every stored event log file.
  The default is No.


Hashing Algorithm
  You can use a hashing algorithm for database storage and encryption. You can use one of the following hashing algorithms:
    Message-Digest Hash Algorithm - Transforms digital signatures into shorter values called Message-Digests (MD).
    Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm that creates a larger (60 bit) MD.
  From the drop-down list box, select the log hashing algorithm you want to use for your deployment. Options are:
    MD2 - Algorithm defined by RFC 1319.
    MD5 - Algorithm defined by RFC 1321.
    SHA-1 - Algorithm defined by Secure Hash Standard (SHS), NIST FIPS 180-1. This is the default.
    SHA-256 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-256 is a 255-bit hash algorithm intended for 128 bits of security against security attacks.
    SHA-384 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a bit hash algorithm, created by truncating the SHA-512 output.
    SHA-512 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a bit hash algorithm intended to provide 256 bits of security.

Transaction Sentry Settings

Transaction Max Time Limit
  A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state. From the drop-down list box, select the length of time you want the system to check for transactional issues in the database. The default is 10 minutes. The minimum is 1 minute and the maximum is 30 minutes.
Resolve Transaction on Non-Encrypted Host
  From the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the Console or non-encrypted managed hosts. If you select No, the conditions are detected and logged, but you must manually intervene and correct the error. The default is Yes.
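As an added illustration of what the Flow Log Hashing, Event Log Hashing and Hashing Algorithm settings buy a defender (this is not the guide's or STRM's own code), the following Python stores a hash file beside a stored log file and later recomputes the digest to detect modification of the stored evidence. The sidecar file name and contents, and the mapping of the setting's algorithm names onto Python's hashlib, are assumptions; MD2 is omitted because hashlib does not provide it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Algorithm names as listed in the Hashing Algorithm setting, mapped to hashlib
# names (assumed mapping). MD2 is left out because hashlib does not provide it.
# MD5 and SHA-1 appear only because the setting offers them; both have practical
# collision attacks, so SHA-256 or stronger is the sensible choice for new logs.
ALGORITHMS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of in-memory data with one of the algorithms above."""
    return hashlib.new(ALGORITHMS[algorithm], data).hexdigest()


def digest_file(path: Path, algorithm: str, chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so a large log file need not fit in memory."""
    h = hashlib.new(ALGORITHMS[algorithm])
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_file(log_path: Path, algorithm: str) -> Path:
    """Store a hash file beside the log file (this sidecar layout is an assumption, not STRM's format)."""
    hash_path = log_path.with_name(f"{log_path.name}.{ALGORITHMS[algorithm]}")
    hash_path.write_text(f"{digest_file(log_path, algorithm)}  {log_path.name}\n")
    return hash_path


def verify_hash_file(log_path: Path, hash_path: Path, algorithm: str) -> str:
    """Return 'ok' if the stored digest still matches the log file, 'MODIFIED' otherwise."""
    expected = hash_path.read_text().split()[0]
    actual = digest_file(log_path, algorithm)
    # Digests are not secrets, but a constant-time compare costs nothing here.
    return "ok" if hmac.compare_digest(expected, actual) else "MODIFIED"


def demo(algorithm: str = "SHA-256") -> dict:
    """Hash a constructed event log, verify it, alter one line, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "events.log"
        # Constructed sample events; not real STRM output.
        log.write_text(
            "2011-10-10T01:00:00 fw-edge-1 Firewall Deny src=10.0.0.5 dst=192.0.2.10\n"
            "2011-10-10T01:00:02 dc1 Admin Login Failure user=alice\n"
        )
        sidecar = write_hash_file(log, algorithm)
        before = verify_hash_file(log, sidecar, algorithm)
        # Simulate after-the-fact tampering with stored evidence.
        log.write_text(log.read_text().replace("Failure", "Success"))
        after = verify_hash_file(log, sidecar, algorithm)
    return {"before": before, "after": after, "hash_file": sidecar.name}


if __name__ == "__main__":
    print(demo())
```

The hash file only proves that the log has not changed since the hash was written; keeping the hash files on separate, write-protected storage is what stops an attacker who can alter the log from also rewriting its hash.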


Resolve Transaction on Encrypted Host
  From the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the encrypted managed host. If you select No, the conditions are detected and logged but you must manually intervene and correct the error. The default is Yes.

SNMP Settings

SNMP Version
  From the drop-down list box, choose one of the following options:
    Disabled - Select this option if you do not want SNMP responses in the STRM custom rules engine. Disabling SNMP indicates that you do not want to accept events using SNMP.
    SNMPv3 - Select this option if you want to use SNMP version 3 in your deployment.
    SNMPv2c - Select this option if you want to use SNMP version 2 in your deployment.

SNMPv2c Settings

Destination Host
  Type the IP address to which you want to send SNMP notifications.
Destination Port
  Type the port to which you want to send SNMP notifications. The default is 162.
Community
  Type the SNMP community, such as public.

SNMPv3 Settings

Destination Host
  Type the IP address to which you want to send SNMP notifications.
Destination Port
  Type the port to which you want to send SNMP notifications. The default is 162.
Username
  Type the name of the user you want to access SNMP related properties.
Security Level
  From the drop-down list box, select the security level for SNMP. The options are:
    NOAUTH_NOPRIV - Indicates no authorization and no privacy. This is the default.
    AUTH_NOPRIV - Indicates authorization is permitted but no privacy.
    AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol
  From the drop-down list box, select the algorithm you want to use to authenticate SNMP traps.
Authentication Password
  Type the password you want to use to authenticate SNMP traps.


Privacy Protocol
  From the drop-down list box, select the protocol you want to use to decrypt SNMP traps.
Privacy Password
  Type the password used to decrypt SNMP traps.

Embedded SNMP Agent Settings

Enabled
  From the drop-down list box, select one of the following:
    Yes - Enables access to data from the SNMP Agent using SNMP requests.
    No - Disables access to data from the SNMP Agent using SNMP requests.
  The default is Yes.
Community String
  Type the SNMP community, such as public. This parameter only applies if you are using SNMPv2 and SNMPv3.
IP Access List
  Type the systems that can access data from the SNMP agent using an SNMP request. If the Enabled option is set to Yes, this option is enforced.

Step 5 Click Save.

Step 6 From the Admin interface menu, select Advanced > Deploy Full Configuration.

Using Event and Flow Retention Buckets

Using the Event Retention and Flow Retention features available on the Admin interface, you can configure retention buckets. Each retention bucket defines a retention policy for events and flows that match custom filter requirements. As STRM receives events and flows, each event and flow is compared against retention bucket filter criteria. When an event or flow matches a retention bucket filter, it is stored in that retention bucket until the retention policy time period is reached.

This feature enables you to configure multiple retention buckets. Retention buckets are sequenced in priority order from the top row to the bottom row in the Event Retention and Flow Retention windows. A record is stored in the bucket that matches the filter criteria with the highest priority. If the record does not match any of your configured retention buckets, the record is stored in the default retention bucket, which is always located below the list of configurable retention buckets.

This section provides information on managing event and flow retention buckets, including:

    Configuring Event Retention Buckets
    Configuring Flow Retention Buckets
    Managing Retention Buckets
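The bucket selection rule described above, modelled as an added Python example (not the guide's or STRM's own code): buckets are tried top row first, the first enabled bucket whose filters match wins, a disabled bucket is skipped so the record falls through to the next match (as described later under Enabling and Disabling a Retention Bucket), and the default bucket catches everything else and cannot be moved. The bucket names, filter modifiers and the rule that all filters on one bucket must match are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Callable

# Filter modifiers. The guide only says the modifier list depends on the
# attribute chosen; these three are assumed for illustration.
MODIFIERS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "does not equal": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


@dataclass
class Filter:
    attribute: str  # for example Device, Source Port or Event Name
    modifier: str
    value: str

    def matches(self, record: dict) -> bool:
        return MODIFIERS[self.modifier](str(record.get(self.attribute, "")), self.value)


@dataclass
class RetentionBucket:
    name: str
    keep_for: timedelta  # "Keep data placed in this bucket for": 1 day to 2 years
    filters: list = field(default_factory=list)
    enabled: bool = True
    is_default: bool = False

    def matches(self, record: dict) -> bool:
        # The default bucket matches everything. How several filters on one bucket
        # combine is not stated in the guide; this model requires all of them (assumption).
        return self.is_default or all(f.matches(record) for f in self.filters)


class RetentionPolicy:
    """Configurable buckets in priority order (top row first); the default bucket is always last."""

    def __init__(self, buckets: list, default_keep_for: timedelta = timedelta(days=7)):
        self.buckets = list(buckets)
        self.default = RetentionBucket("default", default_keep_for, is_default=True)

    def select_bucket(self, record: dict) -> RetentionBucket:
        # A disabled bucket is skipped, so the record falls through to the next
        # bucket whose filters match; nothing matching lands in the default bucket.
        for bucket in self.buckets:
            if bucket.enabled and bucket.matches(record):
                return bucket
        return self.default

    def move(self, name: str, direction: str) -> list:
        """Up, Down, Top or Bottom, as in the Event/Flow Retention windows; returns the new order."""
        if name == self.default.name:
            raise ValueError("the default retention bucket cannot be moved")
        idx = next(i for i, b in enumerate(self.buckets) if b.name == name)
        bucket = self.buckets.pop(idx)
        target = {"Up": max(idx - 1, 0), "Down": min(idx + 1, len(self.buckets)),
                  "Top": 0, "Bottom": len(self.buckets)}[direction]
        self.buckets.insert(target, bucket)
        return [b.name for b in self.buckets] + [self.default.name]

    def set_enabled(self, name: str, enabled: bool) -> None:
        next(b for b in self.buckets if b.name == name).enabled = enabled


def example_policy() -> RetentionPolicy:
    """Constructed buckets for illustration; not taken from a real deployment."""
    return RetentionPolicy([
        RetentionBucket("auth-events", timedelta(days=365),
                        [Filter("Event Name", "contains", "Login")]),
        RetentionBucket("firewall-denies", timedelta(days=7),
                        [Filter("Event Name", "equals", "Firewall Deny")]),
        RetentionBucket("edge-firewall", timedelta(days=30),
                        [Filter("Device", "equals", "fw-edge-1")]),
    ])


def route(policy: RetentionPolicy, record: dict) -> str:
    """Name of the bucket a record would be stored in."""
    return policy.select_bucket(record).name


if __name__ == "__main__":
    policy = example_policy()
    deny = {"Device": "fw-edge-1", "Event Name": "Firewall Deny"}
    print(route(policy, deny))                  # firewall-denies: the higher row wins
    policy.move("edge-firewall", "Top")
    print(route(policy, deny))                  # edge-firewall: order changed the outcome
    policy.set_enabled("edge-firewall", False)
    print(route(policy, deny))                  # firewall-denies: disabled bucket is skipped
    print(route(policy, {"Device": "dc1", "Event Name": "Disk full"}))  # default
```

Because order decides where a record lands, a broad bucket with a short retention placed above a narrow long-retention bucket silently shortens the retention of the records you most wanted to keep; checking a few representative records against the policy, as above, is a cheap way to catch that before deploying.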


Configuring Event Retention Buckets

By default, the Event Retention feature provides a default retention bucket and 10 unconfigured retention buckets. Until you configure an event retention bucket, all events are stored in the default retention bucket. To configure an event retention bucket:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Click the Event Retention icon.

The Event Retention window is displayed.

The Event Retention window provides the following information for each retention bucket:
Table 6-8 Event Retention Window Parameters

Order
  Specifies the priority order of the retention buckets.
Name
  Specifies the name of the retention bucket.
Retention
  Specifies the retention period of the retention bucket.
Compression
  Specifies the compression policy of the retention bucket.
Deletion Policy
  Specifies the deletion policy of the retention bucket.
Filters
  Specifies the filters applied to the retention bucket. Move your mouse pointer over the Filters parameter for more information on the applied filters.
Records
  Specifies how many events are stored in the retention bucket.


Enabled
  Specifies whether the retention bucket is enabled (true) or disabled (false). The default is true.
Creation Date
  Specifies the date and time the retention bucket was created.
Modification Date
  Specifies the date and time the retention bucket was last modified.

The Event Retention toolbar provides the following functions:

Table 6-9 Event Retention Window Toolbar

Edit
  Click Edit to edit a retention bucket. For more information on editing a retention bucket, see Editing a Retention Bucket.
Enable/Disable
  Click Enable/Disable to enable or disable a retention bucket. For more information on enabling and disabling retention buckets, see Enabling and Disabling a Retention Bucket.
Delete
  Click Delete to delete a retention bucket. For more information on deleting retention buckets, see Deleting a Retention Bucket.

Step 4 Double-click the first available retention bucket.

The Retention Properties window is displayed.


Step 5 Configure the following parameters:

Table 6-10 Retention Properties Window Parameters

Name
  Type a unique name for the retention bucket.
Keep data placed in this bucket for
  From the drop-down list box, select a retention period. When the retention period is reached, events are deleted according to the Delete data in this bucket parameter. The minimum is 1 day and the maximum is 2 years. The default is 1 week.
Allow data in this bucket to be compressed
  Select the check box to enable data compression, and then select a time frame from the drop-down list box. When the time frame is reached, all events in the retention bucket are compressed. The minimum is Never and the maximum is 2 weeks. The default is 2 weeks.
Delete data in this bucket
  From the drop-down list box, select a deletion policy. Options include:
    When storage space is required - Select this option if you want events that match the Keep data placed in this bucket for parameter to remain in storage until the disk monitoring system detects that storage is required. When storage is required, only events that match the Keep data placed in this bucket for parameter are deleted.
    Immediately after the retention period has expired - Select this option if you want events to be deleted immediately on matching the Keep data placed in this bucket for parameter. The events are deleted at the next scheduled disk maintenance process, which occurs hourly.
Description
  Type a description for the retention bucket. This field is optional.
Current Filters
  In the Current Filters section, configure your filter(s). To add a filter:
  1 From the first drop-down list box, select the parameter you want to filter on. For example, Device, Source Port, or Event Name.
  2 From the second drop-down list box, select the modifier you want to use for the filter. The list of modifiers that appears depends on the attribute selected in the first list.
  3 In the text field, type specific information related to your filter.
  4 Click Add Filter.
  The filter(s) appear in the Current Filters text box. You can select a filter and click Remove Filter to remove a filter from the Current Filters text box.
Step 6 Click Save.

The Event Retention window is displayed. Your event retention bucket configuration is saved.
Step 7 Click Save.


Your event retention bucket starts storing events that match the retention parameters immediately.

Configuring Flow Retention Buckets

By default, the Flow Retention feature provides a default retention bucket and 10 unconfigured retention buckets. Until you configure a flow retention bucket, all flows are stored in the default retention bucket. To configure a flow retention bucket:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Click the Flow Retention icon.

The Flow Retention window is displayed.

The Flow Retention window provides the following information for each retention bucket:
Table 6-11 Flow Retention Window Parameters

Order
  Specifies the priority order of the retention buckets.
Name
  Specifies the name of the retention bucket.
Retention
  Specifies the retention period of the retention bucket.
Compression
  Specifies the compression policy of the retention bucket.
Deletion Policy
  Specifies the deletion policy of the retention bucket.


Filters
  Specifies the filters applied to the retention bucket. Move your mouse pointer over the Filters parameter for more information on the applied filters.
Records
  Specifies how many flows are stored in the retention bucket.
Enabled
  Specifies whether the retention bucket is enabled (true) or disabled (false). The default is true.
Creation Date
  Specifies the date and time the retention bucket was created.
Modification Date
  Specifies the date and time the retention bucket was last modified.

The Event Retention toolbar provides the following functions:

Table 6-12 Event Retention Window Toolbar

Edit
  Click Edit to edit a retention bucket. For more information on editing a retention bucket, see Editing a Retention Bucket.
Enable/Disable
  Click Enable/Disable to enable or disable a retention bucket. By default, retention buckets are enabled. For more information on disabling retention buckets, see Enabling and Disabling a Retention Bucket.
Delete
  Click Delete to delete a retention bucket. For more information on deleting retention buckets, see Deleting a Retention Bucket.

Step 4 Double-click the first available retention bucket.

The Retention Properties window is displayed.


Step 5 Configure the following parameters:

Table 6-13 Retention Properties Window Parameters

Name
  Type a unique name for the retention bucket.
Keep data placed in this bucket for
  From the drop-down list box, select a retention period. When the retention period is reached, flows are deleted according to the Delete data in this bucket parameter. The minimum is 1 day and the maximum is 2 years. The default is 1 week.
Allow data in this bucket to be compressed
  Select the check box to enable data compression, and then select a time frame from the drop-down list box. When the time frame is reached, all flows in the retention bucket are compressed. The minimum is Never and the maximum is 2 weeks. The default is 2 weeks.
Delete data in this bucket
  From the drop-down list box, select a deletion policy. Options include:
    When storage space is required - Select this option if you want flows that match the Keep data placed in this bucket for parameter to remain in storage until the disk monitoring system detects that storage is required. When storage is required, only flows that match the Keep data placed in this bucket for parameter are deleted.
    Immediately after the retention period has expired - Select this option if you want flows to be deleted immediately on matching the Keep data placed in this bucket for parameter. The flows are deleted at the next scheduled disk maintenance process, which occurs hourly.
Description
  Type a description for the retention bucket. This field is optional.



Current Filters
  In the Current Filters section, configure your filter(s). To add a filter:
  1 From the first drop-down list box, select the parameter you want to filter on. For example, Device, Source Port, or Event Name.
  2 From the second drop-down list box, select the modifier you want to use for the filter. The list of modifiers that appears depends on the attribute selected in the first list.
  3 In the text field, type specific information related to your filter.
  4 Click Add Filter.
  The filter(s) appear in the Current Filters text box. You can select a filter and click Remove Filter to remove a filter from the Current Filters text box.
  Note: This parameter does not appear when editing the default retention bucket.
Step 6 Click Save.

Your flow retention bucket is saved and starts storing flows that match the retention parameters immediately.

Managing Retention Buckets

After you configure your retention buckets, you can manage the buckets using the Event Retention and Flow Retention windows. This section provides information on managing retention buckets, including:

    Managing Retention Bucket Sequence
    Editing a Retention Bucket
    Enabling and Disabling a Retention Bucket
    Deleting a Retention Bucket

Managing Retention Bucket Sequence

Retention buckets are sequenced in priority order from the top row to the bottom row in the Event Retention and Flow Retention windows. A record is stored in the first retention bucket that matches the record's parameters. You can change the order of the retention buckets to ensure that events and flows are matched against the retention buckets in the order that meets your requirements. To manage the retention bucket sequence:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Choose one of the following:


    a To manage the event retention bucket sequence, click the Event Retention icon. The Event Retention window is displayed.
    b To manage the flow retention bucket sequence, click the Flow Retention icon. The Flow Retention window is displayed.

Step 4 Select the retention bucket you want to move, and then click one of the following buttons:

    Up - Click this button to move the selected retention bucket up one row in priority sequence.
    Down - Click this button to move the selected retention bucket down one row in priority sequence.
    Top - Click this button to move the selected retention bucket to the top of the priority sequence.
    Bottom - Click this button to move the selected retention bucket to the bottom of the priority sequence.

Note: You cannot move the default retention bucket. It always resides at the bottom of the list.

Editing a Retention Bucket

To edit a retention bucket:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Choose one of the following:

a To edit an event retention bucket, click the Event Retention icon. The Event Retention window is displayed.
b To edit a flow retention bucket, click the Flow Retention icon. The Flow Retention window is displayed.

Step 4 Select the retention bucket you want to edit, and then click Edit.

The Retention Properties window is displayed.


Step 5 Edit the parameters. For more information on retention parameters, see Table 6-10. For more information on flow retention parameters, see Table 6-13.

Note: In the Retention Parameters window, the Current Filters section does not appear when editing a default retention bucket.
Step 6 Click Save.

Your changes are saved.

Enabling and Disabling a Retention Bucket

Once you configure and save a retention bucket, it is enabled by default. You can tune your event or flow retention by disabling a bucket.

Note: Once you disable a bucket, any new events or flows that would have matched the requirements for the disabled bucket are stored in the next bucket that matches the event or flow properties.

To enable or disable a retention bucket:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Choose one of the following:

a To disable an event retention bucket, click the Event Retention icon. The Event Retention window is displayed.
b To disable a flow retention bucket, click the Flow Retention icon. The Flow Retention window is displayed.

Step 4 Select the retention bucket you want to disable, and then click Enable/Disable.

The retention bucket is disabled. You can click Enable/Disable to enable the retention bucket again.

Deleting a Retention Bucket

Note: Once you delete a retention bucket, the events or flows contained in the retention bucket are not removed from the system; only the criteria defining the bucket are deleted. All events or flows are maintained in storage.

To delete a retention bucket:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Choose one of the following:

a To delete an event retention bucket, click the Event Retention icon. The Event Retention window is displayed.
b To delete a flow retention bucket, click the Flow Retention icon. The Flow Retention window is displayed.

Step 4 Select the retention bucket you want to delete, and then click Delete.

The retention bucket is deleted.
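The matching order these procedures describe, as an added example that is not part of the guide: buckets are tried top to bottom, the first match wins, a disabled bucket is skipped so its records fall through to the next matching bucket, and the default bucket stays at the bottom and cannot be moved. The filter parameters, the modifier names and the sample buckets are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed modifier set; in STRM the list offered depends on the parameter chosen.
MODIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
}


@dataclass
class Filter:
    """One row of the Current Filters box: parameter, modifier, value."""
    parameter: str  # e.g. "Device", "Source Port", "Event Name"
    modifier: str
    value: str

    def matches(self, record: Dict[str, str]) -> bool:
        actual = record.get(self.parameter)
        return actual is not None and MODIFIERS[self.modifier](str(actual), self.value)


@dataclass
class Bucket:
    name: str
    retention_days: int
    filters: List[Filter] = field(default_factory=list)
    enabled: bool = True
    is_default: bool = False

    def matches(self, record: Dict[str, str]) -> bool:
        # The default bucket has no filter section and accepts every record.
        return self.is_default or all(f.matches(record) for f in self.filters)


class RetentionPolicy:
    """Buckets in priority order; index 0 is the top row of the window."""

    def __init__(self, buckets: List[Bucket]) -> None:
        defaults = [b for b in buckets if b.is_default]
        if len(defaults) != 1:
            raise ValueError("exactly one default bucket is required")
        # The default bucket always resides at the bottom of the list.
        self.buckets = [b for b in buckets if not b.is_default] + defaults

    def order(self) -> List[str]:
        return [b.name for b in self.buckets]

    def _index(self, name: str) -> int:
        for i, b in enumerate(self.buckets):
            if b.name == name:
                if b.is_default:
                    raise ValueError("the default retention bucket cannot be moved")
                return i
        raise KeyError(name)

    def _move(self, name: str, new_index: int) -> None:
        i = self._index(name)
        last = len(self.buckets) - 2  # last row above the default bucket
        self.buckets.insert(max(0, min(new_index, last)), self.buckets.pop(i))

    # The Up, Down, Top and Bottom buttons.
    def up(self, name: str) -> None:
        self._move(name, self._index(name) - 1)

    def down(self, name: str) -> None:
        self._move(name, self._index(name) + 1)

    def top(self, name: str) -> None:
        self._move(name, 0)

    def bottom(self, name: str) -> None:
        self._move(name, len(self.buckets) - 2)

    def set_enabled(self, name: str, enabled: bool) -> None:
        """The Enable/Disable button."""
        for b in self.buckets:
            if b.name == name:
                b.enabled = enabled
                return
        raise KeyError(name)

    def bucket_for(self, record: Dict[str, str]) -> Bucket:
        """First enabled bucket, top to bottom, whose filters all match.
        Disabled buckets are skipped; the default bucket is assumed always active."""
        for b in self.buckets:
            if (b.enabled or b.is_default) and b.matches(record):
                return b
        raise AssertionError("unreachable: the default bucket matches everything")


def demo_policy() -> RetentionPolicy:
    """Constructed sample: two filtered buckets above the default bucket."""
    return RetentionPolicy([
        Bucket("Firewall denies", 7, [Filter("Device", "equals", "fw01"),
                                      Filter("Event Name", "contains", "Deny")]),
        Bucket("All fw01 events", 30, [Filter("Device", "equals", "fw01")]),
        Bucket("Default", 90, is_default=True),
    ])
```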

Configuring System Notifications

You can configure system performance alerts for thresholds using the Admin interface. This section provides information on configuring your system thresholds. To configure system thresholds:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.


The System Configuration panel is displayed.


Step 3 Click the Global System Notifications icon.

The Global System Notifications window is displayed.


Step 4 Enter values for the parameters. For each parameter, you must select the following options:

Enabled - Select the check box to enable the option.
Respond if value is - From the drop-down list box, select one of the following options:
Greater Than - An alert occurs if the parameter value exceeds the configured value.
Less Than - An alert occurs if the parameter value is less than the configured value.

Resolution Message - Type a description of the preferred resolution to the alert.

Table 6-14 Global System Notifications Parameters

Parameter - Description

User CPU usage - Type the threshold percentage of user CPU usage.
Nice CPU usage - Type the threshold percentage of user CPU usage at the nice priority. During periods of high CPU usage, processes that are configured with the nice priority pause to enable other processes to continue uninterrupted.
System CPU usage - Type the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage - Type the threshold percentage of idle CPU time.
Percent idle time - Type the threshold percentage of idle time.
Run queue length - Type the threshold number of processes waiting for run time.
Number of processes in the process list - Type the threshold number of processes in the process list.
System load over 1 minute - Type the threshold system load average over the last minute.
System load over 5 minutes - Type the threshold system load average over the last 5 minutes.
System load over 15 minutes - Type the threshold system load average over the last 15 minutes.
Kilobytes of memory free - Type the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used - Type the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used - Type the threshold percentage of used memory.
Kilobytes of cached swap - Type the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory - Type the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used - Type the threshold amount of memory, in kilobytes, used by the kernel as disk cache.
Kilobytes of swap memory free - Type the threshold amount, in kilobytes, of free swap memory.
Kilobytes of swap memory used - Type the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used - Type the threshold percentage of used swap space.
Number of interrupts per second - Type the threshold number of received interrupts per second.
Received packets per second - Type the threshold number of packets received per second.
Transmitted packets per second - Type the threshold number of packets transmitted per second.
Received bytes per second - Type the threshold number of bytes received per second.
Transmitted bytes per second - Type the threshold number of bytes transmitted per second.
Received compressed packets - Type the threshold number of compressed packets received per second.
Transmitted compressed packets - Type the threshold number of compressed packets transmitted per second.
Received multicast packets - Type the threshold number of multicast packets received per second.
Receive errors - Type the threshold number of corrupt packets received per second.
Transmit errors - Type the threshold number of corrupt packets transmitted per second.
Packet collisions - Type the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets - Type the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped transmit packets - Type the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors - Type the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors - Type the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns - Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns - Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second - Type the threshold number of transfers per second sent to the system.
Sectors written per second - Type the threshold number of sectors transferred to or from the system.


Step 5 Click Save.

Step 6 From the Admin interface menu, click Deploy Changes.

Configuring the Console Settings

The STRM Console provides the user interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. You can configure the Console to manage distributed STRM deployments. You can access the Console from a standard web browser. When you access the system, a prompt appears for a user name and password, which must be configured in advance by the STRM administrator. STRM supports the following web browsers:

Internet Explorer 7.0 and 8.0
Mozilla Firefox 3.6 and above

To configure STRM Console settings:


Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Console icon.

The STRM Console Settings window is displayed.


Step 4 Enter values for the parameters:

Table 6-15 STRM Console Parameters

Parameter - Description

Console Settings

ARP - Safe Interfaces - Type the interface(s) you want to be excluded from ARP resolution activities.
Enable 3D graphs in the user interface - From the drop-down list box, select one of the following:
Yes - Displays graphics in 3-dimensional format in the interface.
No - Displays graphics in 2-dimensional format in the interface.
Results Per Page - Type the maximum number of results you want to display in the main STRM interface. This parameter applies to the Offenses, Log Activity, Assets, Network Activity, and Reports interfaces. For example, if the Default Page Size parameter is configured to 50, the Offenses interface displays a maximum of 50 offenses. The default is 40. The minimum is 0 and the maximum is 4294967294.

Authentication Settings

Persistent Session Timeout (in days) - Type the length of time, in days, that a user session will be persisted. The default is 0, which disables this feature. The minimum is 0 and the maximum is 4294967294.
Maximum Login Failures - Type the number of times a login attempt may fail. The default is 5. The minimum is 0 and the maximum is 4294967294.
Login Failure Attempt Window (in minutes) - Type the length of time during which the maximum number of login failures may occur before the system is locked. The default is 10 minutes. The minimum is 0 and the maximum is 4294967294.
Login Failure Block Time (in minutes) - Type the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes. The minimum is 0 and the maximum is 4294967294.
Login Host Whitelist - Type a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.
Inactivity Timeout (in minutes) - Type the amount of time after which a user is automatically logged out of the system if no activity occurs. The default is 0. The minimum is 0 and the maximum is 4294967294.
Login Message File - Type the location and name of a file that includes content you want to appear on the STRM login window. This file may be in text or HTML format, and the contents of the file appear below the current login window.
Event Permission Precedence - From the drop-down list box, select the level of network permissions you want to assign to users. This affects the events that appear in the Log Activity interface. The options include:
Network Only - A user must have access to either the source network or the destination network of the event to have that event appear in the Log Activity interface.
Devices Only - A user must have access to either the device or device group that created the event to have that event appear in the Log Activity interface.
Networks and Devices - A user must have access to both the source or destination network and the device or device group to have an event appear in the Log Activity interface.
None - All events appear in the Log Activity interface. Any user with Log Activity role permissions is able to view all events.
Note: For more information on managing users, see Chapter 2 - Managing Users.

DNS Settings

Enable DNS Lookups for Asset Profiles - From the drop-down list box, select whether you want to enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available in the right-click menu for the IP address or host name located in the Host Name (DNS Name) field in the asset profile. The default is False.
Enable DNS Lookups for Host Identity - From the drop-down list box, select whether you want to enable or disable the ability for STRM to search for host identity information. When enabled, this information is available in the right-click menu for any IP address or asset name in the interface. The default is True.

WINS Settings

WINS Server - Type the location of the Windows Internet Naming Server (WINS) server.

Reporting Settings

Report Retention Period - Type the period of time, in days, that you want the system to maintain reports. The default is 30 days. The minimum is 0 and the maximum is 4294967294.

Data Export Settings

Include Header in CSV Exports - From the drop-down list box, select whether you want to include a header in a CSV export file.
Maximum Simultaneous Exports - Type the maximum number of exports you want to occur at one time. The default is 1. The minimum is 0 and the maximum is 4294967294.


Step 5 Click Save.
Step 6 From the Admin interface menu, click Deploy Changes.
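One way to implement the lockout that the Authentication Settings describe, as an added example rather than STRM's own code, using the defaults from Table 6-15 (Maximum Login Failures 5, Login Failure Attempt Window 10 minutes, Login Failure Block Time 30 minutes, and a comma-separated Login Host Whitelist). That failures are counted per source host, and that a Maximum Login Failures of 0 disables locking, are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Set


@dataclass
class LockoutSettings:
    """Defaults from Table 6-15; the whitelist is the field text as typed."""
    max_login_failures: int = 5
    attempt_window_minutes: int = 10
    block_time_minutes: int = 30
    login_host_whitelist: str = ""

    def exempt_hosts(self) -> Set[str]:
        # The Login Host Whitelist field takes a comma-separated list.
        return {h.strip() for h in self.login_host_whitelist.split(",") if h.strip()}


class LoginGuard:
    """Tracks failures per source host (an assumption) and enforces the block."""

    def __init__(self, settings: LockoutSettings) -> None:
        self.settings = settings
        self._failures: Dict[str, Deque[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, host: str, now: float) -> bool:
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[host]  # Login Failure Block Time has elapsed
            return False
        return True

    def record_failure(self, host: str, now: float) -> bool:
        """Count one failed login; return True if it triggers the block."""
        s = self.settings
        # Assumption: 0 means never lock; whitelisted hosts are exempt.
        if s.max_login_failures <= 0 or host in s.exempt_hosts():
            return False
        window = s.attempt_window_minutes * 60
        q = self._failures.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > window:  # forget failures outside the window
            q.popleft()
        # Locked when the maximum login failures value is exceeded.
        if len(q) > s.max_login_failures:
            self._blocked_until[host] = now + s.block_time_minutes * 60
            q.clear()
            return True
        return False

    def record_success(self, host: str) -> None:
        self._failures.pop(host, None)

    def attempt(self, host: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(host, now):
            return "blocked"
        if password_ok:
            self.record_success(host)
            return "ok"
        self.record_failure(host, now)
        return "failed"
```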


MANAGING AUTHORIZED SERVICES

You can configure authorized services in the Admin interface to pre-authenticate a customer support service for your STRM deployment. Authenticating a customer support service allows the service to connect to your STRM interface and either dismiss an offense or update its notes using a web service. You can add or revoke an authorized service at any time. This chapter provides information for managing authorized services, including:
Viewing Authorized Services
Adding an Authorized Service
Revoking Authorized Services
Configuring the Customer Support Service

Viewing Authorized Services

To view authorized services for your STRM deployment:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Authorized Services icon.

The Manage Authorized Services window appears providing the following information:
Table 7-1 Manage Authorized Services Parameters

Parameter - Description

Service Name - Specifies the name of the authorized service.
Authorized By - Specifies the name of the user or administrator that authorized the addition of the service.
Authentication Token - Specifies the token associated with this authorized service.
User Role - Specifies the user role associated with this authorized service.
Created - Specifies the date that this authorized service was created.
Expires - Specifies the date and time that the authorized service will expire. This field also indicates when a service has expired.

Step 4 To select a token from an authorized service, select the appropriate authorized service. The token appears in the Selected Token field in the top bar. This allows you to copy the desired token into your third-party application to authenticate with STRM.

Adding an Authorized Service

To add an authorized service:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Authorized Services icon.

The Manage Authorized Services window is displayed.


Step 4 Click Add Authorized Service.

The Add Authorized Service window is displayed.

Step 5 Enter values for the parameters:

Table 7-2 Add Authorized Services Parameters

Parameter - Description

Service Name - Type a name for this authorized service. The name can be up to 255 characters in length.
User Role - From the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface this service can access.
Expiry Date - Type or select a date on which you want this service to expire, or select the No Expiry check box if you do not want this service to expire. By default, the authorized service is valid for 30 days.


Step 6 Click Create Service.

A confirmation message is displayed. This message contains a token field that you must copy into your third-party application to authenticate with STRM. For more information on setting up your third-party application to integrate with STRM, contact your system administrator.

Revoking Authorized Services

To revoke an authorized service:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Authorized Services icon.

The Manage Authorized Services window is displayed.


Step 4 Select the service you want to revoke.
Step 5 Click Revoke Authorization.

A confirmation window is displayed.


Step 6 Click OK.

Configuring the Customer Support Service

After you have configured an authorized service in STRM, you must configure your customer support service to access STRM offense information. For example, you can configure STRM to send an SNMP trap that includes the offense ID information. Your service must be able to authenticate to STRM using the provided authorized token by passing the information through an HTTP query string. Once authenticated, the service should interpret the authentication token as the user name for the duration of the session. Your customer support service must use a query string to update notes, dismiss, or close an offense. This section includes:
Dismissing an Offense
Closing an Offense
Adding Notes to an Offense

Dismissing an Offense

To dismiss an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=offensesearch&attribute=dismiss&daoName=offense&value=1&authenticationToken=<Token>


Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.

Closing an Offense

To close an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=offensesearch&attribute=dismiss&daoName=offense&value=2&authenticationToken=<Token>

Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.

Adding Notes to an Offense

To add notes to an offense, your customer support service must use the following query string:
https://<IP address>/console/do/sem/properties?appName=Sem&dispatch=updateProperties&id=<Offense ID>&nextPageId=OffenseList&nextForward=offensesearch&attribute=notes&daoName=offense&value=<NOTES>&authenticationToken=<Token>

Where:
<IP address> is the IP address of your STRM system.
<Offense ID> is the identifier assigned to the STRM offense. To obtain the offense ID, see the Offenses interface. For more information, see the STRM Users Guide.
<Token> is the token identifier provided to the authorized service in the STRM interface. For information on copying the token, see the STRM Administration Guide.
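The three query strings of this section assembled and checked in code, as an added example that is not STRM or Juniper code: it builds the dismiss, close and notes requests, maps a request URL back to the action it performs, and redacts the authenticationToken value before a URL is written to a proxy or web-server log, since the token travels in the query string. Host, offense ID and token values are constructed placeholders.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PATH = "/console/do/sem/properties"
TOKEN_PARAM = "authenticationToken"
# action -> (attribute, value), as given in the guide: value 1 dismisses, 2 closes
ACTIONS = {"dismiss": ("dismiss", "1"), "close": ("dismiss", "2")}


def offense_update_url(host: str, offense_id: int, action: str,
                       token: str, notes: Optional[str] = None) -> str:
    """Return the query-string URL that dismisses, closes or annotates an offense."""
    if action == "notes":
        if not notes:
            raise ValueError("notes text is required for the notes action")
        attribute, value = "notes", notes
    elif action in ACTIONS:
        attribute, value = ACTIONS[action]
    else:
        raise ValueError(f"unknown action {action!r}")
    params = [
        ("appName", "Sem"),
        ("dispatch", "updateProperties"),
        ("id", str(int(offense_id))),
        ("nextPageId", "OffenseList"),
        ("nextForward", "offensesearch"),
        ("attribute", attribute),
        ("daoName", "offense"),
        ("value", value),
        (TOKEN_PARAM, token),
    ]
    # urlencode percent-encodes the note text, so '&', '=' or '#' inside a
    # note cannot split the query string into extra parameters.
    return f"https://{host}{PATH}?" + urlencode(params)


def classify_request(url: str) -> Tuple[str, int, Optional[str]]:
    """Map a request URL back to (action, offense id, note text or None)."""
    parts = urlsplit(url)
    if parts.path != PATH:
        raise ValueError("not an offense update request")
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    attribute, value = q.get("attribute"), q.get("value", "")
    if attribute == "notes":
        return "notes", int(q["id"]), value
    for action, (attr, val) in ACTIONS.items():
        if (attribute, value) == (attr, val):
            return action, int(q["id"]), None
    raise ValueError(f"unrecognised attribute/value {attribute!r}/{value!r}")


def redact_token(url: str) -> str:
    """Replace the token value so the request can be logged without it."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == TOKEN_PARAM and v else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))
```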


MANAGING BACKUP AND RECOVERY


You can back up and recover configuration information and data for STRM.
Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.
This chapter provides information on managing backup and recovery, including:
Managing Backup Archives
Backing Up Your Information
Restoring Your Configuration Information

Managing Backup Archives

Using the Admin interface, you can:


View your successful backup archives. See Viewing Backup Archives.
Import an archive file. See Importing an Archive.
Delete an archive file. See Deleting a Backup Archive.

Viewing Backup Archives

To view all successful backup archives:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window appears providing the following information, depending on the status of the backup processes:

If there are no backup archives, a message appears indicating that no backup archives have been created.
If a backup is in progress, a status window appears that indicates the duration of the current backup and which user or process initiated it, and provides you with the option to cancel the backup.
If there are existing backup archives, the list of the successful backup archives that exist in the database is displayed. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. Each archive file includes the data from the previous day. The list of archives is sorted by the Time Initiated column in descending order.

The Backup Archives window provides the following information for each backup archive:
Table 8-1 Backup Archive Window Parameters

Parameter - Description

Host - Specifies the host that initiated the backup process.
Name - Specifies the name of the backup archive. To download the backup file, click the name of the backup.
Type - Specifies the type of backup. The options are:
config - Configuration data
data - Events, flows, and asset profile information
Size - Specifies the size of the archive file.
Time Initiated - Specifies the time that the backup file was initiated.
Duration - Specifies the time taken to complete the backup process.
Initialized By - Specifies whether the backup file was created by a user or through a scheduled process.

Importing an Archive

To import a STRM backup archive file:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 In the Upload Archive field, click Browse.

The File Upload window is displayed.


Step 5 Select the archive file you want to upload. The archive file must have a .tgz extension. Click Open.


Step 6 Click Upload.


Deleting a Backup Archive

To delete a backup archive:
Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system. The system must also be in communication with the Console, and no other backup can be in progress.

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 Select the archive you want to delete.
Step 5 Click Delete.

A confirmation window is displayed.


Step 6 Click OK.

Backing Up Your Information

You can back up your configuration information and data using the Backup Recovery Configuration window. By default, STRM creates a backup archive of your configuration information every night at midnight, and the backup includes configuration and/or data from the previous day. You can back up your information using one of the following methods:

Creating a configuration-only backup. See Initiating a Backup.
Scheduling a nightly backup. See Scheduling Your Backup.
Copying a backup archive file to the system on which you want to restore the archive. You can then restore the data. See Restoring Your Configuration Information.

This section provides information on both methods of backing up your data, including:
Scheduling Your Backup
Initiating a Backup

Scheduling Your Backup

To schedule your backup process:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 Click Configure.

The Backup Recovery Configuration window is displayed.

Step 5 Enter values for the parameters:

Table 8-2 Backup Recovery Configuration Parameters

Parameter - Description

Backup Repository Path - Type the location where you want to store your backup file. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
Note: If you modify this path, make sure the new path is valid on every system in your deployment.
Hint: Active data is stored in the /store directory. If you have both active data and backup archives stored in the same directory, data storage capacity may easily be reached and your scheduled backups may fail. We recommend you specify a storage location on another system, or copy your backup archives to another system after the backup process is complete. You can use a Network File System (NFS) storage solution in your STRM deployment. For more information on using NFS, see the Using the NFS for STRM Backups technical note.

General Backup Configuration

Backup Retention Period (days) - Type or select the length of time, in days, that you want to store backup files. The default is 2 days.
Note: This period of time only affects backup files generated as a result of a scheduled process. Manually initiated or imported backup files are not affected by this value.
Nightly Backup Schedule - Select one of the following options:
No Nightly Backups - Disables the creation of a backup archive on a daily basis.
Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.
Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select the Configuration and Data Backups option, you can select the hosts you want to back up. Once you select the host, you can select one of the following options: Event Data, Flow Data, and Asset Profile Data.
Configuration backups include the following components:
Custom rules
Flow and event searches
Log sources
Groups
Flow sources
Event categories
Vulnerability data
Device Support Modules (DSMs)
User and user roles information
License key information
Custom logos
Data backups include the following information:
Event data
Flow data
Asset profile data
Report data
Audit log information
Data tables for offenses and assets

Configuration Only Backup

Backup Time Limit (min) - Type or select the length of time, in minutes, that you want to allow the backup to process. The default is 180 minutes. If the backup process exceeds the configured time limit, the backup is automatically canceled.
Backup Priority - From the drop-down list box, select the level of importance that you want the system to place on the configuration information backup process compared to other processes. Options include:
LOW
MEDIUM
HIGH
A priority of medium or high has a greater impact on system performance.

Data Backup

Backup Time Limit (min) - Type or select the length of time, in minutes, that you want to allow the backup to process. The default is 1020 minutes. If the backup process exceeds the configured time limit, the backup is automatically canceled.
Backup Priority - From the drop-down list box, select the level of importance you want the system to place on the data backup process compared to other processes. Options include:
LOW
MEDIUM
HIGH
A priority of medium or high has a greater impact on system performance.


Step 6 Click Save.
Step 7 From the Admin interface menu, click Deploy Changes.

Initiating a Backup

To manually initiate a backup for your configuration information:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 Click On Demand Backup.

The Create a Backup window is displayed.

Step 5 Enter values for the following parameters:

Name - Type a unique name you want to assign to this backup file. The name must be a maximum of 100 alphanumeric characters. The name may also contain the following characters: underscore (_), dash (-), or period (.).
Description - Type a description for this configuration backup. The description can be up to 255 characters in length.

Step 6 Click Run Backup.

A confirmation window is displayed.


Step 7 Click OK.

Restoring Your Configuration Information

You can restore configuration information from existing backup archives using the Restore Backup window. You can only restore a backup archive created within the same release of software. For example, if you are running STRM 2010.0, the backup archive must have been created in STRM 2010.0. You can restore configuration information in the following scenarios:

Restore a backup archive on a system that has the same IP address as the backup archive. See Restoring on a System with the Same IP Address.
Restore a backup archive on a system with a different IP address than the backup archive. See Restoring to a System with a Different IP Address.

Note: If the backup archive originated on a NATed Console system, you can only restore that backup archive on a NATed system.

Restoring on a System with the Same IP Address

To restore your configuration information on a system that has the same IP address as the backup archive:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 Select the archive you want to restore.

Step 5 Click Restore.

The Restore a Backup window is displayed.

Step 6 To restore specific items in the archive:
a Clear the All Items check box. The list of archived items is displayed.
b Select the check box for each item you want to restore.

Step 7 Click Restore.

A confirmation window is displayed. Each backup archive includes IP address information of the system from which the backup archive was created.
Step 8 Click OK.

The restore process begins. This process may take an extended period of time. When complete, a message is displayed.
Step 9 Click OK.

Step 10 Choose one of the following options:
a If the STRM interface was closed during the restore process, open a browser and log in to STRM.
b If the STRM interface has not been closed, the login window is displayed. Log in to STRM.

A window is displayed, providing the status of the restore process. This window provides any errors for each host and instructions for resolving the errors.

Step 11 Follow the instructions on the status window.

Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.

Note: If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data once the system is restored. If the secondary host was removed from the deployment after backup was performed, the secondary host displays a Failed status in the System and License Management window.

Restoring to a System with a Different IP Address

To restore your configuration information on a system with a different IP address than the backup archive:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Backup and Recovery icon.

The Backup Archives window is displayed.


Step 4 Select the archive you want to restore.

Step 5 Click Restore.

The Restore a Backup window is displayed. Because the IP address of the system on which you want to restore the information does not match the IP address of the backup archive, a message appears indicating that you must stop iptables on each managed host in your deployment.

Step 6 To restore specific items in the archive:
a Clear the All Items check box. The list of archived items is displayed.
b Select the check box for each item you want to restore.

Step 7 Stop iptables:
a Log in to the managed host as root.
b Type the following command:
service iptables stop
c Repeat for all managed hosts in your deployment.

Step 8 In the Restore a Backup window, click Test Host Access.

The Restore a Backup (Managed Hosts Accessibility) window is displayed.

Table 8-3 provides the following information:

Table 8-3 Restore a Backup (Managed Host Accessibility) Parameters

Host Name - Specifies the managed host name.
IP Address - Specifies the IP address of the managed host.
Access Status - Specifies the access status to the managed host. The options include:
Testing Access - Specifies the test to determine access status is not complete.
No Access - Specifies the managed host cannot be accessed.
OK - Specifies the managed host is accessible.

Step 9 When the accessibility of all hosts is determined and the status in the Access Status column indicates a status of OK or No Access, click Restore. The restore process begins.

Note: If the Access Status column indicates a status of No Access for a host, stop iptables (see Step 7) again and click Test Host Access to attempt a connection.
Step 10 Click OK.

The restore process begins. This process may take an extended period of time.
Step 11 Click OK.

Step 12 Choose one of the following options:
a If the STRM interface has been closed during the restore process, open a browser and log in to STRM.
b If the STRM interface has not been closed, the login window is displayed. Log in to STRM.

A window appears providing the status of the restore process. This window provides any errors for each host. This window also provides instructions for resolving errors that have occurred.
Step 13 Follow the instructions on the status window.

Note: The restore process only restores your configuration information. For assistance in restoring your data, see the Restoring Your Data Technical Note.

Note: If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data once the system is restored. If the secondary host was removed from the deployment after backup was performed, the secondary host displays a Failed status in the System and License Management window.


USING THE DEPLOYMENT EDITOR

Using the deployment editor, you can manage the individual components of your STRM SIEM deployment. Once you configure your deployment, you can access and configure the individual components of each managed host in your deployment.

Note: The Deployment Editor requires Java Runtime Environment (JRE). You can download Java 1.6.0_u24 at the following web site: http://www.java.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.

Caution: Many third-party web browsers that use the Internet Explorer engine, such as Maxthon or MyIE, install components that may be incompatible with the Admin interface. You may be required to disable any third-party web browsers installed on your system. For further assistance, please contact Customer Support.

To access the deployment editor from behind a proxy server or firewall, you must configure the appropriate proxy settings on your desktop. This allows the software to automatically detect the proxy settings from your browser. To configure the proxy settings: open the Java configuration located in your Control Panel and configure the IP address of your proxy server. For more information on configuring proxy settings, see your Microsoft documentation.

This chapter provides information on managing your views, including:

About the Deployment Editor
Building Your Event View
Managing Your System View
Configuring STRM Components


About the Deployment Editor

You can access the deployment editor using the Admin interface. You can use the deployment editor to create your deployment, assign connections, and configure each component. The deployment editor provides the following views of your deployment:

System View - Use the System View interface to assign software components, such as a QFlow Collector, to managed hosts in your deployment. The System View interface includes all managed hosts in your deployment. A managed host is a system in your deployment that has STRM software installed. By default, the System View interface also includes the following components:
Host Context - Monitors all STRM components to ensure that each component is operating as expected.
Accumulator - Analyzes flows, events, reporting, writing database data, and alerting a DSM. An accumulator resides on any host that contains an Event Processor.

Event View - Use the Event View interface to create a view of your components including QFlow Collectors, Event Processors, Event Collectors, Off-site Sources, Off-site Targets, and Magistrate components.

In the Event View interface, the left panel provides a list of components you can add to the view, and the right panel provides a view of your deployment. In the System View interface, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message is displayed, indicating that the assigned components to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.

Accessing the Deployment Editor

In the Admin interface, click Deployment Editor. The deployment editor is displayed.

Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You must manually deploy all changes using the Admin interface menu option. All deployed changes are then enforced throughout your deployment.

The deployment editor provides you with several menu and toolbar options when configuring your views, including:

Menu Options
Toolbar Options

Using the Editor

Menu Options

The displayed menu options depend on the selected component in your view. Table 9-1 provides a list of the menu options.

Table 9-1 Deployment Editor Menu Options

File menu:
Save to staging - Saves deployment to the staging area.
Save and close - Saves deployment to the staging area and closes the deployment editor.
Open staged deployment - Opens a deployment that was previously saved to the staging area.
Open production deployment - Opens a deployment that was previously saved.
Close current deployment - Closes the current deployment.
Revert - Reverts current deployment to the previously saved deployment.
Edit Preferences - Opens the preferences window.
Close editor - Closes the deployment editor.

Edit menu:
Delete - Deletes a component, host, or connection.


Table 9-1 Deployment Editor Menu Options (continued)

Actions menu:
Manage NATed Networks - Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment. This option is only available when a component is selected.
Add a managed host - Opens the Add a Managed Host wizard.
Rename component - Renames an existing component.
Configure - Configures STRM components. This option is only available when a QFlow Collector, Event Collector, Event Processor, or Magistrate is selected.
Assign - Assigns a component to a managed host. This option is only available when a QFlow Collector, Event Collector, Event Processor, or Magistrate is selected.
Unassign - Unassigns a component from a managed host. This option is only available when a QFlow Collector is selected. The host for the selected component must be running the same version of STRM software as the managed host.

Toolbar Options

The toolbar options include:

Table 9-2 Toolbar Options

Button descriptions (the button icons are not reproduced in this text), in toolbar order:
Saves deployment to the staging area and closes the deployment editor.
Opens current production deployment.
Opens a deployment that was previously saved to the staging area.
Discards recent changes and reloads last saved model.
Deletes selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software.
Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
Resets the zoom to the default.
Zooms in.
Zooms out.

Building Your Deployment

To build your deployment, you must:

1 Build your Event View. See Building Your Event View.
2 Build your System View. See Managing Your System View.
3 Configure components. See Configuring STRM Components.
4 Stage your deployment change. From the deployment editor menu, select File > Save to Staging.
5 Deploy all configuration changes. From the Admin interface menu, select Advanced > Deploy Changes.

For more information on the Admin interface, see Chapter 1 - Overview.

Before you Begin

Before you begin, you must:

Install all necessary hardware and STRM software.
Install the Java Runtime Environment (JRE). You can download Java 1.6.0_u24 at the following web site: http://www.java.com. If you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.
Plan your STRM deployment, including the IP addresses and login information for all devices in your STRM deployment.

Note: If you require assistance, please contact Juniper Networks Customer Support.


Configuring Deployment Editor Preferences

To configure the deployment editor preferences:

Step 1 Select File > Edit Preferences.

The Deployment Editor Settings window is displayed.

Step 2 Configure the parameters:

Presence Poll Frequency - Type how often, in milliseconds, you want the managed host to monitor your deployment for updates, for example, a new or updated managed host.
Zoom Increment - Type the increment value when the zoom option is selected. For example, 0.1 indicates 10%.

Building Your Event View

The Event View interface allows you to create and manage the components for your deployment, including the following components:

QFlow Collector - Collects data from devices, and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and STRM flow logs. Once the data is collected, the QFlow Collector groups related individual packets into a flow. STRM defines these flows as a communication session between two pairs of unique IP address/ports that use the same protocol. A flow starts when the QFlow Collector detects the first packet with a unique source IP address, destination IP address, source port, destination port, and other specific protocol options that determine the start of a communication. Each additional packet is evaluated. Counts of bytes and packets are added to the statistical counters in the flow record. At the end of an interval, a status record of the flow is sent to an Event Collector and statistical counters for the flow are reset. A flow ends when no activity for the flow is detected within the configured period of time. Flow reporting generates records of all active or expired flows during a specified period of time. If the protocol does not support port-based connections, STRM combines all packets between the two hosts into a single flow record. However, a QFlow Collector does not record flows until a connection is made to another STRM component and data is retrieved.


Event Collector - Collects security events from various types of security devices, known as log sources, in your network. The Event Collector gathers events from local and remote log sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.

Event Processor - An Event Processor processes event and flow data from the Event Collector. The events are bundled to conserve network usage. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events that allow the Event Processor to process according to the configured rules. Once complete, the Event Processor sends the events to the Magistrate. The Event Processor can be connected to the magistrate on a Console or connected to another Event Processor in your deployment. The Accumulator is responsible for gathering flow and event information from the Event Processor.

Note: The Event Processor on the Console is always connected to the magistrate. This connection cannot be deleted. See Figure 9-1 for an example STRM deployment that includes SIEM components.

Off-site Source - Indicates an off-site event or flow data source that forwards normalized data to an Event Collector. You can configure an off-site source to receive flows or events and allow the data to be encrypted before forwarding.

Off-site Target - Indicates an off-site device that receives event or flow data. An off-site target can only receive data from an Event Collector.

Magistrate - The Magistrate component provides the core processing components of the security information and event management (SIEM) system. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes the events or flows against the defined custom rules to create an offense. If no custom rules exist, the Magistrate uses the default rule set to process the offending event or flow. An offense is an event or flow that has been processed through STRM using multiple inputs, individual events or flows, and combined events or flows with analyzed behavior and vulnerabilities. Magistrate prioritizes the offenses and assigns a magnitude value based on several factors, including the amount of offenses, severity, relevance, and credibility. Once processed, Magistrate produces a list for each offense source, providing you with a list of attackers and their offense for each event or flow. Once the Magistrate establishes the magnitude, the Magistrate then provides multiple options for resolution.
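The flow model given in the QFlow Collector description above (a flow keyed by source IP, destination IP, source port, destination port and protocol; byte and packet counters that are reported and reset at the end of each interval; expiry after a period of inactivity; all packets of a port-less protocol between two hosts collapsed onto one flow record) worked through as an added Python model. This is not STRM or QFlow Collector code; the interval, timeout and packet sample are constructed values.

```python
"""Flow aggregation model for the QFlow Collector behaviour described above.

Added example, not STRM or QFlow Collector code. A flow is keyed by source IP,
destination IP, source port, destination port and protocol; byte and packet
counters accumulate; at the end of an interval a status record is reported and
the counters are reset; a flow ends after a period of inactivity; and packets of
a port-less protocol (ICMP here) between two hosts share one flow record.
Interval, timeout and the packet sample are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERVAL_SECONDS = 60      # constructed reporting interval
INACTIVITY_TIMEOUT = 120   # constructed inactivity timeout
PORT_BASED_PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    proto: str
    size: int
    src_port: int = 0
    dst_port: int = 0


@dataclass
class FlowRecord:
    key: Tuple
    first_seen: float
    last_seen: float
    interval_start: float
    packets: int = 0
    bytes: int = 0


def flow_key(pkt: Packet) -> Tuple:
    """Port-based protocols key on the full 5-tuple; others on the host pair."""
    if pkt.proto in PORT_BASED_PROTOCOLS:
        return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
    return (pkt.src_ip, pkt.dst_ip, pkt.proto)


class FlowTable:
    def __init__(self, interval=INTERVAL_SECONDS, timeout=INACTIVITY_TIMEOUT):
        self.interval = interval
        self.timeout = timeout
        self.active: Dict[Tuple, FlowRecord] = {}
        # Status records in the order they would be sent on to an Event Collector.
        self.status_records: List[dict] = []

    def _report(self, rec, reason):
        self.status_records.append({"key": rec.key, "packets": rec.packets,
                                    "bytes": rec.bytes, "reason": reason})
        rec.packets = 0   # counters are reset after every status record
        rec.bytes = 0

    def expire(self, now):
        """End every flow that has seen no activity for longer than the timeout."""
        stale = [k for k, r in self.active.items() if now - r.last_seen > self.timeout]
        for key in stale:
            self._report(self.active.pop(key), "expired")

    def observe(self, pkt):
        self.expire(pkt.ts)
        key = flow_key(pkt)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(key, pkt.ts, pkt.ts, pkt.ts)   # first packet starts a flow
            self.active[key] = rec
        elif pkt.ts - rec.interval_start >= self.interval:
            self._report(rec, "interval")   # interval over: report, then reset
            rec.interval_start = pkt.ts
        rec.packets += 1
        rec.bytes += pkt.size
        rec.last_seen = pkt.ts


# Constructed sample: one TCP session, one ICMP exchange, one much later UDP packet.
SAMPLE_PACKETS = [
    Packet(0, "10.0.0.5", "10.0.0.9", "tcp", 60, 51000, 443),
    Packet(5, "10.0.0.5", "10.0.0.9", "icmp", 84),
    Packet(6, "10.0.0.5", "10.0.0.9", "icmp", 84),
    Packet(10, "10.0.0.5", "10.0.0.9", "tcp", 1500, 51000, 443),
    Packet(20, "10.0.0.5", "10.0.0.9", "tcp", 1500, 51000, 443),
    Packet(70, "10.0.0.5", "10.0.0.9", "tcp", 60, 51000, 443),
    Packet(300, "10.0.0.5", "10.0.0.53", "udp", 70, 53000, 53),
]


def run_sample():
    """Feed the constructed packets through a FlowTable and return it."""
    table = FlowTable()
    for pkt in SAMPLE_PACKETS:
        table.observe(pkt)
    return table
```

After run_sample(), the table holds one interval record for the TCP flow (3 packets, 3060 bytes), an expiry record for each of the TCP and ICMP flows, and a single still-active UDP flow.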

By default, the Event View interface includes a Magistrate component. Figure 9-1 shows an example of a STRM deployment that includes SIEM components. The example shows a QFlow Collector, an Event Collector, and an Event Processor connected to the Magistrate, which allows for the collection, categorizing, and processing of flow and event information.

Figure 9-1 Example of SIEM Components in your STRM Deployment

To build your Event View:


1 Add SIEM components to your view. See Adding Components.
2 Connect the components. See Connecting Components.
3 Connect deployments. See Forwarding Normalized Events and Flows.
4 Rename the components so each component has a unique name. See Renaming Components.

Adding Components

You can add the following STRM components to your Event View:

Event Collector
Event Processor
Off-site Source
Off-site Target
QFlow Collector


Note: The procedures in this section provide information on adding STRM components using the Event View interface. You can also add components using the System View interface. For information on the System View interface, see Managing Your System View.

To add components to your Event View:
Step 1 In the Admin interface, click Deployment Editor.

The Event View interface is displayed.


Step 2 In the Event Tools panel, select a component you want to add to your deployment. The Adding a New Component wizard is displayed.

Step 3 Type a unique name for the component you want to add. The name can be up to 20 characters in length and may include underscores or hyphens. Click Next. The Assign Component window is displayed.


Step 4 From the Select a host to assign to drop-down list box, select a managed host you want to assign the new component to. Click Next.


Step 5 Click Finish.

Step 6 Repeat for each component you want to add to your view.

Step 7 From the deployment editor menu, select File > Save to staging.

The deployment editor saves your changes to the staging area and automatically closes.
Step 8 From the Admin interface menu, select Deploy Changes.

Connecting Components

Once you add all the necessary components in your Event View interface, you must connect them. The Event View interface only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor, but not a Magistrate component. To connect components:

Step 1 In the Event View interface, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.

Note: You can also right-click a component to access the Action menu item.

An arrow appears in your map. The arrow represents a connection between two components.
Step 3 Drag the end of the arrow to the component you want to establish a connection to.

Table 9-3 provides a list of components you are able to connect.


Table 9-3 Component Connections

QFlow Collector to Event Collector - A QFlow Collector can only be connected to an Event Collector. The number of connections is not restricted.

Event Collector to Event Processor - An Event Collector can only be connected to one Event Processor. A Console Event Collector can only be connected to a Console Event Processor. This connection cannot be removed. A non-Console Event Collector can be connected to an Event Processor on the same system. A non-Console Event Collector can be connected to a remote Event Processor, but only if the Event Processor does not already exist on the Console.

Event Collector to Off-site Target - The number of connections is not restricted.

Off-site Source to Event Collector - The number of connections is not restricted. An Event Collector connected to an Event-only appliance cannot receive an off-site connection from system hardware that has the Receive Flows feature enabled. An Event Collector connected to a QFlow-only appliance cannot receive an off-site connection from a remote system if the system has the Receive Events feature enabled. For more information, see Forwarding Normalized Events and Flows.

Event Processor to Magistrate (MPC) - Only one Event Processor can connect to a Magistrate.

Event Processor to Event Processor - A Console Event Processor cannot connect to a non-Console Event Processor. A non-Console Event Processor can be connected to another Console or non-Console Event Processor, but not both at the same time. A non-Console Event Processor is connected to a Console Event Processor when a non-Console managed host is added.

Step 4 Repeat for all remaining components that require connections.

Forwarding Normalized Events and Flows

To forward normalized events and flows, you must configure an off-site Event Collector (target) in your current deployment to receive events and flows from an associated off-site Event Collector in the receiving deployment (source). You can add the following components to your Event View interface:

Off-site Source - An off-site Event Collector from which you want to receive event and flow data. The off-site source must be configured with appropriate permissions to send event or flow data to the off-site target. Off-site Target - An off-site Event Collector to which you want to send event data.

For example, to forward normalized events between two deployments (A and B), where deployment B wants to receive events from deployment A:

1 Configure deployment A with an off-site target to provide the IP address of the managed host that includes Event Collector B.
2 Connect Event Collector A to the off-site target.
3 In deployment B, configure an off-site source with the IP address of the managed host that includes Event Collector A and the port that Event Collector A is monitoring.

If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, remove the off-site target and in deployment B, remove the off-site source.

To enable encryption between deployments, you must enable encryption on both the off-site source and target. Also, you must ensure the SSH public key for the off-site source (client) is available to the target (server) to ensure appropriate access. For example, if you want to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the off-site source to Event Collector B (add the contents of the file to /root/.ssh/authorized_keys).

Figure 9-2 Forwarding events between deployments using SSH.
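The authorized_keys step described above, as an added Python helper that is not STRM code: it appends the source's public key to the target's authorized_keys only if the key material is not already present, rejects lines that are not an OpenSSH public key, and enforces the 0700/0600 modes OpenSSH requires on .ssh and authorized_keys. File paths are parameters; the sample key and the scratch directory used by demo() are constructed.

```python
"""Idempotent authorized_keys update for an off-site source's public key.

Added example, not STRM code. It performs the step described above (append
the source's id_rsa.pub to the target's authorized_keys) in a way that is safe
to re-run: the key line is validated, appended only when its key material is
not already present, and the .ssh directory and authorized_keys file are left
with the 0700/0600 modes OpenSSH expects. Paths are parameters; the sample
key and scratch directory used by demo() are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed placeholder, not a real key.
SAMPLE_PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedPLACEHOLDERkeymaterial "
                 "root@offsite-source")


def parse_pubkey(line: str) -> tuple:
    """Return (key_type, key_material) for an OpenSSH public key line, or raise."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    return parts[0], parts[1]


def install_pubkey(pubkey_file: Path, authorized_keys: Path) -> bool:
    """Append the key in pubkey_file to authorized_keys unless it is already there.

    Returns True when a line was added, False when the key was already present.
    """
    key_line = pubkey_file.read_text().strip()
    _, material = parse_pubkey(key_line)
    ssh_dir = authorized_keys.parent
    ssh_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(ssh_dir, 0o700)   # mkdir's mode is subject to umask, so set it explicitly

    existing = authorized_keys.read_text().splitlines() if authorized_keys.exists() else []
    for entry in existing:
        try:
            if parse_pubkey(entry)[1] == material:   # compare key material, not the comment
                os.chmod(authorized_keys, 0o600)
                return False
        except ValueError:
            continue   # blank lines, comments and option-prefixed entries are not compared
    with authorized_keys.open("a") as fh:
        fh.write(key_line + "\n")
    os.chmod(authorized_keys, 0o600)
    return True


def permissions_ok(authorized_keys: Path) -> bool:
    """True when .ssh is 0700 and authorized_keys is 0600, as sshd requires."""
    dir_mode = stat.S_IMODE(authorized_keys.parent.stat().st_mode)
    file_mode = stat.S_IMODE(authorized_keys.stat().st_mode)
    return dir_mode == 0o700 and file_mode == 0o600


def demo() -> dict:
    """Run the installer twice against a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = Path(tmp) / "id_rsa.pub"
        pub.write_text(SAMPLE_PUBKEY + "\n")
        auth = Path(tmp) / "target" / ".ssh" / "authorized_keys"
        first = install_pubkey(pub, auth)
        second = install_pubkey(pub, auth)
        return {"first": first, "second": second,
                "lines": len(auth.read_text().splitlines()),
                "perms_ok": permissions_ok(auth)}
```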

Note: If the off-site source/target is an all-in-one system, the public key is not automatically generated, therefore, you must manually generate the public key. For more information on generating public keys, see your Linux documentation.

To forward normalized events and flows:
Step 1 In the Admin interface, click Deployment Editor.

The Event View interface is displayed.


Step 2 In the Components panel, select one of the following options:

Off-site Source
Off-site Target

The Adding a New Component wizard is displayed.


Step 3 Type a unique name for the off-site source or off-site target. The name can be up to 20 characters in length and may include underscores or hyphens. Click Next. The Add a New Off-site Source window is displayed.

Step 4 Enter values for the parameters:

Enter a name for the off-site host - Type the name of the off-site host. The name can be up to 20 characters in length and may include underscores or hyphens.

Enter the IP address of the source server - Type the IP address of the managed host you want to connect the off-site host to.
Receive Events - Select the check box to enable the off-site host to receive events.
Receive Flows - Select the check box to enable the off-site host to receive flows.
Encrypt traffic from off-site source - Select the check box to encrypt traffic from an off-site source. When enabling encryption, you must select this check box on the associated off-site source and target.

Step 5 Click Next.

Step 6 Click Finish.

Step 7 Repeat for all remaining off-site sources and targets.

Step 8 From the deployment editor menu, select File > Save to staging.

The deployment editor saves your changes to the staging area and automatically closes.
Step 9 From the Admin interface menu, select Advanced > Deploy Changes.

Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.

Renaming Components

You can rename a component in your view to uniquely identify components through your deployment. To rename a component:
Step 1 Select the component you want to rename.

Step 2 From the menu, select Actions > Rename Component.

Note: You can also right-click a component to access the Action menu items.

The Rename component window is displayed.

Step 3 Type a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click OK.


Managing Your System View

The System View interface allows you to manage all managed hosts in your network. A managed host is a component in your network that includes STRM software. If you are using a STRM appliance, the components for that appliance model are displayed in the System View interface. The System View interface allows you to select which component(s) you want to run on each managed host. Using the System View interface, you can:

Set up managed hosts in your deployment. See Setting Up Managed Hosts.
Use STRM with NATed networks in your deployment. See Using NAT with STRM.
Update the managed host port configuration. See Configuring a Managed Host.
Assign a component to a managed host. See Assigning a Component to a Host.
Configure Host Context. See Configuring Host Context.
Configure an Accumulator. See Configuring an Accumulator.

Setting Up Managed Hosts

Using the deployment editor, you can manage all hosts in your deployment, including:

Add a managed host to your deployment. See Adding a Managed Host.
Edit an existing managed host. See Editing a Managed Host.
Remove a managed host. See Removing a Managed Host.

You cannot add, assign or configure components on a non-Console managed host when the STRM software version is incompatible with the software version that the Console is running. If a managed host has previously assigned components and is running an incompatible software version, you can still view the components; however, you are not able to update or delete the components. For more information, contact Juniper Networks Customer Support.

Note: To enable SSH encryption between two managed hosts, each managed host must be running at least STRM 5.1. Encryption provides greater security for all STRM traffic between managed hosts.

To provide enhanced security, STRM also provides integrated support for OpenSSH and attachmateWRQ Reflection SSH software. Reflection SSH software provides a FIPS 140-2 certified encryption solution. When integrated with STRM, Reflection SSH provides secure communication between STRM components. For information on Reflection SSH, see http://www.wrq.com/products.

Note: You must have Reflection SSH installed on each managed host you want to encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other SSH software, such as OpenSSH.


Encryption occurs between managed hosts in your deployment, therefore, your deployment must consist of more than one managed host before encryption is possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from the client. A client is the system that initiates a connection in a client/server relationship. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on a managed host to provide protected access to the respective servers. If you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console.
Figure 9-3 shows the movement of traffic within a STRM deployment, including flows and event traffic and the client/server relationships within the deployment. When enabling encryption on a managed host, the encryption SSH tunnel is created on the client host. For example, if you enable encryption for the Event Collector in the deployment depicted in the figure below, the connection between the Event Processor and Event Collector and the connection between the Event Processor and Magistrate are encrypted. Figure 9-3 also displays the client/server relationship between the Console and the Ariel database. When you enable encryption on the Console, an encryption tunnel is used when performing event searches through the Offenses interface.

Note: You can right-click a component to enable encryption between components.

Caution: Enabling encryption reduces the performance of a managed host by at least 50%.

Figure 9-3 Encryption Tunnels

Adding a Managed Host

To add a managed host:


Note: Before you add a managed host, make sure the managed host includes STRM software.

Step 1 From the menu, select Actions > Add a managed host.

The Add New Host wizard is displayed.

Step 2 Click Next.

The Enter the hosts IP window is displayed.

Step 3 Enter values for the parameters:

Enter the IP of the server or appliance to add - Type the IP address of the host you want to add to your System View.

Enter the root password of the host - Type the root password for the host.

Confirm the root password of the host - Type the password again.

Host is NATed - Select the check box to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.

Enable Encryption - Select the check box to create an SSH encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

Enable Compression - Select the check box to enable data compression between two managed hosts. To enable compression, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT Settings window is displayed. Go to Step 4. Otherwise, go to Step 5.

Note: If you want to add a non-NATed managed host to your deployment when the Console is NATed, you must change the Console to a NATed host (see Changing the NAT Status for a Managed Host) before adding the managed host to your deployment.

Step 4 To select a NATed network, enter values for the following parameters:

Enter public IP of the server or appliance to add - Type the public IP address of the managed host. The managed host uses this IP address to communicate with other managed hosts in different networks using NAT.

Select NATed network - From the drop-down list box, select the network you want this managed host to use. If the managed host is on the same subnet as the Console, select the Console of the NATed network. If the managed host is not on the same subnet as the Console, select the managed host of the NATed network.

Note: For information on managing your NATed networks, see Using NAT with STRM.

Step 5 Click Next.

Step 6 Click Finish.

Note: If your deployment included undeployed changes, a window is displayed requesting you to deploy all changes.

The System View is displayed, including the host in the Managed Hosts panel.

Editing a Managed Host

To edit an existing managed host:

Step 1 Click the System View tab.

Step 2 Right-click the managed host you want to edit and select Edit Managed Host.

The Edit a managed host wizard is displayed.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.


Step 3 Click Next.

The attributes window is displayed.

Step 4 Edit the following values, as necessary:

Host is NATed - Select the check box if you want to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.

Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT settings window is displayed. Go to Step 5. Otherwise, go to Step 6.

Step 5 To select a NATed network, enter values for the following parameters:

Enter public IP of the server or appliance to add - Type the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.

Select NATed network - From the drop-down list box, select the network you want this managed host to use. For information on managing your NATed networks, see Using NAT with STRM.

Step 6 Click Next.

Step 7 Click Finish.

The System View interface is displayed, including the updated host in the Managed Hosts panel.

Removing a Managed Host

You can remove non-Console managed hosts from your deployment. You cannot remove a managed host that is hosting the STRM Console. To remove a managed host:

Step 1 Click the System View tab.

Step 2 Right-click the managed host you want to delete and select Remove host.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.

A confirmation window is displayed.

Step 3 Click OK.

Step 4 From the Admin interface menu, select Advanced > Deploy Full Configuration.

Using NAT with STRM

Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. NAT provides increased security for your deployment since requests are managed through the translation process and essentially hides internal IP addresses. Before you enable NAT for a STRM managed host, you must set up your NATed networks using static NAT translation. This ensures communications between managed hosts that exist within different NATed networks. For example, in Figure 9-4, the QFlow 500 QFC in Network 1 has an internal IP address of 10.100.100.1. When the QFlow 500 QFC wants to communicate with the Event Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.

Figure 9-4 Using NAT with STRM

Note: Before you enable NAT using STRM, your static NATed networks must be set up and configured on your network. For more information, see your network administrator.

You can add a non-NATed managed host using inbound NAT for a public IP address. You can also use a dynamic IP address for outbound NAT. However, both must be located on the same switch as the Console or managed host. You must configure the managed host to use the same IP address for the public and private IP addresses.

When adding or editing a managed host, you can enable NAT for that managed host. You can also use the deployment editor to manage your NATed networks, including:

Adding a NATed Network to STRM
Editing a NATed Network
Deleting a NATed Network From STRM
Changing the NAT Status for a Managed Host

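The rules above (static translation only, a non-NATed host keeps one address for public and private, the NATed network chosen by whether the host shares the Console's subnet) can be checked before a host is marked Host is NATed. The following Python is an added example and not STRM code; it models the static translation table of Figure 9-4 (10.100.100.1 seen as 192.15.2.1) with constructed hosts. The class and function names, the /24 prefix used for "same subnet" and the reading of "select the Console of the NATed network" as "pick the Console's network entry" are assumptions of this example.

```python
"""Static NAT sanity checks for STRM managed hosts (added example, not STRM code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ManagedHost:
    name: str
    private_ip: str
    public_ip: Optional[str]   # address peers in other NATed networks reach it on
    nated: bool                # state of the "Host is NATed" check box


def is_static_mapping(table: Dict[str, str]) -> bool:
    """Static NAT: each private address maps to exactly one public address and
    no public address is shared. A shared public address means dynamic NAT or
    PAT, which the guide says must not be used for managed hosts."""
    return len(set(table.values())) == len(table)


def translate(table: Dict[str, str], private_ip: str) -> str:
    """Address a peer in another NATed network sees for this host."""
    return table.get(private_ip, private_ip)


def same_subnet(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """The /24 prefix is an assumption; the guide only says 'same subnet'."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def nated_network_to_select(host: ManagedHost, console: ManagedHost) -> str:
    """Entry to pick in 'Select NATed network': the Console's network when the
    host shares the Console's subnet, otherwise the host's own network."""
    return console.name if same_subnet(host.private_ip, console.private_ip) else host.name


def check_host(host: ManagedHost, table: Dict[str, str]) -> List[str]:
    """Return the configuration problems found for one managed host."""
    problems: List[str] = []
    if host.nated:
        if not is_static_mapping(table):
            problems.append("NAT table is not static; managed hosts need static translation")
        expected = translate(table, host.private_ip)
        if host.public_ip != expected:
            problems.append(f"public IP {host.public_ip} does not match static translation {expected}")
    else:
        # A non-NATed host (inbound NAT to a public address, or dynamic outbound
        # NAT) must use the same address for public and private.
        if host.public_ip not in (None, host.private_ip):
            problems.append("non-NATed host must use the same public and private IP")
    return problems


# Constructed deployment following the Figure 9-4 description.
NAT_TABLE = {"10.100.100.1": "192.15.2.1", "10.100.100.2": "192.15.2.2"}
QFLOW = ManagedHost("qflow-500", "10.100.100.1", "192.15.2.1", nated=True)
CONSOLE = ManagedHost("console", "10.100.100.2", "192.15.2.2", nated=True)
COLLECTOR = ManagedHost("event-collector", "192.15.2.20", "192.15.2.20", nated=False)

if __name__ == "__main__":
    for h in (QFLOW, CONSOLE, COLLECTOR):
        print(h.name, "->", translate(NAT_TABLE, h.private_ip), check_host(h, NAT_TABLE) or "ok")
    print("qflow-500 selects NATed network:", nated_network_to_select(QFLOW, CONSOLE))
```

Run it against your own translation table before changing a host's NAT status; a host whose public address does not match the router's static entry is exactly the one that becomes unreachable after the deploy.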
Adding a NATed Network to STRM

To add a NATed network to your STRM deployment:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also select the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window is displayed.


Step 2 Click Add.

The Add New Nated Network window is displayed.

Step 3 Type a name for the network you want to use for NAT.

Step 4 Click OK.

The Manage NATed Networks window is displayed, including the added NATed network.
Step 5 Click OK.

A confirmation window is displayed.


Step 6 Click Yes.

Editing a NATed Network

To edit a NATed network:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also select the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window is displayed.


Step 2 Select the NATed network you want to edit. Click Edit.

The Edit NATed Network window is displayed.

Step 3 Type a new name for the NATed network.

Step 4 Click OK.

The Manage NATed Networks window is displayed, including the updated NATed networks.
Step 5 Click OK.

A confirmation window is displayed.


Step 6 Click Yes.

Deleting a NATed Network From STRM

To delete a NATed network from your deployment:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also select the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window is displayed.

Step 2 Select the NATed network you want to delete.

Step 3 Click Delete.

A confirmation window is displayed.


Step 4 Click OK.

Step 5 Click Yes.

Changing the NAT Status for a Managed Host

To change your NAT status for a managed host, make sure you update the managed host configuration within STRM before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host. To change the status of NAT (enable or disable) for an existing managed host:

Step 1 In the deployment editor, click the System View tab.

Step 2 Right-click the managed host you want to edit and select Edit Managed Host.


The Edit a managed host wizard is displayed.


Step 3 Click Next.

The Change the hosts networking and tunneling attributes window is displayed.

Step 4 Choose one of the following:

a If you want to enable NAT for the managed host, select the Host is NATed check box and click Next. Go to Step 5.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation.

b If you want to disable NAT for the managed host, clear the Host is NATed check box. Go to Step 6.

Step 5 To select a NATed network, enter values for the following parameters:

Change public IP of the server or appliance to add - Type the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.

Select NATed network - From the drop-down list box, select the network you want this managed host to use.

Manage NATs List - Click this icon to update the NATed network configuration. For more information, see Using NAT with STRM.

Step 6 Click Next.

Step 7 Click Finish.

The System View interface is displayed, including the updated host in the Managed Hosts panel.


Note: Once you change the NAT status for an existing managed host, error messages may be displayed. Ignore these error messages.

Step 8 Update the configuration for the device (firewall) to which the managed host is communicating.

Step 9 From the Admin interface menu, select Advanced > Deploy Full Configuration.

Configuring a Managed Host

To configure a managed host:

Step 1 From the System View interface, right-click the managed host you want to configure and select Configure.

The Configure host window is displayed.

Step 2 Enter values for the parameters:

Minimum port allowed - Type the minimum port for which you want to establish communications.

Maximum port allowed - Type the maximum port for which you want to establish communications.

Ports to exclude - Type the port(s) you want to exclude from communications. Separate multiple ports using a comma.

Step 3 Click Save.

Assigning a Component to a Host

You can assign the STRM components that you added in the Event View interface to the managed hosts in your deployment.

Note: This section provides information on assigning a component to a host using the System View interface; however, you can also assign components to a host in the Event View interface.

To assign a host:

Step 1 Click the System View tab.

Step 2 From the Managed Host list, select the managed host you want to assign a STRM component to.

The System View of the host is displayed.

Step 3 Select the component you want to assign to a managed host.

Step 4 From the menu, select Actions > Assign.

Note: You can also right-click a component to access the Actions menu items.

The Adding a new component wizard is displayed.

Step 5 From the Select a host drop-down list box, select the host that you want to assign to this component. Click Next.

Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.
Step 6 Click Finish.

Configuring Host Context

The Host Context component monitors all STRM components to make sure that each component is operating as expected. To configure the Host Context component:

Step 1 In the deployment editor, click the System View tab.

The System View interface is displayed.


Step 2 Select the managed host that includes the host context you want to configure.

Step 3 Select the Host Context component.

Step 4 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Actions menu item.


The Host Context Configuration window is displayed.


Step 5 Enter values for the parameters:

Table 9-4 Host Context Parameters

Disk Usage Sentinel Settings

Warning Threshold - Type the warning threshold for disk usage. When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage. The default warning threshold is 0.75; therefore, when disk usage exceeds 75%, an e-mail is sent indicating that disk usage is exceeding 75%. If disk usage continues to increase above the configured threshold, a new e-mail is sent after every 5% increase in usage. By default, Host Context monitors the following partitions for disk usage:

/
/store
/store/tmp

Recovery Threshold - Type the recovery threshold. Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90; therefore, processes are not restarted until disk usage is below 90%.

Shutdown Threshold - Type the shutdown threshold. When the system exceeds the shutdown threshold, all STRM processes are stopped. An e-mail is sent to the administrator indicating the current state of the system. The default is 0.95; therefore, when disk usage exceeds 95%, all STRM processes stop.

Note: For all three thresholds, notification e-mails are sent from the e-mail address specified in the Alert Email From Address parameter to the e-mail address specified in the Administrative Email Address parameter. These parameters are configured in the System Settings interface. For more information, see Chapter 5 - Setting Up STRM.

Table 9-4 Host Context Parameters (continued)

Inspection Interval - Type the frequency, in milliseconds, that you want to determine disk usage.

SAR Sentinel Settings

Inspection Interval - Type the frequency, in milliseconds, that you want to inspect SAR output. The default is 300,000 ms.

Alert Interval - Type the frequency, in milliseconds, that you want to be notified that the thresholds have been exceeded. The default is 7,200,000 ms.

Time Resolution - Type the time, in seconds, that you want the SAR inspection to be engaged. The default is 60 seconds.

Log Monitor Settings

Inspection Interval - Type the frequency, in milliseconds, that you want to monitor the log files. The default is 60,000 ms.

Monitored SYSLOG File Name - Type a filename for the SYSLOG file. The default is /var/log/qradar.error.

Alert Size - Type the maximum number of lines you want to monitor from the log file. The default is 1000.

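The three disk-usage thresholds in Table 9-4 interact: warning mails repeat after each 5% increase, a shutdown is only undone once usage has fallen below the recovery threshold, and the recovery threshold sits below the shutdown threshold so processes are not restarted straight into another shutdown. The following Python is an added example and not Host Context code; it replays constructed usage samples through those rules. The class and function names, the ordering check on the thresholds and the decision to re-arm the warning once usage drops back below the warning threshold are assumptions of this example.

```python
"""Model of the Host Context disk-usage sentinel thresholds (added example, not STRM code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DiskSentinel:
    warning: float = 0.75     # default Warning Threshold
    recovery: float = 0.90    # default Recovery Threshold
    shutdown: float = 0.95    # default Shutdown Threshold
    step: float = 0.05        # re-notify after every 5% increase above the warning
    processes_running: bool = True
    _last_warned: Optional[float] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        # Ordering check (assumption): with recovery above shutdown the
        # processes could be restarted while usage is still above shutdown.
        if not (0 < self.warning < self.recovery <= self.shutdown <= 1):
            raise ValueError("need 0 < warning < recovery <= shutdown <= 1")

    def observe(self, usage: float) -> List[str]:
        """Return the notifications or actions triggered by one usage sample (0..1)."""
        events: List[str] = []
        if not self.processes_running:
            # After a shutdown, stay down until usage falls below the recovery threshold.
            if usage < self.recovery:
                self.processes_running = True
                self._last_warned = None
                events.append(f"restart: usage {usage:.0%} below recovery {self.recovery:.0%}")
            else:
                events.append(f"hold: usage {usage:.0%} still at or above recovery {self.recovery:.0%}")
            return events
        if usage > self.shutdown:
            self.processes_running = False
            events.append(f"shutdown: usage {usage:.0%} exceeds {self.shutdown:.0%}; all processes stopped; mail admin")
            return events
        if usage > self.warning:
            # First crossing mails; afterwards mail again per 5% step of growth.
            if self._last_warned is None or usage >= self._last_warned + self.step - 1e-9:
                self._last_warned = usage
                events.append(f"warn: usage {usage:.0%} exceeds {self.warning:.0%}; mail admin")
        else:
            self._last_warned = None   # dropped below warning: a later crossing warns again
        return events


def replay(samples: List[float], **thresholds: float) -> List[str]:
    """Run all samples through one sentinel and return the flattened event log."""
    sentinel = DiskSentinel(**thresholds)
    log: List[str] = []
    for usage in samples:
        log.extend(sentinel.observe(usage))
    return log


if __name__ == "__main__":
    # Constructed /store usage trace: creeps past 75%, spikes past 95%, then drains.
    for line in replay([0.70, 0.76, 0.78, 0.81, 0.96, 0.93, 0.89, 0.89]):
        print(line)
```

The trace produces two warnings (76% and 81%, the second only after a full 5% step), a shutdown at 96%, a hold at 93% because that is still above the 90% recovery threshold, a restart at 89%, and then a fresh warning because 89% is still above the warning threshold.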
Step 6 Click Save.

The System View interface is displayed.

Configuring an Accumulator

The accumulator component assists with data collection and anomaly detection for the Event Processor on a managed host. The accumulator component is responsible for receiving streams of flows and events from the local Event Processor, writing database data, and contains the Anomaly Detection Engine (ADE). To configure an accumulator:

Step 1 In the deployment editor, click the System View tab.

The System View interface is displayed.

Step 2 Select the managed host you want to configure.

Step 3 Select the accumulator component.

Step 4 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Actions menu item.

The Accumulator Configuration window is displayed.


Table 9-5 Accumulator Parameters

Central Accumulator - Specifies if the current component is a central accumulator. A central accumulator only exists on a Console system. Options include:

True - Specifies that the component is a central accumulator on the Console and receives TCP data from non-central accumulators.
False - Specifies that the component is not a central accumulator, but is deployed on the Event Processor and forwards data to a central accumulator on the Console.

Anomaly Detection Engine - Type the address and port of the ADE. The ADE is responsible for analyzing network data and forwarding the data to the rule system for resolution. For the central accumulator, type the address and port using the following syntax: <Console>:<port>. For a non-central accumulator, type the address and port using the following syntax: <non-Console IP Address>:<port>.

Streamer Accumulator Listen Port - Type the listen port of the accumulator responsible for receiving streams of flows from the event processor. The default value is 7802.

Alerts DSM Address - Type the DSM address for forwarding alerts from the accumulator using the following syntax: <DSM_IP address>:<DSM port number>.

Step 5 Click Save.

The System View interface is displayed.


Configuring STRM Components

This section provides information on configuring STRM components, including:

Configuring a QFlow Collector
Configuring an Event Collector
Configuring an Event Processor
Configuring the Magistrate
Configuring an Off-site Source
Configuring an Off-site Target

Configuring a QFlow Collector

This section provides information on how to configure a QFlow Collector. For an overview of the QFlow Collector component, see Building Your Event View. To configure a QFlow Collector:

Step 1 From either the Event View or System View interface, select the QFlow Collector you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Actions menu items.

The QFlow Configuration window is displayed.

Step 3 Enter values for the parameters:


Table 9-6 QFlow Collector Parameters

Event Collector Connections - Specifies the Event Collector component connected to this QFlow Collector. The connection is displayed in the following format: <Host IP Address>:<Port>. If the QFlow Collector is not connected to an Event Collector, the parameter is empty.

QFlow Collector ID - Type a unique ID for the QFlow Collector.

Maximum Content Capture - Type the capture length, in bytes, to attach to a flow. The range is from 0 to 65535. A value of 0 disables content capture. The default is 64 bytes. QFlow Collectors capture a configurable number of bytes at the start of each flow. Transferring large amounts of content across the network may affect network and STRM performance. On managed hosts where the QFlow Collectors are located on close high-speed links, you can increase the content capture length.

Note: Increasing the content capture length increases disk storage requirements beyond the recommended disk allotment.

Alias Autodetection - Type one of the following values:

Yes - Enables the QFlow Collector to detect external flow source aliases. When a QFlow Collector receives traffic from a device with an IP address, but no current alias, the QFlow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the QFlow Collector adds this information to the database and reports this information to all QFlow Collectors in your deployment.
No - Prevents the QFlow Collector from detecting external flow source aliases.

For more information on flow sources, see Chapter 9 Managing Flow Sources.
Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters are displayed.


Step 5 Enter values for the parameters, as necessary:

Table 9-7 QFlow Collector Parameters

Event Collector Connections - Type the Event Collector connected to this QFlow Collector. The connection is displayed in the following format: <Host IP Address>:<Port>. If the QFlow Collector is not connected to an Event Collector, the parameter is empty.

Flow Routing Mode - Type one of the following values:

0 - Type 0 to enable Distributor Mode, which allows the QFlow Collector to group flows that have similar properties.
1 - Type 1 to enable Flow Mode, which prevents the bundling of flows.

Maximum Data Capture/Packet - Type the amount of bytes/packets you want the QFlow Collector to capture.

Time Synchronization Server IP Address - Type the IP address or hostname of the time server.

Time Synchronization Timeout Period - Type the length of time you want the managed host to continue attempting to synchronize the time before timing out. The default is 15 minutes.


Table 9-7 QFlow Collector Parameters (continued)

Endace DAG Interface Card Configuration - Type the Endace Network Monitoring Interface card parameters. For more information on the required input for this parameter, see the Juniper customer support web site or contact Customer Support.

Flow Buffer Size - Type the amount of memory, in MB, that you want to reserve for flow storage. The default is 400 MB.

Maximum Number of Flows - Type the maximum number of flows you want to send from the QFlow Collector to an Event Collector.

Remove duplicate flows - Type one of the following values:

Yes - Enables the QFlow Collector to remove duplicate flows.
No - Prevents the QFlow Collector from removing duplicate flows.

Verify NetFlow Sequence Numbers - Type one of the following values:

Yes - Enables the QFlow Collector to check the incoming NetFlow sequence numbers to ensure that all packets are present and in the proper order. A notification appears if a packet is missing or received out-of-order.
No - Prevents the QFlow Collector from checking the incoming NetFlow sequence numbers to ensure that all packets are present and in the proper order.

External Flow De-duplication method - Type the method you want to use to remove duplicate external flow sources (de-duplication). Options include:

Source - Enables the QFlow Collector to compare originating flow sources. This method compares the IP address of the device that exported the current external flow record to the IP address of the device that exported the first external record of the particular flow. If the IP addresses do not match, the current external flow record is discarded.
Record - Enables the QFlow Collector to compare individual external flow records. This method logs a list of every external flow record detected by a particular device and compares each subsequent record to that list. If the current record is found in the list, that record is discarded.

Flow Carry-over Window - Type the number of seconds before the end of an interval during which one-sided flows are held over until the next interval. This allows time for the inverse side of the flow to arrive before the flow is reported.


Table 9-7 QFlow Collector Parameters (continued)

External flow record comparison mask - Note: This parameter is only valid if you typed Record in the External Flow De-duplication method parameter. Type the external flow record fields you want to use to remove duplicate flows. Valid options include:

D - Direction
B - ByteCount
P - PacketCount

You can combine these options. Possible combinations of the options include:

DBP - Uses direction, byte count, and packet count when comparing flow records.
XBP - Uses byte count and packet count when comparing flow records.
DXP - Uses direction and packet count when comparing flow records.
DBX - Uses direction and byte count when comparing flow records.
DXX - Uses direction when comparing flow records.
XBX - Uses byte count when comparing records.
XXP - Uses packet count when comparing records.

Create Superflows - Type one of the following options:

Yes - Enables the QFlow Collector to create Superflows from groups of flows that have similar properties.
No - Prevents the creation of Superflows.


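The two de-duplication methods above behave differently on the same input: Source discards every record of a flow that did not come from the first exporter seen, while Record keeps one copy per exporter and discards only a record that device already sent, with the D/B/P mask deciding which counters count as "the same". The following Python is an added example and not QFlow Collector code; it implements both methods over constructed records and validates the mask. The record layout, the names, and the assumption that the flow 5-tuple is always part of the Record comparison are this example's own.

```python
"""External flow de-duplication by Source and by Record with a D/B/P mask (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int, int]   # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class ExtFlowRecord:
    exporter: str        # IP of the device that exported the record
    flow: FlowKey
    direction: str       # D
    byte_count: int      # B
    packet_count: int    # P


MASK_FIELDS = {"D": "direction", "B": "byte_count", "P": "packet_count"}


def comparison_fields(mask: str) -> Tuple[str, ...]:
    """Turn a mask such as 'DBP', 'XBX' or 'DXX' into the record fields compared.
    Position 1 is D or X, position 2 is B or X, position 3 is P or X."""
    if len(mask) != 3 or mask[0] not in "DX" or mask[1] not in "BX" or mask[2] not in "PX":
        raise ValueError(f"invalid comparison mask {mask!r}")
    return tuple(MASK_FIELDS[ch] for ch in mask if ch != "X")


def dedup_by_source(records: List[ExtFlowRecord]) -> List[ExtFlowRecord]:
    """Source method: the exporter of the first record seen for a flow owns it;
    records for that flow from any other exporter are discarded."""
    owner: Dict[FlowKey, str] = {}
    kept: List[ExtFlowRecord] = []
    for rec in records:
        if owner.setdefault(rec.flow, rec.exporter) == rec.exporter:
            kept.append(rec)
    return kept


def dedup_by_record(records: List[ExtFlowRecord], mask: str = "DBP") -> List[ExtFlowRecord]:
    """Record method: per exporting device, log every record (projected through
    the mask) and discard a later record already present in that device's log."""
    fields = comparison_fields(mask)
    seen: Dict[str, Set[tuple]] = {}
    kept: List[ExtFlowRecord] = []
    for rec in records:
        signature = (rec.flow,) + tuple(getattr(rec, f) for f in fields)
        log = seen.setdefault(rec.exporter, set())
        if signature in log:
            continue                     # duplicate from the same device
        log.add(signature)
        kept.append(rec)
    return kept


# Constructed input: exporters 10.0.0.1 and 10.0.0.2 both report the same TCP
# session; 10.0.0.1 also re-sends one record and then an updated one.
SESSION: FlowKey = ("192.0.2.10", 40000, "198.51.100.5", 443, 6)
SAMPLE = [
    ExtFlowRecord("10.0.0.1", SESSION, "out", 1200, 9),
    ExtFlowRecord("10.0.0.2", SESSION, "out", 1200, 9),   # same flow, second exporter
    ExtFlowRecord("10.0.0.1", SESSION, "out", 1200, 9),   # exact repeat
    ExtFlowRecord("10.0.0.1", SESSION, "out", 2400, 18),  # same flow, counters grew
    ExtFlowRecord("10.0.0.2", ("192.0.2.11", 50000, "198.51.100.5", 80, 6), "in", 300, 4),
]

if __name__ == "__main__":
    print("source    :", len(dedup_by_source(SAMPLE)), "records kept")
    for mask in ("DBP", "DXX", "XBX"):
        print(f"record/{mask}:", len(dedup_by_record(SAMPLE, mask)), "records kept")
```

Note the difference in what survives: Source keeps the updated-counter record (same exporter), whereas Record with mask DXX drops it because direction alone no longer distinguishes it from the first record that device sent.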
Type A Superflows - Type the threshold for type A superflows. A type A superflow is a group of flows from one host to many hosts. This is a unidirectional flow that is an aggregate of all flows that have different destination hosts, but the following parameters are the same:

Protocol
Source bytes
Source hosts
Destination network
Destination port (TCP and UDP flows only)
TCP flags (TCP flows only)
ICMP type and code (ICMP flows only)


Table 9-7 QFlow Collector Parameters (continued)

Type B Superflows - Type the threshold for type B superflows. A type B superflow is a group of flows from many hosts to one host. This is a unidirectional flow that is an aggregate of all flows that have different source hosts, but the following parameters are the same:

Protocol
Source bytes
Source packets
Destination host
Source network
Destination port (TCP and UDP flows only)
TCP flags (TCP flows only)
ICMP type and code (ICMP flows only)

Type C Superflows - Type the threshold for type C superflows. A type C superflow is a group of flows from one host to another host. This is a unidirectional flow that is an aggregate of all non-ICMP flows that have different source or destination ports, but the following parameters are the same:

Protocol
Source host
Destination host
Source bytes
Destination bytes
Source packets
Destination packets

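The three superflow types differ only in which field is allowed to vary and which fields form the grouping key, which is why a SYN sweep collapses into a type A superflow, many clients hitting one server into type B, and one client cycling ports against one server into type C. The following Python is an added example and not QFlow Collector code; it builds the grouping key for each type from the field lists above and applies a per-type threshold to constructed flows. Reading the threshold as "number of distinct flows needed to form a superflow", the /24 prefix used for "network", and all names are assumptions of this example.

```python
"""Superflow grouping keys for types A, B and C (added example, not QFlow code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: int            # 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    sport: int
    dport: int
    src_bytes: int
    dst_bytes: int
    src_packets: int
    dst_packets: int
    tcp_flags: str = ""   # e.g. "S" for a bare SYN
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _network(ip: str, prefix: int = 24) -> str:
    """'Destination network' / 'source network'; /24 is an assumed prefix."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _l4_part(f: Flow) -> tuple:
    """Protocol-dependent key fields: port and flags for TCP, port for UDP,
    type/code for ICMP, nothing for any other protocol."""
    if f.proto == 6:
        return (f.dport, f.tcp_flags)
    if f.proto == 17:
        return (f.dport,)
    if f.proto == 1:
        return (f.icmp_type, f.icmp_code)
    return ()


def key_type_a(f: Flow) -> tuple:            # one host -> many hosts
    return (f.proto, f.src_bytes, f.src, _network(f.dst)) + _l4_part(f)


def key_type_b(f: Flow) -> tuple:            # many hosts -> one host
    return (f.proto, f.src_bytes, f.src_packets, f.dst, _network(f.src)) + _l4_part(f)


def key_type_c(f: Flow) -> Optional[tuple]:  # one host -> one host, ports vary
    if f.proto == 1:                          # ICMP flows never form type C
        return None
    return (f.proto, f.src, f.dst, f.src_bytes, f.dst_bytes, f.src_packets, f.dst_packets)


# The field that is allowed to differ inside one superflow of each type.
SPREAD = {"A": lambda f: f.dst, "B": lambda f: f.src, "C": lambda f: (f.sport, f.dport)}
KEYS = {"A": key_type_a, "B": key_type_b, "C": key_type_c}


def build_superflows(flows: List[Flow], thresholds: Dict[str, int]) -> Dict[str, List[Tuple[tuple, int]]]:
    """Return, per type, (key, member count) for every group at or above its threshold."""
    result: Dict[str, List[Tuple[tuple, int]]] = {}
    for kind, keyfn in KEYS.items():
        groups: Dict[tuple, set] = {}
        for f in flows:
            key = keyfn(f)
            if key is not None:
                groups.setdefault(key, set()).add(SPREAD[kind](f))
        hits = [(k, len(m)) for k, m in groups.items() if len(m) >= thresholds[kind]]
        result[kind] = sorted(hits, key=lambda km: (-km[1], str(km[0])))
    return result


def sample_flows() -> List[Flow]:
    """Constructed traffic: a SYN sweep (type A shape), five clients on one web
    server (type B shape) and one client repeating DNS queries (type C shape)."""
    flows = [Flow(6, "192.0.2.10", f"10.1.1.{i}", 40000 + i, 22, 60, 0, 1, 0, "S") for i in range(1, 7)]
    flows += [Flow(6, f"10.1.2.{i}", "198.51.100.7", 51000 + i, 80, 500, 4000, 5, 6, "SA") for i in range(1, 6)]
    flows += [Flow(17, "192.0.2.20", "10.1.1.9", 53000 + i, 53, 70, 150, 1, 1) for i in range(4)]
    return flows


if __name__ == "__main__":
    for kind, hits in build_superflows(sample_flows(), {"A": 5, "B": 5, "C": 3}).items():
        print(kind, hits)
```

Raising a threshold above the size of a group makes that group fall back to individual flows, which is the knob the table exposes for each type.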
Recombine Asymmetric Superflows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is called asymmetric routing. You can combine flows received from one or more QFlow Collectors. However, if you want to combine flows from multiple QFlow Collectors, you must configure flow sources in the Asymmetric Flow Source Interface(s) parameter in the QFlow Collector configuration. Choose one of the following options:

Yes - Enables the QFlow Collector to recombine asymmetric flows.
No - Prevents the QFlow Collector from recombining asymmetric flows.


Table 9-7 QFlow Collector Parameters (continued)

Ignore Asymmetric Superflows - Type one of the following options:

Yes - Enables the QFlow Collector to create superflows while asymmetric flows are enabled.
No - Prevents the QFlow Collector from creating superflows while asymmetric flows are enabled.

Minimum Buffer Data - Type the minimum amount of data, in bytes, that you want the Endace Network Monitoring Interface Card to receive before the captured data is returned to the QFlow Collector process. For example, if this parameter is 0 and no data is available, the Endace Network Monitoring Interface Card allows non-blocking behavior.

Maximum Wait Time - Type the maximum amount of time, in microseconds, that you want the Endace Network Monitoring Interface Card to wait for the minimum amount of data, as specified in the Minimum Buffer Data parameter.

Polling Interval - Type the interval, in microseconds, that you want the Endace Network Monitoring Interface Card to wait before checking for additional data. A polling interval avoids excessive polling traffic to the card and, therefore, conserves bandwidth and processing time.

Step 6 Click Save.

The deployment editor is displayed.

Step 7 Repeat for all QFlow Collectors in your deployment you want to configure.

Configuring an Event Collector

This section provides information on how to configure an Event Collector. For an overview of the Event Collector component, see Building Your Event View. To configure an Event Collector:

Step 1 From either the Event View or System View interface, select the Event Collector you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Action menu items.

The Event Collector Configuration window is displayed.


Step 3 Enter values for the parameters:

Table 9-8 Event Collector Parameters

Destination Event Processor - Specifies the Event Processor component connected to this Event Collector. The connection is displayed in the following format: <Host IP Address>:<Port>. If the Event Collector is not connected to an Event Processor, the parameter is empty.

Flow Listen Port - Type the listen port for flows.

Event Forwarding Listen Port - Type the Event Collector event forwarding port.

Flow Forwarding Listen Port - Type the Event Collector flow forwarding port.

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters are displayed.


Step 5 Enter values for the parameters:

Table 9-9 Event Collector Advanced Parameters

Primary Collector - Specifies one of the following values:

True - Specifies that the Event Collector is located on a Console system.
False - Specifies that the Event Collector is located on a non-Console system.

Autodetection Enabled - Type one of the following values:

Yes - Enables the Event Collector to automatically analyze and accept traffic from previously unknown log sources. The appropriate firewall ports are opened to enable Autodetection to receive events. This is the default.
No - Prevents the Event Collector from automatically analyzing and accepting traffic from previously unknown log sources.

For more information on configuring log sources, see the Managing Log Sources Guide.

Flow Deduplication Filter - Type the amount of time, in seconds, that flows are buffered before they are forwarded.

Asymmetric Flow Filter - Type the amount of time, in seconds, that asymmetric flows are buffered before they are forwarded.

Step 6 Click Save.

The deployment editor is displayed.

Step 7 Repeat for all Event Collectors in your deployment you want to configure.


Configuring an Event Processor

This section provides information on how to configure an Event Processor. For an overview of the Event Processor component, see Building Your Event View. To configure an Event Processor:

Step 1 From either the Event View or System View interface, select the Event Processor you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Action menu items.

The Event Processor Configuration window is displayed.

Step 3 Enter values for the parameters:

Table 9-10 Event Processor Parameters

Event Collector Connections Listen Port - Type the port that the Event Processor monitors for incoming Event Collector connections. The default value is port 32005.

Event Processor Connections Listen Port - Type the port that the Event Processor monitors for incoming Event Processor connections. The default value is port 32007.
Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters are displayed.


Step 5 Enter values for the parameters, as necessary:

Table 9-11 Event Processor Advanced Parameters

Test Rules - Type one of the following options:
Locally - Rules are tested on the Event Processor and not shared with the system. Testing rules locally is the default for Console Event Processors.
Globally - Allows individual rules for every Event Processor to be shared and tested system wide. Each rule in Offenses > Rules can be toggled to Global for detection by any Event Processor on the system.
Note: The test rules drop-down list box in the Deployment Editor is available for non-Console Event Processors only.

Note: If a rule is configured to test locally, the Globally option does not override the rule's setting. For example, you create a rule to alert you when there are five failed login attempts within 5 minutes. The default for the rule is set to local. When the Event Processor containing the local rule observes five failed login attempts, the rule generates a response. When the rule in the example above is set to Global, the rule generates a response when five failed login attempts within 5 minutes are detected across any Event Processors. This means that when rules are shared globally, the rule can detect when one failed login attempt comes from each of five separate Event Processors. Testing rules globally is the default for non-Console Event Processors, with each rule on the Event Processor set to test locally.


Table 9-11 Event Processor Advanced Parameters (continued)

Overflow Event Routing Threshold - Type the events per second threshold that the Event Processor can manage. Events over this threshold are placed in the cache.
Overflow Flow Routing Threshold - Type the flows per minute threshold that the Event Processor can manage. Flows over this threshold are placed in the cache.
Events database path - Type the location where you want to store events. The default is /store/ariel/events.
Payloads database length - Type the location where you want to store payload information. The default is /store/ariel/payloads.

Step 6 Click Save.

The deployment editor is displayed.


Step 7 Repeat for all Event Processors in your deployment you want to configure.
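The difference between testing rules locally and globally, described for the Test Rules parameter in Table 9-11, is easiest to see on a sliding-window counter. The following Python is an added illustration and not STRM code: the Event Processor names (ep1 to ep5), user names and timestamps are constructed, and the five-failures-in-5-minutes threshold is the guide's own example. In local scope each Event Processor counts only what it saw, so one failure on each of five processors never fires; in global scope the same five failures are counted together and the rule responds.

```python
"""Local versus global rule testing, modelled on the five-failed-logins
example in Table 9-11.  Added illustration, not STRM code: the Event
Processor names, users and timestamps below are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5          # failed logins needed to fire the rule
WINDOW_SECONDS = 300   # "within 5 minutes"

# (seconds since start, Event Processor that observed the event, user name)
Event = Tuple[int, str, str]

# Constructed sample: one user spread across five processors, one user hammering
# a single processor, and one user whose attempts never fit inside the window.
SAMPLE_EVENTS: List[Event] = [
    (10, "ep1", "svc-backup"), (40, "ep2", "svc-backup"), (70, "ep3", "svc-backup"),
    (100, "ep4", "svc-backup"), (130, "ep5", "svc-backup"),
    (200, "ep1", "admin"), (230, "ep1", "admin"), (260, "ep1", "admin"),
    (290, "ep1", "admin"), (320, "ep1", "admin"),
    (0, "ep2", "guest"), (100, "ep2", "guest"), (200, "ep2", "guest"),
    (300, "ep2", "guest"), (400, "ep2", "guest"),
]


def failed_logins_trigger(events: List[Event], scope: str) -> List[Tuple[int, str, str]]:
    """Return one (time, counting-key, user) tuple per rule response.

    scope="local":  each Event Processor counts only the failures it saw itself.
    scope="global": failures from every Event Processor are counted together
                    (the counting key is then the single value "ALL").
    """
    if scope not in ("local", "global"):
        raise ValueError("scope must be 'local' or 'global'")
    # Sliding window of timestamps per (counting key, user).
    windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    responses: List[Tuple[int, str, str]] = []
    for ts, processor, user in sorted(events):
        key = (processor if scope == "local" else "ALL", user)
        window = windows[key]
        window.append(ts)
        # Drop attempts older than the 5-minute window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            responses.append((ts, key[0], user))
            window.clear()  # one response per burst, then start counting again
    return responses


if __name__ == "__main__":
    print("local :", failed_logins_trigger(SAMPLE_EVENTS, "local"))
    print("global:", failed_logins_trigger(SAMPLE_EVENTS, "global"))
```

Run as a script it prints one response for the admin burst in local scope and two responses (svc-backup across five processors, then admin) in global scope; the guest attempts are 100 seconds apart and never reach five inside the window in either scope.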

Configuring the Magistrate

This section provides information on how to configure the Magistrate. For an overview of the Magistrate component, see Building Your Event View. To configure the Magistrate component:

Step 1 From either the Event View or System View interfaces, select the Magistrate component you want to configure.


Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Action menu items.

The Magistrate Configuration window is displayed.

Step 3 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters are displayed.

Step 4 In the Overflow Routing Threshold field, type the events per second threshold that the Magistrate can manage. Events over this threshold are placed in the cache. The default is 20,000.

Step 5 Click Save.

The deployment editor is displayed.



Configuring an Off-site Source

This section provides information on how to configure an off-site source. For an overview of the off-site source component, see Building Your Event View.

Note: When configuring off-site source and target components, we recommend that you deploy the Console with the off-site source first and the Console with the off-site target second to prevent connection errors.

To configure an off-site source component:

Step 1 From either the Event View or System View interfaces, select the off-site source you want to configure.


Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Action menu items.

The Off-site Source Configuration window is displayed.

Step 3 Enter values for the parameters:

Table 9-12 Off-site Source Parameters

Receive Events - Type one of the following values:
True - Enables the system to receive events from the off-site source host.
False - Prevents the system from receiving events from the off-site source host.
Receive Flows - Type one of the following values:
True - Enables the system to receive flows from the off-site source host.
False - Prevents the system from receiving flows from the off-site source host.



Step 4 Click Save.

The deployment editor is displayed.


Step 5 Repeat for all off-site sources in your deployment you want to configure.


Configuring an Off-site Target

This section provides information on how to configure an off-site target. For an overview of the off-site target component, see Building Your Event View.

Note: When configuring off-site source and target components, we recommend that you deploy the Console with the off-site source first and the Console with the off-site target second to prevent connection errors.

To configure an off-site target component:

Step 1 From either the Event View or System View interfaces, select the off-site target you want to configure.


Step 2 From the menu, select Actions > Configure.

Note: You can also right-click a component to access the Action menu items.

The Off-site Target Configuration window is displayed.

Step 3 Enter values for the parameters:

Table 9-13 Off-site Target Parameters

Event Collector Listen Port - Type the Event Collector listen port for receiving event data. The default listen port for events is 32004.
Note: If the off-site target system has been upgraded from a previous STRM software version, you must change the port from the default (32004) to the port specified in the Event Forwarding Listen Port parameter for the off-site target. For more information on how to access the Event Forwarding Listen port on the off-site target, see Configuring an Event Collector.
Flow Collector Listen Port - Type the Event Collector listen port for receiving flow data. The default listen port for flows is 32000.

Step 4 Click Save.


MANAGING FLOW SOURCES

This chapter provides information on managing flow sources in your deployment, including:

About Flow Sources
Managing Flow Sources
Managing Flow Source Aliases

About Flow Sources

STRM allows you to integrate flow sources. Flow sources are classed as either internal or external:

Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the internal flow sources may include:
Network Interface Card
Endace Network Monitoring Interface Card
Napatech Interface

External flow sources - Includes any external flow sources that send flows to the QFlow Collector. If your QFlow Collector receives multiple flow sources, you can assign each flow source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same QFlow Collector. External flow sources may include:
NetFlow
sFlow
J-Flow
Packeteer
Flowlog File

STRM can forward external flow source data using the spoofing or non-spoofing method:

Spoofing - Resends the inbound data received from flow sources to a secondary destination. To ensure flow source data is sent to a secondary destination, configure the Monitoring Interface in the Flow Source configuration (see Adding a Flow Source) to the port on which data is being received (management port). When you use a specific interface, the QFlow Collector uses a promiscuous mode capture to obtain flow source data, rather than the default UDP listening port on port 2055. This allows the QFlow Collector to capture flow source packets and forward the data.

Non-Spoofing - For the non-spoofing method, configure the Monitoring Interface parameter in the Flow Source Configuration (see Adding a Flow Source) as Any. The QFlow Collector opens the listening port, which is the port configured as the Monitoring Port, to accept flow source data. The data is processed and forwarded to another flow source destination. The source IP address of the flow source data becomes the IP address of the STRM system, not the original router that sent the data.

NetFlow

A proprietary accounting technology developed by Cisco Systems Inc. that monitors traffic flows through a switch or router, interprets the client, server, protocol, and port used, counts the number of bytes and packets, and sends that data to a NetFlow collector. The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure STRM to accept NDEs and thus become a NetFlow collector. STRM supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see http://www.cisco.com.

While NetFlow expands the amount of the network that is monitored, NetFlow uses a connection-less protocol (UDP) to deliver NDEs. Once an NDE is sent from a switch or router, the NetFlow record is purged. As UDP is used to send this information and does not guarantee the delivery of data, NetFlow records can be lost, resulting in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for NetFlow, you must:

Make sure the appropriate firewall rules are configured. If you change your External Flow Source Monitoring Port parameter in the QFlow Collector configuration, you must also update your firewall access configuration. For more information about QFlow Collector configuration, see Chapter 8 - Using the Deployment Editor.
Make sure the appropriate ports are configured for your QFlow Collector.

If you are using NetFlow version 9, make sure the NetFlow template from the NetFlow source includes the following fields:

FIRST_SWITCHED
LAST_SWITCHED
PROTOCOL
IPV4_SRC_ADDR
IPV4_DST_ADDR
L4_SRC_PORT
L4_DST_PORT
IN_BYTES and/or OUT_BYTES
IN_PKTS and/or OUT_PKTS
TCP_FLAGS (TCP flows only)
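A missing field in an exporter's version 9 template is easy to overlook until flows arrive without timestamps or byte counts. The following Python is an added example, not STRM code: it parses the template flowsets of a NetFlow v9 packet and reports which of the fields listed above are absent. The field type numbers are the standard NetFlow v9 assignments from RFC 3954; the packets it builds for demonstration are constructed, and the parser skips data flowsets and stops at template padding.

```python
"""Checking a NetFlow v9 template for the fields listed under "NetFlow".
Added example, not STRM code.  Field type numbers are the standard NetFlow
v9 assignments from RFC 3954; the packets built below are constructed.
"""
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954, section 8) for the fields the guide names.
FIELD_TYPES: Dict[str, int] = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "TCP_FLAGS": 6,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "L4_DST_PORT": 11,
    "IPV4_DST_ADDR": 12, "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22,
    "OUT_BYTES": 23, "OUT_PKTS": 24,
}

# Each entry lists alternatives; at least one of them must be in the template.
# TCP_FLAGS is only needed for TCP flows, so it is not treated as mandatory here.
REQUIRED: List[List[str]] = [
    ["FIRST_SWITCHED"], ["LAST_SWITCHED"], ["PROTOCOL"],
    ["IPV4_SRC_ADDR"], ["IPV4_DST_ADDR"], ["L4_SRC_PORT"], ["L4_DST_PORT"],
    ["IN_BYTES", "OUT_BYTES"], ["IN_PKTS", "OUT_PKTS"],
]

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId


def parse_v9_templates(packet: bytes) -> Dict[int, List[int]]:
    """Return {template_id: [field_type, ...]} from every template flowset (id 0)."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version = V9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates: Dict[int, List[int]] = {}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        end = offset + length
        if flowset_id == 0:  # template flowset; data flowsets (id >= 256) are skipped
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if template_id == 0 and field_count == 0:
                    break  # trailing padding to a 4-byte boundary
                if pos + 4 * field_count > end:
                    raise ValueError("template runs past its flowset")
                fields = []
                for _ in range(field_count):
                    field_type, _field_len = struct.unpack_from("!HH", packet, pos)
                    fields.append(field_type)
                    pos += 4
                templates[template_id] = fields
        offset = end
    return templates


def missing_fields(field_types: List[int]) -> List[str]:
    """Names of required fields (or alternatives) absent from a template."""
    present = set(field_types)
    missing = []
    for alternatives in REQUIRED:
        if not any(FIELD_TYPES[name] in present for name in alternatives):
            missing.append(" or ".join(alternatives))
    return missing


def check_packet(packet: bytes) -> Dict[int, List[str]]:
    """Map every template id in the packet to its list of missing fields."""
    return {tid: missing_fields(fields) for tid, fields in parse_v9_templates(packet).items()}


def build_template_packet(templates: List[Tuple[int, List[Tuple[int, int]]]]) -> bytes:
    """Constructed v9 packet carrying the given (template_id, [(type, length)]) templates."""
    body = b""
    for template_id, fields in templates:
        body += struct.pack("!HH", template_id, len(fields))
        for field_type, field_len in fields:
            body += struct.pack("!HH", field_type, field_len)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    header = V9_HEADER.pack(9, len(templates), 123456, 1318204800, 1, 0)
    return header + flowset


# Constructed templates: one complete, one that an exporter left incomplete.
COMPLETE = [(22, 4), (21, 4), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4), (6, 1)]
INCOMPLETE = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]

if __name__ == "__main__":
    print(check_packet(build_template_packet([(256, COMPLETE), (257, INCOMPLETE)])))
```

Pointing `check_packet` at a template packet captured from the exporter (for example with a packet capture on the Monitoring Port) gives an empty list for a usable template and names the missing fields otherwise; in the constructed sample, template 257 lacks both switched timestamps, the protocol, and any packet counter.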

sFlow

A multi-vendor and end-user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously. sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. STRM supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on sFlow, see http://www.sflow.org.

sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the sFlow record is purged. As UDP is used to send this information and does not guarantee the delivery of data, sFlow records can be lost, resulting in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for sFlow, you must:

Make sure the appropriate firewall rules are configured.
Make sure the appropriate ports are configured for your QFlow Collector.

J-Flow

A proprietary accounting technology used by Juniper Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on J-Flow, see http://www.juniper.net.

J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the J-Flow record is purged. As UDP is used to send this information and does not guarantee the delivery of data, J-Flow records can be lost, resulting in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for J-Flow, you must:

Make sure the appropriate firewall rules are configured.
Make sure the appropriate ports are configured for your QFlow Collector.

Packeteer

Packeteer devices collect, aggregate, and store network performance data. Once you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to STRM.

Packeteer uses a connection-less protocol (UDP). Once data is sent from a switch or router, the Packeteer record is purged. As UDP is used to send this information and does not guarantee the delivery of data, Packeteer records can be lost, resulting in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

To configure Packeteer as an external flow source, you must:

Make sure the appropriate firewall rules are configured.
Make sure that you configure Packeteer devices to export flow detail records and configure the QFlow Collector as the destination for the data export.
Make sure the appropriate ports are configured for your QFlow Collector.
Make sure the class IDs from the Packeteer devices can automatically be detected by the QFlow Collector. For additional information on mapping Packeteer applications into STRM, see the Mapping Packeteer Applications into STRM Technical Note.

Flowlog File

A file generated from the STRM flow logs.

Napatech Interface

If you have a Napatech Network Adapter installed on your STRM system, the Napatech Interface option appears as a configurable packet-based flow source in the STRM interface. The Napatech Network Adapter provides a next-generation programmable and intelligent network adapter for your network. For more information regarding Napatech Network Adapters, see your Napatech vendor documentation.

Managing Flow Sources

For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance. STRM also includes a default NetFlow flow source. Also, once you assign a QFlow Collector, STRM includes a default NetFlow flow source. This section includes:

Adding a Flow Source
Editing a Flow Source
Enabling/Disabling a Flow Source
Deleting a Flow Source


Adding a Flow Source

To add a flow source:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Sources icon.

The Flow Source window is displayed.

Step 5 Click Add.

The Add Flow Source window is displayed.

Step 6 Enter values for the parameters:

Table 10-1 Add Flow Source Window Parameters

Build from existing flow source - Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Flow Source Name - Type a name for the flow source. We recommend that for an external flow source that is also a physical device, you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. For example, if you want to use NetFlow traffic, type nf1.
Target Collector - Using the drop-down list box, select the Event Collector you want to use for this flow source.
Flow Source Type - Using the drop-down list box, select the flow source type for this flow source. The options are:
Flowlog File
JFlow
Netflow v.1, v5, v7, or v9
Network Interface
Packeteer FDR
SFlow v.2, v.4, or v.5
Pre-2010.0 Off-site Flow Source
Napatech, if applicable
Endace, if applicable
Note: For more information on adding a pre-2010.0 off-site flow source running STRM 2009.2 or earlier, see Appendix F - Configuring Flow Forwarding From Pre-2010.0 Off-Site Flow Sources.
Enable Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select this check box if you want to enable asymmetric flows for this flow source.
Source File Path - Type the source file path for the flowlog file.

Step 7 Choose one of the following:

a If you select the Flowlog File option in the Flow Source Type parameter, configure the Source File Path, which is the source path location for the flow log file.

b If you select the JFlow, Netflow, Packeteer FDR, or sFlow options in the Flow Source Type parameter, configure the following:

Table 10-2 External Flow parameters

Monitoring Interface - Using the drop-down list box, select the monitoring interface you want to use for this flow source.
Monitoring Port - Type the port you want this flow source to use. For the first NetFlow flow source configured in your network, the default port is 2055. For each additional NetFlow flow source, the default port number increments by 1. For example, the default port for the second NetFlow flow source is 2056.
Enable Flow Forwarding - Select the check box to enable flow forwarding for this flow source. Once the check box is selected, the following options appear:
Forwarding Port - Type the port to which you want to forward flows. The default is 1025.
Forwarding Destinations - Type the destinations you want to forward flows to. You can add or remove addresses from the list using the Add and Remove buttons.

c If you select the Pre-2010.0 Off-site Flow Source option in the Flow Source Type parameter, configure the Flow Source Address. For more information on adding a pre-2010.0 off-site flow source, see Appendix F - Configuring Flow Forwarding From Pre-2010.0 Off-Site Flow Sources.

d If you select the Napatech Interface option in the Flow Source Type parameter, type the Flow Interface you want to assign to this flow source.

Note: The Napatech Interface option only appears if you have a Napatech Network Adapter installed in your system.

e If you select the Network Interface option as the Flow Source Type parameter, configure the following:

Table 10-3 Network Interface Parameters

Flow Interface - Using the drop-down list box, select the log source you want to assign to this flow source.
Note: You can only configure one log source per Ethernet Interface. Also, you cannot send different flow types to the same port.
Filter String - Type the filter string for this flow source.

Step 8 Click Save.

Step 9 From the Admin interface menu, click Deploy Changes.
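The Asymmetric Flow Filter described under Configuring an Event Collector (a hold time in seconds) and the Enable Asymmetric Flows check box in Table 10-1 both concern the same situation: with asymmetric routing, the two directions of one conversation are seen on different interfaces or collectors and arrive as two one-sided records. The following Python is an added illustration of that idea, not STRM's implementation: it holds a one-sided flow for a configurable number of seconds, merges the reverse direction into it if it turns up, and forwards it alone once the hold time passes. The flow records, collector names and the 30-second hold are constructed.

```python
"""Buffering asymmetric flows until the reverse direction arrives, as the
Asymmetric Flow Filter (Configuring an Event Collector) and the Enable
Asymmetric Flows check box (Table 10-1) describe.  Added illustration of
the idea, not STRM's implementation; the flow records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, int, int]  # src, dst, proto, sport, dport


@dataclass
class Flow:
    first_seen: int           # seconds
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes_fwd: int
    bytes_rev: int = 0
    sources: List[str] = field(default_factory=list)  # flow sources that reported it

    def key(self) -> Key:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self) -> Key:
        return (self.dst, self.src, self.proto, self.dport, self.sport)


class AsymmetricFlowBuffer:
    """Hold one-sided flows for up to hold_seconds so the other direction,
    possibly seen on a different interface or collector, can be merged in."""

    def __init__(self, hold_seconds: int, enabled: bool = True) -> None:
        self.hold = hold_seconds
        self.enabled = enabled
        self.pending: Dict[Key, Flow] = {}
        self.forwarded: List[Flow] = []

    def observe(self, rec: Flow, source: str, now: int) -> None:
        rec.sources = [source]
        if not self.enabled:           # check box cleared: every direction is its own flow
            self.forwarded.append(rec)
            return
        partner = self.pending.pop(rec.reverse_key(), None)
        if partner is not None:        # reverse direction was waiting: merge and forward
            partner.bytes_rev += rec.bytes_fwd
            partner.sources.append(source)
            self.forwarded.append(partner)
        else:
            self.pending[rec.key()] = rec
        self.expire(now)

    def expire(self, now: int) -> None:
        """Forward one-sided flows whose hold time has run out."""
        for key, flow in list(self.pending.items()):
            if now - flow.first_seen > self.hold:
                self.forwarded.append(self.pending.pop(key))


def summarize(flows: List[Flow]) -> List[Tuple[str, str, int, int, List[str]]]:
    return [(f.src, f.dst, f.bytes_fwd, f.bytes_rev, f.sources) for f in flows]


def run_sample(enabled: bool = True) -> Tuple[List[Tuple[str, str, int, int, List[str]]], int]:
    """Feed constructed records through a 30-second buffer; return (forwarded, still pending)."""
    buf = AsymmetricFlowBuffer(hold_seconds=30, enabled=enabled)
    # Outbound half seen by one collector, inbound half seen by another 5 s later.
    buf.observe(Flow(0, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1200), "qflow-a", now=0)
    buf.observe(Flow(5, "203.0.113.10", "10.0.0.5", 6, 443, 51000, 8400), "qflow-b", now=5)
    # A DNS query whose reply never shows up.
    buf.observe(Flow(10, "10.0.0.7", "198.51.100.20", 17, 40000, 53, 80), "qflow-a", now=10)
    # Unrelated traffic 50 s later pushes the lonely DNS flow past its hold time.
    buf.observe(Flow(60, "10.0.0.9", "198.51.100.30", 6, 52000, 80, 400), "qflow-b", now=60)
    return summarize(buf.forwarded), len(buf.pending)


if __name__ == "__main__":
    print(run_sample())
```

With the buffer enabled the HTTPS conversation is forwarded once, as a bidirectional flow carrying both byte counts and both collector names, and the unanswered DNS query is forwarded alone after its hold time; with it disabled every record is forwarded immediately as a one-directional flow. The hold time is the trade-off the Asymmetric Flow Filter setting expresses: a longer value pairs more flows but delays forwarding by that much.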


Editing a Flow Source

To edit a flow source:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Data Sources.

The Data Source panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Sources icon.

The Flow Source window is displayed.


Step 5 Select the flow source you want to edit.
Step 6 Click Edit.

The Edit Flow Source window is displayed.

Step 7 Edit values, as necessary. For more information on values for flow source types, see Adding a Flow Source.


Step 8 Click Save.
Step 9 From the Admin interface menu, click Deploy Changes.

Enabling/Disabling a Flow Source

To enable or disable a flow source:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Sources icon.

The Flow Source window is displayed.



Step 5 Select the flow source you want to enable or disable.
Step 6 Click Enable/Disable.

The Enabled column indicates if the flow source is enabled or disabled. If the flow source was previously disabled, the column now indicates True to indicate the flow source is now enabled. If the flow source was previously enabled, the column now indicates False to indicate the flow source is now disabled.
Step 7 From the Admin interface menu, click Deploy Changes.

Deleting a Flow Source

To delete a flow source:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Sources icon.

The Flow Source window is displayed.


Step 5 Select the flow source you want to delete.
Step 6 Click Delete.

A confirmation window is displayed.


Step 7 Click OK.
Step 8 From the Admin interface menu, click Deploy Changes.

Managing Flow Source Aliases

You can configure a virtual name (or alias) for flow sources. You can identify multiple sources being sent to the same QFlow Collector, using the source IP address and virtual name. An alias allows a QFlow Collector to uniquely identify and process data sources being sent to the same port. When a QFlow Collector receives traffic from a device with an IP address but no current alias, the QFlow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the QFlow Collector adds this information to the database, and it is reported to all QFlow Collectors in your deployment.

Note: Using the deployment editor, you can configure the QFlow Collector to automatically detect flow source aliases. For more information, see Chapter 8 Managing Flow Sources.


This section includes:

Adding a Flow Source Alias
Editing a Flow Source Alias
Deleting a Flow Source Alias

Adding a Flow Source Alias

To add a flow source alias:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Source Aliases icon.

The Flow Source Alias window is displayed.


Step 5 Click Add.

The Flow Source Alias Management window is displayed.

Step 6 Enter values for the parameters:

IP - Type the IP address of the flow source alias.
Name - Type a unique name for the flow source alias.

Step 7 Click Save.
Step 8 From the Admin interface menu, click Deploy Changes.

Editing a Flow Source Alias

To edit a flow source alias:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.


The Flows panel is displayed.


Step 4 Click the Flow Source Aliases icon.

The Flow Source Alias window is displayed.


Step 5 Select the flow source alias you want to edit.
Step 6 Click Edit.

The Flow Source Alias Management window is displayed.


Step 7 Update values, as necessary.
Step 8 Click Save.
Step 9 From the Admin interface menu, click Deploy Changes.

Deleting a Flow Source Alias

To delete a flow source alias:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 4 Click the Flow Source Aliases icon.

The Flow Source Aliases window is displayed.


Step 5 Select the flow source alias you want to delete.
Step 6 Click Delete.

A confirmation window is displayed.


Step 7 Click OK.
Step 8 From the Admin interface menu, click Deploy Changes.

10

CONFIGURING REMOTE NETWORKS AND SERVICES


In the Admin interface, you can group remote networks and services for use in the custom rules engine, flow and event searches, and in STRM Risk Manager (if available). Remote network and service groups enable you to represent traffic activity on your network for a specific profile. All remote network and service groups have group levels and leaf object levels. This chapter includes:

Managing Remote Networks
Managing Remote Services
Using Best Practices

You can edit remote network and service groups by adding objects to existing groups or changing pre-existing properties to suit your environment.

Caution: If you move an existing object to another group (select a new group and click Add Group), the object name moves from the existing group to the newly selected group; however, when the configuration changes are deployed, the object data stored in the database is lost and the object ceases to function. We recommend that you create a new view and recreate the object (that exists with another group).

Managing Remote Networks

Remote network groups display user traffic originating from named remote networks. Once you create remote network groups, you can aggregate flow and event search results on remote network groups, and create rules that test for activity on remote network groups. This section provides information on managing the remote networks, including:

Default Remote Network Groups
Adding a Remote Networks Object
Editing a Remote Networks Object


Default Remote Network Groups

STRM includes the following default remote network groups:


Table 11-1 Default Remote Network Groups

BOT - Specifies traffic originating from BOT applications.
Bogon - Specifies traffic originating from un-assigned IP addresses. Note: Bogon reference: http://www.team-cymru.org/Services/Bogons/
HostileNets - Specifies traffic originating from known hostile networks. HostileNets has a set of 20 (rank 1 to 20 inclusive) configurable CIDR ranges.
Neighbours - This group is blank by default. You must configure this group to classify traffic originating from neighboring networks.
Smurfs - Specifies traffic originating from Smurf attacks. A Smurf attack is a type of denial-of-service attack that floods a destination system with spoofed broadcast ping messages. This group is non-configurable.
Superflows - A superflow is a flow that is an aggregate of a number of flows that have a similar predetermined set of elements.
TrustedNetworks - This group is blank by default. You must configure this group to classify traffic originating from trusted networks.
Watchlists - This group is blank by default. You can configure this group to classify traffic originating from networks you want to monitor.

Note: Groups and objects that include superflows are for informational purposes only and cannot be edited. Groups and objects that include bogons are configured by the Automatic Update function.

Adding a Remote Networks Object

To add a remote network object:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Remote Networks and Services Configuration.

The Remote Networks and Services Configuration panel is displayed.


Step 3 Click the Remote Networks icon.
Step 4 Click Add.

The Add New Object window is displayed.


Step 5 Enter values for the following parameters:

Table 11-2 Remote Networks - Add New Object Parameters

Group - From the drop-down list box, select a group for this object or click Add Group to add a new group.
Name - Type a unique name for the object.
Weight - Type or select a weight for the object.
IP/CIDR(s) - Type the IP address or CIDR range for the object. Click Add.
Description - Type a description for the object.
Database Length - From the drop-down list box, select the database length.

Step 6 Click Save.
Step 7 Click Return.

Step 8 Close the Remote Networks View window.
Step 9 From the Admin interface menu, click Deploy Changes.

All changes are deployed.
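What a remote network object buys you once deployed is the ability to group search results and rule tests by the group an endpoint falls into, rather than by raw IP. The following Python is an added example, not STRM code, modelled on the Group, Name, Weight and IP/CIDR(s) fields of Table 11-2 and the group names of Table 11-1. The objects use the RFC 5737 documentation ranges (not real hostile or trusted networks), the flow records are constructed, and the precedence rule (most specific CIDR wins, then higher weight) is this example's own choice, not a statement of how STRM resolves overlaps.

```python
"""Classifying flow endpoints against remote network groups, modelled on the
Group, Name, Weight and IP/CIDR(s) fields of Table 11-2 and the group names
of Table 11-1.  Added example, not STRM code; the objects, flows and the
longest-prefix/weight precedence rule are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNetwork = ipaddress.IPv4Network


@dataclass(frozen=True)
class RemoteObject:
    group: str
    name: str
    weight: int
    cidrs: Tuple[IPNetwork, ...]


def make_object(group: str, name: str, weight: int, cidrs: List[str]) -> RemoteObject:
    return RemoteObject(group, name, weight, tuple(ipaddress.ip_network(c) for c in cidrs))


# Constructed objects using the documentation ranges (RFC 5737), not real hostile nets.
SAMPLE_OBJECTS: List[RemoteObject] = [
    make_object("Bogon", "test-net-1", 5, ["192.0.2.0/24"]),
    make_object("HostileNets", "rank-1", 10, ["198.51.100.0/24"]),
    make_object("TrustedNetworks", "partner-vpn", 1, ["203.0.113.0/25"]),
    make_object("Watchlists", "partner-vpn-suspect", 8, ["203.0.113.64/26"]),
]


def classify(ip: str, objects: List[RemoteObject] = SAMPLE_OBJECTS) -> Optional[RemoteObject]:
    """Most specific CIDR wins; among equal prefix lengths the higher weight wins."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int, RemoteObject]] = None
    for obj in objects:
        for net in obj.cidrs:
            if addr in net:
                candidate = (net.prefixlen, obj.weight, obj)
                if best is None or candidate[:2] > best[:2]:
                    best = candidate
    return best[2] if best else None


# (source IP, destination IP, bytes) - constructed flow records
Flow = Tuple[str, str, int]
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "198.51.100.7", 1200),   # destination in HostileNets
    ("203.0.113.9", "10.0.0.5", 500),     # source in TrustedNetworks only
    ("203.0.113.70", "10.0.0.8", 900),    # source in both /25 and /26: Watchlists wins
    ("192.0.2.44", "10.0.0.5", 300),      # source in Bogon
    ("10.0.0.5", "8.8.8.8", 100),         # no remote network object matches
]


def aggregate_bytes(flows: List[Flow]) -> Dict[str, int]:
    """Sum bytes per remote network group, like a flow search grouped on remote networks."""
    totals: Dict[str, int] = {}
    for src, dst, nbytes in flows:
        groups = {o.group for o in (classify(src), classify(dst)) if o is not None}
        for group in groups or {"Other"}:
            totals[group] = totals.get(group, 0) + nbytes
    return totals


def flows_matching_group(flows: List[Flow], group: str) -> List[Flow]:
    """The rule-style test: flows with either endpoint in the named group."""
    return [f for f in flows
            if any(o is not None and o.group == group for o in (classify(f[0]), classify(f[1])))]


if __name__ == "__main__":
    print(aggregate_bytes(SAMPLE_FLOWS))
    print(flows_matching_group(SAMPLE_FLOWS, "HostileNets"))
```

The overlap case is the one worth checking before deploying: the partner VPN /25 is trusted but a /26 inside it is on a watchlist, and the classifier must send 203.0.113.70 to Watchlists, not TrustedNetworks. Whatever precedence your deployment actually applies, test such overlaps with a search before relying on a rule built on them.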


Editing a Remote Networks Object

To edit an existing Remote Networks object:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Remote Networks and Services Configuration.

The Remote Networks and Services Configuration panel is displayed.


Step 3 Click the Remote Networks icon.

The Manage Group window is displayed.

Table 11-3 Manage Group

Name - Specifies the name assigned to the view.
Actions - Specifies the action available for each group, including: Open view properties window.

Step 4 Click the group you want to display.

The Manage Group window is displayed.


Table 11-4 Manage Group

Name - Specifies the name assigned to the object.
Value(s) - Specifies IP address(es) or CIDR ranges assigned to this object.
Actions - Specifies the actions available for each object, including: Edit object properties. Delete object.

Step 5 Click the edit icon.

The Properties window is displayed.


Step 6 Edit values as necessary. See Table 11-2.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Remote Networks View window.
Step 10 From the Admin interface menu, click Deploy Changes.

All changes are deployed.

Managing Remote Services

Remote services groups organize traffic originating from user-defined network ranges or, if desired, the Juniper Networks automatic update server. Once you create remote service groups, you can aggregate flow and event search results, and create rules that test for activity on remote service groups. This section provides information on managing the Remote Services groups, including:

Default Remote Service Groups
Adding a Remote Services Object
Editing a Remote Services Object


Default Remote Service Groups

STRM includes the following default remote service groups:


Table 11-5 Default Remote Service Groups

IRC_Servers - Specifies traffic originating from addresses commonly known as chat servers.
Online_Services - Specifies traffic originating from addresses commonly known as online services that may involve data loss.
Porn - Specifies traffic originating from addresses commonly known to contain explicit pornographic material.
Proxies - Specifies traffic originating from commonly known open proxy servers.
Reserved_IP_Ranges - Specifies traffic originating from reserved IP address ranges.
Spam - Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail.
Spy_Adware - Specifies traffic originating from addresses commonly known to contain spyware or adware.
Superflows - Specifies traffic originating from addresses commonly known to produce superflows.
Warez - Specifies traffic originating from addresses commonly known to contain pirated software.

Adding a Remote Services Object

To add a Remote Services Object:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Remote Networks and Services Configuration.

The Remote Networks and Services Configuration panel is displayed.


Step 3 Click the Remote Services icon.

The Manage Group window is displayed.


Step 4 Click Add.

The Add New Object window is displayed.


Step 5 Enter values for the following parameters:

Table 11-6 Remote Services - Add New Object Parameters

Group - From the drop-down list box, select a group for the object or click Add Group to add a new group.
Name - Type the name for the object.
Weight - Type or select a weight for the object.
IP/CIDR(s) - Type the IP address/CIDR range for the object. Click Add.
Description - Type a description for the object.
Database Length - From the drop-down list box, select the database length.

Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Applications View window.
Step 9 From the Admin interface menu, click Deploy Changes.

All changes are deployed.

Editing a Remote Services Object

To edit an existing Remote Services object:

Step 1 Click the Admin tab.

The Admin interface is displayed.


Step 2 In the navigation menu, click Remote Networks and Services Configuration.

The Remote Networks and Services Configuration panel is displayed.


Step 3 Click the Remote Services icon.


The Manage Group window is displayed.


Table 11-7 Manage Group

Name - Specifies the name assigned to the group.
Actions - Specifies the action available for each group: Open view properties window.

Step 4 Click the group you want to display.

The Manage Group window is displayed.


Table 11-8 Manage Group

Name - Specifies the name assigned to the object.
Value - Specifies the ports assigned to this object.
Actions - Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 5 Click the edit icon.

The Properties window is displayed.

Step 6 Edit values as necessary. See Table 11-6.
Step 7 Click Save.
Step 8 Click Return.
Step 9 Close the Remote Services View window.
Step 10 From the Admin interface menu, click Deploy Changes.

All changes are deployed.

Using Best Practices

Given the complexities and network resources required for STRM in large structured networks, we recommend the following best practices:

Bundle objects and use the Network Activity and Log Activity interfaces to analyze your network data. Fewer objects create less I/O to your disk.
Typically, no more than 200 objects per group (for standard system requirements). More objects may impact your processing power when investigating your traffic.


CONFIGURING RULES

From the Log Activity, Network Activity, and Offenses interfaces, you can configure rules or building blocks. Rules perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response. For a complete list of rules, see Appendix B - Enterprise Template. The two rule categories are:

Custom Rules - Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network.
Anomaly Detection Rules - Anomaly detection rules perform tests on the results of saved flow or event searches as a means to detect when unusual traffic patterns occur in your network.

Possible responses to a rule include:


Creating an offense.
Generating a response to an external system, including the following server types: syslog, Simple Network Management Protocol (SNMP).
Sending an e-mail.
Generating system notifications using the Dashboard feature.

The tests in each rule can also reference other building blocks and rules. You do not need to create rules in any specific order because the system checks for dependencies each time a new rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning is displayed and no action is taken. Each rule may contain the following components:

Functions - With functions, you can use building blocks and other rules to create a multi-event, multi-flow, or multi-offense function. You can also connect rules using functions that support Boolean operators, such as OR and AND. For example, if you want to connect event rules, you can use the when an event matches any|all of the following rules function. For a complete list of functions, see Appendix C - Rule Tests.


Building blocks - A building block is a rule without a response and is used as a common variable in multiple rules or to build complex rules or logic that you want to use in other rules. You can save a group of tests as building blocks for use with other functions. Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The default building blocks are provided as guidelines, which should be reviewed and edited based on the needs of your network. For a complete list of building blocks, see Appendix B - Enterprise Template.
Tests - You can run tests on the property of an event, flow, or offense, such as source IP address, severity of event, or rate analysis. For a complete list of tests, see Appendix C - Rule Tests.

A user with non-administrative access can create rules for areas of the network that they can access. You must have the appropriate role permissions to manage rules. For more information on role permissions, see Chapter 2 - Managing Users. This chapter includes:
Viewing Rules
Creating a Custom Rule
Creating an Anomaly Detection Rule
Copying a Rule
Managing Rules
Grouping Rules
Editing Building Blocks

Viewing Rules

To view deployed rules:


Step 1 Click the Offenses tab.

The Offenses interface is displayed.


Step 2 In the navigation menu, click Rules.

The rules interface is displayed.


Step 3 From the Display drop-down list box, select Rules.

The list of deployed rules is displayed.


For more information on the default rules, see Appendix B - Enterprise Template. The Rules window provides the following information for each rule:

Table 12-1 Rules Window Parameters

Rule Name - Specifies the name of the rule.
Group - Specifies the group to which this rule is assigned. For more information on groups, see Grouping Rules.
Rule Category - Specifies the rule category for the rule. Options include: Custom Rule, Anomaly Detection Rule.
Rule Type - Specifies the rule type. Custom rule types include: Event, Flow, Common, Offense. Anomaly detection rule types include: Anomaly, Threshold, Behavioral.
Enabled - Specifies whether the rule is enabled or disabled. For more information on enabling and disabling rules, see Enabling/Disabling Rules.
Response - Specifies the rule response, if any. For more information on rule responses, see Table 12-3.
Event/Flow Count - Specifies the number of events or flows associated with this rule.
Offense Count - Specifies the number of offenses generated by this rule.


Table 12-1 Rules Window Parameters (continued)

Origin - Specifies whether this rule is a default rule (System) or a custom rule (User).
Creation Date - Specifies the date and time this rule was created.
Modification Date - Specifies the date and time this rule was modified.

The Rules interface toolbar provides the following functions:

Table 12-2 Rules Interface Toolbar

Display - From the drop-down list box, select whether you want to display rules or building blocks in the rules list.
Group - From the drop-down list box, select which rule group you want to be displayed in the rules list. Click Groups to manage rule groups. For more information on grouping rules, see Grouping Rules.
Actions - Click Actions and select one of the following options:
New Event Rule - Select this option to create a new event rule. See Creating a Custom Rule.
New Flow Rule - Select this option to create a new flow rule. See Creating a Custom Rule.
New Common Rule - Select this option to create a new common rule. See Creating a Custom Rule.
New Offense Rule - Select this option to create a new offense rule. See Creating a Custom Rule.
Enable/Disable - Select this option to enable or disable selected rules. See Enabling/Disabling Rules.
Duplicate - Select this option to copy a selected rule. See Copying a Rule.
Edit - Select this option to edit a selected rule. See Editing a Rule.
Delete - Select this option to delete a selected rule. See Deleting a Rule.
Assign Groups - Select this option to assign selected rules to rule groups. See Assigning an Item to a Group.
Revert Rule - Click Revert Rule to revert a modified system rule to the default value. Once you click Revert Rule, a confirmation window is displayed. When you revert a rule, any previous modifications are permanently removed. Note: If you want to maintain a version of your modified rule, we recommend you use the Duplicate option. Duplicate the rule, and then use the Revert Rule option on the modified rule.


Table 12-2 Rules Interface Toolbar (continued)

Search Rules - Type your search criteria in the Search Rules field and click the search rules icon or press Enter on the keyboard. All rules that match your search criteria are displayed in the rules list. The following parameters are searched for a match with your search criteria: Rule Name, Rule (description), Notes, Response. The Search Rule feature first attempts to locate a direct text string match. If no match is found, the Search Rule feature then attempts a regular expression (regex) match.
Step 4 Select the rule you want to view.

If you selected a rule that specifies Custom Rule as the rule category, the Custom Rules Wizard is displayed. If you selected a rule that specifies Anomaly Detection Rule as the rule category, the Anomaly Detection Wizard is displayed. In the Rule and Notes fields, descriptive information is displayed.

Creating a Custom Rule

Custom rules include the following rule types:

Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you want to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.
Flow Rule - A flow rule performs tests on flows as they are processed in real-time by the QFlow Collector. You can create a flow rule to detect a single flow (within certain properties) or flow sequences. It is common for flow rules to create offenses as a response.

Common Rule - A common rule performs tests on fields that are common to both event and flow records. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system schedules the offense for reassessment. It is common for offense rules to e-mail a notification as a response.

To create a new rule:


Step 1 Click the Offenses tab.

The Offenses interface is displayed.


Step 2 In the navigation menu, click Rules.

The Rules window is displayed.


Step 3 From the Actions drop-down list box, select one of the following options:
a New Event Rule - Select this option to configure a rule for events.
b New Flow Rule - Select this option to configure a rule for flows.
c New Common Rule - Select this option to configure a rule for events and flows.
d New Offense Rule - Select this option to configure a rule for offenses.

The Rule Wizard window is displayed.

Note: If you do not want to view the Welcome message on the Rules Wizard window again, select the Skip this page when running the rules wizard check box.

Step 4 Read the introductory text. Click Next.

You are prompted to choose the source from which you want this rule to apply. The default is the rule type you selected in the Offenses interface.

Step 5 If required, select the rule type you want to apply to the rule. Click Next.

The Rules Test Stack Editor is displayed.


Step 6 To add a test to a rule:
a From the Test Group drop-down list box, select the type of test you want to apply to this rule. The list of tests is displayed. For information on tests, see Appendix C - Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test. The selected test(s) are displayed in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded test, click and at the beginning of the test. The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the test. Click the underlined configurable parameter to configure. See Appendix C - Rule Tests.

Step 7 In the enter rule name here field, type a unique name you want to assign to this rule.
Step 8 From the drop-down list box, select whether you want to test the rule locally or globally:
Local - The rule is tested on the local Event Processor and not shared with the system. The default is Local.
Global - The rule is shared and tested by any Event Processor on the system.


Step 9 To export the configured rule as a building block to use with other rules:
a Click Export as Building Block. The Save Building Block dialog box is displayed.
b Type a unique name for this building block.
c Click Save.
Step 10 In the groups area, select the check box(es) of the groups to which you want to assign this rule. For more information on grouping rules, see Grouping Rules.
Step 11 In the Notes field, type any notes you want to include for this rule. Click Next.

In the Rules Wizard, the Rule Responses window is displayed, which allows you to configure the action STRM takes when the event or flow sequence is detected.


Step 12 Choose one of the following:
a If you are configuring an Event Rule, Flow Rule, or Common Rule:

Table 12-3 Event/Flow/Common Rule Response Window Parameters

Rule Action
Severity - Select this check box if you want this rule to set or adjust severity. Once selected, you can use the drop-down list boxes to configure the desired severity level. For more information about severity, see the STRM Users Guide.
Credibility - Select this check box if you want this rule to set or adjust credibility. Once selected, you can use the drop-down list boxes to configure the desired credibility level. For more information about credibility, see the STRM Users Guide.
Relevance - Select this check box if you want this rule to set or adjust relevance. Once selected, you can use the drop-down list boxes to configure the desired relevance level. For more information about relevance, see the STRM Users Guide.
Ensure the detected event is part of an offense - Select this check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to the offense. Once you select this check box, the following options are displayed:
Index offense based on - From the drop-down list box, select the parameter on which you want to index the offense. The default is Source IP. For event rules, options include destination IP, destination IPv6, destination MAC address, destination port, event name, hostname, log source, rule, source IP, source IPv6, source MAC address, source port, or username. For flow rules, options include App ID, destination ASN, destination IP, destination IP Identity, destination port, event name, rule, source ASN, source IP, source IP identity, or source Port. For common rules, options include destination IP, destination IP identity, destination port, rule, source IP, source IP identity and source port.


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

Annotate this offense - Select this check box to add an annotation to this offense and type the annotation.
Include detected events by <index> from this point forward, for second(s), in the offense - Select this check box and type the number of seconds you want to include detected events by <index> in the Offenses interface. This field indicates the parameter on which the offense is indexed. The default is Source IP.

Annotate event - Select this check box if you want to add an annotation to this event and type the annotation you want to add to the event.
Drop the detected event - Select this check box to force an event, which would normally be sent to the Magistrate component, to be sent to the Ariel database for reporting or searching. This event does not display in the Offenses interface.
Rule Response
Dispatch New Event - Select this check box to dispatch a new event in addition to the original event or flow, which will be processed like all other events in the system. The Dispatch New Event parameters are displayed when you select this check box. By default, the check box is clear.
Event Name - Type a unique name for the event you want to be displayed in the Offenses interface.
Event Description - Type a description for the event. The description is displayed in the Annotations section of the event details.
Severity - From the drop-down list box, select the severity for the event. The range is 0 (lowest) to 10 (highest) and the default is 0. The Severity is displayed in the Annotation section of the event details. For more information about severity, see the STRM Users Guide.
Credibility - From the drop-down list box, select the credibility of the event. The range is 0 (lowest) to 10 (highest) and the default is 10. Credibility is displayed in the Annotation section of the event details. For more information about credibility, see the STRM Users Guide.


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

Relevance - From the drop-down list box, select the relevance of the event. The range is 0 (lowest) to 10 (highest) and the default is 10. Relevance is displayed in the Annotations section of the event details. For more information about relevance, see the STRM Users Guide.
High-Level Category - From the drop-down list box, select the high-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E - Event Categories.
Low-Level Category - From the drop-down list box, select the low-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E - Event Categories.
Annotate this offense - Select this check box to add an annotation to this offense and type the annotation.
Ensure the dispatched event is part of an offense - Select this check box if you want, as a result of this rule, the event forwarded to the Magistrate component. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added. Once you select this check box, the following options are displayed:
Index offense based on - From the drop-down list box, select the parameter on which you want to index the offense. The default is Source IP. For event rules, options include destination IP, destination IPv6, destination MAC address, destination port, event name, hostname, log source, rule, source IP, source IPv6, source MAC address, source port, or username. For flow rules, options include App ID, destination ASN, destination IP, destination IP Identity, destination port, event name, rule, source ASN, source IP, source IP identity, or source Port. For common rules, options include destination IP, destination IP identity, destination port, rule, source IP, source IP identity and source port.


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

Include detected events by <index> from this point forward, for second(s), in the offense - Select this check box and type the number of seconds you want to include detected events by <index> in the Offenses interface. This field indicates the parameter on which the offense is indexed. The default is Source IP.
Offense Naming - Select one of the following options:
This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s). This is the default.
Email - Select this check box to display the e-mail options. By default, the check box is clear.
Enter email addresses to notify - Type the e-mail address(es) to send notification if this rule generates. Separate multiple e-mail addresses using a comma.


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

SNMP Trap - Note: This parameter is only displayed when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 5 - Setting Up STRM. Select this check box to send an SNMP trap. The SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A - Juniper Networks MIB. For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog - Select this check box if you want to log the event or flow. By default, the check box is clear. For example, the syslog output may resemble: Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Notify - Select this check box if you want events that generate as a result of this rule to be displayed in the System Notifications item in the Dashboard interface. For more information on the Dashboard interface, see the STRM Users Guide. Note: If you enable notifications, we recommend that you configure the Response Limiter parameter.


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

Add to Reference Set - The Rules interface allows you to create rules to import event and flow data into a reference set. A reference set is a set of data, such as a list of IP addresses. Once you have created a reference set, you can create rules to detect when log or network activity associated with the reference set occurs on your network. Select this check box if you want events that generate as a result of this rule to add data to a reference set. To add data to a reference set:
1 Using the first drop-down list box, select the data you want to add. Options include all normalized or custom data.
2 Using the second drop-down list box, select the reference set to which you want to add the specified data.
The Add to Reference Set rule response provides the following functions:


Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)

New - Click New to add a new reference set and configure the following parameters:
Name - Type a unique name for the reference set.
Type - From the drop-down list box, select the data type. Options include String, Numeric, IP, and Port.
Maximum number of elements - Type the maximum number of data elements you want to store in this reference set. The default is 10,000 and the maximum is 500,000.
Edit - Click Edit to edit the reference set name and maximum number of data elements for the selected reference set.
Delete - Click Delete to delete the reference set.
Purge - Click Purge to delete the contents of the reference set while maintaining the reference set.
Hint: You can create a reference set to contain data derived from an external file. For example, you can create a reference set to retain data about terminated employees. First, you add a log source to import a text file containing terminated employee data, such as IP addresses and usernames. Then, using the Custom Rule Wizard, create a reference set specifying which data you want to retain from the external file. Once the reference set is created, you create a rule that generates a response when a reference set element, such as the IP address of a terminated employee, is detected on your network. For more information on adding a log source, see the Log Sources User Guide.
Response Limiter - Select this check box and use the drop-down list boxes to configure the frequency at which you want this rule to respond.
Enable Rule - Select this check box to enable this rule. By default, the check box is selected.

b If you are configuring an Offense Rule:

Table 12-4 Offense Rule Response Window Parameters

Rule Action


Table 12-4 Offense Rule Response Window Parameters (continued)

Name / Annotate the detected offense - Select this check box to display Name options.
New Offense Name - Type the name you want to assign to the offense.
Offense Annotation - Type the offense annotation you want to be displayed in the Offenses interface.
Offense Name - Select one of the following options:
This information should contribute to the name of the offense - Select this option if you want the Event Name information to contribute to the name of the offense.
This information should set or replace the name of the offense - Select this option if you want the configured Event Name to be the name of the offense.
Rule Response
Email - Select this check box to display the e-mail options. By default, the check box is clear.
Enter email addresses to notify - Type the e-mail address(es) to send notification if the event generates. Separate multiple e-mail addresses using a comma.
SNMP Trap - Note: This parameter is only displayed when the SNMP Enabled parameter is enabled in the STRM System Management window. For more information, see Chapter 5 - Setting Up STRM. Select this check box to send an SNMP trap. For an offense rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Juniper Networks MIB. For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"


Table 12-4 Offense Rule Response Window Parameters (continued)

Send to SysLog - Select this check box if you want to log the offense. By default, the check box is clear. For example, the syslog output may resemble: Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
Response Limiter - Select this check box and use the drop-down list boxes to configure the frequency at which you want this rule to respond.
Enable Rule - Select this check box to enable this rule. By default, the check box is selected.

Step 13 Click Next.

The Rule Summary window is displayed.


Step 14 Review the configured rule. Click Finish.
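The Send to SysLog and SNMP Trap responses in Tables 12-3 and 12-4 are shown only as sample output. The following parser is an added example, not part of this guide or of STRM: it turns those three sample formats (the event/flow/common "Rule ... Fired" syslog line, the offense "fired on offense #N" syslog line, and the SNMP notification text) into structured records and tallies firings per rule, which is the kind of view you need when deciding where a Response Limiter is warranted. The sample lines are constructed from the guide's examples, and treating the bare number after the destination address as the IP protocol number is an assumption.

```python
import re
from collections import Counter
from typing import Optional

# Added example (not from the STRM guide or product). Parses the rule-response
# notification formats the guide shows as samples and tallies firings per rule.

# Common tail of a "Rule ... Fired" message: src:port -> dst:port proto, then the
# event fields. Assumption: the bare number after the destination is the IP
# protocol number (6 = TCP in the syslog sample, 1 = ICMP in the SNMP sample).
_FIRED_TAIL = (
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\d+), "
    r"Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*?)"
)
_SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"

# Send to SysLog output of an event, flow or common rule (Table 12-3).
_SYSLOG_RULE_FIRED = re.compile(
    r"^" + _SYSLOG_TS + r" (?P<host>\S+) ECS: Rule '(?P<rule>.+?)' Fired: " + _FIRED_TAIL + r"$"
)
# Send to SysLog output of an offense rule (Table 12-4).
_SYSLOG_OFFENSE = re.compile(
    r"^" + _SYSLOG_TS + r" (?P<host>\S+) ECS: Offense CRE Rule (?P<rule>.+?) "
    r"fired on offense #(?P<offense_id>\d+)$"
)
# Notification text carried in the SNMP trap (Tables 12-3 and 12-4).
_SNMP_NOTIFICATION = re.compile(
    r'^"?(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}), '
    r"QRADAR Custom Rule Engine Notification - Rule '(?P<rule>.+?)' Fired\. "
    + _FIRED_TAIL + r'"?$'
)


def _fired_record(source: str, m) -> dict:
    """Build a structured record from a 'Rule ... Fired' match (syslog or SNMP)."""
    rec = {
        "source": source, "kind": "event_flow_rule", "timestamp": m["ts"], "rule": m["rule"],
        "src_ip": m["src"], "src_port": int(m["sport"]),
        "dst_ip": m["dst"], "dst_port": int(m["dport"]),
        "protocol": int(m["proto"]),  # see the assumption above
        "event_name": m["event_name"], "qid": int(m["qid"]),
        "category": int(m["category"]), "notes": m["notes"],
    }
    if "host" in m.groupdict():  # only the syslog form carries the sending host
        rec["host"] = m["host"]
    return rec


def parse_cre_notification(line: str) -> Optional[dict]:
    """Return a record for a Custom Rule Engine notification, or None for other lines."""
    line = line.strip()
    m = _SYSLOG_RULE_FIRED.match(line)
    if m:
        return _fired_record("syslog", m)
    m = _SNMP_NOTIFICATION.match(line)
    if m:
        return _fired_record("snmp", m)
    m = _SYSLOG_OFFENSE.match(line)
    if m:
        return {"source": "syslog", "kind": "offense_rule", "timestamp": m["ts"],
                "host": m["host"], "rule": m["rule"], "offense_id": int(m["offense_id"])}
    return None


def rule_fire_counts(lines) -> Counter:
    """Count firings per rule name. A rule that dominates the tally is a candidate
    for the Response Limiter or for tightening its tests."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_cre_notification(line)
        if rec is not None:
            counts[rec["rule"]] += 1
    return counts


# Constructed sample lines, modelled on the guide's examples; the sshd line is a
# non-CRE message included to show that it is ignored.
SAMPLE_LINES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59",
    '"Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - '
    "Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP "
    "Destination Unreachable Communication with Destination Host is Administratively "
    'Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"',
    "Sep 28 12:40:12 localhost.localdomain sshd[2231]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_cre_notification(raw))
    print(rule_fire_counts(SAMPLE_LINES))
```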

Creating an Anomaly Detection Rule

Anomaly detection rules perform tests on the results of saved flow or event searches as a means to detect when unusual traffic patterns occur in your network. This rule category includes the following rule types:

Anomaly - An anomaly rule tests event and flow traffic for abnormal activity, such as the existence of new or unknown traffic, traffic that suddenly ceases, or a percentage change in the amount of time an object is active. For example, you can create an anomaly rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response.
Threshold - A threshold rule tests event and flow traffic for activity that is less than, equal to, or greater than a configured threshold, or within a specified range. Thresholds can be based on any data collected by STRM. For example, you can create a threshold rule specifying that no more than 220 clients can log into the server between 8 am and 5 pm. The threshold rule generates an alert when the 221st client attempts to log in.
Behavioral - A behavioral rule tests event and flow traffic for volume changes in behavior that occurs in regular seasonal patterns. For example, if a mail server typically communicates with 100 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second, a behavioral rule generates an alert.

To create a new anomaly detection rule:


Step 1 Click the Log Activity or Network Activity tab.

The Log Activity or Network Activity interface is displayed.


Step 2 Perform a search.

The search results are displayed.

Note: Your search criteria must be aggregated. Anomaly detection rules use all grouping and filter criteria from the saved search criteria, but do not use any time ranges from the search criteria. The Anomaly Detection Rule wizard allows you to apply time range criteria using Date and Time tests. For more information on the search feature, see the STRM Users Guide.
Step 3 From the Rules menu, select the rule type you want to create. Options include:

Add Anomaly Rule
Add Threshold Rule
Add Behavioral Rule

The Rule wizard is displayed.

Note: If you do not want to view the Welcome message on the Rules Wizard window again, select the Skip this page when running the rules wizard check box.
Step 4 Read the introductory text. Click Next.

You are prompted to choose the source from which you want this rule to apply. The default is the rule type you selected in the Network Activity or Log Activity interface.


Step 5 If required, select the rule type you want to apply to the rule. Click Next.

The Rules Test Stack Editor is displayed.


The rule is prepopulated with default test(s). You can edit the default test(s) or add tests to the test stack. At least one Accumulated Property test must be included in the test stack.
Step 6 To add a test to a rule:
a From the Test Group drop-down list box, select the type of test you want to apply to this rule. The list of tests is displayed. For information on tests, see Appendix C - Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test. The selected test(s) are displayed in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded test, click and at the beginning of the test. The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the test. Click the underlined configurable parameter to configure. See Appendix C - Rule Tests.

By default, the rule tests the selected accumulated property for each event/flow group separately. For example, if the selected accumulated value is UniqueCount(sourceIP), the rule tests each unique source IP address for each event/flow group.
Step 7 To test the total selected accumulated properties for each event/flow group, clear the Test the [Selected Accumulated Property] value of each [group] separately check box.
Note: This is a dynamic field. The [Selected Accumulated Property] value depends on what option you select for the this accumulated property test field. For information on tests, see Appendix C - Rule Tests. The [group] value depends on the grouping options specified in the saved search criteria. If multiple grouping options are included, the text may be truncated. Move your mouse pointer over the text to view all groups.
Step 8 In the enter rule name here field, type a unique name you want to assign to this rule.

Step 9 In the groups area, select the check box(es) of the groups to which you want to assign this rule. For more information on grouping rules, see Grouping Rules.

Step 10 In the Notes field, type any notes you want to include for this rule. Click Next.

The Rule Responses window is displayed, which allows you to configure the action STRM takes when the event or flow sequence is detected.


Step 11 Configure the parameters:

Table 12-5 Anomaly Detection Rule Response Window Parameters

Rule Response

Dispatch New Event - Specifies that this rule dispatches a new event in addition to the original event or flow, which is processed like all other events in the system. By default, the check box is selected and cannot be cleared.

Event Name - Type the unique name of the event you want to be displayed in the Offenses interface.

Event Description - Type a description for the event. The description is displayed in the Annotations section of the event details.


Offense Naming - Select one of the following options:

This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).

This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).

This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s). This is the default.

Severity - Using the drop-down list box, select the severity for the event. The range is 0 (lowest) to 10 (highest) and the default is 5. The severity is displayed in the Annotations section of the event details. For more information about severity, see the STRM Users Guide.

Credibility - Using the drop-down list box, select the credibility of the event. The range is 0 (lowest) to 10 (highest) and the default is 5. Credibility is displayed in the Annotations section of the event details. For more information about credibility, see the STRM Users Guide.

Relevance - Using the drop-down list box, select the relevance of the event. The range is 0 (lowest) to 10 (highest) and the default is 5. Relevance is displayed in the Annotations section of the event details. For more information about relevance, see the STRM Users Guide.

High-Level Category - From the drop-down list box, select the high-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E - Event Categories.

Low-Level Category - From the drop-down list box, select the low-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E - Event Categories.

Annotate this offense - Select this check box to add an annotation to this offense and type the annotation.


Ensure the dispatched event is part of an offense - As a result of this rule, the event is forwarded to the Magistrate component. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to it. This parameter is enabled by default. The following options are displayed:

Index offense based on - Specifies that the new offense is indexed on event name. This parameter is enabled by default.

Include detected events by Event Name from this point forward, for second(s), in the offense - Select this check box and type the number of seconds for which you want detected events or flows from the source to be included in the offense in the Offenses interface.

Email - Select this check box to display the e-mail options. By default, the check box is clear.

Enter email addresses to notify - Type the e-mail address(es) to which notification is sent if this rule generates a response. Separate multiple e-mail addresses using a comma.

SNMP Trap - This parameter is only displayed when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 5 - Setting Up STRM. Select this check box to send an SNMP trap. The SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A - Juniper Networks MIB. For example, the SNMP notification may resemble:

"Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"


Send to SysLog - Select this check box if you want to log the event or flow. By default, the check box is clear. For example, the syslog output may resemble:

Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description

Notify - Select this check box if you want events that generate as a result of this rule to be displayed in the System Notifications item in the Dashboard interface. For more information on the Dashboard interface, see the STRM Users Guide.

Note: If you enable notifications, we recommend that you configure the Response Limiter parameter.


Add to Reference Set - The Rules interface allows you to create rules to import event and flow data into a reference set. A reference set is a set of data, such as a list of IP addresses. Once you have created a reference set, you can create rules to detect when log or network activity associated with the reference set occurs on your network. Select this check box if you want events that generate as a result of this rule to add data to a reference set. To add data to a reference set:

1 Using the first drop-down list box, select the data you want to add. Options include all normalized or custom data.

2 Using the second drop-down list box, select the reference set to which you want to add the specified data.

The Add to Reference Set rule response provides the following functions:

New - Allows you to add a new reference set. Once you click New, you must configure the following:

Name - Type a unique name for the reference set.

Type - From the drop-down list box, select the data type. Options include String, Numeric, IP, and Port.

Maximum number of elements - Type the maximum number of data elements you want to store in this reference set. The default is 10,000 and the maximum is 500,000.

Edit - Click Edit to edit the reference set name and maximum number of data elements for the selected reference set.

Delete - Click Delete to delete the reference set.

Purge - Click Purge to delete the contents of the reference set while maintaining the reference set.


Hint: You can create a reference set to contain data derived from an external file. For example, you can create a reference set to retain data about terminated employees. First, you would create a log source extension document to import a text file containing terminated employee data, such as IP addresses and usernames. Then, using the Custom Rule Wizard, create a reference set specifying which data you want to retain from the external file. Once the reference set is created, you create a rule that generates a response when a reference set element, such as the IP address of a terminated employee, is detected on your network. For more information on log source extension documents, see the Log Sources User Guide.

Response Limiter - Select this check box and use the drop-down list boxes to configure the frequency with which you want this rule to respond.

Enable Rule - Select this check box to enable this rule. By default, the check box is selected.
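The reference set controls above (Type, Maximum number of elements, Purge) and the hint's terminated-employee rule, as an added example that is not the STRM implementation. The employee file format, the event records, the field names and the refuse-when-full behaviour are assumptions of this example.

```python
"""Added example (not from the STRM guide): a reference set with the Type and
Maximum number of elements settings, and the rule test from the hint (source
IP or username is in the terminated-employees set).  The employee file format,
the event records and the behaviour when the set is full are assumptions."""
import ipaddress
from typing import Iterable, List, Set

VALID_TYPES = ("String", "Numeric", "IP", "Port")


class ReferenceSet:
    """Typed set of elements with a capacity, mirroring New/Edit/Purge."""

    def __init__(self, name: str, type_: str, max_elements: int = 10_000) -> None:
        if type_ not in VALID_TYPES:
            raise ValueError(f"type must be one of {VALID_TYPES}")
        if not 1 <= max_elements <= 500_000:
            raise ValueError("maximum number of elements must be 1..500,000")
        self.name, self.type, self.max_elements = name, type_, max_elements
        self._elements: Set = set()

    def normalize(self, value):
        """Canonical form per type; raises ValueError for values that do not fit."""
        if self.type == "IP":
            return str(ipaddress.ip_address(str(value).strip()))
        if self.type == "Port":
            port = int(value)
            if not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            return port
        if self.type == "Numeric":
            return float(value)
        return str(value).strip()

    def add(self, value) -> bool:
        """Add one element; return False (and drop it) when the set is full."""
        element = self.normalize(value)
        if element in self._elements:
            return True
        if len(self._elements) >= self.max_elements:
            return False            # assumed: refuse rather than evict
        self._elements.add(element)
        return True

    def contains(self, value) -> bool:
        try:
            return self.normalize(value) in self._elements
        except ValueError:          # e.g. a hostname tested against an IP set
            return False

    def purge(self) -> None:
        """Purge: empty the set but keep its definition."""
        self._elements.clear()

    def __len__(self) -> int:
        return len(self._elements)


def load_terminated(text: str, ips: ReferenceSet, users: ReferenceSet) -> int:
    """Load 'username,ip' lines (constructed format) into two reference sets."""
    loaded = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, ip = (p.strip() for p in line.split(",", 1))
        loaded += users.add(user) + ips.add(ip)
    return loaded


def match_events(events: Iterable[dict], ips: ReferenceSet,
                 users: ReferenceSet) -> List[dict]:
    """Rule test: fire when the event's source IP or username is in a set."""
    return [e for e in events
            if ips.contains(e.get("sourceip", ""))
            or users.contains(e.get("username", ""))]


# constructed sample data
TERMINATED_FILE = """# username,ip
jdoe,10.1.2.3
asmith,10.1.2.4
"""
SAMPLE_EVENTS = [
    {"sourceip": "10.1.2.3", "username": "svc-backup", "event": "Login Success"},
    {"sourceip": "10.9.9.9", "username": "asmith", "event": "VPN Connect"},
    {"sourceip": "10.9.9.10", "username": "bob", "event": "Login Success"},
    {"sourceip": "not-an-ip", "username": "carol", "event": "Login Failure"},
]


def run_sample() -> List[str]:
    ips = ReferenceSet("Terminated IPs", "IP", max_elements=100)
    users = ReferenceSet("Terminated Users", "String", max_elements=100)
    load_terminated(TERMINATED_FILE, ips, users)
    return [e["username"] for e in match_events(SAMPLE_EVENTS, ips, users)]


if __name__ == "__main__":
    print(run_sample())   # users on events that touched a terminated employee
```

The typed normalization matters more than it looks: an IP set that stored raw strings would miss "010.1.2.3" or an IPv6 address written with different zero compression, and a Port set without range checking would happily hold values no packet can carry.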

Step 12 Click Next.

The Rule Summary window is displayed.


Step 13 Review the configured rule. Click Finish.
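A parser for the two notification strings shown in Table 12-5 (Send to SysLog and SNMP Trap), as an added example that is not part of the STRM guide. The two sample lines are the table's own; the transport detection, the returned field names and the protocol-number table are assumptions of this example.

```python
"""Added example (not from the STRM guide): parse the rule-fired notification
text that the Send to SysLog and SNMP Trap responses emit.  The two sample
lines are copied from Table 12-5; the field names of the returned dict and
the protocol-number table are this example's own assumptions."""
import ipaddress
import re
from typing import Dict

# Body shared by both the syslog line and the SNMP notification text:
#   Rule '<name>' Fired<: or .> <src>:<sport> -> <dst>:<dport> <proto>,
#   Event Name: <name>, QID: <n>, Category: <n>, Notes: <text>
BODY = re.compile(
    r"Rule '(?P<rule>.*?)' Fired[:.]\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\d+),\s+Event Name:\s+(?P<event>.*?),\s+QID:\s+(?P<qid>\d+),\s+"
    r"Category:\s+(?P<category>\d+),\s+Notes:\s*(?P<notes>.*)$"
)
SYSLOG_HEAD = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+ECS:\s+"
)
SNMP_HEAD = re.compile(
    r"^(?P<timestamp>.+?),\s+QRADAR Custom Rule Engine Notification\s+-\s+"
)
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # assumed subset of IANA numbers


def parse_rule_fired(line: str) -> Dict[str, object]:
    """Return the fields of one rule-fired notification, or raise ValueError."""
    line = line.strip().strip('"')
    for transport, head in (("syslog", SYSLOG_HEAD), ("snmp", SNMP_HEAD)):
        h = head.match(line)
        if h:
            break
    else:
        raise ValueError(f"not a rule-fired notification: {line[:60]!r}")
    b = BODY.match(line, h.end())
    if not b:
        raise ValueError(f"unrecognised body: {line[h.end():][:60]!r}")
    proto = int(b["proto"])
    return {
        "transport": transport,
        "timestamp": h["timestamp"],
        "host": h.groupdict().get("host"),           # only the syslog form has a host
        "rule": b["rule"],
        "src": str(ipaddress.ip_address(b["src"])),  # raises on a malformed address
        "sport": int(b["sport"]),
        "dst": str(ipaddress.ip_address(b["dst"])),
        "dport": int(b["dport"]),
        "proto": proto,
        "proto_name": IP_PROTOCOLS.get(proto, str(proto)),
        "event": b["event"],
        "qid": int(b["qid"]),
        "category": int(b["category"]),
        "notes": b["notes"],
    }


# Sample lines from Table 12-5 (the SNMP one is the notification text only).
SYSLOG_SAMPLE = ("Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
                 "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
                 "QID: 1000398, Category: 1011, Notes: Event description")
SNMP_SAMPLE = ("Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - "
               "Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: "
               "ICMP Destination Unreachable Communication with Destination Host is "
               "Administratively Prohibited, QID: 1000156, Category: 1014, "
               "Notes: Offense description")

if __name__ == "__main__":
    for sample in (SYSLOG_SAMPLE, SNMP_SAMPLE):
        print(parse_rule_fired(sample))
```

The event name is matched non-greedily up to the literal ", QID:" so that commas inside a long event name do not break the parse, and Notes is taken to end of line because it is free text typed by the rule author; anything downstream that keys on these strings should treat them as untrusted input.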

Managing Rules

Using the Rules feature in the Offenses interface, you can manage custom and anomaly rules. This section provides information on managing rules, including:

Enabling/Disabling Rules
Editing a Rule
Copying a Rule
Deleting a Rule

Note: The anomaly detection functionality in the Log Activity and Network Activity interfaces only allows you to create anomaly detection rules. To manage default and previously created anomaly detection rules, you must use the Offenses interface.


Enabling/Disabling Rules

To enable or disable a rule:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.


Step 2 In the navigation menu, click Rules.

The rules interface is displayed.


Step 3 From the Display drop-down list box, select Rules.

The list of deployed rules is displayed.


Step 4 Select the rule you want to enable or disable.

For more information on each rule, see Appendix B - Enterprise Template.


Step 5 From the Actions drop-down list box, select Enable/Disable.

The Enabled column indicates the status.

Editing a Rule

To edit a rule:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation bar, click Rules.

Step 3 From the Display drop-down list box, select Rules.

Step 4 Select the rule you want to edit.

Step 5 From the Actions drop-down list box, select Edit.

The selected rule is displayed.

Step 6 Edit the parameters. See Table 12-1.

Step 7 Click Next.

The Rule Response window is displayed.


Step 8 Edit the parameters:

See Table 12-3 for event, flow, or common rule parameters.
See Table 12-4 for offense rule parameters.
See Table 12-5 for anomaly detection rule parameters.

Step 9 Click Next.

The Rule Summary window is displayed.


Step 10 Review the edited rule. Click Finish.

Copying a Rule

To copy a rule:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation bar, click Rules.

Step 3 From the Display drop-down list box, select Rules.

Step 4 Select the rule you want to duplicate.

Step 5 From the Actions drop-down list box, select Duplicate.

Step 6 In the Enter name for the copied rule field, type a name for the new rule. Click OK.

The duplicated rule is displayed.

Step 7 From the Actions drop-down list box, select Edit.

Step 8 Edit the rule. For more information on editing the rule, see Editing a Rule.

Deleting a Rule

To delete a rule:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation bar, click Rules.

Step 3 From the Display drop-down list box, select Rules.

Step 4 Select the rule you want to delete.

Step 5 From the Actions drop-down list box, select Delete.

Grouping Rules

You can group and view your rules and building blocks based on your chosen criteria. Categorizing your rules or building blocks into groups allows you to efficiently view and track your rules. For example, you can view all rules related to compliance. By default, the Rules interface displays all rules and building blocks. As you create new rules, you can assign the rule to an existing group. For information on assigning a group using the rule wizard, see Creating a Custom Rule or Creating an Anomaly Detection Rule.

Note: You must have administrative access to create, edit, or delete groups. For more information on user roles, see Chapter 2 - Managing Users.

This section provides information on grouping rules and building blocks, including:

Viewing Groups
Creating a Group
Editing a Group
Copying an Item to Another Group(s)
Deleting an Item from a Group
Assigning an Item to a Group


Viewing Groups

To view rules or building blocks using groups:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 From the Display drop-down list box, select whether you want to view Rules or Building Blocks.

Step 4 From the Filter drop-down list box, select the group category you want to view.

The list of items assigned to that group is displayed.

Creating a Group

To create a group:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups.

The Group window is displayed.

Step 4 From the menu tree, select the group under which you want to create a new group.

Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree items.

Step 5 Click New Group.

The Group Properties window is displayed.


Step 6 Enter values for the parameters:

Name - Type a unique name to assign to the new group. The name can be up to 255 characters in length.

Description - Type a description you want to assign to this group. The description can be up to 255 characters in length.

Step 7 Click OK.

Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.

Step 9 Close the Group window.

Editing a Group

To edit a group:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups.

The Group window is displayed.

Step 4 From the menu tree, select the group you want to edit.

Step 5 Click Edit.

The Group Properties window is displayed.

Step 6 Update values for the parameters, as necessary:

Name - Type a unique name to assign to the group. The name can be up to 255 characters in length.

Description - Type a description you want to assign to this group. The description can be up to 255 characters in length.

Step 7 Click OK.

Step 8 If you want to change the location of the group, click the group and drag the folder to the desired location in your menu tree.

Step 9 Close the Group window.


Copying an Item to Another Group(s)

Using the groups functionality, you can copy a rule or building block to one or many groups. To copy a rule or building block:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups.

The Group window is displayed.

Step 4 From the menu tree, select the rule or building block you want to copy to another group.

Step 5 Click Copy.

The Choose Group window is displayed.

Step 6 Select the check box for the group(s) to which you want to copy the rule or building block.

Step 7 Click Copy.

Step 8 Close the Group window.

Deleting an Item from a Group

To delete a rule or building block from a group:

Note: Deleting an item from a group removes it from that group only; the rule or building block is not deleted from the Rules interface.

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups.

The Group window is displayed.

Step 4 From the menu tree, select the top level group.

Step 5 From the list of items, select the rule or building block you want to remove from the group.

Step 6 Click Remove.

A confirmation window is displayed.

Step 7 Click OK.

Step 8 Close the Group window.

Assigning an Item to a Group

To assign a rule or building block to a group:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.

Step 2 In the navigation menu, click Rules.

Step 3 Select the rule or building block you want to assign to a group.

Step 4 From the Actions drop-down list box, select Assign Groups.

The Choose Group window is displayed.

Step 5 Click Assign Groups.

Editing Building Blocks

Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that excludes the IP addresses of all mail servers in your deployment from the rule. For more information on the default building blocks, see Appendix B - Enterprise Template.

To edit a building block:

Step 1 Click the Offenses tab.

The Offenses interface is displayed.


Step 2 In the navigation menu, click Rules.

The Rules window is displayed.


Step 3 From the Display drop-down list box, select Building Blocks.

The Building Blocks are displayed.


Step 4 Double-click the building block you want to edit.

The Custom Rules Wizard is displayed.


Step 5 Update the building block, as necessary. Click Next.

Step 6 Continue through the wizard. For more information, see Creating a Custom Rule.

The Rule Summary is displayed.

Step 7 Click Finish.


12

DISCOVERING SERVERS

The Server Discovery function uses STRM's Asset Profile database to discover different server types based on port definitions, and then allows you to select which servers to add to a server-type building block for rules. This feature makes the discovery and tuning process simpler and faster by providing a quick mechanism to insert servers into building blocks. The Server Discovery function is based on server-type building blocks. Ports are used to define the server type, so that the server-type building block essentially functions as a port-based filter when searching the Asset Profile database. For more information on building blocks, see Chapter 11 - Configuring Rules.

To discover servers:
Step 1 Click the Assets tab.

The Assets interface is displayed.


Step 2 In the navigation menu, click Server Discovery.

The Server Discovery panel is displayed.


Step 3 From the Server Type drop-down list box, select the server type you want to discover.

Step 4 Select the option to determine the servers you want to discover, including:

All - Search all servers in your deployment with the currently selected Server Type.
Assigned - Search servers in your deployment that have been previously assigned to the currently selected Server Type.
Unassigned - Search servers in your deployment that have not been previously assigned.

Step 5 From the Network drop-down list box, select the network you want to search.

Step 6 Click Discover Servers.

The discovered servers are displayed.


Step 7 In the Matching Servers table, select the check box(es) of all servers you want to assign to the server role.

Note: If you want to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard is displayed. For more information on the rules wizard, see Chapter 11 - Configuring Rules.
Step 8 Click Approve Selected Servers.


13

FORWARDING SYSLOG DATA

STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/Event Processor basis and you can configure multiple forwarding destinations. Also, STRM ensures that all data that is forwarded is unaltered. This chapter includes:

Adding a Syslog Destination
Editing a Syslog Destination
Delete a Syslog Destination

Adding a Syslog Destination

To add a syslog forwarding destination:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 3 Click the Syslog Forwarding Destinations icon.

The Syslog Forwarding Destinations window is displayed.

Step 4 Click Add.

The Syslog Forwarding Destinations window is displayed.


Step 5 Enter values for the parameters:

Forwarding Event Collector - From the drop-down list box, select the deployed Event Collector from which you want to forward log data.

IP - Type the IP address of the system to which you want to forward log data.

Port - Type or select the port number on the system to which you want to forward log data.

Step 6 Click Save.

Editing a Syslog Destination

To edit a syslog forwarding destination:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Syslog Forwarding Destinations icon.

The Syslog Forwarding Destinations window is displayed.


Step 4 Select the entry you want to edit.

Step 5 Click Edit.

The Syslog Forwarding Destinations window is displayed.

Step 6 Update values, as necessary:

Forwarding Event Collector - From the drop-down list box, select the deployed Event Collector from which you want to forward log data.

IP - Type the IP address of the system to which you want to forward log data.

Port - Type or select the port number on the system to which you want to forward log data.

Step 7 Click Save.


Delete a Syslog Destination

To delete a syslog forwarding destination:


Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.


Step 3 Click the Syslog Forwarding Destinations icon.

The Syslog Forwarding Destinations window is displayed.


Step 4 Select the entry you want to delete.

Step 5 Click Delete.

A confirmation window is displayed.


Step 6 Click OK.


JUNIPER NETWORKS MIB

This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212.

Note: For assistance with the Juniper Networks MIB, please contact Juniper Networks Customer Support.

The Juniper Networks MIB includes:
Q1LABS-MIB DEFINITIONS ::= BEGIN IMPORTS OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32, Opaque, enterprises, Counter32 FROM SNMPv2-SMI DisplayString FROM SNMPv2-TC; q1Labs MODULE-IDENTITY LAST-UPDATED "200804110000Z" ORGANIZATION "Q1 Labs Inc" CONTACT-INFO " 890 Winter Street Suite 230 Waltham, MA 02451 USA Phone: 781-250-5800 email: [email protected] " DESCRIPTION "Q1 Labs MIB Definition" ::= { enterprises 20212 } notifications properties customProperties OBJECT IDENTIFIER ::= { q1Labs 1 } OBJECT IDENTIFIER ::= { q1Labs 2 } OBJECT IDENTIFIER ::= { q1Labs 3 }

STRM Administration Guide

JUNIPER NETWORKS MIB

-- Notifications eventCRENotification NOTIFICATION-TYPE STATUS current DESCRIPTION "QRADAR's Event CRE Notification" ::= { notifications 1 } offenseCRENotification NOTIFICATION-TYPE STATUS current DESCRIPTION "QRADAR's Offense CRE Notification" ::= { notifications 2 } -- Properties -- Misc Properties localHostAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "IP address of the local machine where the notification originated" ::= { properties 1 } timeString OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Time offense was created or time the event rule fired. Example 'Mon Apr 28 10:14:49 GMT 2008'" ::= { properties 2 } timeInMillis OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Time offense was created or time the event rule fired in milliseconds" ::= { properties 3 } -- Offense Properties offenseID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense ID" ::= { properties 4 }
STRM Administration Guide

offenseName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..256)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Name of the Offense" ::= { properties 5 } offenseDescription OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Description of the Offense" ::= { properties 6 } offenseLink OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "HTTP link to the offense" ::= { properties 7 } magnitude OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense magnitude" ::= { properties 8 } severity OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense severity" ::= { properties 9 } creditibility OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense creditibility" ::= { properties 10 } relevance OBJECT-TYPE SYNTAX Integer32
STRM Administration Guide

JUNIPER NETWORKS MIB

MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense relevance" ::= { properties 11 } -- Attacker Properties attackerIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Attacker IP" ::= { properties 12 } attackersUserName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Attacker's User Name" ::= { properties 13 } attackerCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Attackers" ::= { properties 14 } top5AttackerIPs OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)" ::= { properties 15 } topAttackerIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Attacker IPs" ::= { properties 16 } top5AttackerUsernames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify
STRM Administration Guide

STATUS current DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)" ::= { properties 48 } topAttackerUsername OBJECT-TYPE SYNTAX DisplayString (SIZE(0..32)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Attacker IPs" ::= { properties 49 } attackerNetworks OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Attacker Networks(comma separated)" ::= { properties 17 } -- Target Properties targetIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Target IP" ::= { properties 18 } targetsUserName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Target's User Name" ::= { properties 19 } targetCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Targets" ::= { properties 20 } top5TargetIPs OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current
STRM Administration Guide

JUNIPER NETWORKS MIB

DESCRIPTION "Top 5 Target IPs by Magnitude" ::= { properties 21 } topTargetIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Target" ::= { properties 22 } top5TargetUsernames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top 5 Target IPs by Magnitude" ::= { properties 50 } topTargetUsername OBJECT-TYPE SYNTAX DisplayString (SIZE(0..32)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Target" ::= { properties 51 } targetNetworks OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Target Networks(comma separated)" ::= { properties 23 } -- Category properties categoryCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Categories" ::= { properties 24 } top5Categories OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top 5 Categories(comma separated)"
STRM Administration Guide

::= { properties 25 } topCategory OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Category" ::= { properties 26 } categoryID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Category ID of Event that triggered the Event CRE Rule" ::= { properties 27 } category OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Category of the Event that triggered the Event CRE Rule" ::= { properties 28 } -- Annontation Properties annotationCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Annotations" ::= { properties 29 } topAnnotation OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Annotation" ::= { properties 30 } -- Rule Properties ruleCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify

STRM Administration Guide

JUNIPER NETWORKS MIB

STATUS current DESCRIPTION "Total Number of Rules contained in the Offense" ::= { properties 31 } ruleNames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Names of the Rules that contributed to the Offense(comma separated)" ::= { properties 32 } ruleID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "ID of the Rule that was triggered in the CRE" ::= { properties 33 } ruleName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..256)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Name of the Rules that was triggered in the CRE" ::= { properties 34 } ruleDescription OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Description/Notes of the Rules that was triggered in the CRE" ::= { properties 35 } -- Event Properties eventCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Events contained in the Offense" ::= { properties 36 }


eventID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
    ::= { properties 37 }

qid OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
    ::= { properties 38 }

eventName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Event that triggered the Event CRE Rule"
    ::= { properties 39 }

eventDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description/Notes of the Event that triggered the Event CRE Rule"
    ::= { properties 40 }

-- IP Properties

sourceIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source IP of the Event that triggered the Event CRE Rule"
    ::= { properties 41 }

sourcePort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify


    STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
    ::= { properties 42 }

destinationIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination IP of the Event that triggered the Event CRE Rule"
    ::= { properties 43 }

destinationPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"
    ::= { properties 44 }

protocol OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule"
    ::= { properties 45 }

attackerPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
    ::= { properties 46 }

targetPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"
    ::= { properties 47 }


-- =====================
-- *** Obsolete OIDs ***
-- =====================

q1NotificationData OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Notification Data"
    ::= { q1Labs 100 }

q1Notifications OBJECT IDENTIFIER ::= { q1Labs 200 }

q1CRENotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "QRADAR Custom Rule Engine Notification"
    ::= { q1Notifications 0 }

q1EventRuleNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by a QRadar Custom Event Rule"
    ::= { q1Notifications 1 }

q1OffenseRuleNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by a QRadar Custom Offense Rule"
    ::= { q1Notifications 2 }

q1SentryNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by a QRadar Sentry"
    ::= { q1Notifications 3 }

END
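Every property object above is `accessible-for-notify`, so these values only ever reach a receiver as varbinds inside a trap, and the receiver has to map the numeric sub-identifiers back to the MIB names and check each value against the declared SYNTAX before feeding it to anything downstream. The following added example (not part of the guide and not Juniper's code) does exactly that for the objects defined in this excerpt. It assumes a base OID for the `properties` node (PROPERTIES_BASE), because this excerpt does not show where `properties` hangs in the tree; set it from your installed MIB. The trap contents are constructed, not a real capture.

```python
"""Decode STRM CRE trap varbinds using the `properties` sub-identifiers.

Added example, not part of the STRM guide or Juniper's code. PROPERTIES_BASE
is an assumption: the MIB excerpt never shows where `properties` hangs in the
tree, so set it from your installed MIB.
"""
import ipaddress
from dataclasses import dataclass, field

PROPERTIES_BASE = "1.3.6.1.4.1.20212.1"  # assumed; replace with the real OID

# sub-id -> (name, kind, max_len), copied from the OBJECT-TYPE definitions in
# this excerpt (properties 26 .. 47). Integer32 and IpAddress carry no SIZE.
PROPERTY_TABLE = {
    26: ("topCategory", "str", 64),        27: ("categoryID", "int", None),
    28: ("category", "str", 64),           29: ("annotationCount", "int", None),
    30: ("topAnnotation", "str", 1024),    31: ("ruleCount", "int", None),
    32: ("ruleNames", "str", 1024),        33: ("ruleID", "int", None),
    34: ("ruleName", "str", 256),          35: ("ruleDescription", "str", 1024),
    36: ("eventCount", "int", None),       37: ("eventID", "int", None),
    38: ("qid", "int", None),              39: ("eventName", "str", 256),
    40: ("eventDescription", "str", 1024), 41: ("sourceIP", "ip", None),
    42: ("sourcePort", "int", None),       43: ("destinationIP", "ip", None),
    44: ("destinationPort", "int", None),  45: ("protocol", "int", None),
    46: ("attackerPort", "int", None),     47: ("targetPort", "int", None),
}


@dataclass
class DecodedTrap:
    fields: dict = field(default_factory=dict)   # name -> checked value
    unknown: list = field(default_factory=list)  # OIDs not in the table
    errors: list = field(default_factory=list)   # values violating SYNTAX


def _check(name, kind, max_len, raw):
    """Coerce `raw` to the MIB SYNTAX or raise ValueError."""
    if kind == "int":
        value = int(raw)
        if not -2**31 <= value < 2**31:
            raise ValueError(f"{name}: {value} is outside Integer32")
        return value
    if kind == "ip":
        return str(ipaddress.IPv4Address(raw))  # IpAddress is IPv4 only
    text = str(raw)
    octets = len(text.encode())
    if octets > max_len:
        raise ValueError(f"{name}: {octets} octets exceeds SIZE(0..{max_len})")
    return text


def decode_trap(varbinds, base=PROPERTIES_BASE):
    """varbinds: iterable of (dotted OID string, value) pairs from one trap."""
    out = DecodedTrap()
    prefix = base + "."
    for oid, raw in varbinds:
        tail = oid[len(prefix):] if oid.startswith(prefix) else ""
        if tail.endswith(".0"):          # agents often append the scalar instance
            tail = tail[:-2]
        if not tail.isdigit() or int(tail) not in PROPERTY_TABLE:
            out.unknown.append(oid)      # keep, but never trust, foreign varbinds
            continue
        name, kind, max_len = PROPERTY_TABLE[int(tail)]
        try:
            out.fields[name] = _check(name, kind, max_len, raw)
        except ValueError as exc:
            out.errors.append(str(exc))
    # ruleNames is documented as comma separated; expose it as a list as well
    if "ruleNames" in out.fields:
        out.fields["ruleNameList"] = [
            n.strip() for n in out.fields["ruleNames"].split(",") if n.strip()]
    return out


# Constructed varbinds standing in for one received trap (not a real capture).
SAMPLE_VARBINDS = [
    ("1.3.6.1.2.1.1.3.0", "123456"),                       # sysUpTime: not ours
    (PROPERTIES_BASE + ".41.0", "10.0.0.5"),
    (PROPERTIES_BASE + ".42.0", "51234"),
    (PROPERTIES_BASE + ".43.0", "192.0.2.10"),
    (PROPERTIES_BASE + ".44.0", "22"),
    (PROPERTIES_BASE + ".45.0", "6"),
    (PROPERTIES_BASE + ".32.0",
     "Authentication: Repeat Non-Windows Login Failures, Exploit: Recon followed by Exploit"),
    (PROPERTIES_BASE + ".34.0", "x" * 300),                # breaks SIZE(0..256)
]

if __name__ == "__main__":
    decoded = decode_trap(SAMPLE_VARBINDS)
    print(decoded.fields)
    print("unknown:", decoded.unknown, "errors:", decoded.errors)
```

A value that violates its SYNTAX is recorded in `errors` rather than silently truncated, and the field is left out of `fields`: a trap with an over-long ruleName is either a misbehaving agent or something pretending to be one, and a receiver that trims and carries on cannot tell the two apart.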


ENTERPRISE TEMPLATE

The Enterprise template includes settings with an emphasis on internal network activity. This appendix provides the default rules and building blocks for the Enterprise template, including:

- Default Rules
- Default Building Blocks

Default Rules
Table B-1 Default Rules

Default rules for the Enterprise template include:

Anomaly: Devices with High Event Rates
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices are monitored, edit the BB:DeviceDefinition: Devices to Monitor for High Event Rates BB.

Anomaly: DMZ Jumping
    Group: Anomaly. Rule Type: Common. Enabled: False.
    Reports when connections are bridged across your network's Demilitarized Zone (DMZ).

Anomaly: DMZ Reverse Tunnel
    Group: Anomaly. Rule Type: Common. Enabled: False.
    Reports when connections are bridged across your network's DMZ through a reverse tunnel.

Anomaly: Excessive Database Connections
    Group: Anomaly. Rule Type: Event. Enabled: True.
    Reports an excessive number of successful database connections.

Anomaly: Excessive Firewall Accepts Across Multiple Hosts
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports excessive firewall accepts across multiple hosts: more than 100 events detected across at least 100 unique destination IP addresses in 5 minutes.

Anomaly: Excessive Firewall Accepts Across Multiple Sources to a Single Destination
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports excessive firewall accepts from multiple hosts to a single destination: more than 100 firewall accepts across more than 100 source IP addresses within 5 minutes.

Anomaly: Excessive Firewall Denies from Single Source
    Group: Anomaly. Rule Type: Event. Enabled: True.
    Reports excessive firewall denies from a single host: more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.


Anomaly: Long Duration Flow Involving a Remote Host
    Group: Anomaly. Rule Type: Flow. Enabled: True.
    Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours.

Anomaly: Long Duration ICMP Flows
    Group: Anomaly. Rule Type: Flow. Enabled: False.
    Reports a flow communicating using ICMP with a sustained duration of more than 60 minutes.

Anomaly: Outbound Connection to a Foreign Country
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries with no Remote Access BB.

Anomaly: Potential Honeypot Access
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports an event that has a source or destination IP address defined as a honeypot or tarpit address. Before enabling this rule, you must configure the BB:HostDefinition: Honeypot like addresses BB.

Anomaly: Remote Access from Foreign Country
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries with no Remote Access BB.

Anomaly: Remote Inbound Communication from a Foreign Country
    Group: Anomaly. Rule Type: Flow. Enabled: False.
    Reports a flow communicating from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries with no Remote Access BB.

Anomaly: Single IP with Multiple MAC Addresses
    Group: Anomaly. Rule Type: Event. Enabled: False.
    Reports when the MAC address of a single IP address changes multiple times over a period of time.

Authentication: Login Failure to Disabled Account
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports a host login failure message from a disabled user account. If the user is no longer a member of your organization, we recommend that you investigate any other authentication messages received from the same user.

Authentication: Login Failure to Expired Account
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other authentication messages received from the same user.

Authentication: Login Failures Followed By Success to the same Destination IP
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports multiple login failures to a single destination IP address, followed by a successful login to that destination IP address.


Authentication: Login Failures Followed By Success From Single Source IP
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports multiple login failures from a single source IP address, followed by a successful login.

Authentication: Login Failures Followed By Success to the same Username
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports multiple login failures followed by a successful login by the same user.

Authentication: Login Successful After Scan Attempt
    Group: Authentication. Rule Type: Common. Enabled: True.
    Reports a successful login to a host after reconnaissance has been detected on the network.

Authentication: Multiple Login Failures for Single Username
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports authentication failures for the same username.

Authentication: Multiple Login Failures from the Same Source
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports authentication failures from the same source IP address to more than three destination IP addresses, more than ten times within 5 minutes.

Authentication: Multiple Login Failures to the Same Destination
    Group: Authentication. Rule Type: Event. Enabled: True.
    Reports authentication failures to the same destination IP address from more than ten source IP addresses, more than ten times within 10 minutes.

Authentication: Multiple VoIP Login Failures
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports multiple login failures to a VoIP PBX host.

Authentication: No Activity for 60 Days
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports when the configured user(s) have not logged in to the host for over 60 days.

Authentication: Possible Shared Accounts
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports when an account is shared. We recommend that you add system accounts, such as root and admin, to the rule's negative test "and NOT when the event username matches the following".

Authentication: Repeat Non-Windows Login Failures
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports when a source IP address causes an authentication failure event at least seven times to a single destination IP address within 5 minutes.

Authentication: Repeat Windows Login Failures
    Group: Authentication. Rule Type: Event. Enabled: False.
    Reports when a source IP address causes an authentication failure event at least nine times to a single Windows host within 1 minute.

Botnet: Local Host on Botnet CandC List (SRC)
    Group: Botnet. Rule Type: Common. Enabled: True.
    Reports when a source IP address is on the list of known Botnet CandC hosts.

Botnet: Local host on Botnet CandC List (DST)
    Group: Botnet. Rule Type: Common. Enabled: True.
    Reports when a local destination IP address is on the list of known Botnet CandC hosts.

Botnet: Potential Botnet Connection (DNS)
    Group: Botnet. Rule Type: Common. Enabled: False.
    Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet.


Botnet: Potential Botnet Events Become Offenses
    Group: Botnet. Rule Type: Event. Enabled: True.
    Enable this rule if you want all events categorized as botnet activity to create an offense.

Botnet: Potential connection to known Botnet CandC
    Group: Botnet. Rule Type: Common. Enabled: True.
    Reports when a potential connection to a known BotNet CandC host is detected. To reduce false positive offenses, connections on ports 25 and 53 are excluded from the rule.

Botnet: Successful Inbound Connection from a Known Botnet CandC
    Group: Botnet. Rule Type: Common. Enabled: True.
    Reports when a successful inbound connection from a BotNet CandC host is detected.

Policy: Remote: IRC Connections
    Group: Botnet, Policy. Rule Type: Common. Enabled: True.
    Reports a local host issuing an excessive number of IRC connections to the Internet.

Compliance: Auditing Services Stopped on Compliance Host
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports when auditing services are stopped on a compliance host. Before enabling this rule, define the hosts in the compliance definition BBs and verify that the "audit service stopped" events for your hosts are in the BB:CategoryDefinition: Auditing Stopped building block.

Compliance: Compliance Events Become Offenses
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports compliance-based events, such as clear text passwords.

Compliance: Configuration Change Made to Device in Compliance network
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports a configuration change made to a device in the compliance network. Before you enable this rule, edit the device list to include the devices you want reported.

Compliance: Excessive Failed Logins to Compliance IS
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports excessive authentication failures to a compliance server within 10 minutes.

Compliance: Multiple Failed Logins to a Compliance Asset
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports multiple failed logins to a compliance asset.

Compliance: Traffic from DMZ to Internal Network
    Group: Compliance. Rule Type: Common. Enabled: True.
    Reports traffic from the DMZ to an internal network. This is typically not allowed under compliance regulations. Before enabling this rule, make sure the DMZ object is defined in your network hierarchy.

Compliance: Traffic from Untrusted Network to Trusted Network
    Group: Compliance. Rule Type: Common. Enabled: True.
    Reports traffic from an untrusted network to a trusted network. Before enabling this rule, edit the following BBs: BB:NetworkDefinition: Untrusted Network Segment and BB:NetworkDefinition: Trusted Network Segment.

Database: Attempted Configuration Modification by a remote host
    Group: Compliance. Rule Type: Event. Enabled: True.
    Reports when a configuration modification is attempted on a database server from a remote network.


Database: Concurrent Logins from Multiple Locations
    Group: Compliance. Rule Type: Event. Enabled: True.
    Reports when several authentications to a database server occur across multiple remote IP addresses.

Vulnerabilities: Vulnerability Reported by Scanner
    Group: Compliance. Rule Type: Event. Enabled: False.
    Reports when a vulnerability is discovered on a local host.

Database: Attempted Configuration Modification by a remote host
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when a configuration modification is attempted on a database server from a remote network.

Database: Concurrent Logins from Multiple Locations
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when multiple remote IP addresses concurrently log in to a database server.

Database: Failures Followed by User Changes
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when login failures are followed by the addition or change of a user account.

Database: Groups changed from Remote Host
    Group: Database. Rule Type: Event. Enabled: True.
    Monitors changes to groups on a database when the change is initiated from a remote network.

Database: Multiple Database Failures Followed by Success
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when there are multiple database failures followed by a success within a short period of time.

Database: Remote Login Failure
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when a login failure from a remote source IP address to a database server is detected.

Database: Remote Login Success
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when a successful authentication to a database server occurs from a remote network.

Database: User Rights Changed from Remote Host
    Group: Database. Rule Type: Event. Enabled: True.
    Reports when changes to database user privileges are made from a remote network.

DDoS: DDoS Attack Detected
    Group: D/DoS. Rule Type: Event. Enabled: True.
    Reports network Distributed Denial of Service (DDoS) attacks on a system.

DDoS: DDoS Events with High Magnitude Become Offenses
    Group: D/DoS. Rule Type: Event. Enabled: True.
    Creates offenses for DDoS-based events with a high magnitude.

DDoS: Potential DDoS Against Single Host (ICMP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when more than 500 hosts send packets to a single destination using ICMP in one minute and there is no response.

DDoS: Potential DDoS Against Single Host (Other)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when more than 500 hosts send packets to a single destination using IPSec or an uncommon protocol in one minute and there is no response.

DDoS: Potential DDoS Against Single Host (TCP)
    Group: D/DoS. Rule Type: Flow. Enabled: True.
    Reports when more than 500 hosts send packets to a single destination using TCP in one minute and there is no response.


DDoS: Potential DDoS Against Single Host (UDP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when more than 500 hosts send packets to a single destination using UDP in one minute and there is no response.

DoS: DoS Events from Darknet
    Group: D/DoS. Rule Type: Event. Enabled: False.
    Reports when DoS attack events are identified on Darknet network ranges.

DoS: DoS Events with High Magnitude Become Offenses
    Group: D/DoS. Rule Type: Event. Enabled: True.
    Forces the creation of an offense for DoS-based events with a high magnitude.

DoS: Local Flood (ICMP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single local host sends more than three flows containing 60,000 packets to an Internet destination using ICMP in 5 minutes.

DoS: Local Flood (Other)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single local host sends more than three flows containing 60,000 packets to an Internet destination using IPSec or an uncommon protocol in 5 minutes.

DoS: Local Flood (TCP)
    Group: D/DoS. Rule Type: Flow. Enabled: True.
    Reports when a single local host sends more than 60,000 packets at a packet rate of 1,000 packets per second to an Internet destination using TCP.

DoS: Local Flood (UDP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single local host sends more than three flows containing 60,000 packets to an Internet destination using UDP in 5 minutes.

DoS: Network DoS Attack Detected
    Group: D/DoS. Rule Type: Event. Enabled: True.
    Reports network Denial of Service (DoS) attacks on a system.

DoS: Remote Flood (ICMP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single host on the Internet sends more than three flows containing 60,000 packets to an Internet destination using ICMP in 5 minutes.

DoS: Remote Flood (Other)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single host on the Internet sends more than three flows containing 60,000 packets to an Internet destination using IPSec or an uncommon protocol in 5 minutes.

DoS: Remote Flood (TCP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single host on the Internet sends more than three flows containing 60,000 packets to an Internet destination using TCP in 5 minutes.

DoS: Remote Flood (UDP)
    Group: D/DoS. Rule Type: Flow. Enabled: False.
    Reports when a single host on the Internet sends more than three flows containing 60,000 packets to an Internet destination using UDP in 5 minutes.

DoS: Service DoS Attack Detected
    Group: D/DoS. Rule Type: Event. Enabled: True.
    Reports a DoS attack against a local destination IP address that is known to exist and whose target port is open.


Botnet: Potential Botnet Connection (DNS)
    Group: Botnet. Rule Type: Common. Enabled: False.
    Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet; the host should be investigated for malicious code. Before you enable this rule, configure the BB:HostDefinition: DNS Servers BB. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the BB:HostDefinition: DNS Servers BB.

Exploit: All Exploits Become Offenses
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports all exploit events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Exploit: Attack followed by Attack Response
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports when exploit events are followed by typical responses, which may indicate a successful exploit.

Exploit: Chained Exploit Followed by Suspicious Events
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports exploit activity from a source IP address followed, within 15 minutes, by suspicious account activity against a third host from the same destination IP address as the original exploit.

Exploit: Destination Vulnerable to Detected Exploit
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports an exploit against a vulnerable local destination IP address, where the destination IP address is known to exist and the host is vulnerable to the exploit.

Exploit: Destination Vulnerable to Detected Exploit on a Different Port
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports an exploit against a vulnerable local destination IP address, where the destination IP address is known to exist and the host is vulnerable to the exploit on a different port.

Exploit: Destination Vulnerable to Different Exploit than Attempted on Targeted Port
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports an exploit against a vulnerable local destination IP address, where the target is known to exist and the host is vulnerable to some exploit, but not the one being attempted.

Exploit: Exploit Followed by Suspicious Host Activity
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports an exploit from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Exploit: Exploit/Malware Events Across Multiple Destinations
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports a source IP address generating multiple (at least five) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Exploit: Exploits Events with High Magnitude Become Offenses
    Group: Exploit. Rule Type: Event. Enabled: True.
    Generates offenses for exploit-based events with a high magnitude.


Exploit: Exploits Followed by Firewall Accepts
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports when exploit events are followed by firewall accept events, which may indicate a successful exploit.

Exploit: Multiple Exploit Types Against Single Destination
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports a destination IP address being exploited using multiple types of exploit from one or more source IP addresses.

Exploit: Multiple Vector Attack Source
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports when a source IP address attempts multiple attack vectors. This may indicate a source IP address specifically targeting an asset.

Exploit: Potential VoIP Toll Fraud
    Group: Exploit. Rule Type: Event. En
abled: False.
    Reports when at least three failed login attempts within 30 seconds, followed by sessions being opened, are detected on your VoIP hardware. This could indicate that unauthorized users are executing VoIP sessions on your network.

Exploit: Recon followed by Exploit
    Group: Exploit. Rule Type: Event. Enabled: True.
    Reports reconnaissance events followed by an exploit from the same source IP address to the same destination port within 1 hour.

Exploit: Source Vulnerable to any Exploit
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports an exploit from a local host where the source IP address has at least one vulnerability to any exploit. It is possible the source IP address was a destination IP address in an earlier offense.

Exploit: Source Vulnerable to this Exploit
    Group: Exploit. Rule Type: Event. Enabled: False.
    Reports an attack from a local host where the source IP address has at least one vulnerability to the exploit being used. It is possible the source IP address was a destination IP address in an earlier offense.

FalsePositive: False Positive Rules and Building Blocks
    Group: False Positive. Rule Type: Event. Enabled: True.
    Reports events that match false positive rules and BBs, such as BB:FalsePositive: Windows Server False Positive Events. Events that match the rule are stored and dropped from the event pipeline. If you add any new BBs or rules to stop events from becoming offenses, you must add these new rules or BBs to this rule.

Magnitude Adjustment: Context is Local to Local
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of flows and events when there is local to local communication.

Magnitude Adjustment: Context is Local to Remote
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of flows and events when there is local to remote communication.

Magnitude Adjustment: Context is Remote to Local
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of flows and events when there is remote to local communication.

Magnitude Adjustment: Destination Asset Exists
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance and credibility of flows and events where the destination is a local asset.


Magnitude Adjustment: Destination Asset Port is Open
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance and credibility of events and flows when the destination port is known to be active.

Magnitude Adjustment: Destination Network Weight is High
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the destination network weight is high.

Magnitude Adjustment: Destination Network Weight is Low
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the destination network weight is low.

Magnitude Adjustment: Destination Network Weight is Medium
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the destination network weight is medium.

Magnitude Adjustment: Source Address is a Bogon IP
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the severity of events and flows when the source IP is a known bogon address. Traffic from known bogon addresses may indicate that the source IP address is spoofed.

Magnitude Adjustment: Source Address is a Known Questionable IP
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the severity of events and flows when the source IP is a known questionable host.

Magnitude Adjustment: Source Asset Exists
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance and credibility of flows and events where the source is a local asset.

Magnitude Adjustment: Source Network Weight is High
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the source network weight is high.

Magnitude Adjustment: Source Network Weight is Low
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the source network weight is low.

Magnitude Adjustment: Source Network Weight is Medium
    Group: Magnitude Adjustment. Rule Type: Common. Enabled: True.
    Adjusts the relevance of events and flows if the source network weight is medium.

Malware: Communication with a site that has been involved in previous SQL injection
    Group: Malware. Rule Type: Flow. Enabled: False.
    Reports communication with a web site that has been involved in previous SQL injection.

Malware: Communication with a site that is listed on a known blacklist or uses fast flux
    Group: Malware. Rule Type: Flow. Enabled: True.
    Reports communication with a web site that is listed on a known blacklist or uses fast flux.

Malware: Communication with a web site known to aid in distribution of malware
    Group: Malware. Rule Type: Flow. Enabled: False.
    Reports communication with a web site known to aid in the distribution of malware.


Malware: Communication with a web site known to be a phishing or fraud site
    Group: Malware. Rule Type: Flow. Enabled: False.
    Reports communication with a web site known to be a phishing or fraud site. Note: Phishing is the process of attempting to acquire information such as usernames, passwords and credit card details by pretending to be a trustworthy entity.

Malware: Communication with a web site known to be associated with the Russian business network
    Group: Malware. Rule Type: Flow. Enabled: True.
    Reports communication with a web site known to be associated with the Russian business network.

Malware: Communication with a web site known to be delivering code which may be a trojan
    Group: Malware. Rule Type: Flow. Enabled: False.
    Reports communication with a web site known to be delivering code which may be a trojan.

Malware: Communication with a web site known to be involved in botnet activity
    Group: Malware. Rule Type: Flow. Enabled: False.
    Reports communication with a web site known to be involved in botnet activity.

Malware: Local Host Sending Malware
    Group: Malware. Rule Type: Event. Enabled: False.
    Reports malware being sent from local hosts.

Malware: Remote: Client Based DNS Activity to the Internet
    Group: Malware. Rule Type: Flow. Enabled: True.
    Reports when a host is attempting to connect to a DNS server that is not defined as part of a local network.

Malware: Treat Backdoor, Trojans and Virus Events as Offenses
    Group: Malware. Rule Type: Event. Enabled: False.
    Reports events categorized as backdoor, virus, and trojan. Enable this rule if you want all events categorized as backdoor, virus, and trojan to create an offense.

Malware: Treat Key Loggers as Offenses
    Group: Malware. Rule Type: Event. Enabled: False.
    Reports events categorized as key loggers. Enable this rule if you want all events categorized as key logger to create an offense.

Malware: Treat Non-Spyware Malware as Offenses
    Group: Malware. Rule Type: Event. Enabled: False.
    Reports non-spyware malware events. Enable this rule if you want all events categorized as malware to create an offense.

Malware: Treat Spyware and Virus as Offenses
    Group: Malware. Rule Type: Event. Enabled: False.
    Reports spyware and virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Policy: Connection to a remote proxy or anonymization service
    Group: Policy. Rule Type: Common. Enabled: True.
    Reports events or flows associated with remote proxy and anonymization services.


Policy: Connection to Internet on Unauthorized Port
    Group: Policy. Rule Type: Common. Enabled: False.
    Reports events or flows connecting to the Internet on unauthorized ports.

Policy: Create Offenses for All Chat Traffic based on Flows
    Group: Policy. Rule Type: Flow. Enabled: False.
    Reports flows associated with chat traffic.

Policy: Create Offenses for All Instant Messenger Traffic
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports Instant Messenger traffic, or any event categorized as Instant Messenger traffic, where the source is local and the destination IP address is remote.

Policy: Create Offenses for All P2P Usage
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports Peer-to-Peer (P2P) traffic or any event categorized as P2P.

Policy: Create Offenses for All Policy Events
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.

Policy: Create Offenses for All Porn Usage
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports any traffic that contains illicit materials or any event categorized as porn. By default, this rule is disabled. Enable this rule if you want all events categorized as porn to create an offense.

Policy: Host has SANS Top 20 Vulnerability
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports when an event is detected on an asset that is vulnerable to a vulnerability identified in the SANS Top 20 Vulnerabilities (http://www.sans.org/top20/).

Policy: Large Outbound Transfer High Rate of Transfer
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports a single host sending more data out of the network than it receives. This rule detects over 2 MB of data transferred over 12 minutes.

Policy: Large Outbound Transfer Slow Rate of Transfer
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports a single host sending more data out of the network than it receives. This rule detects over 2 MB of data transferred over 2 hours. This is fairly slow and could indicate stealthy data leakage.

Policy: Local: Clear Text Application Usage
    Group: Policy. Rule Type: Flow. Enabled: False.
    Reports flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet or FTP.

Policy: Local: Hidden FTP Server
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where this server provides backdoor access to the host.

Policy: Local: SSH or Telnet Detected on Non-Standard Port
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where these servers provide backdoor access to the host.


Policy: New DHCP Server Discovered
    Group: Policy. Rule Type: Flow. Enabled: False.
    Reports when a DHCP server is discovered on the network.

Policy: New Host Discovered
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports when a new host has been discovered on the network.

Policy: New Host Discovered in DMZ
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports when a new host has been discovered in the DMZ.

Policy: New Service Discovered
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports when a new service is discovered on an existing host.

Policy: New Service Discovered in DMZ
    Group: Policy. Rule Type: Event. Enabled: False.
    Reports when a new service has been discovered on an existing host in the DMZ.

Policy: Possible Local IRC Server
    Group: Policy. Rule Type: Common. Enabled: True.
    Reports a local host running a service on a typical IRC port, or a flow that was detected as IRC. This is not typical for enterprises and should be investigated.

Policy: Remote: Clear Text Application Usage based on Flows
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet or FTP.

Policy: Remote: Hidden FTP Server
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where this server provides backdoor access to the host.

Policy: Remote: IM/Chat
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports an excessive amount of IM/Chat traffic from a single source.

Policy: Remote: IRC Connections
    Group: Policy. Rule Type: Common. Enabled: False.
    Reports a local host issuing an excessive number of IRC connections to the Internet.

Policy: Remote: Local P2P Client Connected to more than 100 Servers
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports local hosts operating as a P2P client. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy: Remote: Local P2P Client Detected
    Group: Policy. Rule Type: Flow. Enabled: False.
    Reports local hosts operating as a P2P client. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy: Remote: Local P2P Server connected to more than 100 Clients
    Group: Policy. Rule Type: Flow. Enabled: True.
    Reports local hosts operating as a P2P server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy: Remote: Local P2P Server Detected
    Group: Policy. Rule Type: Flow. Enabled: False.
    Reports local hosts operating as a P2P server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

STRM Administration Guide

Default Rules

13

Table B-1 Default Rules (continued)

Rule

Group

Rule Type Flow

Enabl ed Description True Reports a flow communicating to the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. Investigate the host for potential malware infections. Reports potential tunneling that can be used to bypass policy or security controls. Reports the Microsoft Remote Desktop Protocol from the Internet communicating to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule. Reports a local host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, worm, or spam relay is present. Reports a SSH or Telnet server on a non-standard port. The default port for SSH and Telnet servers is TCP port 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where these servers provide backdoor access to the host. Reports flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy. Reports when VNC (a remote desktop access application) is communicating from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule. Reports potential file uploads to a local web server. To edit the details of this rule, edit the BB:CategoryDefinition: Upload to Local WebServer BB. Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. More than 400 destination IP addresses received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other destination IP addresses, or a worm is present on the system.

Policy: Remote: Long Policy Duration Flow Detected

Policy: Remote: Potential Tunneling

Policy

Flow Flow

True True

Policy: Remote: Remote Policy Desktop Access from the Internet

Policy: Remote: SMTP Mail Sender

Policy

Flow

True

Policy: Remote: SSH or Policy Telnet Detected on Non-Standard Port

Flow

True

Policy: Remote: Usenet Usage

Policy

Flow

True

Policy: Remote: VNC Policy Access from the Internet to a Local Host

Flow

True

Policy: Upload to Local WebServer

Policy

Event

False

Recon: Aggressive Recon Local Scanner Detected

Common True

STRM Administration Guide

14

ENTERPRISE TEMPLATE

Table B-1 Default Rules (continued)

Rule Recon: Aggressive Remote Scanner Detected

Group Recon

Rule Type

Enabl ed Description Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 destination IP addresses received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other destination IP addresses, or a worm on a system. Reports excessive attempts, from local hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. Reports excessive attempts, from remote hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. Reports when more than 400 ports are scanned from a single source IP address in under 2 minutes. If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. Reports a scan from a local host against other local or remote destination IP addresses. At least 30 host were scanned in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Common True

Recon: Excessive Firewall Denies From Local Hosts Recon: Excessive Firewall Denies From Remote Hosts Recon: Host Port Scan Detected by Remote Host

Recon

Common True

Recon

Common True

Recon

Common True

Recon: Increase Recon Magnitude of High Rate Scans Recon: Increase Magnitude of Medium Rate Scans Recon: Local LDAP Server Scanner Recon

Event

True

Event

True

Recon

Common True

Recon: Local Database Scanner Recon: Local DHCP Scanner

Recon

Common True

Recon

Common True

Recon: Local DNS Scanner

Recon

Common True

Recon: Local FTP Scanner

Recon

Common True

STRM Administration Guide

Default Rules

15

Table B-1 Default Rules (continued)

Rule Recon: Local Game Server Scanner

Group Recon

Rule Type

Enabl ed Description Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common P2P server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. Reports a scan from a local host against other hosts or remote destination IP addresses. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Common True

Recon: Local ICMP Scanner

Recon

Common True

Recon: Local IM Server Scanner

Recon

Common True

Recon: Local IRC Server Scanner

Recon

Common True

Recon: Local Mail Server Scanner

Recon

Common True

Recon: Local P2P Server Scanner

Recon

Common True

Recon: Local Proxy Server Scanner

Recon

Common True

Recon: Local RPC Server Scanner

Recon

Common True

Recon: Local Scanner Detected

Recon

Common True

Recon: Local SNMP Scanner

Recon

Common True

Recon: Local SSH Server Scanner

Recon

Common True

STRM Administration Guide

16

ENTERPRISE TEMPLATE

Table B-1 Default Rules (continued)

Rule Recon: Local Suspicious Probe Events Detected

Group Recon

Rule Type

Enabl ed Description Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than five destination IP address in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operation systems of the host. Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 20 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 200 hosts in 20 minutes. Reports on potential local port scans. Reports on potential P2P traffic. Reports when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity. Reports a scan from a remote host against other local or remote destination IP addresses. At least 30 hosts were scanned in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes. Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Common False

Recon: Local TCP Scanner

Recon

Common True

Recon: Local UDP Scanner

Recon

Common True

Recon: Local Web Server Scanner

Recon

Common True

Recon: Local Windows Server Scanner to Internet Recon: Local Windows Server Scanner

Recon

Common True

Recon

Common True

Recon: Potential Local Port Scan Detected Recon: Potential P2P Traffic Detected

Recon Recon

Common True Common True Common False

Recon: Recon Followed Recon by Accept Recon: Remote Database Scanner Recon: Remote DHCP Scanner Recon: Remote DNS Scanner Recon

Common True

Recon

Common True

Recon

Common True

STRM Administration Guide

Default Rules

17

Table B-1 Default Rules (continued)

Rule Recon: Remote FTP Scanner Recon: Remote Game Server Scanner Recon: Remote ICMP Scanner Recon: Remote IM Server Scanner Recon: Remote IRC Server Scanner Recon: Remote LDAP Server Scanner Recon: Remote Mail Server Scanner Recon: Remote Proxy Server Scanner Recon: Remote RPC Server Scanner Recon: Remote Scanner Detected

Group Recon

Rule Type

Enabl ed Description Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. Reports a scan from a remote host against other local or remote destination IP addresses. At least 30 hosts were scanned in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes. Reports a scan from a remote host against other hosts or remote destination IP addresses. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. Reports a remote host scans at least 30 local or remote hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. Reports various suspicious or reconnaissance events from the same remote source IP address to more then five destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance that attempts to identify the services and operating system of the destination IP addresses.

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon: Remote SNMP Scanner Recon: Remote SSH Server Scanner Recon: Remote Suspicious Probe Events Detected

Recon Recon

Common True Common True

Recon

Common False

STRM Administration Guide

18

ENTERPRISE TEMPLATE

Table B-1 Default Rules (continued)

Rule Recon: Remote TCP Scanner Recon: Remote UDP Scanner Recon: Remote Web Server Scanner Recon: Remote Windows Server Scanner Recon: Single Merged Recon Events Local Scanner

Group Recon

Rule Type

Enabl ed Description Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes. Reports merged reconnaissance events generated by local scanners. This rule causes all these events to create an offense. All devices of this type and their event categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events BB. Reports merged reconnaissance events generated by remote scanners. This rule causes all these events to create an offense. All devices of this type and their event categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events BB. Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. This rule only sends one e-mail every hour, per offense. Reports any offense matching the severity, credibility, or relevance minimum to syslog. Rule identifies events that have common internal only ports, communicating outside of the local network. Reports events associated with known hostile networks. Reports events associated with networks identified as web sites that may involve data loss. Reports events associated with networks you want to monitor.

Common False

Recon

Common True

Recon

Common True

Recon

Common True

Recon

Common True

Recon: Single Merged Recon Events Remote Scanner

Recon

Common True

Default-ResponseE-mail: Offense E-mail Sender

Response

Offense

False

Default-ResponseSyslog: Offense SYSLOG Sender SuspiciousActivity: Common Non-Local to Remote Ports

Response

Offense

False

Suspicious

Common False

SuspiciousActivity: Suspicious Communication with Known Hostile Networks SuspiciousActivity: Communication with Known Online Services SuspiciousActivity: Communication with Known Watched Networks Suspicious

Common False

Common False

Suspicious

Common False

STRM Administration Guide

Default Rules

19

Table B-1 Default Rules (continued)

Rule SuspiciousActivity: Consumer Grade Equipment

Group Suspicious

Rule Type Event

Enabl ed Description False Reports when discovered assets appear to be consumer grade equipment. Before enabling this rule, you must configure the BB:DeviceDefinition: Consumer Grade Routers and BB:DeviceDefinition: Consumer Grade Wireless APs BBs. Creates an offense when an event matches a 100% accurate signature for successful compromises. Reports when STRM detects critical event. Reports when a log source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor. Reports when a firewall, IPS, VPN or switch log source has not sent an event in over 30 minutes

System: 100% Accurate System Events System:Critical System Events System: Device Stopped Sending Events System: Device Stopped Sending Events (Firewall, IPS, VPN or Switch) System System

Event Event Event

True False False

System

Event

True

System: Flow Source System Stopped Sending Flows System: Host Based Failures System: Load Building Blocks System: Multiple System Errors System:Notification System: Service Stopped and not Restarted WormDetection: Local Mass Mailing Host Detected WormDetection: Possible Local Worm Detected System System System System System

Flow Event Event Event Event Event

True False True False True False

Reports when a flow interface stops generating flows for over 30 minutes. Reports when STRM detects events that indicate failures within services or hardware. Loads BBs that need to be run to assist with reporting. This rule has no actions or responses. Reports when a source IP address has 10 system errors within 3 minutes. Rule ensures that notification events shall be sent to the notification framework. Reports when a services has been stopped on a system and not restarted. Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm. Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a wide spread scan. Reports when a host is connecting to many hosts on the Internet on ports commonly known for worm propagation. Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic.

Worms

Event

True

Worms

Event

True

WormDetection: Worms Successful Connections to the Internet on Common Worm Ports WormDetection: Worm Detected (Events) Worms

Event

True

Event

True

STRM Administration Guide

20

ENTERPRISE TEMPLATE

Default Building Blocks

Default building blocks for the Enterprise template include:

Table B-2 Default Building Blocks

Building Block BB: CategoryDefinition: Application or Service Installed or Modified

Group Category Definitions

Block Type Event

Description Edit this BB to include event categories that are considered part of events detected when an application or service is installed or modified on a host. Edit this BB to include event categories that are considered part of events detected when auditing has stopped on a host. Edit this BB to include applications that indicate communication with file sharing sites. Edit this BB to include applications that indicate communication with free e-mail sites Edit the BB to include all event categories that indicate a service has started. Edit the BB to include all event categories that indicate a service has stopped. Edit this BB to include usernames associated with superuser accounts, such as admin, superuser, and root. Edit this BB is include event categories associated with system or device configuration changes. Edit this BB to include all unidirectional flows.

Associated Building Blocks, if applicable

BB: CategoryDefinition: Auditing Stopped

Category Definitions

Event

BB: CategoryDefinition: Communication with File Sharing Sites

Category Definitions

Flow

BB: CategoryDefinition: Category Communication with Free Definitions Email Sites BB: CategoryDefinition: Service Started Category Definition

Flow

Event

BB: CategoryDefinition: Service Stopped

Category Definition

Event

BB: CategoryDefinition: Superuser Accounts

Category Definition

Event

BB: CategoryDefinition: System or Device Configuration Change BB: CategoryDefinition: Unidirectional Flow

Category Definition

Event

Category Definition

Flow

BB: CategoryDefinition: Unidirectional Flow DST BB: CategoryDefinition: Unidirectional Flow SRC

STRM Administration Guide

Default Building Blocks

21

Table B-2 Default Building Blocks (continued)

Building Block BB: CategoryDefinition: Unidirectional Flow DST

Group Category Definition

Block Type Flow

Description Edit this BB to define unidirectional flow from the source IP address to the destination IP address. Edit this BB to define unidirectional flow from the destination IP address to the source IP address. Edit this BB to include event categories that are considered part of events detected during a typical compromise. Edit this BB to include event categories that are considered part of events detected after a typical compromise. Edit this BB to include all event categories that indicate access denied. Edit this BB to include all flow types. Edit this BB to include all events that indicate an unsuccessful attempt to access the network. Edit this BB to include all events that indicate successful attempts to access the network. Edit this BB to include all events that indicate failed attempts to access the network using a disabled account. Edit this BB to include all events that indicate failed attempts to access the network using an expired account. Edit this BB to include all events that indicate modification to accounts or groups.

Associated Building Blocks, if applicable

BB: CategoryDefinition: Unidirectional Flow SRC

Category Definition

Flow

BB:BehaviorDefinition: Compromise Activities

Category Definitions

Event

BB:BehaviorDefinition: Post Compromise Activities

Category Definitions

Event

BB:CategoryDefinition: Access Denied BB:CategoryDefinition: Any Flow BB:CategoryDefinition: Authentication Failures

Category Definition Category Definition

Event

Flow

Compliance Event

BB:CategoryDefinition: Authentication Success

Compliance Event

BB:CategoryDefinition: Authentication to Disabled Account

Compliance Event

BB:CategoryDefinition: Compliance Event Authentication to Expired Account

BB:CategoryDefinition: Compliance Event Authentication User or Group Added or Changed

STRM Administration Guide

22

ENTERPRISE TEMPLATE

Table B-2 Default Building Blocks (continued)

Building Block

Group

Block Type Event

Description Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country rule. Edit this BB to include all events that indicates denied access to the database. Edit this BB to include all events that indicates permitted access to the database. Edit this BB to define successful logins to databases. You may need to add additional device types for this BB. Edit this BB to include all event categories that you want to categorize as a DDoS attack. Edit this BB to include all events that are typically exploits, backdoor, or trojans. Edit this BB that indicate failure within a service or hardware. Edit this BB to include all events that indicate access to the firewall. Edit this BB to include all events that indicate unsuccessful attempts to access the firewall.

Associated Building Blocks, if applicable

BB:CategoryDefinition: Category Countries with no Remote Definitions Access

BB:CategoryDefinition: Category Database Access Denied Definition BB:CategoryDefinition: Database Access Permitted BB:CategoryDefinition: Database Connections Category Definition

Event

Event

Category Definitions

Event

BB:CategoryDefinition: DDoS Attack Events

Category Definitions

Event

BB:CategoryDefinition: Exploits, Backdoors, and Trojans BB:CategoryDefinition: Failure Service or Hardware BB:CategoryDefinition: Firewall or ACL Accept BB:CategoryDefinition: Firewall or ACL Denies

Category Definitions

Event

Compliance Event

Category Definitions Category Definitions

Event

Event

STRM Administration Guide

Default Building Blocks

23

Table B-2 Default Building Blocks (continued)

Building Block BB:CategoryDefinition: Firewall System Errors

Group Category Definitions

Block Type Event

Description Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices:
Check Point Generic Firewall Iptables NetScreen Firewall Cisco Pix

Associated Building Blocks, if applicable

BB:CategoryDefinition: High Magnitude Events

Category Definitions

Event

Edit this BB to the severity, credibility, and relevance levels you want to generate an event. The defaults are:
Severity = 6 Credibility = 7 Relevance = 7

BB:CategoryDefinition: Inverted Flows BB:CategoryDefinition: IRC Detected Based on Application BB:CategoryDefinition: IRC Detected Based on Event Category BB:CategoryDefinition: IRC Detection Based on Firewall Events

Category Definitions Category Definitions

Flow Flow

Edit this BB to identify flows that may be inverted. This Building Block to BB:CategoryDefinition: include applications that are Successful Communication typically associated with IRC traffic. This Building Block to include event categories that are typically associated with IRC traffic. This Building Block to BB:CategoryDefinition: include event categories and Firewall or ACL Accept port definitions that are BB:PortDefinition: IRC Ports typically associated with IRC traffic. Edit this BB to include all events associated with key logger monitoring of user activities. Edit this BB to define mail policy violations. Edit this BB to include event categories that are typically associated with spyware infections.

Category Definitions

Event

Category Definitions

Event

BB:CategoryDefinition: KeyLoggers

Category Definitions

Event

BB:CategoryDefinition: Mail Policy Violation BB:CategoryDefinition: Malware Annoyances

Compliance Event Category Definitions Event

STRM Administration Guide

24

ENTERPRISE TEMPLATE

Table B-2 Default Building Blocks (continued)

Building Block BB:CategoryDefinition: Network DoS Attack

Group Category Definitions

Block Type Event

Description Edit this BB to include all event categories that you want to categorize as a network DoS attack. Edit this BB to include all event categories that may indicate a violation to network policy. Edit this BB to define actions that may be seen within a Remote-to-Local (R2L) and a DMZ host jumping scenario. Edit this BB to include all event categories that may indicate exploits to accounts. Edit this BB to define actions that may be seen within a Local-to-Local (L2L) and a DMZ host jumping scenario. Edit this BB to define actions that may be seen within a Pre DMZ jump followed by a reverse DMZ jump. Edit this BB to include all event categories that indicate reconnaissance activity. Edit this BB to include all events that indicate reconnaissance activity. Edit this BB to include all flows that indicate reconnaissance activity. Edit this BB to define actions that may be seen within a Remote-to-Local (R2L) and a DMZ host reverse jumping scenario. Edit this BB to define Denial of Service (DoS) attack events. Edit this BB to define all session closed events. Edit this BB to define all session opened events.

Associated Building Blocks, if applicable

BB:CategoryDefinition: Policy Events

Compliance Event

BB:CategoryDefinition: Post DMZ Jump

Category Definitions

Event

BB:CategoryDefinition: Post Exploit Account Activity BB:CategoryDefinition: Pre DMZ Jump

Category Definitions Category Definitions

Event

Event

BB:CategoryDefinition: Pre Reverse DMZ Jump

Category Definitions

Event

BB:CategoryDefinition: Recon Event Categories

Category Definitions

Event

BB:CategoryDefinition: Recon Events BB:CategoryDefinition: Recon Flows BB:CategoryDefinition: Reverse DMZ Jump

Category Definitions Category Definitions Category Definitions

Common

Flow

Common

BB:CategoryDefinition: Service DoS BB:CategoryDefinition: Session Closed BB:CategoryDefinition: Session Opened

Category Definitions Category Definition Category Definition

Event

Event Event

STRM Administration Guide

Default Building Blocks

25

Table B-2 Default Building Blocks (continued)

Building Block BB:CategoryDefinition: Successful Communication

Group Category Definitions

Block Type Flow

Description Edit this BB to include all flows that are typical of a successful communication. Tuning this BB to reduce the byte/packet ratio to 64 can cause excessive false positives. Further tuning using additional tests may be required. Edit this BB to include all event categories that indicate suspicious activity. Edit this BB to include all events that indicate suspicious activity. Edit this BB to include all flows that indicate suspicious activity. Edits this BB to define system configuration events. Edit this BB to define system errors and failures. Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods or for local hosts using the method connecting to remote servers. This BB is referenced by the Policy: Upload to Local WebServer rule. Edit this BB to define all virus detection events. Edit this BB to include all events that indicate a VoIP login failure.

Associated Building Blocks, if applicable

BB:CategoryDefinition: Suspicious Event Categories BB:CategoryDefinition: Suspicious Events BB:CategoryDefinition: Suspicious Flows BB:CategoryDefinition: System Configuration BB:CategoryDefinition: System Errors and Failures BB:CategoryDefinition: Upload to Local WebServer

Category Definitions Category Definitions Category Definitions Category Definitions Category Definitions Category Definitions

Event

Common

Flow

Event Event

Event

BB:CategoryDefinition: Virus Detected BB:CategoryDefinition: VoIP Authentication Failure Events

Category Definition Category Definitions

Event Event

STRM Administration Guide

26

ENTERPRISE TEMPLATE

Table B-2 Default Building Blocks (continued)

Columns: Building Block [Group; Block Type], Description, Associated Building Blocks (if applicable).

BB:CategoryDefinition: VoIP Session Opened [Group: Category Definitions; Block Type: Event]
Description: Edit this BB to include all events that indicate the start of a VoIP session.

BB:CategoryDefinition: VPN Access Accepted [Group: Category Definition; Block Type: Event]
Description: Edit this BB to include all events that indicate permitted access.

BB:CategoryDefinition: VPN Access Denied [Group: Category Definition; Block Type: Event]
Description: Edit this BB to include all events that are considered Denied Access events.

BB:CategoryDefinition: Windows Compliance Events [Group: Compliance; Block Type: Event]
Description: Edit this BB to include all event categories that indicate compliance events.

BB:CategoryDefinition: Windows SOX Compliance Events [Group: Compliance; Block Type: Event]
Description: Edit this BB to include all event categories that indicate SOX compliance events.

BB:CategoryDefinition: Worm Events [Group: Category Definitions; Block Type: Event]
Description: Edit this BB to define worm events. This BB only applies to events not detected by a custom rule.

BB:ComplianceDefinition: GLBA Servers [Group: Compliance; Block Type: Common]
Description: Edit this BB to include your GLBA IP systems. You must then apply this BB to rules related to failed logins, such as remote access.

BB:ComplianceDefinition: HIPAA Servers [Group: Compliance; Block Type: Common]
Description: Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, such as remote access.

BB:ComplianceDefinition: PCI DSS Servers [Group: Response; Block Type: Common]
Description: Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, such as remote access.

BB:ComplianceDefinition: SOX Servers [Group: Compliance; Block Type: Common]
Description: Edit this BB to include your SOX IP servers. You must then apply this BB to rules related to failed logins, such as remote access.

BB:Database: System Action Allow [Group: Compliance; Block Type: Event]
Description: Edit this BB to include any events that indicate successful actions within a database.

Default Building Blocks

BB:Database: System Action Deny [Group: Compliance; Block Type: Event]
Description: Edit this BB to include any events that indicate unsuccessful actions within a database.

BB:Database: User Addition or Change [Group: Compliance; Block Type: Event]
Description: Edit this BB to include events that indicate the successful addition or change of user privileges.

BB:DeviceDefinition: Access/Authentication/Audit [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include all access, authentication, and audit devices.

BB:DeviceDefinition: AntiVirus [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include all antivirus services on the system.

BB:DeviceDefinition: Application [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include all application and OS devices on the network.

BB:DeviceDefinition: Consumer Grade Routers [Group: Log Source Definitions; Block Type: Common]
Description: Edit this BB to include MAC addresses of known consumer grade routers.

BB:DeviceDefinition: Consumer Grade Wireless APs [Group: Log Source Definitions; Block Type: Common]
Description: Edit this BB to include MAC addresses of known consumer grade wireless access points.

BB:DeviceDefinition: Database [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to define all databases on the system.

BB:DeviceDefinition: Devices to Monitor for High Event Rates [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Anomaly: Devices with High Event Rates rule.

BB:DeviceDefinition: FW/Router/Switch [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include all firewalls (FW), routers, and switches on the network.

BB:DeviceDefinition: IDS/IPS [Group: Log Source Definitions; Block Type: Event]
Description: Edit this BB to include all IDS and IPS devices on the network.

BB:DeviceDefinition: VPN [Group: Log Source Definition; Block Type: Event]
Description: Edit this BB to include all VPNs on the network.


BB:DoS: Local: Distributed DoS Attack (High Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a high number of hosts (greater than 100,000) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Local: Distributed DoS Attack (Low Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a low number of hosts (greater than 500) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Local: Distributed DoS Attack (Medium Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a medium number of hosts (greater than 5,000) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Local: Flood Attack (High) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 100,000 packets per second. This activity may indicate an attack.

BB:DoS: Local: Flood Attack (Low) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 500 packets per second. This activity may indicate an attack.

BB:DoS: Local: Flood Attack (Medium) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 5,000 packets per second. This activity may indicate an attack.

BB:DoS: Local: Potential ICMP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be an ICMP DoS attack attempt.

BB:DoS: Local: Potential TCP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be a TCP DoS attack attempt.

BB:DoS: Local: Potential UDP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be a UDP DoS attack attempt.


BB:DoS: Local: Potential Unresponsive Server or Distributed DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a low number of hosts sending identical, non-responsive packets to a single destination. In this case, the destination is treated as the source in the Offenses interface.

BB:DoS: Remote: Distributed DoS Attack (High Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a high number of hosts (greater than 100,000) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Remote: Distributed DoS Attack (Low Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a low number of hosts (greater than 500) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Remote: Distributed DoS Attack (Medium Number of Hosts) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a medium number of hosts (greater than 5,000) sending identical, non-responsive packets to a single destination IP address.

BB:DoS: Remote: Flood Attack (High) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 100,000 packets per second. This activity may indicate an attack.

BB:DoS: Remote: Flood Attack (Low) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 500 packets per second. This activity may indicate an attack.

BB:DoS: Remote: Flood Attack (Medium) [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flood attacks above 5,000 packets per second. This activity may indicate an attack.

BB:DoS: Remote: Potential ICMP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be an ICMP DoS attack attempt.

BB:DoS: Remote: Potential TCP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be a TCP DoS attack attempt.


BB:DoS: Remote: Potential UDP DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect flows that appear to be a UDP DoS attack attempt.

BB:DoS: Remote: Potential Unresponsive Server or Distributed DoS [Group: D/DoS; Block Type: Flow]
Description: Edit this BB to detect a low number of hosts sending identical, non-responsive packets to a single destination. In this case, the destination is treated as the source in the Offenses interface.

BB:FalseNegative: Events That Indicate Successful Compromise [Group: False Positive; Block Type: Event]
Description: Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy.

BB:FalsePositive: All Default False Positive BBs [Group: False Positive; Block Type: Common]
Description: Edit this BB to include all false positive BBs.
Associated Building Blocks: All BB:FalsePositive BBs

BB:FalsePositive: Broadcast Address False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from the broadcast address space.

BB:FalsePositive: Database Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the BB:HostDefinition: Database Servers BB.
Associated Building Blocks: BB:HostDefinition: Database Servers

BB:FalsePositive: Database Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the BB:HostDefinition: Database Servers BB.
Associated Building Blocks: BB:HostDefinition: Database Servers

BB:FalsePositive: Device and Specific Event [Group: False Positive; Block Type: Event]
Description: Edit this BB to include the devices and QIDs of devices that continually generate false positives.

BB:FalsePositive: DHCP Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the BB:HostDefinition: DHCP Servers BB.
Associated Building Blocks: BB:HostDefinition: DHCP Servers


BB:FalsePositive: DHCP Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the BB:HostDefinition: DHCP Servers BB.
Associated Building Blocks: BB:HostDefinition: DHCP Servers

BB:FalsePositive: DNS Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the BB:HostDefinition: DNS Servers BB.
Associated Building Blocks: BB:HostDefinition: DNS Servers

BB:FalsePositive: DNS Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the BB:HostDefinition: DNS Servers BB.
Associated Building Blocks: BB:HostDefinition: DNS Servers

BB:FalsePositive: Firewall Deny False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define firewall deny events that are false positives.

BB:FalsePositive: FTP False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the BB:HostDefinition: FTP Servers BB.
Associated Building Blocks: BB:HostDefinition: FTP Servers

BB:FalsePositive: FTP Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the BB:HostDefinition: FTP Servers BB.
Associated Building Blocks: BB:HostDefinition: FTP Servers

BB:FalsePositive: Global False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to include any event QIDs that you want to ignore.

BB:FalsePositive: Large Volume Local FW Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define specific events that can create a large volume of false positives in general rules.

BB:FalsePositive: LDAP Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the BB:HostDefinition: LDAP Servers BB.
Associated Building Blocks: BB:HostDefinition: LDAP Servers


BB:FalsePositive: LDAP Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the BB:HostDefinition: LDAP Servers BB.
Associated Building Blocks: BB:HostDefinition: LDAP Servers

BB:FalsePositive: Local Source to Local Destination False Positives [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers.

BB:FalsePositive: Local Source to Remote Destination False Positives [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers.

BB:FalsePositive: Mail Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the BB:HostDefinition: Mail Servers BB.
Associated Building Blocks: BB:HostDefinition: Mail Servers

BB:FalsePositive: Mail Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the BB:HostDefinition: Mail Servers BB.
Associated Building Blocks: BB:HostDefinition: Mail Servers

BB:FalsePositive: Network Management Servers Recon [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the BB:HostDefinition: Network Management Servers BB.
Associated Building Blocks: BB:HostDefinition: Network Management Servers

BB:FalsePositive: Proxy Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the BB:HostDefinition: Proxy Servers BB.
Associated Building Blocks: BB:HostDefinition: Proxy Servers

BB:FalsePositive: Proxy Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the BB:HostDefinition: Proxy Servers BB.
Associated Building Blocks: BB:HostDefinition: Proxy Servers


BB:FalsePositive: Remote Source to Local Destination False Positives [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers.

BB:FalsePositive: RPC Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the BB:HostDefinition: RPC Servers BB.
Associated Building Blocks: BB:HostDefinition: RPC Servers

BB:FalsePositive: RPC Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the BB:HostDefinition: RPC Servers BB.
Associated Building Blocks: BB:HostDefinition: RPC Servers

BB:FalsePositive: SNMP Sender or Receiver False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the BB:HostDefinition: SNMP Servers BB.
Associated Building Blocks: BB:HostDefinition: SNMP Servers

BB:FalsePositive: SNMP Sender or Receiver False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the BB:HostDefinition: SNMP Sender or Receiver BB.
Associated Building Blocks: BB:HostDefinition: SNMP Sender or Receiver

BB:FalsePositive: Source IP and Specific Event [Group: False Positive; Block Type: Event]
Description: Edit this BB to include source IP addresses or specific events that you want to remove.

BB:FalsePositive: SSH Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the BB:HostDefinition: SSH Servers BB.
Associated Building Blocks: BB:HostDefinition: SSH Servers

BB:FalsePositive: SSH Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the BB:HostDefinition: SSH Servers BB.
Associated Building Blocks: BB:HostDefinition: SSH Servers


BB:FalsePositive: Syslog Sender False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all false positive categories that occur to or from syslog sources.
Associated Building Blocks: BB:HostDefinition: Syslog Servers and Senders

BB:FalsePositive: Syslog Sender False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all false positive events that occur to or from syslog sources or destinations.
Associated Building Blocks: BB:HostDefinition: Syslog Servers and Senders

BB:FalsePositive: Virus Definition Update Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the BB:HostDefinition: Virus Definition and Other Update Servers BB.
Associated Building Blocks: BB:HostDefinition: Virus Definition and Other Update Servers

BB:FalsePositive: Web Server False Positive Categories [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the BB:HostDefinition: Web Servers BB.
Associated Building Blocks: BB:HostDefinition: Web Servers

BB:FalsePositive: Web Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the BB:HostDefinition: Web Servers BB.
Associated Building Blocks: BB:HostDefinition: Web Servers

BB:FalsePositive: Windows AD Source Authentication Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to add addresses of Windows Authentication/Active Directory (AD) servers. This BB prevents the AD servers from being the source of authentication messages.

BB:FalsePositive: Windows Server False Positive Categories Local [Group: False Positive; Block Type: Common]
Description: Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the BB:HostDefinition: Windows Servers BB.
Associated Building Blocks: BB:HostDefinition: Windows Servers

BB:FalsePositive: Windows Server False Positive Events [Group: False Positive; Block Type: Event]
Description: Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the BB:HostDefinition: Windows Servers BB.
Associated Building Blocks: BB:HostDefinition: Windows Servers


BB:Flowshape: Balanced [Group: Flowshape; Block Type: Flow]
Description: This BB detects flows that have a balanced flow bias.

BB:Flowshape: Inbound Only [Group: Flowshape; Block Type: Flow]
Description: This BB detects flows that have an inbound only flow bias.

BB:Flowshape: Local Balanced [Group: Flowshape; Block Type: Flow]
Description: This BB detects local flows that have a balanced flow bias.

BB:Flowshape: Local Unidirectional [Group: Flowshape; Block Type: Flow]
Description: This BB detects unidirectional flows within the local network.

BB:Flowshape: Mostly Inbound [Group: Flowshape; Block Type: Flow]
Description: This BB detects flows that have a mostly inbound flow bias.

BB:Flowshape: Mostly Outbound [Group: Flowshape; Block Type: Flow]
Description: This BB detects flows that have a mostly outbound flow bias.

BB:Flowshape: Outbound Only [Group: Flowshape; Block Type: Flow]
Description: This BB detects flows that have an outbound only flow bias.

BB:HostBased: Critical Events [Group: Compliance; Block Type: Event]
Description: Edit this BB to define event categories that indicate critical events.

BB:HostDefinition: Consultant Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any consultant assets, that is, any asset connected to your network that is supplied or owned by a consultant and is not considered to be your enterprise's asset.

BB:HostDefinition: Database Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical database servers.
Associated Building Blocks: BB:FalsePositive: Database Server False Positive Categories, BB:FalsePositive: Database Server False Positive Events

BB:HostDefinition: DHCP Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical DHCP servers.
Associated Building Blocks: BB:FalsePositive: DHCP Server False Positive Categories, BB:FalsePositive: DHCP Server False Positive Events

BB:HostDefinition: DMZ Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any DMZ assets.


BB:HostDefinition: DNS Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical DNS servers.
Associated Building Blocks: BB:FalsePositive: DNS Server False Positive Categories, BB:FalsePositive: DNS Server False Positive Events

BB:HostDefinition: FTP Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical FTP servers.
Associated Building Blocks: BB:FalsePositive: FTP Server False Positive Categories, BB:FalsePositive: FTP Server False Positive Events

BB:HostDefinition: Host with Port Open [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include a host and port that is actively or passively seen.

BB:HostDefinition: LDAP Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical LDAP servers.
Associated Building Blocks: BB:FalsePositive: LDAP Server False Positive Categories, BB:FalsePositive: LDAP Server False Positive Events

BB:HostDefinition: Local Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any local assets.

BB:HostDefinition: Mail Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical mail servers.
Associated Building Blocks: BB:FalsePositive: Mail Server False Positive Categories, BB:FalsePositive: Mail Server False Positive Events

BB:HostDefinition: MailServer Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any mail server assets.

BB:HostDefinition: Network Management Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical network management servers.

BB:HostDefinition: Protected Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any protected assets.

BB:HostDefinition: Proxy Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical proxy servers.
Associated Building Blocks: BB:FalsePositive: Proxy Server False Positive Categories, BB:FalsePositive: Proxy Server False Positive Events

BB:HostDefinition: Regulatory Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any regulatory assets.

BB:HostDefinition: Remote Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any remote assets.


BB:HostDefinition: RPC Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical RPC servers.
Associated Building Blocks: BB:FalsePositive: RPC Server False Positive Categories, BB:FalsePositive: RPC Server False Positive Events

BB:HostDefinition: Servers [Group: Host Definitions; Block Type: Event]
Description: Edit this BB to define generic servers.

BB:HostDefinition: SNMP Sender or Receiver [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define SNMP senders or receivers.
Associated Building Blocks: BB:PortDefinition: SNMP Ports

BB:HostDefinition: SSH Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical SSH servers.
Associated Building Blocks: BB:FalsePositive: SSH Server False Positive Categories, BB:FalsePositive: SSH Server False Positive Events

BB:HostDefinition: Syslog Servers and Senders [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical hosts that send or receive syslog traffic.
Associated Building Blocks: BB:FalsePositive: Syslog Server False Positive Categories, BB:FalsePositive: Syslog Server False Positive Events

BB:HostDefinition: VA Scanner Source IP [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2.

BB:HostDefinition: Virus Definition and Other Update Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include all servers that provide virus protection and update functions.

BB:HostDefinition: VoIP IP PBX Server [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical VoIP IP PBX servers.

BB:HostDefinition: VPN Assets [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to include any VPN assets.

BB:HostDefinition: Web Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical web servers.
Associated Building Blocks: BB:FalsePositive: Web Server False Positive Categories, BB:FalsePositive: Web Server False Positive Events

BB:HostDefinition: Windows Servers [Group: Host Definitions; Block Type: Common]
Description: Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers.
Associated Building Blocks: BB:FalsePositive: Windows Server False Positive Categories, BB:FalsePositive: Windows Server False Positive Events


BB:NetworkDefinition: Broadcast Address Space [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages.

BB:NetworkDefinition: Client Networks [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include all networks that include client hosts.

BB:NetworkDefinition: Darknet Addresses [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include networks that you want to add to a Darknet list.

BB:NetworkDefinition: DLP Addresses [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include networks that you want to add to a Data Loss Prevention (DLP) list.

BB:NetworkDefinition: DMZ Addresses [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include networks that you want to add to a Demilitarized Zone (DMZ) list.

BB:NetworkDefinition: Honeypot like Addresses [Group: Network Definition; Block Type: Common]
Description: Edit this BB by replacing other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy BB to these network objects to generate events based on attempted access.

BB:NetworkDefinition: Inbound Communication from Internet to Local Host [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include all traffic from the Internet to your local networks.

BB:NetworkDefinition: Multicast Address Space [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include networks that you want to add to a multicast address space list.


BB:NetworkDefinition: NAT Address Range [Group: Network Definition; Block Type: Common]
Description: Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment.

BB:NetworkDefinition: Server Networks [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include the networks where your servers are located.

BB:NetworkDefinition: Trusted Network Segment [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include event categories that are trusted local networks.

BB:NetworkDefinition: Undefined IP Space [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include areas of your network that do not contain any valid hosts.

BB:NetworkDefinition: Untrusted Local Networks [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include untrusted local networks.

BB:NetworkDefinition: Untrusted Network Segment [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include any untrusted networks.
Associated Building Blocks: BB:NetworkDefinition: Untrusted Local Network, BB:NetworkDefinition: Inbound Communication from Internet to Local Host

BB:NetworkDefinition: Watch List Addresses [Group: Network Definition; Block Type: Common]
Description: Edit this BB to include networks that should be added to a watch list.

BB:Policy Violation: Application Policy Violation: NNTP to Internet [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with NNTP traffic to the Internet.

BB:Policy Violation: Application Policy Violation: Unknown Local Service [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with potentially unknown local services.

BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with unencrypted protocols like telnet and FTP.

BB:Policy Violation: Connection to Social Networking Web Site [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with social networking web sites.


BB:Policy Violation: IRC IM Policy Violation: IM Communications [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with Instant Messaging communications.

BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with IRC connections to a remote host.

BB:Policy Violation: Large Outbound Transfer [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with significant transfer of data to outside the local network. This may indicate suspicious activity.

BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with a local host sending mail to remote hosts.

BB:Policy Violation: Mail Policy Violation: Remote Connection to Internal Mail Server [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with potential unauthorized internal mail servers.

BB:Policy Violation: P2P Policy Violation: Local P2P Client [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with local P2P clients. This BB detects flows coming from a local P2P client.

BB:Policy Violation: P2P Policy Violation: Local P2P Server [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with local P2P clients. This BB detects flows coming from a local P2P server.

BB:Policy Violation: Remote Access Policy Violation: Remote Access Shell [Group: Policy; Block Type: Flow]
Description: Edit this BB to include applications that are commonly associated with remote access. This BB detects a remote access attempt from a remote host.


BB:Policy: Application Policy Violation Events [Group: Policy; Block Type: Event]
Description: Edit this BB to define policy application and violation events.

BB:Policy: IRC/IM Connection Violations [Group: Policy; Block Type: Event]
Description: Edit this BB to define all policy IRC/IM connection violations.

BB:Policy: P2P [Group: Policy; Block Type: Event]
Description: Edit this BB to include all events that indicate P2P events.

BB:PortDefinition: Authorized L2R Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include ports that are commonly detected in Local-to-Remote (L2R) traffic.

BB:PortDefinition: Common Worm Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all ports that are generally not seen in L2R traffic.

BB:PortDefinition: Database Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common database ports.

BB:PortDefinition: DHCP Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common DHCP ports.

BB:PortDefinition: DNS Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common DNS ports.

BB:PortDefinition: FTP Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common FTP ports.

BB:PortDefinition: Game Server Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common game server ports.

BB:PortDefinition: IM Ports [Group: Compliance; Block Type: Common]
Description: Edit this BB to include all common IM ports.

BB:PortDefinition: IRC Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common IRC ports.

BB:PortDefinition: LDAP Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by LDAP servers.

BB:PortDefinition: Mail Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by mail servers.


BB:PortDefinition: P2P Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by P2P servers.

BB:PortDefinition: Proxy Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by proxy servers.

BB:PortDefinition: RPC Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by RPC servers.

BB:PortDefinition: SNMP Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by SNMP servers.

BB:PortDefinition: SSH Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by SSH servers.

BB:PortDefinition: Syslog Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by syslog servers.

BB:PortDefinition: Web Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by web servers.

BB:PortDefinition: Windows Ports [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common ports used by Windows servers.

BB:ProtocolDefinition: Windows Protocols [Group: Port\Protocol Definition; Block Type: Common]
Description: Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.

BB:Recon: Local: ICMP Scan (High) [Group: Recon; Block Type: Flow]
Description: Edit this BB to identify applications and protocols commonly associated with ICMP traffic. This BB detects when a host is scanning more than 100,000 hosts per minute using ICMP. This activity indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Associated Building Blocks: BB:Threats: Scanning: ICMP Scan High


BB:Recon: Local: ICMP Scan (Low)
  Group: Recon
  Block Type: Flow
  Description: Edit this BB to identify applications and protocols commonly associated with ICMP traffic. This BB detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. If this behavior continues for extended periods of time, it may indicate classic worm activity.
  Associated Building Blocks: BB:Threats: Scanning: ICMP Scan Low

BB:Recon: Local: ICMP Scan (Medium)
  Group: Recon
  Block Type: Flow
  Description: Edit this BB to identify applications and protocols commonly associated with ICMP traffic. This BB detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance at an extremely high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: ICMP Scan Medium

BB:Recon: Local: Scanning Activity (High)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host performing reconnaissance at an extremely high rate (more than 100,000 hosts per minute), which is typical of a worm infection or a scanning application.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows High

BB:Recon: Local: Scanning Activity (Low)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 500 hosts per minute. This indicates a host performing reconnaissance at a high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows Low


BB:Recon: Local: Scanning Activity (Medium)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 5,000 hosts per minute. This indicates a host performing reconnaissance at a high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows Medium

BB:Recon: Remote: ICMP Scan (High)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance at an extremely high rate, which is typical of a worm infection or a standard scanning application.
  Associated Building Blocks: BB:Threats: Scanning: ICMP Scan High

BB:Recon: Remote: ICMP Scan (Low)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. If this behavior continues for extended periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
  Associated Building Blocks: BB:Threats: Scanning: ICMP Scan Low

BB:Recon: Remote: ICMP Scan (Medium)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance at an extremely high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: ICMP Scan Medium


BB:Recon: Remote: Potential Network Scan
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host sending identical packets to a number of hosts that are not responding. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
  Associated Building Blocks: BB:Threats: Scanning: Potential Scan

BB:Recon: Remote: Scanning Activity (High)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host performing reconnaissance at an extremely high rate (more than 100,000 hosts per minute), which is typical of a worm infection or a scanning application.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows High

BB:Recon: Remote: Scanning Activity (Low)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 500 hosts per minute. This indicates a host performing reconnaissance at a high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows Low

BB:Recon: Remote: Scanning Activity (Medium)
  Group: Recon
  Block Type: Flow
  Description: This BB detects a host scanning more than 5,000 hosts per minute. This indicates a host performing reconnaissance at a high rate, which is typical of a worm infection or a host configured for network management purposes.
  Associated Building Blocks: BB:Threats: Scanning: Empty Responsive Flows Medium

BB:Recon Detected: All Recon Rules
  Group: Recon
  Block Type: Event
  Description: Edit this BB to define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that follow-on tests can be applied, for example, reconnaissance followed by a firewall accept.
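Every BB:Recon scan tier above reduces to one measurement: distinct destination hosts per source per minute, compared with the 500, 5,000 and 100,000 thresholds, with the Local or Remote variant chosen by where the source address sits. The following Python is an added example, not STRM code or a Juniper building block. It assumes a flow record carrying a reply packet count, a LOCAL_NETWORKS list standing in for the STRM network hierarchy, and constructed sweep data. icmp_only=True mirrors the ICMP Scan blocks; icmp_only=False mirrors the Scanning Activity blocks, which build on the Empty Responsive Flows blocks and count flows of any protocol that drew no reply.

```python
"""Scan-rate tiering modelled on the BB:Recon building blocks (added example, not STRM code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Distinct hosts per minute; the table says "more than", so the comparison is strict.
SCAN_TIERS = ((100_000, "High"), (5_000, "Medium"), (500, "Low"))
# Assumed stand-in for the STRM network hierarchy.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    proto: str     # "icmp", "tcp" or "udp"
    dst_pkts: int  # packets sent back by the destination; 0 means no response


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def tier_for(hosts_per_minute: int) -> Optional[str]:
    for threshold, tier in SCAN_TIERS:
        if hosts_per_minute > threshold:
            return tier
    return None


def scan_report(flows: Iterable[Flow], icmp_only: bool) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Map (source, minute) -> (Local|Remote, Low|Medium|High) for sources over a tier.

    icmp_only=True  counts every ICMP flow (ICMP Scan blocks).
    icmp_only=False counts flows of any protocol with no reply (Scanning Activity blocks).
    """
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if icmp_only and f.proto != "icmp":
            continue
        if not icmp_only and f.dst_pkts != 0:
            continue
        targets[(f.src, f.ts // 60)].add(f.dst)   # one bucket per calendar minute
    report = {}
    for key, dsts in targets.items():
        tier = tier_for(len(dsts))
        if tier:
            report[key] = ("Local" if is_local(key[0]) else "Remote", tier)
    return report


def make_sweep(src: str, n_hosts: int, proto: str, ts: int, dst_pkts: int = 0) -> List[Flow]:
    """Constructed data: one flow from src to each of n_hosts distinct addresses in 172.16.0.0/12."""
    return [Flow(ts, src, f"172.{16 + i // 65536}.{(i // 256) % 256}.{i % 256}", proto, dst_pkts)
            for i in range(n_hosts)]


if __name__ == "__main__":
    flows = make_sweep("10.1.1.5", 501, "icmp", 0) + make_sweep("203.0.113.9", 5_001, "icmp", 60)
    print(scan_report(flows, icmp_only=True))
```

A 501-host ICMP sweep from 10.1.1.5 comes back as ("Local", "Low"); the same sweep from 203.0.113.9 is ("Remote", "Low"), and pushing the per-minute count past 5,000 or 100,000 moves the tier up. The bucket is a fixed calendar minute, so a sweep that straddles a boundary can split below threshold; that is one reason the Low tier's "continues for extended periods of time" wording matters when you tune it.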


BB:Recon Detected: Devices That Merge Recon into Single Events
  Group: Recon
  Block Type: Event
  Description: Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.

BB:Recon Detected: Host Port Scan
  Group: Recon
  Block Type: Event
  Description: Edit this BB to define reconnaissance scans on hosts in your deployment.

BB:Recon Detected: Port Scan Detected Across Multiple Hosts
  Group: Recon
  Block Type: Event
  Description: Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when a source IP address is performing reconnaissance against more than five hosts within 10 minutes. If the source is internal, this may indicate an exploited machine or a worm scanning for destination IP addresses.

BB:Suspicious: Local: Anomalous ICMP Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive number of ICMP flows from one source IP address where the ICMP types and codes are considered abnormal when seen entering or leaving the network.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code

BB:Suspicious: Local: Inbound Unidirectional Flows Threshold
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive rate (more than 1,000) of unidirectional flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows


BB:Suspicious: Local: Invalid TCP Flag Usage
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that appear to have improper TCP flag combinations. This may indicate various behaviors, such as OS detection, DoS attacks, or forms of reconnaissance.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination

BB:Suspicious: Local: Outbound Unidirectional Flows Threshold
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive rate of outbound unidirectional flows (remote host not responding) within 5 minutes.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

BB:Suspicious: Local: Port 0 Flows Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows with port 0 as the destination or source port. This may be considered suspicious.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0

BB:Suspicious: Local: Suspicious Rejected Communication Attempts
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that indicate a host is attempting to establish connections to other hosts and is being refused by those hosts.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows

BB:Suspicious: Local: Suspicious IRC Traffic
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects suspicious IRC traffic.
  Associated Building Blocks: BB:Threats: Suspicious Activity: Suspicious IRC Ports; BB:Threats: Suspicious Activity: Suspicious IRC Traffic

BB:Suspicious: Local: Unidirectional ICMP Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

BB:Suspicious: Local: Unidirectional ICMP Responses Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replies


BB:Suspicious: Local: Suspicious Unidirectional TCP Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. Such flows may be normal for some systems; however, client workstations and other devices should not be seen emitting large quantities of them, so this activity should be considered suspicious.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows

BB:Suspicious: Local: Unidirectional UDP or Misc Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows

BB:Suspicious: Remote: Anomalous ICMP Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive number of ICMP flows from one source IP address where the ICMP types and codes are considered abnormal when seen entering or leaving the network.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code

BB:Suspicious: Remote: Inbound Unidirectional Flows Threshold
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive rate (more than 1,000) of unidirectional flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

BB:Suspicious: Remote: Invalid TCP Flag Usage
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that appear to have improper TCP flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or reconnaissance.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination


BB:Suspicious: Remote: Outbound Unidirectional Flows Threshold
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive rate of outbound unidirectional flows (remote host not responding) within 5 minutes.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows; BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

BB:Suspicious: Remote: Port 0 Flows Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows with port 0 as the destination or source port. This may be considered suspicious.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0

BB:Suspicious: Remote: Rejected Communications Attempts
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that indicate a host is attempting to establish connections to other hosts and is being refused by those hosts.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows

BB:Suspicious: Remote: Suspicious IRC Traffic
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects suspicious IRC traffic.
  Associated Building Blocks: BB:Threats: Suspicious Activity: Suspicious IRC Ports; BB:Threats: Suspicious Activity: Suspicious IRC Traffic

BB:Suspicious: Remote: Unidirectional ICMP Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

BB:Suspicious: Remote: Unidirectional ICMP Responses Detected
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replies


BB:Suspicious: Remote: Suspicious Unidirectional TCP Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. Such flows may be normal for some systems; however, client workstations and other devices should not be seen emitting large quantities of them, so this activity should be considered suspicious.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows

BB:Suspicious: Remote: Unidirectional UDP or Misc Flows
  Group: Suspicious
  Block Type: Flow
  Description: This BB detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
  Associated Building Blocks: BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows

BB:Threats: DoS: Inbound Flood with No Response High
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 6,000,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Inbound Flood with No Response Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 30,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Inbound Flood with No Response Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 300,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Multi-Host Attack High
  Group: Threats
  Block Type: Flow
  Description: This BB detects a high number of hosts potentially performing a denial of service attack.

BB:Threats: DoS: Multi-Host Attack Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects a lower number of hosts potentially performing a denial of service attack.

BB:Threats: DoS: Multi-Host Attack Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects a medium number of hosts potentially performing a denial of service attack.
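Two families of thresholds above share one raw signal, flows whose destination never answered. The Inbound/Outbound Unidirectional Flows Threshold blocks count more than 1,000 such flows from one source within the last 5 minutes; the DoS: Inbound/Outbound Flood with No Response blocks sum the source packet count toward unresponsive hosts and tier it at 30,000, 300,000 and 6,000,000. The following Python is an added example, not STRM code. The flow record, the LOCAL_NETWORKS list used to decide inbound versus outbound (STRM uses its network hierarchy), and the sample data are constructed; the 5-minute window is implemented as a sliding window over flow start times rather than a fixed bucket.

```python
"""Unidirectional-flow rate and no-response flood thresholds (added example, not STRM code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

WINDOW_SECONDS = 300                # "within the last 5 minutes"
UNIDIRECTIONAL_FLOW_LIMIT = 1_000   # "more than 1,000"
FLOOD_TIERS = ((6_000_000, "High"), (300_000, "Medium"), (30_000, "Low"))
LOCAL_NETWORKS = [ip_network("10.0.0.0/8")]   # assumed stand-in for the network hierarchy


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    proto: str
    src_pkts: int  # packets source -> destination
    dst_pkts: int  # packets destination -> source; 0 means the destination never answered


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def direction(f: Flow) -> Optional[str]:
    """Inbound = remote source to local destination; Outbound = local source to remote.
    Local-to-local and remote-to-remote flows are outside these building blocks."""
    s, d = is_local(f.src), is_local(f.dst)
    if d and not s:
        return "Inbound"
    if s and not d:
        return "Outbound"
    return None


def unidirectional_threshold(flows: Iterable[Flow]) -> Dict[Tuple[str, str], int]:
    """Sources exceeding UNIDIRECTIONAL_FLOW_LIMIT unanswered flows in any 5-minute window.
    Returns {(direction, source): peak count in a window}."""
    starts: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for f in flows:
        d = direction(f)
        if f.dst_pkts == 0 and d:
            starts[(d, f.src)].append(f.ts)
    hits = {}
    for key, times in starts.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):          # window is (t - 300, t]
            while times[j] <= t - WINDOW_SECONDS:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > UNIDIRECTIONAL_FLOW_LIMIT:
            hits[key] = peak
    return hits


def flood_report(flows: Iterable[Flow]) -> Dict[Tuple[str, str], str]:
    """Per-source packet totals toward hosts that never responded, tiered Low/Medium/High."""
    pkts: Counter = Counter()
    for f in flows:
        d = direction(f)
        if f.dst_pkts == 0 and d:
            pkts[(d, f.src)] += f.src_pkts
    report = {}
    for key, total in pkts.items():
        for threshold, tier in FLOOD_TIERS:
            if total > threshold:
                report[key] = tier
                break
    return report


def sample_flows() -> List[Flow]:
    """Constructed data: a slow and a fast unanswered sweep, two floods, one answered
    bulk transfer and one local-to-local flow, the last two of which must not count."""
    slow = [Flow(i, "10.0.0.7", f"198.51.100.{i % 250 + 1}", "udp", 1, 0) for i in range(1001)]
    fast = [Flow(5000 + i // 10, "10.0.0.8", f"198.51.100.{i % 250 + 1}", "udp", 1, 0)
            for i in range(1001)]
    return slow + fast + [
        Flow(9000, "203.0.113.5", "10.0.0.10", "tcp", 40_000, 0),
        Flow(9001, "203.0.113.6", "10.0.0.10", "tcp", 350_000, 0),
        Flow(9002, "203.0.113.7", "10.0.0.10", "tcp", 7_000_000, 120),
        Flow(9003, "10.0.0.9", "10.0.0.10", "tcp", 7_000_000, 0),
    ]


if __name__ == "__main__":
    print(unidirectional_threshold(sample_flows()))
    print(flood_report(sample_flows()))
```

In the sample data the host that sends 1,001 unanswered flows at one per second never has more than 300 in any 5-minute window and is not reported, while the host that sends the same 1,001 flows in 100 seconds is. The 7,000,000-packet transfer that did get replies is not a flood, and the local-to-local flow is ignored because neither Inbound nor Outbound applies to it.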


BB:Threats: DoS: Outbound Flood with No Response High
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 6,000,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Outbound Flood with No Response Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 30,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Outbound Flood with No Response Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects a denial of service condition where the source packet count is greater than 300,000 and there is no response from the hosts being targeted.

BB:Threats: DoS: Potential ICMP DoS
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential ICMP DoS attacks.

BB:Threats: DoS: Potential Multihost Attack
  Group: Threats
  Block Type: Flow
  Description: This BB detects multiple hosts potentially performing a denial of service attack.

BB:Threats: DoS: Potential TCP DoS
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential TCP DoS attacks.

BB:Threats: DoS: Potential UDP DoS
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential UDP DoS attacks.

BB:Threats: Port Scans: Host Scans
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential reconnaissance by flows.

BB:Threats: Port Scans: UDP Port Scan
  Group: Threats
  Block Type: Flow
  Description: This BB detects UDP-based port scans.

BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
  Group: Threats
  Block Type: Flow
  Description: This BB detects flows where a remote desktop application is being accessed from a remote host.

BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
  Group: Threats
  Block Type: Flow
  Description: This BB detects flows where a VNC service is being accessed from a remote host.

BB:Threats: Scanning: Empty Responsive Flows High
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential reconnaissance activity where the source packet count is greater than 100,000.


BB:Threats: Scanning: Empty Responsive Flows Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential reconnaissance activity where the source packet count is greater than 500.

BB:Threats: Scanning: Empty Responsive Flows Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential reconnaissance activity where the source packet count is greater than 5,000.

BB:Threats: Scanning: ICMP Scan High
  Group: Threats
  Block Type: Flow
  Description: This BB detects a high level of ICMP reconnaissance activity.

BB:Threats: Scanning: ICMP Scan Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects a low level of ICMP reconnaissance activity.

BB:Threats: Scanning: ICMP Scan Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects a medium level of ICMP reconnaissance activity.

BB:Threats: Scanning: Potential Scan
  Group: Threats
  Block Type: Flow
  Description: This BB detects potential reconnaissance activity.

BB:Threats: Scanning: Scan High
  Group: Threats
  Block Type: Flow
  Description: This BB detects a high level of potential reconnaissance activity.

BB:Threats: Scanning: Scan Low
  Group: Threats
  Block Type: Flow
  Description: This BB detects a low level of potential reconnaissance activity.

BB:Threats: Scanning: Scan Medium
  Group: Threats
  Block Type: Flow
  Description: This BB detects a medium level of potential reconnaissance activity.

BB:Threats: Suspicious Activity: Suspicious IRC Traffic
  Group: Threats
  Block Type: Flow
  Description: This BB detects suspicious IRC traffic.

BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination
  Group: Threats
  Block Type: Flow
  Description: This BB detects flows that have an illegal TCP flag combination.

BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
  Group: Threats
  Block Type: Flow
  Description: This BB detects abnormally large DNS traffic.

BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
  Group: Threats
  Block Type: Flow
  Description: This BB detects flows with abnormally large ICMP packets.

BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow
  Group: Threats
  Block Type: Flow
  Description: This BB detects flows that have been active for more than 48 hours.


BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code
  Group: Threats
  Block Type: Flow
  Description: This BB detects ICMP flows with suspicious ICMP type codes.

BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0
  Group: Threats
  Block Type: Flow
  Description: This BB detects suspicious flows using port 0.

BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows
  Group: Threats
  Block Type: Flow
  Description: This BB detects unidirectional ICMP flows.

BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replies
  Group: Threats
  Block Type: Flow
  Description: This BB detects traffic where ICMP replies are seen with no request.

BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows
  Group: Threats
  Block Type: Flow
  Description: This BB detects bidirectional traffic that carries no payload.

BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows
  Group: Threats
  Block Type: Flow
  Description: This BB detects unidirectional TCP flows.

BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows
  Group: Threats
  Block Type: Flow
  Description: This BB detects unidirectional UDP and other miscellaneous flows.

User-BB:FalsePositive: User Defined False Positives Tunings
  Group: User Tuning
  Block Type: Common
  Description: This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.

User-BB:FalsePositive: Server Type 1 - User Defined False Positive Categories
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any event categories you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 1 - User Defined

User-BB:FalsePositive: Server Type 1 - User Defined False Positive Events
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any events you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 1 - User Defined


User-BB:FalsePositive: User Defined Server Type 2 False Positive Categories
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any event categories you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 2 - User Defined

User-BB:FalsePositive: User Defined Server Type 2 False Positive Events
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any events you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 2 - User Defined

User-BB:FalsePositive: User Defined Server Type 3 False Positive Categories
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any event categories you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 3 - User Defined

User-BB:FalsePositive: User Defined Server Type 3 False Positive Events
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include any events you want to consider false positives for hosts defined in the associated BB.
  Associated Building Blocks: User-BB:HostDefinition: Server Type 3 - User Defined

User-BB:HostDefinition: Server Type 1 - User Defined
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or event categories you want to consider false positives for these servers to the associated BBs.
  Associated Building Blocks: User-BB:FalsePositive: Server Type 1 - User Defined False Positive Categories; User-BB:FalsePositive: Server Type 1 - User Defined False Positive Events

User-BB:HostDefinition: Server Type 2 - User Defined
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or event categories you want to consider false positives for these servers to the associated BBs.
  Associated Building Blocks: User-BB:FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB:FalsePositive: User Defined Server Type 2 False Positive Events

User-BB:HostDefinition: Server Type 3 - User Defined
  Group: User Tuning
  Block Type: Event
  Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or event categories you want to consider false positives for these servers to the associated BBs.
  Associated Building Blocks: User-BB:FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB:FalsePositive: User Defined Server Type 3 False Positive Events


RULE TESTS

This section provides information on the tests you can apply to the rules, including:

Event Rule Tests
Flow Rule Tests
Common Rule Tests
Offense Rule Tests
Anomaly Detection Rule Tests

Event Rule Tests

This section provides information on the event rule tests you can apply to the rules, including:

Host Profile Tests
IP/Port Tests
Event Property Tests
Common Property Tests
Log Source Tests
Function - Sequence Tests
Function - Counter Tests
Function - Simple Tests
Date/Time Tests
Network Property Tests
Function - Negative Tests


Host Profile Tests

The host profile tests include:

Table C-1 Event Rule: Host Profile Tests

Test: Host Profile Port
  Description: Valid when the port is open on the configured local source or destination host. You can also specify how the port status must have been detected:
    Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
    Passive - STRM passively monitors the network, recording hosts previously detected.
  Default Test Name: when the local source host destination port is open either actively or passively seen
  Parameters:
    source | destination - Specify whether this test applies to the source or destination port. The default is source.
    actively seen | passively seen | either actively or passively seen - Specify whether this test considers active scanning, passive scanning, or both. The default is either actively or passively seen.

Test: Host Existence
  Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify how the host must have been detected:
    Active - STRM actively searches for the configured host through scanning or vulnerability assessment.
    Passive - STRM passively monitors the network, recording hosts previously detected.
  Default Test Name: when the local source host exists either actively or passively seen
  Parameters:
    source | destination - Specify whether this test applies to the source or destination host. The default is source.
    actively seen | passively seen | either actively or passively seen - Specify whether this test considers active scanning, passive scanning, or both. The default is either actively or passively seen.

Test: Host Profile Age
  Description: Valid when the local source or destination host profile age is greater than (or less than) the configured number of time intervals.
  Default Test Name: when the local source host profile age is greater than this number of time intervals
  Parameters:
    source | destination - Specify whether this test applies to the source or destination host. The default is source.
    greater than | less than - Specify whether this test considers profile ages greater than or less than the configured value.
    this number of - Specify the number of time intervals this test considers.
    time intervals - Specify whether the intervals are minutes or hours.


Test: Host Port Age
  Description: Valid when the local source or destination port profile age is greater than or less than a configured amount of time.
  Default Test Name: when the local source host profile port age is greater than this number of time intervals
  Parameters:
    source | destination - Specify whether this test applies to the source or destination port. The default is source.
    greater than | less than - Specify whether this test considers port profile ages greater than or less than the configured value. The default is greater than.
    this number of - Specify the number of time intervals this test considers.
    time intervals - Specify whether the intervals are minutes or hours.

Test: Asset Weight
  Description: Valid when the specified asset has an assigned weight greater than, less than, or equal to the configured value.
  Default Test Name: when the destination asset has a weight greater than this weight
  Parameters:
    source | destination - Specify whether this test considers the source or destination asset. The default is destination.
    greater than | less than | equal to - Specify whether the asset weight must be greater than, less than, or equal to the configured value.
    this weight - Specify the weight this test considers.

Test: Host Vulnerable to Event
  Description: Valid when the specified host port is vulnerable to the current event.
  Default Test Name: when the destination is vulnerable to current exploit on any port
  Parameters:
    destination | source | local host | remote host - Specify whether this test considers the destination, source, local host, or remote host. The default is destination.
    current | any - Specify whether this test considers the current exploit or any exploit. The default is current.
    any | current - Specify whether this test considers any port or the current port. The default is any.

Test: OSVDB IDs
  Description: Valid when an IP address (source, destination, or any) is vulnerable to one of the configured Open Source Vulnerability Database (OSVDB) IDs.
  Default Test Name: when the source IP is vulnerable to one of the following OSVDB IDs
  Parameters:
    source IP | destination IP | any IP - Specify whether this test considers the source IP address, destination IP address, or any IP address. The default is source IP.
    OSVDB IDs - Specify the OSVDB IDs this test considers. For more information about OSVDB IDs, see http://osvdb.org/.


IP/Port Tests

The IP/Port tests include:

Table C-2 Event Rule: IP / Port Test Group

Test: Source Port
  Description: Valid when the source port of the event is one of the configured source ports.
  Default Test Name: when the source port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Test: Destination Port
  Description: Valid when the destination port of the event is one of the configured destination ports.
  Default Test Name: when the destination port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Test: Local Port
  Description: Valid when the local port of the event is one of the configured local ports.
  Default Test Name: when the local port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Test: Remote Port
  Description: Valid when the remote port of the event is one of the configured remote ports.
  Default Test Name: when the remote port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Test: Source IP Address
  Description: Valid when the source IP address of the event is one of the configured IP addresses.
  Default Test Name: when the source IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP addresses you want this test to consider.

Test: Destination IP Address
  Description: Valid when the destination IP address of the event is one of the configured IP addresses.
  Default Test Name: when the destination IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP addresses you want this test to consider.

Test: Local IP Address
  Description: Valid when the local IP address of the event is one of the configured IP addresses.
  Default Test Name: when the local IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP addresses you want this test to consider.

Test: Remote IP Address
  Description: Valid when the remote IP address of the event is one of the configured IP addresses.
  Default Test Name: when the remote IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP addresses you want this test to consider.

Test: IP Address
  Description: Valid when the source or destination IP address of the event is one of the configured IP addresses.
  Default Test Name: when either the source or destination IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP addresses you want this test to consider.

Test: Source or Destination Port
  Description: Valid when either the source or destination port of the event is one of the configured ports.
  Default Test Name: when the source or destination port is any of these ports
  Parameters: these ports - Specify the ports you want this test to consider.
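The ten tests in Table C-2 are set-membership checks on one of four event fields, with the Local and Remote variants resolved against the network hierarchy rather than read from the event itself. The following Python is an added example, not STRM code. Each test is a predicate over a normalized event, IP parameters accept single addresses or CIDR blocks, and rule() ANDs its tests, which is an assumption made for illustration about how the tests combine. LOCAL_NETWORKS stands in for the STRM network hierarchy; the page does not say how a local-to-local or remote-to-remote event behaves under a local/remote test, so these predicates return False for it, again as an assumption.

```python
"""IP/Port event rule tests (Table C-2) as predicates over a normalized event.
Added example, not STRM code; see the lead-in for what is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Optional, Tuple

LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed


@dataclass(frozen=True)
class Event:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Test = Callable[[Event], bool]
Endpoint = Tuple[str, int]   # (ip, port)


def _nets(addrs: Iterable[str]) -> List:
    """IP parameters may be single addresses or CIDR blocks."""
    return [ip_network(a, strict=False) for a in addrs]


def _in(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def is_local(ip: str) -> bool:
    return _in(ip, LOCAL_NETWORKS)


def local_and_remote(ev: Event) -> Optional[Tuple[Endpoint, Endpoint]]:
    """((local_ip, local_port), (remote_ip, remote_port)), or None when both ends
    are on the same side (assumption: no local/remote split exists for such events)."""
    s, d = is_local(ev.src_ip), is_local(ev.dst_ip)
    if s and not d:
        return (ev.src_ip, ev.src_port), (ev.dst_ip, ev.dst_port)
    if d and not s:
        return (ev.dst_ip, ev.dst_port), (ev.src_ip, ev.src_port)
    return None


# "when the source port is one of the following ports", and the destination/either forms
def source_port(ports: Iterable[int]) -> Test:
    ports = frozenset(ports)
    return lambda ev: ev.src_port in ports


def destination_port(ports: Iterable[int]) -> Test:
    ports = frozenset(ports)
    return lambda ev: ev.dst_port in ports


def source_or_destination_port(ports: Iterable[int]) -> Test:
    ports = frozenset(ports)
    return lambda ev: ev.src_port in ports or ev.dst_port in ports


# "when the local/remote port is one of the following ports": side is resolved first
def local_port(ports: Iterable[int]) -> Test:
    ports = frozenset(ports)
    def test(ev: Event) -> bool:
        lr = local_and_remote(ev)
        return lr is not None and lr[0][1] in ports
    return test


def remote_port(ports: Iterable[int]) -> Test:
    ports = frozenset(ports)
    def test(ev: Event) -> bool:
        lr = local_and_remote(ev)
        return lr is not None and lr[1][1] in ports
    return test


# IP address tests
def source_ip(addrs: Iterable[str]) -> Test:
    nets = _nets(addrs)
    return lambda ev: _in(ev.src_ip, nets)


def destination_ip(addrs: Iterable[str]) -> Test:
    nets = _nets(addrs)
    return lambda ev: _in(ev.dst_ip, nets)


def either_ip(addrs: Iterable[str]) -> Test:
    """'when either the source or destination IP is one of the following IP addresses'"""
    nets = _nets(addrs)
    return lambda ev: _in(ev.src_ip, nets) or _in(ev.dst_ip, nets)


def local_ip(addrs: Iterable[str]) -> Test:
    nets = _nets(addrs)
    def test(ev: Event) -> bool:
        lr = local_and_remote(ev)
        return lr is not None and _in(lr[0][0], nets)
    return test


def remote_ip(addrs: Iterable[str]) -> Test:
    nets = _nets(addrs)
    def test(ev: Event) -> bool:
        lr = local_and_remote(ev)
        return lr is not None and _in(lr[1][0], nets)
    return test


def rule(*tests: Test) -> Test:
    """A rule matches when every one of its tests matches (assumed AND semantics)."""
    return lambda ev: all(t(ev) for t in tests)
```

A rule built as rule(local_port([3389]), remote_ip(["203.0.113.0/24"])) fires on a constructed event from 203.0.113.10 to 10.0.0.5:3389 but not on an outbound SSH session from 192.168.1.20 to 203.0.113.10:22, because there the local port is the ephemeral one and 22 is the remote port. That is the practical difference between the Source/Destination and Local/Remote tests: the former follow the packet header, the latter follow your network hierarchy.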


Event Property Tests

The event property test group includes:

Table C-3 Event Rule: Event Property Tests

Test: Local Network Object
  Description: Valid when the event occurs in the specified network.
  Default Test Name: when the destination network is one of the following networks
  Parameters:
    source | destination - Specify whether this test considers the source or destination IP address of the event.
    one of the following networks - Specify the areas of the network this test applies to.

Test: IP Protocol
  Description: Valid when the IP protocol of the event is one of the configured protocols.
  Default Test Name: when the IP protocol is one of the following protocols
  Parameters: protocols - Specify the protocols you want to add to this test.

Test: Event Payload Search
  Description: Each event contains a copy of the original, unnormalized event. This test is valid when the entered search string appears anywhere in the event payload.
  Default Test Name: when the Event Payload contains this string
  Parameters: this string - Specify the text string you want this test to match.

Test: QID of Event
  Description: A QID is a unique identifier for events. This test is valid when the event identifier is one of the configured QIDs.
  Default Test Name: when the event QID is one of the following QIDs
  Parameters: QIDs - Use one of the following options to locate QIDs:
    Select the Browse By Category option and, from the drop-down list boxes, select the high-level and low-level category of the QIDs you want to locate.
    Select the QID Search option, enter the QID or name you want to locate, and click Search.

Test: Event Context
  Description: Event context is the relationship between the source IP address and destination IP address of the event, for example, a local source IP address to a remote destination IP address. Valid when the event context is one of the following:
    Local to Local
    Local to Remote
    Remote to Local
    Remote to Remote
  Default Test Name: when the event context is this context
  Parameters: this context - Specify the context you want this test to consider. The options are Local to Local, Local to Remote, Remote to Local, and Remote to Remote.

STRM Administration Guide

RULE TESTS

Table C-3 Event Rule: Event Property Tests (continued)

Test Event Category

Description Valid when the event category is the same as the configured category, for example, Denial of Service (DoS) attack.

Default Test Name when the event category for the event is one of the following categories

Parameters categories - Specify the event category you want this test to consider. For more information on event categories, see Appendix E - Event Categories.

Severity

Valid when the event when the event severity is Configure the following parameters: severity is greater than, less greater than 5 {default} greater than | less than | equal to than, or equal to the Specify whether the severity is greater configured value. than, less than, or equal to the
configured value. 5 - Specify the index, which is a value from 0 to 10. The default is 5.

Credibility

Valid when the event credibility is greater than, less than, or equal to the configured value.

when the event credibility is greater than 5 {default}

Configure the following parameters:


greater than | less than | equal to Specify whether the credibility is greater than, less than, or equal to the configured value. 5 - Specify the index, which is a value from 0 to 10. The default is 5.

Relevance

Valid when the event relevance is greater than, less than, or equal to the configured value.

when the event relevance Configure the following parameters: is greater than 5 greater than | less than | equal to {default} Specify whether the relevance is
greater than, less than, or equal to the configured value. 5 - Specify the index, which is a value from 0 to 10. The default is 5.

Source Location Destination Location Rate Analysis

Valid when the source IP address of the event is either local or remote. Valid when the destination IP address of the event is either local or remote.

when the source is local or remote {default: remote}

local | remote - Specify either local or remote traffic.

when the destination is local | remote - Specify either local or local or remote {default: remote traffic. remote}

STRM monitors event rates when the event has been of all source IP marked with rate analysis addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Valid when the event has been marked for rate analysis.

STRM Administration Guide

Event Rule Tests

Table C-3 Event Rule: Event Property Tests (continued)

Test False Positive Tuning

Description

Default Test Name

Parameters signatures - Specify the false positive signature you want this test to consider. Enter the signature in the following format: <CAT|QID|ANY>:<value>:<source IP>:<dest IP> Where: <CAT|QID|ANY> - Specify whether you want this false positive signature to consider a category (CAT), Juniper Networks Identifier (QID), or any value. <value> - Specify the value for the <CAT|QID|ANY> parameter. For example, if you specified QID, you must specify the QID value. <source IP> - Specify the source IP address you want this false positive signature to consider. <dest IP> - Specify the destination IP address you want this false positive signature to consider.

When you tune false when the false positive positive events in the Log signature matches one of Activity interface, the the following signatures resulting tuning values appear in this test. If you want to remove a false positive tuning, you can edit this test to remove the necessary tuning values.

Regex

Valid when the configured MAC address, username, hostname, or operating system is associated with a particular regular expressions (regex) string. Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.

when the username matches the following regex

Configure the following parameters:


MAC | source MAC | destination MAC | username | source username | destination username | event username | hostname | source hostname | dest hostname | OS | source OS | dest OS | event payload - Specify the value you want to associate with this test. The default is username. regex - Specify the regex string you want this test to consider.

IPv6

Valid when the source or destination IPv6 address is the configured IP address.

when the source IP(v6) is Configure the following parameters: one of the following IPv6 source IP(v6) | destination IP(v6) addresses Specify whether you want this test to
consider the source or destination IPv6 address. IP(v6) addresses - Specify the IPv6 addresses you want this test to consider.

STRM Administration Guide

RULE TESTS

Table C-3 Event Rule: Event Property Tests (continued)

Test

Description

Default Test Name

Parameters

Reference Set Valid when any or all configured event properties are contained in any or all configured reference sets.

when any of these event Configure the following parameters: properties are contained any | all - Specify if you want this test to in any of these reference consider any or all of the configured set(s) event properties.
these event properties - Specify the event properties you want this test to consider. any | all - Specify if you want this test to consider any or all of the configured reference sets. these reference set(s) - Specify the reference set(s) you want this test to consider.

Search Filter

Valid when the event matches the specified search filter.

when the event matches this search filter

this search filter - Specify the search filter you want this test to consider.
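The False Positive Tuning test in Table C-3 is driven by signatures in the form <CAT|QID|ANY>:<value>:<source IP>:<dest IP>. Because these strings are normally written by the Log Activity tuning dialog but can also be edited by hand, it is worth seeing how strict a parser for them has to be. The Python below is an added example, not STRM's code: it parses and validates signatures in that format and evaluates the test against constructed events. Two points are assumptions rather than page facts: that ANY in an IP field is a wildcard and that a CIDR prefix is accepted there. One point is a plain consequence of the format: with ':' as the field separator, the IP fields can only hold IPv4 literals, so the parser rejects anything that does not split into exactly four fields.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """Constructed event shape: the fields a false positive signature can match on."""
    qid: int
    category: str  # event category name, e.g. "Firewall Deny"
    src_ip: str
    dst_ip: str


def _ip_field_matches(pattern: str, ip: str) -> bool:
    """Match one <source IP> / <dest IP> field.

    Assumption: 'ANY' is a wildcard; otherwise the field is a single IPv4
    address or a CIDR prefix. The page does not define a wildcard syntax."""
    if pattern.upper() == "ANY":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


@dataclass(frozen=True)
class FalsePositiveSignature:
    kind: str    # "CAT", "QID" or "ANY"
    value: str   # category name or QID; ignored when kind is "ANY"
    src: str
    dst: str

    @classmethod
    def parse(cls, text: str) -> "FalsePositiveSignature":
        """Parse '<CAT|QID|ANY>:<value>:<source IP>:<dest IP>'.

        ':' is the separator, so only IPv4 addresses fit in the IP fields; an
        IPv6 literal produces more than four fields and is rejected."""
        parts = text.split(":")
        if len(parts) != 4:
            raise ValueError(f"expected 4 ':'-separated fields, got {text!r}")
        kind, value, src, dst = (p.strip() for p in parts)
        kind = kind.upper()
        if kind not in ("CAT", "QID", "ANY"):
            raise ValueError(f"unknown signature type {kind!r} in {text!r}")
        if kind == "QID" and not value.isdigit():
            raise ValueError(f"QID signature needs a numeric value: {text!r}")
        for field in (src, dst):  # fail at parse time, not when an event arrives
            if field.upper() != "ANY":
                ipaddress.ip_network(field, strict=False)
        return cls(kind, value, src, dst)

    def matches(self, ev: Event) -> bool:
        if self.kind == "QID" and ev.qid != int(self.value):
            return False
        if self.kind == "CAT" and ev.category != self.value:
            return False
        return _ip_field_matches(self.src, ev.src_ip) and _ip_field_matches(self.dst, ev.dst_ip)


def is_valid_signature(text: str) -> bool:
    """True when the string parses; useful for checking hand-edited tuning values."""
    try:
        FalsePositiveSignature.parse(text)
        return True
    except ValueError:
        return False


def false_positive_matches(signatures: Iterable[str], ev: Event) -> bool:
    """The False Positive Tuning test: valid when any configured signature matches."""
    return any(FalsePositiveSignature.parse(s).matches(ev) for s in signatures)


# Constructed signatures for the demonstration (not from a real deployment).
SIGNATURES = [
    "QID:5000001:10.0.0.5:ANY",             # one QID from one host, any destination
    "CAT:Firewall Deny:ANY:192.168.1.10",   # any source denied to one internal host
    "ANY:any:203.0.113.0/24:ANY",           # everything from a partner range (CIDR is an assumption)
]

if __name__ == "__main__":
    ev = Event(5000001, "Firewall Deny", "10.0.0.5", "172.16.0.9")
    print(false_positive_matches(SIGNATURES, ev))  # True
```

The third signature is the one to be careful with: an ANY:…:ANY:ANY entry suppresses every event from the given range, so anything that broad belongs in a deliberately scoped rule rather than in a tuning list that grew by clicking through the Log Activity interface.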

Common Property Tests

The common property test group includes:

Table C-4 Event Rule: Common Property Tests

CVSS Risk (Host)
  Description: Valid when the specified host has a CVSS risk value that matches the configured value.
  Default Test Name: when the destination host has a CVSS risk value of greater than this amount
  Parameters: Configure the following parameters:
    source | destination | either - Specify whether the test considers the source host, the destination host, or either host of the event.
    greater than | less than | equal to - Specify whether the CVSS risk value must be greater than, less than, or equal to the configured value.
    0 - Specify the value you want this test to consider. The default is 0.

CVSS Risk (Port)
  Description: Valid when the specified port has a CVSS risk value that matches the configured value.
  Default Test Name: when the destination port has a CVSS risk value of greater than this amount
  Parameters: Configure the following parameters:
    source | destination | either - Specify whether the test considers the source port, the destination port, or either port of the event.
    greater than | less than | equal to - Specify whether the CVSS risk value must be greater than, less than, or equal to the configured value.
    0 - Specify the value you want this test to consider. The default is 0.

Custom Rule Engines
  Description: Valid when the event is processed by one of the specified Custom Rule Engines.
  Default Test Name: when the event is processed by one of these Custom Rule Engines
  Parameters: these - Specify the Custom Rule Engines you want this test to consider.

Regex
  Description: Valid when the configured property matches the configured regular expression (regex). Note: This test assumes knowledge of regular expressions. When you define custom regex patterns, adhere to the regex rules of the Java programming language. For more information, refer to regex tutorials available on the web.
  Default Test Name: when any of these properties match the following regex
  Parameters: Configure the following parameters:
    these properties - Specify the properties you want this test to consider. Options include all normalized and custom flow and event properties.
    regex - Specify the regex string you want this test to consider.

Hexadecimal
  Description: Valid when the configured property contains one of the configured hexadecimal values.
  Default Test Name: when any of these properties contain any of these hexadecimal values
  Parameters: Configure the following parameters:
    these properties - Specify the properties you want this test to consider. Options include all normalized and custom flow and event properties.
    these hexadecimal values - Specify the hexadecimal values you want this test to consider.

Log Source Tests

The log source tests include:

Table C-5 Event Rule: Log Source Tests

Source Log Sources
  Description: Valid when one of the configured log sources is the source of the event.
  Default Test Name: when the event(s) were detected by one or more of these log sources
  Parameters: these log sources - Specify the log sources you want this test to consider.

Log Source Type
  Description: Valid when one of the configured log source types is the source of the event.
  Default Test Name: when the event(s) were detected by one or more of these log source types
  Parameters: these log source types - Specify the log source types you want this test to consider.

Inactive Log Sources
  Description: Valid when one of the configured log sources has not generated an event in the configured time.
  Default Test Name: when the event(s) have not been detected by one or more of these log sources for this many seconds
  Parameters: Configure the following parameters:
    these log sources - Specify the log sources you want this test to consider.
    this many - Specify the number of time intervals you want this test to consider.

Log Source Groups
  Description: Valid when the event is detected by one of the configured log source groups.
  Default Test Name: when the event(s) were detected by one or more of these log source groups
  Parameters: these log source groups - Specify the groups you want this rule to consider.

Function - Sequence Tests

The function - sequence tests include:

Table C-6 Event Rule: Functions - Sequence Group

Multi-Rule Event Function
  Description: You can use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.
  Default Test Name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
  Parameters: Configure the following parameters:
    rules - Specify the rules you want this test to consider.
    in | in any - Specify whether the rules must match in the configured order (in) or in any order (in any).
    the same | any - Specify whether this test considers the same or any of the configured sources.
    username | source IP | source port | destination IP | destination port | QID | event ID | log source | category - Specify the source property you want this test to consider. The default is source IP.
    the same | any - Specify whether this test considers the same or any of the configured destinations.
    destination IP | username | destination port - Specify whether this test considers a destination IP address, username, or destination port. The default is destination IP.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.

Multi-Rule Event Function
  Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of the specified rules, in sequence, involving a source and destination within a configured time interval.
  Default Test Name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
  Parameters: Configure the following parameters:
    this number - Specify the number of rules you want this function to consider.
    rules - Specify the rules you want this test to consider.
    in | in any - Specify whether the rules must match in the configured order (in) or in any order (in any).
    the same | any - Specify whether this test considers the same or any of the configured sources.
    username | source IP | source port | destination IP | destination port | QID | event ID | log sources | category - Specify the source property you want this test to consider. The default is source IP.
    the same | any - Specify whether this test considers the same or any of the configured destinations.
    destination IP | username | destination port - Specify whether this test considers a destination IP address, username, or destination port. The default is destination IP.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider.

Multi-Event Sequence Function Between Hosts
  Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.
  Default Test Name: when this sequence of rules, involving the same source and destination hosts in this many seconds
  Parameters: Configure the following parameters:
    rules - Specify the rules you want this test to consider.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.

Multi-Rule Function
  Description: Allows you to detect a number of specific rules for a specific IP address or port followed by a number of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
  Default Test Name: when at least this many of these rules, in|in any order, with the same username followed by at least this many of these rules in|in any order to/from the same destination IP from the previous sequence, within this many minutes
  Parameters: Configure the following parameters:
    this many - Specify the number of rules you want this test to consider in the first sequence.
    rules - Specify the rules you want this test to consider in the first sequence.
    in | in any - Specify whether the rules must match in a specific order.
    username | source IP | source port | destination IP | destination port - Specify whether this test considers the username, source IP, source port, destination IP, or destination port. The default is username.
    this many - Specify the number of rules you want this test to consider in the second sequence.
    rules - Specify the rules you want this test to consider in the second sequence.
    in | in any - Specify whether the rules must match in a specific order.
    to | from - Specify the direction you want this test to consider.
    username | source IP | source port | destination IP | destination port - Specify whether this test considers the username, source IP, source port, destination IP, or destination port. The default is destination IP.
    this many - Specify the number of time intervals you want this rule to consider.
    seconds | minutes | hours | days - Specify the time interval you want this rule to consider. The default is minutes.

Rule Function
  Description: Allows you to detect when specific rules match a configured number of times within the configured time interval after a series of specific rules match.
  Default Test Name: when these rules match at least this many times in this many minutes after these rules match
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.

Event Property Function
  Description: Allows you to detect when specific rules match a configured number of times with the same event properties within the configured time interval after a series of specific rules match.
  Default Test Name: when these rules match at least this many times with the same event properties in this many minutes after these rules match
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    event properties - Specify the event properties whose values must be the same. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.

Event Property Function
  Description: Allows you to detect when specific rules match a configured number of times with the same event properties and different event properties within the configured time interval after a series of specific rules match.
  Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes after these rules match
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    event properties (same) - Specify the event properties whose values must be the same. Options include all normalized and custom event properties.
    event properties (different) - Specify the event properties whose values must differ. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.

Rule Function
  Description: Allows you to detect when specific rules match a configured number of times within the configured time interval after a series of specific rules match with the same event properties.
  Default Test Name: when these rules match at least this many times in this many minutes after these rules match with the same event properties
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.
    event properties - Specify the event properties whose values must be the same across the preceding rule matches. Options include all normalized and custom event properties.

Event Property Function
  Description: Allows you to detect when specific rules match a configured number of times with the same event properties within the configured time interval after a series of specific rules match with the same event properties.
  Default Test Name: when these rules match at least this many times with the same event properties in this many minutes after these rules match with the same event properties
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    event properties - Specify the event properties whose values must be the same across the counted matches. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.
    event properties - Specify the event properties whose values must be the same across the preceding rule matches. Options include all normalized and custom event properties.

Event Property Function
  Description: Allows you to detect when specific rules match a configured number of times with the same event properties and different event properties within the configured time interval after a series of specific rules match with the same event properties.
  Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes after these rules match with the same event properties
  Parameters: Configure the following parameters:
    these rules - Specify the rules you want this test to count.
    this many - Specify the number of times the configured rules must match.
    event properties (same) - Specify the event properties whose values must be the same across the counted matches. Options include all normalized and custom event properties.
    event properties (different) - Specify the event properties whose values must differ across the counted matches. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules (preceding) - Specify the rules that must match before the counted rules.
    event properties - Specify the event properties whose values must be the same across the preceding rule matches. Options include all normalized and custom event properties.

Event Property Function
  Description: Allows you to detect when a configured number of events occur with the same event properties and different event properties within the configured time interval after a series of specific rules match.
  Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes after these rules match
  Parameters: Configure the following parameters:
    this many - Specify the number of events you want this test to consider.
    event properties (same) - Specify the event properties whose values must be the same. Options include all normalized and custom event properties.
    event properties (different) - Specify the event properties whose values must differ. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules - Specify the rules that must match before the counted events.

Event Property Function
  Description: Allows you to detect when a configured number of events occur with the same event properties within the configured time interval after a series of specific rules match with the same event properties.
  Default Test Name: when at least this many events are seen with the same event properties in this many minutes after these rules match with the same event properties
  Parameters: Configure the following parameters:
    this many - Specify the number of events you want this test to consider.
    event properties - Specify the event properties whose values must be the same across the counted events. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules - Specify the rules that must match before the counted events.
    event properties - Specify the event properties whose values must be the same across the preceding rule matches. Options include all normalized and custom event properties.

Event Property Function
  Description: Allows you to detect when a configured number of events occur with the same event properties and different event properties within the configured time interval after a series of specific rules match with the same event properties.
  Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes after these rules match with the same event properties
  Parameters: Configure the following parameters:
    this many - Specify the number of events you want this test to consider.
    event properties (same) - Specify the event properties whose values must be the same across the counted events. Options include all normalized and custom event properties.
    event properties (different) - Specify the event properties whose values must differ across the counted events. Options include all normalized and custom event properties.
    this many - Specify the number of time intervals you want this test to consider.
    seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
    these rules - Specify the rules that must match before the counted events.
    event properties - Specify the event properties whose values must be the same across the preceding rule matches. Options include all normalized and custom event properties.
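The sequence functions in Table C-6 all rest on the same mechanism as the first Multi-Rule Event Function: keep, per tracked source/destination key, the rule or building-block matches seen inside a sliding time window and fire when the configured rules are all present, in order or in any order. The Python below is an added example written for this page, not STRM's implementation, and it shows the effect of each option in that test name: "in" versus "in any order", "the same" versus "any" source, and the window size. The RuleMatch type, the rule names and the sample matches are constructed; that matches arrive in time order and that a key's history is cleared once it fires (so one sequence yields one hit rather than one per later event) are assumptions the page does not state.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RuleMatch:
    """One event that already matched a building block or rule (constructed input type)."""
    ts: float      # event time in seconds
    rule: str      # name of the rule or building block that matched
    src_ip: str
    dst_ip: str


Key = Tuple[Optional[str], Optional[str]]


class MultiRuleSequence:
    """'when all of these rules, in|in any order, from the same|any source IP
    to the same|any destination IP, over this many seconds'."""

    def __init__(self, rules: Iterable[str], in_order: bool, same_source: bool,
                 same_destination: bool, window_seconds: float) -> None:
        self.rules = list(rules)
        self.in_order = in_order
        self.same_source = same_source
        self.same_destination = same_destination
        self.window = window_seconds
        # rule matches still inside the window, per tracked (source, destination) key
        self._hist: Dict[Key, Deque[RuleMatch]] = defaultdict(deque)

    def _key(self, m: RuleMatch) -> Key:
        # 'any' on a side means that side does not take part in the grouping
        return (m.src_ip if self.same_source else None,
                m.dst_ip if self.same_destination else None)

    @staticmethod
    def _in_order(needle: List[str], hay: List[str]) -> bool:
        """True when every rule in needle appears in hay in the same relative order."""
        it = iter(hay)
        return all(any(r == h for h in it) for r in needle)

    def feed(self, m: RuleMatch) -> bool:
        """Return True when this match completes the sequence for its key.

        Assumption: matches are fed in time order, and the key's history is
        cleared after firing so one sequence produces one hit."""
        if m.rule not in self.rules:
            return False
        hist = self._hist[self._key(m)]
        hist.append(m)
        while hist and m.ts - hist[0].ts > self.window:   # expire matches outside the window
            hist.popleft()
        seen = [h.rule for h in hist]
        fired = self._in_order(self.rules, seen) if self.in_order else set(self.rules) <= set(seen)
        if fired:
            hist.clear()
        return fired


def run(seq: MultiRuleSequence, matches: Iterable[RuleMatch]) -> List[float]:
    """Feed matches in time order and return the timestamps at which the function fired."""
    return [m.ts for m in matches if seq.feed(m)]


# Constructed sample: reconnaissance then an exploit attempt against one host from one
# source, plus an exploit match from a different source against the same host.
SAMPLE = [
    RuleMatch(100, "BB:Recon", "203.0.113.7", "10.1.2.3"),
    RuleMatch(110, "BB:Exploit", "198.51.100.9", "10.1.2.3"),   # other source: completes the pair only under 'any source'
    RuleMatch(130, "BB:Exploit", "203.0.113.7", "10.1.2.3"),    # completes Recon -> Exploit within 60 s
]

if __name__ == "__main__":
    strict = MultiRuleSequence(["BB:Recon", "BB:Exploit"], in_order=True,
                               same_source=True, same_destination=True, window_seconds=60)
    print(run(strict, SAMPLE))  # [130]
```

The "any source" variant is the one that surprises people in production: with same_source=False the recon from one address and the exploit from another address against the same host complete the pair, which is what you want for distributed attacks and not what you want when the two building blocks are noisy on their own.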

STRM Administration Guide

Event Rule Tests

19

Function - Counter Tests


Table C-7

The function - counter tests include:

Event Rule: Functions - Counters Group

Test Multi-Event Counter Function

Description Allows you to test the number of events from configured conditions, such as, source IP address. You can also use building blocks and other rules to populate this test.

Default Test Name when a(n) source IP matches more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes

Parameters Configure the following parameters:


username | source IP | source port | destination IP | destination port | QID | event ID | log sources | category - Specify the source you want this test to consider. The default is source IP. more than | exactly - Specify if you want this test to consider more than or exactly the number of rules. this many - Specify the number of rules you want this test to consider. rules - Specify the rules you want this test to consider. more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source above. this many - Specify the number of IP addresses, ports, QIDs, events, log sources, or categories you want this test to consider. username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP. this many - Specify the time value you want to assign to this test. seconds | minutes | hours | days Specify the time interval you want this rule to consider. The default is minutes.

STRM Administration Guide

20

RULE TESTS

Table C-7

Event Rule: Functions - Counters Group (continued)

Test Multi-Rule Function

Description Allows you to detect a series of rules for a specific IP address or port followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.

Default Test Name when any of these rules with the same source IP more than this many times, across more than| exactly this many destination IP within this many minutes

Parameters Configure the following parameters:


rules - Specify the rules you want this test to consider. username | source IP | source port | destination IP | destination port | QID | event ID | log sources | category - Specify the source you want this test to consider. The default is source IP. this many - Specify the number of times the configured rules must match the test. more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source option. this many - Specify the number you want this test to consider, depending on the option you configured in the source IP parameter. username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP. this many - Specify the time interval you want to assign to this test. seconds | minutes | hours | days Specify the time interval you want this rule to consider. The default is minutes.

Username Function

Allows you to detect multiple updates to usernames on a single host.

when the username Configure the following parameters: changes more than MAC | username | hostname this many times within Specify if you want this test to consider this many hours on a username, MAC address, or single host. hostname. The default is username.
this many - Specify the number of changes you want this test to consider. this many - Specify the number of time intervals you want this test to consider. seconds | minutes | hours | days Specify the time interval you want this test to consider. The default is hours.

STRM Administration Guide

Event Rule Tests

21

Table C-7

Event Rule: Functions - Counters Group (continued)

Test

Description

Default Test Name

Parameters

Test: Event Property Function
Description: Allows you to detect a series of events with the same event properties within the configured time interval. For example, you can use this test to detect when 100 events with the same source IP address occur within 5 minutes.
Default Test Name: when at least this many events are seen with the same event properties in this many minutes
Parameters: Configure the following parameters:
  this many - Specify the number of events you want this test to consider.
  event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a series of events with the same event properties and different event properties within the configured time interval. For example, you can use this test to detect when 100 events with the same source IP address and different destination IP addresses occur within 5 minutes.
Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes
Parameters: Configure the following parameters:
  this many - Specify the number of events you want this test to consider.
  event properties - Specify the event properties that must be the same. Options include all normalized and custom event properties.
  event properties - Specify the event properties that must be different. Options include all normalized and custom event properties.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
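The two Event Property Function counter tests above are, in effect, sliding-window counters keyed on the "same" properties. The following Python sketch is an added illustration, not part of the STRM guide or product: it reproduces that logic over a constructed event list, the field names src_ip, dst_ip and ts are assumptions for the demo, and "different event properties" is read as the number of distinct values seen inside the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample events (not real log data); timestamps are seconds.
SAMPLE_EVENTS = [
    {"ts": 0,  "src_ip": "10.0.0.5", "dst_ip": "10.0.1.1"},
    {"ts": 10, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.2"},
    {"ts": 20, "src_ip": "10.0.0.9", "dst_ip": "10.0.1.1"},  # other source: separate bucket
    {"ts": 30, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.2"},  # repeated destination
    {"ts": 40, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.3"},
    {"ts": 50, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.4"},
    {"ts": 60, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.5"},
]


@dataclass
class CounterTest:
    """'when at least <threshold> events are seen with the same <same>
    [and different <different>] event properties in <window> seconds'."""
    same: tuple        # properties that must be identical (the bucket key)
    different: tuple   # properties that must differ; empty for the plain test
    threshold: int     # "at least this many events"
    window: float      # "in this many" time units, already converted to seconds
    _buckets: dict = field(default_factory=lambda: defaultdict(deque),
                           init=False, repr=False)

    def feed(self, event):
        """Feed one event (events arrive in timestamp order); True when the test fires."""
        key = tuple(event[p] for p in self.same)
        bucket = self._buckets[key]
        bucket.append(event)
        # Drop events that have fallen out of the sliding window.
        cutoff = event["ts"] - self.window
        while bucket and bucket[0]["ts"] < cutoff:
            bucket.popleft()
        if not self.different:
            return len(bucket) >= self.threshold
        # "different event properties": count distinct values, not raw events.
        distinct = {tuple(e[p] for p in self.different) for e in bucket}
        return len(distinct) >= self.threshold


def first_match(test, events):
    """Index of the event at which the test first fires, or None if it never does."""
    for i, event in enumerate(events):
        if test.feed(event):
            return i
    return None


if __name__ == "__main__":
    scan = CounterTest(same=("src_ip",), different=("dst_ip",), threshold=5, window=300)
    print("same source, 5 distinct destinations fires at index:",
          first_match(scan, SAMPLE_EVENTS))  # 6
```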

Test: Rule Function
Description: Allows you to detect a number of specific rules with the same event properties within the configured time interval.
Default Test Name: when these rules match at least this many times in this many minutes
Parameters: Configure the following parameters:
  these rules - Specify the rules you want this test to consider.
  this many - Specify the number of times the configured rules must match the test.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.


Test: Event Property Function
Description: Allows you to detect a number of specific rules with the same event properties within the configured time interval.
Default Test Name: when these rules match at least this many times with the same event properties in this many minutes
Parameters: Configure the following parameters:
  these rules - Specify the rules you want this test to consider.
  this many - Specify the number of times the configured rules must match the test.
  event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a number of specific rules with the same event properties and different event properties within the configured time interval.
Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes
Parameters: Configure the following parameters:
  these rules - Specify the rules you want this test to consider.
  this many - Specify the number of times the configured rules must match the test.
  event properties - Specify the event properties that must be the same. Options include all normalized and custom event properties.
  event properties - Specify the event properties that must be different. Options include all normalized and custom event properties.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.


Function - Simple Tests

The function - simple tests include:

Table C-8 Event Rule: Functions - Simple Group

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default Test Name: when an event matches any|all of the following rules
Parameters: Configure the following parameters:
  any | all - Specify either any or all of the configured rules that should apply to this test.
  rules - Specify the rules you want this test to consider.

Date/Time Tests

The date and time tests include:

Table C-9 Event Rule: Date/Time Tests

Test: Event Day
Description: Valid when the event occurs on the configured day of the month.
Default Test Name: when the event(s) occur on the selected day of the month
Parameters: Configure the following parameters:
  on | after | before - Specify if you want this test to consider on, after, or before the configured day. The default is on.
  selected - Specify the day of the month you want this test to consider.

Test: Event Week
Description: Valid when the event occurs on the configured days of the week.
Default Test Name: when the event(s) occur on any of these days of the week
Parameters: these days of the week - Specify the days of the week you want this test to consider.

Test: Event Time
Description: Valid when the event occurs at, before, or after the configured time.
Default Test Name: when the event(s) occur after this time
Parameters: Configure the following parameters:
  after | before | at - Specify if you want this test to consider after, before, or at the configured time. The default is after.
  this time - Specify the time you want this test to consider.

Network Property Tests

The network property test group includes:

Table C-10 Event Rule: Network Property Tests

Test: Local Networks
Description: Valid when the event occurs in the specified network.
Default Test Name: when the local network is one of the following networks
Parameters: one of the following networks - Specify the areas of the network you want this test to apply to.


Test: Remote Networks
Description: Valid when an IP address is part of any or all of the configured remote network locations.
Default Test Name: when the source IP is a part of any of the following remote network locations
Parameters: Configure the following parameters:
  source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  remote network locations - Specify the network locations you want this test to consider.

Test: Remote Services Networks
Description: Valid when an IP address is part of any or all of the configured remote services network locations.
Default Test Name: when the source IP is a part of any of the following remote services network locations
Parameters: Configure the following parameters:
  source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  remote services network locations - Specify the services network locations you want this test to consider.

Test: Geographic Networks
Description: Valid when an IP address is part of any or all of the configured geographic network locations.
Default Test Name: when the source IP is a part of any of the following geographic network locations
Parameters: Configure the following parameters:
  source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  geographic network locations - Specify the network locations you want this test to consider.

Function - Negative Tests

The function - negative tests include:

Table C-11 Event Rule: Functions - Negative Group

Test: Event Property Function
Description: Allows you to detect when none of the specified rules match in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when none of these rules match in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
  these rules - Specify the rules you want this test to consider.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
  these rules - Specify the rules you want this test to consider.
  event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.


Test: Rule Function
Description: Allows you to detect when none of the specified rules match in a configured time interval after a series of specific rules occur.
Default Test Name: when none of these rules match in this many minutes after these rules match
Parameters: Configure the following parameters:
  these rules - Specify the rules you want this test to consider.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
  these rules - Specify the rules you want this test to consider.
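The negative tests in Table C-11 fire on an absence: a trigger rule matches, and none of the expected follow-up rules match for the same property values before the window closes. The Python sketch below is an added illustration, not STRM code: the rule names and the host property are constructed for the demo, and rule matches are assumed to arrive in timestamp order.

```python
from dataclasses import dataclass, field

# Constructed stream of rule matches (not real STRM output); timestamps are seconds.
SAMPLE_MATCHES = [
    {"ts": 0,   "rule": "Malware Detected", "host": "H1"},
    {"ts": 60,  "rule": "Malware Detected", "host": "H2"},
    {"ts": 120, "rule": "Malware Removed",  "host": "H1"},  # follow-up for H1 arrives
    {"ts": 200, "rule": "Unrelated Rule",   "host": "H3"},
]


@dataclass
class NegativeTest:
    """'when none of <followups> match in <window> seconds after <triggers>
    match with the same <same> event properties'."""
    triggers: frozenset    # "after these rules match"
    followups: frozenset   # "when none of these rules match"
    same: tuple            # "with the same event properties"
    window: float          # "in this many" time units, already in seconds
    _pending: dict = field(default_factory=dict, init=False, repr=False)  # key -> trigger ts

    def feed(self, match):
        """Process one rule match; return the keys whose window just expired unanswered."""
        fired = self._expire(match["ts"])
        key = tuple(match[p] for p in self.same)
        if match["rule"] in self.followups and key in self._pending:
            del self._pending[key]             # expected follow-up seen in time: cancel
        if match["rule"] in self.triggers and key not in self._pending:
            self._pending[key] = match["ts"]   # open a window for this key
        return fired

    def flush(self, now):
        """Expire outstanding windows (end of stream here; a timer in a real engine)."""
        return self._expire(now)

    def _expire(self, now):
        fired = [k for k, t0 in self._pending.items() if now - t0 > self.window]
        for k in fired:
            del self._pending[k]
        return fired


def run(test, matches, end_ts):
    """All keys that fired, in order, for a match stream that ends at end_ts."""
    fired = []
    for m in matches:
        fired.extend(test.feed(m))
    fired.extend(test.flush(end_ts))
    return fired


if __name__ == "__main__":
    test = NegativeTest(frozenset({"Malware Detected"}), frozenset({"Malware Removed"}),
                        ("host",), window=300)
    print(run(test, SAMPLE_MATCHES, end_ts=400))  # [('H2',)]
```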

Flow Rule Tests

This section provides information on the flow rule tests you can apply to the rules, including:

  Host Profile Tests
  IP/Port Tests
  Flow Property Tests
  Common Property Tests
  Function - Sequence Tests
  Function - Counters Tests
  Function - Simple Tests
  Date/Time Tests
  Network Property Tests
  Function - Negative Tests


Host Profile Tests

The host profile tests include:

Table C-12 Flow Rules: Host Profile Tests

Test: Host Profile Port
Description: Valid when the port is open on the configured local source or destination. You can also specify if the status of the port is detected using one of the following methods:
  Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
  Passive - STRM passively monitors the network recording hosts previously detected.
Default Test Name: when the local source host destination port is open either actively or passively seen
Parameters: Configure the following parameters:
  source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
  actively seen | passively seen | either actively or passively seen - Specify if you want this test to consider active and/or passive scanning. The default is either actively or passively seen.

Test: Host Existence
Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify if the status of the host is detected using one of the following methods:
  Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
  Passive - STRM passively monitors the network recording hosts previously detected.
Default Test Name: when the local source host exists either actively or passively seen
Parameters: Configure the following parameters:
  source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
  actively seen | passively seen | either actively or passively seen - Specify if you want this test to consider active and/or passive scanning. The default is either actively or passively seen.

Test: Host Profile Age
Description: Valid when the local source or destination host profile age is greater than the configured value within the configured time intervals.
Default Test Name: when the local source host profile age is greater than this number of time intervals
Parameters: Configure the following parameters:
  source | destination - Specify if you want this test to apply to the source or destination host. The default is source.
  greater than | less than - Specify if you want this test to consider values greater than or less than the profile host age.
  this number of - Specify the number of time intervals you want this test to consider.
  time intervals - Specify whether you want this test to consider minutes or hours.


Test: Host Port Age
Description: Valid when the local source or destination port profile age is greater than or less than a configured amount of time.
Default Test Name: when the local source host profile port age is greater than this number of time intervals
Parameters: Configure the following parameters:
  source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
  greater than | less than - Specify if you want this test to consider values greater than or less than the profile port age. The default is greater than.
  this number of - Specify the number of time intervals you want this test to consider.
  time intervals - Specify whether you want this test to consider minutes or hours.

Test: Asset Weight
Description: Valid when the device being attacked (destination) or the host that is the attacker (source) has an assigned weight greater than or less than the configured value.
Default Test Name: when the destination asset has a weight greater than this weight
Parameters: Configure the following parameters:
  source | destination - Specify if you want this test to consider the source or destination asset. The default is destination.
  greater than | less than | equal to - Specify if you want the value to be greater than, less than, or equal to the configured value.
  this weight - Specify the weight you want this test to consider.

Test: OSVDB IDs
Description: Valid when an IP address (source, destination, or any) is vulnerable to the configured Open Source Vulnerability Database (OSVDB) IDs.
Default Test Name: when the source IP is vulnerable to one of the following OSVDB IDs
Parameters: Configure the following parameters:
  source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address. The default is source IP.
  OSVDB IDs - Specify any OSVDB IDs that you want this test to consider. For more information regarding OSVDB IDs, see http://osvdb.org/.

IP/Port Tests

The IP/Port tests include:

Table C-13 Flow Rules: IP / Port Test Group

Test: Source Port
Description: Valid when the source port of the flow is one of the configured source port(s).
Default Test Name: when the source port is one of the following ports
Parameters: ports - Specify the ports you want this test to consider.


Test: Destination Port
Description: Valid when the destination port of the flow is one of the configured destination port(s).
Default Test Name: when the destination port is one of the following ports
Parameters: ports - Specify the ports you want this test to consider.

Test: Local Port
Description: Valid when the local port of the flow is one of the configured local port(s).
Default Test Name: when the local port is one of the following ports
Parameters: ports - Specify the ports you want this test to consider.

Test: Remote Port
Description: Valid when the remote port of the flow is one of the configured remote port(s).
Default Test Name: when the remote port is one of the following ports
Parameters: ports - Specify the ports you want this test to consider.

Test: Source IP Address
Description: Valid when the source IP address of the flow is one of the configured IP address(es).
Default Test Name: when the source IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Test: Destination IP Address
Description: Valid when the destination IP address of the flow is one of the configured IP address(es).
Default Test Name: when the destination IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Test: Local IP Address
Description: Valid when the local IP address of the flow is one of the configured IP address(es).
Default Test Name: when the local IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Test: Remote IP Address
Description: Valid when the remote IP address of the flow is one of the configured IP address(es).
Default Test Name: when the remote IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Test: IP Address
Description: Valid when the source or destination IP address of the flow is one of the configured IP address(es).
Default Test Name: when either the source or destination IP is one of the following IP addresses
Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Test: Source or Destination Port
Description: Valid when either the source or destination port is one of the configured ports.
Default Test Name: when the source or destination port is any of these ports
Parameters: these ports - Specify the ports you want this test to consider.

Flow Property Tests

The flow property test group includes:

Table C-14 Flow Rules: Flow Property Tests

Test: IP Protocol
Description: Valid when the IP protocol of the flow is one of the configured protocols.
Default Test Name: when the IP protocol is one of the following protocols
Parameters: protocols - Specify the protocols you want to add to this test.


Test: Flow Context
Description: Flow Context is the relationship between the source IP address and destination IP address of the flow. For example, a local source IP address to a remote destination IP address. Valid if the flow context is one of the following: Local to Local, Local to Remote, Remote to Local, Remote to Remote.
Default Test Name: when the flow context is this context
Parameters: this context - Specify the context you want this test to consider. The options are: Local to Local, Local to Remote, Remote to Local, Remote to Remote.

Test: Source Location
Description: Valid when the source IP address of the flow is either local or remote.
Default Test Name: when the source is local or remote {default: remote}
Parameters: local | remote - Specify either local or remote traffic. The default is remote.

Test: Destination Location
Description: Valid when the destination IP address of the flow is either local or remote.
Default Test Name: when the destination is local or remote {default: remote}
Parameters: local | remote - Specify either local or remote traffic. The default is remote.

Test: Regex
Description: Valid when the configured MAC address, username, hostname, or operating system is associated with a particular regular expressions (regex) string.
  Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.
Default Test Name: when the username matches the following regex
Parameters: Configure the following parameters:
  hostname | source hostname | destination hostname | source payload | destination payload - Specify the value you want to associate with this test. The default is username.
  regex - Specify the regex string you want this test to consider.

Test: IPv6
Description: Valid when the source or destination IPv6 address is the configured IP address.
Default Test Name: when the source IP(v6) is one of the following IP(v6) addresses
Parameters: Configure the following parameters:
  source IP(v6) | destination IP(v6) - Specify whether you want this test to consider the source or destination IPv6 address.
  IP(v6) addresses - Specify the IPv6 addresses you want this test to consider.


Test: Reference Set
Description: Valid when any or all configured flow properties are contained in any or all configured reference sets.
Default Test Name: when any of these flow properties are contained in any of these reference set(s)
Parameters: Configure the following parameters:
  any | all - Specify if you want this test to consider any or all of the configured event properties.
  these flow properties - Specify the flow properties you want this test to consider.
  any | all - Specify if you want this test to consider any or all of the configured reference sets.
  these reference set(s) - Specify the reference set(s) you want this test to consider.

Test: Flow Bias
Description: Valid when flow direction matches the configured flow bias.
Default Test Name: when the flow bias is any of the following bias
Parameters: inbound | outbound | mostly inbound | mostly outbound | balanced - Specify the flow bias you want this test to consider. The default is inbound.

Test: Byte / Packet Count
Description: Valid when the number of bytes or packets matches the configured amount.
Default Test Name: when the source bytes is greater than this amount
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local or remote bytes or packets. The default is source.
  bytes | packets - Specify whether you want this test to consider bytes or packets. The default is bytes.
  greater than | less than | equal to - Specify whether the number of bytes or packets is greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.

Test: Host Count
Description: Valid when the number of hosts matches the configured amount.
Default Test Name: when the number of source hosts is greater than this amount
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local or remote hosts. The default is source.
  greater than | less than | equal to - Specify whether the number of hosts is greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.


Test: Packet Rate
Description: Valid when the packet rate matches the configured amount.
Default Test Name: when the source packet rate is greater than value packets/second
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local or remote packet rate. The default is source.
  greater than | less than | equal to - Specify whether the packet rate is greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.

Test: Flow Duration
Description: Valid when the flow duration matches the configured time interval.
Default Test Name: when flow duration is greater than value seconds
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify whether the flow duration is greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Flow Payload Search
Description: Each flow contains a copy of the original unnormalized event. This test is valid when the entered search string is included anywhere in the flow payload.
Default Test Name: when the source payload matches the regex string
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local or remote payload. The default is source.
  matches the regex | matches the hexadecimal - Specify whether you want to match a regex or hexadecimal string. The default is regex.
  string - Specify the text string you want to include for this test.

Test: Flow Source Name
Description: Valid when the flow source name matches the configured value(s).
Default Test Name: when the name of the flow source is one of these sources
Parameters: these sources - Specify the flow source names you want this test to consider.

Test: Flow Interface
Description: Valid when the flow interface matches the configured value(s).
Default Test Name: when the flow interface is one of these interfaces
Parameters: these interfaces - Specify the flow interface you want this test to consider.

Test: Flow Type
Description: Valid when the flow type matches the configured value.
Default Test Name: when the flow type is one of these flow types
Parameters: these flow types - Specify the flow type you want this test to consider.


Test: Byte/Packet Ratio
Description: Valid when the byte/packet ratio matches the configured value.
Default Test Name: when the source byte/packet ratio is greater than value bytes/packet
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local or remote byte/packet ratio. The default is source.
  greater than | less than | equal to - Specify whether the flow duration is greater than, less than, or equal to the configured value.
  value - Specify the ratio you want this test to consider.

Test: ICMP Type
Description: Valid when the Internet Control Message Protocol (ICMP) type matches the configured value(s).
Default Test Name: when the ICMP type is any of these types
Parameters: these types - Specify the ICMP type(s) you want this test to consider.

Test: ICMP Code
Description: Valid when the ICMP code matches the configured value(s).
Default Test Name: when the ICMP code is any of these codes
Parameters: these codes - Specify the ICMP code(s) you want this test to consider.

Test: DSCP
Description: Valid when the differentiated services code point (DSCP) matches the configured value(s).
Default Test Name: when the destination DSCP is any of these values
Parameters: Configure the following parameters:
  source | destination | local | remote | either - Specify whether you want this test to consider the source, destination, local, remote, or either DSCP. The default is destination.
  these values - Specify the DSCP value(s) you want this test to consider.

Test: IP Precedence
Description: Valid when the IP precedence matches the configured value(s).
Default Test Name: when the destination IP precedence is any of these values
Parameters: Configure the following parameters:
  source | destination | local | remote | either - Specify whether you want this test to consider the source, destination, local, remote, or either DSCP. The default is destination.
  these values - Specify the IP precedence values you want this test to consider.

Test: Packet Ratio
Description: Valid when the configured packet ratio matches the configured value. This test allows you to specify the values in the packet ratio.
Default Test Name: when the source/destination packet ratio is greater than this value
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify which direction you want this test to consider as the preceding value in the ratio. The default is source.
  greater than | less than | equal to - Specify whether the packet ratio is greater than, less than, or equal to the configured value.
  value - Specify the ratio you want this test to consider.


Test: TCP Flags
Description: Valid when the TCP flags match the configured value(s).
Default Test Name: when the destination TCP flags are exactly these flags
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local, or remote TCP flags. The default is destination.
  are exactly | includes all of | includes any of - Specify whether you want this test to consider exactly, all of, or any of the configured TCP flags. The default is are exactly.
  these flags - Specify the TCP flags you want this test to consider.

Test: IF Index
Description: Valid when the IF Index matches the configured value(s).
Default Test Name: when the list of input IF (interface) indexes includes all of these values
Parameters: Configure the following parameters:
  input | output | either - Specify which direction you want this test to consider. The default is input.
  all | any - Specify whether you want this test to consider all or any configured IF Index values.
  these values - Specify the IF Indexes you want this test to consider.

Test: TCP Flag Combination
Description: Valid when the TCP flags match the configured flag combinations.
Default Test Name: when the destination TCP flags are any of these flag combinations
Parameters: Configure the following parameters:
  source | destination | local | remote - Specify whether you want this test to consider the source, destination, local, or remote TCP flags. The default is destination.
  these flag combinations - Specify the flag combinations you want this test to consider. Separate flags with commas.
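The TCP Flags test (are exactly | includes all of | includes any of) and the TCP Flag Combination test differ only in how the observed flag set is compared with the configured one. The Python below is an added illustration of those comparisons, not STRM code: the flow records and their source_tcp_flags / destination_tcp_flags fields are constructed for the demo, and flag lists use the comma-separated form the tests expect.

```python
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

# Constructed flow records (not real STRM flows): one side's flags per field.
SAMPLE_FLOWS = [
    {"id": 1, "source_tcp_flags": "SYN,ACK,PSH,FIN",
              "destination_tcp_flags": "SYN,ACK,PSH,FIN"},  # complete session
    {"id": 2, "source_tcp_flags": "SYN",
              "destination_tcp_flags": ""},                 # no reply observed
    {"id": 3, "source_tcp_flags": "SYN",
              "destination_tcp_flags": "RST,ACK"},          # connection refused
]


def parse_flags(text):
    """Turn 'SYN,ACK' into a frozenset, rejecting names that are not TCP flags."""
    flags = frozenset(f.strip().upper() for f in text.split(",") if f.strip())
    unknown = flags - frozenset(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_test(flow, side, mode, these_flags):
    """'when the <side> TCP flags <mode> <these_flags>' with the three TCP Flags modes."""
    observed = parse_flags(flow[f"{side}_tcp_flags"])
    wanted = parse_flags(these_flags)
    if mode == "are exactly":
        return observed == wanted            # same set, nothing more, nothing less
    if mode == "includes all of":
        return wanted <= observed            # configured flags are a subset
    if mode == "includes any of":
        return bool(observed & wanted)       # at least one configured flag present
    raise ValueError(f"unknown mode: {mode}")


def tcp_flag_combination_test(flow, side, combinations):
    """'when the <side> TCP flags are any of these flag combinations': the observed
    set must equal one of the listed combinations exactly."""
    observed = parse_flags(flow[f"{side}_tcp_flags"])
    return any(observed == parse_flags(combo) for combo in combinations)


def matching_flow_ids(flows, predicate):
    """Apply a test to every flow and return the ids that pass it."""
    return [f["id"] for f in flows if predicate(f)]


if __name__ == "__main__":
    refused = lambda f: tcp_flag_combination_test(f, "destination", ["SYN,ACK", "RST,ACK"])
    print("destination flags are SYN,ACK or RST,ACK:",
          matching_flow_ids(SAMPLE_FLOWS, refused))  # [3]
```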

Test: Search Filter
Description: Valid when the flow matches the specified search filter.
Default Test Name: when the flow matches this search filter
Parameters: this search filter - Specify the search filter you want this test to consider.

Test: Flow Payload
Description: Valid when the specified side of the flow has or does not have a payload.
Default Test Name: when the destination side of the flow has payload data
Parameters: Configure the following parameters:
  the source | the destination | the local | the remote | either - Specify whether you want this test to consider the source, destination, local, remote, or either side of the flow. The default is destination.
  has | has not - Specify whether you want this test to consider flows that have a payload or do not have a payload.


Common Property Tests

The common property tests include:

Table C-15 Flow Rules: Common Property Tests

Test: CVSS Risk (Host)
Description: Valid when the specified host has a CVSS risk value that matches the configured value.
Default Test Name: when the destination host has a CVSS risk value of greater than this amount
Parameters: Configure the following parameters:
  source | destination | either - Specify whether the test considers the source and/or destination host of the flow.
  greater than | less than | equal to - Specify if you want the CVSS risk value to be greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.

Test: CVSS Risk (Port)
Description: Valid when the specified port has a CVSS risk value that matches the configured value.
Default Test Name: when the destination port has a CVSS risk value of greater than this amount
Parameters: Configure the following parameters:
  source | destination | either - Specify whether the test considers the source and/or destination port of the flow.
  greater than | less than | equal to - Specify if you want the threat level to be greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.

Test: Custom Rule Engine
Description: Valid when the flow is processed by the specified custom rule engine.
Default Test Name: when the flow is processed by one of these Custom Rule Engines
Parameters: these - Specify the Custom Rule Engine ID number(s) you want this test to consider.

Test: Regex
Description: Valid when the configured property is associated with a particular regular expressions (regex) string.
  Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.
Default Test Name: when these properties match the following regex
Parameters: Configure the following parameters:
  these properties - Specify the value you want to associate with this test. Options include all normalized, and custom flow and event properties.
  regex - Specify the regex string you want this test to consider.


Test: Hexadecimal
Description: Valid when the configured property is associated with particular hexadecimal values.
Default Test Name: when any of these properties contain any of these hexadecimal values
Parameters: Configure the following parameters:
  these properties - Specify the value you want to associate with this test. Options include all normalized, and custom flow and event properties.
  these hexadecimal values - Specify the hexadecimal values you want this test to consider.

Function - Sequence Tests


Table C-16

The function - sequence tests include:

Flow Rules: Functions Sequence Group

Test Multi-Rule Flow Function

Description Allows you to use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.

Default Test Name when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds

Parameters Configure the following parameters:


rules - Specify the rules you want this test to consider.
in | in any - Specify whether you want this test to consider in or in any order.
the same | any - Specify if you want this test to consider the same or any of the configured sources.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is the source IP.
the same | any - Specify if you want this test to consider the same or any of the configured destinations.
destination IP | destination port - Specify whether you want this test to consider a destination IP address, username, or destination port. The default is destination IP.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Multi-Rule Flow Function

Description Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of specified rules, in sequence, involving a source and destination within a configured time interval.

Default Test Name when at least this number of these rules, in|in any order, from the same| any source IP to the same|any destination IP, over this many seconds

Parameters Configure the following parameters:


this number - Specify the number of rules you want this function to consider.
rules - Specify the rules you want this test to consider.
in | in any - Specify whether you want this test to consider in or in any order.
the same | any - Specify if you want this test to consider the same or any of the configured sources.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
the same | any - Specify if you want this test to consider the same or any of the configured destinations.
destination IP | destination port - Specify whether you want this test to consider a destination IP address, username, or destination port. The default is destination IP.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider.

Multi-Flow Sequence Function Between Hosts

Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.

when this sequence of rules, involving the same source and destination hosts in this many seconds

Configure the following parameters:
rules - Specify the rules you want this test to consider.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.
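The sequence tests above track rule matches per source/destination pair inside a sliding time window. As an added illustration (not STRM's own code or rule engine), the following Python class implements that logic for the Multi-Rule Flow Function and Multi-Flow Sequence Function Between Hosts tests; the rule names, IP addresses and timestamps are constructed, and "in order" is assumed to allow unrelated rule matches between the required ones.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Added example, not STRM code: an in-memory matcher for the sequence test
#   when all of these rules, in|in any order, from the same source IP
#   to the same destination IP, over this many seconds
# Rule names, flow endpoints and timestamps below are constructed.

Key = Tuple[str, str]   # (source IP, destination IP)
Hit = Tuple[float, str]  # (epoch seconds, rule name)


class RuleSequenceTest:
    """Remembers, per (source, destination) pair, which configured rules
    matched recently and fires once all of them matched inside the window."""

    def __init__(self, rules: List[str], window_seconds: float, in_order: bool = True):
        if not rules:
            raise ValueError("at least one rule is required")
        self.rules = list(rules)
        self.window = float(window_seconds)
        self.in_order = in_order
        self._hits: Dict[Key, Deque[Hit]] = defaultdict(deque)

    def _evict(self, key: Key, now: float) -> None:
        """Drop matches that have aged out of the sliding window."""
        hits = self._hits[key]
        while hits and now - hits[0][0] > self.window:
            hits.popleft()

    def _sequence_complete(self, hits: Deque[Hit]) -> bool:
        if self.in_order:
            # Walk the hits once; each configured rule must appear in the
            # configured order (assumption: other rules in between are ignored).
            idx = 0
            for _, rule in hits:
                if rule == self.rules[idx]:
                    idx += 1
                    if idx == len(self.rules):
                        return True
            return False
        # Any order: every configured rule must be present in the window.
        return set(self.rules) <= {rule for _, rule in hits}

    def observe(self, src_ip: str, dst_ip: str, rule: str, ts: float) -> bool:
        """Record that `rule` matched a flow src->dst at time `ts`.
        Returns True when the sequence test fires for that pair."""
        if rule not in self.rules:
            return False
        key = (src_ip, dst_ip)
        self._hits[key].append((ts, rule))
        self._evict(key, ts)
        if self._sequence_complete(self._hits[key]):
            # Reset so the same matches do not fire again on the next flow.
            self._hits[key].clear()
            return True
        return False


def run_constructed_sample() -> List[Tuple[str, str, float]]:
    """Replays constructed rule matches; returns the (src, dst, ts) that fired."""
    test = RuleSequenceTest(["Recon: Port Scan", "Exploit Attempt", "Outbound Connection"],
                            window_seconds=300, in_order=True)
    sample = [
        ("10.0.0.5", "192.0.2.10", "Recon: Port Scan", 1000.0),
        ("10.0.0.5", "192.0.2.10", "Exploit Attempt", 1060.0),
        ("10.0.0.7", "192.0.2.10", "Exploit Attempt", 1070.0),      # different pair
        ("10.0.0.5", "192.0.2.10", "Outbound Connection", 1200.0),  # completes sequence
        ("10.0.0.5", "192.0.2.11", "Outbound Connection", 1300.0),  # out of order
        ("10.0.0.5", "192.0.2.11", "Recon: Port Scan", 1310.0),
        ("10.0.0.5", "192.0.2.11", "Exploit Attempt", 1320.0),
        ("10.0.0.5", "192.0.2.11", "Outbound Connection", 1700.0),  # earlier hits aged out
    ]
    fired = []
    for src, dst, rule, ts in sample:
        if test.observe(src, dst, rule, ts):
            fired.append((src, dst, ts))
    return fired  # [("10.0.0.5", "192.0.2.10", 1200.0)]
```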


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Rule Function

Description Allows you to detect a number of specific rules with the same flow properties and different flow properties within the configured time interval.

Default Test Name when these rules match at least this many times in this many minutes after these rules match

Parameters Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Flow Property Function

Allows you to detect a configured number of specific rules with the same flow properties within the configured time interval.

when these rules match at least this many times with the same flow properties in this many minutes after these rules match

Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Flow Property Function

Description Allows you to detect when specific rules occur a configured number of times with the same flow properties and different flow properties within the configured time interval after a series of specific rules.

Default Test Name when these rules match at least this many times with the same flow properties and different flow properties in this many minutes after these rules match

Parameters Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Rule Function

Allows you to detect when specific rules occur a configured number of times in a configured time interval after a series of specific rules occur with the same flow properties.

when these rules match at least this many times in this many minutes after these rules match with the same flow properties

Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Flow Property Function

Description Allows you to detect when specific rules occur a configured number of times with the same flow properties in a configured time interval after a series of specific rules occur with the same flow properties.

Default Test Name when these rules match at least this many times with the same flow properties in this many minutes after these rules match with the same flow properties

Parameters Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Flow Property Function

Description Allows you to detect when specific rules occur a configured number of times with the same flow properties and different flow properties in a configured time interval after a series of specific rules occur with the same flow properties.

Default Test Name when these rules match at least this many times with the same flow properties and different flow properties in this many minutes after these rules match with the same flow properties

Parameters Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Flow Property Function

Description Allows you to detect when a specific number of flows occur with the same flow properties and different flow properties in a configured time interval after a series of specific rules occur.

Default Test Name when at least this many flows are seen with the same flow properties and different flow properties in this many minutes after these rules match

Parameters Configure the following parameters:


this many - Specify the number of flows you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Flow Property Function

Allows you to detect when a specific number of flows occur with the same flow properties in a configured time interval after a series of specific rules occur with the same flow properties.

when at least this many flows are seen with the same flow properties in this many minutes after these rules match with the same flow properties

Configure the following parameters:


this many - Specify the number of flows you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.


Table C-16 Flow Rules: Functions Sequence Group (continued)

Test Flow Property Function

Description Allows you to detect when a specific number of flows occur with the same flow properties and different flow properties in a configured time interval after a series of specific rules occur with the same flow properties.

Default Test Name when at least this many flows are seen with the same flow properties and different flow properties in this many minutes after these rules match with the same flow properties

Parameters Configure the following parameters:


this many - Specify the number of flows you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.


Function - Counters Tests

The functions - counters tests include:

Table C-17 Flow Rules: Functions - Counters Group

Test Multi-Flow Counter Function

Description Allows you to test the number of flows from configured conditions, such as, source IP address. You can also use building blocks and other rules to populate this test.

Default Test Name when a(n) source IP matches more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes

Parameters Configure the following parameters:


source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
more than | exactly - Specify if you want this test to consider more than or exactly the number of rules.
this many - Specify the number of rules you want this test to consider.
rules - Specify the rules you want this test to consider.
more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source above.
this many - Specify the number of IP addresses, ports, or usernames you want this test to consider.
username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP.
this many - Specify the time value you want to assign to this test.
seconds | minutes | hours | days - Specify the time interval you want this rule to consider. The default is minutes.


Table C-17 Flow Rules: Functions - Counters Group (continued)

Test Multi-Rule Function

Description Allows you to detect a series of rules for a specific IP address or port followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.

Default Test Name when any of these rules with the same source IP more than this many times, across more than| exactly this many destination IP within this many minutes

Parameters Configure the following parameters:


rules - Specify the rules you want this test to consider.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
this many - Specify the number of times the configured rules must match the test.
more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source option.
this many - Specify the number you want this test to consider, depending on the option you configured in the source IP parameter.
username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP.
this many - Specify the time interval you want to assign to this test.
seconds | minutes | hours | days - Specify the time interval you want this rule to consider. The default is minutes.

Flow Property Function

Allows you to detect a series of events with the same flow properties within the configured time interval. For example, you can use this test to detect when 100 flows with the same source IP address occur within 5 minutes.

when at least this many flows are seen with the same flow properties in this many minutes

Configure the following parameters:


this many - Specify the number of flows you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.


Table C-17 Flow Rules: Functions - Counters Group (continued)

Test Flow Property Function

Description Allows you to detect a series of events with the same flow properties and different flow properties within the configured time interval. For example, you can use this test to detect when 100 flows with the same source IP address and different destination IP addresses occur within 5 minutes.

Default Test Name when at least this many flows are seen with the same flow properties and different flow properties in this many minutes

Parameters Configure the following parameters:


this many - Specify the number of flows you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
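The counter test above, in the guide's own example, fires when 100 flows with the same source IP address and different destination IP addresses occur within 5 minutes. As an added example (not STRM's own code), the following Python class implements that check as a sliding window keyed on the "same" properties that counts distinct values of the "different" properties; it assumes each flow is a dict carrying a ts field in epoch seconds, and the property names and sample flows are constructed.

```python
from collections import defaultdict, deque
from typing import Any, Deque, Dict, List, Sequence, Tuple

# Added example, not STRM code: the counter test
#   when at least this many flows are seen with the same flow properties
#   and different flow properties in this many minutes
# Assumption: "different" means each counted flow carries a value of the
# configured properties not seen in any other flow in the window, so the
# test counts distinct values rather than raw flows.

Flow = Dict[str, Any]


class FlowPropertyCounter:
    def __init__(self, same: Sequence[str], different: Sequence[str],
                 threshold: int, window_minutes: float):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.same = tuple(same)
        self.different = tuple(different)
        self.threshold = threshold
        self.window = float(window_minutes) * 60.0
        # Per "same" key: sliding window of (ts, values of the "different" props).
        self._seen: Dict[Tuple, Deque[Tuple[float, Tuple]]] = defaultdict(deque)

    def observe(self, flow: Flow) -> bool:
        """Feed one flow; returns True when the test condition holds."""
        ts = float(flow["ts"])
        key = tuple(flow.get(p) for p in self.same)
        diff = tuple(flow.get(p) for p in self.different)
        window = self._seen[key]
        window.append((ts, diff))
        # Evict flows older than the configured interval (flows are fed in time order).
        while window and ts - window[0][0] > self.window:
            window.popleft()
        distinct = {d for _, d in window}
        return len(distinct) >= self.threshold


def run_constructed_sample() -> List[Tuple[str, float]]:
    """Replays constructed flows through a 5-distinct-destinations-in-5-minutes
    test; returns the (source IP, ts) pairs at which it fired."""
    test = FlowPropertyCounter(same=["sourceip"], different=["destinationip"],
                               threshold=5, window_minutes=5)
    sample = [
        {"ts": 1000.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.1"},
        {"ts": 1010.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.2"},
        {"ts": 1020.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.2"},  # repeat, not distinct
        {"ts": 1030.0, "sourceip": "10.0.0.9", "destinationip": "192.0.2.3"},  # other source
        {"ts": 1040.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.3"},
        {"ts": 1050.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.4"},
        {"ts": 1060.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.5"},  # 5th distinct: fires
        {"ts": 1400.0, "sourceip": "10.0.0.5", "destinationip": "192.0.2.6"},  # earlier flows aged out
    ]
    fired = []
    for flow in sample:
        if test.observe(flow):
            fired.append((flow["sourceip"], flow["ts"]))
    return fired  # [("10.0.0.5", 1060.0)]
```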

Rule Function

Allows you to detect a number of specific rules with the same flow properties within the configured time interval.

when these rules match at least this many times in this many minutes

Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.


Table C-17 Flow Rules: Functions - Counters Group (continued)

Test Flow Property Function

Description Allows you to detect a number of specific rules with the same flow properties within the configured time interval.

Default Test Name when these rules match at least this many times with the same flow properties in this many minutes

Parameters Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Flow Property Function

Allows you to detect a number of specific rules with the same flow properties and different flow properties within the configured time interval.

when these rules match at least this many times with the same flow properties and different flow properties in this many minutes

Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.


Function - Simple Tests

The function - simple tests include:

Table C-18 Flow Rules: Functions - Simple Group

Test Multi-Rule Flow Function

Description Allows you to use saved building blocks and other rules to populate this test. The flow has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.

Default Test Name when a flow matches any|all of the following rules

Parameters Configure the following parameters:
any | all - Specify either any or all of the configured rules that should apply to this test.
rules - Specify the rules you want this test to consider.

Date/Time Tests

The date and time tests include:

Table C-19 Flow Rules: Date/Time Tests

Test Flow Day

Description Valid when the flow occurs on the configured day of the month.

Default Test Name when the flow(s) occur on the selected day of the month

Parameters Configure the following parameters:
on | after | before - Specify if you want this test to consider on, after, or before the configured day. The default is on.
selected - Specify the day of the month you want this test to consider.

Flow Week

Valid when the flow occurs on the configured days of the week.

when the flow(s) occur on any of these days of the week

these days of the week - Specify the days of the week you want this test to consider.

Flow Time

Valid when the flow occurs at, before, or after the configured time.

when the flow(s) occur after this time

Configure the following parameters:
after | before | at - Specify if you want this test to consider after, before, or at the configured time. The default is after.
this time - Specify the time you want this test to consider.

Network Property Tests

The network property test group includes:

Table C-20 Flow Rules: Network Property Tests

Test Local Network Object

Description Valid when the flow occurs in the specified network.

Default Test Name when the local network is one of the following networks

Parameters one of the following networks - Specify the areas of the network you want this test to apply to.


Table C-20 Flow Rules: Network Property Tests (continued)

Test Remote Networks

Description Valid when an IP address is part of any or all of the configured remote network locations.

Default Test Name when the source IP is a part of any of the following remote network locations

Parameters Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address. The default is source IP.
remote network locations - Specify the network locations you want this test to consider.

Remote Services Networks

Valid when an IP address is part of any or all of the configured remote services network locations.

when the source IP is a part of any of the following remote services network locations

Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address. The default is source IP.
remote services network locations - Specify the services network locations you want this test to consider.

Geographic Networks

Valid when an IP address is part of any or all of the configured geographic network locations.

when the source IP is a part of any of the following geographic network locations

Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address. The default is source IP.
geographic network locations - Specify the network locations you want this test to consider.

Function - Negative Tests

The function - negative tests include:


Table C-21 Flow Rules: Functions - Negative Group

Test Flow Property Function

Description Allows you to detect when none of the specified rules occur in a configured time interval after a series of specific rules occur with the same flow properties.

Default Test Name when none of these rules match in this many minutes after these rules match with the same flow properties

Parameters Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
flow properties - Specify the flow properties you want this test to consider. Options include all normalized and custom flow properties.

Rule Function

Allows you to detect when none of the specified rules occur in a configured time interval after a series of specific rules occur.

when none of these rules match in this many minutes after these rules match

Configure the following parameters:


these rules - Specify the rules you want this test to consider.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.


Common Rule Tests

This section provides information on the common rule tests you can apply to both event and flow records, including:

Host Profile Tests
IP/Port Tests
Common Property Tests
Functions - Sequence Tests
Function - Counter Tests
Function - Simple Tests
Date/Time Tests
Network Property Tests
Functions Negative Tests

Host Profile Tests

The host profile tests include:

Table C-22 Common Rule: Host Profile Tests

Test Host Profile Port

Description Valid when the port is open on the configured local source or destination. You can also specify if the status of the port is detected using one of the following methods:
Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
Passive - STRM passively monitors the network recording hosts previously detected.

Default Test Name when the local source host destination port is open either actively or passively seen

Parameters Configure the following parameters:
source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
actively seen | passively seen | either actively or passively seen - Specify if you want this test to consider active and/or passive scanning. The default is either actively or passively seen.

Host Existence

Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify if the status of the host is detected using one of the following methods:
Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
Passive - STRM passively monitors the network recording hosts previously detected.

when the local source host exists either actively or passively seen

Configure the following parameters:
source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
actively seen | passively seen | either actively or passively seen - Specify if you want this test to consider active and/or passive scanning. The default is either actively or passively seen.


Table C-22 Common Rule: Host Profile Tests (continued)

Test Host Profile Age

Description Valid when the local source or destination host profile age is greater than the configured value within the configured time intervals.

Default Test Name when the local source host profile age is greater than this number of time intervals

Parameters Configure the following parameters:
source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
greater than | less than - Specify if you want this test to consider values greater than or less than the profile port age.
this number of - Specify the number of time intervals you want this test to consider.
time intervals - Specify whether you want this test to consider minutes or hours.

Host Port Age

Valid when the local source or destination host port profile age is greater than or less than a configured amount of time.

when the local source host profile port age is greater than this number of time intervals

Configure the following parameters:
source | destination - Specify if you want this test to apply to the source or destination port. The default is source.
greater than | less than - Specify if you want this test to consider values greater than or less than the profile port age. The default is greater than.
this number of - Specify the number of time intervals you want this test to consider.
time intervals - Specify whether you want this test to consider minutes or hours.

Asset Weight

Valid when the device being attacked (destination) or the host that is the attacker (source) has an assigned weight greater than or less than the configured value.

when the destination asset has a weight greater than this weight

Configure the following parameters:


source | destination - Specify if you want this test to consider the source or destination asset. The default is destination.
greater than | less than | equal to - Specify if you want the value to be greater than, less than, or equal to the configured value.
this weight - Specify the weight you want this test to consider.


Table C-22 Common Rule: Host Profile Tests (continued)

Test OSVDB IDs

Description Valid when an IP address (source, destination, or any) is vulnerable to the configured Open Source Vulnerability Database (OSVDB) IDs.

Default Test Name when the source IP is vulnerable to one of the following OSVDB IDs

Parameters Configure the following parameters:


source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address. The default is source IP.
OSVDB IDs - Specify any OSVDB IDs that you want this test to consider. For more information regarding OSVDB IDs, see http://osvdb.org/.

IP/Port Tests

The IP/Port tests include:

Table C-23 Common Rule: IP / Port Test Group

Test Source Port

Description Valid when the source port of the event or flow is one of the configured source port(s).

Default Test Name when the source port is one of the following ports

Parameters ports - Specify the ports you want this test to consider.

Destination Port

Valid when the destination port of the event or flow is one of the configured destination port(s).

when the destination port is one of the following ports

ports - Specify the ports you want this test to consider.

Local Port

Valid when the local port of the event or flow is one of the configured local port(s).

when the local port is one of the following ports

ports - Specify the ports you want this test to consider.

Remote Port

Valid when the remote port of the event or flow is one of the configured remote port(s).

when the remote port is one of the following ports

ports - Specify the ports you want this test to consider.

Source IP Address

Valid when the source IP address of the event or flow is one of the configured IP address(es).

when the source IP is one of the following IP addresses

IP addresses - Specify the IP address(es) you want this test to consider.

Destination IP Address

Valid when the destination IP address of the event or flow is one of the configured IP address(es).

when the destination IP is one of the following IP addresses

IP addresses - Specify the IP address(es) you want this test to consider.

Local IP Address

Valid when the local IP address of the event or flow is one of the configured IP address(es).

when the local IP is one of the following IP addresses

IP addresses - Specify the IP address(es) you want this test to consider.

STRM Administration Guide

Common Rule Tests

53

Table C-23 Common Rule: IP / Port Test Group (continued)

Test Remote IP Address

Description

Default Test Name

Parameters IP addresses - Specify the IP address(es) you want this test to consider. IP addresses - Specify the IP address(es) you want this test to consider.

Valid when the remote IP when the remote IP is one address of the event or flow of the following IP is one of the configured IP addresses address(es). Valid when the source or destination IP address of the event or flow is one of the configured IP address(es). when either the source or destination IP is one of the following IP addresses

IP Address

Source or Valid when either the when the source or Destination Port source or destination port is destination port is any of one of the configured ports. these ports

these ports - Specify the ports you want this test to consider.

Common Property Tests

The common property tests include:

Table C-24 Common Rules: Common Property Tests

Test: IP Protocol
Description: Valid when the IP protocol of the event or flow is one of the configured protocols.
Default Test Name: when the IP protocol is one of the following protocols
Parameters: protocols - Specify the protocols you want to add to this test.

Test: Payload Search
Description: This test is valid when the entered search string is included anywhere in the event or flow source or destination payload.
Default Test Name: when the Flow Source or Destination Payload contains this string
Parameters: this string - Specify the text string you want to include for this test.

Test: Context
Description: Context is the relationship between the source and destination of the event or flow. For example, a local source to a remote destination. Valid if the context is one of the following: Local to Local, Local to Remote, Remote to Local, Remote to Remote.
Default Test Name: when the context is this context
Parameters: this context - Specify the context you want this test to consider. The options are: Local to Local, Local to Remote, Remote to Local, Remote to Remote.

Test: Source Location
Description: Valid when the source is either local or remote.
Default Test Name: when the source is local or remote {default: Remote}
Parameters: local | remote - Specify if you want the source to be local or remote. The default is remote.

Test: Destination Location
Description: Valid when the destination IP address of the event or flow is either local or remote.
Default Test Name: when the destination is local or remote {default: remote}
Parameters: local | remote - Specify either local or remote traffic.

Test: Regex
Description: Valid when the configured MAC address, username, hostname, or operating system is associated with a particular regular expression (regex) string.
Default Test Name: when the username matches the following regex
Parameters: Configure the following parameters:
hostname | source hostname | destination hostname | source payload | destination payload - Specify the value you want to associate with this test. The default is username.
regex - Specify the regex string you want this test to consider.
Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.

Test: IPv6
Description: Valid when the source or destination IPv6 address is the configured IP address.
Default Test Name: when the source IP(v6) is one of the following IPv6 addresses
Parameters: Configure the following parameters:
source IP(v6) | destination IP(v6) - Specify whether you want this test to consider the source or destination IPv6 address.
IP(v6) addresses - Specify the IPv6 addresses you want this test to consider.

Test: Reference Set
Description: Valid when any or all configured event or flow properties are contained in any or all configured reference sets.
Default Test Name: when any of these properties are contained in any of these reference set(s)
Parameters: Configure the following parameters:
any | all - Specify if you want this test to consider any or all of the configured event properties.
these properties - Specify the event or flow properties you want this test to consider.
any | all - Specify if you want this test to consider any or all of the configured reference sets.
these reference set(s) - Specify the reference set(s) you want this test to consider.

Test: CVSS Risk (Host)
Description: Valid when the specified host has a CVSS risk value that matches the configured value.
Default Test Name: when the destination host has a CVSS risk value of greater than this amount
Parameters: Configure the following parameters:
source | destination | either - Specify whether the test considers the source and/or destination host of the flow.
greater than | less than | equal to - Specify if you want the CVSS risk value to be greater than, less than, or equal to the configured value.
0 - Specify the value you want this test to consider. The default is 0.

Test: CVSS Risk (Port)
Description: Valid when the specified port has a CVSS risk value that matches the configured value.
Default Test Name: when the destination port has a CVSS risk value of greater than this amount
Parameters: Configure the following parameters:
source | destination | either - Specify whether the test considers the source and/or destination port of the flow.
greater than | less than | equal to - Specify if you want the threat level to be greater than, less than, or equal to the configured value.
0 - Specify the value you want this test to consider. The default is 0.

Test: Search Filter
Description: Valid when the event or flow matches the specified search filter.
Default Test Name: when the event or flow matches this search filter
Parameters: this search filter - Specify the search filter you want this test to consider.

Test: Regex
Description: Valid when the configured property is associated with a particular regular expression (regex) string.
Default Test Name: when these properties match the following regex
Parameters: Configure the following parameters:
these properties - Specify the value you want to associate with this test. Options include all normalized, and custom flow and event properties.
regex - Specify the regex string you want this test to consider.
Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.

Test: Custom Rule Engines
Description: Valid when the event or flow is processed by the specified Custom Rule Engines.
Default Test Name: when the event or flow is processed by one of these Custom Rule Engines
Parameters: these - Specify the Custom Rule Engine you want this test to consider.

Test: Hexadecimal
Description: Valid when the configured property is associated with particular hexadecimal values.
Default Test Name: when any of these properties contain any of these hexadecimal values
Parameters: Configure the following parameters:
these properties - Specify the value you want to associate with this test. Options include all normalized, and custom flow and event properties.
these hexadecimal values - Specify the hexadecimal values you want this test to consider.
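The Context, Source Location and Destination Location tests in Table C-24 all rest on the same local/remote classification of an address. The following Python is an added example, not code from the STRM guide or product: it assumes a constructed list of local networks (STRM itself takes local/remote from its configured network hierarchy) and shows how the four Context values and the two Location tests are derived from the source and destination addresses of a flow.

```python
"""Added example (not part of the STRM guide): evaluating the Context,
Source Location and Destination Location tests of Table C-24.

Assumption: LOCAL_NETWORKS below is a constructed stand-in for the network
hierarchy that STRM uses to decide what counts as local.
"""
from ipaddress import ip_address, ip_network

# Constructed local network hierarchy (assumption for this example only).
LOCAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("192.168.0.0/16"),
]


def location(ip: str) -> str:
    """Return 'Local' if ip falls inside a configured local network,
    otherwise 'Remote'. This is the classification behind both Location
    tests and the Context test."""
    addr = ip_address(ip)
    return "Local" if any(addr in net for net in LOCAL_NETWORKS) else "Remote"


def context(source_ip: str, destination_ip: str) -> str:
    """Return one of the four Context values listed in Table C-24:
    'Local to Local', 'Local to Remote', 'Remote to Local', 'Remote to Remote'."""
    return f"{location(source_ip)} to {location(destination_ip)}"


def context_test(source_ip: str, destination_ip: str, this_context: str) -> bool:
    """The Context test: valid when the flow's context equals this_context."""
    return context(source_ip, destination_ip) == this_context


def source_location_test(source_ip: str, local_or_remote: str = "remote") -> bool:
    """The Source Location test; the default parameter is remote, as in the guide."""
    return location(source_ip).lower() == local_or_remote.lower()


def destination_location_test(destination_ip: str, local_or_remote: str = "remote") -> bool:
    """The Destination Location test; the default parameter is remote."""
    return location(destination_ip).lower() == local_or_remote.lower()


if __name__ == "__main__":
    # Constructed sample flows (documentation address ranges).
    for src, dst in [("10.1.2.3", "203.0.113.7"), ("203.0.113.7", "192.168.5.9"),
                     ("10.1.2.3", "10.9.9.9"), ("198.51.100.1", "203.0.113.7")]:
        print(f"{src} -> {dst}: {context(src, dst)}")
```

What counts as local is entirely determined by the network hierarchy: an address range missing from the hierarchy makes internal traffic classify as Remote to Remote, which silently changes the outcome of every rule that keys on context or location, so the hierarchy deserves the same review as the rules themselves.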

Functions Sequence Tests

The functions - sequence tests include:

Table C-25 Common: Functions - Sequence Group

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.
Default Test Name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters: Configure the following parameters:
rules - Specify the rules you want this test to consider.
in | in any - Specify whether you want this test to consider in or in any order.
the same | any - Specify if you want this test to consider the same or any of the configured sources.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
the same | any - Specify if you want this test to consider the same or any of the configured destinations.
destination IP | destination port - Specify whether you want this test to consider a destination IP address, username, or destination port. The default is destination IP.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of specified rules, in sequence, involving a source and destination within a configured time interval.
Default Test Name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters: Configure the following parameters:
this number - Specify the number of rules you want this function to consider.
rules - Specify the rules you want this test to consider.
in | in any - Specify whether you want this test to consider in or in any order.
the same | any - Specify if you want this test to consider the same or any of the configured sources.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
the same | any - Specify if you want this test to consider the same or any of the configured destinations.
destination IP | destination port - Specify whether you want this test to consider a destination IP address, username, or destination port. The default is destination IP.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.

Test: Multi-Event Sequence Function Between Hosts
Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.
Default Test Name: when this sequence of rules, involving the same source and destination hosts in this many seconds
Parameters: Configure the following parameters:
rules - Specify the rules you want this test to consider.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is seconds.

Test: Rule Function
Description: Allows you to detect a number of specific rules with the same event properties and different event properties within the configured time interval.
Default Test Name: when these rules match at least this many times in this many minutes after these rules match
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Test: Event Property Function
Description: Allows you to detect when a configured number of specific rules with the same event properties occur within the configured time interval.
Default Test Name: when these rules match at least this many times with the same event properties in this many minutes after these rules match
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Test: Event Property Function
Description: Allows you to detect when specific rules occur a configured number of times with the same event properties and different event properties within the configured time interval after a series of specific rules.
Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes after these rules match
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Test: Rule Function
Description: Allows you to detect when specific rules occur a configured number of times in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when these rules match at least this many times in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.

Test: Event Property Function
Description: Allows you to detect when specific rules occur a configured number of times with the same event properties in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when these rules match at least this many times with the same event properties in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.

Test: Event Property Function
Description: Allows you to detect when specific rules occur a configured number of times with the same event properties and different event properties in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.

Test: Event Property Function
Description: Allows you to detect when a specific number of events occur with the same event properties and different event properties in a configured time interval after a series of specific rules occur.
Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes after these rules match
Parameters: Configure the following parameters:
this many - Specify the number of events you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.

Test: Event Property Function
Description: Allows you to detect when a specific number of events occur with the same event properties in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when at least this many events are seen with the same event properties in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
this many - Specify the number of events you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.

Test: Event Property Function
Description: Allows you to detect when a specific number of events occur with the same event properties and different event properties in a configured time interval after a series of specific rules occur with the same event properties.
Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes after these rules match with the same event properties
Parameters: Configure the following parameters:
this many - Specify the number of events you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
these rules - Specify the rules you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
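The sequence functions in Table C-25 all correlate earlier rule matches with later ones between the same hosts inside a time window. The following Python is an added example, not code from the STRM guide or product, in the spirit of the Multi-Event Sequence Function Between Hosts test ("when this sequence of rules, involving the same source and destination hosts in this many seconds"). It tracks, per source/destination pair, how far through the configured rule sequence the pair has progressed, discards a partial sequence once it ages out of the window, and reports each completed occurrence. The rule names and match records are constructed.

```python
"""Added example (not part of the STRM guide): an in-order rule sequence
detector between the same source and destination hosts.

Rule matches are modelled as (timestamp_seconds, rule_name, source_ip,
destination_ip) tuples. SEQUENCE and SAMPLE_MATCHES are constructed.
"""
from collections import defaultdict

# Constructed rule sequence: a scan, then failed logins, then a success,
# all between the same two hosts.
SEQUENCE = ["Scan Detected", "Failed Login", "Successful Login"]

# Constructed matches, already in timestamp order (documentation addresses).
SAMPLE_MATCHES = [
    (0,   "Scan Detected",    "203.0.113.7",  "10.1.2.3"),
    (5,   "Failed Login",     "203.0.113.7",  "10.1.2.3"),
    (7,   "Scan Detected",    "203.0.113.7",  "10.9.9.9"),
    (10,  "Failed Login",     "198.51.100.1", "10.1.2.3"),  # before its scan
    (12,  "Scan Detected",    "198.51.100.1", "10.1.2.3"),
    (20,  "Successful Login", "198.51.100.1", "10.1.2.3"),  # out of order
    (25,  "Failed Login",     "198.51.100.1", "10.1.2.3"),
    (30,  "Successful Login", "198.51.100.1", "10.1.2.3"),
    (40,  "Successful Login", "203.0.113.7",  "10.1.2.3"),
    (300, "Failed Login",     "203.0.113.7",  "10.9.9.9"),  # window expired
    (310, "Successful Login", "203.0.113.7",  "10.9.9.9"),
]


def find_sequences(matches, rules, this_many_seconds):
    """Return (source_ip, destination_ip, first_ts, last_ts) for every
    completed occurrence of `rules` in order between the same host pair,
    with the whole sequence inside this_many_seconds. `matches` must be in
    timestamp order; `rules` must be non-empty."""
    # Per host pair: [index of the next rule awaited, timestamp of the
    # first rule of the current partial sequence or None].
    state = defaultdict(lambda: [0, None])
    hits = []
    for ts, rule, src, dst in matches:
        idx, start = state[(src, dst)]
        # A partial sequence older than the window cannot complete: drop it.
        if start is not None and ts - start > this_many_seconds:
            idx, start = 0, None
        if rule == rules[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(rules):
                hits.append((src, dst, start, ts))
                idx, start = 0, None
        elif rule == rules[0]:
            # The sequence restarts from a fresh first rule.
            idx, start = 1, ts
        # Any other rule is ignored; it neither advances nor resets.
        state[(src, dst)] = [idx, start]
    return hits


def sequence_test(this_many_seconds=60):
    """Run the detector over the constructed matches."""
    return find_sequences(SAMPLE_MATCHES, SEQUENCE, this_many_seconds)


if __name__ == "__main__":
    for src, dst, first, last in sequence_test():
        print(f"{src} -> {dst}: sequence completed between t={first}s and t={last}s")
```

Two properties of the constructed data are worth checking against the output: the 198.51.100.1 pair only completes once "Failed Login" is seen after "Scan Detected" (the earlier, out-of-order matches do not count), and the 10.9.9.9 pair never completes because its second rule arrives long after the 60-second window has closed.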


Function - Counter Tests

The function - counter tests include:

Table C-26 Common Rules: Functions - Counter Test Group

Test: Multi-Event Counter Function
Description: Allows you to test the number of events or flows from configured conditions, such as source IP address. You can also use building blocks and other rules to populate this test.
Default Test Name: when a(n) source IP matches more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes
Parameters: Configure the following parameters:
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
more than | exactly - Specify if you want this test to consider more than or exactly the number of rules.
this many - Specify the number of rules you want this test to consider.
rules - Specify the rules you want this test to consider.
more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source above.
this many - Specify the number of IP addresses, ports, QIDs, events, log sources, or categories you want this test to consider.
username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP.
this many - Specify the time value you want to assign to this test.
seconds | minutes | hours | days - Specify the time interval you want this rule to consider. The default is minutes.

Test: Multi-Rule Function
Description: Allows you to detect a series of rules for a specific IP address or port followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
Default Test Name: when any of these rules with the same source IP more than this many times, across more than|exactly this many destination IP within this many minutes
Parameters: Configure the following parameters:
rules - Specify the rules you want this test to consider.
source IP | source port | destination IP | destination port | QID | category - Specify the source you want this test to consider. The default is source IP.
this many - Specify the number of times the configured rules must match the test.
more than | exactly - Specify if you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), log source event ID(s), or log source(s) that you selected in the source option.
this many - Specify the number you want this test to consider, depending on the option you configured in the source IP parameter.
username | destination IP | source IP | source port | destination port | QID | event ID | log sources | category - Specify the destination you want this test to consider. The default is destination IP.
this many - Specify the time interval you want to assign to this test.
seconds | minutes | hours | days - Specify the time interval you want this rule to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a series of events with the same event properties within the configured time interval. For example, you can use this test to detect when 100 events with the same source IP address occur within 5 minutes.
Default Test Name: when at least this many events are seen with the same event properties in this many minutes
Parameters: Configure the following parameters:
this many - Specify the number of events you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a series of events with the same event properties and different event properties within the configured time interval. For example, you can use this test to detect when 100 events with the same source IP address and different destination IP addresses occur within 5 minutes.
Default Test Name: when at least this many events are seen with the same event properties and different event properties in this many minutes
Parameters: Configure the following parameters:
this many - Specify the number of events you want this test to consider.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Rule Function
Description: Allows you to detect when a number of specific rules with the same event properties occur within the configured time interval.
Default Test Name: when these rules match at least this many times in this many minutes
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a number of specific rules with the same event properties within the configured time interval.
Default Test Name: when these rules match at least this many times with the same event properties in this many minutes
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.

Test: Event Property Function
Description: Allows you to detect a number of specific rules with the same event properties and different event properties within the configured time interval.
Default Test Name: when these rules match at least this many times with the same event properties and different event properties in this many minutes
Parameters: Configure the following parameters:
these rules - Specify the rules you want this test to consider.
this many - Specify the number of times the configured rules must match the test.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
event properties - Specify the event properties you want this test to consider. Options include all normalized and custom event properties.
this many - Specify the number of time intervals you want this test to consider.
seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
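The two Event Property Function counter tests in Table C-26 differ only in whether a second property must vary across the counted events; the guide's own illustration is 100 events with the same source IP address and different destination IP addresses within 5 minutes. The following Python is an added example, not code from the STRM guide or product: a sliding-window counter for both variants, run over constructed events. The field names `source_ip`, `destination_ip` and `ts` and the three traffic patterns are assumptions for the example.

```python
"""Added example (not part of the STRM guide): sliding-window counters in
the spirit of the Event Property Function tests
  "when at least this many events are seen with the same event properties
   in this many minutes" and
  "... with the same event properties and different event properties in
   this many minutes".

Events are dicts with a 'ts' field in seconds and must arrive in timestamp
order. All events below are constructed.
"""
from collections import defaultdict, deque


def same_only(events, same_key, this_many, this_many_minutes):
    """Return the same_key values (for example source IPs) that accumulate at
    least this_many events inside a this_many_minutes window."""
    window = this_many_minutes * 60
    recent = defaultdict(deque)   # same_key value -> timestamps in window
    fired = set()
    for ev in events:
        s, ts = ev[same_key], ev["ts"]
        q = recent[s]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= this_many:
            fired.add(s)
    return fired


def same_and_different(events, same_key, different_key, this_many, this_many_minutes):
    """Return the same_key values for which at least this_many events with
    distinct different_key values (for example distinct destination IPs)
    fell inside a this_many_minutes window."""
    window = this_many_minutes * 60
    recent = defaultdict(deque)                     # s -> (ts, d) in window
    distinct = defaultdict(lambda: defaultdict(int))  # s -> d -> count in window
    fired = set()
    for ev in events:
        s, d, ts = ev[same_key], ev[different_key], ev["ts"]
        q = recent[s]
        q.append((ts, d))
        distinct[s][d] += 1
        while q and ts - q[0][0] > window:
            old_ts, old_d = q.popleft()
            distinct[s][old_d] -= 1
            if distinct[s][old_d] == 0:   # no in-window event carries it now
                del distinct[s][old_d]
        if len(distinct[s]) >= this_many:
            fired.add(s)
    return fired


def constructed_events():
    """Three constructed traffic patterns, 100 events each, documentation
    addresses throughout."""
    events = []
    for i in range(100):
        # One source reaching 100 distinct destinations in under 4 minutes.
        events.append({"ts": 2 * i, "source_ip": "203.0.113.7",
                       "destination_ip": f"10.0.0.{i + 1}"})
        # A chatty client: 100 events, always to the same destination.
        events.append({"ts": 2 * i + 1, "source_ip": "10.1.2.3",
                       "destination_ip": "10.9.9.9"})
        # 100 distinct destinations, but spread over 50 minutes.
        events.append({"ts": 30 * i, "source_ip": "198.51.100.1",
                       "destination_ip": f"10.0.1.{i + 1}"})
    events.sort(key=lambda e: e["ts"])
    return events


def run_counters():
    """Evaluate both tests with the guide's figures: 100 events, 5 minutes."""
    events = constructed_events()
    return (same_only(events, "source_ip", 100, 5),
            same_and_different(events, "source_ip", "destination_ip", 100, 5))


if __name__ == "__main__":
    same, same_diff = run_counters()
    print("same source IP, 100 in 5 min:", sorted(same))
    print("same source IP, 100 different destinations in 5 min:", sorted(same_diff))
```

The chatty client fires the "same" variant but not the "same and different" one, which is exactly the distinction the guide's example draws; the slow source fires neither, because at 30-second spacing no 5-minute window ever holds 100 of its events. A production correlation engine bounds the per-key state shown here with a deque; in this example it grows with the number of distinct source IPs.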


Function - Simple Tests

The function - simple tests include:

Table C-27 Common Rules: Functions - Simple Test Group

Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default Test Name: when a flow or an event matches any|all of the following rules
Parameters: Configure the following parameters:
any | all - Specify either any or all of the configured rules that should apply to this test.
rules - Specify the rules you want this test to consider.

Date/Time Tests

The date and time tests include:

Table C-28 Common Rule: Date/Time Tests

Test: Event/Flow Day
Description: Valid when the event or flow occurs on the configured day of the month.
Default Test Name: when the flow(s) or event(s) occur on the selected day of the month
Parameters: Configure the following parameters:
on | after | before - Specify if you want this test to consider on, after, or before the configured day. The default is on.
selected - Specify the day of the month you want this test to consider.

Test: Event/Flow Week
Description: Valid when the event or flow occurs on the configured days of the week.
Default Test Name: when the flow(s) or event(s) occur on any of these days of the week
Parameters: these days of the week - Specify the days of the week you want this test to consider.

Test: Event/Flow Time
Description: Valid when the event or flow occurs at, before, or after the configured time.
Default Test Name: when the flow(s) or event(s) occur after this time
Parameters: Configure the following parameters:
after | before | at - Specify if you want this test to consider after, before, or at the configured time. The default is after.
this time - Specify the time you want this test to consider.

Network Property Tests

The network property test group includes:

Table C-29 Common Rule: Network Property Tests

Test: Local Network Object
Description: Valid when the event occurs in the specified network.
Default Test Name: when the local network is one of the following networks
Parameters: one of the following networks - Specify the areas of the network you want this test to apply to.

Test: Remote Networks
Description: Valid when an IP address is part of any or all of the configured remote network locations.
Default Test Name: when the source IP is part of any of the following remote network locations
Parameters: Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
remote network locations - Specify the network locations you want this test to consider.

Test: Remote Services Networks
Description: Valid when an IP address is part of any or all of the configured remote services network locations.
Default Test Name: when the source IP is a part of any of the following remote services network locations
Parameters: Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
remote services network locations - Specify the remote services network locations you want this test to consider.

Test: Geographic Networks
Description: Valid when an IP address is part of any or all of the configured geographic network locations.
Default Test Name: when the Source IP is a part of any of the following geographic network locations
Parameters: Configure the following parameters:
source IP | destination IP | any IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
geographic network locations - Specify the geographic network locations you want this test to consider.

Functions Negative Tests

The functions negative tests include:

Table C-30 Common Rules: Functions - Negative Test Group

Test: Flow Property Function
Description: Allows you to detect when none of the specified rules occur in a configured time interval after a series of specific rules occur with the same flow properties.
Default Test Name: when none of these rules match in this many minutes after these rules match with the same flow properties
Parameters: Configure the following parameters:
  these rules - Specify the rules that must not match within the time interval.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
  these - Specify the rules whose match starts the time interval.
  flow properties - Specify the flow properties that the starting match and any later match must share. Options include all normalized and custom flow properties.


Table C-30 Common Rules: Functions - Negative Test Group (continued)

Test: Rule Function
Description: Allows you to detect when none of the specified rules occur in a configured time interval after a series of specific rules occur.
Default Test Name: when none of these rules match in this many minutes after these rules match
Parameters: Configure the following parameters:
  these rules - Specify the rules that must not match within the time interval.
  this many - Specify the number of time intervals you want this test to consider.
  seconds | minutes | hours | days - Specify the time interval you want this test to consider. The default is minutes.
  these rules - Specify the rules whose match starts the time interval.
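Both negative-function tests share one evaluation model: a match of one of the starting rules opens a time window, and the test fires only if that window closes without any of the listed rules matching, correlated on the chosen flow properties for the Flow Property Function and uncorrelated for the Rule Function. The following Python is an added example and is not part of this guide or of STRM: the rule names ("Session Opened", "Session Closed"), the flow property name (src_ip), the timestamps and the match stream are all constructed, and the function and type names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class RuleMatch:
    """One rule match taken from a constructed stream of matches."""
    ts: float                                   # match time in seconds
    rule: str                                   # name of the rule that matched
    props: dict = field(default_factory=dict)   # normalized/custom flow properties


def negative_test(stream, trigger_rules, absent_rules, window, same_props=(), now=None):
    """Return (trigger_time, key) for every trigger match that was NOT followed
    by any of `absent_rules` within `window` seconds.

    `same_props` names the flow properties that the trigger and the cancelling
    match must share (Flow Property Function); leave it empty for the
    uncorrelated Rule Function.  A trigger is reported only once its window has
    closed, because until then a cancelling match may still arrive; `now` is the
    evaluation time and defaults to the last timestamp in the stream.
    """
    stream = sorted(stream, key=lambda m: m.ts)
    if now is None:
        now = stream[-1].ts if stream else 0.0
    pending = {}    # correlation key -> trigger timestamps whose window is still open
    fires = []

    def close_expired(at):
        for key in list(pending):
            still_open = []
            for t0 in pending[key]:
                if at - t0 > window:
                    fires.append((t0, key))     # window closed and nothing cancelled it
                else:
                    still_open.append(t0)
            if still_open:
                pending[key] = still_open
            else:
                del pending[key]

    for m in stream:
        close_expired(m.ts)                    # retire windows this match can no longer cancel
        key = tuple(m.props.get(p) for p in same_props)
        if m.rule in absent_rules:
            pending.pop(key, None)             # follow-up seen inside the window: cancel
        if m.rule in trigger_rules:
            pending.setdefault(key, []).append(m.ts)
    close_expired(now)
    return sorted(fires)


# Constructed sample: two "Session Opened" matches, only one of which is
# followed by a "Session Closed" from the same source within ten minutes.
SAMPLE_STREAM = [
    RuleMatch(0,   "Session Opened", {"src_ip": "10.0.0.1"}),
    RuleMatch(100, "Session Opened", {"src_ip": "10.0.0.2"}),
    RuleMatch(200, "Session Closed", {"src_ip": "10.0.0.1"}),
    RuleMatch(900, "Unrelated",      {"src_ip": "10.0.0.3"}),
]


def sample_correlated():
    """Flow Property Function: correlate on src_ip, 600 s window, evaluated at t=1000."""
    return negative_test(SAMPLE_STREAM, {"Session Opened"}, {"Session Closed"},
                         window=600, same_props=("src_ip",), now=1000)


def sample_uncorrelated():
    """Rule Function: same window, no correlation, so one close cancels every trigger."""
    return negative_test(SAMPLE_STREAM, {"Session Opened"}, {"Session Closed"},
                         window=600, now=1000)


if __name__ == "__main__":
    print(sample_correlated())    # [(100, ('10.0.0.2',))]
    print(sample_uncorrelated())  # []
```

The second call shows why the flow-property variant exists: without correlation, a single "Session Closed" from any source satisfies the test for every open window, so the uncorrelated Rule Function is only meaningful when the follow-up rule is itself specific enough.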

Offense Rule Tests

This section provides information on the tests you can apply to the offense rules, including:

IP/Port Tests
Function Tests
Date/Time Tests
Log Source Tests
Offense Property Tests

IP/Port Tests

The IP/Port tests include:

Table C-31 Offense Rules: IP/Port Test Group

Test: Offense Index
Description: Valid when the source IP address is one of the configured IP address(es).
Default Test Name: when the offense is indexed by one of the following IP addresses
Parameters:
  IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Test: Destination IP Address
Description: Valid when the destination list includes any or all of the configured IP address(es).
Default Test Name: when the destination list includes any of the following IP addresses
Parameters: Configure the following parameters:
  any | all - Specify if you want this test to consider any or all of the listed destinations. The default is any.
  IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.


Function Tests

The function tests include:

Table C-32 Offense Rules: Offense Function Group

Test: Multi-Rule Offense Function
Description: Allows you to use saved building blocks and other rules to populate this test. The offense has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default Test Name: when the offense matches any of the following offense rules
Parameters: Configure the following parameters:
  any | all - Specify either any or all of the configured rules that should apply to this test. The default is any.
  offense rules - Specify the rules you want this test to consider.

Date/Time Tests

The date and time tests include:

Table C-33 Offense Rules: Date/Time Tests

Test: Offense Day
Description: Valid when the offense occurs on the configured day of the month.
Default Test Name: when the offense(s) occur on the selected day of the month
Parameters: Configure the following parameters:
  on | after | before - Specify if you want this rule to consider on, after, or before the selected date. The default is on.
  selected - Specify the date you want this test to consider.

Test: Offense Week
Description: Valid when the offense occurs on the configured day of the week.
Default Test Name: when the offense(s) occur on these days of the week
Parameters: Configure the following parameters:
  on | after | before - Specify if you want this rule to consider on, after, or before the selected day. The default is on.
  these days of the week - Specify the days you want this test to consider.

Test: Offense Time
Description: Valid when the offense occurs after, before, or on the configured time.
Default Test Name: when the offense(s) occur after this time
Parameters: Configure the following parameters:
  on | after | before - Specify if you want this test to consider on, after, or before the specified time. The default is after.
  this time - Specify the time you want this test to consider.


Log Source Tests

The log source tests include:

Table C-34 Offense Rules: Log Source Tests

Test: Log Source Types
Description: Valid when one of the configured log source types is the source of the offense.
Default Test Name: when the log source type(s) that detected the offense is one of the following log source types
Parameters:
  log source types - Specify the log source types that you want this test to detect.

Test: Number of Log Source Type
Description: Valid when the number of log source types that detected the offense is greater than or equal to the configured value.
Default Test Name: when the number of log source types that detected the offense is greater than this number
Parameters: Configure the following parameters:
  greater than | equal to - Specify if you want the number of log source types to be greater than or equal to the configured value.
  this number - Specify the number of log source types that you want this test to consider.

Offense Property Tests

The offense property tests include:

Table C-35 Offense Rules: Offense Property Tests

Test: Network Object
Description: Valid when the networks affected by the offense include any or all of the configured networks.
Default Test Name: when the networks affected are any of the following networks
Parameters: Configure the following parameters:
  any | all - Specify if you want this test to consider any or all networks. The default is any.
  the following networks - Specify the networks you want this test to consider.

Test: Offense Category
Description: Valid when the event category is any or all of the configured event categories. For more information on event categories, see Appendix E Event Categories.
Default Test Name: when the categories of the offense includes any of the following list of categories
Parameters: Configure the following parameters:
  any | all - Specify if you want this test to consider any or all categories. The default is any.
  list of categories - Specify the categories you want this test to consider.

Test: Severity
Description: Valid when the severity is greater than, less than, or equal to the configured value.
Default Test Name: when the offense severity is greater than 5
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the offense severity to be greater than, less than, or equal to the configured value. The default is greater than.
  5 - Specify the value you want this test to consider. The default is 5.


Table C-35 Offense Rules: Offense Property Tests (continued)

Test: Credibility
Description: Valid when the credibility is greater than, less than, or equal to the configured value.
Default Test Name: when the offense credibility is greater than 5
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the offense credibility to be greater than, less than, or equal to the configured value. The default is greater than.
  5 - Specify the value you want this test to consider. The default is 5.

Test: Relevance
Description: Valid when the relevance is greater than, less than, or equal to the configured value.
Default Test Name: when the offense relevance is greater than 5
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the offense relevance to be greater than, less than, or equal to the configured value. The default is greater than.
  5 - Specify the value you want this test to consider. The default is 5.

Test: Offense Context
Description: Offense Context is the relationship between the source and destination of the offense, for example, a local attacker to a remote target. Valid if the offense context is one of the following: Local to Local, Local to Remote, Remote to Local, Remote to Remote.
Default Test Name: when the offense context is this context
Parameters:
  this context - Specify the context you want this test to consider. The options are: Local to Local, Local to Remote, Remote to Local, Remote to Remote.

Test: Source Location
Description: Valid when the source is either local or remote.
Default Test Name: when the source is local or remote {default: remote}
Parameters:
  local | remote - Specify if you want the source to be local or remote. The default is remote.

Test: Destination Location
Description: Valid when the destination is either local or remote.
Default Test Name: when the destination list includes local or remote IP addresses {default: remote}
Parameters:
  local IPs | remote IPs - Specify if you want the target to be local or remote. The default is remote IPs.

Test: Destination Count in an Offense
Description: Valid when the number of destinations for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of destinations under attack is greater than this number
Parameters: Configure the following parameters:
  greater than | equal to - Specify if you want the number of destinations to be greater than or equal to the configured value.
  this number - Specify the value you want this test to consider.


Table C-35 Offense Rules: Offense Property Tests (continued)

Test: Event Count in an Offense
Description: Valid when the number of events for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of events making up the offense is greater than this number
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the event count to be greater than, less than, or equal to the configured value.
  this number - Specify the value you want this test to consider.

Test: Flow Count in an Offense
Description: Valid when the number of flows for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of flows making up the offense is greater than this number
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the flow count to be greater than, less than, or equal to the configured value.
  this number - Specify the value you want this test to consider.

Test: Total Event/Flow Count in an Offense
Description: Valid when the total number of events and flows for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of events and flows making up the offense is greater than this number
Parameters: Configure the following parameters:
  greater than | less than | equal to - Specify if you want the event and flow count to be greater than, less than, or equal to the configured value.
  this number - Specify the value you want this test to consider.

Test: Category Count in an Offense
Description: Valid when the number of event categories for an offense is greater than, less than, or equal to the configured value. For more information on event categories, see Appendix E Event Categories.
Default Test Name: when the number of categories involved in the offense is greater than this number
Parameters: Configure the following parameters:
  greater than | equal to - Specify if you want the number of categories to be greater than or equal to the configured value.
  this number - Specify the value you want this test to consider.

Test: Offense ID
Description: Valid when the Offense ID is the configured value.
Default Test Name: when the offense ID is this ID
Parameters:
  this ID - Specify the offense ID you want this test to consider.

Test: Offense Creation
Description: Valid when a new offense is created.
Default Test Name: when a new offense is created


Table C-35 Offense Rules: Offense Property Tests (continued)

Test: Offense Change
Description: Valid when the configured offense property has increased above the configured value.
Default Test Name: when the offense property has increased by at least this percent
Parameters: Configure the following parameters:
  Magnitude | Severity | Credibility | Relevance | Destination count | Source count | Category count | Annotation count | Event count - Specify the property you want this test to consider. The default is Magnitude.
  this - Specify the percent or unit value you want this test to consider.
  percent | unit(s) - Specify if you want this test to consider percentage or units.

Anomaly Detection Rule Tests

This section provides information on the tests you can apply to the anomaly detection rules, including:

Anomaly Rule Tests
Behavioral Rule Tests
Threshold Rule Tests

Anomaly Rule Tests

This section provides information on the anomaly rule tests you can apply to the rules, including:

Anomaly Tests
Time Threshold Tests

Anomaly Tests

The anomaly test group includes:


Table C-36 Anomaly Rules: Anomaly Tests

Test: Anomaly
Description: Valid when the accumulated property has increased or decreased by the specified percentage over a short period of time when compared against the specified larger period of time. For example, if the average destination bytes out for the last 24 hours is 100,000,000 bytes for each minute, and then over a 5 minute period the average bytes out increases by 40 percent, this test is valid.
Note: The Accumulator sends data to the Anomaly Detection Rule engine in one minute intervals. For more information on the Accumulator, see Chapter 8 - Using the Deployment Editor.
Default Test Name: when the average value (per interval) of this accumulated property over the last 1 min is at least percentage% different from the average value (per interval) of the same property over the last 1 min
Parameters: Configure the following parameters:
  this accumulated property - Specify the accumulated property you want this test to consider.
  1 min - Specify the short time interval you want this test to consider. The default is 1 min.
  40 - Specify the percentage you want this test to consider. The default is 40.
  1 min - Specify the longer time interval that the short interval is compared against. The default is 1 min.

Test: Minimum Value
Description: Valid when the tested value for the accumulated interval exceeds the configured value.
Default Test Name: when accumulation intervals are only considered if the tested value for that interval exceeds some value
Parameters:
  some value - Specify the value you want to consider for the configured accumulation interval.
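The Anomaly test in Table C-36 is a comparison of two averages over per-minute accumulated data, with the Minimum Value test acting as a filter on which minutes take part. The following Python is an added example, not part of this guide or of STRM, that reproduces the guide's worked example (24 hours at 100,000,000 bytes out per minute, then five minutes 40 percent higher) on constructed data. The guide does not say whether the longer window overlaps the short one; this example assumes the baseline is the interval block immediately before the short window, and the function and constant names are its own.

```python
from statistics import mean


def anomaly_test(values, short_len, long_len, percent, minimum=None):
    """Evaluate the Anomaly test of Table C-36 over accumulated data.

    values    : one accumulated value per one-minute interval, oldest first
                (the Accumulator delivers data to the rule engine per minute)
    short_len : number of most recent intervals that form the short window
    long_len  : number of intervals in the baseline window
    percent   : minimum absolute percentage difference for the test to be valid
    minimum   : Minimum Value test; intervals whose value does not exceed it are
                ignored in both windows (None disables the filter)

    Assumption (not stated in the guide): the baseline is the `long_len`
    intervals immediately before the short window, not overlapping it.
    Returns (valid, pct_change); pct_change is None when no comparison is possible.
    """
    if len(values) < short_len + long_len:
        return False, None                      # not enough history yet

    def kept(v):
        return minimum is None or v > minimum

    short = [v for v in values[-short_len:] if kept(v)]
    base = [v for v in values[-(short_len + long_len):-short_len] if kept(v)]
    if not short or not base:
        return False, None                      # every interval was filtered out
    short_avg, base_avg = mean(short), mean(base)
    if base_avg == 0:
        return False, None                      # no baseline to take a percentage of
    pct = 100.0 * (short_avg - base_avg) / base_avg
    return abs(pct) >= percent, pct


# Constructed sample reproducing the guide's example: 24 hours of 100,000,000
# bytes out per minute, followed by 5 minutes that are 40 percent higher.
BASELINE = [100_000_000] * (24 * 60)
SPIKE = [140_000_000] * 5


def guide_example():
    return anomaly_test(BASELINE + SPIKE, short_len=5, long_len=24 * 60, percent=40)


if __name__ == "__main__":
    print(guide_example())   # (True, 40.0)
```

The Minimum Value filter matters for sparse properties: a baseline with many idle minutes has a low average, so an ordinary burst looks like a large percentage change until the idle minutes are excluded from both windows.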

Time Threshold Tests

The time threshold test group includes:

Table C-37 Anomaly Rules: Time Threshold Tests

Test: Date Range
Description: Valid when anomalous activity is detected within the specified date range.
Default Test Name: when the date is between this date and this date
Parameters: Configure the following parameters:
  this date - Specify the start date for your date range.
  this date - Specify the end date for your date range.

Test: Day of the Week
Description: Valid when anomalous activity is detected on the specified day of the week.
Default Test Name: when the day of the week is any of these selected days
Parameters:
  these selected days - Specify the days you want this test to consider.


Table C-37 Anomaly Rules: Time Threshold Tests (continued)

Test: Time Range
Description: Valid when anomalous activity is detected within the specified time range.
Default Test Name: when the time of day is between this time and this time
Parameters: Configure the following parameters:
  this time - Specify the start time for your time range.
  this time - Specify the end time for your time range.

Behavioral Rule Tests

This section provides information on the behavioral rule tests you can apply to the rules, including:

Behavioral Tests
Time Threshold Tests

Behavioral Tests

The behavioral test group includes:

Table C-38 Behavioral Rules: Behavioral Tests

Test: Accumulated Property
Description: Specifies which accumulated property this rule considers.
Default Test Name: when this accumulated property is the tested property
Parameters:
  this accumulated property - Specify the accumulated property you want this test to consider.

Test: Current Traffic Level
Description: Valid when the current traffic level represents the specified seasonal change in data over the time period specified in the Season Length test. For example, the current traffic level test can compare current data with data from the same time period yesterday.
Default Test Name: when the importance of the current traffic level (on a scale of 0 to 100) is importance compared to learned traffic trends and behavior
Parameters:
  70 - Specify the level of importance, on a scale of 0 to 100, you want this test to consider. The default is 70.

Test: Current Traffic Trend
Description: Valid when the current traffic trend represents the specified seasonal effect in data for each time interval. For example, the current traffic trend test can test for when data increases the same amount from week 2 to week 3 as it did from week 1 to week 2.
Default Test Name: when the importance of the current traffic trend (on a scale of 0 to 100) is importance compared to learned traffic trends and behavior
Parameters:
  30 - Specify the level of importance, on a scale of 0 to 100, you want this test to consider. The default is 30.


Table C-38 Behavioral Rules: Behavioral Tests (continued)

Test: Current Traffic Behavior
Description: Valid when the current traffic behavior changes in data for each time interval. For example, the current traffic behavior test can test for data changes when comparing this minute to the minute before.
Default Test Name: when the importance of the current traffic behavior (on a scale of 0 to 100) is importance compared to learned traffic trends and behavior
Parameters:
  30 - Specify the level of importance, on a scale of 0 to 100, you want this test to consider. The default is 30.

Test: Deviation
Description: Valid when the accumulated property deviates from the predicted traffic pattern.
Default Test Name: when the actual field value deviates by a margin of at least deviation% of the extrapolated (predicted) field value
Parameters:
  50 - Specify the percentage of deviation you want this test to consider. The default is 50.

Test: Season Length
Description: Valid when the season length represents the time interval you want to test. Typically, for network traffic, you can set the season length as a week. When monitoring traffic from automated systems, we recommend setting the season length as a day.
Default Test Name: when the season length is season
Parameters:
  a day | a week | a month - Specify the season length you want this test to consider.

Test: Minimum Value
Description: Valid when the tested value for the accumulated interval exceeds the configured value.
Default Test Name: when accumulation intervals are only considered if the tested value for that interval exceeds 0
Parameters:
  0 - Specify the value you want to consider for the configured accumulation interval.

Time Threshold Tests

The time threshold test group includes:

Table C-39 Behavioral Rules: Time Threshold Tests

Test: Date Range
Description: Valid when anomalous activity is detected within the specified date range.
Default Test Name: when the date is between this date and this date
Parameters: Configure the following parameters:
  this date - Specify the start date for your date range.
  this date - Specify the end date for your date range.

Test: Day of the Week
Description: Valid when anomalous activity is detected on the specified day of the week.
Default Test Name: when the day of the week is any of these selected days
Parameters:
  these selected days - Specify the days you want this test to consider.


Table C-39 Behavioral Rules: Time Threshold Tests (continued)

Test: Time Range
Description: Valid when anomalous activity is detected within the specified time range.
Default Test Name: when the time of day is between this time and this time
Parameters: Configure the following parameters:
  this time - Specify the start time for your time range.
  this time - Specify the end time for your time range.

Threshold Rule Tests

This section provides information on the threshold rule tests you can apply to the rules, including:

Field Threshold Tests
Time Threshold Tests

Field Threshold Tests

The field threshold test group includes:

Table C-40 Threshold Rules: Field Threshold Tests

Test: Threshold Value
Description: Valid when the accumulated property is greater than, less than, or equal to the specified value. You can specify the interval, in minutes, you want to accumulate the property.
Default Test Name: when this accumulated property is greater than this value (accumulated in 1 min intervals)
Parameters: Configure the following parameters:
  this accumulated property - Specify the accumulated property you want this test to consider.
  greater than | less than | equal to - Specify whether the accumulated property value is greater than, less than, or equal to the configured value.
  0 - Specify the value you want this test to consider. The default is 0.
  1 min - Specify the interval, in minutes, you want to accumulate the property. The default is 1 min.

Test: Threshold Range
Description: Valid when the accumulated property is within a specified range. You can specify the interval, in minutes, you want to accumulate the property.
Default Test Name: when this accumulated property is between this value and this value (accumulated in 1 min intervals)
Parameters: Configure the following parameters:
  this accumulated property - Specify the accumulated property you want this test to consider.
  0 - Specify the value you want this test to consider as the start of the range. The default is 0.
  0 - Specify the value you want this test to consider as the end of the range. The default is 0.
  1 min - Specify the interval, in minutes, you want to accumulate the property. The default is 1 min.


Time Threshold Tests

The time threshold test group includes:

Table C-41 Threshold Rules: Time Threshold Tests

Test: Date Range
Description: Valid when anomalous activity is detected within the specified date range.
Default Test Name: when the date is between this date and this date
Parameters: Configure the following parameters:
  this date - Specify the start date for your date range.
  this date - Specify the end date for your date range.

Test: Day of the Week
Description: Valid when anomalous activity is detected on the specified day of the week.
Default Test Name: when the day of the week is any of these selected days
Parameters:
  these selected days - Specify the days you want this test to consider.

Test: Time Range
Description: Valid when anomalous activity is detected within the specified time range.
Default Test Name: when the time of day is between this time and this time
Parameters: Configure the following parameters:
  this time - Specify the start time for your time range.
  this time - Specify the end time for your time range.


VIEWING AUDIT LOGS

Changes made by STRM users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM and the users performing those changes. All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named audit.log. Once the file reaches a size of 200 MB, the file is compressed and renamed audit.1.gz, audit.2.gz, and so on, with the file number incrementing each time a log file is archived. STRM stores up to 50 archived log files. This appendix provides information on using the audit logs, including:

Logged Actions
Viewing the Log File

Logged Actions

STRM logs the following categories of actions in the audit log file. Table D-1 provides a record of the logged actions.

Note: You can view audit log events using the Log Activity interface.

Table D-1 Logged Actions

Category: Administrator Authentication
Actions: Log in to the STRM Administration Console. Log out of the STRM Administration Console.

Category: Assets
Actions: Delete an asset. Delete all assets.

Category: Audit Log Access
Actions: Perform a search that includes events with a high-level event category of Audit.


Table D-1 Logged Actions (continued)

Category: Backup and Recovery
Actions: Edit the configuration. Initiate the backup. Complete the backup. Fail the backup. Delete the backup. Synchronize the backup. Cancel the backup. Initiate the restore. Upload a backup. Upload an invalid backup. Delete the backup. Purge the backup.

Category: Custom Properties
Actions: Add a custom event property. Edit a custom event property. Delete a custom event property. Add a custom flow property. Edit a custom flow property. Delete a custom flow property.

Category: Chart Configuration
Actions: Save flow or event chart configuration.

Category: Custom Property Expressions
Actions: Add a custom event property expression. Edit a custom event property expression. Delete a custom event property expression. Add a custom flow property expression. Edit a custom flow property expression. Delete a custom flow property expression.

Category: Event and Flow Retention Buckets
Actions: Add a bucket. Delete a bucket. Edit a bucket. Enable or disable a bucket.

Category: Flow Sources
Actions: Add a flow source. Edit a flow source. Delete a flow source.

Category: Groups
Actions: Add a group. Delete a group. Edit a group.


Table D-1 Logged Actions (continued)

Category: High Availability
Actions: Add an HA host. Remove an HA host. Set an HA system offline. Set an HA system online. Restore an HA system.

Category: Installation
Actions: Install a .rpm package, such as a DSM update.

Category: Log Sources
Actions: Add a log source. Edit a log source. Delete a log source. Add a log source group. Edit a log source group. Delete a log source group. Edit the DSM parsing order.

Category: License
Actions: Add a license key. Edit a license key.

Category: Log Source Extension
Actions: Add a log source extension. Edit the log source extension. Delete a log source extension. Upload a log source extension. Upload a log source extension successfully. Upload an invalid log source extension. Download a log source extension. Report a log source extension. Modify a log source's association to a device or device type.

Category: Offenses
Actions: Hide an offense. Close an offense. Close all offenses. Add a destination note. Add a source note. Add a network note. Add an offense note.

Category: Protocol Configuration
Actions: Add a protocol configuration. Delete a protocol configuration. Edit a protocol configuration.


Table D-1 Logged Actions (continued)

Category: QIDmap
Actions: Add a QID map entry. Edit a QID map entry.

Category: Reference Sets
Actions: Create a reference set. Edit a reference set. Purge elements in a reference set. Delete a reference set.

Category: Reports
Actions: Add a template. Delete a template. Edit a template. Execute a template. Delete a report. Delete generated content. View a generated report. E-mail a generated report.

Category: Root Login
Actions: Log in to STRM, as root. Log out of STRM, as root.

Category: Rules
Actions: Add a rule. Delete a rule. Edit a rule.

Category: Scanner
Actions: Add a scanner. Delete a scanner. Edit a scanner.

Category: Scanner Schedule
Actions: Add a schedule. Edit a schedule. Delete a schedule.

Category: Session Authentication
Actions: Create a new administration session. Terminate an administration session. Deny an invalid authentication session. Expire a session authentication. Create an authentication session. Terminate an authentication session.

Category: SIM
Actions: Clean a SIM model.

Category: Syslog Forwarding
Actions: Add a syslog forwarding. Delete a syslog forwarding. Edit a syslog forwarding.


Table D-1 Logged Actions (continued)

Category: System Management
Actions: Shut down a system. Restart a system.

Category: TNC Recommendations
Actions: Create a recommendation. Edit a recommendation. Delete a recommendation.

Category: User Accounts
Actions: Add an account. Edit an account. Delete an account.

Category: User Authentication
Actions: Log in to STRM. Log out of STRM. Deny a login attempt.

Category: Ariel
Actions: Add an Ariel property. Delete an Ariel property. Edit an Ariel property. Add an Ariel property extension. Delete an Ariel property extension. Edit an Ariel property extension.

Category: User Roles
Actions: Add a role. Edit a role. Delete a role.

Category: VIS
Actions: Discover a new host. Discover a new operating system. Discover a new port. Discover a new vulnerability.

Viewing the Log File

To view the audit logs:

Step 1 Log in to STRM, as root.
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the desired audit log file.

Each entry in the log file displays using the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.

Where:
<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a user record or an event rule. Because the payload is the changed record itself, an Account Modified entry includes the account's password hash, as the second example below shows. The audit files are plain text, so restrict read access to /var/log/audit and treat any copy you forward or archive as sensitive.

For example:
Nov 6 12:22:31 localhost.localdomain [email protected] (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain [email protected] (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, [email protected], userrole=Admin
Nov 13 10:14:44 localhost.localdomain [email protected] (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
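The entry format above parses cleanly with one regular expression, and because the rotated files are gzip-compressed, a review of who changed what has to read audit.log and the audit.N.gz archives together. The following Python is an added example, not part of this guide or of STRM: the sample entries are constructed (the host name, user names, addresses and the "Deny Login" action string are invented, while the category and sub-category strings follow the guide's own examples), the file-discovery and flagging functions are this example's own, and which entries get flagged is this example's choice rather than anything STRM does.

```python
import gzip
import re
from pathlib import Path

# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
AUDIT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<user>[^\s@]+)@(?P<ip>\S+)\s+\((?P<thread>[^)]*)\)\s+"
    r"\[(?P<category>[^\]]*)\]\s+\[(?P<subcategory>[^\]]*)\]\s+\[(?P<action>[^\]]*)\]"
    r"(?:\s+(?P<payload>.*))?$"
)


def parse_audit_line(line):
    """Return the fields of one audit entry as a dict, or None when the line
    does not follow the format (for example a stray continuation line)."""
    m = AUDIT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["payload"] = entry["payload"] or ""
    return entry


def audit_files(log_dir="/var/log/audit"):
    """audit.log first, then audit.1.gz, audit.2.gz, ... in numeric order."""
    base = Path(log_dir)
    if not base.is_dir():
        return []
    archives = []
    for path in base.glob("audit.*.gz"):
        m = re.fullmatch(r"audit\.(\d+)\.gz", path.name)
        if m:
            archives.append((int(m.group(1)), path))
    current = base / "audit.log"
    return ([current] if current.exists() else []) + [p for _, p in sorted(archives)]


def read_audit_lines(paths):
    """Yield lines from plain and gzip-compressed audit files alike."""
    for path in paths:
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def flag_entries(lines, watched_users=("root",)):
    """Return (entry, reasons) for entries a reviewer would want to see:
    authentication activity by watched users, user account changes, and
    payloads that embed a password hash (which the guide's own example shows)."""
    flagged = []
    for line in lines:
        e = parse_audit_line(line)
        if e is None:
            continue
        reasons = []
        if e["user"] in watched_users and e["category"] == "Authentication":
            reasons.append("authentication by watched user")
        if e["category"] == "Configuration" and e["subcategory"] == "User Account":
            reasons.append("user account changed")
        if "password=" in e["payload"]:
            reasons.append("payload carries a password hash")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed sample entries (not real STRM output); "<hash>" stands in for a crypt hash.
SAMPLE_LINES = [
    "Nov  6 12:22:31 strm-console admin@10.0.0.5 (Session) [Authentication] [User] [Login]",
    "Nov  6 12:22:31 strm-console admin@10.0.0.5 (0) [Configuration] [User Account] "
    "[Account Modified] username=james, password=<hash>, networks=ALL, userrole=Admin",
    "Nov  6 12:25:02 strm-console root@10.0.0.9 (Session) [Authentication] [User] [Login]",
    "Nov  6 12:30:00 strm-console james@10.0.0.7 (Session) [Authentication] [User] [Deny Login]",
    "this line is not an audit entry and is skipped",
]


if __name__ == "__main__":
    for entry, reasons in flag_entries(SAMPLE_LINES):
        print(entry["user"], entry["action"], reasons)
    # On a Console: flag_entries(read_audit_lines(audit_files()))
```

Two properties of the format drive the design: the date carries no year, so ordering across archives relies on the file number rather than on the timestamp, and the payload is free text up to 1024 characters, which is why the expression anchors on the bracketed fields and treats everything after the action as opaque.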


EVENT CATEGORIES

This appendix provides information on the types of event categories and the processing of events, including:

High-Level Event Categories
Recon
DoS
Authentication
Access
Exploit
Malware
Suspicious Activity
System
Policy
CRE
Potential Exploit
SIM Audit
VIS Host Discovery
Application
Audit
Risk

Note: The Risk high-level category only appears in the interface when STRM Risk Manager is installed.


High-Level Event Categories

The high-level event categories include:

Table E-1 High-Level Event Categories

Recon - Events relating to scanning and other techniques used to identify network resources, for example, network or host port scans.
DoS - Events relating to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks.
Authentication - Events relating to authentication controls, group, or privilege change, for example, log in or log out.
Access - Events resulting from an attempt to access network resources, for example, firewall accept or deny.
Exploit - Events relating to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits.
Malware - Events relating to viruses, trojans, back door attacks, or other forms of hostile software. This may include a virus, trojan, malicious software, or spyware.
Suspicious Activity - The nature of the threat is unknown but behavior is suspicious, including protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known IDS evasion techniques.
System - Events related to system changes, software installation, or status messages.
Policy - Events regarding corporate policy violations or misuse.
CRE - Events generated from an offense or event rule. For more information on creating custom rules, see the STRM Administration Guide.
Potential Exploit - Events relating to potential application exploits and buffer overflow attempts.
SIM Audit - Events relating to user interaction with the Console and administrative functions.
VIS Host Discovery - Events relating to the host, ports, or vulnerabilities that the VIS component discovers.
Application - Events relating to application activity.
Audit - Events relating to audit activity in STRM Risk Manager.
Risk - Events relating to risk activity in STRM Risk Manager.

Recon

The Recon category indicates events relating to scanning and other techniques used to identify network resources. The associated low-level event categories include:

Table E-2 Recon Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Form of Recon | Indicates an unknown form of reconnaissance. | 2
Application Query | Indicates reconnaissance against applications on your system. | 3
Host Query | Indicates reconnaissance against a host in your network. | 3
Network Sweep | Indicates reconnaissance across your network. | 4
Mail Reconnaissance | Indicates reconnaissance against your mail system. | 3
Windows Reconnaissance | Indicates reconnaissance against Windows hosts. | 3
Portmap / RPC Request | Indicates reconnaissance through portmap or RPC requests. | 3
Host Port Scan | Indicates that a scan of a host's ports occurred. | 4
RPC Dump | Indicates that Remote Procedure Call (RPC) service information has been dumped (enumerated). | 3
DNS Reconnaissance | Indicates reconnaissance against the DNS server. | 3
Misc Reconnaissance Event | Indicates a miscellaneous reconnaissance event. | 2
Web Reconnaissance | Indicates web reconnaissance on your network. | 3
Database Reconnaissance | Indicates database reconnaissance on your network. | 3
ICMP Reconnaissance | Indicates reconnaissance using ICMP traffic. | 3
UDP Reconnaissance | Indicates reconnaissance using UDP traffic. | 3
SNMP Reconnaissance | Indicates reconnaissance using SNMP traffic. | 3
ICMP Host Query | Indicates an ICMP host query. | 3
UDP Host Query | Indicates a UDP host query. | 3
NMAP Reconnaissance | Indicates NMAP reconnaissance. | 3
TCP Reconnaissance | Indicates TCP reconnaissance on your network. | 3
Unix Reconnaissance | Indicates reconnaissance against your UNIX hosts. | 3
FTP Reconnaissance | Indicates FTP reconnaissance. | 3

DoS

The DoS category indicates events relating to Denial of Service (DoS) attacks against services or hosts. The associated low-level event categories include:

Table E-3 DoS Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown DoS Attack | Indicates an unknown DoS attack. | 8
ICMP DoS | Indicates an ICMP DoS attack. | 9
TCP DoS | Indicates a TCP DoS attack. | 9
UDP DoS | Indicates a UDP DoS attack. | 9
DNS Service DoS | Indicates a DNS service DoS attack. | 8
Web Service DoS | Indicates a web service DoS attack. | 8
Mail Service DoS | Indicates a mail server DoS attack. | 8
Distributed DoS | Indicates a distributed DoS attack. | 9
Misc DoS | Indicates a miscellaneous DoS attack. | 8
Unix DoS | Indicates a Unix DoS attack. | 8
Windows DoS | Indicates a Windows DoS attack. | 8
Database DoS | Indicates a database DoS attack. | 8
FTP DoS | Indicates an FTP DoS attack. | 8
Infrastructure DoS | Indicates a DoS attack on the infrastructure. | 8
Telnet DoS | Indicates a Telnet DoS attack. | 8
Brute Force Login | Indicates a brute force login attack, that is, repeated attempts to access your system through unauthorized methods. | 8
High Rate TCP DoS | Indicates a high rate TCP DoS attack. | 8
High Rate UDP DoS | Indicates a high rate UDP DoS attack. | 8
High Rate ICMP DoS | Indicates a high rate ICMP DoS attack. | 8
High Rate DoS | Indicates a high rate DoS attack. | 8
Medium Rate TCP DoS | Indicates a medium rate TCP DoS attack. | 8
Medium Rate UDP DoS | Indicates a medium rate UDP DoS attack. | 8
Medium Rate ICMP DoS | Indicates a medium rate ICMP DoS attack. | 8
Medium Rate DoS | Indicates a medium rate DoS attack. | 8
Low Rate TCP DoS | Indicates a low rate TCP DoS attack. | 8
Low Rate UDP DoS | Indicates a low rate UDP DoS attack. | 8
Low Rate ICMP DoS | Indicates a low rate ICMP DoS attack. | 8
Low Rate DoS | Indicates a low rate DoS attack. | 8
Distributed High Rate TCP DoS | Indicates a distributed high rate TCP DoS attack. | 8
Distributed High Rate UDP DoS | Indicates a distributed high rate UDP DoS attack. | 8
Distributed High Rate ICMP DoS | Indicates a distributed high rate ICMP DoS attack. | 8
Distributed High Rate DoS | Indicates a distributed high rate DoS attack. | 8
Distributed Medium Rate TCP DoS | Indicates a distributed medium rate TCP DoS attack. | 8
Distributed Medium Rate UDP DoS | Indicates a distributed medium rate UDP DoS attack. | 8
Distributed Medium Rate ICMP DoS | Indicates a distributed medium rate ICMP DoS attack. | 8
Distributed Medium Rate DoS | Indicates a distributed medium rate DoS attack. | 8
Distributed Low Rate TCP DoS | Indicates a distributed low rate TCP DoS attack. | 8
Distributed Low Rate UDP DoS | Indicates a distributed low rate UDP DoS attack. | 8
Distributed Low Rate ICMP DoS | Indicates a distributed low rate ICMP DoS attack. | 8
Distributed Low Rate DoS | Indicates a distributed low rate DoS attack. | 8
High Rate TCP Scan | Indicates a high rate TCP scan. | 8
High Rate UDP Scan | Indicates a high rate UDP scan. | 8
High Rate ICMP Scan | Indicates a high rate ICMP scan. | 8
High Rate Scan | Indicates a high rate scan. | 8
Medium Rate TCP Scan | Indicates a medium rate TCP scan. | 8
Medium Rate UDP Scan | Indicates a medium rate UDP scan. | 8
Medium Rate ICMP Scan | Indicates a medium rate ICMP scan. | 8
Medium Rate Scan | Indicates a medium rate scan. | 8
Low Rate TCP Scan | Indicates a low rate TCP scan. | 8
Low Rate UDP Scan | Indicates a low rate UDP scan. | 8
Low Rate ICMP Scan | Indicates a low rate ICMP scan. | 8
Low Rate Scan | Indicates a low rate scan. | 8
VoIP DoS | Indicates a VoIP DoS attack. | 8
Flood | Indicates a flood attack. | 8
TCP Flood | Indicates a TCP flood attack. | 8
UDP Flood | Indicates a UDP flood attack. | 8
ICMP Flood | Indicates an ICMP flood attack. | 8
SYN Flood | Indicates a SYN flood attack. | 8
URG Flood | Indicates a flood attack with the urgent (URG) flag set. | 8
SYN URG Flood | Indicates a SYN flood attack with the urgent (URG) flag set. | 8
SYN FIN Flood | Indicates a SYN FIN flood attack. | 8
SYN ACK Flood | Indicates a SYN ACK flood attack. | 8

Authentication

The authentication category indicates events relating to authentication, sessions, and the access controls that monitor users on the network. The associated low-level event categories include:

Table E-4 Authentication Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Authentication | Indicates an unknown authentication event. | 1
Host Login Succeeded | Indicates a successful host login. | 1
Host Login Failed | Indicates that the host login failed. | 3
Misc Login Succeeded | Indicates that the login sequence succeeded. | 1
Misc Login Failed | Indicates that the login sequence failed. | 3
Privilege Escalation Failed | Indicates that the privilege escalation failed. | 3
Privilege Escalation Succeeded | Indicates that the privilege escalation succeeded. | 1
Mail Service Login Succeeded | Indicates that the mail service login succeeded. | 1
Mail Service Login Failed | Indicates that the mail service login failed. | 3
Auth Server Login Failed | Indicates that the authentication server login failed. | 3
Auth Server Login Succeeded | Indicates that the authentication server login succeeded. | 1
Web Service Login Succeeded | Indicates that the web service login succeeded. | 1
Web Service Login Failed | Indicates that the web service login failed. | 3
Admin Login Successful | Indicates that an administrative login has been successful. | 1
Admin Login Failure | Indicates that the administrative login failed. | 3
Suspicious Username | Indicates that a user attempted to access the network using an incorrect username. | 4
Login with username/password defaults successful | Indicates that a user accessed the network using the default username and password. | 
Login with username/password defaults failed | Indicates that a user was unsuccessful accessing the network using the default username and password. | 
FTP Login Succeeded | Indicates that the FTP login has been successful. | 1
FTP Login Failed | Indicates that the FTP login failed. | 3
SSH Login Succeeded | Indicates that the SSH login has been successful. | 1
SSH Login Failed | Indicates that the SSH login failed. | 2
User Right Assigned | Indicates that user access to network resources has been successfully granted. | 1
User Right Removed | Indicates that user access to network resources has been successfully removed. | 1
Trusted Domain Added | Indicates that a trusted domain has been successfully added to your deployment. | 1
Trusted Domain Removed | Indicates that a trusted domain has been removed from your deployment. | 1
System Security Access Granted | Indicates that system security access has been successfully granted. | 1
System Security Access Removed | Indicates that system security access has been successfully removed. | 1
Policy Added | Indicates that a policy has been successfully added. | 1
Policy Change | Indicates that a policy has been successfully changed. | 1
User Account Added | Indicates that a user account has been successfully added. | 1
User Account Changed | Indicates a change to an existing user account. | 1
Password Change Failed | Indicates that an attempt to change an existing password failed. | 3
Password Change Succeeded | Indicates that a password change has been successful. | 1
User Account Removed | Indicates that a user account has been successfully removed. | 1
Group Member Added | Indicates that a group member has been successfully added. | 1
Group Member Removed | Indicates that a group member has been removed. | 1
Group Added | Indicates that a group has been successfully added. | 1
Group Changed | Indicates a change to an existing group. | 1
Group Removed | Indicates that a group has been removed. | 1
Computer Account Added | Indicates that a computer account has been successfully added. | 1
Computer Account Changed | Indicates a change to an existing computer account. | 1
Computer Account Removed | Indicates that a computer account has been successfully removed. | 1
Remote Access Login Succeeded | Indicates that access to the network using a remote login has been successful. | 1
Remote Access Login Failed | Indicates that an attempt to access the network using a remote login failed. | 3
General Authentication Successful | Indicates that the authentication process has been successful. | 1
General Authentication Failed | Indicates that the authentication process failed. | 3
Telnet Login Succeeded | Indicates that the Telnet login has been successful. | 1
Telnet Login Failed | Indicates that the Telnet login failed. | 3
Suspicious Password | Indicates that a user attempted to log in using a suspicious password. | 4
Samba Login Successful | Indicates that a user successfully logged in using Samba. | 1
Samba Login Failed | Indicates that a user login using Samba failed. | 3
Auth Server Session Opened | Indicates that a communication session with the authentication server has been started. | 1
Auth Server Session Closed | Indicates that a communication session with the authentication server has been closed. | 1
Firewall Session Closed | Indicates that a firewall session has been closed. | 1
Host Logout | Indicates that a host successfully logged out. | 1
Misc Logout | Indicates that a user successfully logged out. | 1
Auth Server Logout | Indicates that the process to log out of the authentication server has been successful. | 1
Web Service Logout | Indicates that the process to log out of the web service has been successful. | 1
Admin Logout | Indicates that the administrative user successfully logged out. | 1
FTP Logout | Indicates that the process to log out of the FTP service has been successful. | 1
SSH Logout | Indicates that the process to log out of the SSH session has been successful. | 1
Remote Access Logout | Indicates that the process to log out using remote access has been successful. | 1
Telnet Logout | Indicates that the process to log out of the Telnet session has been successful. | 1
Samba Logout | Indicates that the process to log out of Samba has been successful. | 1
SSH Session Started | Indicates that an SSH login session has been initiated on a host. | 1
SSH Session Finished | Indicates the termination of an SSH login session on a host. | 1
Admin Session Started | Indicates that a login session has been initiated on a host by an administrative or privileged user. | 1
Admin Session Finished | Indicates the termination of an administrator's or privileged user's login session on a host. | 1
VoIP Login Succeeded | Indicates a successful VoIP service login. | 1
VoIP Login Failed | Indicates an unsuccessful attempt to access the VoIP service. | 1
VoIP Logout | Indicates a VoIP user logout. | 1
VoIP Session Initiated | Indicates the beginning of a VoIP session. | 1
VoIP Session Terminated | Indicates the end of a VoIP session. | 1
Database Login Succeeded | Indicates a successful database login. | 1
Database Login Failure | Indicates that a database login attempt failed. | 3
IKE Authentication Failed | Indicates that a failed Internet Key Exchange (IKE) authentication has been detected. | 3
IKE Authentication Succeeded | Indicates that a successful IKE authentication has been detected. | 1
IKE Session Started | Indicates that an IKE session started. | 1
IKE Session Ended | Indicates that an IKE session ended. | 1
IKE Error | Indicates an IKE error message. | 1
IKE Status | Indicates an IKE status message. | 1
RADIUS Session Started | Indicates that a RADIUS session started. | 1
RADIUS Session Ended | Indicates that a RADIUS session ended. | 1
RADIUS Session Denied | Indicates that a RADIUS session has been denied. | 1
RADIUS Session Status | Indicates a RADIUS session status message. | 1
RADIUS Authentication Failed | Indicates a RADIUS authentication failure. | 3
RADIUS Authentication Successful | Indicates that a RADIUS authentication succeeded. | 1
TACACS Session Started | Indicates that a TACACS session started. | 1
TACACS Session Ended | Indicates that a TACACS session ended. | 1
TACACS Session Denied | Indicates that a TACACS session has been denied. | 1
TACACS Session Status | Indicates a TACACS session status message. | 1
TACACS Authentication Successful | Indicates that a TACACS authentication succeeded. | 1
TACACS Authentication Failed | Indicates a TACACS authentication failure. | 1
Deauthenticating Host Succeeded | Indicates that the deauthentication of a host has been successful. | 1
Deauthenticating Host Failed | Indicates that the deauthentication of a host failed. | 3
Station Authentication Succeeded | Indicates that the station authentication has been successful. | 1
Station Authentication Failed | Indicates that the station authentication of a host failed. | 3
Station Association Succeeded | Indicates that the station association has been successful. | 1
Station Association Failed | Indicates that the station association failed. | 3
Station Reassociation Succeeded | Indicates that the station reassociation has been successful. | 1
Station Reassociation Failed | Indicates that the station reassociation failed. | 3
Disassociating Host Succeeded | Indicates that disassociating a host has been successful. | 1
Disassociating Host Failed | Indicates that disassociating a host failed. | 3
SA Error | Indicates a Security Association (SA) error message. | 5
SA Creation Failure | Indicates a Security Association (SA) creation failure. | 3
SA Established | Indicates that a Security Association (SA) connection has been established. | 1
SA Rejected | Indicates that a Security Association (SA) connection has been rejected. | 3
Deleting SA | Indicates the deletion of a Security Association (SA). | 1
Creating SA | Indicates the creation of a Security Association (SA). | 1
Certificate Mismatch | Indicates a certificate mismatch. | 3
Credentials Mismatch | Indicates a credentials mismatch. | 3
Admin Login Attempt | Indicates an admin login attempt. | 2
User Login Attempt | Indicates a user login attempt. | 2
User Login Successful | Indicates a successful user login. | 1
User Login Failure | Indicates a failed user login. | 3
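As an added example, and not STRM's own DSM or rule logic, the following code normalizes OpenSSH sshd syslog lines into the SSH Login Succeeded and SSH Login Failed categories of Table E-4 with the severities listed there, and escalates a run of failures from a single source to the Brute Force Login category of Table E-3 (severity 8). The sshd message format is the standard one; the sample lines, host names and addresses are constructed, and the threshold of five failures within 60 seconds is an assumption, not a value from this guide.

```python
"""Normalize sshd syslog lines into Table E-4 categories and escalate bursts of
failures to the Table E-3 Brute Force Login category.

Added example; not STRM's DSM or rule engine. Severities are the ones listed in
Tables E-3 and E-4; the threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

SEVERITY = {
    "SSH Login Succeeded": 1,   # Table E-4
    "SSH Login Failed": 2,      # Table E-4
    "Brute Force Login": 8,     # Table E-3
}

# Standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: a burst of failures from one address, then unrelated traffic from another.
SAMPLE_SSHD_LOG = """\
Nov 13 10:14:01 host1 sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 50210 ssh2
Nov 13 10:14:03 host1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Nov 13 10:14:05 host1 sshd[2205]: Failed password for root from 198.51.100.7 port 50212 ssh2
Nov 13 10:14:07 host1 sshd[2207]: Failed password for root from 198.51.100.7 port 50213 ssh2
Nov 13 10:14:09 host1 sshd[2209]: Failed password for root from 198.51.100.7 port 50214 ssh2
Nov 13 10:14:11 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 50215 ssh2
Nov 13 10:15:30 host1 sshd[2240]: Accepted publickey for alice from 203.0.113.9 port 41022 ssh2
Nov 13 10:16:02 host1 sshd[2250]: Failed password for bob from 203.0.113.9 port 41030 ssh2
"""


def classify(line):
    """One sshd line -> event dict with its Table E-4 category and severity, or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    category = "SSH Login Succeeded" if m["result"] == "Accepted" else "SSH Login Failed"
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"], "user": m["user"],
        "category": category, "severity": SEVERITY[category],
    }


def normalize(lines, threshold=5, window_s=60):
    """Classify every line; once a source reaches `threshold` failures inside
    `window_s` seconds, that failure and later ones in the window become
    Brute Force Login events."""
    recent = defaultdict(deque)   # src -> timestamps of its recent failures
    events = []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev["category"] == "SSH Login Failed":
            q = recent[ev["src"]]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_s:
                q.popleft()                     # drop failures outside the window
            if len(q) >= threshold:
                ev["category"] = "Brute Force Login"
                ev["severity"] = SEVERITY["Brute Force Login"]
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in normalize(SAMPLE_SSHD_LOG.splitlines()):
        print(ev["time"].strftime("%H:%M:%S"), ev["src"], ev["user"], ev["category"], ev["severity"])
```

The fifth and sixth failures from 198.51.100.7 are reported as Brute Force Login while the earlier four stay SSH Login Failed; the single failure from 203.0.113.9 is not escalated because the window is tracked per source address.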

Access

The access category indicates events resulting from attempts to access network resources, for example, a firewall accept or deny. The associated low-level event categories include:

Table E-5 Access Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Network Communication Event | Indicates an unknown network communication event. | 3
Firewall Permit | Indicates that the firewall permitted the access. | 0
Firewall Deny | Indicates that the firewall denied the access. | 4
Flow Context Response | Indicates events from the Classification Engine in response to a SIM request. | 5
Misc Network Communication Event | Indicates a miscellaneous network communication event. | 3
IPS Deny | Indicates that an Intrusion Prevention System (IPS) denied traffic. | 4
Firewall Session Opened | Indicates that a firewall session has been opened. | 0
Firewall Session Closed | Indicates that a firewall session has been closed. | 0
Dynamic Address Translation Successful | Indicates that dynamic address translation has been successful. | 0
No Translation Group Found | Indicates that no translation group has been found. | 2
Misc Authorization | Indicates that access has been granted by a miscellaneous authentication server. | 2
ACL Permit | Indicates that an Access Control List (ACL) permitted access. | 0
ACL Deny | Indicates that an Access Control List (ACL) denied access. | 4
Access Permitted | Indicates that access has been permitted. | 0
Access Denied | Indicates that access has been denied. | 4
Session Opened | Indicates that a session has been opened. | 1
Session Closed | Indicates that a session has been closed. | 1
Session Reset | Indicates that a session has been reset. | 3
Session Terminated | Indicates that a session has been terminated. | 4
Session Denied | Indicates that a session has been denied. | 5
Session in Progress | Indicates that a session is currently in progress. | 1
Session Delayed | Indicates that a session has been delayed. | 3
Session Queued | Indicates that a session has been queued. | 1
Session Inbound | Indicates that a session is inbound. | 1
Session Outbound | Indicates that a session is outbound. | 1
Unauthorized Access Attempt | Indicates that an unauthorized access attempt has been detected. | 6
Misc Application Action Allowed | Indicates that an application action has been permitted. | 1
Misc Application Action Denied | Indicates that an application action has been denied. | 3
Database Action Allowed | Indicates that a database action has been permitted. | 1
Database Action Denied | Indicates that a database action has been denied. | 3
FTP Action Allowed | Indicates that an FTP action has been permitted. | 1
FTP Action Denied | Indicates that an FTP action has been denied. | 3
Object Cached | Indicates that an object was cached. | 1
Object Not Cached | Indicates that an object was not cached. | 1
Rate Limiting | Indicates that the network is rate limiting traffic. | 4
No Rate Limiting | Indicates that the network is not rate limiting traffic. | 0

Exploit

The exploit category indicates events relating to application exploits and buffer overflow attempts, that is, attempts to gain access or execute code through a vulnerability. The associated low-level event categories include:

Table E-6 Exploit Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Exploit Attack | Indicates an unknown exploit attack. | 9
Buffer Overflow | Indicates a buffer overflow. | 9
DNS Exploit | Indicates a DNS exploit. | 9
Telnet Exploit | Indicates a Telnet exploit. | 9
Linux Exploit | Indicates a Linux exploit. | 9
Unix Exploit | Indicates a Unix exploit. | 9
Windows Exploit | Indicates a Windows exploit. | 9
Mail Exploit | Indicates a mail server exploit. | 9
Infrastructure Exploit | Indicates an infrastructure exploit. | 9
Misc Exploit | Indicates a miscellaneous exploit. | 9
Web Exploit | Indicates a web exploit. | 9
Session Hijack | Indicates that a session in your network has been intercepted (hijacked). | 9
Worm Active | Indicates an active worm. | 10
Password Guess/Retrieve | Indicates an attempt to guess a password or to retrieve password information from the database. | 9
FTP Exploit | Indicates an FTP exploit. | 9
RPC Exploit | Indicates an RPC exploit. | 9
SNMP Exploit | Indicates an SNMP exploit. | 9
NOOP Exploit | Indicates a NOOP exploit, for example, a NOP sled detected in traffic. | 9
Samba Exploit | Indicates a Samba exploit. | 9
Database Exploit | Indicates a database exploit. | 9
SSH Exploit | Indicates an SSH exploit. | 9
ICMP Exploit | Indicates an ICMP exploit. | 9
UDP Exploit | Indicates a UDP exploit. | 9
Browser Exploit | Indicates an exploit against a browser. | 9
DHCP Exploit | Indicates a DHCP exploit. | 9
Remote Access Exploit | Indicates a remote access exploit. | 9
ActiveX Exploit | Indicates an exploit through an ActiveX application. | 9
SQL Injection | Indicates that an SQL injection has occurred. | 9
Cross-Site Scripting | Indicates a cross-site scripting attempt. | 9
Format String Vulnerability | Indicates a format string exploit attempt. | 9
Input Validation Exploit | Indicates that an input validation exploit attempt has been detected. | 9
Remote Code Execution | Indicates that a remote code execution attempt has been detected. | 9
Memory Corruption | Indicates that a memory corruption exploit has been detected. | 9
Command Execution | Indicates that a remote command execution attempt has been detected. | 9

Malware

The malicious software (malware) category indicates events relating to viruses, trojans, back door attacks, and other forms of hostile software. The associated low-level event categories include:

Table E-7 Malware Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Malware | Indicates unknown malware. | 4
Backdoor Detected | Indicates that a backdoor to the system has been detected. | 9
Hostile Mail Attachment | Indicates a hostile mail attachment. | 6
Malicious Software | Indicates malicious software. | 6
Hostile Software Download | Indicates a hostile software download to your network. | 6
Virus Detected | Indicates that a virus has been detected. | 8
Misc Malware | Indicates miscellaneous malicious software. | 4
Trojan Detected | Indicates that a trojan has been detected. | 7
Spyware Detected | Indicates that spyware has been detected on your system. | 6
Content Scan | Indicates that an attempted scan of your content has been detected. | 3
Content Scan Failed | Indicates that a scan of your content has failed. | 8
Content Scan Successful | Indicates that a scan of your content has been successful. | 3
Content Scan in Progress | Indicates that a scan of your content is currently in progress. | 3
Keylogger | Indicates that a key logger has been detected. | 7
Adware Detected | Indicates that adware has been detected. | 4

Suspicious Activity

The suspicious activity category indicates events where the nature of the threat is unknown but the behavior is suspicious, including protocol anomalies that potentially indicate evasive techniques. The associated low-level event categories include:

Table E-8 Suspicious Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Unknown Suspicious Event | Indicates an unknown suspicious event. | 3
Suspicious Pattern Detected | Indicates that a suspicious pattern has been detected. | 3
Content Modified By Firewall | Indicates that content has been modified by the firewall. | 3
Invalid Command or Data | Indicates an invalid command or data. | 3
Suspicious Packet | Indicates a suspicious packet. | 3
Suspicious Activity | Indicates suspicious activity. | 3
Suspicious File Name | Indicates a suspicious file name. | 3
Suspicious Port Activity | Indicates suspicious port activity. | 3
Suspicious Routing | Indicates suspicious routing. | 3
Potential Web Vulnerability | Indicates a potential web vulnerability. | 3
Unknown Evasion Event | Indicates an unknown evasion event. | 5
IP Spoof | Indicates an IP spoof. | 5
IP Fragmentation | Indicates IP fragmentation. | 3
Overlapping IP Fragments | Indicates overlapping IP fragments. | 5
IDS Evasion | Indicates an IDS evasion. | 5
DNS Protocol Anomaly | Indicates a DNS protocol anomaly. | 3
FTP Protocol Anomaly | Indicates an FTP protocol anomaly. | 3
Mail Protocol Anomaly | Indicates a mail protocol anomaly. | 3
Routing Protocol Anomaly | Indicates a routing protocol anomaly. | 3
Web Protocol Anomaly | Indicates a web protocol anomaly. | 3
SQL Protocol Anomaly | Indicates an SQL protocol anomaly. | 3
Executable Code Detected | Indicates that executable code has been detected. | 5
Misc Suspicious Event | Indicates a miscellaneous suspicious event. | 3
Information Leak | Indicates an information leak. | 1
Potential Mail Vulnerability | Indicates a potential vulnerability in the mail server. | 4
Potential Version Vulnerability | Indicates a potential vulnerability in the STRM version. | 4
Potential FTP Vulnerability | Indicates a potential FTP vulnerability. | 4
Potential SSH Vulnerability | Indicates a potential SSH vulnerability. | 4
Potential DNS Vulnerability | Indicates a potential vulnerability in the DNS server. | 4
Potential SMB Vulnerability | Indicates a potential SMB (Samba) vulnerability. | 4
Potential Database Vulnerability | Indicates a potential vulnerability in the database. | 4
IP Protocol Anomaly | Indicates a potential IP protocol anomaly. | 3
Suspicious IP Address | Indicates that a suspicious IP address has been detected. | 2
Invalid IP Protocol Usage | Indicates invalid use (misuse) of an IP protocol. | 2
Invalid Protocol | Indicates an invalid protocol. | 4
Suspicious Window Events | Indicates a suspicious event with a screen on your desktop. | 2
Suspicious ICMP Activity | Indicates suspicious ICMP activity. | 2
Potential NFS Vulnerability | Indicates a potential Network File System (NFS) vulnerability. | 4
Potential NNTP Vulnerability | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4
Potential Telnet Vulnerability | Indicates a potential Telnet vulnerability on your system. | 4
Potential SNMP Vulnerability | Indicates a potential SNMP vulnerability. | 4
Illegal TCP Flag Combination | Indicates that an invalid TCP flag combination has been detected. | 5
Suspicious TCP Flag Combination | Indicates that a potentially invalid TCP flag combination has been detected. | 4
Potential RPC Vulnerability | Indicates a potential RPC vulnerability. | 4
Illegal ICMP Protocol Usage | Indicates that an invalid use of the ICMP protocol has been detected. | 5
Suspicious ICMP Protocol Usage | Indicates that a potentially invalid use of the ICMP protocol has been detected. | 4
Illegal ICMP Type | Indicates that an invalid ICMP type has been detected. | 5
Illegal ICMP Code | Indicates that an invalid ICMP code has been detected. | 5
Suspicious ICMP Type | Indicates that a potentially invalid ICMP type has been detected. | 4
Suspicious ICMP Code | Indicates that a potentially invalid ICMP code has been detected. | 4
TCP port 0 | Indicates a TCP packet using the reserved port 0 as source or destination. | 4
UDP port 0 | Indicates a UDP packet using the reserved port 0 as source or destination. | 4
Hostile IP | Indicates the use of a known hostile IP address. | 4
Watch list IP | Indicates the use of an IP address from a watch list of IP addresses. | 4
Known offender IP | Indicates the use of the IP address of a known offender. | 4
RFC 1918 (private) IP | Indicates the use of an IP address from a private IP address range. | 4
Potential VoIP Vulnerability | Indicates a potential VoIP vulnerability. | 4
Blacklist Address | Indicates that an IP address is on the black list. | 8
Watchlist Address | Indicates that the IP address is on the list of IP addresses being monitored. | 7
Darknet Address | Indicates that the IP address is part of a darknet. | 5
Botnet Address | Indicates that the address is part of a botnet. | 7
Suspicious Address | Indicates that the IP address should be monitored. | 5
Bad Content | Indicates that bad content has been detected. | 7
Invalid Cert | Indicates that an invalid certificate has been detected. | 7
User Activity | Indicates that user activity has been detected. | 7
Suspicious Protocol Usage | Indicates that suspicious protocol usage has been detected. | 5
Suspicious BGP Activity | Indicates that suspicious Border Gateway Protocol (BGP) usage has been detected. | 5
Route Poisoning | Indicates that route corruption has been detected. | 5
ARP Poisoning | Indicates that ARP cache poisoning has been detected. | 5
Rogue Device Detected | Indicates that a rogue device has been detected. | 5
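Several Table E-8 categories are decided from header fields alone. The following added example, which is not STRM's own classifier, applies those checks to one TCP segment seen at the perimeter: Illegal TCP Flag Combination for SYN+FIN, SYN+RST, null and all-flags segments, Suspicious TCP Flag Combination for FIN, PSH or URG without ACK or SYN, TCP port 0, and RFC 1918 (private) IP for a private source address that is not the site's own range. Which flag combinations fall into the illegal bucket versus the suspicious one, and the default internal range 10.0.0.0/8, are assumptions; the severities come from the table.

```python
"""Map TCP/IP header fields onto Table E-8 low-level categories.

Added example; not STRM's own classifier. The illegal/suspicious split of
flag combinations and the default internal range are assumptions."""
import ipaddress

# TCP flag bits (bit positions of the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Severities from Table E-8.
SEVERITY = {
    "Illegal TCP Flag Combination": 5,
    "Suspicious TCP Flag Combination": 4,
    "TCP port 0": 4,
    "RFC 1918 (private) IP": 4,
}

# RFC 1918 ranges spelled out; ipaddress.is_private also covers documentation
# ranges such as 198.51.100.0/24, which is not what this category means.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def flag_category(flags):
    """Classify a TCP flags byte; None when the combination is normal."""
    if flags == 0 or flags == ALL_FLAGS:
        return "Illegal TCP Flag Combination"      # null scan / every flag set
    if flags & SYN and flags & (FIN | RST):
        return "Illegal TCP Flag Combination"      # SYN+FIN or SYN+RST never occur legitimately
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return "Suspicious TCP Flag Combination"   # FIN/Xmas-style probes without ACK
    return None


def classify_tcp(src_ip, src_port, dst_port, flags, internal_net="10.0.0.0/8"):
    """Return [(category, severity), ...] for one segment seen at the perimeter.

    internal_net is the site's own private range (assumption); any other
    RFC 1918 source address arriving there is reported."""
    hits = []
    cat = flag_category(flags)
    if cat:
        hits.append(cat)
    if src_port == 0 or dst_port == 0:
        hits.append("TCP port 0")
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in RFC1918) and ip not in ipaddress.ip_network(internal_net):
        hits.append("RFC 1918 (private) IP")
    return [(h, SEVERITY[h]) for h in hits]


if __name__ == "__main__":
    # Constructed segments: (source address, source port, destination port, flags)
    for seg in [("198.51.100.7", 40000, 22, SYN | FIN),
                ("192.168.1.5", 0, 22, SYN),
                ("203.0.113.9", 40000, 443, ACK)]:
        print(seg, classify_tcp(*seg))
```

A segment can match more than one category, which is why the function returns a list; a SIEM rule would normally take the highest severity of the hits.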

System

The system category indicates events relating to system changes, software installation, or status messages. The associated low-level event categories include:
Table E-9 System Categories

Low Level Event Category Unknown System Event System Boot System Configuration System Halt System Failure System Status System Error Misc System Event Service Started Service Stopped Service Failure Successful Registry Modification Successful Host-Policy Modification

Description Indicates an unknown system event. Indicates a system boot. Indicates a change in the system configuration. Indicates the system has been halted. Indicates a system failure. Indicates any information event. Indicates a system error. Indicates a miscellaneous system event. Indicates system services have stopped. Indicates a system failure. Indicates that a modification to the registry has been successful.

Severity Level (0 to 10) 1 1 1 1 6 1 3 1

Indicates system services have started. 1 1 6 1

Indicates that a modification to the host 1 policy has been successful.

STRM Administration Guide

20

Table E-9 System Categories (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Successful File Modification | Indicates that a modification to a file has been successful. | 1 |
| Successful Stack Modification | Indicates that a modification to the stack has been successful. | 1 |
| Successful Application Modification | Indicates that a modification to the application has been successful. | 1 |
| Successful Configuration Modification | Indicates that a modification to the configuration has been successful. | 1 |
| Successful Service Modification | Indicates that a modification to a service has been successful. | 1 |
| Failed Registry Modification | Indicates that a modification to the registry has failed. | 1 |
| Failed Host-Policy Modification | Indicates that a modification to the host policy has failed. | 1 |
| Failed File Modification | Indicates that a modification to a file has failed. | 1 |
| Failed Stack Modification | Indicates that a modification to the stack has failed. | 1 |
| Failed Application Modification | Indicates that a modification to an application has failed. | 1 |
| Failed Configuration Modification | Indicates that a modification to the configuration has failed. | 1 |
| Failed Service Modification | Indicates that a modification to the service has failed. | 1 |
| Registry Addition | Indicates that a new item has been added to the registry. | 1 |
| Host-Policy Created | Indicates that a new entry has been added to the registry. | 1 |
| File Created | Indicates that a new file has been created in the system. | 1 |
| Application Installed | Indicates that a new application has been installed on the system. | 1 |
| Service Installed | Indicates that a new service has been installed on the system. | 1 |
| Registry Deletion | Indicates that a registry entry has been deleted. | 1 |
| Host-Policy Deleted | Indicates that a host policy entry has been deleted. | 1 |
| File Deleted | Indicates that a file has been deleted. | 1 |
| Application Uninstalled | Indicates that an application has been uninstalled. | 1 |

Table E-9 System Categories (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Service Uninstalled | Indicates that a service has been uninstalled. | 1 |
| System Informational | Indicates system information. | 3 |
| System Action Allow | Indicates that an attempted action on the system has been authorized. | 3 |
| System Action Deny | Indicates that an attempted action on the system has been denied. | 4 |
| Cron | Indicates a crontab message. | 1 |
| Cron Status | Indicates a crontab status message. | 1 |
| Cron Failed | Indicates a crontab failure message. | 4 |
| Cron Successful | Indicates a crontab success message. | 1 |
| Daemon | Indicates a daemon message. | 1 |
| Daemon Status | Indicates a daemon status message. | 1 |
| Daemon Failed | Indicates a daemon failure message. | 4 |
| Daemon Successful | Indicates a daemon success message. | 1 |
| Kernel | Indicates a kernel message. | 1 |
| Kernel Status | Indicates a kernel status message. | 1 |
| Kernel Failed | Indicates a kernel failure message. | |
| Kernel Successful | Indicates a kernel success message. | 1 |
| Authentication | Indicates an authentication message. | 1 |
| Information | Indicates an informational message. | 2 |
| Notice | Indicates a notice message. | 3 |
| Warning | Indicates a warning message. | 5 |
| Error | Indicates an error message. | 7 |
| Critical | Indicates a critical message. | 9 |
| Debug | Indicates a debug message. | 1 |
| Messages | Indicates a generic message. | 1 |
| Privilege Access | Indicates that privilege access has been attempted. | 3 |
| Alert | Indicates an alert message. | 9 |
| Emergency | Indicates an emergency message. | 9 |
| SNMP Status | Indicates an SNMP status message. | 1 |
| FTP Status | Indicates an FTP status message. | 1 |
| NTP Status | Indicates an NTP status message. | 1 |
| Access Point Radio Failure | Indicates an access point radio failure. | 3 |

EVENT CATEGORIES

Table E-9 System Categories (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Encryption Protocol Configuration Mismatch | Indicates an encryption protocol configuration mismatch. | 3 |
| Client Device or Authentication Server Misconfigured | Indicates a client device or authentication server has not been configured properly. | 5 |
| Hot Standby Enable Failed | Indicates a hot standby enable failure. | |
| Hot Standby Disable Failed | Indicates a hot standby disable failure. | 5 |
| Hot Standby Enabled Successfully | Indicates hot standby has been enabled successfully. | 1 |
| Hot Standby Association Lost | Indicates a hot standby association has been lost. | 5 |
| MainMode Initiation Failure | Indicates a MainMode initiation failure. | 5 |
| MainMode Initiation Succeeded | Indicates that the MainMode initiation has been successful. | 1 |
| MainMode Status | Indicates a MainMode status message has been reported. | 1 |
| QuickMode Initiation Failure | Indicates that the QuickMode initiation failed. | 5 |
| QuickMode Initiation Succeeded | Indicates that the QuickMode initiation has been successful. | 1 |
| QuickMode Status | Indicates a QuickMode status message has been reported. | 1 |
| Invalid License | Indicates an invalid license. | 3 |
| License Expired | Indicates an expired license. | 3 |
| New License Applied | Indicates a new license has been applied. | 1 |
| License Error | Indicates a license error. | 5 |
| License Status | Indicates a license status message. | 1 |
| Configuration Error | Indicates that a configuration error has been detected. | 5 |
| Service Disruption | Indicates that a service disruption has been detected. | 5 |
| License Exceeded | Indicates that the license capabilities have been exceeded. | 3 |
| Performance Status | Indicates that the performance status has been reported. | 1 |
| Performance Degradation | Indicates that the performance is being degraded. | 4 |
| Misconfiguration | Indicates that an incorrect configuration has been detected. | 5 |

Policy

The Policy category indicates events relating to the administration of network policy and the monitoring of network resources for policy violations. The associated low-level event categories include:

Table E-10 Policy Categories

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Unknown Policy Violation | Indicates an unknown policy violation. | 2 |
| Web Policy Violation | Indicates a web policy violation. | 2 |
| Remote Access Policy Violation | Indicates a remote access policy violation. | 2 |
| IRC/IM Policy Violation | Indicates an instant messenger policy violation. | 2 |
| P2P Policy Violation | Indicates a Peer-to-Peer (P2P) policy violation. | 2 |
| IP Access Policy Violation | Indicates an IP access policy violation. | 2 |
| Database Policy Violation | Indicates a database policy violation. | 2 |
| Network Threshold Policy Violation | Indicates a network threshold policy violation. | 2 |
| Porn Policy Violation | Indicates a porn policy violation. | 2 |
| Games Policy Violation | Indicates a games policy violation. | 2 |
| Misc Policy Violation | Indicates a miscellaneous policy violation. | 2 |
| Application Policy Violation | Indicates an application policy violation. | 2 |
| Compliance Policy Violation | Indicates a compliance policy violation. | 2 |
| Mail Policy Violation | Indicates a mail policy violation. | 2 |
| IRC Policy Violation | Indicates an IRC policy violation. | 2 |
| IM Policy Violation | Indicates a policy violation related to instant messaging (IM) activities. | 2 |
| VoIP Policy Violation | Indicates a VoIP policy violation. | 2 |
| Succeeded | Indicates a policy success message. | 1 |
| Failed | Indicates a policy failure message. | 4 |

CRE

The CRE category indicates events generated from a custom offense, flow or event rule. The associated low-level event categories include:

Table E-11 CRE Category

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Unknown CRE Event | Indicates an unknown custom rules engine event. | 5 |
| Single Event Rule Match | Indicates a single event rule match. | 5 |
| Event Sequence Rule Match | Indicates an event sequence rule match. | 5 |
| Cross-Offense Event Sequence Rule Match | Indicates a cross-offense event sequence rule match. | 5 |
| Offense Rule Match | Indicates an offense rule match. | 5 |

Potential Exploit

The Potential Exploit category indicates events relating to potential application exploits and buffer overflow attempts. The associated low-level event categories include:

Table E-12 Potential Exploit Category

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Unknown Potential Exploit Attack | Indicates a potentially exploitative attack has been detected. | 7 |
| Potential Buffer Overflow | Indicates a potential buffer overflow has been detected. | 7 |
| Potential DNS Exploit | Indicates a potentially exploitative attack through the DNS server has been detected. | 7 |
| Potential Telnet Exploit | Indicates a potentially exploitative attack through Telnet has been detected. | |
| Potential Linux Exploit | Indicates a potentially exploitative attack through Linux has been detected. | |
| Potential Unix Exploit | Indicates a potentially exploitative attack through Unix has been detected. | 7 |
| Potential Windows Exploit | Indicates a potentially exploitative attack through Windows has been detected. | 7 |
| Potential Mail Exploit | Indicates a potentially exploitative attack through mail has been detected. | 7 |
| Potential Infrastructure Exploit | Indicates a potentially exploitative attack on the system infrastructure has been detected. | 7 |
| Potential Misc Exploit | Indicates a potentially exploitative attack has been detected. | 7 |
| Potential Web Exploit | Indicates a potentially exploitative attack through the web has been detected. | 7 |
| Potential Botnet connection | Indicates a potentially exploitative attack using a botnet has been detected. | 6 |
| Potential worm activity | Indicates a potentially exploitative attack using worm activity has been detected. | 6 |

SIM Audit

The SIM Audit category indicates events related to user interaction with the Console and administrative functionality. User logins and configuration changes generate events that are sent to the Event Collector, where they are correlated with other security events from the network. The associated low-level event categories include:

Table E-13 SIM Audit Event Category

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| SIM User Authentication | Indicates a user login or logout on the Console. | 5 |
| SIM Configuration Change | Indicates that a user has made a change to the SIM configuration or deployment. | 3 |
| SIM User Action | Indicates that a user has initiated a process in the SIM module. This may include starting a backup process or generating a report. | 3 |
| Session Created | Indicates a user session has been created. | 3 |
| Session Destroyed | Indicates a user session has been destroyed. | 3 |
| Admin Session Created | Indicates an admin session has been created. | |
| Admin Session Destroyed | Indicates an admin session has been destroyed. | |
| Session Authentication Invalid | Indicates an invalid session authentication. | 5 |
| Session Authentication Expired | Indicates a session authentication has expired. | 3 |

VIS Host Discovery

When the VIS component discovers and stores new hosts, ports, or vulnerabilities detected on the network, the VIS component generates events. These events are sent to the Event Collector to be correlated with other security events. The associated low-level event categories include:

Table E-14 VIS Host Discovery Category

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| New Host Discovered | Indicates that the VIS component has detected a new host. | 3 |
| New Port Discovered | Indicates that the VIS component has detected a new open port. | 3 |
| New Vuln Discovered | Indicates that the VIS component has detected a new vulnerability. | 3 |
| New OS Discovered | Indicates that the VIS component has detected a new operating system on a host. | 3 |
| Bulk Host Discovered | Indicates that the VIS component has detected many new hosts in a short period of time. | |

Application

The Application category indicates events relating to application activity, such as e-mail or FTP activity. The associated low-level event categories include:

Table E-15 Application Category

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Mail Opened | Indicates that an e-mail connection has been established. | 1 |
| Mail Closed | Indicates that an e-mail connection has been closed. | 1 |
| Mail Reset | Indicates that an e-mail connection has been reset. | 3 |
| Mail Terminated | Indicates that an e-mail connection has been terminated. | 4 |
| Mail Denied | Indicates that an e-mail connection has been denied. | 4 |
| Mail in Progress | Indicates that an e-mail connection is being attempted. | 1 |
| Mail Delayed | Indicates that an e-mail connection has been delayed. | 4 |
| Mail Queued | Indicates that an e-mail connection has been queued. | 3 |
| Mail Redirected | Indicates that an e-mail connection has been redirected. | 1 |
| FTP Opened | Indicates that an FTP connection has been opened. | 1 |
| FTP Closed | Indicates that an FTP connection has been closed. | 1 |
| FTP Reset | Indicates that an FTP connection has been reset. | 3 |
| FTP Terminated | Indicates that an FTP connection has been terminated. | 4 |
| FTP Denied | Indicates that an FTP connection has been denied. | 4 |
| FTP In Progress | Indicates that an FTP connection is currently in progress. | 1 |
| FTP Redirected | Indicates that an FTP connection has been redirected. | 3 |
| HTTP Opened | Indicates that an HTTP connection has been established. | 1 |
| HTTP Closed | Indicates that an HTTP connection has been closed. | 1 |
| HTTP Reset | Indicates that an HTTP connection has been reset. | 3 |
| HTTP Terminated | Indicates that an HTTP connection has been terminated. | 4 |
| HTTP Denied | Indicates that an HTTP connection has been denied. | 4 |
| HTTP In Progress | Indicates that an HTTP connection is currently in progress. | 1 |
| HTTP Delayed | Indicates that an HTTP connection has been delayed. | 3 |
| HTTP Queued | Indicates that an HTTP connection has been queued. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| HTTP Redirected | Indicates that an HTTP connection has been redirected. | 1 |
| HTTP Proxy | Indicates that an HTTP connection is being proxied. | 1 |
| HTTPS Opened | Indicates that an HTTPS connection has been established. | 1 |
| HTTPS Closed | Indicates that an HTTPS connection has been closed. | 1 |
| HTTPS Reset | Indicates that an HTTPS connection has been reset. | 3 |
| HTTPS Terminated | Indicates that an HTTPS connection has been terminated. | 4 |
| HTTPS Denied | Indicates that an HTTPS connection has been denied. | 4 |
| HTTPS In Progress | Indicates that an HTTPS connection is currently in progress. | 1 |
| HTTPS Delayed | Indicates that an HTTPS connection has been delayed. | 3 |
| HTTPS Queued | Indicates that an HTTPS connection has been queued. | 3 |
| HTTPS Redirected | Indicates that an HTTPS connection has been redirected. | 3 |
| HTTPS Proxy | Indicates that an HTTPS connection is proxied. | 1 |
| SSH Opened | Indicates that an SSH connection has been established. | 1 |
| SSH Closed | Indicates that an SSH connection has been closed. | 1 |
| SSH Reset | Indicates that an SSH connection has been reset. | 3 |
| SSH Terminated | Indicates that an SSH connection has been terminated. | 4 |
| SSH Denied | Indicates that an SSH session has been denied. | 4 |
| SSH In Progress | Indicates that an SSH session is currently in progress. | 1 |
| RemoteAccess Opened | Indicates that a remote access connection has been established. | 1 |
| RemoteAccess Closed | Indicates that a remote access connection has been closed. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| RemoteAccess Reset | Indicates that a remote access connection has been reset. | 3 |
| RemoteAccess Terminated | Indicates that a remote access connection has been terminated. | 4 |
| RemoteAccess Denied | Indicates that a remote access connection has been denied. | 4 |
| RemoteAccess In Progress | Indicates that a remote access connection is currently in progress. | 1 |
| RemoteAccess Delayed | Indicates that a remote access connection has been delayed. | 3 |
| RemoteAccess Redirected | Indicates that a remote access connection has been redirected. | 3 |
| VPN Opened | Indicates that a VPN connection has been opened. | 1 |
| VPN Closed | Indicates that a VPN connection has been closed. | 1 |
| VPN Reset | Indicates that a VPN connection has been reset. | 3 |
| VPN Terminated | Indicates that a VPN connection has been terminated. | 4 |
| VPN Denied | Indicates that a VPN connection has been denied. | 4 |
| VPN In Progress | Indicates that a VPN connection is currently in progress. | 1 |
| VPN Delayed | Indicates that a VPN connection has been delayed. | 3 |
| VPN Queued | Indicates that a VPN connection has been queued. | 3 |
| VPN Redirected | Indicates that a VPN connection has been redirected. | 3 |
| RDP Opened | Indicates that an RDP connection has been established. | 1 |
| RDP Closed | Indicates that an RDP connection has been closed. | 1 |
| RDP Reset | Indicates that an RDP connection has been reset. | 3 |
| RDP Terminated | Indicates that an RDP connection has been terminated. | 4 |
| RDP Denied | Indicates that an RDP connection has been denied. | 4 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| RDP In Progress | Indicates that an RDP connection is currently in progress. | 1 |
| RDP Redirected | Indicates that an RDP connection has been redirected. | 3 |
| FileTransfer Opened | Indicates that a file transfer connection has been established. | 1 |
| FileTransfer Closed | Indicates that a file transfer connection has been closed. | 1 |
| FileTransfer Reset | Indicates that a file transfer connection has been reset. | 3 |
| FileTransfer Terminated | Indicates that a file transfer connection has been terminated. | 4 |
| FileTransfer Denied | Indicates that a file transfer connection has been denied. | 4 |
| FileTransfer In Progress | Indicates that a file transfer connection is currently in progress. | 1 |
| FileTransfer Delayed | Indicates that a file transfer connection has been delayed. | 3 |
| FileTransfer Queued | Indicates that a file transfer connection has been queued. | 3 |
| FileTransfer Redirected | Indicates that a file transfer connection has been redirected. | 3 |
| DNS Opened | Indicates that a DNS connection has been established. | 1 |
| DNS Closed | Indicates that a DNS connection has been closed. | 1 |
| DNS Reset | Indicates that a DNS connection has been reset. | 5 |
| DNS Terminated | Indicates that a DNS connection has been terminated. | 5 |
| DNS Denied | Indicates that a DNS connection has been denied. | 5 |
| DNS In Progress | Indicates that a DNS connection is currently in progress. | 1 |
| DNS Delayed | Indicates that a DNS connection has been delayed. | 5 |
| DNS Redirected | Indicates that a DNS connection has been redirected. | 4 |
| Chat Opened | Indicates that a chat connection has been opened. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Chat Closed | Indicates that a chat connection has been closed. | 1 |
| Chat Reset | Indicates that a chat connection has been reset. | 3 |
| Chat Terminated | Indicates that a chat connection has been terminated. | 3 |
| Chat Denied | Indicates that a chat connection has been denied. | 3 |
| Chat In Progress | Indicates that a chat connection is currently in progress. | 1 |
| Chat Redirected | Indicates that a chat connection has been redirected. | 1 |
| Database Opened | Indicates that a database connection has been established. | 1 |
| Database Closed | Indicates that a database connection has been closed. | 1 |
| Database Reset | Indicates that a database connection has been reset. | 5 |
| Database Terminated | Indicates that a database connection has been terminated. | 5 |
| Database Denied | Indicates that a database connection has been denied. | 5 |
| Database In Progress | Indicates that a database connection is currently in progress. | 1 |
| Database Redirected | Indicates that a database connection has been redirected. | 3 |
| SMTP Opened | Indicates that an SMTP connection has been established. | 1 |
| SMTP Closed | Indicates that an SMTP connection has been closed. | 1 |
| SMTP Reset | Indicates that an SMTP connection has been reset. | 3 |
| SMTP Terminated | Indicates that an SMTP connection has been terminated. | 5 |
| SMTP Denied | Indicates that an SMTP connection has been denied. | 5 |
| SMTP In Progress | Indicates that an SMTP connection is currently in progress. | 1 |
| SMTP Delayed | Indicates that an SMTP connection has been delayed. | 3 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| SMTP Queued | Indicates that an SMTP connection has been queued. | 3 |
| SMTP Redirected | Indicates that an SMTP connection has been redirected. | 3 |
| Auth Opened | Indicates that an authorization server connection has been established. | 1 |
| Auth Closed | Indicates that an authorization server connection has been closed. | 1 |
| Auth Reset | Indicates that an authorization server connection has been reset. | 3 |
| Auth Terminated | Indicates that an authorization server connection has been terminated. | 4 |
| Auth Denied | Indicates that an authorization server connection has been denied. | 4 |
| Auth In Progress | Indicates that an authorization server connection is currently in progress. | 1 |
| Auth Delayed | Indicates that an authorization server connection has been delayed. | 3 |
| Auth Queued | Indicates that an authorization server connection has been queued. | 3 |
| Auth Redirected | Indicates that an authorization server connection has been redirected. | 2 |
| P2P Opened | Indicates that a Peer-to-Peer (P2P) connection has been established. | 1 |
| P2P Closed | Indicates that a P2P connection has been closed. | 1 |
| P2P Reset | Indicates that a P2P connection has been reset. | 4 |
| P2P Terminated | Indicates that a P2P connection has been terminated. | 4 |
| P2P Denied | Indicates that a P2P connection has been denied. | 3 |
| P2P In Progress | Indicates that a P2P connection is currently in progress. | 1 |
| Web Opened | Indicates that a web connection has been established. | 1 |
| Web Closed | Indicates that a web connection has been closed. | 1 |
| Web Reset | Indicates that a web connection has been reset. | 4 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| Web Terminated | Indicates that a web connection has been terminated. | 4 |
| Web Denied | Indicates that a web connection has been denied. | 4 |
| Web In Progress | Indicates that a web connection is currently in progress. | 1 |
| Web Delayed | Indicates that a web connection has been delayed. | 3 |
| Web Queued | Indicates that a web connection has been queued. | 1 |
| Web Redirected | Indicates that a web connection has been redirected. | 1 |
| Web Proxy | Indicates that a web connection has been proxied. | 1 |
| VoIP Opened | Indicates that a Voice over IP (VoIP) connection has been established. | 1 |
| VoIP Closed | Indicates that a VoIP connection has been closed. | 1 |
| VoIP Reset | Indicates that a VoIP connection has been reset. | 3 |
| VoIP Terminated | Indicates that a VoIP connection has been terminated. | 3 |
| VoIP Denied | Indicates that a VoIP connection has been denied. | 3 |
| VoIP In Progress | Indicates that a VoIP connection is currently in progress. | 1 |
| VoIP Delayed | Indicates that a VoIP connection has been delayed. | 3 |
| VoIP Redirected | Indicates that a VoIP connection has been redirected. | 3 |
| LDAP Session Started | Indicates an LDAP session has started. | 1 |
| LDAP Session Ended | Indicates an LDAP session has ended. | 1 |
| LDAP Session Denied | Indicates an LDAP session has been denied. | 3 |
| LDAP Session Status | Indicates an LDAP session status message has been reported. | 1 |
| LDAP Authentication Failed | Indicates an LDAP authentication has failed. | 4 |
| LDAP Authentication Succeeded | Indicates an LDAP authentication has been successful. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| AAA Session Started | Indicates that an Authentication, Authorization and Accounting (AAA) session has started. | 1 |
| AAA Session Ended | Indicates that an AAA session has ended. | 1 |
| AAA Session Denied | Indicates that an AAA session has been denied. | 3 |
| AAA Session Status | Indicates that an AAA session status message has been reported. | 1 |
| AAA Authentication Failed | Indicates that an AAA authentication has failed. | 4 |
| AAA Authentication Succeeded | Indicates that an AAA authentication has been successful. | 1 |
| IPSEC Authentication Failed | Indicates that an Internet Protocol Security (IPSEC) authentication has failed. | 4 |
| IPSEC Authentication Succeeded | Indicates that an IPSEC authentication has been successful. | 1 |
| IPSEC Session Started | Indicates that an IPSEC session has started. | 1 |
| IPSEC Session Ended | Indicates that an IPSEC session has ended. | 1 |
| IPSEC Error | Indicates that an IPSEC error message has been reported. | 5 |
| IPSEC Status | Indicates that an IPSEC session status message has been reported. | 1 |
| IM Session Opened | Indicates that an Instant Messenger (IM) session has been established. | 1 |
| IM Session Closed | Indicates that an IM session has been closed. | 1 |
| IM Session Reset | Indicates that an IM session has been reset. | 3 |
| IM Session Terminated | Indicates that an IM session has been terminated. | 3 |
| IM Session Denied | Indicates that an IM session has been denied. | 3 |
| IM Session In Progress | Indicates that an IM session is in progress. | 1 |
| IM Session Delayed | Indicates that an IM session has been delayed. | 3 |
| IM Session Redirected | Indicates that an IM session has been redirected. | 3 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| WHOIS Session Opened | Indicates that a WHOIS session has been established. | 1 |
| WHOIS Session Closed | Indicates that a WHOIS session has been closed. | 1 |
| WHOIS Session Reset | Indicates that a WHOIS session has been reset. | 3 |
| WHOIS Session Terminated | Indicates that a WHOIS session has been terminated. | 3 |
| WHOIS Session Denied | Indicates that a WHOIS session has been denied. | 3 |
| WHOIS Session In Progress | Indicates that a WHOIS session is in progress. | 1 |
| WHOIS Session Redirected | Indicates that a WHOIS session has been redirected. | 3 |
| Traceroute Session Opened | Indicates that a Traceroute session has been established. | 1 |
| Traceroute Session Closed | Indicates that a Traceroute session has been closed. | 1 |
| Traceroute Session Denied | Indicates that a Traceroute session has been denied. | 3 |
| Traceroute Session In Progress | Indicates that a Traceroute session is in progress. | 1 |
| TN3270 Session Opened | TN3270 is a terminal emulation program, which is used to connect to an IBM 3270 terminal. This category indicates that a TN3270 session has been established. | 1 |
| TN3270 Session Closed | Indicates that a TN3270 session has been closed. | 1 |
| TN3270 Session Reset | Indicates that a TN3270 session has been reset. | 3 |
| TN3270 Session Terminated | Indicates that a TN3270 session has been terminated. | 3 |
| TN3270 Session Denied | Indicates that a TN3270 session has been denied. | 3 |
| TN3270 Session In Progress | Indicates that a TN3270 session is in progress. | 1 |
| TFTP Session Opened | Indicates that a TFTP session has been established. | 1 |
| TFTP Session Closed | Indicates that a TFTP session has been closed. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| TFTP Session Reset | Indicates that a TFTP session has been reset. | 3 |
| TFTP Session Terminated | Indicates that a TFTP session has been terminated. | 3 |
| TFTP Session Denied | Indicates that a TFTP session has been denied. | 3 |
| TFTP Session In Progress | Indicates that a TFTP session is in progress. | 1 |
| Telnet Session Opened | Indicates that a Telnet session has been established. | 1 |
| Telnet Session Closed | Indicates that a Telnet session has been closed. | 1 |
| Telnet Session Reset | Indicates that a Telnet session has been reset. | 3 |
| Telnet Session Terminated | Indicates that a Telnet session has been terminated. | 3 |
| Telnet Session Denied | Indicates that a Telnet session has been denied. | 3 |
| Telnet Session In Progress | Indicates that a Telnet session is in progress. | 1 |
| Syslog Session Opened | Indicates that a syslog session has been established. | 1 |
| Syslog Session Closed | Indicates that a syslog session has been closed. | 1 |
| Syslog Session Denied | Indicates that a syslog session has been denied. | 3 |
| Syslog Session In Progress | Indicates that a syslog session is in progress. | 1 |
| SSL Session Opened | Indicates that a Secure Socket Layer (SSL) session has been established. | 1 |
| SSL Session Closed | Indicates that an SSL session has been closed. | 1 |
| SSL Session Reset | Indicates that an SSL session has been reset. | 3 |
| SSL Session Terminated | Indicates that an SSL session has been terminated. | 3 |
| SSL Session Denied | Indicates that an SSL session has been denied. | 3 |
| SSL Session In Progress | Indicates that an SSL session is in progress. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| SNMP Session Opened | Indicates that a Simple Network Management Protocol (SNMP) session has been established. | 1 |
| SNMP Session Closed | Indicates that an SNMP session has been closed. | 1 |
| SNMP Session Denied | Indicates that an SNMP session has been denied. | 3 |
| SNMP Session In Progress | Indicates that an SNMP session is in progress. | 1 |
| SMB Session Opened | Indicates that a Server Message Block (SMB) session has been established. | 1 |
| SMB Session Closed | Indicates that an SMB session has been closed. | 1 |
| SMB Session Reset | Indicates that an SMB session has been reset. | 3 |
| SMB Session Terminated | Indicates that an SMB session has been terminated. | 3 |
| SMB Session Denied | Indicates that an SMB session has been denied. | 3 |
| SMB Session In Progress | Indicates that an SMB session is in progress. | 1 |
| Streaming Media Session Opened | Indicates that a Streaming Media session has been established. | 1 |
| Streaming Media Session Closed | Indicates that a Streaming Media session has been closed. | 1 |
| Streaming Media Session Reset | Indicates that a Streaming Media session has been reset. | 3 |
| Streaming Media Session Terminated | Indicates that a Streaming Media session has been terminated. | 3 |
| Streaming Media Session Denied | Indicates that a Streaming Media session has been denied. | 3 |
| Streaming Media Session In Progress | Indicates that a Streaming Media session is in progress. | 1 |
| RUSERS Session Opened | Indicates that a Remote Users (RUSERS) session has been established. | 1 |
| RUSERS Session Closed | Indicates that a RUSERS session has been closed. | 1 |
| RUSERS Session Denied | Indicates that a RUSERS session has been denied. | 3 |
| RUSERS Session In Progress | Indicates that a RUSERS session is in progress. | 1 |

Table E-15 Application Category (continued)

| Low Level Event Category | Description | Severity Level (0 to 10) |
| --- | --- | --- |
| RSH Session Opened | Indicates that a Remote Shell (RSH) session has been established. | 1 |
| RSH Session Closed | Indicates that an RSH session has been closed. | 1 |
| RSH Session Reset | Indicates that an RSH session has been reset. | 3 |
| RSH Session Terminated | Indicates that an RSH session has been terminated. | 3 |
| RSH Session Denied | Indicates that an RSH session has been denied. | 3 |
| RSH Session In Progress | Indicates that an RSH session is in progress. | 1 |
| RLOGIN Session Opened | Indicates that a Remote Login (RLOGIN) session has been established. | 1 |
| RLOGIN Session Closed | Indicates that an RLOGIN session has been closed. | 1 |
| RLOGIN Session Reset | Indicates that an RLOGIN session has been reset. | 3 |
| RLOGIN Session Terminated | Indicates that an RLOGIN session has been terminated. | 3 |
| RLOGIN Session Denied | Indicates that an RLOGIN session has been denied. | 3 |
| RLOGIN Session In Progress | Indicates that an RLOGIN session is in progress. | 1 |
| REXEC Session Opened | Indicates that a Remote Execution (REXEC) session has been established. | 1 |
| REXEC Session Closed | Indicates that a REXEC session has been closed. | 1 |
| REXEC Session Reset | Indicates that a REXEC session has been reset. | 3 |
| REXEC Session Terminated | Indicates that a REXEC session has been terminated. | 3 |
| REXEC Session Denied | Indicates that a REXEC session has been denied. | 3 |
| REXEC Session In Progress | Indicates that a REXEC session is in progress. | 1 |
| RPC Session Opened | Indicates that a Remote Procedure Call (RPC) session has been established. | 1 |
| RPC Session Closed | Indicates that an RPC session has been closed. | 1 |

Table E-15 Application Category (continued)

Low Level Event Category RPC Session Reset RPC Session Terminated RPC Session Denied RPC Session In Progress NTP Session Opened NTP Session Closed NTP Session Reset NTP Session Terminated NTP Session Denied NTP Session In Progress NNTP Session Opened

Description Indicates that an RPC session has been reset. Indicates that an RPC session has been terminated. Indicates that an RPC session has been denied. Indicates that an RPC session is in progress.

Severity Level (0 to 10) 3 3 3 1

Indicates that a Network Time Protocol 1 (NTP) session has been established. Indicates that an NTP session has been closed. Indicates that an NTP session has been reset. Indicates that an NTP session has been terminated. Indicates that an NTP session has been denied. Indicates that an NTP session is in progress. 1 3 3 3 1

Indicates that a Network News Transfer 1 Protocol (NNTP) session has been established. Indicates that an NNTP session has been closed. Indicates that an NNTP session has been reset. 1 3 3 3 1 1 1 3 3

NNTP Session Closed NNTP Session Reset

NNTP Session Terminated Indicates that an NNTP session has been terminated. NNTP Session Denied Indicates that an NNTP session has been denied.

NNTP Session In Progress Indicates that an NNTP session is in progress. NFS Session Opened NFS Session Closed NFS Session Reset NFS Session Terminated Indicates that a Network File System (NFS) session has been established. Indicates that an NFS session has been closed. Indicates that an NFS session has been reset. Indicates that an NFS session has been terminated.


EVENT CATEGORIES


NFS Session Denied | Indicates that an NFS session has been denied. | 3
NFS Session In Progress | Indicates that an NFS session is in progress. | 1
NCP Session Opened | Indicates that a Network Control Program (NCP) session has been established. | 1
NCP Session Closed | Indicates that an NCP session has been closed. | 1
NCP Session Reset | Indicates that an NCP session has been reset. | 3
NCP Session Terminated | Indicates that an NCP session has been terminated. | 3
NCP Session Denied | Indicates that an NCP session has been denied. | 3
NCP Session In Progress | Indicates that an NCP session is in progress. | 1
NetBIOS Session Opened | Indicates that a NetBIOS session has been established. | 1
NetBIOS Session Closed | Indicates that a NetBIOS session has been closed. | 1
NetBIOS Session Reset | Indicates that a NetBIOS session has been reset. | 3
NetBIOS Session Terminated | Indicates that a NetBIOS session has been terminated. | 3
NetBIOS Session Denied | Indicates that a NetBIOS session has been denied. | 3
NetBIOS Session In Progress | Indicates that a NetBIOS session is in progress. | 1
MODBUS Session Opened | Indicates that a MODBUS session has been established. | 1
MODBUS Session Closed | Indicates that a MODBUS session has been closed. | 1
MODBUS Session Reset | Indicates that a MODBUS session has been reset. | 3
MODBUS Session Terminated | Indicates that a MODBUS session has been terminated. | 3
MODBUS Session Denied | Indicates that a MODBUS session has been denied. | 3
MODBUS Session In Progress | Indicates that a MODBUS session is in progress. | 1


LPD Session Opened | Indicates that a Line Printer Daemon (LPD) session has been established. | 1
LPD Session Closed | Indicates that an LPD session has been closed. | 1
LPD Session Reset | Indicates that an LPD session has been reset. | 3
LPD Session Terminated | Indicates that an LPD session has been terminated. | 3
LPD Session Denied | Indicates that an LPD session has been denied. | 3
LPD Session In Progress | Indicates that an LPD session is in progress. | 1
Lotus Notes Session Opened | Indicates that a Lotus Notes session has been established. | 1
Lotus Notes Session Closed | Indicates that a Lotus Notes session has been closed. | 1
Lotus Notes Session Reset | Indicates that a Lotus Notes session has been reset. | 3
Lotus Notes Session Terminated | Indicates that a Lotus Notes session has been terminated. | 3
Lotus Notes Session Denied | Indicates that a Lotus Notes session has been denied. | 3
Lotus Notes Session In Progress | Indicates that a Lotus Notes session is in progress. | 1
Kerberos Session Opened | Indicates that a Kerberos session has been established. | 1
Kerberos Session Closed | Indicates that a Kerberos session has been closed. | 1
Kerberos Session Reset | Indicates that a Kerberos session has been reset. | 3
Kerberos Session Terminated | Indicates that a Kerberos session has been terminated. | 3
Kerberos Session Denied | Indicates that a Kerberos session has been denied. | 3
Kerberos Session In Progress | Indicates that a Kerberos session is in progress. | 1
IRC Session Opened | Indicates that an Internet Relay Chat (IRC) session has been established. | 1
IRC Session Closed | Indicates that an IRC session has been closed. | 1


IRC Session Reset | Indicates that an IRC session has been reset. | 3
IRC Session Terminated | Indicates that an IRC session has been terminated. | 3
IRC Session Denied | Indicates that an IRC session has been denied. | 3
IRC Session In Progress | Indicates that an IRC session is in progress. | 1
IEC 104 Session Opened | Indicates that an IEC 104 session has been established. | 1
IEC 104 Session Closed | Indicates that an IEC 104 session has been closed. | 1
IEC 104 Session Reset | Indicates that an IEC 104 session has been reset. | 3
IEC 104 Session Terminated | Indicates that an IEC 104 session has been terminated. | 3
IEC 104 Session Denied | Indicates that an IEC 104 session has been denied. | 3
IEC 104 Session In Progress | Indicates that an IEC 104 session is in progress. | 1
Ident Session Opened | Indicates that a TCP Client Identity Protocol (Ident) session has been established. | 1
Ident Session Closed | Indicates that an Ident session has been closed. | 1
Ident Session Reset | Indicates that an Ident session has been reset. | 3
Ident Session Terminated | Indicates that an Ident session has been terminated. | 3
Ident Session Denied | Indicates that an Ident session has been denied. | 3
Ident Session In Progress | Indicates that an Ident session is in progress. | 1
ICCP Session Opened | Indicates that an Inter-Control Center Communications Protocol (ICCP) session has been established. | 1
ICCP Session Closed | Indicates that an ICCP session has been closed. | 1
ICCP Session Reset | Indicates that an ICCP session has been reset. | 3
ICCP Session Terminated | Indicates that an ICCP session has been terminated. | 3


ICCP Session Denied | Indicates that an ICCP session has been denied. | 3
ICCP Session In Progress | Indicates that an ICCP session is in progress. | 1
Groupwise Session Opened | Indicates that a Groupwise session has been established. | 1
Groupwise Session Closed | Indicates that a Groupwise session has been closed. | 1
Groupwise Session Reset | Indicates that a Groupwise session has been reset. | 3
Groupwise Session Terminated | Indicates that a Groupwise session has been terminated. | 3
Groupwise Session Denied | Indicates that a Groupwise session has been denied. | 3
Groupwise Session In Progress | Indicates that a Groupwise session is in progress. | 1
Gopher Session Opened | Indicates that a Gopher session has been established. | 1
Gopher Session Closed | Indicates that a Gopher session has been closed. | 1
Gopher Session Reset | Indicates that a Gopher session has been reset. | 3
Gopher Session Terminated | Indicates that a Gopher session has been terminated. | 3
Gopher Session Denied | Indicates that a Gopher session has been denied. | 3
Gopher Session In Progress | Indicates that a Gopher session is in progress. | 1
GIOP Session Opened | Indicates that a General Inter-ORB Protocol (GIOP) session has been established. | 1
GIOP Session Closed | Indicates that a GIOP session has been closed. | 1
GIOP Session Reset | Indicates that a GIOP session has been reset. | 3
GIOP Session Terminated | Indicates that a GIOP session has been terminated. | 3
GIOP Session Denied | Indicates that a GIOP session has been denied. | 3
GIOP Session In Progress | Indicates that a GIOP session is in progress. | 1


Finger Session Opened | Indicates that a Finger session has been established. | 1
Finger Session Closed | Indicates that a Finger session has been closed. | 1
Finger Session Reset | Indicates that a Finger session has been reset. | 3
Finger Session Terminated | Indicates that a Finger session has been terminated. | 3
Finger Session Denied | Indicates that a Finger session has been denied. | 3
Finger Session In Progress | Indicates that a Finger session is in progress. | 1
Echo Session Opened | Indicates that an Echo session has been established. | 1
Echo Session Closed | Indicates that an Echo session has been closed. | 1
Echo Session Denied | Indicates that an Echo session has been denied. | 3
Echo Session In Progress | Indicates that an Echo session is in progress. | 1
Remote .NET Session Opened | Indicates that a Remote .NET session has been established. | 1
Remote .NET Session Closed | Indicates that a Remote .NET session has been closed. | 1
Remote .NET Session Reset | Indicates that a Remote .NET session has been reset. | 3
Remote .NET Session Terminated | Indicates that a Remote .NET session has been terminated. | 3
Remote .NET Session Denied | Indicates that a Remote .NET session has been denied. | 3
Remote .NET Session In Progress | Indicates that a Remote .NET session is in progress. | 1
DNP3 Session Opened | Indicates that a Distributed Network Protocol (DNP3) session has been established. | 1
DNP3 Session Closed | Indicates that a DNP3 session has been closed. | 1
DNP3 Session Reset | Indicates that a DNP3 session has been reset. | 3
DNP3 Session Terminated | Indicates that a DNP3 session has been terminated. | 3


DNP3 Session Denied | Indicates that a DNP3 session has been denied. | 3
DNP3 Session In Progress | Indicates that a DNP3 session is in progress. | 1
Discard Session Opened | Indicates that a Discard session has been established. | 1
Discard Session Closed | Indicates that a Discard session has been closed. | 1
Discard Session Reset | Indicates that a Discard session has been reset. | 3
Discard Session Terminated | Indicates that a Discard session has been terminated. | 3
Discard Session Denied | Indicates that a Discard session has been denied. | 3
Discard Session In Progress | Indicates that a Discard session is in progress. | 1
DHCP Session Opened | Indicates that a Dynamic Host Configuration Protocol (DHCP) session has been established. | 1
DHCP Session Closed | Indicates that a DHCP session has been closed. | 1
DHCP Session Denied | Indicates that a DHCP session has been denied. | 3
DHCP Session In Progress | Indicates that a DHCP session is in progress. | 1
DHCP Success | Indicates that a DHCP lease has been successfully obtained. | 1
DHCP Failure | Indicates that a DHCP lease could not be obtained. | 3
CVS Session Opened | Indicates that a Concurrent Versions System (CVS) session has been established. | 1
CVS Session Closed | Indicates that a CVS session has been closed. | 1
CVS Session Reset | Indicates that a CVS session has been reset. | 3
CVS Session Terminated | Indicates that a CVS session has been terminated. | 3
CVS Session Denied | Indicates that a CVS session has been denied. | 3
CVS Session In Progress | Indicates that a CVS session is in progress. | 1


CUPS Session Opened | Indicates that a Common Unix Printing System (CUPS) session has been established. | 1
CUPS Session Closed | Indicates that a CUPS session has been closed. | 1
CUPS Session Reset | Indicates that a CUPS session has been reset. | 3
CUPS Session Terminated | Indicates that a CUPS session has been terminated. | 3
CUPS Session Denied | Indicates that a CUPS session has been denied. | 3
CUPS Session In Progress | Indicates that a CUPS session is in progress. | 1
Chargen Session Started | Indicates that a Character Generator (Chargen) session has been started. | 1
Chargen Session Closed | Indicates that a Chargen session has been closed. | 1
Chargen Session Reset | Indicates that a Chargen session has been reset. | 3
Chargen Session Terminated | Indicates that a Chargen session has been terminated. | 3
Chargen Session Denied | Indicates that a Chargen session has been denied. | 3
Chargen Session In Progress | Indicates that a Chargen session is in progress. | 1
Misc VPN | Indicates that a miscellaneous VPN session has been detected. | 1
DAP Session Started | Indicates that a DAP session has been established. | 1
DAP Session Ended | Indicates that a DAP session has ended. | 1
DAP Session Denied | Indicates that a DAP session has been denied. | 3
DAP Session Status | Indicates that a DAP session status request has been made. | 1
DAP Session in Progress | Indicates that a DAP session is in progress. | 1
DAP Authentication Failed | Indicates that a DAP authentication has failed. | 4
DAP Authentication Succeeded | Indicates that DAP authentication has succeeded. | 1


TOR Session Started | Indicates that a TOR session has been established. | 1
TOR Session Closed | Indicates that a TOR session has been closed. | 1
TOR Session Reset | Indicates that a TOR session has been reset. | 3
TOR Session Terminated | Indicates that a TOR session has been terminated. | 3
TOR Session Denied | Indicates that a TOR session has been denied. | 3
TOR Session In Progress | Indicates that a TOR session is in progress. | 1
Game Session Started | Indicates a game session has started. | 1
Game Session Closed | Indicates a game session has been closed. | 1
Game Session Reset | Indicates a game session has been reset. | 3
Game Session Terminated | Indicates a game session has been terminated. | 3
Game Session Denied | Indicates a game session has been denied. | 3
Game Session In Progress | Indicates a game session is in progress. | 1
Admin Login Attempt | Indicates that an attempt to log in as an administrative user has been detected. | 2
User Login Attempt | Indicates that an attempt to log in as a non-administrative user has been detected. | 2

Audit

The Audit category indicates audit-related events. The associated low-level event categories include:
Table E-16 Audit Categories

Low Level Event Category | Description | Severity Level (0 to 10)
General Audit Event | Indicates a general audit event has been started. | 1
Built-in Execution | Indicates that a built-in audit task has been executed. | 1
Bulk Copy | Indicates that a bulk copy of data has been detected. | 1


Data Dump | Indicates that a data dump has been detected. | 1
Data Import | Indicates that a data import has been detected. | 1
Data Selection | Indicates that a data selection process has been detected. | 1
Data Truncation | Indicates that the data truncation process has been detected. | 1
Data Update | Indicates that the data update process has been detected. | 1
Procedure/Trigger Execution | Indicates that the database procedure or trigger execution has been detected. | 1
Schema Change | Indicates that the schema for a procedure or trigger execution has been altered. | 1

Risk

The Risk category indicates events related to STRM Risk Manager. The associated low-level event categories include:
Table E-17 Risk Categories

Low Level Event Category | Description | Severity Level (0 to 10)
Compliance Violation | Indicates a compliance violation has been detected. | 5
Data Loss Possible | Indicates that the possibility of data loss has been detected. | 5
Exposed Vulnerability | Indicates that the network or device has an exposed vulnerability. | 9
Fraud | Indicates a host or device is susceptible to fraud. | 7
Local Access Vulnerability | Indicates that the network or device has a local access vulnerability. | 7
Loss of Confidentiality | Indicates that a loss of confidentiality has been detected. | 5
Mis-Configured Rule | Indicates a rule is not configured properly. | 3
Mis-Configured Device | Indicates a device on the network is not configured properly. | 3
Mis-Configured Host | Indicates a network host is not configured properly. | 3
No Password | Indicates no password exists. | 7


Open Wireless Access | Indicates that the network or device has open wireless access. | 5
Policy Exposure | Indicates a policy exposure has been detected. | 5
Possible DoS Target | Indicates a host or device is a possible DoS target. | 3
Possible DoS Weakness | Indicates a host or device has a possible DoS weakness. | 3
Remote Access Vulnerability | Indicates that the network or device has a remote access vulnerability. | 9
Un-Encrypted Data Transfer | Indicates that a host or device is transmitting data that is not encrypted. | 3
Un-Encrypted Data Store | Indicates that the data store is not encrypted. | 3
Weak Authentication | Indicates a host or device is susceptible to fraud. | 5
Weak Encryption | Indicates that the host or device has weak encryption. | 5


CONFIGURING FLOW FORWARDING FROM PRE-2010.0 OFF-SITE FLOW SOURCES


STRM 2010.0 introduced a new flow communication protocol, changing the way components communicate. We recommend that you upgrade all systems in your deployment to STRM 2010.0; however, if you do not upgrade systems in your deployment hosting off-site flow sources, additional configuration is required. You must add a single flow source configured with the Pre-2010.0 Off-site Flow Source option selected for the Flow Source Type parameter. This enables conversion of flows from pre-2010.0 off-site flow sources to the STRM 2010.0 off-site target. If you subsequently upgrade the off-site flow sources to STRM 2010.0, you must remove the flow converter and reconfigure flow forwarding from the upgraded off-site flow sources to the off-site target. This appendix provides information on configuring flow forwarding from pre-2010.0 off-site flow sources, including:

Configuring Flow Forwarding from pre-2010.0 Off-site Flow Sources
Reconfiguring Flow Forwarding from Upgraded Off-site Flow Sources

Configuring Flow Forwarding from pre-2010.0 Off-site Flow Sources

To configure flow forwarding from off-site flow sources running STRM 2009.2 or earlier to an off-site target running STRM 2010.0, you must:

Add an off-site target on each pre-2010.0 off-site flow source. See Adding a STRM 2010.0 Off-Site Target to a Pre-2010.0 Off-Site Flow Source.
Create a pre-2010.0 off-site flow source on the STRM 2010.0 Console. See Creating a Pre-2010.0 Off-Site Flow Source.

Adding a STRM 2010.0 Off-Site Target to a Pre-2010.0 Off-Site Flow Source

To add the off-site target to the pre-2010.0 off-site flow source(s):

Note: You must repeat this procedure for each pre-2010.0 off-site flow source in your deployment.
Step 1 Log in to the system hosting the pre-2010.0 off-site flow source.


Note: The following steps were documented using STRM 2009.2. If you are using an earlier version, the steps may vary.
Step 2 In the deployment editor, click the Flow View tab.

The Flow View interface is displayed.


Step 3 In the Flow Components panel, select the Off-site Target component.

The Name component window is displayed.


Step 4 Type a unique name for the off-site target you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name. Click Next.

The flow source/target information window is displayed.
Step 5 Enter values for the parameters:

Enter a name for the off-site host - Type the name of the off-site target host. The name can be up to 15 characters in length and may include underscores or hyphens.
Enter the IP address of the server - Type the IP address of the off-site target host to which you want to connect.
Enter port of managed host - Type the off-site target host port number. For information on off-site target configuration, see Chapter 8 - Using the Deployment Editor.
Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source.

Step 6 Click Next.
Step 7 Click Finish.

The component appears in your Flow View interface.


Step 8 Select the Flow Processor component.
Step 9 From the menu, select Actions > Add Connection.

An arrow appears in your map.


Step 10 Drag the end of the arrow to the off-site target.

The arrow connects the two components.


Step 11 From the menu, select File > Save to staging.
Step 12 From the Admin interface menu, click Deploy Changes.

Now you must access the STRM 2010.0 Console and configure the pre-2010.0 off-site flow source.


Creating a Pre-2010.0 Off-Site Flow Source

Creating a pre-2010.0 off-site flow source enables conversion of flows from pre-2010.0 off-site flow sources to the STRM 2010.0 off-site target. To create a pre-2010.0 off-site flow source on the STRM 2010.0 Console:

Step 1 Log in to the STRM 2010.0 Console.
Step 2 Click the Admin tab.

The Admin interface is displayed.


Step 3 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 4 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 5 Click the Flow Sources icon.

The Flow Sources window is displayed.


Step 6 Click Add.

The Add Flow Source window is displayed.


Step 7 Enter values for the parameters:

Table F-1 Add Flow Source Window Parameters

Parameter | Description
Build from existing flow source | Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Flow Source Name | Type the name of the flow source. We recommend that for an external flow source that is also a physical device, you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. Note: Make sure you record the assigned name.
Target Collector | From the drop-down list box, select the Event Collector you want to use for this flow source.
Flow Source Type | From the drop-down list box, select Pre-2010.0 Off-site Flow Source.
Enable Asymmetric Flows | In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select the check box if you want to enable asymmetric flows for this flow source.


Flow Source Address | Type the address(es) of the off-site flow source host(s) in the following format:
<IP address1>:<port1>[:<cidr1|cidr2|cidr3...>][,<IP address2>:<port2>[:<cidr1|cidr2|cidr3...>]]...
Where:
- <IP address> specifies the IP address of the off-site flow source. This is usually the system in the earlier STRM deployment running the Central Flow Processor, for example, your STRM 2500 FP appliance.
- <port> is the off-site flow source listen port. On older STRM systems, you can display the port number in the deployment editor by right-clicking the flow processor and selecting Configure. Typically, the port number is between 32001 and 32010.
- <cidr> is the CIDR range for which you want to request flow traffic. This is an optional parameter. The default is for all flows to be forwarded to the off-site target.
For examples of flow source addresses, see Sample Flow Source Addresses.
Encrypt Traffic From Flow Source | Select the check box if you want to encrypt traffic from the flow source. The default is clear. To ensure appropriate access, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the STRM 2010.0 Console to the pre-2010.0 off-site flow source host (copy the file to /root/.ssh/authorized_keys). We also recommend copying the public key from the pre-2010.0 off-site flow source host to the STRM 2010.0 Console. This ensures encryption is maintained after upgrading the pre-2010.0 off-site flow source to STRM 2010.0. Note: If traffic is encrypted from the flow source, a tunneled channel is created for each pre-2010.0 off-site flow source IP address and port connected to the Event Collector.
Step 8 From the Admin interface menu, select Advanced > Deploy Full Configuration.

Sample Flow Source Addresses

The following table provides examples of flow source addresses:
Table F-2 Example Pre-2010.0 Off-site Flow Source Addresses

Flow Source Address | Description
10.10.10.10:32001 | STRM 2500 FP Flow Processor appliance running STRM 2009.2 software.
10.10.10.11/32001, 10.10.10.12/32002 | Distributed STRM 2009.1 deployment with two STRM 2500 FP Flow Processor appliances.


10.10.10.10:32001:10.20.0.0/8 | STRM 2500 FP Flow Processor appliance running STRM 2009.2 software and requesting flows from the CIDR range of 10.20.0.0/8.
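As an added example (not part of the STRM guide or product), a Python validator for the Flow Source Address format described in Table F-1, so a mistyped entry is caught before Deploy Full Configuration pushes it out. The FlowSource class, function names and warning texts are my own; the port range 32001 to 32010 and the 10.20.0.0/8 address come from this appendix.

```python
"""Validate the Flow Source Address string for a pre-2010.0 off-site flow source.

Added example, not part of STRM or its documentation. It implements the format
documented for the Flow Source Address parameter:

    <IP address1>:<port1>[:<cidr1|cidr2|...>][,<IP address2>:<port2>[:<cidr...>]]...

The typical listen port range (32001 to 32010) only produces a warning, because
the guide says "typically", not "always".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# From the guide: the flow processor port is "typically between 32001 and 32010".
TYPICAL_PORTS = range(32001, 32011)


@dataclass
class FlowSource:
    ip: str
    port: int
    cidrs: List[str] = field(default_factory=list)     # empty: all flows are forwarded
    warnings: List[str] = field(default_factory=list)


def _parse_entry(entry: str) -> FlowSource:
    """Parse one <ip>:<port>[:<cidr|cidr...>] entry; raise ValueError on bad input."""
    parts = entry.split(":", 2)        # at most three fields: ip, port, cidr list
    if len(parts) < 2:
        raise ValueError("expected <ip>:<port>[:<cidr|...>], got %r" % entry)
    ip_text, port_text = parts[0].strip(), parts[1].strip()
    try:
        ip = str(ipaddress.IPv4Address(ip_text))
    except ipaddress.AddressValueError:
        raise ValueError("invalid IPv4 address %r in %r" % (ip_text, entry)) from None
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError("invalid port %r in %r" % (port_text, entry))
    src = FlowSource(ip=ip, port=int(port_text))
    if src.port not in TYPICAL_PORTS:
        src.warnings.append(
            "port %d is outside the usual flow processor range 32001-32010" % src.port)
    if len(parts) == 3:
        for cidr_text in parts[2].split("|"):
            cidr_text = cidr_text.strip()
            try:
                # strict=False accepts ranges whose host bits are set, such as the
                # 10.20.0.0/8 example in Table F-2, instead of rejecting them.
                net = ipaddress.IPv4Network(cidr_text, strict=False)
            except ValueError:
                raise ValueError("invalid CIDR %r in %r" % (cidr_text, entry)) from None
            if str(net) != cidr_text:
                src.warnings.append(
                    "CIDR %s has host bits set; the requested range is %s" % (cidr_text, net))
            src.cidrs.append(cidr_text)   # keep exactly what the operator typed
    return src


def parse_flow_source_address(value: str) -> List[FlowSource]:
    """Parse the comma-separated list of off-site flow source entries."""
    entries = [e.strip() for e in value.split(",")]
    if any(not e for e in entries):
        raise ValueError("empty entry in flow source address %r" % value)
    return [_parse_entry(e) for e in entries]


if __name__ == "__main__":
    # Address taken from Table F-2: one STRM 2500 FP requesting a CIDR range.
    for src in parse_flow_source_address("10.10.10.10:32001:10.20.0.0/8"):
        print(src)
```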

Reconfiguring Flow Forwarding from Upgraded Off-site Flow Sources

After upgrading your off-site flow sources to STRM 2010.0, flow conversion is no longer required. To continue flow forwarding from these upgraded off-site flow sources, you must:

Remove the pre-2010.0 off-site flow source. See Removing the Pre-2010.0 Off-Site Flow Source.
Add the off-site target to the off-site flow source(s). See Reconnecting the Off-site Target.
Add the off-site source(s) to the off-site target. See Adding the Off-site Source.

Removing the Pre-2010.0 Off-Site Flow Source

To delete the pre-2010.0 off-site flow source:

Step 1 Log in to the STRM 2010.0 Console.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.

The Data Sources panel is displayed.


Step 4 In the navigation menu, click Flows.

The Flows panel is displayed.


Step 5 Click the Flow Sources icon.

The Flow Source window is displayed.


Step 6 Select the pre-2010.0 off-site flow source you want to delete.
Step 7 Click Delete.

A confirmation window is displayed.


Step 8 Click OK.
Step 9 From the Admin interface menu, select Advanced > Deploy Full Configuration.

Reconnecting the Off-site Target

To reconnect the off-site target to the off-site flow source(s):

Note: You must repeat this procedure for each upgraded off-site flow source.


Step 1 Log in to the system hosting the upgraded off-site flow source.
Step 2 In the Admin interface, click Deployment Editor.

The Event View interface is displayed.


Step 3 In the right panel, reconnect the source Event Collector to the off-site target.

Note: Make sure the event/flow forwarding port is configured correctly for the off-site target. For information on connecting components, see Chapter 8 - Using the Deployment Editor - Connecting Components.
Step 4 From the menu, select File > Save to staging.
Step 5 From the Admin interface menu, click Deploy Changes.

Adding the Off-site Source

To add the off-site source to off-site target:

Step 1 Log in to the Console.
Step 2 In the Admin interface, click Deployment Editor.

The Event View interface is displayed.


Step 3 In the left panel, select the Off-site Source component.

The Adding a New Component wizard is displayed.


Step 4 Type a unique name for the off-site source you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name. Click Next.

The Assign Component window is displayed.

Step 5 From the Select a host drop-down list box, select the off-site flow source from which you want to forward flows. Click Next.

Note: You must repeat this step for all upgraded off-site flow sources.

The Component ready to be added window is displayed.
Step 6 Click Finish.

The component appears in your Event View interface.


Step 7 From the menu, select File > Save to staging.
Step 8 From the Admin interface menu, click Deploy Changes.


TROUBLESHOOTING HARD DRIVE ERRORS

This chapter provides information on hard drive alarms on STRM devices, where STRM does not recognize a hard drive and the RAID array fails to rebuild it.

Solution

For STRM 500:
Step 1 Log in to the STRM Console as the root user.
Step 2 Run SIstatus.

This command is available only on 2008.2 and later versions.


# SIstatus -h
Usage: ./SIstatus [-i] [-s] [-a] [-c<0|1>] [-x] [-h]
  -i       (print RAID information)
  -s       (print RAID status)
  -a       (clear alarms)
  -c<0|1>  (Start consistency check on disk 0 or 1)
  -x<0|1>  (Stop consistency check on disk 0 or 1)
  -h       (print Usage information)
SIstatus: rev 1.2

Note: Running this command more than once per 10 seconds impacts RAID performance.

For STRM 2500 and 5000:
Step 1 Log in to the STRM Console as the root user.
Step 2 Run arcconf.

This command is available only on 2008.3 and later versions.


[root@localhost ~]# /usr/StorMan/arcconf getstatus 1
Controllers found: 1
Logical device Task:
   Logical device                 : 0
   Task ID                        : 101
   Current operation              : Rebuild
   Status                         : In Progress
   Priority                       : High
   Percentage complete            : 46

Command completed successfully.
[root@localhost ~]# /usr/StorMan/arcconf getlogs 1 event tabular

This command gives you the logs for the RAID controller. The commands to view the STRM 2500/5000/5000 NEBS RAID status are as follows:

For logical drive status (the logical drive should be Optimal; the STRM 5000 NEBS should have 8 drive groups in the RAID 10 logical drive):
/usr/StorMan/arcconf getconfig 1 ld

For Physical drives status:


/usr/StorMan/arcconf getconfig 1 pd

For full adapter status/logical/physical devices:


/usr/StorMan/arcconf getconfig 1

To view a drive rebuilding status/percent complete:


/usr/StorMan/arcconf getstatus 1

To silence an alarm on the Adaptec RAID controller (if it is sounding):


/usr/StorMan/arcconf setalarm 1 silence
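As an added example (not from the guide or from Adaptec), a small Python monitor that reads the arcconf getstatus 1 output shown above and reports rebuild progress, so a periodic job can alert when a rebuild stops advancing; the function names and the stall check are my own, and the sample output is constructed from the block quoted in this chapter.

```python
"""Read the rebuild task out of `arcconf getstatus 1` output.

Added example, not part of STRM or of Adaptec's arcconf tool. It parses the
"Logical device Task" block that arcconf prints on an STRM 2500/5000 and
reports how far a rebuild has progressed.
"""
import re
from typing import Dict, Optional

# Constructed from the arcconf getstatus output shown in this chapter.
SAMPLE_GETSTATUS = """\
Controllers found: 1
Logical device Task:
   Logical device                 : 0
   Task ID                        : 101
   Current operation              : Rebuild
   Status                         : In Progress
   Priority                       : High
   Percentage complete            : 46

Command completed successfully.
"""

# "   Percentage complete            : 46"  ->  key "Percentage complete", val "46"
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>\S.*?)\s*$")


def parse_getstatus(text: str) -> Dict:
    """Return the controller count, the task blocks, and whether arcconf reported success."""
    result = {"controllers": None, "tasks": [], "ok": False}
    current = None  # the task block currently being filled
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Controllers found:"):
            result["controllers"] = int(stripped.split(":", 1)[1])
        elif stripped == "Logical device Task:":
            current = {}
            result["tasks"].append(current)
        elif stripped.startswith("Command completed successfully"):
            result["ok"] = True
            current = None
        elif current is not None and stripped:
            m = FIELD.match(line)
            if m:
                current[m.group("key")] = m.group("val")
    return result


def rebuild_progress(text: str) -> Optional[Dict]:
    """The Rebuild task as {"device", "status", "percent"}, or None when none is listed."""
    for task in parse_getstatus(text)["tasks"]:
        if task.get("Current operation") == "Rebuild":
            return {
                "device": int(task["Logical device"]),
                "status": task["Status"],
                "percent": int(task["Percentage complete"]),
            }
    return None


def rebuild_stalled(previous_percent: int, text: str) -> bool:
    """True when a rebuild is still In Progress but has not advanced since the last poll."""
    progress = rebuild_progress(text)
    if progress is None or progress["status"] != "In Progress":
        return False
    return progress["percent"] <= previous_percent


if __name__ == "__main__":
    print(rebuild_progress(SAMPLE_GETSTATUS))
```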

If you run into errors similar to the one shown below when running arcconf:

[root@strm-2500-1 StorMan]# ./arcconf
./arcconf: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

install the RPM compat-libstdc++-33-3.2.3-61.x86_64.rpm. Download the RPM from:
http://download.juniper.net/software/strm/compat-libstdc++-33-3.2.3-61.x86_64.rpm

MD5SUM: 05c5f5e45ab44aceb6269bcaa532003b *compat-libstdc++-33-3.2.3-61.x86_64.rpm


Install the RPM using the command:

# rpm -Uvh compat-libstdc++-33-3.2.3-61.x86_64.rpm

You can download the arcconf and SIstatus utilities from:
SIstatus - http://download.juniper.net/software/strm/SIstatus-12.zip
Arcconf - http://www.adaptec.com/en-US/speed/raid/aac/sm/asm-linux_v2_12%28922%29_rpm.htm
Arcconf Manager Guide - https://download.juniper.net/software/strm/RAID/ArcconfUserGuide.pdf (RAID Users Guide.pdf)


MONITORING UTILITIES FOR POWER SUPPLY AND FAN

This chapter provides information on the utilities for monitoring the STRM 2010.0 power supply, CPU, and fan modules.

For Series I STRM 500/STRM 2500/STRM 5000:

The Supero Doctor utility (sdt) can be used to monitor the power supply, fans, and CPU temperature on STRM devices. This utility is available on STRM devices beginning with version 2008.3. To access the utility, log in to the STRM as the root user using SSH and enter the following command:
[root@strm-2500-1 ~]# sdt

*****************************************************************************
Supero Doctor II - Linux version 2.38j(080604)
Copyright(c) 1993-2008 by Super Micro Computer, Inc.
http://supermicro.com/
*****************************************************************************
Monitored Item           High Limit   Low Limit   Status
----------------------------------------------------------------------
Fan1 Fan Speed                        712         2909
Fan2 Fan Speed                        712         2960
Fan3 Fan Speed                        712         3068
Fan4 Fan Speed                        712         0           Warning!
Fan5 Fan Speed                        712         0           Warning!
Power1 Fan 1 Speed                    5954        8015
Power2 Fan 1 Speed                    0           0           Warning!
CPU Core Voltage         1.48         0.92        1.28
+1.5V Voltage            1.64         1.34        1.49
+12V Voltage             13.06        10.62       11.78
+3.3V Voltage            3.63         2.96        3.26
DIMM Voltage             1.98         1.62        1.84
+5V Voltage              5.50         4.51        4.99
System Temperature       60/140                   30/86
CPU Temperature          75/167                   19/66
Power1 Temperature       75/167                   35/95
Power2 Temperature       0/32                     0/32        Warning!
Chassis Intrusion                                 Bad         Warning!
Power1 Supply Failure                             Good
Power2 Supply Failure                             Good
[root@strm-2500-1 ~]#

If you receive an error while running the utility, enter the following command first, and then re-run the utility.
[root@strm500-2 ~]# mknod -m 600 /dev/i2c-0 c 89 0

For Series II STRM 500/STRM 2500, use lm_sensors:


[root@strm2500_104 ~]# service lm_sensors start
Starting lm_sensors:                                       [ OK ]
[root@strm2500_104 ~]# service lm_sensors status
w83627dhg-isa-0290
Adapter: ISA adapter
VCore:     +1.29 V   (min =  +0.92 V, max =  +1.48 V)
in1:       +9.82 V   (min =  +8.87 V, max = +10.82 V)
AVCC:      +3.25 V   (min =  +2.96 V, max =  +3.63 V)
3VCC:      +3.25 V   (min =  +0.10 V, max =  +0.16 V)   ALARM
in4:       +1.82 V   (min =  +1.62 V, max =  +1.98 V)
in5:       +1.23 V   (min =  +1.13 V, max =  +1.38 V)
in6:       +2.41 V   (min =  +2.12 V, max =  +2.61 V)
VSB:       +3.25 V   (min =  +2.96 V, max =  +3.63 V)
VBAT:      +3.25 V   (min =  +2.96 V, max =  +3.63 V)
Case Fan:  3013 RPM  (min =  712 RPM, div = 8)
CPU Fan:   2960 RPM  (min =  712 RPM, div = 8)
Aux Fan:      0 RPM  (min =  753 RPM, div = 128)   ALARM
fan4:      3125 RPM  (min =  712 RPM, div = 8)
fan5:         0 RPM  (min =  753 RPM, div = 128)   ALARM
Sys Temp:    +28C    (high =  +60C, hyst =  +55C)   [thermistor]
CPU Temp:  +12.5C    (high = +75.0C, hyst = +70.0C) [CPU diode ]
AUX Temp:  +99.0C    (high = +75.0C, hyst = +70.0C) [CPU diode ]   ALARM

For Series II STRM 50000/STRM 5000 NEBS, use ipmi (the chkconfig command only needs to be run once, so that the service starts automatically after a reboot or power on):
[root@strmv2-107 ~]# chkconfig ipmi on
[root@strmv2-107 ~]# service ipmi start
Starting ipmi drivers:                                     [ OK ]
[root@strmv2-107 ~]# ipmitool sdr
CPU0 below Tmax  | 59 degrees C      | ok
CPU1 below Tmax  | 60 degrees C      | ok
DIMM0 Area(RT3)  | 33 degrees C      | ok
PCI Area(RT2)    | 37 degrees C      | ok
CPU0 VCORE.      | 0.93 Volts        | ok
CPU1 VCORE       | 0.90 Volts        | ok
3.3V             | 3.36 Volts        | ok
+12V             | 12.10 Volts       | ok
VBAT             | 3.20 Volts        | ok
5V               | 4.87 Volts        | ok
Sys.2(CPU 0)     | 2250 RPM          | ok
Sys.3(Front 1)   | 2250 RPM          | ok
Sys.4(Front 2)   | 2250 RPM          | ok
PS1 Present      | 0x02              | ok
PS1 PG           | 0x01              | ok
OTP1             | 0x01              | ok
PS1 FAN          | 0x01              | ok
PS2 Present      | 0x02              | ok
PS2 PG           | 0x01              | ok
OTP2             | 0x01              | ok
PS2 FAN          | 0x01              | ok
[root@strmv2-107 ~]#
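The three utilities above each flag trouble differently (sdt prints "Warning!", lm_sensors appends "ALARM", ipmitool sdr reports a state other than "ok"). As an added example that is not part of this guide, the following POSIX shell script reduces their output to the items that need attention so a scheduled check can alert on them; the sample output and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the STRM guide: pick out the unhealthy items in the
# output of the three hardware monitors the guide shows (sdt, lm_sensors,
# ipmitool sdr). The sample data below is constructed, modelled on the guide.

SAMPLE_SDT='Fan3 Fan Speed 712 3068
Fan4 Fan Speed 712 0 Warning!
Power2 Temperature 0/32 0/32 Warning!
Power1 Supply Failure Good'

SAMPLE_LM='CPU Fan: 2960 RPM (min = 712 RPM, div = 8)
Aux Fan: 0 RPM (min = 753 RPM, div = 128) ALARM'

SAMPLE_IPMI='CPU0 below Tmax | 59 degrees C | ok
PS1 PG | 0x01 | ok
PS2 Present | 0x02 | nc'

# sdt marks a problem with "Warning!" and lm_sensors with "ALARM": keep only
# those lines (grep exits 1 when nothing matches, so swallow that status).
flag_sdt_lm() {
    printf '%s\n' "$1" | grep -E 'Warning!|ALARM' || true
}

# ipmitool sdr prints "name | reading | state"; any state other than "ok"
# in the last field (constructed sample uses "nc") needs attention.
flag_ipmi() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 3 {
        s = $NF; gsub(/^[ \t]+|[ \t]+$/, "", s)
        if (s != "ok") print
    }'
}

# Number of flagged items across the three tools; non-zero means act.
problem_count() {
    { flag_sdt_lm "$1"; flag_sdt_lm "$2"; flag_ipmi "$3"; } | awk 'END { print NR }'
}

# On an appliance the live inputs would be "$(sdt)",
# "$(service lm_sensors status)" and "$(ipmitool sdr)" instead of the samples.
problem_count "$SAMPLE_SDT" "$SAMPLE_LM" "$SAMPLE_IPMI"
```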


INDEX

A
access category 12
accumulator: about 106; retention settings 67
accumulator retention: daily 68; hourly 67
admin interface: about 3; using 4
administrative e-mail address 65
administrator role 12
aeriel database settings 68
alert e-mail from address 65
anomaly detection rules: anomaly rules (about 189; anomaly tests 75; time threshold tests 76); behavioral rules (about 189; behavioral tests 77; time threshold tests 78); threshold rules (about 189; field threshold tests 79; time threshold tests 80)
asset profile query period 66
asset profile reporting interval 66
assets role 13
asymmetric flows 156
audience 1
audit log: viewing 5
authentication: active directory 19; configuring 20; LDAP 19; LDAP/active directory 19; RADIUS 19; system 19; TACACS 19; user 19
authentication category 6
authorized services: about 89; adding 90; revoking 91; token 89; viewing 89
auto detection 138, 145
automatic update: about 60; on demand 64; scheduling 61

B
backing up your information 95
backup and recovery: about 93; deleting backup archives 95; importing backup archives 94; initiating backup 98; managing backup archives 93; restoring configuration information 99; scheduling backups 95; viewing backup archive 93
building blocks: about 174; editing 204

C
changes: deploying 5
coalescing events 66
command line max matched results 69
common rules: about 178; common property tests 53; date/time tests 68; function counter tests 64; function negative tests 69; function sequence tests 56; function simple tests 68; host profile tests 50; IP/port tests 52; network property tests 68
components 137
configuring SSL for LDAP 23
console settings 84
content capture 138
conventions 1
CRE category 24
custom rules 173
customer support: contacting 2

D
database settings 67
delete root mail setting 66
deleting backup archives 95
deploying changes 5
deployment editor: about 105; accessing 107; creating your deployment 109; event view 110; STRM components 137; requirements 109; system view 120; toolbar 108; using 107
device access 29
device management 32
discovering servers 207
DoS category 4

E
encryption 119, 120
enterprise template 1: default building blocks 20; default rules 1
event categories 1
event category correlation: access category 12; audit events category 25; authentication category 6; CRE category 24; DoS category 4; exploit category 14; flow category 24, 25, 26; high-level categories 2; malware category 15; policy category 23; potential exploit category 24; recon category 3; suspicious category 16; system category 19
Event Collector: about 111; configuring 143
Event Collector Connections 138
Event Processor: about 111; configuring 146
event retention: configuring 73; deleting 81; editing 80; enabling and disabling 80; managing 79; sequencing 79
event rules: about 177; common property tests 8; date/time tests 23; event property tests 5; function counter tests 19; function negative tests 24; function sequence tests 10; function simple tests 23; host profile tests 2; IP/port tests 4; log source tests 9; network property tests 23
event view: about 106; adding components 112; building 110; renaming components 119
exploit category 14
external flow sources 151

F
firewall access 29
flow category 25, 26
flow configuration 155
flow retention: configuring 76; deleting 81; editing 80; enabling and disabling 80; managing 79; sequencing 79
flow rules: about 177; common property tests 34; date/time tests 47; flow property tests 28; function counter tests 43; function negative tests 48; function sequence tests 35; function simple tests 47; host profile tests 26; IP/port tests 27; network property tests 47
flow source: about 151; adding aliases 160; adding flow source 155; deleting aliases 161; deleting flow source 159; editing aliases 160; editing flow source 158; enabling/disabling 158; external 151; internal 151; managing aliases 159; managing flow sources 151; virtual name 159
flowlog file 154
forwarding normalized events and flows 116
functions 173

G
global IPtables access 67

H
hashing: event log 69; flow log 69
hashing algorithm settings 70
high availability: about 39; adding 44; editing 50; restoring a failed host 53; setting HA host offline 53; setting HA host online 53
high-level categories 2
host: adding 122
host context 106, 132

I
importing backup archives 94
initiating a backup 98
interface roles 32
internal flow sources 151
IP right click menu extension role 13

J
J-Flow 153

L
LDAP 19
license key: exporting 27; managing 25
log activity role 12

M
Magistrate: about 111; configuring 148
malware category 15
managed host: adding 122; assigning components 131; editing 124; removing 126; setting-up 31
managing backup archives 93
MIB 1

N
NAT: editing 128; enabling 126; removing 129; using with STRM 126
NetFlow 137, 152
Net-SNMP 7
network activity role 13
Network Address Translation. See NAT
network hierarchy: creating 55
network taps 137

O
offense rules: about 178; date/time tests 71; function tests 71; IP/port tests 70; log source tests 72; offense property tests 72
offenses role 12
off-site source 117
off-site target 117

P
Packeteer 153
partition tester time-out 67
passwords: changing 33
policy category 23
potential exploit category 24, 25
pre-2010.0 off-site flow sources 1
preferences 5

Q
QFlow Collector: configuring 137; QFlow Collector ID 138; STRM components 137

R
RADIUS authentication 19
RDATE 34
recon category 3
remote networks groups 163
remote networks object: adding 164; editing 166
remote service groups 167
remote services object: adding 168; editing 169
reporting max matched results 69
reporting roles 13
resetting SIM 5
resolution interval length 65
restarting system 28
restoring configuration information 99: different IP address 101; same IP address 100
retention buckets 72
retention period: asset profile 68; attacker history 68; offense 68
roles: about 9; admin 12; assets 13; creating 10; deleting 16; editing 15; IP right click menu extension 13; log activity 12; managing 9; network activity 13; offenses 12; reporting 13; risks 14
rules: about 173; copying 199; creating anomaly detection rules 189; creating custom rules 177; deleting 200; enabling/disabling 199; groups 200 (assigning 204; copying 203; creating 201; deleting 203; editing 202); viewing 174

S
scheduling your backup 95
search results retention period 68
servers: discovering 207
services: authorized 89
sFlow 153
shutting down system 28
SIM: resetting 5
SNMP settings 71
source: off-site 117
storage location: asset profile 68; flow data 68; log source 68
store event payload 67
suspicious category 16
syslog forwarding 209: adding 209; deleting 211; editing 210
syslog event timeout 67
system: restarting 28; shutting down 28
system authentication 19
system category 19
system notifications 81
system settings: administrative e-mail address 65; alert e-mail from address 65; asset profile query period 66; asset profile reporting interval 66; asset profile retention period 68; asset profile storage location 68; attacker history retention period 68; coalescing events 66; command line execution time limit 69; command line max matched results 69; configuring 65; daily accumulator retention 68; delete root mail 66; event log hashing 69; flow data storage location 68; flow log hashing 69; global IPtables access 67; hashing algorithm 70; hourly accumulator retention 67; log source storage location 68; partition tester time-out 67; reporting execution time limit 69; reporting max matched results 69; resolution interval length 65; retention period offense 68; search results retention period 68; store event payload 67; syslog event timeout 67; temporary files retention period 66; TNC recommendation enable 66; user data files 67; VIS passive host profile interval 66; web execution time limit 69; web last minute execution time limit 69
system time 34
system view: about 106; adding a host 122; assigning components 131; Host Context 132; managed host 131; managing 120

T
TACACS authentication 19
target: off-site 117
templates: enterprise 1
temporary files retention period 66
tests: about 174
thresholds 81
time 34
time limit: command line execution 69; reporting execution 69; web execution 69; web last minute execution 69
TNC recommendation enable 66
transaction sentry 70

U
updating user details 5
user accounts: managing 16
user data files 67
user roles 9
users: authentication 19; creating account 16; disabling account 19; editing account 18; managing 9

V
viewing backup archives 93
VIS passive host profile interval 66
