RSA envision Event Source. Lancope StealthWatch Configuration Instructions and Release Notes

Transcription

1 Lancope StealthWatch Configuration Instructions and Release Notes Last Modified: Tuesday, October 04, 2011 Event Source (Device) Product Information Vendor Lancope Event Source (Device) Lancope StealthWatch Supported Versions 5.5, 5.6, 5.9, 5.10, 6.0 Supported Platforms StealthWatch Xe for NetFlow, StealthWatch Xe for sflow, StealthWatch NC, StealthWatch Management Console envision Product Information Version 3.7 and later Event Source (Device) Type stealthwatch, 89 Collection Method Syslog Event Source (Device) Class.Subclass Security.IDS Content 2.0 Table Intrusion Service NIC Collector Service This document contains the following information for the Lancope StealthWatch event source: Configuration Instructions Release Notes for Content 2.0 RSA envision Event Source Release Notes for Standard Content Lancope StealthWatch Configuration Instructions Copyright 2011 EMC Corporation. All Rights Reserved.

2 StealthWatch Overview The StealthWatch system by Lancope enables organizations to quickly resolve problems by providing actionable insight into network, security, and data center operations. StealthWatch delivers total network visibility from a single, integrated platform across both physical and virtual environments. 2 StealthWatch Overview

3 Configure StealthWatch You can configure Lancope StealthWatch version 5.x through the event source itself or through the StealthWatch Management Console. For version 6.0, you must use the StealthWatch Management Console. Configure StealthWatch From the Event Source Itself You can configure version 5.x by using a web UI from the event source itself. To configure the Lancope StealthWatch event source: 1. Log on to the StealthWatch web UI with administrative credentials. 2. Go to Administration > Data Management > System Logging. 3. In the Logging Configuration section, set the following values: Log Remotely: Type the IP address of envision. Log locally: Select the checkbox. Send messages securely: Deselect the checkbox. Enable zero padded IP addresses in syslog: Select the checkbox. 4. Click Apply. Configure StealthWatch Using the Management Console You can configure version 5.x or 6.0 by using the StealthWatch Management Console. To configure the Lancope StealthWatch device using the StealthWatch Management Console: 1. Log on to the StealthWatch Management Console, with administrative credentials. 2. In the Menu bar, select Configuration > Response Management. > Syslog Formats. a. Click b. In the Name field, enter a name. c. In the MSG Part section, select the following variables in the order that they are listed below. Separate each variable with a comma, except for the last two variables where you use a space instead: {start_active_time},{alarm_type_id},{alarm_type_name},"{details}",{source_ ip},{source_zone_name},{target_ip},{target_zone_ name},{port},{protocol},{device_ip},{end_active_time},{exporter_ip},{alarm_ category_name},{alarm_severity_name},{alarm_severity_id},{source_url} {target_ url} d. Click OK. 3. Select Actions. a. Click b. Select Syslog Message, and click Configure StealthWatch 3

4 d. Ensure that Enabled is selected. e. Set destination IP address for the RSA envision server and port = 514. f. In the Format drop-down list, select the format that you created in Step 2a. g. Click OK. 4. Select Rules and click a. Select Host Alarm, and click OK. b. Select Rule. d. Select Actions. e. Under the Execute the following action when the Alarm becomes active section, click f. Select the action that you created in Step 3, and click OK. g. Under the Execute the following action when the Alarm becomes inactive section, click h. Select the action that you created in Step 3, and click OK. i. Click Ok. 5. Click a. Select StealthWatch Appliance System Alarm and click OK. b. Select Rule. d. Select Actions. e. Under the Execute the following action when the Alarm becomes active section, click f. Select the action that you created in Step 3, and click OK. g. Under the Execute the following action when the Alarm becomes inactive section, click h. Select the action that you created in Step 3, and click OK. i. Click Ok. 6. Click a. Select Exporter or Interface Alarm and click OK. b. Select Rule. d. Select Actions. e. Under the Execute the following action when the Alarm becomes active section, click 4 Configure StealthWatch

5 f. Select the action that you created in Step 3, and click OK. g. Under the Execute the following action when the Alarm becomes inactive section, click h. Select the action that you created in Step 3, and click OK. i. Click Ok. 7. Click a. Select StealthWatch Management Console System Alarm, and click OK b. Select Rule. d. Select Actions. e. Under the Execute the following action when the Alarm becomes active section, click f. Select the action that you created in Step 3, and click OK. g. Under the Execute the following action when the Alarm becomes inactive section, click h. Select the action that you created in Step 3, and click OK. i. Click Ok. 8. Click Close. Configure StealthWatch 5

6 Content 2.0 Release Notes Lancope StealthWatch Release Notes ( ) New and Updated Event Messages in StealthWatch For complete details on new and updated messages, see the Event Source Update Help. 6 Content 2.0 Release Notes

7 Lancope StealthWatch Release Notes ( ) What's New in This Release RSA updated support for Lancope StealthWatch to Content 2.0 Content 2.0 features new tables and improvements to the parsing of event data into variables in those new tables. For rules and reports, note the following: For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports. Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing. Custom rules, that involve event sources updated to work with Content 2.0, need to be rewritten. Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the accompanying table documentation and the RSA envision Content Inspection Tool guide. Content 2.0 Release Notes 7

8 Standard Content Release Notes Lancope StealthWatch Release Notes ( ) New and Updated Event Messages in StealthWatch For complete details on new and updated messages, see the Event Source Update Help. 8 Standard Content Release Notes