Symantec Security Information Manager 4.5 Administrator's Guide


Legal Notice

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.5

Copyright 2007 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information

- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: Error messages and log files
- Troubleshooting that was performed before contacting Symantec
- Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions
  These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services
  These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
  Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services
  Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.

Contents

Technical Support

Section 1 Product overview

Chapter 1 Introducing Symantec Security Information Manager
- About Symantec Security Information Manager
- What's new in Information Manager 4.5
- How Symantec Security Information Manager works
- About events, conclusions, and incidents
- Example: Information Manager automates incident management during a Blaster worm attack
- Incident identification
- Threat containment, eradication, and recovery
- Follow-up
- Where to find more information about Information Manager
- Accessing Help for the console

Section 2 Managing roles, permissions, users, and organizational units

Chapter 2 Managing roles and permissions
- Creating and managing roles
- About the administrator roles
- How to plan for role creation
- Creating a role
- Editing role properties
- Deleting a role
- Working with permissions
- About permissions
- Modifying permissions from the Permissions dialog box

Chapter 3 Managing users and user groups
- About managing users and passwords
- Creating a new user
- Creating a user group
- Editing user properties
- Changing a user's password
- Specifying user business and contact information
- Managing role assignments and properties
- Managing user group assignments
- Specifying notification information
- Modifying user permissions
- Modifying a user group
- Deleting a user or user group

Chapter 4 Managing organizational units and computers
- About organizational units
- Managing organizational units
- Creating a new organizational unit
- Editing organizational unit properties
- About modifying organizational unit permissions
- Deleting an organizational unit
- Managing computers within organizational units
- Creating computers within organizational units
- Editing computer properties
- Distributing configurations to computers in an organizational unit
- Moving a computer to a different organizational unit
- Modifying computer permissions
- Deleting a computer from an organizational unit

Section 3 Managing your correlation environment

Chapter 5 Configuring the Correlation Manager
- About the Correlation Manager
- About the Correlation Manager Knowledge Base
- About the default rules set
- About the Default Processing rule
- Working with the Lookup Tables window
- Enabling and disabling rules
- Creating a custom rule

Chapter 6 Defining a rules strategy
- About defining a rules strategy
- About creating the right rule set for your business

Chapter 7 Understanding rules components
- Understanding Correlation Rules
- About Rule conditions
- About Rule Types
- Event Criteria
- About the Event Count, Span, and Table Size rule settings
- About the Tracking Key and Conclusion Creation fields
- About the Correlate By and Resource fields
- Importing existing rules

Chapter 8 Understanding event normalization
- About event normalization
- About normalization (.norm) files

Chapter 9 Effects, Mechanisms, and Resources
- About Effects, Mechanisms, and Resources (EMR)
- About Effects values
- About Mechanisms values
- About Resources values
- EMR examples

Chapter 10 Working with the Assets table
- About the Assets table
- How event correlation utilizes Assets table entries
- Importing assets into the Assets table
- About vulnerability information in the Assets table
- About using a vulnerability scanner to populate the Assets table
- About locked and unlocked assets in the Assets table
- Using the Assets table to help reduce false positives
- About filtering events based on the operating system
- About using CIA values to identify critical events
- About using Severity to identify events related to critical assets
- About using the Services tab
- About associating policies with assets to reduce false positives or escalate events to incidents

Chapter 11 Default Processing rule
- About the Default Processing rule

Chapter 12 Collector-based event filtering and aggregation
- About collector-based event filtering and aggregation
- About identifying common events for collector-based filtering or aggregation
- About preparing to create collector-based rules
- Accessing event data in the Information Manager console
- Creating collector-based filtering and aggregation specifications
- Examples of collector-based filtering and aggregation rules
- Filtering events generated by specific internal networks
- Filtering common firewall events
- Filtering common Symantec AntiVirus events
- Filtering or aggregating vulnerability assessment events
- Filtering Windows Event Log events

Section 4 Configuration options

Chapter 13 Configuring the appliance after installation
- About the Information Manager Web configuration interface
- Accessing the Security Information Manager configuration page
- Changing network settings
- Specifying date and time settings
- Specifying a network time protocol server
- Changing the password for Linux accounts
- Shutting down and restarting the appliance

Chapter 14 Configuring Symantec Security Information Manager
- About configuring Symantec Security Information Manager
- Adding a policy
- Specifying networks
- Identifying critical systems

Chapter 15 Forwarding events to an Information Manager appliance
- About forwarding events to an Information Manager appliance
- About registering with a security directory
- Registering security products
- Registering with a security domain
- Forwarding events
- Forwarding events from a SESA Event Logger

Chapter 16 Managing Global Intelligence Network content
- About managing Global Intelligence Network content
- Registering a Global Intelligence Network license
- Viewing Global Intelligence Network content status
- Receiving Global Intelligence Network content updates
- Exporting Global Intelligence Network content
- Importing Global Intelligence Network content

Chapter 17 Running LiveUpdate
- About running LiveUpdate
- Running LiveUpdate from the Information Manager Web configuration interface
- Running LiveUpdate from the Information Manager console

Chapter 18 Working with Symantec Security Information Manager Configurations
- Introducing the Symantec Security Information Manager configurations
- Manager configurations
- Increasing the minimum free disk space requirement in high logging volume situations
- Manager Components Configurations
- Modifying administrative settings
- Manager connection configurations
- Configuring Information Manager Directories
- Agent Connection Configurations
- Configuring Agent to Manager failover
- Agent configurations
- Managing the Manager
- Setting up blacklisting for logon failures

Section 5 Managing appliance data

Chapter 19 Managing the directory service
- About LDAP backup and restore
- Backing up the security directory
- Restoring the security directory

Chapter 20 Managing event archives
- About event archives
- Event archive viewer
- Specifying event archive settings
- Creating local event archives
- Viewing event archives
- About the event archive viewer right pane
- Manipulating the event data histogram
- Viewing event details
- Filtering event data
- Querying event archives
- Creating query groups
- Using the search templates
- Creating custom queries
- Editing queries
- Importing queries
- Exporting queries
- Publishing queries
- Deleting queries

Chapter 21 Maintaining the Symantec Security Information Manager database
- About data maintenance
- Checking database status
- About the health monitor service
- Backing up and restoring the database
- Enabling and scheduling automated backups
- Initiating a backup
- Restoring the database from a backup image
- Specifying a third-party backup solution
- About purging event summary and incident data
- Adjusting parameters for daily automated purges
- Adjusting the thresholds for size-based purges
- Initiating a purge
- Reviewing maintenance history

Section 6 Appendices

Appendix A Ports used by Information Manager
- Ports used by Information Manager

Appendix B Installing and configuring a Symantec Direct Attached Storage D10 device
- About the Symantec Direct Attached Storage D
- About using third-party DAS devices with Information Manager
- Installation overview
- Installation prerequisites
- Installing the DAS
- Rack mounting the Symantec Direct Attached Storage D10 device
- Installing the PERC 5/E adapter
- Configuring Information Manager to use the DAS

Appendix C Managing security certificates
- About managing security certificates
- Managing security certificate information for the appliance

Appendix D Antivirus Rules
- About the antivirus rules
- Additional antivirus rules examples

Appendix E Policy Compliance rules
- About the Policy Compliance rules

Appendix F Vulnerability Assessment rules
- About the Vulnerability Assessment rules
- Additional Vulnerability Assessment rules examples

Appendix G Firewall rules
- About the Firewall rules

Appendix H Network IDS (NIDS) rules
- About the Network IDS (NIDS) rules

Appendix I Host IDS (HIDS) rules
- About the Host IDS (HIDS) rules

Appendix J System Monitor rules
- About the System Monitor rules

Appendix K Windows event rules
- About the Windows event rules

Appendix L Event filters
- About the event filters
- Custom event filters example
- IIS RealSecure Smurf Attack false positive filter example

Index

Section 1 Product overview

- Introducing Symantec Security Information Manager


Chapter 1 Introducing Symantec Security Information Manager

This chapter includes the following topics:
- About Symantec Security Information Manager
- How Symantec Security Information Manager works
- About events, conclusions, and incidents
- Example: Information Manager automates incident management during a Blaster worm attack
- Where to find more information about Information Manager

About Symantec Security Information Manager

Symantec Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
- Firewalls
- Routers, switches, and VPNs
- Enterprise Antivirus
- Intrusion detection and intrusion prevention
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
- Normalization and correlation of events from multiple vendors to recognize threats from all areas of the enterprise.
- Event archives to retain events in both their original and normalized formats.
- Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
- Real-time security intelligence updates from Symantec Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats.
- Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
- Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies associated with the affected assets.
- A powerful event archive viewer that lets you easily mine large amounts of event data and perform network operations on the machines and users that are associated with each event.
- A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions.
- Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise.

What's new in Information Manager 4.5

Information Manager 4.5 provides large scale event management, an updated console, and a Web Services interface to Information Manager data.

Large scale event management

Information Manager 4.5 now supports attached storage for event archives. Attached storage archives provide for increased event data capacity and large scale data mining. Information Manager 4.5 provides the following event management features:

Optimized event storage
  Event data is now stored in compressed archives rather than in a relational database. The archive format allows for increased event capacity and high performance data queries.

Raw event data
  In addition to normalized event data, you can now archive event data in its original format. The original format event data provides a historical context for security incidents.

Flexible storage options
  Information Manager now has a logical volume manager that provides support for direct attached storage (DAS), storage area network (SAN), and network-attached storage (NAS).

Event and incident viewer
  The Information Manager console provides a powerful graphical viewer for intuitive data mining. You can query event, incident, summary, and state data. The viewer has built-in network operations, such as ping and whois, to help you identify the machines and users that are referenced in the events and incidents. You can also add your own custom tools to the viewer.

Enhanced reporting
  Event and incident reports are now accessible from the Information Manager web configuration interface. You can schedule report generation and post the reports to the web interface or send the reports to users.

Advanced data summarization for reporting
  Information Manager now processes events as they enter the system and stores summary records in a database. This feature allows for optimized reporting over very large amounts of data.

Console enhancements

The Information Manager console has been updated with the following new features:

Rules Editor
  You can now configure rules that trigger when an expected event does not occur, or when a slow or low volume attack takes place. You can assign notification services to rules and organize rules into logical groups.

System view
  You can now view a graphical representation of your Information Manager deployment. The system view shows the status of each appliance and collector in your enterprise and includes event collection and event forwarding statistics.

Incident management
  You can now merge multiple incidents to create a new incident and assign multiple incidents to the same ticket.

Event forwarding
  You can selectively forward events from one appliance to another, using the same event filtering interface that you use to configure reports and archives.

Antivirus statistics
  You can now view Antivirus statistics on the Global Intelligence Network Integration Manager Utilities page.

Reporting tile
  The improved report editor allows greater report layout flexibility.

Detachable console pages
  You can now "tear off" console pages to view multiple pages simultaneously.

Access and notification services

Information Manager now provides programmatic access to individual Information Manager appliances. Using a standards-based Web Service, developers can securely access and update the data that is stored on an appliance. You can use the Web Service to publish event, asset, incident, and ticket information to external applications, such as help desks and dashboards. You can also use the Web Service to import Information Manager asset information from external asset management and inventory applications. For more information about how to integrate Information Manager with other enterprise applications, see the Symantec Security Information Manager Developer's Guide.

How Symantec Security Information Manager works

Event collectors gather events from Symantec and third-party point products, such as firewalls, Intrusion Detection Services (IDS), and antivirus scanners. The events are filtered and aggregated, and the Information Manager agent forwards both the raw and the processed events to the Information Manager appliance. The agent is a Java application that provides secure communications between the event collectors and the Information Manager appliance.

The Information Manager appliance stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

The Information Manager appliance also contains the following components:
- A downloadable installation program for the Information Manager console.
- A relational database to store incidents, conclusions, and related events.
- Event archives to store raw and normalized event data.
- An LDAP directory to store Information Manager deployment and configuration settings.

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of attack. There can be many conclusions mapped to a single incident. For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a machine that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different machines report the same virus, Information Manager creates a single outbreak incident.

Example: Information Manager automates incident management during a Blaster worm attack

Symantec Security Information Manager tracks the entire incident response cycle through the following phases:
- Incident identification
- Threat containment, eradication, and recovery
- Follow-up

Incident identification

The Blaster worm attack begins with a series of sweeps to ports 135, 445, and Using the default rules, Information Manager detects each of these sweeps as suspicious, and creates a conclusion for each. At the same time, events from intrusion detection software such as Symantec IDS lead to other conclusions that are related to the source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from computers that are known to be used in attacks.

Based upon all of these conclusions that are related to the same IP address, Information Manager generates a security incident. A security analyst would find out about the new incident by alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack.

Threat containment, eradication, and recovery

When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than wading through countless log files, the analyst knows which events triggered the security incident, and which systems are affected. The incident also includes recommended corrective action from Symantec Global Intelligence Network Threat Management System. This enables the security analyst to quickly identify the corrective actions.

The analyst can now create a ticket that describes the tasks necessary to eradicate the threat. The ticket includes the incident information, the event details, and the recommended corrective actions. Ticket information can be made accessible to an external help desk via the Information Manager Web Service.

Follow-up

Once the threat has passed, the analyst can further analyze the impact of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. The analyst can also mine the event archive data if necessary and create reports that document the scope of the incident and the security team's efforts to resolve it.
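The event, conclusion and incident model described above (events matching a rule pattern become a conclusion; conclusions that share a source address are grouped into one incident, as in the Blaster walkthrough) can be made concrete with a small correlation loop. The following is an added example, not code from Information Manager itself: the rule fields (event criteria, event count, span, tracking key) follow the names the guide uses, but the threshold values, the port-sweep and IDS-alert rules, the event fields and the sample events are all constructed for this example.

```python
"""Mini event-correlation model: events -> conclusions -> incidents (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int              # seconds; constructed sample values, not real timestamps
    source_ip: str
    target_ip: str
    target_port: int
    product: str         # reporting product, e.g. a firewall or IDS
    category: str        # normalized category: "connection", "ids_alert", "logon"


@dataclass
class Rule:
    name: str
    criteria: Callable[[Event], bool]      # event criteria the rule selects on
    event_count: int                       # matching events needed ...
    span_seconds: int                      # ... within this many seconds
    tracking_key: Callable[[Event], str]   # events are counted separately per key


@dataclass
class Conclusion:
    rule_name: str
    tracking_key: str
    events: List[Event]


@dataclass
class Incident:
    correlate_key: str
    conclusions: List[Conclusion] = field(default_factory=list)

    @property
    def rule_names(self) -> List[str]:
        return sorted({c.rule_name for c in self.conclusions})


def correlate(events: List[Event], rules: List[Rule]) -> List[Conclusion]:
    """Slide a per-(rule, tracking key) window over the events in time order and
    emit a conclusion whenever a window holds event_count matching events."""
    windows: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    conclusions: List[Conclusion] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if not rule.criteria(ev):
                continue
            key = rule.tracking_key(ev)
            window = windows[(rule.name, key)]
            window.append(ev)
            cutoff = ev.ts - rule.span_seconds
            window[:] = [e for e in window if e.ts >= cutoff]   # drop events outside the span
            if len(window) >= rule.event_count:
                conclusions.append(Conclusion(rule.name, key, list(window)))
                window.clear()   # one burst yields one conclusion, not one per extra event
    return conclusions


def build_incidents(conclusions: List[Conclusion]) -> List[Incident]:
    """Group conclusions that share a tracking key (here the source IP) into one incident."""
    incidents: Dict[str, Incident] = {}
    for c in conclusions:
        incidents.setdefault(c.tracking_key, Incident(c.tracking_key)).conclusions.append(c)
    return list(incidents.values())


# Constructed rules in the spirit of the default rule set; the thresholds are assumptions.
RULES = [
    Rule("Sweep of port 135", lambda e: e.category == "connection" and e.target_port == 135,
         event_count=5, span_seconds=60, tracking_key=lambda e: e.source_ip),
    Rule("Sweep of port 445", lambda e: e.category == "connection" and e.target_port == 445,
         event_count=5, span_seconds=60, tracking_key=lambda e: e.source_ip),
    Rule("IDS alert", lambda e: e.category == "ids_alert",
         event_count=1, span_seconds=1, tracking_key=lambda e: e.source_ip),
]

# Constructed sample events (private addresses, invented timestamps).
SAMPLE_EVENTS = [
    # 10.0.0.5 probes port 135 on six hosts within 25 seconds: a sweep
    *[Event(1000 + 5 * i, "10.0.0.5", f"10.0.1.{10 + i}", 135, "firewall", "connection")
      for i in range(6)],
    # the same host then trips an IDS signature
    Event(1040, "10.0.0.5", "10.0.1.15", 135, "ids", "ids_alert"),
    # 10.0.0.9 touches port 445 on only two hosts: below the threshold, no conclusion
    Event(1100, "10.0.0.9", "10.0.1.20", 445, "firewall", "connection"),
    Event(1105, "10.0.0.9", "10.0.1.21", 445, "firewall", "connection"),
    # routine informational event that no rule selects
    Event(1200, "10.0.0.7", "10.0.0.7", 0, "windows", "logon"),
]


def run_sample() -> List[Incident]:
    return build_incidents(correlate(SAMPLE_EVENTS, RULES))


if __name__ == "__main__":
    for inc in run_sample():
        print(f"incident for {inc.correlate_key}: {inc.rule_names}")
```

Running the sample yields one incident for 10.0.0.5 carrying two conclusions (the port 135 sweep and the IDS alert), while the two port 445 connections from 10.0.0.9 and the logon event produce nothing. The window is cleared after a conclusion fires so that a long sweep produces one conclusion per threshold-sized burst rather than one per additional event; how the real product treats repeated matches is governed by its Conclusion Creation setting, which this example does not model.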

Where to find more information about Information Manager

For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at:

In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following:
- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager Installation Guide

Accessing Help for the console

Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu.

To access Help for the console
1 In any window, press F1.


Section 2 Managing roles, permissions, users, and organizational units

- Managing roles and permissions
- Managing users and user groups
- Managing organizational units and computers


Chapter 2 Managing roles and permissions

This chapter includes the following topics:
- Creating and managing roles
- Working with permissions

Creating and managing roles

A role is a group of access rights for a product in a domain. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

You create new roles in the Symantec Security Information Manager console. When you click Roles on the System page of the console, you can perform the following tasks:
- Creating a role
- Editing role properties
- Deleting a role

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles. See About the administrator roles on page 27.

About the administrator roles

When you install Information Manager, the following default roles are created:

SES Administrator
  This role has full authority over all of the domains in the environment.

Domain Administrator
  This role has full authority over one specific domain in the environment.

How to plan for role creation

If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains, for example, one for each geographic region of your company, each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user does not need to be assigned to any other roles.

Because roles control user access, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the kinds of roles that you must create. The users who perform these tasks determine which users should be members of each role.

Ask yourself the following questions:
- Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.
- Who administers your security network by creating management objects such as users and organizational units? These users must be members of roles that provide management access and the ability to access the System view.
- What products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System page only.
- Who is responsible for monitoring events and incidents?

  These users must be members of event viewing roles for the products for which they are responsible. Users who will monitor events must have access to the Events page. Users who will monitor incidents must have access to the Events page and the Incidents page.
- Who responds to problems and threats? These users must have access to the Events page and the Incidents page. Users who will create and manage help desk tickets must also have access to the Tickets page.

Table 2-1 lists common roles in a security environment and the responsibilities that belong to each role.

Table 2-1 Typical roles and responsibilities

Role name             Responsibilities
Domain Administrator  Defines user roles and role authority.
System Administrator  Manages Information Manager. Verifies that events are flowing into the system and that the system is functioning normally.
User Administrator    Creates correlation rules and collection filters. Performs user and device administration.
Incident Manager      Views all incidents, events, reports, and actions.
Report Writer         Views incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides attestation of incident review and response by administrators to GAO and others.
Report User           Views events and reports for assigned devices.
Rule Editor           Creates, edits, and deploys rules.

For information about the access requirements of each role, see Table 2-2.

Creating a role

You create all roles using the Role Wizard in the Information Manager console. Only a user who is a member of the Domain Administrator role or the SES Administrator role can create roles. See How to plan for role creation on page 28.
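The planning questions above amount to a least-privilege check: each user's combined roles should grant exactly the console pages their tasks require, no fewer and, where possible, no more. The following added example (not part of the guide or the product) models that check. It assumes the access rules stated above: a user in several roles gets the union of those roles' rights, the SES Administrator role spans all domains while other roles belong to one domain, and the page requirements per task are taken from the planning questions. The role names other than SES Administrator, Incident Manager and Report User, the domain names, the users and the responsibility labels are constructed.

```python
"""Least-privilege planning check for Information Manager roles (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Console pages named in the planning questions above.
CONSOLE_PAGES = frozenset({"System", "Events", "Incidents", "Tickets"})

# Pages each responsibility needs, taken from the planning questions. The
# responsibility labels themselves are constructed for this example.
RESPONSIBILITY_PAGES: Dict[str, FrozenSet[str]] = {
    "manage users and organizational units": frozenset({"System"}),
    "configure products": frozenset({"System"}),
    "monitor events": frozenset({"Events"}),
    "monitor incidents": frozenset({"Events", "Incidents"}),
    "respond to threats": frozenset({"Events", "Incidents"}),
    "manage help desk tickets": frozenset({"Events", "Incidents", "Tickets"}),
}


@dataclass(frozen=True)
class Role:
    name: str
    domain: str             # "*" models the SES Administrator role, which spans every domain
    pages: FrozenSet[str]   # console access rights granted by the role


@dataclass(frozen=True)
class User:
    name: str
    roles: Tuple[Role, ...]
    responsibilities: FrozenSet[str]


def effective_pages(user: User, domain: str) -> Set[str]:
    """A user in several roles gets the union of their access rights, but only
    from roles defined for this domain (or the all-domain SES Administrator)."""
    pages: Set[str] = set()
    for role in user.roles:
        if role.domain in ("*", domain):
            pages |= role.pages
    return pages


def required_pages(user: User) -> Set[str]:
    need: Set[str] = set()
    for task in user.responsibilities:
        need |= RESPONSIBILITY_PAGES[task]
    return need


def audit(user: User, domain: str) -> Tuple[Set[str], Set[str]]:
    """Return (missing, excess): pages the user's tasks need but no role grants,
    and pages granted that no task calls for."""
    have = effective_pages(user, domain)
    need = required_pages(user)
    return need - have, have - need


# Constructed sample deployment: roles defined for a domain named "emea".
SES_ADMIN = Role("SES Administrator", "*", CONSOLE_PAGES)
INCIDENT_MANAGER = Role("Incident Manager", "emea", frozenset({"Events", "Incidents"}))
REPORT_USER = Role("Report User", "emea", frozenset({"Events"}))
TICKET_HANDLER = Role("Ticket Handler", "emea", frozenset({"Tickets"}))   # constructed role

SAMPLE_USERS = [
    # holds the right role for monitoring, but also has to work tickets
    User("alice", (INCIDENT_MANAGER,), frozenset({"monitor incidents", "manage help desk tickets"})),
    # put in SES Administrator "to be safe": every page beyond Events is excess
    User("bob", (SES_ADMIN,), frozenset({"monitor events"})),
    # two narrow roles combine to exactly what the task needs
    User("carol", (INCIDENT_MANAGER, TICKET_HANDLER), frozenset({"manage help desk tickets"})),
    # a role defined for emea grants nothing when the user works in another domain
    User("dave", (REPORT_USER,), frozenset({"monitor events"})),
]


def run_sample(domain: str = "emea") -> Dict[str, Tuple[Set[str], Set[str]]]:
    return {u.name: audit(u, domain) for u in SAMPLE_USERS}


if __name__ == "__main__":
    for name, (missing, excess) in run_sample().items():
        print(f"{name:6} missing={sorted(missing)} excess={sorted(excess)}")
```

In the emea domain the check reports that alice lacks the Tickets page, that bob's SES Administrator membership grants System, Incidents and Tickets beyond his single monitoring task, and that carol and dave are granted exactly what they need; auditing dave against a different domain shows his emea-scoped Report User role granting nothing there.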

To create a role

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Roles.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Role Wizard, click Next.
5 In the General panel, do the following, and then click Next:
  In the Role name text box, type a name for the role.
  In the Description text box, type a description of the role (optional).
6 In the Products panel, do one of the following actions:
  To give the role members access to all of the listed products, click Role members will have access to all products, and then click Next.
  To limit the role members' access to certain products, click Role members will have access to only the selected products. From the Products list, enable (check) at least one product, and then click Next.
  Consider the tasks that role members will perform as you select products from the list.
7 In the SIM Permissions panel, do one of the following actions:
  To give role members all permissions that apply to Information Manager, click Enable all Permissions, and then click Next.
  To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, enable at least one permission, and then click Next.
8 In the Console Access Rights panel, do one of the following actions:
  To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and then click Next.
  To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one console access right, and then click Next.
  See Modifying console access rights on page 34.
9 In the Organizational Units panel, do one of the following actions:
  To give role members access to all organizational units, click Role members will have access to all organizational units, and then click Next.
  To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational units tree, select at least one organizational unit to associate with this role, and then click Next.
  When you select an organizational unit that has additional organizational units below it, users of the role are given access to those organizational units as well.
  If you add an organizational unit to a role, users who are role members and who have event viewing access can see events generated by security products that are installed on the computers that belong to that organizational unit. Role members can see events only from computers in organizational units that have been added to their roles.
10 In the Appliances panel, do one of the following actions:
  To give role members access to all of the Information Manager appliances in your security environment, click Role members will have access to all appliances, and then click Next.
  To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.
  Members of the role will be able to modify configurations on the selected appliances. The role members will also be able to view event archives that reside on the selected appliances.
11 In the Members panel, do one of the following actions:
  To add users to the role now, click Add. In the Find Users dialog box, add one or more users, and then click OK. In the Members panel, click Next.
  To continue without adding users to the role, click Next. You can add users to the role later by editing the role's properties.
  See Making a user a member of a role on page 32.
  You can assign users to a role only if you have already created those users.
  See Creating a new user on page 49.
12 In the Role Summary panel, review the information that you have specified, and then click Finish.
  The list at the bottom of the panel shows the role properties that are created. A green check mark next to a task indicates that it was successfully accomplished.
13 Click Close.

Editing role properties

After you create a role, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles. You can edit the properties of a role by selecting the role in the right pane or from any dialog box that lets you display the role's properties.

To edit role properties

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 Use the tabs of the Editing Role Properties dialog box to make changes to the role.
4 To save changes and close the dialog box, click OK.

For information about editing specific role properties, see any of the following sections:
  Making a user a member of a role
  Modifying console access rights
  Modifying product access
  Modifying SIM permissions
  Modifying access permissions in roles

Making a user a member of a role

When a user logs on to Information Manager, the user's role membership determines his or her access to the various products and event data. There are the following ways to assign a user to a role:
  Assign each user individually to one or more roles.
  Assign users to groups, and then assign user groups to roles.

Note: Before you assign users and user groups to roles, you must create users and user groups in the database. See Creating a new user on page 49.

To make a user a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 In the Editing Role Properties dialog box, on the Members tab, click Add Members.
4 In the Find Users dialog box, in the list of available users, click a user name (or Ctrl + click multiple user names), and then click Add. The user name appears in the Selected users list.
  You can also search for a particular user by entering the logon name, last name, or first name on the left side of the dialog box. Then click Start Search. All of the users who meet the criteria you entered will appear in the available users list.
5 To view or edit the properties of a user, click the user name, and then click Properties.
6 In the User Properties dialog box, view or make changes to the properties, and then click OK.
7 In the Find Users dialog box, click OK.
8 In the Editing Role Properties dialog box, click OK.

To make a user group a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 In the Editing Role Properties dialog box, on the Members tab, click Add Members From Groups.
4 In the Find User Groups dialog box, in the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and then click Add. The user group name appears in the Selected user groups list.
5 To view or edit the properties of a user group, click the user group name, and then click Properties.
6 In the User Group Properties dialog box, view or make changes to the properties, and then click OK.
7 In the Find User Groups dialog box, click OK.
8 In the Editing Role Properties dialog box, click OK.

When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

Modifying console access rights

Console access rights control what users who are members of a role can see when they log on to the Information Manager console. You can modify the console access rights you assigned when you created a role. Console access rights make the various features of the console visible to role members when they log on.

To modify console access rights

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 On the Console Access Rights tab, do one of the following actions:
  To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.
  To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as desired.
  The following table describes the tiles (that is, pages in the Information Manager console) that are available.

Show Assets Tile
  Lets members view the Assets page in the console.
Show Dashboard Tile
  Lets members view the Dashboard page in the console.
Show Events Tile
  Lets members view the Events page in the console.
Show Incidents Tile
  Lets members view the Incidents page in the console.
Show Intelligence Tile
  Lets members view the Intelligence page in the console.

Show Reports Tile
  Lets members view the Reports page in the console.
Show Rules Tile
  Lets members view the Rules page in the console.
Show Statistics Tile
  Lets members view the Statistics page in the console.
Show System Tile
  Lets members view the System page in the console.
Show Tickets Tile
  Lets members view the Tickets page in the console.

  Table 2-2 lists the console access rights that are needed by users who perform specific functions.
4 Click OK.

Modifying product access

The Products tab lets you select the products to which role members have access.

To modify product access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 On the Products tab, do one of the following actions:
  To give the role members access to all of the listed products, click Role members will have access to all products.
  To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.
  Consider the tasks that role members will perform as you select products from the list. Table 2-2 lists the product access that is needed by users who perform specific functions.
4 Click OK.

Modifying SIM permissions

Use the SIM Permissions tab to enable or disable several types of Information Manager permissions that are assigned to a role.

To modify SIM permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 On the SIM Permissions tab, do one of the following actions:
  To assign all SIM permissions to the role, click Enable all Permissions.
  To limit the permissions assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.
  Table 2-2 lists the permissions that are needed by users who perform specific functions.
4 Click OK.

Modifying appliance access

The Appliances tab lets you select the appliances to which role members have access. The selections on this tab determine the appliances that the role members can see in the following console locations:
  The Testing tab on the Rules page, for use when testing a particular rule.
  The left pane of the Events page.
  The Appliance Configurations tab on the System page.

To modify appliance access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 On the Appliances tab, do one of the following actions:
  To give role members access to all Information Manager appliances in the network configuration, click Role members will have access to all appliances.
  To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.

Modifying access permissions in roles

Roles include permissions that determine the types of access (for example, Read and Delete) that role members have to objects that appear in the console. Role-specific permissions are assigned to the objects when you create each role. You can change the access permissions for the following types of objects:
  Container objects that were created when you installed Information Manager, such as organizational units.
  New objects that you create within the container objects.

When you view the properties of a role, you can see and modify the permissions for the role by selecting tabs in the Editing Role Properties dialog box.

Warning: Modifying permissions is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works. See Working with permissions on page 42.

Table 2-2 describes the access requirements of typical enterprise security roles.

Table 2-2 Access requirements for roles

SES Administrator and Domain Administrator
  Products: All
  SIM permissions: All
  Console access: All
  Access permissions: None required

System Administrator
  Products: Information Manager
  SIM permissions: Allow Asset Edits; Move Computers
  Console access: Show Dashboard Tile; Show Intelligence Tile; Show Statistics Tile; Show System Tile
  Access permissions: Read and Search on Public/System Query groups

User Administrator
  Products: All
  SIM permissions: Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Intelligence Tile; Show Rules Tile; Show System Tile
  Access permissions: Read and Search on Public/System Query groups; Read and Write on Users and User Groups; Read and Write on Rules and Roles

Incident Manager
  Products: Information Manager
  SIM permissions: Create Incidents; Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: (none listed)

Report Writer
  Products: Information Manager
  SIM permissions: Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: Read and Write on Public/System Query groups; Read and Write on Report groups

Report User
  Products: Information Manager
  SIM permissions: Create new queries; Create new reports; Allow Dashboard Auto Refresh
  Console access: Show Dashboard Tile; Show Events Tile; Show Reports Tile
  Access permissions: Read and Search on Public/System Query groups; Read and Search on Report groups

Rule Editor
  Products: Information Manager
  SIM permissions: Create new queries
  Console access: Show Events Tile; Show Rules Tile; Show Statistics Tile
  Access permissions: Read and Write on Rules and Roles; Read and Search on Public/System Query groups; Read and Search on Report groups

Note: When you change a role's access permissions to a Public Query Group or a System Query Group, the role's database permissions may be incorrectly modified. If a user cannot view queries on the Events page, it may be because the user's role lacks the necessary database permissions. To correct this problem, do the following actions:
  Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user's role.
  On the DataStores tab, check the role's database permissions. If the role does not have both Read and Search permissions, add the missing permissions.
  See To modify permissions on page 40.

To modify permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 In the Editing Role Properties dialog box, click the tab of the type of permissions that you want to modify. For example, to change the role members' directory permissions, choose the Directories tab.
4 When you finish setting permissions, click OK.

Examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

To hide a query group from members of a role
  When members of this role open the Query Chooser on the dashboard, they will not see the restricted query group in the query tree.

To hide all users from members of a role

  When members of this role view the System page, they do not see Users in the left pane.

To prevent role members from adding and deleting user groups
  Role members will be able to view and modify user groups, but they will be unable to add and delete user groups.

To hide a query group from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and select Properties.
3 On the System Query Groups tab, click Add.
4 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and then click Add.
5 Click OK.
6 On the Product Queries.Symantec Client Security row, uncheck Read and Search.
7 Click OK.

Members of this role will not be able to view Symantec Client Security queries. That is, if a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member will not see Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and then select Properties.
3 On the Users tab, under Default permissions for all users, uncheck all permission types (for example, Read and Add).
4 Click OK.

When role members view the System page, they will not see Users in the left pane.

To prevent role members from adding and deleting user groups

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and then select Properties.
3 On the User Groups tab, on the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.
4 Click OK.

Role members will be able to view, search, and modify all user groups in the domain. They will not be able to create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use. Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to delete, and select Properties.
3 Review the role properties to make sure that no users require this role.
4 Click Cancel.
5 If you still want to delete the role, on the toolbar, click - (the minus icon).
  A message warns you that all members of the selected role will be removed. This means that users will no longer have access to the role. The user accounts will not be deleted.
6 In the confirmation dialog box, click Yes to delete the role.

Working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: Modifying permissions is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works in the security directory.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console. Table 2-3 shows the permissions that role members can have to view and work with objects.

Table 2-3 Object permissions

Read
  Lets role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write
  Lets role members modify objects.
Add
  Lets role members create a new child object within the selected container.
Delete
  Lets role members delete objects.
Search
  Lets role members search the database or security directory for objects. Search must be enabled for the other access permissions to work.

For information about the access permissions of typical enterprise security roles, see Table 2-2.

The following objects have permissions:

Container objects
  Container objects are created when the DataStore (database) and Directory are installed. These objects contain all of the new objects that you create. In the console, container objects appear in the left pane of the Administration tab on the System page. Examples of container objects that have permissions are Users, Roles, and Organizational Units.

Objects that you create within container objects
  When you create new objects to represent your security environment, they are stored within the container objects. On the System page, the objects that you create appear in the right pane when you select their container object in the left pane. For example, selecting Users in the left pane displays the individual users that you have created within the Users container. These created objects are sometimes known as child or leaf objects.

Propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers. In most cases, the permissions of a container object propagate to all new objects that you create within the container. This means that on a role-by-role basis, when you create new objects, the current permissions of the container object are propagated to the new objects.

For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

Note: Most roles should have at least Read and Search permissions for all objects. This allows role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members will not be able to modify the objects, because they will be unable to view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. These permissions are not disabled for the original users unless you set them explicitly.

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:

Edit the role using the Editing Role Properties dialog box.
  Use this method to modify permissions for several objects within one role. See Modifying access permissions in roles on page 37.
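As an added illustration (not code from Symantec or this guide), the Python model below encodes the propagation rule of this section together with the group-to-role rule from Making a user a member of a role and the Read/Search gating of Table 2-3; Role A, the Users container, the helpdesk group and the user names alice, bob, carol and dave are constructed for the example.

```python
"""Toy model of the Information Manager permission semantics described in
this chapter.  Added illustration, not Symantec code.  Three rules from the
text are encoded: container permissions propagate to a child object only at
the moment the object is created; a permission takes effect only when the
role also holds Read and Search on the object; assigning a user group to a
role copies the group's members at that moment, nothing added later."""
from dataclasses import dataclass, field

PERMISSIONS = ("Read", "Write", "Add", "Delete", "Search")


@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)
    # container name -> permissions this role holds on the container
    container_perms: dict = field(default_factory=dict)
    # (container, object) -> permissions fixed when the object was created
    object_perms: dict = field(default_factory=dict)


class SecurityDirectory:
    def __init__(self, containers):
        self.roles = {}
        self.groups = {}
        self.objects = {c: set() for c in containers}

    def create_role(self, name):
        # A new role starts with every permission on every container.
        role = Role(name)
        for c in self.objects:
            role.container_perms[c] = set(PERMISSIONS)
        self.roles[name] = role
        return role

    def set_container_perm(self, role, container, perm, enabled):
        perms = self.roles[role].container_perms[container]
        perms.add(perm) if enabled else perms.discard(perm)

    def set_object_perm(self, role, container, obj, perm, enabled):
        # Explicit per-object change, the only way to affect existing objects.
        perms = self.roles[role].object_perms[(container, obj)]
        perms.add(perm) if enabled else perms.discard(perm)

    def create_object(self, container, obj):
        # Propagation: each role copies its *current* container permissions
        # onto the new child.  Later container changes do not reach objects
        # that already exist.
        self.objects[container].add(obj)
        for role in self.roles.values():
            role.object_perms[(container, obj)] = set(role.container_perms[container])

    def add_group_to_role(self, group, role):
        # Snapshot semantics: users in the group now join the role; users
        # added to the group afterwards must be assigned individually.
        self.roles[role].members |= set(self.groups[group])

    def can(self, user, container, obj, perm):
        """True if some role of `user` grants `perm` on the object and that
        role also holds Read and Search there (Table 2-3)."""
        for role in self.roles.values():
            if user not in role.members:
                continue
            perms = role.object_perms.get((container, obj), set())
            if perm in perms and {"Read", "Search"} <= perms:
                return True
        return False


def scenario():
    """Constructed walk-through of the chapter's Role A example."""
    d = SecurityDirectory(["Users", "User Groups"])
    d.create_role("Role A")
    d.create_object("Users", "alice")            # exists before Write is disabled
    d.set_container_perm("Role A", "Users", "Write", False)
    d.create_object("Users", "bob")              # created afterwards: no Write
    d.groups["helpdesk"] = {"carol"}
    d.add_group_to_role("helpdesk", "Role A")
    d.groups["helpdesk"].add("dave")             # joins the group later only
    return d


if __name__ == "__main__":
    d = scenario()
    for user, obj, perm in [("carol", "alice", "Write"), ("carol", "bob", "Write"),
                            ("carol", "bob", "Read"), ("dave", "alice", "Read")]:
        print(f"{user} {perm} on Users/{obj}: {d.can(user, 'Users', obj, perm)}")
```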

  You cannot edit the permissions of software products and their configurations through the Editing Role Properties dialog box.

Use the Permissions dialog box for a particular object.
  Use this method to modify the permissions for a specific object within one or more roles.

Note: Some objects do not have permissions.

To modify permissions for a container object

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, right-click the container object (for example, Users) and select Permissions.
  In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some container objects do not have permissions.
3 You may do any of the following:
  To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed. You should not disable the Search permission.
  To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  To remove a role, click the role name, and then click Remove.
  To edit a role's properties, click the role name, and then click Properties.
4 Click OK when you finish modifying permissions.

To modify permissions for a created object

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, click the container object that contains the created object. For example, click Users.
3 In the right pane, right-click the object whose permissions you want to modify, and then select Permissions.
  In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some created objects do not have permissions, for example, Policies.
4 You may do any of the following actions:
  To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed. You should not disable the Search permission.
  To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  To remove a role, click the role name, and then click Remove.
  To edit a role's properties, click the role name, and then click Properties.
5 Click OK when you finish modifying permissions.

Chapter 3
Managing users and user groups

This chapter includes the following topics:
  About managing users and passwords
  Creating a new user
  Creating a user group
  Editing user properties
  Modifying user permissions
  Modifying a user group
  Deleting a user or user group

About managing users and passwords

The Symantec Security Information Manager appliance uses accounts from Linux and the IBM Tivoli Directory Service. Both types of accounts use the password specified during installation. The default password is password.

By default, the installation program creates these Linux accounts:

root
  default Linux administrative account
simuser
  used by the Information Manager text console process
sesuser
  used by the http and Tomcat processes
db2admin
  used by the database process
dasusr1
  used by the database process
symcmgmt
  used by the directory service process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option from the Information Manager Web configuration interface. Do not change these account passwords or permissions via standard Linux commands, as this may result in errors with appliance operation.

Generally, you should not need to create new Linux accounts; however, you may want to create an account with limited permissions to a file share to allow a user or process to copy database and directory service backups. See your Linux documentation for information on creating Linux accounts.

See the Symantec Security Information Manager Installation Guide for information on changing the password for the Linux accounts.

By default, the installation program also creates the Administrator account in the directory service. It is this account that you use for logging in to the Information Manager console and Information Manager Web configuration interface initially. With the proper permissions, you can also create new directory service accounts for users who will be using the Information Manager console and Information Manager Web configuration interface.

Directory service accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of roles that define their administrative permissions. Users who only receive notifications do not have to be members of a role.

When you select Users from the Administration tab on the System page, you can do the following tasks:
  Creating a new user
  Editing user properties
  Modifying user permissions
  Deleting a user or user group

The Administration tab also allows you to create, modify, and delete user groups:
  Creating a user group
  Modifying a user group
  Deleting a user or user group

49 Managing users and user groups Creating a new user 49 Creating a new user Use the Create a new User wizard to create a user. The wizard prompts you for required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties. The Create a new User wizard is designed for flexibility and to provide multiple ways to collect information. You can supply all pertinent user information at the time that you create the user; alternatively, you can provide only the required information and add more information later by editing the user s properties. See Editing user properties on page 51. To create a new user 1 In the Information Manager console, click System. 2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Users. 3 On the toolbar, click + (the plus icon). 4 In the first panel of the Create a new User wizard, click Next. 5 In the General panel, do the following, and then click Next: Logon name Last name First name Type the logon name for the new user. Type the user s last name. Type the user s first name. The other fields on this panel are optional. 6 In the Password panel, type a password in the Password text box and type the same characters in the Confirm password box. Then click Next. Use 8 to 24 characters. The characters can be alphanumeric and can also include any of the following non-alphanumeric characters:!?.@#$%^&*()-_=+{} :;,<> The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements. 7 In the Business panel, specify business information for the user (optional), and then click Next. See Specifying user business and contact information on page In the Contact Information panel, specify contact information for the user (optional), and then click Next.

9 In the Notifications panel, specify e-mail addresses and pager numbers for the user, and the times when those contacts can be used for notifications (optional).
   See Specifying notification information on page 56.
10 In the Roles panel, you can assign the user to one or more roles that define the user's permissions. You can also assign or change a user's roles later.
   See Managing role assignments and properties on page 53.
   Note that you must create roles before you can assign users to roles. If no roles appear on the Find Roles panel, you have not yet created any roles.
   See Creating a role on page 29.
11 In the User Groups panel, you can assign the user to one or more user groups. You can also assign users to groups later.
   See Managing user group assignments on page 54.
   Note that you must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups.
   See Creating a user group on page 50.
12 In the User Summary panel, review the information that you have specified, and then click Finish.
   The task status list at the bottom of the panel shows the user properties that are being created. A green check mark next to a task indicates that it was completed successfully.
13 Click Close.

Creating a user group

After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need the same system roles. You can assign an entire user group to a role, and all of the users in the group receive the rights and permissions that are assigned to that role. Another reason to implement user groups is to facilitate the auto-assignment of incidents by using correlation rules.

The Create a new User Group wizard lets you create user groups and add users to the groups. You can assign users at the time you create a group, or you can add users to the group later.

Note: If you create a user group and then assign it to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each such user to the role individually.

To create a user group
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Create a new User Group wizard, click Next.
5 In the General panel, type a name and (optionally) a description for the user group, and then click Next.
6 In the Members panel, click Add.
   In the Find Users dialog box, the Available users list shows all users for the domain, up to the number of users that is indicated in the Maximum search count text box.
7 Select one or more users from the Available users list, and then click Add.
   The users appear in the Selected users list.
8 If you want to review information about a specific user, click the user name, and then click Properties. You can view or change the user's properties, and then click OK.
9 When you finish adding users to the group, click OK.
10 In the Members panel, click Next.
11 In the User Group Summary panel, click Finish.
   The task status list at the bottom of the panel shows the user group properties that are being created. A green check mark next to a task indicates that it was completed successfully.
12 Click Close.

Editing user properties

After you create a user, you can edit the user properties to perform the following tasks:
- Changing a user's password

- Specifying user business and contact information
- Managing role assignments and properties
- Managing user group assignments
- Specifying notification information

Changing a user's password

Passwords can be changed in the following ways:
- Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.
- Administrators can change a user's password by editing the user's properties, as described here.

To change a user's password
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose password you want to change, and then select Properties.
3 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password.
   Passwords are case sensitive and must be 8 to 24 characters in length. The characters can be alphanumeric and can also include any of the following non-alphanumeric characters: !?.@#$%^&*()-_=+{} :;,<>
4 In the Confirm password text box, type the password again to confirm it.
5 Click OK.

Specifying user business and contact information

In the User Properties dialog box, the Business tab and the Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user's properties.

The choice of a preferred language is particularly important. The preferred language controls the format of currency, date, and time, and the use of numerical separators, when the user is logged on to the Information Manager console.
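The password rules that apply in step 6 of To create a new user and in step 3 of To change a user's password (8 to 24 characters, case sensitive, letters and digits plus the listed punctuation) are easy to get wrong when an administrator generates initial passwords in bulk. The following is an added example written for this guide, not code from the product: it checks a candidate against each rule separately, the way the Password rules check marks in the wizard do, and generates compliant random passwords. The space that appears between } and : in the printed character list is treated as a dropped character rather than an allowed one; that is an assumption.

```python
"""Added example: a checker and generator for the Information Manager console
password rules. Illustrative code for this guide, not part of the product."""
import secrets
import string

MIN_LEN = 8
MAX_LEN = 24
# Allowed non-alphanumeric characters as listed in the guide. Assumption: the
# space between "}" and ":" in the extracted list is not an allowed character.
ALLOWED_SPECIAL = set('!?.@#$%^&*()-_=+{}:;,<>')
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIAL


def check_password(password: str) -> dict:
    """Return one entry per documented rule, plus the offending characters."""
    disallowed = sorted({c for c in password if c not in ALLOWED})
    return {
        "length_8_to_24": MIN_LEN <= len(password) <= MAX_LEN,
        "allowed_characters_only": not disallowed,
        "disallowed_characters": disallowed,   # informational, for the message
    }


def is_valid(password: str) -> bool:
    r = check_password(password)
    return r["length_8_to_24"] and r["allowed_characters_only"]


def describe(password: str) -> str:
    """Render the result like the wizard's rule list (text instead of check marks)."""
    r = check_password(password)
    specials = "".join(sorted(ALLOWED_SPECIAL))
    lines = [
        f"[{'OK' if r['length_8_to_24'] else '--'}] 8 to 24 characters (got {len(password)})",
        f"[{'OK' if r['allowed_characters_only'] else '--'}] only letters, digits and {specials}",
    ]
    if r["disallowed_characters"]:
        lines.append("     disallowed: " + " ".join(repr(c) for c in r["disallowed_characters"]))
    return "\n".join(lines)


def generate_password(length: int = 16) -> str:
    """Generate a password that satisfies the rules, using the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = sorted(ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords. Note that the rules are
    # ASCII-only: an accented character is rejected even though the length is fine.
    for candidate in ["Tr0ub4dor&3", "short1!", "pass word", "x" * 25, "Pässwort123"]:
        print(f"{candidate!r}:")
        print(describe(candidate))
    fresh = generate_password(16)
    print("generated:", fresh, "valid:", is_valid(fresh))
```

Because the allowed set is ASCII only, passwords pasted from a password manager that contain non-ASCII or whitespace characters fail the second rule; check_password reports exactly which characters to remove.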

To specify user business and contact information
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose information you want to change, and then select Properties.
3 In the User Properties dialog box, on the Business tab, type the business information for the user.
4 To specify the user's preferred language, in the Preferred language drop-down list, select a language.
5 To identify the user's manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box.
   The manager must exist as a user in the database.
6 In the Find Users dialog box, select the user who is the manager, and then click OK.
   The Available users list shows all users for the domain, up to the number of users that is indicated in the Maximum search count text box.
7 To identify the user's administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant.
   The administrative assistant must exist as a user in the database.
8 On the Contact Information tab, type the contact information for the user.
9 Click OK.

Managing role assignments and properties

The roles that a user is assigned to define the user's administrative permissions in the console. Roles are product-specific and are created as one or both of the following:
- Roles that allow the management of policies and configurations for a product. Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.
- Roles that allow the viewing of events generated by a product. Users who are members of these roles can view alerts and events for a product, and can create alerts and customized reports.

Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the database before you can add a user to the role.
See Creating a role on page 29.

To manage role assignments and properties
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose information you want to change, and then select Properties.
3 In the User Properties dialog box, on the Roles tab, click Add.
4 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role.
   Users can have access to roles in multiple domains.
5 In the Available roles list, select one or more roles, and then click Add.
   The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.
6 Click OK.
7 To remove a user from a role, click the role name, and then click Remove.
   This action does not remove the role from the database.
8 To view or edit the properties of a role, click the role name, and then click Properties.
9 Use the Editing Role Properties dialog box to make changes to the role, if you wish.
   See Editing role properties.
10 Click OK until you return to the System page.

Managing user group assignments

You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties.

You can manage user group assignments in the following ways:
- Manage one user's assignments by adding the user to, or removing the user from, one or more user groups.

- Manage a single user group by adding or removing multiple users at one time.

To manage a single user's user group assignments
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose user group assignments you want to manage, and then select Properties.
3 In the User Properties dialog box, on the User Groups tab, click Add.
4 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.
5 In the Available user groups list, select one or more user groups, and then click Add.
   The user groups that you selected appear in the Selected user groups list.
6 Click OK.
7 To remove the user from a user group, click the user group name, and then click Remove.
   This action does not remove the user group from the database.
8 To view or edit the properties of a user group, click the user group name, and then click Properties.
9 Use the User Group Properties dialog box to make changes to the user group, if you wish. For example, you can add members to the group and remove users from the group.
10 Click OK until you return to the System page.

To manage multiple users' user group assignments
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
2 In the right pane, right-click the user group whose membership you want to manage, and then select Properties.
3 In the User Group Properties dialog box, on the Members tab, click Add.
4 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.
5 In the Available users list, select one or more users, and then click Add.
   The users that you selected appear in the Selected users list.
6 Click OK.

7 To remove a user from the user group, click the user name, and then click Remove.
   This action does not remove the user from the database.
8 To view or edit the user's properties, click the user name, and then click Properties.
9 Use the User Properties dialog box to make changes to the user, if you wish.
10 Click OK until you return to the System page.

Specifying notification information

When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur.
See Creating a custom rule on page 91.

For each user, you can specify the e-mail addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one e-mail address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours, namely Saturday and Sunday, and Monday through Friday after 5:00 P.M.

You can specify the following:
- E-mail addresses
- Pager numbers
- The day and time ranges when each contact method can be used to send the user notifications of alerts

The combined number of e-mail addresses and pager numbers cannot exceed five.

To specify a user's e-mail address
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose e-mail address you want to change, and then select Properties.
3 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click E-mail.
4 Click Add.
5 In the E-mail dialog box, in the E-mail address text box, type an e-mail address.

6 If the user receives e-mail on a device with a small screen, such as a handheld device, check Send shortened message. This option sends an abbreviated message that is easier to read.
7 Click OK.
8 Specify notification times, if desired.
   See To specify notification times on page 58.
9 Do any of the following:
   - To add more e-mail addresses, repeat steps 4 through 8.
   - To edit an existing e-mail address, click it, and then click Properties.
   - To remove an existing e-mail address, click it, and then click Delete.
10 When you finish, click OK.

To specify a user's pager number
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose pager number you want to change, and then select Properties.
3 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.
4 Click Add.
5 In the Pager dialog box, in the Number text box, type a pager number.
6 In the Notification service drop-down list, select the notification service to use.
   If you do not see the service that you want to select, you can add it by using the Notification Services node in the left pane of the System page.
7 Click OK.
8 Specify notification times, if desired.
   See To specify notification times on page 58.
9 Do any of the following:
   - To add more pager numbers, repeat steps 4 through 8.
   - To edit an existing pager number, click it, and then click Properties.
   - To remove an existing pager number, click it, and then click Delete.
10 Click OK.
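The notification settings described above (at most five e-mail addresses and pager numbers per user, each with a set of days and a From/To time range) amount to a small routing rule: at the moment an alert fires, which contact methods are in their window? The following is an added example written for this guide, not code from the product, and it uses no product API; the user, addresses, and timestamps are constructed. It models the guide's own scenario (e-mail Monday through Friday 8:00 A.M. to 5:00 P.M., pager otherwise) and handles the weeknight window that crosses midnight, which is the case that naive "start <= t <= end" checks get wrong.

```python
"""Added example: selecting notification contacts by day and time window.
Illustrative code for this guide, not part of the product."""
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_CONTACTS = 5  # combined e-mail addresses and pager numbers per user (from the guide)


@dataclass
class Window:
    days: set      # 0 = Monday ... 6 = Sunday, as datetime.weekday() returns
    start: time    # the From control
    end: time      # the To control (inclusive)

    def covers(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        # Window crossing midnight (e.g. 17:00:01 to 07:59:59): the day check
        # above is applied to the calendar day of the timestamp.
        return t >= self.start or t <= self.end


@dataclass
class Contact:
    kind: str                                   # "email" or "pager"
    address: str
    windows: list = field(default_factory=list)  # empty: usable at any time

    def active(self, when: datetime) -> bool:
        return not self.windows or any(w.covers(when) for w in self.windows)


@dataclass
class UserNotifications:
    logon: str
    contacts: list = field(default_factory=list)

    def remaining_slots(self) -> int:
        return MAX_CONTACTS - len(self.contacts)

    def add(self, contact: Contact) -> None:
        if self.remaining_slots() <= 0:
            raise ValueError(f"{self.logon}: at most {MAX_CONTACTS} e-mail addresses and pager numbers")
        self.contacts.append(contact)

    def targets(self, when: datetime) -> list:
        """Addresses and numbers that should receive a notification at `when`."""
        return [c.address for c in self.contacts if c.active(when)]


WEEKDAYS = {0, 1, 2, 3, 4}
WEEKEND = {5, 6}


def example_user() -> UserNotifications:
    """The guide's scenario with constructed data: e-mail in office hours, pager off-hours."""
    u = UserNotifications("jsmith")
    u.add(Contact("email", "jsmith@example.com",
                  [Window(WEEKDAYS, time(8, 0), time(17, 0))]))
    u.add(Contact("pager", "5551234",
                  [Window(WEEKDAYS, time(17, 0, 1), time(7, 59, 59)),   # weeknights, crossing midnight
                   Window(WEEKEND, time(0, 0), time(23, 59, 59))]))     # all weekend
    return u


def targets_for(stamp: str) -> list:
    """Convenience wrapper: stamp is 'YYYY-MM-DD HH:MM' in the appliance's local time."""
    return example_user().targets(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for stamp in ("2007-06-13 09:30", "2007-06-13 17:00", "2007-06-13 18:05",
                  "2007-06-14 02:30", "2007-06-16 11:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, when.strftime("%a"), "->", targets_for(stamp))
```

Two details are worth carrying into any real implementation: the 17:00 boundary belongs to exactly one window (here the e-mail window, because the pager window starts one second later), and the five-contact limit is enforced at add time rather than discovered when a notification silently goes nowhere.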

To specify notification times
1 In the User Properties dialog box, on the Notifications tab, click an e-mail address or pager number.
2 Using the Day controls, check the days when the contact method can be used to contact the user.
3 Using the From and To controls, specify the range of time when the contact method can be used.
4 Repeat these steps to establish notification times for other e-mail addresses and pager numbers.
5 When you finish, click OK.

Modifying user permissions

When you create a role, permissions are assigned for each user with regard to that role. These permissions control whether role members who log on to the console can view, modify, or delete the user. You can modify these permissions in the following ways:
- By displaying and editing the roles that contain the permissions.
  See Modifying access permissions in roles on page 37.
- By displaying the Permissions dialog box for the User container object or for an individual user.
  See Modifying permissions from the Permissions dialog box on page 44.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group

You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.

To modify a user group
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
2 In the right pane, right-click the user group that you want to modify, and then click Properties.

3 On the General tab, you can add or change the user group's name and description.
4 On the Members tab, you can do the following:
   Add members: Click Add. In the Find Users dialog box, select one or more users from the Available users list, and then click Add. When you finish adding members, click OK.
   Remove members: Select the member name, and then click Remove. When you finish removing members, click OK.
   Modify a member's properties: Select the member name, and then click Properties. In the User Properties dialog box, use the tabs to modify the properties of individual user group members. When you finish modifying properties, click OK.
5 Click OK.

Deleting a user or user group

You can delete users who are no longer participants in your security network. You can also delete user groups that are no longer needed.

To delete a user or user group
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users or User Groups.
2 In the right pane, right-click the user or user group that you want to delete, and then click Delete.
3 In the confirmation dialog box, click Yes.
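The note under Creating a user group has a consequence for access reviews: assigning a group to a role grants the role to the members of the group at that moment only, so later additions to the group do not receive the role, and users removed from a group keep any role they were granted through it. The following is an added example written for this guide, not code from the product and not using any product API. Given a snapshot of group membership, role membership, and which groups were assigned to which roles (the group names, role names, and logon names below are constructed; export the real ones from the directory service in whatever form your tooling provides), it lists group members who are missing a role their group was assigned to, and role members who are in no group assigned to that role and therefore hold it directly or as a leftover.

```python
"""Added example: reconciling user group membership against role membership.
Illustrative code for this guide, not part of the product."""
from collections import defaultdict

# Constructed snapshot. Comments describe the drift each entry is meant to show.
GROUP_MEMBERS = {
    "SOC-Analysts": {"alice", "bob", "carol"},    # carol joined after the role was assigned
    "Firewall-Admins": {"dave", "erin"},           # bob used to be here
}
ROLE_MEMBERS = {
    "Event Viewer": {"alice", "bob", "frank"},     # frank holds the role directly
    "Policy Manager": {"dave", "erin", "bob"},     # bob kept it after leaving the group
}
GROUP_ROLE_ASSIGNMENTS = [
    ("SOC-Analysts", "Event Viewer"),
    ("Firewall-Admins", "Policy Manager"),
]


def reconcile(group_members, role_members, assignments):
    """Return {"missing": {role: users}, "unexplained": {role: users}}.

    missing:     in a group assigned to the role, but not in the role
                 (the case the guide's note warns about)
    unexplained: in the role, but in no group assigned to the role
                 (direct assignment, or left over after leaving a group)
    """
    expected = defaultdict(set)   # role -> users who should hold it via groups
    for group, role in assignments:
        expected[role] |= group_members.get(group, set())

    missing, unexplained = {}, {}
    for role in set(role_members) | set(expected):
        have = role_members.get(role, set())
        want = expected.get(role, set())
        if want - have:
            missing[role] = want - have
        if have - want:
            unexplained[role] = have - want
    return {"missing": missing, "unexplained": unexplained}


def report(result) -> str:
    """One line per finding, in a form that can be pasted into a review ticket."""
    lines = []
    for role, users in sorted(result["missing"].items()):
        lines.append(f"{role}: assign to {', '.join(sorted(users))} "
                     "(in an assigned group, but not in the role)")
    for role, users in sorted(result["unexplained"].items()):
        lines.append(f"{role}: review {', '.join(sorted(users))} "
                     "(hold the role outside any assigned group)")
    return "\n".join(lines) or "no drift"


if __name__ == "__main__":
    print(report(reconcile(GROUP_MEMBERS, ROLE_MEMBERS, GROUP_ROLE_ASSIGNMENTS)))
```

"Unexplained" is not automatically wrong: the guide allows assigning roles to individual users. The list is there so that each direct assignment is a deliberate decision rather than a leftover from an old group membership.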


Chapter 4
Managing organizational units and computers

This chapter includes the following topics:
- About organizational units
- Managing organizational units
- Managing computers within organizational units

About organizational units

Organizational units are the primary way that you can structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.

Organizational units let you group the computers and appliances that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. This enables the distribution of the configurations to all computers and appliances in the organizational unit.

Managing organizational units

On the Administration tab of the System page, when you select Organizational Units, you can perform the following tasks:
- Creating a new organizational unit
- Editing organizational unit properties
- About modifying organizational unit permissions

- Deleting an organizational unit
- Distributing configurations to computers in an organizational unit

Creating a new organizational unit

Organizational units are logical groupings. You can create them to organize computers that are in the same physical location or that belong to structural groups within your corporation, such as divisions or task groups. However, an organizational unit is not required to reflect these relationships. You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units.

The combined maximum length of the distinguished name of an organizational unit should be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store. Because the distinguished name of an organizational unit is a concatenation of the names above it in the hierarchy, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.

To create a new organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Organizational Units.
3 Do one of the following:
   - To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 5.
   - To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the desired level. Then click + (the plus icon) on the toolbar. Go to step 4.
4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and then click OK.
5 In the first panel of the Create a new Organizational Unit wizard, click Next.
6 In the General panel, do the following:
   - In the Organizational Unit name text box, type a name for the organizational unit.
   - In the Description text box, type a description of the organizational unit (optional).
7 Click Next.

8 In the Organizational Unit Summary panel, review the information that you have specified, and then click Finish.
9 Click Close.

Determining organizational unit name length

Information Manager imposes limits on the length of the name of an organizational unit and on the total length of the distinguished name that is stored in the security directory. These limits become important when you nest organizational units.

The distinguished name for a nested organizational unit includes the following:
- The name you give the organizational unit when you create it
- The names of each organizational unit above it in the hierarchy
- The name of the top node in the organizational unit tree
- The name of the domain within which you create the organizational unit hierarchy
- Additional bytes of overhead

You can view the distinguished name of an organizational unit by looking at the organizational unit's properties.

The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take 2 bytes to store, and Japanese characters take 3 to 4 bytes to store. When these characters are used, fewer characters are allowed in the name.

Because Information Manager adds information for internal use to the distinguished name, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, serious performance issues occur.

Table 4-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.

Table 4-1  Calculating organizational unit name length

Domain name length
   Formula: sum(4 + domain component name length) + 17 bytes
   Example: usa.ses
      4 + length(usa) + 4 + length(ses) + 17 bytes overhead
      = 4 + 3 + 4 + 3 + 17 = 31 bytes

Organizational unit (OU) name length
   Formula: sum(4 + OU name length) + domain name length + 13 bytes
   Example: Paris OU under the Sales OU in the usa.ses domain
      4 + length(Paris) + 4 + length(Sales) + domain name length + 13 bytes overhead
      = 4 + 5 + 4 + 5 + 31 + 13 = 62 bytes

Editing organizational unit properties

You can modify an existing organizational unit's description. You cannot change the name or distinguished name of the organizational unit.

To edit organizational unit properties
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit that you want to edit, and then click Properties.
4 In the Organizational Unit Properties dialog box, change the description.
5 When you finish, click OK.

About modifying organizational unit permissions

When you create a role, permissions are assigned for each organizational unit with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or delete the organizational unit. You can modify these permissions in the following ways:

- By displaying and editing the roles that contain the permissions.
  See Modifying access permissions in roles on page 37.
- By displaying the Permissions dialog box for the Organizational Unit container object or for an individual organizational unit.
  See Modifying permissions from the Permissions dialog box on page 44.

Note: To modify permissions, you must be logged on as a member of the SES Administrator role or the Domain Administrator role.

Deleting an organizational unit

Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.
See Moving a computer to a different organizational unit on page 78.
See Deleting a computer from an organizational unit on page 79.

Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.

To delete an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit that you want to delete, and then click Delete.
4 To confirm that you want to delete the organizational unit and its subgroups, click Yes.

Managing computers within organizational units

Organizational units contain computer objects that represent the computers that run your security products.

Note: The term "computer" covers a variety of equipment, from traditional desktop computers to appliances and handheld devices. In the context of the Information Manager console, a computer is any machine that you manage as part of your enterprise security environment.
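The length limits in Determining organizational unit name length and Table 4-1 above are stated in UTF-8 bytes, not characters, which is easy to miscount by hand when names contain accented or Japanese characters. The following is an added example written for this guide, not code from the product: it applies the Table 4-1 formulas to a domain and a chain of nested organizational unit names, counts UTF-8 bytes, and flags both limits (64 bytes per name in the wizard, 170 bytes recommended for the distinguished name). The 4-, 13- and 17-byte overheads are the guide's figures and are taken as given; the names in the sample calls are constructed.

```python
"""Added example: checking organizational unit name and distinguished name
byte lengths against the limits in the guide. Illustrative code, not product code."""

OU_NAME_MAX_BYTES = 64          # per-name limit in the Create a new Organizational Unit wizard
DN_RECOMMENDED_MAX_BYTES = 170  # recommended maximum distinguished name length
PER_COMPONENT_OVERHEAD = 4      # per domain component and per OU name (Table 4-1)
DOMAIN_OVERHEAD = 17            # Table 4-1, domain name length
OU_OVERHEAD = 13                # Table 4-1, OU name length


def utf8_len(s: str) -> int:
    return len(s.encode("utf-8"))


def domain_name_length(domain: str) -> int:
    """sum(4 + domain component name length) + 17; usa.ses gives 31."""
    return sum(PER_COMPONENT_OVERHEAD + utf8_len(part) for part in domain.split(".")) + DOMAIN_OVERHEAD


def ou_dn_length(domain: str, ou_path) -> int:
    """sum(4 + OU name length) over the chain + domain name length + 13.

    ou_path lists the organizational units from the top of the tree down to the
    one being created, e.g. ["Sales", "Paris"] for Paris under Sales.
    """
    return (sum(PER_COMPONENT_OVERHEAD + utf8_len(name) for name in ou_path)
            + domain_name_length(domain) + OU_OVERHEAD)


def check_ou(domain: str, ou_path) -> dict:
    """Evaluate both limits; returns the byte count and any problems found."""
    problems = []
    for name in ou_path:
        n = utf8_len(name)
        if n > OU_NAME_MAX_BYTES:
            problems.append(f"name {name!r} is {n} UTF-8 bytes; the wizard allows {OU_NAME_MAX_BYTES}")
    dn_len = ou_dn_length(domain, ou_path)
    if dn_len > DN_RECOMMENDED_MAX_BYTES:
        problems.append(f"distinguished name would be {dn_len} bytes; "
                        f"recommended maximum is {DN_RECOMMENDED_MAX_BYTES}")
    return {"dn_bytes": dn_len, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Table 4-1's own example, then constructed cases with multibyte names.
    print(check_ou("usa.ses", ["Sales", "Paris"]))
    print(check_ou("usa.ses", ["Ventes", "Genève"]))            # è takes 2 bytes
    print(check_ou("usa.ses", ["営業部", "東京支店", "大手町"]))    # 3 bytes per character
    # Two nested names at the 64-byte maximum already exceed the recommended DN length.
    print(check_ou("usa.ses", ["A" * 64, "B" * 64]))
```

Running the last case shows why the guide warns about nesting: two names that each pass the wizard's 64-byte check combine to a 180-byte distinguished name, past the 170-byte recommendation, before the top node and internal overhead are considered.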

Computers are placed in organizational units in the following ways:
- When an agent is installed. When you install a collector on a computer, an agent is installed on the computer. It is represented in the Information Manager console as a computer within an organizational unit. In some cases, you can specify the organizational unit for the computer when the agent is installed. If an organizational unit is not specified, the computer is placed in the Default organizational unit.
- When you create the computer by using the Create a new Computer wizard. You can use this method to create computers for security products that do not install agents.

Note: Do not create a computer by using the wizard if you plan to install an agent on the computer later. If you do, a duplicate instance of the computer is added to the security directory.

A computer can belong to only one organizational unit at a time. However, depending on the requirements of your network, you can easily move computers from one organizational unit to another.

When you select a computer in the right pane, you can perform the following tasks:
- Creating computers within organizational units
- Editing computer properties
- Distributing configurations to computers in an organizational unit
- Moving a computer to a different organizational unit
- Modifying computer permissions
- Deleting a computer from an organizational unit

Creating computers within organizational units

Computers are defined in the security directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the security directory.

To create a computer within an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit, and then click New > Computer.
4 In the first panel of the Create a new Computer wizard, click Next.
5 In the General panel, do the following, and then click Next:
   - In the Computer name text box, type the computer name.
   - In the Description text box, type a description (optional).
6 In the Information panel, do one of the following:
   - Type information in some or all of the optional text boxes, and then click Next.
   - Click Next. You can supply the information later by editing the computer's properties.
7 In the Identification panel, do one of the following:
   - Provide the host name, IP addresses, and MAC addresses of the computer now, and then click Next.
   - Click Next. You can provide the identification information later by editing the computer's properties.
8 In the Configurations panel, do one of the following:
   - To directly associate configurations with the computer now, click Add. When you are finished, click Next.
   - Click Next. You can add configurations later by editing the computer's properties.
9 In the Computer summary panel, review the information that you have specified, and then click Finish.
10 Click Close.

Editing computer properties

The computer properties that you can view and change depend on whether an agent is installed on the computer.

If the computer has an agent, you can associate configurations with the computer and view the services that are running on the computer. However, you cannot change the identification information for the computer.
See Editing a computer that has an agent on page 68.
See Viewing the services that are running on a computer on page 75.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view services that are running on the computer.
See Editing a computer that does not have an agent on page 69.
See Providing identification information for a computer on page 70.

Editing a computer that has an agent

When a computer has an agent installed, much of the identification information about the computer is captured when the agent is installed. You can learn a lot about the computer by viewing the information that the agent provides. This information includes the state of the services that are running on the computer and the computer's heartbeat status. You can also specify configurations to be associated with the computer. If the computer is an Information Manager appliance, you can add access to other domains.

To edit a computer that has an agent
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes. The rest of the information is supplied by the agent installation.
7 On the Configurations tab, do any of the following:
   - To directly associate configurations with the computer, click Add.
     See Associating configurations directly with a computer on page 74.
   - To remove a configuration, select it, and then click Remove.
   - To view a configuration's properties, select it, and then click Properties.
     See Agent configurations on page 195.

8 On the Domain Access tab, you can add or remove domain access for the Information Manager appliance.
   See Adding domain access to an Information Manager appliance on page 76.
   You can do this only if the computer is an Information Manager appliance and you are logged on as a SES Administrator or a Domain Administrator.
9 You can view information on any of the following tabs:
   - On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.
   - On the Services tab, view information about the services that are running on the computer.
     See Viewing the services that are running on a computer on page 75.
   - On the Heartbeat Monitor tab, view the heartbeat status of the services that are running on the computer.
10 Click OK.

Editing a computer that does not have an agent

When you create a computer by using the Create a new Computer wizard, you can modify most of the computer's properties. Services are reported only if an agent is installed on the computer.

To edit a computer that does not have an agent
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, modify the text boxes as desired. To enable the Other OS text box, select OTHER from the Operating system type drop-down list.
7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as desired.
   See Providing identification information for a computer on page 70.

8 On the Configurations tab, do any of the following:
  - To directly associate configurations with the computer, click Add. See Associating configurations directly with a computer on page 74.
  - To remove a configuration, select it, and then click Remove.
  - To view a configuration's properties, select it, and then click Properties.
  See Agent configurations on page 195.
9 On the Services tab, view information about the services that are running on the computer. See Viewing the services that are running on a computer on page 75.
10 On the Heartbeat Monitor tab, view the heartbeat status of the services that are running on the computer.
11 Click OK.

Providing identification information for a computer

After you create a computer using the Create a New Computer wizard, you can provide the network identification information for the computer by editing its properties. When you create a computer by installing a collector, the identification information is supplied automatically by the installation.

To provide identification information for a computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type a fully qualified domain name or DNS hostname.
6 To add an IP address, under IP addresses, click Add.
7 In the IP addresses dialog box, type the IP address of the computer, and then click OK.
8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.

9 To add a MAC address, under MAC addresses, click Add.
10 In the MAC addresses dialog box, type the MAC address of the computer, and then click OK. The MAC address must consist of six hexadecimal pairs.
11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.
12 Click OK.

Using the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor EPS rates and CPU usage on your network devices. You can also view and modify the properties of elements such as Information Manager appliances and agents.

About the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System page, you see a set of icons that represent such elements as correlation appliances, collection appliances, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an appliance and its event archive. A blue line indicates that event forwarding is configured between a collection appliance and the correlation appliance, and the arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon: click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic. These tools are defined in Table 4-2.

Table 4-2 Visualizer tools (Tool: Purpose)

Layout menu: Use this drop-down menu to select a display format, such as Organic or Circular.
Refresh: Click the Refresh icon to update the display after you make configuration changes. For example, after you add a collector, clicking Refresh redraws the diagram and shows a new icon for the added collector.
Zoom in: Enlarge the diagram.
Zoom out: Make the diagram smaller.
Zoom selected: Select a portion of the diagram by clicking the mouse and dragging a box around the desired area. Then click the Zoom selected icon to enlarge the area that you selected.
Fit to window: Returns the diagram to its original size, so that the entire diagram fits in the right pane of the System page.
Save as: Saves the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.
Print: Prints the diagram. On the Print Options dialog, you can select the height (Poster Rows) and width (Poster Columns) if you are printing a very large diagram. The default setting (1 poster row and 1 poster column) prints the entire diagram on a single page.
Table view: Displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as events per second (EPS) and the total number of events that the element has processed since it was last started. A green check mark means that the element is running; a red X means that the element is not responding.

The colored dots that appear next to some elements indicate the activity level of these elements. Some dots reflect the volume of events per second (EPS), and other dots reflect the percentage of appliance CPU in use. The meaning of each color is explained below.

EPS
Green = less than or equal to 2.5 K
Yellow = 2.5 K to 5 K
Red = greater than 5 K

CPU usage
Green = less than 60%
Yellow = 60% to 80%
Red = greater than 80%

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties. The same properties are also accessible through other tabs on the System page. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it, which makes the element appear in the Visualizer. Table 4-3 explains how to access each of the element categories on other System page tabs.

Table 4-3 Accessing element properties on System page tabs (Category: How to access)

Computers: This category includes appliances, agents, and collectors. Select Administration tab > Organizational Units. Select an organizational unit. In the list in the right pane, double-click the name of a computer. A dialog box displays the computer's properties. For more information about modifying these properties and about adding new computers, see the section on organizational units.
Directories: Select Administration tab > Directories. In the list in the right pane, double-click the name of a directory. A dialog box displays the directory's properties.
Products: This category includes products such as collectors and firewalls. Select Product Configurations tab. In the left pane, click the name of a product. The right pane displays the product's properties.

To view and modify element properties

1 On the System page of the Information Manager console, click the Visualizer tab.
2 Right-click an icon in the diagram, and then click Properties. A dialog box displays a set of tabs that let you access the element's properties. The displayed properties depend on the type of element that you selected. For example, a collection appliance has different properties than an agent.
3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.
4 When you finish viewing and modifying properties, click OK.

Associating configurations directly with a computer

The behavior of Information Manager components is controlled by configurations. To distribute configurations, you associate a configuration with a computer. You can then distribute the configuration, either immediately or at a later date, depending on your needs.

To associate configurations directly with the computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer that you want to edit.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the Configurations tab, click Add.
6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the organizational unit. The configurations are displayed in the Available configurations list.
7 In the Available configurations list, select a configuration, and then click Add. The selected configuration is listed in the Selected configuration list.
  If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one.

8 To select a configuration for a different product, repeat steps 6 and 7.
9 When you finish adding configurations, click OK.
10 In the Organizational Unit Properties dialog box, do any of the following:
  - To remove a configuration, select it, and then click Remove.
  - To view a configuration's properties, select it, and then click Properties.
11 Click OK.

Viewing the services that are running on a computer

You can view information about the services that are running on a computer, such as which configurations are in use, and whether the configurations are up to date.

To view the services that are running on a computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer whose services you want to view.
4 In the right pane, right-click the computer name, and then click Properties.
5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are being used.
  - If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized, that is, they are identical.
  - If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer. See step 6.
  - If this field is blank, it is probably because the service is not configurable. Check the Configurable column; if the value is No, the In Sync field is always blank.
6 You may do either of the following:
  - In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.

  - To refresh the Computer Properties dialog box display, click Refresh.
7 When you finish, click OK.

Adding domain access to an Information Manager appliance

By default, a computer has access to the domain in which it was created. If the computer is an Information Manager appliance, you can give it access to more than one domain. The following are examples of when you should grant domain access to an Information Manager appliance:
  - If you create an alert configuration and add notification to users in another domain, you must give each Information Manager appliance in your top domain access to this domain so that it can do directory lookups.
  - If you want to deploy Information Manager appliance extensions across domains, you must ensure that the Information Manager appliances in each domain have access to each other.
  - If you monitor heartbeat for Information Manager appliances across domains, you must configure the Information Manager appliances in both the local and the remote domain to have access to each other. This is because the master heartbeat machines in different domains contact each other to share heartbeat information across domains.

To add domain access to an Information Manager appliance

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the desired appliance.
4 In the right pane, right-click the appliance name, and then click Properties.
5 In the Computer Properties dialog box, on the Domain Access tab, click Add.
6 In the Find Domains dialog box, do the following:
  - In the Available domains list, select one or more domains.
  - Click Add. The domains appear in the Selected domains list.
  - Click OK.
7 In the Computer Properties dialog box, on the Domain Access tab, do any of the following, as needed:

  - To remove a domain, select it, and then click Remove. You cannot remove domain access to the domain in which the computer resides.
  - To view a domain's properties, select it, and then click Properties.
8 Click OK.

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to the computers in the organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations. There are the following ways to distribute configurations to computers in an organizational unit:
  - You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.
  - You can select specific computers to receive the latest configurations.

Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.

To distribute configurations to selected computers in an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.
4 In the right pane, select only those computers that you want to notify.
5 Right-click the selected computers, and then click Distribute.
6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can belong to only one organizational unit, you can move computers from one organizational unit to another.

Warning: Before you move a computer, make sure that moving computers is supported by the security products that you are managing.

To move a computer to a different organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.
4 In the right pane, right-click a computer, and then click Move. You may select multiple computers if you want to move all of them to the same organizational unit.
5 To confirm that you want to move the computers, click Yes.
6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.
7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see if the computers that you moved are now in the list.

If you move a computer that is an Information Manager appliance, you may have to log on again before you will see the computer in the organizational unit. Agents that connect to the Information Manager appliance may need to be restarted.

Modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer. To modify the permissions for a computer, you must display the Permissions dialog for the computer. You cannot modify permissions for computers using the Role Properties dialog box. See Modifying permissions from the Permissions dialog box on page 44.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within the organizational unit by moving them or deleting them. You may also want to delete a computer that you no longer want to have under Information Manager management. If the computer was created by installing an agent as part of a security product installation, you should uninstall the security product before you delete the computer. See Creating computers within organizational units on page 66.

Deleting a computer from an organizational unit removes it from the security directory.

Warning: Be aware that if you delete a computer that is an Information Manager appliance, you cannot add it to an organizational unit again without first doing some extra steps. To restore a deleted appliance to the security directory, you must either re-register the deleted appliance with the security directory in which it was previously registered or re-install the Information Manager appliance.

To delete a computer from an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer that you want to delete.
4 In the right pane, right-click the computer name, and then click Delete.
5 To confirm your intention to delete the computer from the organizational unit, click Yes.


Section 3 Managing your correlation environment

- Configuring the Correlation Manager
- Defining a rules strategy
- Understanding rules components
- Understanding event normalization
- Effects, Mechanisms, and Resources
- Working with the Assets table
- Default Processing rule
- Collector-based event filtering and aggregation


Chapter 5 Configuring the Correlation Manager

This chapter includes the following topics:
- About the Correlation Manager
- About the Correlation Manager Knowledge Base
- About the default rules set
- Working with the Lookup Tables window
- Enabling and disabling rules
- Creating a custom rule

About the Correlation Manager

The Correlation Manager component of Symantec Security Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a Knowledge Base to compare events to patterns of common network security threats. To facilitate security analysis, the Correlation Manager filters false positive events from networks, including events that are permitted by your company security policy. The Correlation Manager also identifies attacks based on patterns of firewall, IDS, and antivirus activity across desktops, gateways, and servers, and declares incidents that warrant further action and closure. The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

About the Correlation Manager Knowledge Base

The Correlation Manager Knowledge Base consists of tables that contain information about the network, security policies, and normalized event categories and subcategories. This information is referenced by the Information Manager default rules to allow the correlation engine to make a more effective evaluation of incoming security events. Custom rules can also reference the information in the Correlation Manager Knowledge Base tables.

The information in the Knowledge Base is a combination of updated information from DeepSight Threat Management Services and information that you can edit from the Lookup Tables view of the Rules page. If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. The option to update the DeepSight content appears whenever you start the Information Manager console. If you do not have a DeepSight license, you receive updates to security content via regular LiveUpdate packages. See the Symantec Security Information Manager Installation Guide for information on managing DeepSight content and running LiveUpdate for the appliance.

About the default rules set

Symantec Security Information Manager includes a set of basic rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through Symantec DeepSight Threat Management Services and LiveUpdate. You can also create your own rules with the Rules Editor. Table 5-1 lists the default rules and the types of security products that they are associated with.

Table 5-1 Correlation manager rules by security product type (Security product: Associated rules)

Antivirus:
- AntiVirus Disabled
- Critical Malicious Code Detection
- Default processing
- Malicious Code Not Quarantined
- Malicious Code Outbreak
- Malicious Code Propagation
- Spyware Not Quarantined
- Spyware Outbreak

Table 5-1 Correlation manager rules by security product type (continued)

Firewall:
- Block Scan
- Check FTP Transfers
- DoS High Volume
- Distributed DoS High Volume
- External Port Sweep
- Internal Port Sweep
- IP Watchlist Rule
- IRC Bot Net
- Malicious URL
- Single Event DoS
- Ping Scan Detector
- Port Scan Detector
- Scan Followed By Exploit
- Smurf Attack
- Firewall Trojan Connections

NIDS:
- Attempted DNS Exploit
- Attempted FTP Exploit
- Attempted WWW Exploit
- Attempted Service Exploit
- Block Scan
- DoS High Volume
- Single Event DoS
- Distributed DoS High Volume
- Intrusion Threshold (disabled by default)
- IP Watchlist Rule
- IRC Bot Net
- NULL Login Authentication Violation
- Ping Scan Detector
- Return Trojan Traffic
- Scan Followed By Exploit
- Smurf Attack
- IDS TFTP from WebServer
- Malicious Code Propagation
- Vulnerability Scan
- Vulnerability Scan Detector
- Web Vulnerability Scan

Table 5-1 Correlation manager rules by security product type (continued)

HIDS:
- DoS High Volume
- IP Watchlist Rule
- Account Guessing Attack
- Password Guessing Attack
- Multiple Files Modified
- NULL Login Authentication Violation
- Single Event DoS
- Scan Followed By Exploit
- Trojan Connections
- Vulnerability Scan
- Vulnerability Scan Detector
- Web Vulnerability Scan

Vulnerability assessment:
- Vulnerability Scan

Policy compliance:
- Policy Compliance Violation

Windows Events:
- Account guessing attack
- Password guessing attack
- Windows Account Lockout (disabled by default)
- Windows Audit Log Cleared
- Windows Privileged Activities by user
- Windows Security Violation (disabled by default)

About the Default Processing rule

Events that are not processed by custom rules or Symantec Security Information Manager rules are handled by the Default Processing rule. The Default Processing rule uses the Effects, Mechanisms, and Resources (EMR) values to determine how an event should be processed.

Working with the Lookup Tables window

You can view and update the IP watchlist, sensitive files, sensitive URLs, services, and trojans information from the Rules window. List entries change over time due to updates from DeepSight Threat Management Services and LiveUpdate.

You can also create user-defined lookup tables under the User Lookup Tables folder.

The Lookup Tables provide a set of configurable tables that allow you to describe the assets and resources of your network. For the proper functioning of the correlation rules, it is essential that you populate the Lookup Tables with the information that is used to determine incident severity, including details ranging from the physical information about each computer to the Confidentiality, Integrity, and Availability (CIA) assessments of each resource. Key settings include specifying which systems host critical or sensitive information, and which systems require high availability.

You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, incidents that affect networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

It's also helpful to specify which policies are used within your network. Information Manager includes default policies such as Sarbanes-Oxley and HIPAA. You can also add custom policies. After you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. The list of members that you can assign to those teams is maintained in the System Viewer.

Another key factor in determining incident severity and the functioning of rules is the information that is stored in the knowledge base. Some of this information is provided by DeepSight Threat Management Services, and some settings you can configure. For example, you can add entries to the IP watchlist.

Table 5-2 lists the Lookup Tables and the kinds of information that they contain.

Table 5-2 Lookup Tables (Category: Description)

ip watchlist: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses.
  Note: The IP Watch List table is a user-configurable table that is available for manually tracking known bad IP addresses. A separate internal IP Watch List is maintained via LiveUpdate and/or Symantec DeepSight updates, which contains a list of IP addresses that are known to be malicious in the larger Internet environment. Updates to this internal list do not affect the IP Watch List that is visible in the Information Manager Web configuration interface.

Table 5-2 Lookup Tables (continued)

sensitive files: Lists the file names to monitor during FTP transfers.
sensitive urls: Lists text strings that are often included in malicious URLs.
services: Lists the services that are associated with each port number.
trojans: Lists known Trojan Horse exploits.
windows events: Lists port addresses that are used by network services.

To add an entry to the ip watchlist

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click ip watchlist (if it's not already selected).
5 Click New Record (+).
6 In the spaces that are provided, type the desired IP address and description.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the sensitive files list

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive files.
5 Click New Record (+).
6 In the space that is provided, type the name of the file.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the sensitive urls list

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.

4 Click sensitive urls.
5 Click New Record (+).
6 In the URL Substring column, type the URL.
7 In the Attack Type column, type the kind of attack that is associated with this URL.
8 Click Deploy.
9 When prompted, click OK to deploy the change.

To add an entry to the services list

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click services.
5 Click New Record (+).
6 In the Service column, type a description.
7 In the Port column, type the port number that you want to add.
8 Click Deploy.
9 When prompted, click OK to deploy the change.

To add an entry to the Trojans list

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click trojans.
5 Click New Record (+).
6 In the Port column, type the port number that is associated with the attack.
7 In the Protocol column, type the network protocol (such as TCP or UDP) that is associated with the attack.
8 In the Trojan Name(s) column, type the name of the Trojan horse.
9 Click Deploy.
10 When prompted, click OK to deploy the change.

To add an entry to the Windows Events list

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click windows events.
5 Click New Record (+).
6 In the ID column, type the desired Microsoft Windows event type.
7 In the Category column, type the kind of activity that is associated with the event.
8 In the Description column, type a description for this kind of event.
9 Click Deploy.
10 When prompted, click OK to deploy the change.

To delete an entry from the Lookup Tables

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click the table with the entry that you want to delete.
5 Click Delete.
6 Click Yes to confirm the deletion.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To create a user-defined lookup table

1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 In the Input dialog that appears, type the name of the table that you want to create, and click OK. The name of the table must not match the name of an existing table or rule.
4 In the Content tab, click Add, and enter the Name, Type, and Description values.
5 When you are finished, click Deploy.
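The following Python script is an added illustration of how the System Lookup Tables described in Table 5-2 are consumed once deployed; it is not Symantec's code and does not use the Correlation Manager's internal format. It builds constructed copies of the ip watchlist, sensitive urls, services, and trojans tables in the column layout the procedures above describe, applies them to a handful of constructed normalized events, and separates the hits that the guide says declare an incident (watchlist, sensitive URL, Trojan port) from the services table, which only adds context. The event field names and the RFC 5737 documentation addresses are assumptions.

```python
"""Added example, not the Correlation Manager's own code: apply constructed
copies of four System Lookup Tables to normalized events.  Column layout
follows the guide (ip watchlist: IP address + description; sensitive urls:
URL Substring + Attack Type; services: Service + Port; trojans: Port,
Protocol, Trojan Name(s)).  Entries, event field names and addresses are
constructed sample data."""

# --- constructed lookup tables ---------------------------------------------
IP_WATCHLIST = {                # IP address -> description
    "203.0.113.7": "constructed entry: host flagged in an earlier incident",
}
SENSITIVE_URLS = [              # (URL Substring, Attack Type)
    ("/etc/passwd", "directory traversal"),
    ("cmd.exe", "command execution"),
]
SERVICES = {                    # Port -> Service (enrichment only)
    22: "ssh",
    80: "http",
    443: "https",
}
TROJANS = [                     # (Port, Protocol, Trojan Name(s))
    (31337, "TCP", "constructed-trojan-A"),
]

# Tables whose hits the guide says produce an incident; services is context only.
INCIDENT_TABLES = {"ip watchlist", "sensitive urls", "trojans"}


def match_event(event):
    """Return [(table name, detail), ...] for every lookup-table hit on one event."""
    hits = []
    src = event.get("source_ip")
    if src in IP_WATCHLIST:
        hits.append(("ip watchlist", IP_WATCHLIST[src]))

    url = (event.get("url") or "").lower()
    for substring, attack_type in SENSITIVE_URLS:
        if substring.lower() in url:
            hits.append(("sensitive urls", attack_type))

    port = event.get("dest_port")
    proto = (event.get("protocol") or "").upper()
    for t_port, t_proto, name in TROJANS:       # port AND protocol must match
        if port == t_port and proto == t_proto:
            hits.append(("trojans", name))

    if port in SERVICES:
        hits.append(("services", SERVICES[port]))
    return hits


def should_declare_incident(event):
    """True when at least one hit comes from an incident-declaring table."""
    return any(table in INCIDENT_TABLES for table, _ in match_event(event))


# --- constructed normalized events ----------------------------------------
SAMPLE_EVENTS = [
    {"id": 1, "source_ip": "198.51.100.5", "dest_port": 443, "protocol": "tcp",
     "url": "https://intranet.example/index.html"},          # benign, enriched only
    {"id": 2, "source_ip": "203.0.113.7", "dest_port": 80, "protocol": "tcp",
     "url": "http://www.example/login"},                     # watchlisted source
    {"id": 3, "source_ip": "198.51.100.9", "dest_port": 80, "protocol": "tcp",
     "url": "http://www.example/../../etc/passwd"},          # sensitive URL substring
    {"id": 4, "source_ip": "198.51.100.9", "dest_port": 31337, "protocol": "udp",
     "url": ""},                                             # right port, wrong protocol
    {"id": 5, "source_ip": "198.51.100.9", "dest_port": 31337, "protocol": "tcp",
     "url": ""},                                             # Trojan port and protocol
]


def triage(events=SAMPLE_EVENTS):
    """Map event id -> (hits, declare_incident) for a batch of events."""
    return {e["id"]: (match_event(e), should_declare_incident(e)) for e in events}


if __name__ == "__main__":
    for event_id, (hits, declare) in triage().items():
        print(event_id, "INCIDENT" if declare else "ok", hits)
```

Event 4 is the edge case worth noticing: a Trojan entry carries both a Port and a Protocol column, so a hit requires both to match, which is why the UDP event to port 31337 is not flagged while the TCP one is.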

Enabling and disabling rules

By enabling or disabling rules in the Rules Editor, you can temporarily filter certain network events or change the way the Correlation Manager declares incidents.

Note: In some cases, such as when the appliance is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, check or uncheck the box next to a rule.
3 In the top toolbar, click Deploy.

Creating a custom rule

Complete the following steps to create a custom rule. Note that it is usually easier to start by copying a default rule and then making changes.

To create a custom rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click the User Rules folder.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule.
5 On the Conditions tab, in the Description window, type a description for the rule.
6 On the Conditions tab, on the Rule Type menu, click the entry that best matches the type of event and target combination that applies to the new rule. For example, if you want an incident declared every time a specific event is detected, you would click Single Event. If you would like to declare an incident after a certain number of events are detected from a specific IP address, then you would click Many Events, One Source.
7 In the Event Criteria area, click Add.
8 Select the left-most column of the new entry, and then choose an event type.
9 Select the center column and specify the operator.

10 Select the right-most column, and then specify the value that must be true for the event type, given the operator that you chose.
11 Repeat steps 7 through 10 for any other Event Criteria that you want applied to the rule. You can select multiple Event Criteria and apply logical operators (AND/OR) to them.
12 In the Event Count box, specify the number of times that the Event Criteria that you specified must be true for an incident to be declared.
13 In the Span box, specify the amount of time for the number of events that are specified in the Event Count to occur. For example, you can specify that 30 events of a specific type must occur within 60 minutes before an incident is declared.
14 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting. The Table Size setting divided by the Event Count setting is equal to the maximum number of event groups that can be managed by the rule.
15 In the Tracking Keys section, specify the fields to include in the incident. This can be any of the One-Many, Many-One, or Tracking Fields that are associated with the incident.
16 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.
17 In the Conclusion Description area, type a description of the problem. This information will appear to users who are assigned incidents or tickets that are based upon incidents triggered by this rule. Note that you can click the Add (+) button and include the values of fields from the final event that triggered the conclusion.
18 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.
19 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into incidents that are based on the value of this resource field.
20 To specify that a user or team is automatically assigned to incidents that are created by this rule, do the following:
   Turn on Enable Auto Assign.
   If you want to assign the incident based upon the IP address of the affected target computer, in the left column, type the IP address or netmask.
   In the User column, click the user that you want to assign the incidents to.
   In the Team column, click the Help Desk team that you want to assign the incidents to.
21 On the Testing tab, specify the location of a file containing event data, and then click Start.
22 When you are satisfied with the incidents and conclusions that are created by the rule, turn on the rule in the Rules list.
23 On the top toolbar, click Deploy.
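Steps 16 through 20 describe what happens on the Actions tab once a rule has produced a conclusion: the Conclusion Description is filled with field values from the final event, Correlate By decides whether the conclusion joins an existing incident, and Auto Assign picks a user and team by the target's IP address or netmask. The following added example (not Symantec code, and not how Information Manager implements these settings internally) models that pipeline in Python. The ${field} variable syntax, the field names source_ip and destination_ip, and the conclusion records are constructed assumptions; the Correlate By option names are those of Table 7-7.

```python
"""Added example (not Symantec code): conclusions -> incidents as driven by
the Actions tab settings. Field names, the ${field} template syntax and the
sample conclusions are constructed assumptions."""
import ipaddress
import re

# Constructed conclusions: each carries the fields of the final event that
# triggered it plus the conclusion type and severity chosen on the rule.
CONCLUSIONS = [
    {"conclusion_type": "Port Scan", "source_ip": "10.1.1.5",
     "destination_ip": "10.2.0.8", "severity": 3},
    {"conclusion_type": "Port Scan", "source_ip": "10.1.1.5",
     "destination_ip": "10.2.0.9", "severity": 3},
    {"conclusion_type": "Port Scan", "source_ip": "10.1.1.6",
     "destination_ip": "10.2.0.8", "severity": 3},
    {"conclusion_type": "AntiVirus Disabled", "source_ip": "10.5.0.2",
     "destination_ip": "10.5.0.2", "severity": 4},
]

# Correlate By options (Table 7-7) mapped to the fields that must be equal
# for a new conclusion to be mapped onto an existing incident. "resource"
# stands for whatever field was chosen in the Resource Field menu.
CORRELATE_BY = {
    "None": None,
    "Resource and Conclusion Type": ("resource", "conclusion_type"),
    "Source and Destination": ("source_ip", "destination_ip"),
    "Source and Conclusion Type": ("source_ip", "conclusion_type"),
    "Source": ("source_ip",),
    "Destination and Conclusion Type": ("destination_ip", "conclusion_type"),
    "Destination": ("destination_ip",),
    "Conclusion Type": ("conclusion_type",),
}


def render_description(template, event):
    """Replace ${field} variables in the Conclusion Description with values
    taken from the final event (step 17). Unknown fields render as empty."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(event.get(m.group(1), "")), template)


def correlation_key(conclusion, correlate_by, resource_field=None):
    """Key under which conclusions are grouped; None means never correlate."""
    fields = CORRELATE_BY[correlate_by]
    if fields is None:
        return None
    return tuple(conclusion.get(resource_field if f == "resource" else f)
                 for f in fields)


def auto_assign(conclusion, assignments):
    """Return (user, team) for the first IP address or netmask covering the
    affected target (step 20); (None, None) if no row matches."""
    target = ipaddress.ip_address(conclusion["destination_ip"])
    for network, user, team in assignments:
        if target in ipaddress.ip_network(network, strict=False):
            return user, team
    return None, None


def build_incidents(conclusions, correlate_by, description_template,
                    assignments, resource_field=None):
    """Group conclusions into incidents and assign each new incident."""
    incidents, by_key = [], {}
    for c in conclusions:
        key = correlation_key(c, correlate_by, resource_field)
        if key is not None and key in by_key:
            by_key[key]["conclusions"].append(c)   # mapped to existing incident
            continue
        user, team = auto_assign(c, assignments)
        incident = {"key": key,
                    "description": render_description(description_template, c),
                    "severity": c["severity"], "user": user, "team": team,
                    "conclusions": [c]}
        incidents.append(incident)
        if key is not None:
            by_key[key] = incident
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(CONCLUSIONS, "Source and Conclusion Type",
                               "${conclusion_type} from ${source_ip}",
                               [("10.2.0.0/24", "alice", "Help Desk")]):
        print(inc["description"], len(inc["conclusions"]), inc["user"], inc["team"])
```

Changing the Correlate By argument shows the effect of the setting directly: with "None" every conclusion becomes its own incident, with "Conclusion Type" all Port Scan conclusions collapse into one incident regardless of source or destination.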


Chapter 6 Defining a rules strategy

This chapter includes the following topics:
About defining a rules strategy
About creating the right rule set for your business

About defining a rules strategy

Developing a security plan that incorporates correlation rules and filters involves first gaining a thorough understanding of the business needs of your organization from a security perspective. The rules strategy that you derive from this understanding will be specific to the needs of your business. For example, if your implementation protects and monitors network resources that are related to financial transactions, you will need to develop and refine your rule set to focus on the security areas of highest concern, such as authentication on servers containing sensitive financial data. In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns to ensure that the event data that is evaluated is handled in a way that meets the requirements of the policies in place.

About creating the right rule set for your business

A good approach to creating custom rules is to start with the generalized rules provided by Symantec and to fine-tune them or add new rules based upon real event data from your network. The customizations that you need usually fall into the following categories:

Incidents stemming from machine-generated events: These include all of the security devices on your network that generate events that you collect. For example, firewall products such as Symantec Gateway Security generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents. In addition, correlation rules help to automatically map machine-generated events from multiple point products together that may indicate a security incident has occurred, which helps to minimize the manual analysis of each event.

Incidents related to human events or policies: These include your corporate IT security policies, regulatory compliance requirements, and any unique characteristics about user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The rules that are included by default cannot be modified. To customize a rule, create a copy of the rule you want to customize, edit the rule settings, disable the default rule, and enable the new rule.

The following is a general overview of the process for developing rules:

Set up Information Manager in a lab environment.

Update the Assets page to include the IP addresses of hosts that are mission-critical or that host sensitive information.

Collect event data from your network for a week. This should include events from all of the security products that you want Information Manager to correlate (for example, antivirus, HIDS, NIDS, firewalls).

Run the default rules and review the incidents that are created. Look for any false positives that you can easily filter out. Examples of good candidates for filtering are incidents from failed connections reported by a firewall, and Windows-only attacks reported by computers running Linux.

Look at any known security incidents that occurred during the week that you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.

Look for incidents that are the result of firewall rules being too lax. Tuning firewall and Information Manager rules is an ongoing process based on the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false positive incidents. When that occurs, you need to create a new rule to filter out events from an approved use of that application. Or you may discover that there is a port that is still open long after the application that required it has been retired.

Create rules to support security practices in your company. For example, you could create a rule to assign a weekly help desk ticket for security IT to contact PC owners who are not running antivirus software.

As you change rules, use the Information Manager rule test feature to see if the customizations are working. Of particular concern should be any rules that never create conclusions or those that create conclusions too often.

With your Information Manager appliance still in a test environment, forward live network events to it. Continue to refine your rules.

When you are satisfied with the incidents that are being declared, migrate the appliance to your live network.


Chapter 7 Understanding rules components

This chapter includes the following topics:
Understanding Correlation Rules
About Rule conditions
About the Event Count, Span, and Table Size rule settings
About the Tracking Key and Conclusion Creation fields
About the Correlate By and Resource fields
Importing existing rules

Understanding Correlation Rules

Correlation Rules describe logic that is applied to an event or set of events to detect possible security concerns. Conceptually, Correlation Rules can be thought of in the following general categories:

An event identifies an attacker trying to intrude on a particular computer or resource.

Some unknown system or number of systems are trying to cause a specific system to malfunction or cease functioning.

The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate events related to policies or products.

Correlation Rules consist of the following sections:

Rule Type: Identifies the pattern that best describes the event.

Event Criteria: The specific values or threats that the rule applies to, including the number of events that take place over a specified period of time.

Rule Settings: The Event Count, Span, Table Size, Tracking Keys, and Descriptions for an event.

Conclusion and Correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events specified in the Count field is met, the conclusion is escalated to an incident, and correlated with existing incidents where applicable. In addition, the severity of a match for the rule is determined. Additional details are also available via the variables that you can specify in the Description field.

Auto Assignment and Notification settings: Describes how alerting and incident assignment tasks are handled when an incident is created. The Auto Assignment section is used to assign the incident to a specific user or user group (team). The Notification section provides a means of notifying additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event, and an additional notification could be sent to the network administrator who monitors the overall health of the network segment from which the incident occurred.

About Rule conditions

The Rule conditions describe the fields and conditions that the rule is processed against to determine if the event applies to a conclusion. The Rule Conditions panel provides access to all available event and schema field data that can be used to help the analyst to further identify and define events that should be escalated as a potential security threat.

About Rule Types

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match, and only requires a single event to trigger a conclusion. By contrast, a rule that uses the Many to One rule type will evaluate each event against the criteria, but will only create a conclusion when a specified number of matching events have aggregated over a predetermined period of time.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables on the Actions tab. In addition, the Tracking field is provided to identify the element that is used as the basis for additional events to be correlated to existing events and conclusions. The Tracking field must be used for the following rule types:
Many to One
Single Event

Table 7-1 Rule Types

Many Events, One Source
Create a conclusion when the specified criteria have been detected multiple times from a single source IP address within the specified time period. Many Events, One Source rules utilize unique Symantec Signature IDs to indicate that different types of events have been generated by the same source computer. For example, a rule that detects a vulnerability scan could use the Many Events, One Source rule type. Within the criteria for that rule, EMR values could be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, since the criteria for this rule would include multiple types of Mechanisms, the rule would track multiple types of exploit events coming from the same source.
Predefined rule example: Vulnerability Scan Detector

Many Events, One Target
Create a conclusion when events matching the specified criteria have been detected multiple times to a single destination IP address within the specified time period. For example, a rule that detects malicious IP hopping activity could use the Many Events, One Target rule type. In order to conceal scanning activity, an attacker may attempt one type of attack from one IP address, and then change to a different IP address to try a different attack, and so forth, until the most useful vulnerabilities have been identified. This is one method that is used by attackers to avoid detection as a vulnerability scan, since vulnerability scanners often operate from a single source. Using the Many Events, One Target rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Many Sources, One Target
Create a conclusion when events matching the specified criteria have been detected from multiple source IP addresses to a single target IP address within the specified time period. For example, Denial of Service events can often be identified using this rule type. A Smurf attack, for example, uses ICMP Echo Reply events from a large number of source computers to a single target.
Predefined rule examples: Distributed DoS High Volume, Smurf Attack

Table 7-1 Rule Types (continued)

Many Targets, One Event
Create a conclusion when the same event type matching the specified criteria has been detected on multiple target IP addresses within the specified time period. For example, a rule that detects a Malicious Code Outbreak could use this rule type. To identify a Malicious Code Outbreak, a rule could be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria could be set to Virus. Since the rule is looking for the same event type, this rule would trigger only if it was the same virus event on each target.

Many Targets, One Source
Create a conclusion when the specified pattern of events is detected from a single source IP address to multiple unique target IP addresses within the specified time period. For example, a rule that identifies a reconnaissance attack on multiple targets, such as a port scan, could use this rule type. To configure this example, you would choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan.
Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector

Many to One
Create a conclusion when events matching the specified criteria have been detected in a pattern set using the ManyToOne Fields and the OneToMany Field options. In addition to the Event Criteria, the fields that must contain the same information for each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events that occur within a predetermined timeframe. Many to One rules require that the Tracking field be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry. For example, to create a port sweep rule, you could use the Many to One rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the basic event criteria for the rule, you set the One-Many and Many-One field options. On the Actions tab, in the One-Many Fields area you would select Source IP and Target Port (meaning that the event originates from the same IP address that is evaluating the same port), and in the Many-One Fields area you would select the Target IP option (the event destination can be a different IP address for each event).
Predefined rule examples: Malicious Code Outbreak, Spyware Outbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, Multiple Files Modified, Account Guessing Attack, Password Guessing Attack

Single Event
Create a conclusion if an event matches the specified criteria. This rule type requires that the Tracking field be populated.
Predefined rule examples: AntiVirus Disabled, Critical Virus Infection, Default Processing rule, Malicious Code Not Quarantined, Spyware Not Quarantined, ESM Critical Asset Policy Violation, ESM Policy Violation, Check FTP Transfers, IP Watchlist Rule, Malicious URL, One Shot DoS, Trojan Connections, Attempted DNS Exploit, Attempted FTP Exploit, Attempted WWW Exploit, TFTP from Web Server, Windows Security Violation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User

Table 7-1 Rule Types (continued)

Symmetric Traffic
Create a conclusion when the specified pattern of events is detected from a single source IP address to a single target IP address, then from that target IP address back to the original source IP address within the specified time period. For example, if you wanted to create a rule that identifies BackOrifice exploit traffic between a single target and source, you could use the Symmetric Traffic rule type. To monitor for BackOrifice symmetric traffic events, after choosing the Symmetric Traffic rule type, you would set the criteria to be the Symantec Signature for BackOrifice (attackid 1414). The rule would trigger if an IDS logs both the connection from a source to a target, and from that target back to the source, as being BackOrifice traffic.
Predefined rule example: Return Trojan Traffic

Transitive Traffic
Create a conclusion when the specified pattern of events is detected from a single source IP address to a single target IP address, then from that target IP address to a new target IP address within the specified time period. For example, if you wanted to create a rule that identifies BackOrifice exploit traffic that moves from one source to a target backdoor, and then the targeted computer becomes the source that accesses the backdoor of a new target, and so forth, you could use the Transitive Traffic rule type. To monitor for BackOrifice transitive traffic events, after choosing the Transitive Traffic rule type, you would set the criteria to be the Symantec Signature for BackOrifice (attackid 1414). The rule would trigger if an IDS logs both the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature.
Predefined rule example: Malicious Code Propogation

X followed by Y
Create a conclusion when a specified pattern is detected from a single source IP address to a single target IP address, and is followed by a different pattern from the same source IP address to the same target IP address within the specified time period.
Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation

Event Criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information. Table 7-2 describes the tabs that are available in the drop-down list.

Table 7-2 Event Criteria tables

Common
Contains data from the Normalization fields, the DeepSight database (via the Symantec Signature), and the Asset and Network tables.

Derived
Contains customized data from the Normalization fields, the DeepSight database (via the Symantec Signature), and the Asset and Network tables. The system applies logic to the source and destination IP addresses that results in several fields or flags being added to the event. For fields, this is primarily data from the Asset and Network table. For flags, this is information such as the traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open (whether the Asset entry has the destination_port value listed as available), and Vulnerable (whether the Asset entry for the event's destination_ip value is listed as being vulnerable to one or more of the Bugtraq IDs associated with the event's Symantec Event Code).

Events
Includes all of the events that have been identified for each product that is associated with your installation of Information Manager, based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Other Fields
Provides a means of creating a product-specific field that uses a string or integer value that may not be accessible through the schema provided. In some cases, event data is included with events that are sent to Information Manager that is used by a specific point product, but is not accounted for as an identified field in the Information Manager schema that is used by the collector (also known as out-of-band data). This data can be included either by the collector or it can be added during normalization.

Table Lookups
Provides access to the fields that are associated with the Knowledge Base tables that are populated by both Information Manager and the environment and resource-specific data that is provided by the user (such as the Asset and Network tables). These fields are dynamically generated based on the current state of each of the Knowledge Base tables.

The Event Criteria rows include a logical decision field that provides the operator that is used to determine how the event criteria are evaluated. Table 7-3 describes the decision options that are available.

Note: The available operators vary with each criteria type.

Table 7-3 Event Criteria operators

Equal
The field value is an exact match to the criteria value.

Table 7-3 Event Criteria operators (continued)

Not Equal
The field value does not match the criteria value.

Greater than
The field value is greater than the specified value.

Less than
The field value is less than the specified value.

Greater than or equal to
The field value is greater than or equal to the specified value.

Less than or equal to
The field value is less than or equal to the specified value.

Null
The field is empty.

Not Null
The field contains a value.

Is in
The field value matches a value that is contained in the specified table.

Is not in
The field value does not match a value that is contained in the specified table.

True
The field value is True.

False
The field value is False.

Contains
The field value contains the specified string. The usage of this operator varies with the field that the data is being compared with. For example, if you are using EMR values, a drop-down list of possible values will appear. However, if you are evaluating the string data in a field such as target_resource, the value that you type will be used to perform a substring search. For example, if you want to find out whether the string root.exe is contained in the target_resource field, any event whose target_resource field contains root.exe would be identified, causing a match.

Doesn't contain
The field value does not contain the specified string. The usage of this operator varies with the field that the data is being compared with. For example, if you are using EMR values, a drop-down list of possible values will appear. However, if you are evaluating the string data in a field such as target_resource, the value that you type will be used to perform a substring search. For example, if you want to verify that the string root.exe is not included in the target_resource field, any event whose target_resource field contains root.exe would be identified, which indicates that the Doesn't contain condition has not been met.

Matches
The field value matches the value specified as a regular expression.

Doesn't match
The field value does not match the value specified as a regular expression.
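The operators of Table 7-3 are easiest to understand as a small evaluator applied to normalized events, with Is in and Is not in consulting lookup tables of the kind edited under Lookup Tables (services, trojans) and Contains and Matches performing substring and regular-expression tests on string fields such as target_resource. The following is an added example written for this guide, not Symantec code and not the engine's actual implementation; the field names, the lookup-table contents and the sample events are constructed, and Is in is modelled as an exact match against the table's key column as the table describes.

```python
"""Added example (not Symantec code): evaluating Event Criteria rows against
normalized events with the operators of Table 7-3. Field names, lookup-table
contents and sample events are constructed assumptions."""
import re

# Constructed lookup tables keyed on the column that "Is in" compares against:
# services (Port -> Service) and trojans (Port -> Protocol, Trojan Name(s)).
LOOKUP_TABLES = {
    "services": {22: "ssh", 80: "http", 443: "https"},
    "trojans": {31337: ("TCP", "Back Orifice"), 12345: ("TCP", "NetBus")},
}


def _is_null(v):
    return v is None or v == ""


def _is_str(v):
    return isinstance(v, str)


# Operator name -> predicate(field value, criteria value). Comparisons on an
# empty field are False rather than raising, matching how a row simply fails.
OPERATORS = {
    "Equal": lambda v, c: v == c,
    "Not Equal": lambda v, c: v != c,
    "Greater than": lambda v, c: not _is_null(v) and v > c,
    "Less than": lambda v, c: not _is_null(v) and v < c,
    "Greater than or equal to": lambda v, c: not _is_null(v) and v >= c,
    "Less than or equal to": lambda v, c: not _is_null(v) and v <= c,
    "Null": lambda v, c: _is_null(v),
    "Not Null": lambda v, c: not _is_null(v),
    "Is in": lambda v, c: v in LOOKUP_TABLES[c],
    "Is not in": lambda v, c: v not in LOOKUP_TABLES[c],
    "True": lambda v, c: v is True,
    "False": lambda v, c: v is False,
    # substring search on string fields such as target_resource
    "Contains": lambda v, c: _is_str(v) and c in v,
    "Doesn't contain": lambda v, c: not (_is_str(v) and c in v),
    # regular-expression search
    "Matches": lambda v, c: _is_str(v) and re.search(c, v) is not None,
    "Doesn't match": lambda v, c: not (_is_str(v) and re.search(c, v) is not None),
}


def evaluate_row(event, row):
    """Evaluate one Event Criteria row: (field, operator, criteria value)."""
    field, operator, value = row
    return OPERATORS[operator](event.get(field), value)


def evaluate_criteria(event, rows, logic="AND"):
    """Combine several rows with the logical operator chosen in the editor."""
    results = [evaluate_row(event, row) for row in rows]
    return all(results) if logic == "AND" else any(results)


# Constructed normalized events (assumed field names).
BACKDOOR_EVENT = {"destination_port": 31337, "protocol": "TCP",
                  "target_resource": None, "source_is_internal": True}
WEB_EVENT = {"destination_port": 443, "protocol": "TCP",
             "target_resource": "/scripts/root.exe", "source_is_internal": False}

# Rows in the spirit of the Trojan Connections and Malicious URL rules.
TROJAN_PORT_RULE = [("destination_port", "Is in", "trojans"),
                    ("protocol", "Equal", "TCP")]
SENSITIVE_RESOURCE_RULE = [("target_resource", "Contains", "root.exe"),
                           ("target_resource", "Matches", r"\.exe$")]


def classify(event):
    """Return the names of the constructed rules whose criteria the event meets."""
    hits = []
    if evaluate_criteria(event, TROJAN_PORT_RULE):
        hits.append("trojan port")
    if evaluate_criteria(event, SENSITIVE_RESOURCE_RULE):
        hits.append("sensitive resource")
    return hits


if __name__ == "__main__":
    for name, ev in (("backdoor", BACKDOOR_EVENT), ("web", WEB_EVENT)):
        print(name, classify(ev))
```

The Null and Not Null rows show why the comparison operators guard against empty fields: a rule row on target_resource must fail cleanly, not error out, for an event that carries no resource at all.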

About the Event Count, Span, and Table Size rule settings

The Rules Editor includes settings that allow you to specify how many events must occur within a specified period of time to meet the criteria for the rule. In addition, you can also determine the table size for the event data that is stored. Table 7-4 describes the Event Count, Span, and Table Size settings.

Table 7-4 Event Count, Span, and Table Size rule settings

Event Count
Determines the number of events that must occur within the time period specified in the Span settings in order for the rule to trigger an incident. This setting is used primarily in conjunction with the Many-One Field area on the Actions tab.

Span
Indicates the timeframe allotted for the number of events specified in the Event Count field to occur.

Table Size
Specifies the state table size, in rows, that is maintained in memory for each rule. For example, the Account Guessing Attack predefined rule requires that two events be identified within ten minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could potentially run out of space. In that case, the table wraps, meaning that the new event data begins to overwrite the original event data in sequential order. To prevent the data from being overwritten, the Table Size should be adjusted according to the event size expectations for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.
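The interaction between Event Count, Span and Table Size (Table 7-4), and between the One-Many and Many-One fields of the port sweep example in Table 7-1, is clearer when the state table is written out. The following added example, written for this guide rather than taken from Symantec's code, models a Many to One rule with a bounded state table: rows outside the Span are ignored, a conclusion is created when Event Count distinct Many-One values have been seen for one One-Many key, and when the table is full the oldest row is overwritten, so a Table Size that is too small for the expected event volume silently loses the evidence the rule needs. Field names, timestamps and the events are constructed assumptions.

```python
"""Added example (not Symantec code): a Many to One state table driven by
Event Count, Span and Table Size. Field names, the second-granularity
timestamps and the sample events are constructed assumptions."""


class ManyToOneRule:
    def __init__(self, name, one_many_fields, many_one_fields,
                 event_count, span_seconds, table_size):
        self.name = name
        self.one_many_fields = one_many_fields  # must be identical across events
        self.many_one_fields = many_one_fields  # must differ across events
        self.event_count = event_count
        self.span = span_seconds
        self.table_size = table_size
        self.rows = []          # state table: (time, one_many_key, many_one_value)
        self.wrapped = 0        # rows lost because the table was full
        self.conclusions = []

    def process(self, event):
        """Add one matching event to the state table; return a conclusion
        when the Event Count is reached for its One-Many key, else None."""
        key = tuple(event[f] for f in self.one_many_fields)
        distinct = tuple(event[f] for f in self.many_one_fields)
        now = event["time"]
        # A repeat of a Many-One value already tracked inside the Span adds
        # nothing: the rule counts different values, not raw events.
        if any(k == key and d == distinct and now - t <= self.span
               for t, k, d in self.rows):
            return None
        if len(self.rows) >= self.table_size:
            self.rows.pop(0)    # table wraps: oldest row is overwritten
            self.wrapped += 1
        self.rows.append((now, key, distinct))
        live = {d for t, k, d in self.rows if k == key and now - t <= self.span}
        if len(live) >= self.event_count:
            # group escalated to a conclusion; its rows are released
            self.rows = [r for r in self.rows if r[1] != key]
            conclusion = {"rule": self.name, "one_many": key,
                          "many_one_values": sorted(live), "time": now}
            self.conclusions.append(conclusion)
            return conclusion
        return None


# Constructed events: one host probing port 445 on three targets within a
# minute (a port sweep), then a slower series on port 22 that never reaches
# three targets inside the Span.
EVENTS = [
    {"time": 0,   "source_ip": "10.1.1.5", "target_ip": "10.2.0.1", "target_port": 445},
    {"time": 10,  "source_ip": "10.1.1.5", "target_ip": "10.2.0.2", "target_port": 445},
    {"time": 15,  "source_ip": "10.1.1.5", "target_ip": "10.2.0.2", "target_port": 445},
    {"time": 20,  "source_ip": "10.1.1.5", "target_ip": "10.2.0.3", "target_port": 445},
    {"time": 30,  "source_ip": "10.1.1.9", "target_ip": "10.2.0.1", "target_port": 22},
    {"time": 200, "source_ip": "10.1.1.9", "target_ip": "10.2.0.2", "target_port": 22},
    {"time": 210, "source_ip": "10.1.1.9", "target_ip": "10.2.0.3", "target_port": 22},
]


def simulate_port_sweep(table_size=6, event_count=3, span_seconds=60):
    """Run the port sweep rule from Table 7-1 over EVENTS and return the rule,
    so that its conclusions and wrap counter can be inspected."""
    rule = ManyToOneRule("Port Sweep",
                         one_many_fields=("source_ip", "target_port"),
                         many_one_fields=("target_ip",),
                         event_count=event_count, span_seconds=span_seconds,
                         table_size=table_size)
    for ev in EVENTS:
        rule.process(ev)
    return rule


if __name__ == "__main__":
    for size in (6, 2):
        r = simulate_port_sweep(table_size=size)
        print(f"Table Size {size}: {len(r.conclusions)} conclusion(s), "
              f"{r.wrapped} row(s) overwritten")
```

Running it with Table Size 6 produces one Port Sweep conclusion for 10.1.1.5 on port 445; with Table Size 2 the same events produce none, because the third target's row overwrites the first before the Event Count is reached, which is the failure mode the Table Size guidance in Table 7-4 warns about.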

Table 7-5 Tracking Key fields (Conditions tab)

One-Many Fields
Used with the Many to One rule type. This field describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table. For example, if you want to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one username to many IP addresses), after setting the rule type to One to Many, in the One-Many Fields area you would choose the User Name option, since this field must be the same in each event for any subsequent events to be correlated with previous events.

Many-One Fields
Used with the Many to One rule type. This field describes the elements that must be different for each event in order for the event to be correlated to an existing event aggregation table. This field is used in conjunction with the Event Count field to determine when the conditions for a One to Many rule have been met. For example, if you want to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one username to many IP addresses), after setting the rule type to One to Many, in the Many-One Fields area you would choose the Target IP option, since the IP address in this field must be different in each event for any subsequent events to be correlated with previous events.

Tracking Fields
Required with the Many to One and Single Event rule types. This field describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields for any existing conclusion. If the event matches an existing conclusion, it is correlated to that conclusion rather than being considered for a new conclusion. In the case of One to Many rules, this field is typically used to track the same value as in the One-Many Field area, which indicates the event field data that must remain the same across each new event that is to be added to the aggregation table.

Table 7-6 describes the Conclusion Creation fields that are available on the Actions tab.

Table 7-6 Conclusion Creation fields (Actions tab)

Alerting Incident
Describes whether an incident should be treated as an alert rather than a security incident.

Table 7-6 Conclusion Creation fields (Actions tab) (continued)

Severity
Describes the severity of the event conclusion, which can determine whether an incident is created. The Severity values include the following:
1 - Informational: Purely informational events.
2 - Warning: User decides if any action is needed.
3 - Minor: Action is required, but the situation is not serious at this time.
4 - Major/Critical: Action is required immediately and the scope may be broad.
5 - Fatal: An error occurred, it is too late to take remedial action, and the scope is broad.

Description
User input area that provides a means for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports the use of field name variables that can be populated with event data.

About the Correlate By and Resource fields

The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident. For example, if a Virus Outbreak incident is in progress, using the appropriate setting in the Correlate By field would cause each Virus Outbreak conclusion with the same virus name to be mapped to the existing incident. In addition, you can use the Resource Field drop-down list to further refine the characteristics of the correlation requirements for the incident. Table 7-7 describes the Correlation types that are available in the Correlate By field.

Table 7-7 Correlate By fields

None
Correlation does not occur for new incidents that match this rule.

Resource and Conclusion Type
Correlation is based on the Resource and Conclusion Type. For example, if the same Virus Outbreak conclusion type occurs on the same host specified in the Resource field, then the new conclusion is correlated to an existing incident.

Source and Destination
Correlation is based on the Source and Destination fields. For example, if a new conclusion is created and the Source IP and Destination IP are the same, the conclusion is correlated to the existing incident.

109 Understanding rules components Importing existing rules 109 Table 7-7 Correlate By fields (continued) Type Source and Conclusion Type Source Destination and Conclusion Type Destination Conclusion Type Description Correlation is based on the Source and Conclusion Type. For example, if the same IP address is causing Port Scan conclusions, any new Port Scan conclusion that originates from the same source is mapped to the existing incident. Correlation is based on the Source field. If the Source matches, any conclusion that originates from that source is correlated to the existing incident. Correlation is based on the Destination and Conclusion Type. For example, if the conclusion is a Denial of Service attack that is targeting the same Destination IP, the conclusion is mapped to the existing incident. Correlation is based on the Destination field. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident. Correlation is based on the Conclusion Type. For example, all AntiVirus Disabled conclusions would be mapped to the existing incident regardless of source or destination values. Importing existing rules You can import rules from previous versions of Symantec Security Information Manager using the Import and Export features that are available in each version. Note: If you are importing a rule from a previous supported version of Information Manager, you should use the Rules Editor to delete any imported policy information, and then apply the current policies. You can also import Java-based rules that are created by Symantec technical support into the System Monitors folder in the Rules Editor. Java-based rules are imported as.jar files. To import an existing rule 1 In the console from which you want to export the rules, navigate to the Rules Editor and export the rules you want to apply to the new console. 
2 In the current Information Manager console, on the Rules page, expand the Correlation Rules folder. 3 Under the Correlation Rules folder, expand the User Rules folder.

110 110 Understanding rules components Importing existing rules 4 Click Import. 5 In the Select File(s) to Import dialog, locate the file or files that you want to import, and click Import... To import a Java-based rule 1 In the Information Manager console, on the Rules page, expand the System Monitors folder. 2 Click the User Monitors folder, and then click Import. 3 In the Select File(s) to Import dialog, locate the.jar file or files that you want to import, and click Import...
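The following Python program is an added example, not part of the Symantec documentation or product. It models the Correlate By behaviour of Table 7-7 and the Severity gating of Table 7-6 so that you can see how each setting groups the same stream of conclusions into incidents. The conclusion field names (conclusion_type, source_ip, dest_ip, resource, severity), the severity threshold of 3, and the sample conclusions are all assumptions made for the example.

```python
"""Mapping conclusions onto incidents by the Correlate By setting.

Added example, not Symantec code: it models how a conclusion that a rule
creates is either attached to an existing incident or opens a new one,
for each Correlate By type in Table 7-7, and how the Severity value on
the Actions tab can gate incident creation.  The conclusion field names
and the severity threshold are assumptions made for this example.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

# Conclusion fields compared for each Correlate By type (Table 7-7).
# None means no correlation: every conclusion opens its own incident.
CORRELATE_BY = {
    "None": None,
    "Resource and Conclusion Type": ("resource", "conclusion_type"),
    "Source and Destination": ("source_ip", "dest_ip"),
    "Source and Conclusion Type": ("source_ip", "conclusion_type"),
    "Source": ("source_ip",),
    "Destination and Conclusion Type": ("dest_ip", "conclusion_type"),
    "Destination": ("dest_ip",),
    "Conclusion Type": ("conclusion_type",),
}


@dataclass(frozen=True)
class Conclusion:
    conclusion_type: str
    source_ip: str
    dest_ip: str
    resource: str   # event field selected in the Resource Field drop-down
    severity: int   # 1 Informational .. 5 Fatal (Table 7-6)


@dataclass
class Incident:
    incident_id: int
    key: Optional[tuple]
    conclusions: list = field(default_factory=list)


class IncidentStore:
    """Open incidents, indexed by the correlation key that opened them."""

    def __init__(self, correlate_by: str, min_severity: int = 3):
        if correlate_by not in CORRELATE_BY:
            raise ValueError(f"unknown Correlate By type: {correlate_by!r}")
        self.fields = CORRELATE_BY[correlate_by]
        self.min_severity = min_severity   # assumption: below this, no incident
        self.incidents: list = []
        self._by_key: dict = {}
        self._ids = count(1)

    def key_for(self, c: Conclusion) -> Optional[tuple]:
        if self.fields is None:
            return None
        return tuple(getattr(c, f) for f in self.fields)

    def submit(self, c: Conclusion) -> Optional[Incident]:
        """Attach c to the matching open incident, or open a new one.
        Returns None when the conclusion's severity is below the threshold."""
        if c.severity < self.min_severity:
            return None
        key = self.key_for(c)
        inc = self._by_key.get(key) if key is not None else None
        if inc is None:
            inc = Incident(next(self._ids), key)
            self.incidents.append(inc)
            if key is not None:
                self._by_key[key] = inc
        inc.conclusions.append(c)
        return inc


# Constructed sample conclusions: two scanning sources, one virus outbreak,
# and one low-severity scan that should never open an incident.
SAMPLE = [
    Conclusion("Port Scan", "10.0.0.5", "10.0.1.10", "10.0.1.10", 3),
    Conclusion("Port Scan", "10.0.0.5", "10.0.1.11", "10.0.1.11", 3),
    Conclusion("Port Scan", "10.0.0.9", "10.0.1.10", "10.0.1.10", 3),
    Conclusion("Virus Outbreak", "10.0.0.5", "10.0.1.10", "10.0.1.10", 4),
    Conclusion("Port Scan", "10.0.0.5", "10.0.1.12", "10.0.1.12", 2),  # dropped
]


def incident_sizes(correlate_by: str, conclusions=SAMPLE) -> list:
    """Number of conclusions in each incident, largest first, after
    submitting the sample under the given Correlate By type."""
    store = IncidentStore(correlate_by)
    for c in conclusions:
        store.submit(c)
    return sorted((len(i.conclusions) for i in store.incidents), reverse=True)


if __name__ == "__main__":
    for mode in CORRELATE_BY:
        print(f"{mode:32s} incidents: {incident_sizes(mode)}")
```

Running it shows that Source collapses the sample into two incidents (three conclusions from 10.0.0.5, one from 10.0.0.9), Source and Conclusion Type into three, and None into four; the Port Scan conclusion with severity 2 never opens an incident under any setting because it is below the assumed threshold.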

Chapter 8 Understanding event normalization

This chapter includes the following topics:
About event normalization

About event normalization

Normalization occurs after the collector has harvested the raw data and the appliance has received the event. The normalization process analyzes the received event data and adjusts fields where necessary to prepare the data for interpretation by Information Manager, including by any applicable rules. A normalization configuration file with a .norm file extension defines these adjustments: the .norm file maps the event fields provided by collectors to the event fields that Information Manager requires.

Normalization accomplishes such tasks as populating empty fields and locating source and target information. For example, if you are trying to trap a consistent target IP address, the point product that harvested the data may have placed the IP address in a field whose name does not clearly indicate the nature of its contents. The field name may be ip_address, for example, which does not indicate whether the IP is the address of the source or of the target. Information Manager includes a set of mapping files that identify and parse the data in the fields that are provided by each supported product and map these values to the appropriate database schema fields. Symantec creates and updates .norm files via LiveUpdate as more information about each of the point products becomes available.

Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can be mapped to a Standard Event Code (Symantec Signature), allowing events from multiple products to be correlated despite each product's unique identifiers.

Normalization also uses the information that you have provided in the Asset and Network tables to uniquely identify elements related to the event, which can then be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values, the host name, who owns the system, the current operating system, which policies or roles apply to the machine, which services are open on the machine (populated by a vulnerability scanner), and which vulnerabilities are on the machine (for example, whether specific patches have not been rolled out to a computer). For example, if a system has been assigned the role of a vulnerability scanner, events that are normally generated by vulnerability scanners (such as exploit and port scan events) can be filtered when they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains only IP addresses that are within your network), whether the traffic is inbound or outbound, and whether it is traveling to or from specific locations. For example, if the source of a virus event is internal, the event can be flagged as an internal virus infection.

Normalization also adds any information that is available for the Symantec Signature from the DeepSight database. For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:
The Symantec Event Code, which facilitates cross-product correlation
EMR categorization, which helps the analyst aggregate attack data to better understand the outbreak
Vulnerability IDs (BugTraq) that include information on vulnerabilities that are typical of this type of security threat
Exposure IDs that include potential attack exposure information provided by Information Manager, for example, telnet being enabled or weak passwords being used
Malicious Code IDs that include information created by Symantec Security Response to describe known malicious code activity associated with an attack

About normalization (.norm) files

When you are creating a rule, it is often helpful to view the mapping that takes place during normalization using the normalization (.norm) files. These files are included in the file system of the appliance and are not available from the Information Manager Web configuration interface. Collectors usually populate the event fields with data that matches the descriptive name specified in the schema, but there are occasions when the event fields provided by the collector contain additional information that can be parsed by Information Manager. In these cases, it is helpful to view the .norm file to understand where the event data is coming from and how Information Manager interprets it.

The Information Manager appliance contains a default .norm file, as well as .norm files that are specific to the collectors that are used on your network. The mapping in a .norm file may be a direct one-to-one mapping, where the value in the collector field can be imported directly into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, it is strongly recommended that you do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or DeepSight updates enabled, the default .norm file is often refreshed during the update process, and any changes that you have made to the .norm file(s) are lost.

In the following example, the first line of each block specifies the schema used. The field name on the left is the field name used by the collector. The values on the right indicate the data and field name that Information Manager uses. The parsed data may include a data type in parentheses, followed by the name of the field that Information Manager uses. The right side may also include a regular expression that is used to parse the event data from the collector field.

    (intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
    intrusion_symc_sig       -> (string)devicealert
    machine_ip               -> (ip)sourceip (ip)targetip
    machine                  -> (string)sourcehost (string)targethost
    intrusion_data           -> /User\s+Name:\s+(\S+)/ (string)eventresource
    intrusion_target_type_id :=
    intrusion_outcome_id     :=
    vendor_device_id         := 36

For more information on the data provided in the schemas that collectors use, see the Collector Studio Event Reference documentation.
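To make the syntax of the block above concrete, here is a small interpreter for it, written for this guide as an added example; it is not Symantec's normalization engine, whose actual semantics are not documented on this page. It assumes that "^" means "the collector field contains this text", that "&" joins conditions, that "(type)name" declares the Information Manager field and its type, and that a leading /regex/ replaces the collector value with the regex's first capture group. The two ":=" lines whose values are not shown above are omitted, and the raw Windows logon event is constructed for the example.

```python
"""A minimal interpreter for the .norm mapping syntax shown above.

Added example, not Symantec code: the semantics are assumptions inferred
from the example block (a condition line of (field ^ "text") terms joined
by "&", "collector_field -> (type)target" lines with an optional /regex/
capture, and "field := constant" lines).  "^" is read as "contains".
"""
import ipaddress
import re
from typing import Optional

NORM_BLOCK = r"""
(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
intrusion_symc_sig -> (string)devicealert
machine_ip -> (ip)sourceip (ip)targetip
machine -> (string)sourcehost (string)targethost
intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventresource
vendor_device_id := 36
"""

COND_RE = re.compile(r'\(\s*(\w+)\s*\^\s*"([^"]*)"\s*\)')   # (field ^ "text")
TARGET_RE = re.compile(r'\((\w+)\)(\w+)')                    # (type)field
REGEX_RE = re.compile(r'^/(.+?)/\s*(.*)$')                    # /regex/ rest


def parse_block(text: str):
    """Return (conditions, mappings) for one block of .norm text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    conditions = COND_RE.findall(lines[0])          # [(field, substring), ...]
    mappings = []
    for line in lines[1:]:
        if ":=" in line:
            name, value = (s.strip() for s in line.split(":=", 1))
            mappings.append(("const", name, value))
        elif "->" in line:
            src, rhs = (s.strip() for s in line.split("->", 1))
            regex = None
            m = REGEX_RE.match(rhs)
            if m:
                regex, rhs = re.compile(m.group(1)), m.group(2)
            mappings.append(("map", src, regex, TARGET_RE.findall(rhs)))
        else:
            raise ValueError(f"unrecognised .norm line: {line!r}")
    return conditions, mappings


def cast(type_name: str, value: str):
    """Coerce a collector value to the declared Information Manager type."""
    if type_name == "ip":
        return str(ipaddress.ip_address(value))   # ValueError if not an IP
    if type_name == "int":
        return int(value)
    if type_name == "string":
        return str(value)
    raise ValueError(f"unknown type {type_name!r}")


def normalize(raw: dict, block) -> Optional[dict]:
    """Apply a parsed block to a raw collector event.  Returns the
    normalized fields, or None if the block's condition does not match."""
    conditions, mappings = block
    if not all(text in str(raw.get(fld, "")) for fld, text in conditions):
        return None
    out = {}
    for m in mappings:
        if m[0] == "const":
            _, name, value = m
            out[name] = int(value) if value.lstrip("-").isdigit() else value
            continue
        _, src, regex, targets = m
        value = raw.get(src)
        if value is None:
            continue                    # collector did not supply the field
        if regex is not None:
            hit = regex.search(str(value))
            if not hit:
                continue                # regex captured nothing: leave empty
            value = hit.group(1)
        for type_name, dst in targets:
            out[dst] = cast(type_name, value)
    return out


# Constructed raw event, modelled on a Windows "Failure Audit" logon record.
RAW_EVENT = {
    "intrusion_symc_sig": "Windows Logon Failure",
    "machine_ip": "192.0.2.10",
    "machine": "dc01.example.internal",
    "intrusion_data": "Failure Audit: Logon Failure  User Name: jsmith  Domain: EXAMPLE",
}

PARSED = parse_block(NORM_BLOCK)


def normalize_sample() -> Optional[dict]:
    return normalize(RAW_EVENT, PARSED)


if __name__ == "__main__":
    for k, v in (normalize_sample() or {}).items():
        print(f"{k:16s} = {v!r}")
```

Two behaviours are worth noting: an event whose intrusion_data does not contain both "Failure Audit" and "User Name" is not touched by this block at all, and a machine_ip value that is not a valid address fails the (ip) cast loudly rather than being copied into sourceip and targetip as a string.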


Chapter 9 Effects, Mechanisms, and Resources

This chapter includes the following topics:
About Effects, Mechanisms, and Resources (EMR)

About Effects, Mechanisms, and Resources (EMR)

Effects, Mechanisms, and Resources (EMR) values define the event classification scheme that Information Manager uses. EMR replaces the Category and Subcategory fields that were used in previous versions of Information Manager. EMR classification is used by all events that are assigned a Symantec Signature. In addition, EMR has been established as a DMTF (Distributed Management Task Force) standard.

EMR values provide security classification data that applies to each event type. However, EMR values represent only potential threat conditions; determining whether an event is an actual attack happens during rules processing, event correlation, and security analysis. The assigned EMR values should not be interpreted as conclusions about whether any particular event is a security incident. For example, an incorrect login event may include EMR data that suggests a Guess Password mechanism. However, it is up to the security analyst either to create a rule that describes a Guess Password threat (such as a rule that triggers when 3 or more failed login attempts occur over a specified period of time), or to analyze the event manually to determine whether it constitutes a threat. EMR values are most useful when they are used in conjunction with other available fields to further identify whether a security incident has taken place.

About Effects values

Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance). Symantec Signatures can have more than one value in the Effects field (for example, Access and Reconnaissance). The Effects values reflect the Confidentiality, Integrity, and Availability (CIA) attributes that describe security events. The question is, as far as the IDS is concerned, what is the effect of this event? The IDS does not evaluate whether the event is a false positive; it only knows the potential effect of the event that has occurred. Some security devices, such as simple packet filters, may not be able to detect the notion of an event's effect. In these cases, the Effects field is populated with "Unknown". Although in many cases the effect of an attack is intended, not all attacks have a known intent; viruses and other malicious code, for example, may have multiple varied effects.

If there is more than one value in the Effects field, the first element in the list generally represents the most significant or most severe effect from the detector's point of view. Three of the values correspond exactly to the standard security attributes, Confidentiality, Integrity, and Availability.

Table 9-1 describes the EMR Effects values that are available.

Table 9-1 EMR Effects values

Access
    Access has been attempted or made to data or services.

Degradation
    An attempt was made to damage or impair usability, performance, service availability, and so forth.

Reconnaissance
    There was an attempt to gather information useful for attacks, or to probe for vulnerabilities without necessarily exploiting them.

System Compromised
    The integrity of the targeted system has been compromised. For example, a compromised system is likely to be susceptible to remote execution. Events that use this Effect type are events that may lead to an intruder gaining access to the system, either through remote management (SNMP) or through a shell prompt, by bypassing or otherwise nullifying the required authentication scheme.

Integrity
    There was an attempt to modify or delete data.

Unknown
    The Effect of the event is unknown.

About Mechanisms values

Mechanisms values describe the method of attack that was used to generate an event from the detector's point of view (for example, Virus or Port Sweep). A Symantec Signature may have more than one mechanism (for example, SSH CRC32 Corruption has the mechanisms Buffer Overflow and Remote Execution). Mechanisms values can be used with any of the Effects values, depending on the method employed in an attack or probe. For example, a DoS attack using ICMP packets would have an Effects value of Degradation and a Mechanisms value of Network ICMP. If the attack is a port sweep, the Effects value would be Reconnaissance and the Mechanisms value would be Port Sweep.

In general, if the event contains more than one mechanism, the first element represents the most specific, most significant, or most severe mechanism from the detector's point of view. Note, however, that this guideline is not enforced, so the order should not be used as a determining factor when characterizing the mechanisms used by the event.

Although the value map is a flat enumeration, there are hierarchical relationships between the values, and related values are listed in most-specific to most-general order. For example, Network Protocol is the parent of Network ICMP. If Network ICMP is the desired value, Network Protocol is also selected and placed as the next element in the list of mechanism values.

Table 9-2 describes the Mechanisms values that are available.

Table 9-2 EMR Mechanisms values

ARP Poisoning
    ARP poisoning (also known as ARP spoofing) sends fake ARP requests to a LAN using a forged MAC address. Using this technique, a network device may be made to send packets to a forged, sniffable address, or traffic across the device may be halted. IPv6, IPsec, and static ARP records are used to combat ARP poisoning attacks.

Backdoor
    The mechanism used appears to be a backdoor. A backdoor is a method that utilizes a hidden entry point to the program or algorithm that bypasses the front-end login system. Worms such as Mydoom and Sobig create backdoors on non-secure systems to propagate traffic. A backdoor may be an installed program (for example, BackOrifice) or an unintended modification to an existing program. A backdoor in a login system could take the form of a hard-coded user and password combination that gives access to the system.

Rootkit
    A rootkit is used for a variety of covert system activities, including terminal and connection sniffing, keystroke monitoring, and cleaning up or obscuring login records, processes, and event logs. Kernel-level rootkits replace system calls with binary code hidden in a trojan. Application-level rootkits replace application code with replacement code hidden in a trojan.

Trojan
    The mechanism used appears to be a Trojan.

Buffer Overflow
    The mechanism used appears to be a Buffer Overflow attack.

Guess Password
    The mechanism used appears to be a Guess Password attack. For example, some point products log multiple failed login events, which may indicate a Guess Password condition.

Replay attack
    The mechanism used may be a Replay attack.

SQL Injection
    The mechanism used may be a SQL Injection.

Spoof Identity
    Any technique that attempts to represent one end of a client-server relationship or network session as a different entity from the actual entity. This mechanism can be used to attack a network session in order to hijack it, for example, in a Man-in-the-Middle attack.

Port Sweep
    The mechanism used appears to be a port sweep.

Host Sweep
    The mechanism used appears to be a host sweep.

Network Sweep
    The mechanism used appears to be a network sweep.

Network ICMP
    Child of Network Protocol. The event uses the ICMP protocol. For example, this mechanism is common in ping attacks and probes.

Network TCP
    Child of Network Protocol. The event uses the TCP protocol.

Network UDP
    Child of Network Protocol. The event uses the UDP protocol.

Worm
    The mechanism used appears to be a worm.

Virus
    The mechanism used appears to be a virus.

Non-Viral Malicious
    The mechanism used appears to be malicious code of a non-viral (non-propagating) nature.

Spyware
    The mechanism used matches spyware behavior.

Adware
    The mechanism used matches adware behavior.

Login
    The mechanism used was a login event.

Logout
    The mechanism used was a logout event.

Application Exploit
    The mechanism used appears to take advantage of a flaw in the operation of a program, or of an unintended behavior of the program, to compromise the program or host system in some way. This attack differs from a buffer overflow, for example, because it does not inject new code; the application is being used to perform a task that is possible with the released version of the product or system.

Script Injection
    The mechanism used appears to be a script injection.

Stale Data Scan
    The mechanism used appears to be a stale data scan. A stale data scan occurs when a tool reads memory that has been deallocated but not erased. Confidential or secure information may still be present in the memory.

Overloading Congestion
    Child of Overloading. The mechanism used appears to be a network flood or Denial of Service attack that is attempting to overload the available bandwidth of a network. For example, a ping flood triggers this condition, as the sheer number of packets involved prevents any other traffic from passing over the network.

Overloading Saturation
    Child of Overloading. The mechanism used appears to be a host flood or Denial of Service attack that is attempting to overload (or has overloaded) the available resources of a particular host. For example, a SYN flood triggers this condition, as a SYN flood does not affect the network itself but focuses on a particular host, preventing other machines from establishing connections with the targeted computer.

Overloading
    Parent of Overloading Congestion and Overloading Saturation. This mechanism often indicates a generic Denial of Service condition.

Port Scan
    The mechanism used appears to be a Port Scan.

Network Protocol
    The parent for any attack mechanism that uses a network protocol.

Network HTTP
    Child of Network Protocol. The event uses the HTTP protocol.

Phishing
    The mechanism used matches phishing behavior.

Redirection
    The mechanism used indicates that the attack has redirected the victim's session to a malicious server instead of the intended server. An example is an HTTP session hijack, where a malicious site impersonates a bank site, causing the victim to connect to the impersonated site instead of the actual bank site. When the user types in their login information, the login information is collected, and then the customer is redirected to the authentic bank site.

Remote Execution
    The event that is taking place is capable of being executed remotely.

Data Manipulation
    The mechanism used appears to have altered data with malicious intent. For example, a DNS server cache is forced to update with a malicious IP mapping. This type of attack is typically performed as part of an HTTP hijack attack.

Cross-site Scripting
    The mechanism used appears to be code that has been executed within a URL or similar cross-site code execution. For example, Apache and IIS can detect this activity when a client requests a URL that contains the <script></script> tag set.

Unknown
    The Mechanism of this event is unknown.

About Resources values

The EMR Resource value indicates the type or types of resources that are likely to have been affected by the event (for example, Mail or Host). A Symantec Signature may have more than one Resource value. For example, DB indicates that an attack was made against a database server, whereas Mail indicates that a mail server is affected. DB, DNS, and other values can indicate either a server or a service; that is, there is no distinction between a DNS server resource and a DNS service resource. If there is more than one Resource value, the first element usually represents the most specific or most significant resource from the detector's point of view.

Although the value map is a flat enumeration, there are hierarchical relationships between the values, and related values are listed in most-specific to most-general order. For example, Remote Service is the parent of DNS. If DNS is the desired value, Remote Service is the next element in the list.

Table 9-3 describes the Resource values that are available.

Table 9-3 EMR Resource values

DB
    Child of Remote Service. The resource that was affected was a database server.

DNS
    Child of Remote Service. The resource that was affected was a DNS service.

FTP
    Child of Remote Service. The resource that was affected was an FTP service.

Mail
    Child of Remote Service. The resource that was affected was a mail server, such as an SMTP server.

Web
    Child of Remote Service. The resource that was affected was an HTTP server.

Host
    The resource that was affected was a host computer.

Firewall
    Child of Network Device. The resource that was affected was a firewall, which includes a packet filter or application proxy that discriminates and filters network packets and application sessions.

Registry
    Child of OS. Requires OS and Host values. The resource that was affected was a registry value.

Network Device
    Parent of Firewall, Router, and Switch. The resource that was affected was a network device.

Hardware
    The resource is a hardware device.

User Activity
    The resource involved includes user activity.

Cookies
    The resource affected is a cookie.

Network Data
    The resource involved is network data.

Application Data
    Child of Application. The resource affected is application data.

Application Configuration
    Child of Application. The resource that was affected was an application configuration.

OS Kernel
    Child of OS. Requires OS and Host values. The resource that was affected was the trusted computing base of the operating system.

OS Configuration
    Child of OS. Requires OS and Host values. A particular configuration of the operating system based on settings and policies.

OS Session
    Child of OS. Requires OS and Host values. A particular instance of an interactive or batch-running environment on the operating system.

File System
    Child of OS. Requires OS and Host values. The subsystem of the operating system that provides basic persistence, input, and output.

Process
    Child of OS. Requires OS and Host values. The resource that was affected was a process on the target machine.

Service
    Child of OS. Requires OS and Host values. The resource that was affected was a service on the target machine.

Network Session
    Session hijack target resource. A related set of packets traveling between two or more entities communicating from different endpoints on a network. For example, this is the target of a TCP spoofing mechanism such as Spoof Identity for the purpose of a session hijack or a Man-in-the-Middle attack.

URL
    The resource that was used was a URL.

User Account
    Child of OS. Requires OS and Host values. The resource that was affected was a user account.

Privileges
    Child of OS. Requires OS and Host values. The resource that was affected was the target of a privilege escalation attack (Integrity).

User Policy
    Child of OS. Requires OS and Host values. The resource that was affected was a user policy.

Group
    Child of OS. Requires OS and Host values. The resource that was affected was a group policy.

RPC
    Child of Remote Service. The resource that was affected was a Remote Procedure Call service.

SNMP
    Child of Remote Service. The resource that was affected was an SNMP agent.

Remote Service
    Parent of Remote Share, Naming Service, DB, DNS, FTP, Mail, RPC, SNMP, and Web. The resource that was affected was a remote service.

Remote Share
    Child of Remote Service. Parent of NFS, SMB, and CIFS. The resource that was affected was a remote share.

Naming Service
    Child of Remote Service. Parent of LDAP. The resource that was affected was a naming service.

Application
    Parent of Application Data and Application Configuration. The resource that was affected was a non-operating system program that runs on a single host computer.

OS
    Parent of OS Kernel, OS Configuration, OS Session, File System, Process, Service, User Account, Privileges, User Policy, Group, Registry, and File. The resource that was affected was an operating system that runs on a single host computer. This value requires the Host value to be provided.

NFS
    Child of Remote Share. The resource that was affected was a Network File System service.

SMB
    Child of Remote Share. The resource that was affected was a Windows file share using Server Message Block (SMB).

CIFS
    Child of Remote Share. The resource that was affected was a Windows file share using the Common Internet File System (CIFS).

CPU
    Requires the Host value. The resource that was affected was a CPU.

Router
    Child of Network Device. The resource is a router.

Switch
    Child of Network Device. The resource is a switch.

LDAP
    Child of Naming Service. The resource that was affected was an LDAP directory service.

Unknown
    The Resource type is unknown.
EMR examples

Table 9-4 provides examples of the application of EMR values to attacks.

Table 9-4 EMR examples

DNS Exploit x86 Linux (Snort)
    Effects: Degradation. Mechanisms: Buffer Overflow. Resources: DNS.

DNS Exploit x86 Freebsd (Snort)
    Effects: Access, Integrity. Mechanisms: Buffer Overflow. Resources: DNS.

XS BIND TSIG attempt (Snort)
    Effects: Access, Integrity. Mechanisms: Buffer Overflow, NetworkUDP, NetworkTCP, NetworkProtocol. Resources: DNS.

WEB-MISC sml3com access (Snort)
    Effects: Degradation. Mechanisms: NetworkHTTP, NetworkProtocol. Resources: Network Device.

DOS Cisco null snmp
    Effects: Degradation. Mechanisms: NetworkSNMP, Network Protocol. Resources: Network Device.

(BlackIce)
    Effects: Degradation. Mechanisms: NetworkHTTP, Network Protocol, Application Exploitation. Resources: Network Device.

FTP:PASS-4DGIFTS (Dragon)
    Effects: Access. Mechanisms: Guess Password. Resources: FTP.

FTP:PASS-LRKR0X (Dragon)
    Effects: Access. Mechanisms: Guess Password. Resources: FTP.

FTP-rhosts (Snort)
    Effects: Access, Integrity. Mechanisms: Application Exploit. Resources: FTP.

FTP-BOUNCE
    Effects: Access. Mechanisms: Application Exploit. Resources: FTP.
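The following Python module is an added example, not Symantec code. It encodes the parent/child relationships and the "Requires OS and Host values" notes from Table 9-2 and Table 9-3, expands an analyst's value list the way the text describes (the given values first, then each implied parent, as in the XS BIND TSIG row of Table 9-4), and checks every value against the three enumerations. The exact ordering rule and the handling of compact spellings such as NetworkUDP are this example's assumptions.

```python
"""EMR value lists: parent expansion and enumeration checks.

Added example, not Symantec code.  PARENT records the parent/child
relationships stated in Table 9-2 and Table 9-3, REQUIRES the "Requires
OS and Host values" / "Requires the Host value" notes, and the three sets
the values those tables enumerate.  The ordering produced by expand()
(given values first, then parents, child before parent) is this
example's reading of the "most-specific to most-general" rule.
"""
EFFECTS = {"Access", "Degradation", "Reconnaissance", "System Compromised",
           "Integrity", "Unknown"}

MECHANISMS = {s.strip() for s in """
ARP Poisoning, Backdoor, Rootkit, Trojan, Buffer Overflow, Guess Password,
Replay attack, SQL Injection, Spoof Identity, Port Sweep, Host Sweep,
Network Sweep, Network ICMP, Network TCP, Network UDP, Worm, Virus,
Non-Viral Malicious, Spyware, Adware, Login, Logout, Application Exploit,
Script Injection, Stale Data Scan, Overloading Congestion,
Overloading Saturation, Overloading, Port Scan, Network Protocol,
Network HTTP, Phishing, Redirection, Remote Execution, Data Manipulation,
Cross-site Scripting, Unknown""".split(",")}

RESOURCES = {s.strip() for s in """
DB, DNS, FTP, Mail, Web, Host, Firewall, Registry, Network Device, Hardware,
User Activity, Cookies, Network Data, Application Data,
Application Configuration, OS Kernel, OS Configuration, OS Session,
File System, Process, Service, Network Session, URL, User Account,
Privileges, User Policy, Group, RPC, SNMP, Remote Service, Remote Share,
Naming Service, Application, OS, NFS, SMB, CIFS, CPU, Router, Switch, LDAP,
Unknown""".split(",")}

PARENT = {
    # Table 9-2
    "Network ICMP": "Network Protocol", "Network TCP": "Network Protocol",
    "Network UDP": "Network Protocol", "Network HTTP": "Network Protocol",
    "Overloading Congestion": "Overloading", "Overloading Saturation": "Overloading",
    # Table 9-3
    **{r: "Remote Service" for r in ("DB", "DNS", "FTP", "Mail", "Web", "RPC",
                                     "SNMP", "Remote Share", "Naming Service")},
    **{r: "Remote Share" for r in ("NFS", "SMB", "CIFS")},
    "LDAP": "Naming Service",
    **{r: "Network Device" for r in ("Firewall", "Router", "Switch")},
    **{r: "Application" for r in ("Application Data", "Application Configuration")},
    **{r: "OS" for r in ("Registry", "OS Kernel", "OS Configuration", "OS Session",
                         "File System", "Process", "Service", "User Account",
                         "Privileges", "User Policy", "Group")},
}
REQUIRES = {"OS": ("Host",), "CPU": ("Host",)}   # companion values, not parents

_INDEX = {v.replace(" ", "").replace("-", "").lower(): v
          for v in EFFECTS | MECHANISMS | RESOURCES}


def canon(name: str) -> str:
    """Map compact spellings such as Table 9-4's NetworkUDP to the Table 9-2
    form (Network UDP); names absent from the enumerations pass through."""
    return _INDEX.get(name.replace(" ", "").replace("-", "").lower(), name)


def expand(values) -> list:
    """Return the given values followed by every implied parent and required
    companion value, most-specific first, without duplicates."""
    out = []
    for v in values:
        v = canon(v)
        if v not in out:
            out.append(v)
    for v in list(out):                  # parents come after the given values
        while v in PARENT:
            v = PARENT[v]
            if v not in out:
                out.append(v)
    for v in list(out):                  # Host for OS children and CPU
        for req in REQUIRES.get(v, ()):
            if req not in out:
                out.append(req)
    return out


def validate(effects, mechanisms, resources) -> list:
    """List every value that is not in its table's enumeration."""
    problems = []
    for label, values, known in (("Effect", effects, EFFECTS),
                                 ("Mechanism", mechanisms, MECHANISMS),
                                 ("Resource", resources, RESOURCES)):
        for v in values:
            if canon(v) not in known:
                problems.append(f"unknown {label} value: {v!r}")
    return problems


if __name__ == "__main__":
    print(expand(["Buffer Overflow", "NetworkUDP", "NetworkTCP"]))
    print(expand(["Registry"]))
    print(validate(["Degradation"], ["NetworkSNMP", "Network Protocol"], ["Network Device"]))
```

Run on the DOS Cisco null snmp row, validate() reports NetworkSNMP, which Table 9-4 uses but Table 9-2 does not list; that is the kind of mismatch to check before a rule keys on a mechanism value. Expanding Registry yields OS and then Host, which is exactly what the "Requires OS and Host values" note asks for.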


125 Chapter 10 Working with the Assets table This chapter includes the following topics: About the Assets table About vulnerability information in the Assets table Using the Assets table to help reduce false positives About the Assets table The Assets table provides a centralized list of network assets that can be used by Information Manager for event correlation and rules processing. You can identify the Confidentiality, Integrity, and Availability (CIA) values for each asset, the applicable policies, the ports that are potentially vulnerable, and the specific vulnerabilities of each asset. You can also associate the host name of an asset with the IP address, as well as the operating system, operating system version, and distinguished name for each system. Assets can be added to the Assets table using the following techniques: Manually entering each asset in the Assets list Importing a list of assets that are stored in a comma separated value (.csv) file or an Extensible Markup Language (XML) file. For example, you can use Active Directory to generate a.csv file of the available assets. Adding the target to the Assets list through the Destination Details pane for an incident that occurs Automatically populating the table using a supported vulnerability scanner. This method will also populate the Services and Vulnerabilities tabs for each asset.

126 126 Working with the Assets table About the Assets table The Assets table provides an automated means of identifying vulnerabilities on the assets listed when used in conjunction with a supported vulnerability scan. By having this information available in the Information Manager console, an analyst can gain a quick and accurate understanding of the vulnerabilities of a target during an attack. By adding assets to the Assets table, you can use a variety of fields in the Rules Editor to correlate events with the specific characteristics of the target or source asset that is identified in the event. For example, the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields access the Confidentiality, Integrity, and Availability settings that you select for each asset in the Assets table. This information can help to reduce the amount of data that must be evaluated by security analysts. If you do not add the assets that you want to track, with the corresponding details for each asset, these fields cannot be leveraged. How event correlation utilizes Assets table entries The Assets table provides a means for analysts to identify network assets that range from critical business assets to less important systems from a business or operations perspective. One of the primary benefits of using the Assets table is that the security analyst or network administrator can quantify the importance of the listed assets based on Confidentiality, Integrity, and Availability (CIA) values, which can be used by Information Manager to escalate security incidents related to a particular asset. You can also use the Assets table to identify the policies that are associated with each asset. You can use the Rules Editor to create rules that access the list of policies that you have assigned. 
You can configure a rule to either discard events that do not apply to the policies that are associated with the target, or escalate the event to an incident if the threat applies. You can utilize information on the Services and Vulnerabilities tabs to help further identify potential threats to the assets that you have listed. The Services tab includes a list of ports that are available on each asset. You can either manually choose these ports, or use a vulnerability scanner to automatically identify available ports. The Vulnerabilities tab is automatically populated by a vulnerability scanner, and is used primarily during the analysis phase to provide an immediate summary of the known vulnerabilities on a particular asset. Information in the Vulnerabilities tab can only be added through a vulnerability scanner, and is used during correlation to increase or decrease the priority of the incident. If any vulnerability is discovered during a vulnerability scan of a particular asset, the asset is automatically flagged as vulnerable.

You can access the information that is entered for each asset through the Normalized fields that are available in the Rules Editor. By using these fields you can filter false positives or refine the incidents that are generated based on the asset information that you provide.

About CIA values in the Assets table

The assignment of Confidentiality, Integrity, and Availability values should be an integral part of a network security audit. CIA values are unique to each network environment, and are typically determined as part of a risk assessment. The CIA values can be used as components of the event processing rules that you create in the Rules Editor. The CIA values are also used by the correlation engine to adjust the priority of an incident when appropriate.

The CIA values that are available in the Assets table range from 1 (non-critical) to 5 (critical) for each CIA category, and determine the importance of the computer or device relative to the other assets that are listed. For example, a savings and loan company might rate a publicly facing server that manages account information as follows:

- Confidentiality value of 5 (critical that the data stays secure and confidential)
- Integrity value of 5 (critical that the data is not altered in a way that is not intended)
- Availability value of 5 (critical that the publicly facing server is online all the time, and likely needs redundancy to prevent failure)

In this example, the CIA values would be assigned because of the server's importance from a business perspective. By contrast, the administrator or analyst might list an internal, non-public FTP server that only hosts lightweight applications for internal download as a 1 or 2 for each CIA value, since that internal server is less important from a business perspective.

After you have entered the CIA values for all of the assets that you are tracking in the Assets table, you can export a backup copy of these assets by clicking the Export button in the Assets table and saving the list as a .csv file.

Importing assets into the Assets table

You can use a comma-separated value (CSV) file or an XML file to import asset information into the Assets table. For example, if you are using Active Directory to manage the computers on your network, you can export a CSV file that contains a list of all of the assets that Active Directory is tracking. This list can be imported into Information Manager using the Import button in the Assets pane.

Note: If you import assets using a CSV file, policy and services information is not included during the import. To retain this information for assets that are already listed in the console, export the assets to an XML file and use the XML file to reimport the assets. XML files that are generated by Information Manager include any existing policy and services data that is available for each asset; CSV files do not include this information.

To import assets into the Assets table

1. Create a CSV file that contains comma-separated values in the appropriate format. To see the correct format, create an asset in the Assets table, and then export the asset list as a CSV file. Use the exported list as a template for adding assets to the file. If you are using the Active Directory Users and Computers snap-in provided by Microsoft, export the list of computers that Active Directory is tracking. Save the file as a CSV file.
2. In the Information Manager console, on the Assets page, click Import.
3. In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open.
4. Follow the on-screen instructions.

About vulnerability information in the Assets table

In the Assets table, each asset includes a Vulnerable column with a boolean value and a Vulnerabilities tab that contains a list of any vulnerabilities that have been identified for that asset. By default, all assets listed in the Assets table have a Vulnerable setting of No. The value is set to Yes if any vulnerability is identified during a supported vulnerability scan. If any vulnerability is discovered for that asset, the specific vulnerability is automatically added to the Vulnerabilities tab. For every asset listed, the vulnerability information is updated each time a vulnerability scan is performed.

The Vulnerable setting is used by the correlation engine to further identify and correlate event data. In the Rules Editor, the Vulnerable field references the boolean Vulnerable setting in the Assets table for the asset involved.

The information on the Vulnerabilities tab for each asset lists the CVE ID (Common Vulnerabilities and Exposures ID), the BugTraq ID, the date that the vulnerability was discovered, and a description of the vulnerability type if a description is available. The specific vulnerabilities listed can be used by a security analyst to gain a better understanding of the characteristics of a particular machine, but are not accessible from rule entries. If an incident is created, the vulnerabilities list is used during event correlation to adjust the priority of the incident. For example, if an incident involves a vulnerability that is not on the list of vulnerabilities identified for the specific target, the priority of the incident is reduced.

About using a vulnerability scanner to populate the Assets table

In many organizations, vulnerability scanners are an integral part of the defense and maintenance of the network, and can yield valuable information on the state of security. Information Manager integrates with supported vulnerability scanner data by automatically importing vulnerability information into the Assets table when a scan is performed. Every asset listed in the Assets table includes fields that describe the services that are running and the vulnerabilities associated with that asset. When a scan is performed, the Services and Vulnerabilities tabs are populated with the data that is specific to each asset.

The primary requirement for automatically populating the Assets table with scan information is that you have installed the collector that corresponds to the supported scanner. In some cases, such as when you are using the ESM collector, DNS resolution must be in place so that the collector can map IP addresses to host names.

About locked and unlocked assets in the Assets table

When you list an asset in the Assets table, you have the option of locking the asset information or leaving it in the default (unlocked) state. When a supported vulnerability scan is performed, the Assets table overwrites any unlocked assets (including settings that you have manually changed) that were identified in a previous scan. Table 10-1 describes the Locked and Unlocked states.

Table 10-1 Locked and Unlocked assets in the Assets table

Setting    Description
Locked     Prevents the asset from being overwritten when a new vulnerability scan is performed. The Services and Vulnerabilities tabs are updated.
Unlocked   Allows the asset to be overwritten with current asset information when a supported vulnerability scan is performed.

Using the Assets table to help reduce false positives

You can use the Assets table to reduce false positives by affecting the priority of the incidents that are generated.
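The import and scan behaviour described above (CSV import without policy or services data, the Vulnerable flag, the Locked and Unlocked states of Table 10-1, and the priority reduction for vulnerabilities that are not on the target's list) can be seen end to end in the following added example. It is not code from the guide or from Symantec: the CSV column names are an assumption (export an asset from the console to see the real format), the one-step priority reduction is an assumed amount, and the asset, scan and CVE/BugTraq values are constructed placeholders.

```python
"""Added example, not code from the Symantec guide: populating a model of
the Assets table from a CSV import and then merging a supported
vulnerability scan into it while honouring the Locked setting described in
Table 10-1. The CSV column names are an assumption (export an asset from the
console to see the real format); asset, scan and CVE/BugTraq values are
constructed placeholders."""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    cve_id: str             # CVE ID shown on the Vulnerabilities tab
    bugtraq_id: str         # BugTraq ID
    discovered: str         # date the vulnerability was discovered
    description: str = ""   # vulnerability type, if the scanner supplies one


@dataclass
class Asset:
    ip: str
    hostname: str
    dn: str = ""
    os_name: str = ""
    confidentiality: int = 1     # CIA values: 1 (non-critical) to 5 (critical)
    integrity: int = 1
    availability: int = 1
    locked: bool = False         # default state is unlocked
    vulnerable: bool = False     # Vulnerable column defaults to No
    services: set = field(default_factory=set)            # Services tab (ports)
    vulnerabilities: list = field(default_factory=list)   # Vulnerabilities tab


CIA_COLUMNS = ("Confidentiality", "Integrity", "Availability")


def import_csv(text: str) -> dict:
    """Build assets keyed by IP from CSV text. A CSV import carries no policy
    or services data, so those start empty. CIA values must be 1..5."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        cia = [int(row[c]) for c in CIA_COLUMNS]
        if any(not 1 <= v <= 5 for v in cia):
            raise ValueError(f"CIA value out of range for {row['IP Address']}")
        assets[row["IP Address"]] = Asset(
            row["IP Address"], row["Host name"], row["Distinguished name"], row["OS Name"], *cia)
    return assets


def apply_scan(assets: dict, scan: list) -> dict:
    """Merge scan records into the table. Unlocked assets are replaced with
    the scan's view of the asset (manual edits, including CIA values, are
    lost); locked assets keep their details but still get the Services and
    Vulnerabilities tabs refreshed. Any vulnerability sets Vulnerable to Yes."""
    for rec in scan:
        asset = assets.get(rec["ip"])
        if asset is None or not asset.locked:
            asset = Asset(rec["ip"], rec["hostname"], os_name=rec["os_name"])
            assets[rec["ip"]] = asset
        asset.services = set(rec["ports"])
        asset.vulnerabilities = [Vulnerability(**v) for v in rec["vulns"]]
        asset.vulnerable = bool(asset.vulnerabilities)
    return assets


def adjust_priority(asset: Asset, event_cve: str, priority: int) -> int:
    """Correlation-time check: if the event's vulnerability is not among those
    identified on the target, lower the incident priority (by one step here;
    the guide does not state the amount, so this is an assumption)."""
    listed = {v.cve_id for v in asset.vulnerabilities}
    if event_cve and event_cve not in listed:
        return max(1, priority - 1)
    return priority


# Constructed sample input (placeholder identifiers, not real CVE/BugTraq IDs).
SAMPLE_CSV = """IP Address,Host name,Distinguished name,OS Name,Confidentiality,Integrity,Availability
10.0.0.5,acct-web,CN=acct-web,Linux,5,5,5
10.0.0.6,ftp-int,CN=ftp-int,Linux,1,2,1
"""
SAMPLE_SCAN = [
    {"ip": "10.0.0.5", "hostname": "scan-acct-web", "os_name": "Linux 2.6", "ports": [80, 443],
     "vulns": [{"cve_id": "CVE-EXAMPLE-0001", "bugtraq_id": "BID-EXAMPLE-1",
                "discovered": "2007-01-01", "description": "example only"}]},
    {"ip": "10.0.0.6", "hostname": "scan-ftp-int", "os_name": "Linux 2.4", "ports": [21], "vulns": []},
    {"ip": "10.0.0.7", "hostname": "new-host", "os_name": "Windows", "ports": [445], "vulns": []},
]


def demo() -> dict:
    """Import the CSV, lock the critical server's record, then apply the scan."""
    assets = import_csv(SAMPLE_CSV)
    assets["10.0.0.5"].locked = True
    return apply_scan(assets, SAMPLE_SCAN)


if __name__ == "__main__":
    for a in demo().values():
        print(a.ip, a.hostname, "locked" if a.locked else "unlocked",
              "vulnerable" if a.vulnerable else "not vulnerable", sorted(a.services))
```

Running demo() shows the practical consequence of the lock: the locked acct-web record keeps the name and the CIA values entered by the analyst while its Services and Vulnerabilities tabs are refreshed, whereas the unlocked ftp-int record is replaced outright and its manually entered Integrity value of 2 falls back to the default, which is why CIA values should be set (and the record locked, or exported as a backup) before scans run.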

To use the Assets table to reduce false positives

1. Populate the Assets table with the assets that you want to track. Include systems that may generate large amounts of traffic that can be filtered or aggregated, such as firewalls or intrusion detection devices. Include the IP Address, Host name, Distinguished name, and operating system details.
2. For each asset, assign the CIA values that have been determined as part of a network security audit or external risk assessment. Higher CIA values generate incidents with higher priority.
3. Use a supported vulnerability scanner to scan the assets listed. The Services and Vulnerabilities tabs are automatically populated with the ports and services that are available and the potential vulnerabilities for each asset. If you are not using a supported vulnerability scanner, for each asset, select the services that you want to identify for filtering and correlation purposes.
4. For each asset, on the Policies tab, choose any policies that apply to the asset. For example, if the asset is a firewall, add the Firewall policy to the list of policies that apply to that asset.
5. In the Rules Editor, create any new filters (or correlation rules) based on the settings in the Assets table for each asset. You can combine the fields that access the Assets table with other conditions, such as EMR values. For example, you can create a rule that checks whether the asset has a Vulnerable value of True and the Mechanism equals Buffer Overflow, and if so creates an incident.
6. Save and distribute the new rules or filters.

About filtering events based on the operating system

An example of using the Assets table information to reduce false positives is to use the Destination Operating System field that is available in the Rules Editor in conjunction with a specific event ID. The Destination Operating System field accesses the information entered in the OS Name field in the Asset Details window. Events that are specific to a UNIX or Linux operating system often do not apply to a computer that is running Windows, and can be a source of false positives. For example, a BIND Transaction Signature Overflow event primarily applies to UNIX or Linux systems. If the Vendor Event Code field uses a BugTraq ID, you could create a filter that uses the following logic:

If the Vendor Event Code field contains 2302 (the BugTraq ID for this event), and the Destination Operating System field contains Windows, then filter the event.

About using CIA values to identify critical events

After you have populated the Assets table with the assets that you want to track, and you have assigned CIA values to each asset, you can use the CIA values associated with an asset to build rules that create incidents based on those values. For example, if you wanted to create a rule that escalates ESM events on assets that have a CIA value of 3 or greater in any CIA category, you could create a rule that uses the following logic:

If the Product equals ESM, and the Destination Host Confidentiality field, the Destination Host Availability field, or the Destination Host Integrity field has a value that is greater than or equal to 3, then create an incident.

About using Severity to identify events related to critical assets

You can use the Severity setting for a rule in conjunction with the information that you have provided in the Assets table to help identify critical events related to specific assets. By adjusting the severity of an incident, a security analyst can focus on the highest priority events from a security perspective. For example, using CIA values in conjunction with the Severity setting of a rule lets you give the more important systems on your network higher visibility for the analyst, as analysts are likely to examine higher severity incidents first. Similarly, identifying systems with lower CIA values and correlating that information with a lower severity level helps to reduce the number of incidents that demand the immediate attention of an analyst.

For example, if you use the Vulnerable field to identify whether a vulnerability exists on the Destination asset, and you want to escalate an incident that uses a Virus Mechanism, you could use the following logic:

If Vulnerable equals Yes, and the Mechanism field contains Virus, then create an incident.

To increase the importance of this event for the analyst, on the Actions tab for this rule, set the Severity to a high number, such as 5. You could further refine this rule by adding conditions that use the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields.

About using the Services tab

For each asset listed in the Assets table, the Services tab lists the ports that are available (and potentially vulnerable) on that asset. The Services tab can be populated manually by choosing the ports that you are interested in from the provided list, or it can be populated automatically by a supported vulnerability scanner. Running a supported scan on an asset that is listed in the Assets table automatically populates the Services pane with the available ports, and overwrites any services that you have added manually.

The Services tab is used by a number of fields available in the Rules Editor to identify potential incidents. You can use the information in the Services tab to reduce false positives by creating rules and filters that access the list of ports that have been identified for each asset, and filter or aggregate based on this information. For example, the Attempted DNS Exploit rule uses the Destination Host Services field (which references the services information in the Assets table) to determine whether a buffer overflow event is associated with a target computer that is acting as a Domain Name Server (port 53). If the targeted asset has port 53 listed on the Services tab, this condition for the rule is met. If the other conditions listed in this rule also match the event, a security incident is created.

You can customize the services that are available to choose from by editing the list on the Services tab of the System pane. The Services tab of the System pane determines the list of services that you can choose from when describing an asset in the Assets table.

About associating policies with assets to reduce false positives or escalate events to incidents

When you populate the Assets table with the assets on your network, you can associate policies with each asset that help to describe each system with more granularity. In the Assets pane, on the Policies tab, you can choose from a predetermined set of policies that describe the use of the asset from a policy perspective. Policy association is used by several fields available in the Rules Editor to further identify the type of asset that is associated with an event. For example, the External Port Sweep rule uses the Source Host Policies field to determine whether the source host for the event is associated with the Firewall or Proxy policy. In this case, if the Source Host Policies field contains either value, the event does not match the correlation criteria for that rule.

Assigning policies to assets helps to use the power of the Correlation Engine to reduce the number of events that must be reviewed by the security analyst. If you have a large number of assets that are used for a similar purpose, such as a firewall or vulnerability scanner, you can create a rule that identifies events based on the policies that are associated with the assets involved in the event.

Another example is if you have assets on your network that are required to comply with a specific regulatory policy, such as the Visa Cardholder Information Security Program (Visa CISP). Using the Assets table, if you have identified servers or devices that are used to meet the compliance requirements for Visa CISP, you can add this policy to the description of the asset in the table. In the event of an attack that may relate to the potential compromise of data covered by this policy (such as unauthorized login attempts detected by an IDS), you could develop a set of rules that immediately escalate these events as security incidents.
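The rule examples in the preceding sections (the BIND overflow filter on Windows targets, the ESM escalation on CIA values of 3 or greater, the Vulnerable plus Virus rule with Severity 5, the port 53 check of the Attempted DNS Exploit rule, and the Firewall or Proxy policy exclusion of the External Port Sweep rule) all read asset attributes that the Rules Editor exposes as Normalized fields. The following added example, which is not code from the guide or from Symantec, shows those five conditions evaluated against a small in-memory model of the Assets table; the field names on the event dictionaries, the severities other than the 5 the guide names, and all asset and event values are assumed or constructed for illustration.

```python
"""Added example, not code from the Symantec guide: a compact model of the
Assets table fields that the Rules Editor exposes (CIA values, OS Name,
Vulnerable, Services, Policies) and of the rule logic described in the
sections above. Event field names, severities other than the guide's 5, and
all asset and event values are assumed or constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    hostname: str
    os_name: str                  # OS Name in the Asset Details window
    confidentiality: int = 1      # CIA values: 1 (non-critical) to 5 (critical)
    integrity: int = 1
    availability: int = 1
    vulnerable: bool = False      # Vulnerable column, set by a supported scan
    services: set = field(default_factory=set)   # Services tab: open ports
    policies: set = field(default_factory=set)   # Policies tab


# Constructed Assets table, keyed by IP address.
ASSETS = {
    "10.0.0.10": Asset("10.0.0.10", "dns01", "Linux", 4, 4, 5, True, {53}, {"DNS"}),
    "10.0.0.20": Asset("10.0.0.20", "win-fs", "Windows 2003", 3, 3, 2, False, {445}, set()),
    "10.0.0.1": Asset("10.0.0.1", "fw01", "PIX", 2, 2, 2, False, set(), {"Firewall"}),
}


def evaluate(event: dict) -> tuple:
    """Apply the guide's example rules to one normalized event and return
    (verdict, severity). Verdicts: "filter", "incident", "no_match", "default".
    Destination and source asset attributes are looked up by IP, which is how
    the Destination Host ... and Source Host ... fields obtain their values."""
    dst = ASSETS.get(event.get("dest_ip"))
    src = ASSETS.get(event.get("source_ip"))
    mechanism = event.get("mechanism", "")

    # Filtering on the operating system: a BIND Transaction Signature Overflow
    # (BugTraq ID 2302) reported against a Windows target is a false positive.
    if "2302" in event.get("vendor_event_code", "") and dst and "Windows" in dst.os_name:
        return ("filter", 0)

    # CIA values: escalate ESM events when any CIA value is 3 or greater.
    if event.get("product") == "ESM" and dst and max(
        dst.confidentiality, dst.integrity, dst.availability
    ) >= 3:
        return ("incident", 3)   # severity 3 is an assumed value

    # Severity: a Vulnerable target plus a Virus mechanism gets Severity 5.
    if dst and dst.vulnerable and "Virus" in mechanism:
        return ("incident", 5)

    # Services tab: Attempted DNS Exploit requires port 53 on the target
    # before a buffer overflow event becomes an incident.
    if "Buffer Overflow" in mechanism and dst and 53 in dst.services:
        return ("incident", 4)   # severity 4 is an assumed value

    # Policies: External Port Sweep does not match when the source host
    # carries the Firewall or Proxy policy.
    if event.get("event_type") == "port_sweep":
        if src and src.policies & {"Firewall", "Proxy"}:
            return ("no_match", 0)
        return ("incident", 3)   # severity 3 is an assumed value

    return ("default", 0)


if __name__ == "__main__":
    # Constructed events, one per rule.
    for ev in (
        {"vendor_event_code": "BID-2302", "dest_ip": "10.0.0.20"},
        {"product": "ESM", "dest_ip": "10.0.0.20"},
        {"mechanism": "Virus", "dest_ip": "10.0.0.10"},
        {"mechanism": "Buffer Overflow", "dest_ip": "10.0.0.10"},
        {"event_type": "port_sweep", "source_ip": "10.0.0.1"},
    ):
        print(ev, "->", evaluate(ev))
```

The order of the checks matters in the same way rule ordering matters in the Rules Editor: the filter runs first so that a known false positive never reaches the incident-creating conditions, and an event whose target is not in the Assets table at all falls through to the default verdict because every asset-based field is empty for it, which is the practical reason the guide insists on populating the table before writing rules against it.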

The set of policies that are available to choose from may be updated periodically through an update mechanism such as DeepSight or LiveUpdate. When the policies are updated, the policies that you have assigned to each asset are not affected. In addition, you can create custom policies, which are added in the System pane under the Policies tab. When you add a policy to the list in the System pane, the policy can then be assigned to an asset in the Asset Details window under the Policies tab.


Chapter 11 Default Processing rule

This chapter includes the following topics:

- About the Default Processing rule

About the Default Processing rule

Information Manager includes a set of predefined correlation rules that help to identify potential threats. Events that are not processed by custom rules or Information Manager rules are handled by the Default Processing rule. The Default Processing rule uses the severity of the event to determine how the event should be processed. You can use the Default Processing rule with the default settings, customize the settings to your environment, or use the Default Processing rule as a template to create new, customized rules. For step-by-step instructions on customizing the rule set, see the Information Manager online Help.

Table 11-1 describes the predefined Default Processing rule that is included with the default installation.

Table 11-1 Predefined Default Processing rule

Predefined rule: Default Processing

Description: Monitor for events that may indicate a threat but do not trigger default system rules. This rule uses a combination of the Effects and Mechanisms values. If the Effect includes System Compromised and the Mechanism used includes Application Exploit, Buffer Overflow, or Remote Execution, a Conclusion is logged. The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations: Customizations for the Default Processing rule generally center on either creating new rules to specifically identify events declared by the Default Processing rule, or filtering false positives that have been declared by the Default Processing rule. In either case, this is usually accomplished using the Vendor Signature or the Symantec Event Code field.

Chapter 12 Collector-based event filtering and aggregation

This chapter includes the following topics:

- About collector-based event filtering and aggregation
- About identifying common events for collector-based filtering or aggregation
- About preparing to create collector-based rules
- Accessing event data in the Information Manager console
- Creating collector-based filtering and aggregation specifications
- Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager provides the ability to filter and aggregate security events before they are sent to the appliance by providing filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the appliance can improve network and appliance performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the appliance by discarding unnecessary events, or by storing summaries of events, which typically use less storage space.

When events are gathered from security products by an Information Manager event collector, the collector parses the event for information that can be sent to the appliance. When relevant data is identified, it is translated into fields in the Information Manager schema, which Information Manager then uses to correlate existing events, create incidents, and so forth.

In many cases, security products are not only responsible for identifying security breaches and threats, but also act as event identification and storage devices for any event that may be used for forensic research. Some products store these events locally, whereas others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events, and forward all of these events to the Information Manager appliance.

By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. While this behavior is useful for policy compliance, many organizations prefer to apply the event reporting and correlation features of Information Manager to security events that are more threat-related. You can limit (or restrict) the events that are sent to the appliance to those events that represent potential security threats and incidents.

In contrast to event filtering and correlation at the appliance, collector-based filtering lets you exclude events from being forwarded to Symantec Security Information Manager. Similarly, collector-based aggregation lets you group similar events to reduce event traffic, and to reduce the number of single events that are stored in the event database. Event aggregation groups events that contain identical event information into a single summary event, which is forwarded to the appliance. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation takes place, the summary event that is created and sent to the appliance does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.

Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes. Use caution when determining which events you want to filter at the collector.

Note: In some cases, depending on the granularity of event data required, collector-based filtering or aggregation should not be used if you are using Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude events or event details that are not needed for security monitoring, but may be needed for compliance.

About identifying common events for collector-based filtering or aggregation

Table 12-1 describes filtering and aggregation guidelines for specific security device types.

Table 12-1 Filter and aggregation guidelines

Device type: All
Suggestions: Test networks can generate security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

Device type: Firewall
Suggestions: Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:
- Connection rejected: Connection rejected events indicate that the firewall is operating as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.
- Connection accepted: Connection accepted events are ordinarily generated by legitimate network traffic. These events can be filtered entirely or can be aggregated by IP address. If an individual unwanted connection is accepted, the intrusion detection system identifies and reports the attack.
- Possible attack: Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

Device type: Enterprise Antivirus
Suggestions: Enterprise antivirus systems customarily report a number of informational events for each protected system. If you are using a product such as Symantec Client Security, consider filtering or aggregating the following types of events:
- Scan start and scan stop: Scan start and scan stop events do not pose a security threat and can be filtered or aggregated.
- Virus repaired: Virus repaired events indicate that the antivirus software is successfully repairing infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.
- Irreparable virus: Many irreparable virus events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.

Device type: Vulnerability
Suggestions: Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events can in some cases be aggregated to reduce network traffic.

Device type: Intrusion Detection
Suggestions: Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Table 12-1 Filter and aggregation guidelines (continued)

Device type: Windows Event Log
Suggestions: The Windows Event Log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All Windows Event Log filtering and aggregation must be based upon specific event criteria. Consider filtering or aggregating the following types of events:
- Application: Some applications generate an excessive number of informational and warning events; these events can be filtered or aggregated based upon the specific event source and event identifier.
- Security: Success audit events do not indicate a security threat and can be aggregated based upon the specific user.
- System: Some system event sources, such as the Service Control Manager, generate many informational events; these events can be filtered or aggregated based upon the event source and identifier.

About preparing to create collector-based rules

The first step in creating collector-based filtering and aggregation rules is to understand the event data that is generated on your network. Before deployment, it is advisable to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that are identified by the collectors that are enabled. While the Event Viewer may give you an idea of the categories, or types of data, that can be used, the most accurate source of information for creating event filters is the event fields themselves. Each product has customized event fields that are specific to that product, so you should create filtering and aggregation rules based on the events that are specifically related to that product.
You can view the event fields by double-clicking an event in the Event Viewer, and then analyzing the fields that appear in the Event Details window.

An example of events that may be good filtering candidates is informational firewall events. Firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the appliance. Firewall events that are categorized as informational are generally used for accounting purposes, and usually do not indicate an attempted security breach. However, these events are correctly detected by the collector as security-related events, and are sent to Information Manager by default. If you decide that analyzing these events is unnecessary to maintain the security policies of your organization, you can filter these events at the collector to reduce event traffic. To filter these events, you should carefully analyze the event details to find the fields on which the filter for this specific event can be created.

To understand the event data and create a filtering rule to filter informational firewall events, you would perform the following tasks:

- With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing simple connection tasks through the firewall generates these types of events. To make the event data more useful, you can generate common firewall events such as FTP sessions, failed connection attempts, and other firewall events that more accurately resemble a live network environment.
- After you have generated a series of events, using the Event Viewer or an available event report in the Dashboard, double-click an event to open the Event Details window.
- In the Event Details window, analyze the field names that are included in the event. Note that many of these fields are added at the appliance rather than at the collection point as part of the normalization process, so the most effective fields to base a filter on are generally fields that are generated in the raw event data, such as fields that contain event IDs that are specific to the device that is being monitored. For example, if you are using the Cisco Pix collector, the firewall generates a unique value in the Event Info 4 field.
- Make note of the field/value pair that you want to base your filter on, and open the configuration on the Product Configurations tab.
- In the Product Configurations tab, find the collector for the product that you are monitoring. For example, if you are using the Check Point Firewall, navigate to the settings for the Check Point FireWall-1 Collector, and click default.
- In the right pane, on the Filter tab, create a new specification.
- In the new specification, either double-click the name field and find the field name in the list, or type the name of the field exactly as it appears in the event details.
- In the operator column, choose the appropriate operator. In most cases this is the "is equal to" operator.
- In the Value field, type the value exactly as it appears in the event details.
- Enable the specification, save, and then distribute using the Distribute settings to computers button.
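What a filter specification and an aggregation specification do to the event stream once they are distributed to a collector, as described in the aggregation note earlier in this chapter and in the task list above, can be seen in the following added example. It is not Symantec's code: the "is equal to" and "contains" operators, the exact shape of a specification as a list of (field name, operator, value) properties, and every event value are assumed or constructed; real field names and values come from the Event Details window of your own collector.

```python
"""Added example, not Symantec's code: what a collector does with filter
and aggregation specifications of the form (field name, operator, value).
The operators "is equal to" and "contains" and all event values below are
assumed or constructed; real field names come from the Event Details window."""
from collections import OrderedDict

# Operators a specification property can use (assumed set).
OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}


def matches(spec, event):
    """A specification is a list of (name, operator, value) properties; all must
    match. Field names are case-sensitive, as in the console, so a name that
    differs only in case reads as an absent field."""
    return all(OPERATORS[op](str(event.get(name, "")), value) for name, op, value in spec)


def apply_filters(events, filters):
    """Filtering: drop every event that matches any enabled filter specification."""
    return [e for e in events if not any(matches(spec, e) for spec in filters)]


def aggregate(events, spec, key_fields):
    """Aggregation: events matching spec and identical in key_fields collapse
    into one summary event carrying a count. The summary keeps only the key
    fields, so the raw per-event data cannot be recovered afterwards; events
    that do not match spec pass through unchanged."""
    out, summaries = [], OrderedDict()
    for e in events:
        if not matches(spec, e):
            out.append(e)
            continue
        key = tuple(e.get(f) for f in key_fields)
        if key not in summaries:
            summaries[key] = {f: e.get(f) for f in key_fields}
            summaries[key]["count"] = 0
            out.append(summaries[key])
        summaries[key]["count"] += 1
    return out


# Constructed events as a firewall collector might parse them.
EVENTS = [
    {"Product": "Firewall", "Event Type": "Connection rejected", "Source IP": "192.0.2.10", "Raw": "deny ..."},
    {"Product": "Firewall", "Event Type": "Connection accepted", "Source IP": "192.0.2.10", "Raw": "permit ..."},
    {"Product": "Firewall", "Event Type": "Connection accepted", "Source IP": "192.0.2.10", "Raw": "permit ..."},
    {"Product": "Firewall", "Event Type": "Connection accepted", "Source IP": "192.0.2.11", "Raw": "permit ..."},
    {"Product": "IDS", "Event Type": "Possible attack", "Source IP": "192.0.2.10", "Raw": "alert ..."},
]

# Filter specification: drop "Connection rejected" (firewall working as configured).
FILTERS = [[("Event Type", "is equal to", "Connection rejected")]]
# Aggregation specification: summarize "Connection accepted" by source IP.
AGG_SPEC = [("Event Type", "is equal to", "Connection accepted")]
AGG_KEYS = ["Product", "Event Type", "Source IP"]


def process(events=EVENTS):
    """Run the collector pipeline: filter first, then aggregate."""
    return aggregate(apply_filters(events, FILTERS), AGG_SPEC, AGG_KEYS)


if __name__ == "__main__":
    for e in process():
        print(e)
```

The five constructed events become three: the rejected connection is dropped, the two accepted connections from the same source become one summary with a count of 2 and no "Raw" field, and the IDS event passes through untouched with its raw data. That missing "Raw" field is the compliance caveat from the note above made concrete: once aggregated, the individual events cannot be reconstructed at the appliance.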

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access event data that has been gathered by each collector. To gain an understanding of the events that can be filtered, you should analyze the event data that is viewable in the Event Details pane. You can also create custom reports for specific events. For more information on creating custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events page

1. In the Information Manager console, click Events.
2. In the Events page, expand the domain folder.
3. Under the domain folder, expand the Events folder, and click All Events.
4. Find the event you would like to analyze, and click View the event details.
5. In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create filters that are specific to the event that you want to filter.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filters and Aggregation tabs let you create, enable, and edit rules to either exclude events from being forwarded to the appliance (filtering), or gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add rules before you can enable or configure them.

To create a collector-side filtering rule

1 In the Information Manager console, on the System page, click the Product Configurations tab.
2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product.
  If the only configuration available is Default, you will need to create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the onscreen instructions.
3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of rules, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.
5 Under the rule properties table, click Add, and then do the following:
  - In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that is created by the collector, you can also type a name for the event filter property. Fields are case-sensitive.
  - In the Operator column, select an operator from the drop-down list.
  - In the Value column, type a value for the event filter property.
  To add more event filtering information for the rule, repeat this step.
6 When you are finished, in the filter list, check the filter name.
7 Click Save.
8 In the left pane, right-click the appropriate Default folder, and then click Distribute.
9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System page, click the Product Configurations tab.
2 In the left pane, expand the product to which you want to add an aggregation rule. Expand the folders until you reach the configurations that are available for the product.
  If the only configuration available is Default, you will need to create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the onscreen instructions.
3 In the right pane, on the Aggregator tab, under the list of rules, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.
5 Under the rule properties table, click Add, and then do the following:
  - In the Name column, type a name for the event aggregation property.
  - In the Operator column, select an operator from the drop-down list.
  - In the Value column, type a value for the event aggregation property.
  To add more event aggregation information for the rule, repeat this step.
6 In the Aggregation time (ms) box, type the time (in milliseconds) within which the aggregated events should correspond to the rule property. The default value is 0. This property applies to all aggregation rules.
7 When you are done, in the aggregation list, check the aggregation name.
8 Click Save.
9 In the left pane, right-click the appropriate Default folder, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.

Examples of collector-based filtering and aggregation rules

As you begin to understand the details of the event fields that are populated, you will likely discover common filtering and aggregation candidates that can be safely implemented at the collector level. The following sections provide general guidelines for filtering and aggregation. Before you deploy these examples, each configuration should be carefully evaluated to ensure that the configuration conforms to the specific needs of your security environment. The examples provided are common to many deployments, but may not be in compliance with your security policies. Creating filtering and aggregation specifications should be an iterative process that is based on a careful evaluation of the event data that is specific to your security environment.

Filtering at the collector prevents event data from being sent to the Information Manager appliance for evaluation. Consequently, analysts will not have access to this data for forensic analysis unless the events are stored separately from Information Manager. For example, events that are classified as informational can be good candidates for event filtering or aggregation at the collector. In some cases, a network may generate a large number of informational events that do not constitute an immediate security threat. From a threat perspective, these events may not be as useful in evaluating a high priority security incident in progress. However, from a forensic analysis perspective, the informational event details may subsequently help to gain a better understanding of the series of events that led to the security breach. For this reason, an event filter or aggregation specification at the collector should be carefully evaluated before it is deployed.

When you are determining which events can be safely filtered or aggregated, a good general rule is to base your collector-based filtering or aggregation specifications on very specific event criteria. Basing a filter on a broad field such as severity level may have unintended results. Specificity when creating filtering rules helps to prevent unexpected gaps in the information available to the analyst. For example, you should use the event IDs that are generated by the monitored product to control the information that is discarded from Information Manager. This option is more effective than using a broader severity category to control that information.

Filtering events generated by specific internal networks

You can filter events from particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate a large number of events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of false positive.

To filter network events that are generated by a specific subnet and acquired by the Windows Event Log collector

1 On the System page, on the Product Configurations tab, expand the default configuration for the Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.
2 After you have selected the field name, set the Operator to equal to, and then in the Value field enter the subnet that you would like to filter against.
3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events, many of which are recorded primarily for lower priority, informational purposes. In many cases, depending on the security policies that you have in place, you can safely filter these events at the collector to reduce network traffic and increase overall performance.

Filtering Connection Rejected events

Events that are classified as Connection Rejected events can often be filtered based on the severity of the event and the event ID. For example, in many cases, TCP Connection Rejected events detected by the Cisco PIX collector (PIX ) can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data that must be evaluated.

If you want to filter additional events that are similar (or carry a similar severity from an analyst's perspective), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify No route to dest_addr from src_addr (PIX ) or HTTP daemon interface int_name: connection denied from IP_addr (PIX ) PIX events.

To filter Cisco PIX TCP Connection Rejected events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.
4 Set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).
5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted events can often be filtered based on the severity of the event and specifically the event ID. For example, Connection Accepted events detected by the Cisco PIX collector such as user user_name executed cmd: command (PIX ) events can be filtered at the collector. PIX events are generally used for accounting purposes only, and indicate that the command entered by the user was not capable of modifying the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data that must be evaluated.

To filter Cisco PIX Connection Accepted events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).
5 Save and enable the rule, and then distribute the configuration.

Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you are using the Cisco PIX collector, the collector will gather events such as failed telnet session attempts as possible attacks and display them in the console. Depending on the security policies of your organization, you may decide to filter or aggregate these events at the collector to reduce the amount of data that must be evaluated.

If you want to filter additional events that are similar (or carry a similar severity from an analyst's perspective), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX ) events, or Retrieved IP address for FTP session (PIX ).

To filter Cisco PIX failed telnet session events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).
5 Save and enable the rule, and then distribute the configuration.

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or on an expected host computer. Remote Management Connection events often include events that are classified as Informational, and in many cases can be safely aggregated.

For example, if you are using the Juniper Netscreen Firewall collector, you can create an aggregation specification that gathers specific types of Remote Management Connection events into a single summary event that is sent to the appliance. For example, you may have a host computer that manages remote connections, for which you expect many remote management events to take place. You can aggregate these events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 Expand the default configuration for the Juniper Netscreen Firewall collector.
3 On the Aggregation tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, navigate to Network Event > Firewall Network Event > Destination Host name.
4 After you select the field name, set the Operator to equal to, and then enter the host name in the Value field.
5 In the Aggregation time (ms) box, type the time (in milliseconds) within which the aggregated events should correspond to the rule property.
6 Save and enable the rule, and then distribute the configuration.

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. As these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector.

To filter events that are generated by Symantec AntiVirus, you need to edit the configuration file (.conf) that is included when the collector is installed on the Symantec AntiVirus parent server. The collector monitors the parent server for events, and uses the configuration files to determine which events are forwarded to the appliance.

The following events are common Symantec AntiVirus events that can be filtered at the collector:

- Unscannable Violation
- Data Scan Start
- Data Scan End
- Data Scan Cancel
- Data Scan Pause
- Data Scan Resume
- Application Start
- Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled, which is detected by the AntiVirus Disabled event correlation rule on the appliance. If you filter Application Stop events at the collector, this rule will not fire during correlation.

Symantec AntiVirus and Symantec Client Security configuration files are stored on the parent server on which the collector is installed. The files are stored by default in the following locations:

- Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg
- Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg
- Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or servers using the Log Event Forwarding wizard that is available through the Symantec System Center interface that is provided with Symantec AntiVirus and Symantec Client Security. The Log Event Forwarding wizard lists a complete set of events that can be forwarded to parent servers. For more information on using Symantec System Center, see the documentation provided with Symantec AntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server

1 On the parent server you are monitoring, using a text editor such as Notepad, open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg.
2 In the .conf file, find the ExcludeEvents section.
3 From the list of events that appears in this section, remove the comment symbol (;) from before the event type or types you want to filter.
4 Save the file as a .cfg file. You may need to restart the collector.

Filtering or aggregating vulnerability assessment events

Typically all vulnerability assessment scans should be sent to the Correlation Manager for analysis. However, in some cases vulnerability assessment events can be aggregated to reduce the number of events that are sent individually to the Information Manager appliance. For example, the Symantec ESM collector will detect vulnerability assessment events related to whether files are backed up on the systems that it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks, but depending on the policies of your organization, may not represent an immediate security threat.

Another potential candidate for aggregation of vulnerability assessment events is a Different ACL entry event. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

To aggregate Backup Integrity events for the Symantec ESM collector

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Aggregation tab for that product, create a new specification.
3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Vulnerability > Custom 2. For the Symantec ESM collector, the Custom 2 field contains the type of event generated by the vulnerability assessment scan.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Custom 2 field.
5 In the Aggregation time (ms) box, type the time (in milliseconds) within which the aggregated events should correspond to the rule property.
6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Aggregation tab for that product, create a new specification.
3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Vulnerability > Short Descriptive Name. For the Symantec ESM collector, the Short Descriptive Name field contains a brief description of the event generated by the vulnerability assessment scan.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, type Different ACL entry exactly as it appears in the Event Details entry for the Short Descriptive Name field.
5 In the Aggregation time (ms) box, type the time (in milliseconds) within which the aggregated events should correspond to the rule property.
6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you are using the Windows Event Log collector, you can reduce traffic by filtering common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those that are related to security. These events produce unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters to reduce the number of events that are passed to the appliance.

For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place (for example, secure passwords, multiple layers of access defense, and limiting administrator privileges). Another example of a Windows Event Log event that can be filtered is the successful login Application event. As an alternative, you could also choose the Event ID field with a value of

To filter Windows Successful Network Logon events (540)

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows Event Log entries. For more information on the Windows Event Log option fields, see the documentation provided by Microsoft.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field type Security:540 exactly as it appears in the Event Details entry for the Option 8 field. As an alternative, you could also choose the Event ID field with a value of
5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows Event Log entries. For more information on the Windows Event Log option fields, see the documentation provided by Microsoft.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field.
5 Save and enable the rule, and then distribute the configuration.
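The following Python model of the filter and aggregation specifications described in this chapter is an added example, not Symantec product code. The field names Option 8 and Destination Host name, the values Security:540 and Application:17055, and the Application Stop / AntiVirus Disabled dependency are taken from the chapter; the event record shape, the "is equal to" semantics, the meaning of the Aggregation time (ms) window, the "Event Type" field and the sample events are assumptions.

```python
"""Collector-side filtering and aggregation, modelled on the specifications
described in this chapter.  Added example, not Symantec product code."""
from dataclasses import dataclass
from typing import Dict, List

Event = Dict[str, object]  # one event: field name -> value (assumed shape)


@dataclass
class Property:
    """One row of a specification's rule properties table (Name/Operator/Value)."""
    name: str       # field name, case-sensitive, exactly as shown in Event Details
    operator: str   # only "is equal to" is modelled here (assumption)
    value: str


@dataclass
class Specification:
    name: str
    properties: List[Property]
    enabled: bool = True

    def matches(self, event: Event) -> bool:
        """True when every property in the table holds for the event.

        Lookups are case-sensitive, as the chapter notes: a property on
        "option 8" never matches an event that carries "Option 8".
        """
        for p in self.properties:
            if p.operator != "is equal to":
                raise ValueError(f"operator not modelled: {p.operator!r}")
            if p.name not in event or str(event[p.name]) != p.value:
                return False
        return True


def apply_filters(events: List[Event], specs: List[Specification]) -> List[Event]:
    """Drop every event that matches an enabled filter specification; the rest
    are forwarded to the appliance unchanged (and are lost to later forensics)."""
    active = [s for s in specs if s.enabled]
    return [e for e in events if not any(s.matches(e) for s in active)]


def aggregate(events: List[Event], specs: List[Specification],
              window_ms: int) -> List[Event]:
    """Collapse matching events into summary events.

    Assumed semantics of the Aggregation time (ms) box: a matching event joins
    the open summary for its specification if it arrived no more than
    window_ms after that summary's first event; otherwise it opens a new
    summary.  With the default of 0 ms only events with an identical
    timestamp are combined, so every event is still forwarded individually.
    Events must be supplied in timestamp order.
    """
    out: List[Event] = []
    open_summary: Dict[str, Event] = {}   # spec name -> current summary event
    for e in events:
        spec = next((s for s in specs if s.enabled and s.matches(e)), None)
        if spec is None:
            out.append(e)
            continue
        cur = open_summary.get(spec.name)
        if cur is not None and e["timestamp"] - cur["timestamp"] <= window_ms:
            cur["count"] += 1                  # fold into the open summary
            cur["last_timestamp"] = e["timestamp"]
            continue
        summary = dict(e, count=1, aggregated_by=spec.name,
                       last_timestamp=e["timestamp"])
        out.append(summary)
        open_summary[spec.name] = summary
    return out


# Constructed: correlation rules on the appliance and the event types each one
# needs.  The single entry is the dependency this chapter states (AntiVirus
# Disabled cannot fire if Application Stop is filtered); the "Event Type"
# field name and the mapping structure are assumptions.
CORRELATION_DEPENDENCIES = {"AntiVirus Disabled": {"Application Stop"}}


def rules_blinded_by(spec: Specification, type_field: str = "Event Type") -> List[str]:
    """Correlation rules that could no longer fire if this filter is distributed."""
    filtered = {p.value for p in spec.properties if p.name == type_field}
    return sorted(r for r, needs in CORRELATION_DEPENDENCIES.items() if needs & filtered)


# Constructed sample events (timestamps in ms).  Field names and the values
# Security:540 and Application:17055 come from the chapter; the rest is made up.
SAMPLE_EVENTS: List[Event] = [
    {"timestamp": 0, "Option 8": "Security:540", "Event Type": "Successful Network Logon"},
    {"timestamp": 100, "Option 8": "Security:529", "Event Type": "Logon Failure"},
    {"timestamp": 200, "Destination Host name": "mgmt-host", "Event Type": "Remote Management Connection"},
    {"timestamp": 700, "Destination Host name": "mgmt-host", "Event Type": "Remote Management Connection"},
    {"timestamp": 5000, "Destination Host name": "mgmt-host", "Event Type": "Remote Management Connection"},
    {"timestamp": 5100, "Option 8": "Application:17055", "Event Type": "Application"},
]


def run_example(window_ms: int = 1000) -> List[Event]:
    """Filter Successful Network Logon (Security:540), then aggregate remote
    management connections to mgmt-host that fall within window_ms."""
    filters = [Specification("Drop Security:540",
                             [Property("Option 8", "is equal to", "Security:540")])]
    aggs = [Specification("Mgmt host connections",
                          [Property("Destination Host name", "is equal to", "mgmt-host")])]
    return aggregate(apply_filters(SAMPLE_EVENTS, filters), aggs, window_ms)


if __name__ == "__main__":
    for ev in run_example():
        print(ev)
    drop_stop = Specification("Drop Application Stop",
                              [Property("Event Type", "is equal to", "Application Stop")])
    print("correlation rules affected:", rules_blinded_by(drop_stop))
```

Running the same sample with window_ms=0 (the default in the console) shows why the box matters: the three mgmt-host events are forwarded as three separate summaries instead of being combined.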

Section 4

Configuration options

- Configuring the appliance after installation
- Configuring Symantec Security Information Manager
- Forwarding events to an Information Manager appliance
- Managing Global Intelligence Network content
- Running LiveUpdate
- Working with Symantec Security Information Manager Configurations

Chapter 13

Configuring the appliance after installation

This chapter includes the following topics:

- About the Information Manager Web configuration interface
- Accessing the Security Information Manager configuration page
- Changing network settings
- Specifying date and time settings
- Specifying a network time protocol server
- Changing the password for Linux accounts
- Shutting down and restarting the appliance

About the Information Manager Web configuration interface

After you have rack-mounted the appliance and run the installation program, you can use the Information Manager Web configuration interface to change appliance settings, including the following:

- Network information such as IP address, DNS, and gateway servers
- Date and time
- NTP server
- Password for Linux accounts such as root
- Security certificates

- Shutting down or restarting the appliance

You also use the Information Manager Web configuration interface to install the Information Manager console on a remote computer.

Accessing the Security Information Manager configuration page

Complete the following steps to access the Security Information Manager configuration page.

To access the Security Information Manager configuration page

1 Open a Web browser, and in the address bar, type the IP address of the appliance. By default, this address is the following:
  By default, the appliance uses self-signed certificates, which cannot be verified by certificate authentication services such as VeriSign. If prompted, click Yes to accept the appliance certificate.
2 On the Security Information Manager page, click Click here to configure the server (login required).
3 Type a username and password in the spaces provided. The default username for the Information Manager Web configuration interface is administrator. The default password is password.

Changing network settings

You can use the Information Manager Web configuration interface to change network settings.

Warning: Once you specify a domain name or accept the default name, you cannot change it without re-installing the appliance software.

Changing the hostname or IP address of the primary Ethernet connection (eth0) creates a new self-signed certificate for the appliance. If you are using a certificate signed by a certificate authority (CA), you must generate a new signed certificate using the CA, and then install it via the Certificate Management page after changing the hostname or IP address.

If you change the host name or IP address of an Information Manager appliance, all remote agents that communicate with it must be configured to use the new settings. This requirement does not apply to the agents that are running on the appliance. See your collector or agent documentation for information on reconfiguring to use the new settings.

To change the network settings

1 From the Security Information Manager configuration page, click Network Settings.
2 In the General Settings section, type the host name.
3 In the Search Domain box, type the search domain for the appliance.
4 Optionally enter the names of up to three Domain Name Servers in the boxes that are provided.
5 In the Network Interface 0 (eth0) Settings section, do the following:
  - In the box that is provided, type the IP address for the first Ethernet connection in the appliance.
  - In the Netmask box, optionally type the mask that is used for addresses in the network or subnet where the appliance will be used.
  - In the Gateway box, type the IP address of the gateway server for the appliance.
6 If you are using the second Ethernet connection on the appliance, do the following in the Network Interface 1 (eth1) Settings section:
  - In the box that is provided, type the IP address for the second Ethernet connection in the appliance.
  - In the Netmask box, optionally type the mask that is used for addresses in the network or subnet where the appliance will be used.
  - In the Gateway box, type the IP address of the gateway server for the appliance.
7 If you changed the IP address or the host name of Network Interface 0, complete the following steps. Otherwise, skip to step 8.
  - Turn on Force hostname and eth0 IP address update.
  - In the Username (DN) box, type a username with administrator rights for the current security directory that is used by the appliance.
  - In the Password box, type a password.
  - In the Domain box, type the domain that is used by the appliance.

  The default username for the security directory is cn=root. The default password is password.
8 Click Change Settings.

Specifying date and time settings

You can use the Information Manager Web configuration interface to specify the appliance date and time settings.

To specify the date and time settings

1 From the Security Information Manager configuration page, click Date/Time Settings.
2 Use the controls that are provided to specify the date, time, and time zone settings.
3 Click Update.

Specifying a network time protocol server

If you want the Information Manager appliance to get time settings from a network time protocol (NTP) server, you can specify that by using the Information Manager Web configuration interface. By default, NTP synchronization is disabled.

To add and specify an NTP server

1 From the Security Information Manager configuration page, click NTP Configuration.
2 Uncheck NTP Disabled.
3 Click Add NTP Server.
4 Type the path of the desired NTP server in the box provided, and then click Add.
5 Click Apply.

To remove an NTP server

1 From the Security Information Manager configuration page, click NTP Configuration.
2 Click Delete NTP Server.
3 Select a server from the Current Servers list, and then click Apply.

Changing the password for Linux accounts

You can use the Information Manager Web configuration interface to change the password that is used for Linux administrative accounts such as root and simuser. Console accounts, such as administrator, are changed in the Information Manager console.

Note: To change system settings such as account passwords, do not attempt to manually run the scripts that are included on the appliance. You should be able to use the Information Manager Web configuration interface to accomplish most system level tasks. If you need to perform an operation on an appliance that is not available through the Web Configuration interface or the Information Manager console, contact technical support for assistance.

To change the password for Linux accounts

1 From the Security Information Manager configuration page, click Change Password.
2 In the Username box, type the name of a user account on the appliance. Note that these are local user accounts on the appliance, not SESA domain user accounts, which are changed in the Information Manager console.
3 Type the current password for the account in the space that is provided.
4 Type the new password and then confirm the new password in the spaces that are provided.
5 Click Change Password.

Shutting down and restarting the appliance

The Information Manager Web configuration interface provides options for shutting down and restarting the appliance. It is recommended that you use these options rather than powering down the appliance, because the Information Manager Web configuration interface options shut down services and leave the on-board database in a stable state.

To shut down or restart the appliance

1 From the Security Information Manager configuration page, click Shutdown / Restart.
2 Do one of the following:
  - To restart the appliance, click Restart Now.
  - To shut down the appliance, click Shutdown Now.

Chapter 14

Configuring Symantec Security Information Manager

This chapter includes the following topics:

- About configuring Symantec Security Information Manager
- Adding a policy
- Specifying networks
- Identifying critical systems

About configuring Symantec Security Information Manager

For the proper functioning of the correlation rules, it is essential that you specify information that is used to determine incident severity. Key settings include specifying systems that host critical or sensitive information and systems that require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, incidents that affect networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

It is also helpful to specify which policies are used within your network. Information Manager includes default policies such as Sarbanes-Oxley or HIPAA. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

You should also create your list of response teams so that Information Manager can automatically assign incidents to those teams based on the rules settings. You use the Information Manager console to create the teams; however, the list of members that you can assign to those teams is maintained on the System page.

Another key factor in determining incident severity and the functioning of rules is the information that is stored in the knowledge base. Some of this information is provided by the Global Intelligence Network Integration Manager, and some settings you can configure yourself. For example, you can add entries to the IP watchlist.

Note: When you add a new policy or service to the Policies or Services lists, the new entries do not appear in the Event Criteria in the Rules Editor until you have restarted the console.

Adding a policy

Complete these steps to add a policy.

To add a policy
1 In the Information Manager console, click System.
2 On the Administration tab, click Policies.
3 On the toolbar, click + (the plus icon).
4 Type a name and description in the spaces that are provided.
5 Click OK.

Specifying networks

Complete these steps to specify the networks that exist in your organization.

To specify a network
1 In the Information Manager console, click System.
2 On the Administration tab, click Networks.
3 On the toolbar, click + (the plus icon).
4 In the Create New Network dialog box, type a name for the network in the Name box.
5 In the Netmask box, type the address and subnet mask for the network.
6 Fill in the following optional information, if desired:
   In the Physical Location box, type the location of the network.

   In the Logical Location box, type the logical location of the network.
   In the Description box, type a description of the network.
   Check Auto-Updateable if you want this entry to be overwritten when new network information is imported from a vulnerability scanner, such as Nessus.
7 Click OK.

Identifying critical systems

Complete the following steps to identify critical systems in your organization.

To identify critical systems
1 In the Information Manager console, click Assets.
2 On the toolbar, click + (the plus icon).
3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.
4 Fill in the following optional information, if desired:
   In the Host Name box, type the host name of the system.
   In the MAC Address box, type the MAC address of the system.
   In the DN box, type the Distinguished Name of the system.
   In the Description box, type a description of the system.
5 In the Asset Priority area, select values for Confidentiality, Integrity, and Availability, if desired. Each takes a value from 1 to 5:
   Confidentiality: level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.
   Integrity: level 5 means that the computer hosts content that must be maintained with the highest level of integrity.
   Availability: level 5 means that the computer hosts applications and content that must always be available for your business.
6 In the Additional Information area, fill in the following information, if desired:
   The name of the organization that uses this system

   The physical location of the system
   The name of the operating system (OS) that is running on the system
   The version of the OS that is running on the system
7 Check Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner, such as Nessus. Note that the default is the reverse of the Networks list: an asset entry is overwritten by scanner imports unless you lock it, whereas a network entry is overwritten only if you checked Auto-Updateable. Lock the entries whose priority ratings you have set by hand, or a routine scan import can silently replace them.
8 Click OK.
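The Networks and Assets lists above are what the correlation rules consult to rate an incident, and scanner imports rewrite them unless an entry is locked. The following Python program is an added example, not code from Symantec or from the Information Manager product: it models the two lists with the standard ipaddress module, resolves an event address to its most specific network, carries a 1 to 5 Confidentiality, Integrity and Availability rating per asset, and merges a scanner export while honouring Lock for Auto Update. The priority rollup (highest of the three ratings), the field names, and the sample networks, hosts and scanner rows are assumptions made for the example.

```python
"""Asset and network inventory with the priority ratings and auto-update
rules described in this chapter.

Added example, not code from Symantec or the Information Manager product.
The merge rules, field names, priority rollup and the sample scanner export
are assumptions chosen to mirror the console options (Auto-Updateable on a
network, Lock for Auto Update on an asset).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Network:
    name: str
    cidr: ipaddress.IPv4Network
    auto_updateable: bool = False          # console: Auto-Updateable checkbox


@dataclass
class Asset:
    ip: ipaddress.IPv4Address
    host_name: str = ""
    os_name: str = ""
    confidentiality: int = 1               # 1..5, 5 = highest sensitivity
    integrity: int = 1
    availability: int = 1
    lock_for_auto_update: bool = False     # console: Lock for Auto Update

    def __post_init__(self) -> None:
        for v in (self.confidentiality, self.integrity, self.availability):
            if not 1 <= v <= 5:
                raise ValueError("CIA ratings must be in the range 1-5")

    @property
    def priority(self) -> int:
        # Assumed rollup: the highest of the three ratings drives priority.
        return max(self.confidentiality, self.integrity, self.availability)


class Inventory:
    def __init__(self) -> None:
        self.networks: list[Network] = []
        self.assets: dict[ipaddress.IPv4Address, Asset] = {}

    def add_network(self, name: str, netmask: str, auto_updateable: bool = False) -> None:
        # The Netmask box takes "address and subnet mask", e.g. 10.1.0.0/255.255.0.0;
        # strict=False tolerates host bits set in the address part.
        net = ipaddress.ip_network(netmask, strict=False)
        self.networks.append(Network(name, net, auto_updateable))

    def add_asset(self, ip: str, **fields) -> None:
        addr = ipaddress.ip_address(ip)
        self.assets[addr] = Asset(addr, **fields)

    def network_for(self, ip: str) -> Network | None:
        """Most specific (longest prefix) network containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        hits = [n for n in self.networks if addr in n.cidr]
        return max(hits, key=lambda n: n.cidr.prefixlen, default=None)

    def import_scan(self, scan_results) -> tuple[int, int, int]:
        """Merge scanner rows (ip, host name, OS) into the Assets list.

        Locked assets keep every field; unknown hosts are added with the lowest
        ratings so a scanner never grants a host a high priority by itself.
        Returns (updated, skipped_locked, added).
        """
        updated = skipped = added = 0
        for ip, host_name, os_name in scan_results:
            addr = ipaddress.ip_address(ip)
            asset = self.assets.get(addr)
            if asset is None:
                self.assets[addr] = Asset(addr, host_name=host_name, os_name=os_name)
                added += 1
            elif asset.lock_for_auto_update:
                skipped += 1
            else:
                asset.host_name, asset.os_name = host_name, os_name
                updated += 1
        return updated, skipped, added


def asset_info(inv: Inventory, ip: str) -> dict:
    """What a rule would see for an event address: network, host name, priority."""
    net = inv.network_for(ip)
    asset = inv.assets.get(ipaddress.ip_address(ip))
    return {"network": net.name if net else None,
            "host_name": asset.host_name if asset else "",
            "priority": asset.priority if asset else None}


def build_sample_inventory() -> Inventory:
    """Constructed sample data: hypothetical networks and hosts."""
    inv = Inventory()
    inv.add_network("corp-lan", "10.1.0.0/255.255.0.0", auto_updateable=True)
    inv.add_network("dmz", "10.1.200.0/24")
    inv.add_asset("10.1.2.3", host_name="hr-db01", confidentiality=5,
                  integrity=4, availability=3, lock_for_auto_update=True)
    inv.add_asset("10.1.200.10", host_name="www01", availability=5)
    return inv


SAMPLE_SCAN = [                                      # constructed scanner export
    ("10.1.2.3", "hr-db01.corp.example", "Windows"),  # locked: left untouched
    ("10.1.200.10", "www01.dmz.example", "Linux"),    # unlocked: refreshed
    ("10.1.200.11", "www02.dmz.example", "Linux"),    # unknown: added at priority 1
]

if __name__ == "__main__":
    inv = build_sample_inventory()
    print(asset_info(inv, "10.1.200.10"))   # network is dmz (the /24 beats the /16)
    print(inv.import_scan(SAMPLE_SCAN))     # (1, 1, 1)
    print(asset_info(inv, "10.1.2.3"))      # host name still hr-db01
```

The merge deliberately never raises a rating from scanner data: a new host enters at priority 1 and has to be rated by an administrator, which is the same conservative default the console gives an unrated asset.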

Chapter 15 Forwarding events to an Information Manager appliance

This chapter includes the following topics:
   About forwarding events to an Information Manager appliance
   About registering with a security directory
   Registering security products
   Registering with a security domain
   Forwarding events
   Forwarding events from a SESA Event Logger

About forwarding events to an Information Manager appliance

Event forwarding lets you create distributed configurations that handle higher event loads more efficiently. For example, you can have multiple appliances store events from security products and forward only the events that are needed for determining security incidents to a correlation appliance. The collection appliances store the uncorrelated events to support compliance with policies such as Sarbanes-Oxley, while the correlation appliance processes the forwarded events so that you can monitor the security incidents in your network.

You can also use event forwarding to support co-existence or event data migration between a legacy Symantec Enterprise Security Architecture (SESA) Event Logger and an Information Manager appliance.

In this chapter, the term "collection appliance" refers to an Information Manager appliance that forwards events to another appliance. The terms "correlation appliance" and "destination appliance" refer to the Information Manager appliance that is the target of the event forwarding. Generally, this appliance is used for correlating events that are forwarded from SESA Event Loggers or collection appliances.

During Information Manager installation, one default event forwarder is created on the appliance to forward events from the event service to the correlation manager. If you have multiple appliances, you may need to configure this forwarder to specify the destination appliance to which events are forwarded. You may also choose to forward events to the event service on the destination appliance instead of to its correlation manager.

You can create additional event forwarders on a single Information Manager appliance for backup purposes, or if you want to store certain types of events separately. For example, you can set up one forwarder to send events to appliance A and another to send events to appliance B, and then define event criteria so that certain events are forwarded to appliance A and other types of events to appliance B.

To configure event forwarding from an Information Manager appliance or an external SESA Event Logger to an Information Manager appliance, you must do the following:
   Register each security product that you will be monitoring with the destination Information Manager appliance. See Registering security products on page 168.
   Use the Information Manager Web configuration interface to join the collection appliance to the security directory of the correlation appliance. You can also use the Web configuration interface to import directory information from a legacy SESA security directory to enable event forwarding to a correlation appliance. See Registering with a security domain on page 169.
   Configure the collection appliance or SESA Event Logger to forward events. See Forwarding events on page 170 and Forwarding events from a SESA Event Logger on page 173.

Note that you cannot create incidents manually on a collection appliance. To create a security incident manually, do so on the correlation appliance. Also, after

you set up an Information Manager appliance as a collection appliance, you cannot reconfigure it to correlate events by changing software settings.

If you forward events through a firewall, make sure that the ports that the Information Manager appliances use to communicate with each other are open.

When the correlation appliance is unavailable, the forwarding appliance by default queues events until the correlation appliance is available again. If the queue on the forwarding appliance fills up, the forwarding appliance stops receiving events. While the forwarding appliance is not receiving events, the collectors try to queue events until the forwarding appliance can accept them again. Plan for this: the queue capacity on the forwarding appliance and on the collectors bounds how long an outage of the correlation appliance can be absorbed before events are lost.

The Event Criteria determine which events are forwarded to the destination appliance. You set event criteria in the Information Manager console, on the System page, Appliance Configurations tab. If the Event Criteria pane is empty, all events are sent to the appliance. If you add a condition to the Event Criteria, only the events that match that condition are sent.

To view forwarded events, a user at the Information Manager console must have sufficient rights to view those types of events. If the product, domain, or organizational unit does not match those allowed by the Role assigned to the user, the events do not appear.

Note: SESA Event Loggers cannot forward events to a correlation appliance if they cannot resolve the host name that was used to generate the correlation appliance's SSL certificate. To resolve this problem, add a domain name server (DNS) entry for the IP address and host name of the correlation appliance. Alternatively, you can add an entry for the IP address and host name of the appliance to the hosts file of the forwarding SESA Event Logger. However, this second option does not work on Microsoft Windows-based SESA Event Loggers because of a defect in the Sun Java Virtual Machine (JVM) for that platform. A third option is to generate a new certificate for the appliance that is based on its IP address. See Registering security products on page 168.

If you forward events to an event service on the destination appliance, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering with a security directory

Using the Register with remote appliance directory option configures a collection Information Manager appliance to use the same directory service as the correlation appliance. After registering, the collection appliance also inherits the same

database configuration that the correlation appliance uses. If the correlation appliance is configured to use a local or remote database, the collection appliance uses that same database to store event information. If the correlation appliance is configured as a correlation-only appliance (event pass-through enabled, events not stored), the collection appliance inherits those settings as well. In that case, you must create a new database configuration on the collection appliance if you want it to store events in its own database. For information on creating database configurations, see the Information Manager online help.

Note also that after you register a collection appliance with a correlation appliance, the events that are stored in the collection appliance's database are no longer visible in queries and reports. Events that are stored in the collection appliance database are not copied into the database of the correlation appliance. To view the original collection appliance events, you can use the Register with remote appliance directory option to register the collection appliance back to itself. However, doing so means that the events that are stored in the correlation appliance database are no longer visible from the console on the collection appliance.

When you specify the name of the remote directory with which you are registering, make sure that you specify the correct domain name in the correct case (for example, Symantec.SES rather than symantec.ses). Directory service connections are not case sensitive, but database connections are. Entering the correct domain name in the wrong case therefore results in the collection appliance being able to connect to the directory service of the correlation appliance but not to the database. When this occurs, no events appear in queries and reports; because the directory registration itself succeeds, the cause is easy to miss, so check the case of the domain name first.

When you use the Import legacy directory information option in the Information Manager Web configuration interface, the Information Manager appliance copies information from the SESA Event Logger to enable event forwarding. Because the off-appliance SESA Event Logger and the Information Manager appliance do not share a security directory, features such as heartbeat monitoring and configuration distribution do not work across the two directories.

Registering security products

The Information Manager Web configuration interface provides a page to register and unregister the configuration settings and event schemas that the Information Manager appliance requires to recognize and log events from a security product.

To register a security product
1 In the Information Manager Web configuration interface, click Collector Registration.
2 Click Register a collector.

3 In one or more of the boxes provided, type the path to the collector's .sip file, which is provided with the collector. You can select up to five files at one time. See your collector implementation guide for more information.
4 Click Begin registration.

To unregister a security product
1 In the Information Manager Web configuration interface, click Collector Registration.
2 On the page that appears, click Unregister a collector.
3 Check one or more boxes to specify the collectors that you want to unregister.
4 Click Unregister selected collector(s).

Registering with a security domain

The Directory Registration option of the Information Manager Web configuration interface lets you add the appliance to the security domain of the destination appliance. Registering an Information Manager appliance with a second appliance's security directory may take 10 minutes or more.

To register an Information Manager appliance with a security domain
1 Log on to the Information Manager Web configuration interface configuration page as an administrator.
2 On the Directory Registration page, select one of the following options:
   If you are registering an external SESA Event Logger, click Import legacy directory information.
   If you are registering with another Information Manager appliance, click Register with remote appliance directory.

3 Type the following information in the boxes provided:
   Hostname or IP Address: the host name or IP address of the external security directory.
   LDAP port: the LDAP communications port that is used by the security directory. The default is 636 (LDAP over SSL).
   Logon name (DN) (external SESA Event Logger registration only): the administrator account for the security directory. The default is cn=root.
   Administrator (appliance registration only): the administrator account on the remote appliance.
   Password: the password for the appliance administrator account (external SESA Event Logger) or the SESA administrator password (external appliance).
   Domain (Source Domain in external SESA Event Logger registration): the name of the remote security directory, such as Symantec.SES.
4 Click Register.
5 Configure the Information Manager appliance to forward events to the destination Information Manager appliance. If you are forwarding events from a SESA Event Logger, use the SESA console to create this configuration. See Forwarding events on page 170.

Forwarding events

You can configure the default event forwarder, and you can create additional event forwarders. You can later modify any event forwarder's option settings, and you can delete an existing event forwarder.

Note: Before completing the following steps, make sure that the network cabling between the collection and correlation appliances is connected.

To configure the default event forwarder
1 Open the Information Manager console of the collection appliance.
2 In the Information Manager console, click System.
3 Click the Appliance Configurations tab.

4 In the Appliances list, expand the appliance that will forward events to the correlation appliance.
5 Expand Event Routing.
6 Click Correlation Forwarding. The event forwarding option settings appear in the right pane.
7 In the Host box, type the host name or IP address of the correlation appliance.
8 In the Port section, select one of the following:
   To forward events to the correlation manager on the destination appliance, select Correlation Manager. Go to step 10.
   To save the events in the destination appliance's event archive, select Event Service. If you want the forwarded event data to be encrypted between the collection and correlation appliances, go to step 9.
9 To encrypt the event data between the collection and correlation appliances, check Encrypt event data. Data encryption is available only when the collection appliance forwards events to an event archive, so you must select Event Service before this option becomes available. If you encrypt event data, the data is sent over HTTPS (port 443). Events forwarded to the correlation manager are sent without this encryption, so if that path crosses an untrusted network, protect it by other means such as a dedicated management network or a VPN.
10 By default, event forwarding blocks event processing if the destination appliance is not available. If you do not want Information Manager to block event processing, uncheck Block if host is unavailable. Even with this option unchecked, Information Manager may sometimes block event processing; for example, if the destination appliance is busy, the forwarding appliance cannot forward events as fast as they arrive in the event service. Be aware that if you uncheck this option, the destination appliance may not receive all events. If blocking is enabled and you uncheck this option to stop blocking, you must restart the event service for the setting to take effect.
11 By default, all events are forwarded. To limit the types of events that are forwarded, complete these steps in order:
   In the toolbar of the Event Criteria pane, click the Add button.
   In the left column, click an entry on the Common, Events, Other Field, or Table Lookups tab.
   In the middle column, specify a logical operator.

   In the right column, specify the value that you are filtering on.
   Repeat the preceding steps for any other conditions that you want to include.
12 Click Apply.
13 Make sure that the appropriate event forwarder is checked in the left navigation tree. For example, to enable the default event forwarder on a collection appliance named Denver, make sure that the Correlation Forwarding box under the Denver folder is checked.

To create an event forwarder
1 Open the Information Manager console of the collection appliance.
2 In the Information Manager console, click System.
3 Click the Appliance Configurations tab.
4 In the Appliances list, expand the appliance to which you want to add an event forwarder.
5 Click Event Routing.
6 On the toolbar, click + (the plus symbol).
7 In the Forward Name dialog box, type the name that you want to assign to the new event forwarder, and then click OK.
8 To complete the configuration, use the steps in the procedure To configure the default event forwarder on page 170.

To delete an event forwarder
1 Open the Information Manager console of the collection appliance.
2 In the Information Manager console, click System.
3 Click the Appliance Configurations tab.
4 In the Appliances list, expand the appliance for which you want to delete an event forwarder.
5 Expand Event Routing.
6 Select the event forwarder that you want to delete.
7 On the toolbar, click - (the minus symbol).
8 To confirm that you want to delete the event forwarder, click Yes.
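The forwarder procedures above combine three behaviours that are easy to misjudge in production: the Event Criteria (an empty pane forwards everything, each added condition narrows the set), the queue that absorbs events while the destination is unreachable, and the Block if host is unavailable option that decides what happens when that queue is full. The following Python program is an added example, not code from Symantec or from the Information Manager product. It models a forwarder with those three pieces and replays a constructed burst of events across an outage twice, once with blocking on and once with it off, so the difference in delivered and lost events is visible. The collector-side retry loop, the queue size of two, the operator set, the field names and the sample events are all assumptions.

```python
"""Model of an event forwarder: event criteria plus a bounded queue, with both
settings of the Block if host is unavailable option.

Added example, not code from Symantec or the Information Manager product.
Event field names, the operator set, the queue size, the collector retry loop
and the destination stub are assumptions; the sample events are constructed.
"""
from collections import deque
import operator

OPERATORS = {
    "=": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge, "contains": lambda a, b: b in a,
}


class EventCriteria:
    """AND of (field, operator, value) conditions; an empty pane matches everything."""

    def __init__(self) -> None:
        self.conditions = []

    def add(self, field: str, op: str, value) -> "EventCriteria":
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        self.conditions.append((field, OPERATORS[op], value))
        return self

    def matches(self, event: dict) -> bool:
        return all(f in event and fn(event[f], v) for f, fn, v in self.conditions)


class Destination:
    """Stand-in for the correlation manager or event service on the destination appliance."""

    def __init__(self) -> None:
        self.available = True
        self.received = []

    def send(self, event: dict) -> None:
        if not self.available:
            raise ConnectionError("destination appliance unreachable")
        self.received.append(event)


class Forwarder:
    def __init__(self, dest: Destination, criteria: EventCriteria,
                 queue_size: int, block_if_unavailable: bool) -> None:
        self.dest = dest
        self.criteria = criteria
        self.queue = deque()
        self.queue_size = queue_size
        self.block = block_if_unavailable
        self.dropped = 0

    def flush(self) -> None:
        """Drain queued events once the destination is reachable again."""
        while self.queue and self.dest.available:
            self.dest.send(self.queue.popleft())

    def accept(self, event: dict) -> bool:
        """Offer one event from the event service.

        Returns False only when the forwarder is blocking: the caller (the
        collector side) must hold the event and retry later.
        """
        if not self.criteria.matches(event):
            return True                      # filtered out, nothing to forward
        self.flush()
        if self.dest.available:
            self.dest.send(event)
            return True
        if len(self.queue) < self.queue_size:
            self.queue.append(event)         # queue while the destination is down
            return True
        if self.block:
            return False                     # queue full: push back on the source
        self.dropped += 1                    # queue full, non-blocking: event is lost
        return True


# Constructed events (id, severity); only severity >= 3 is forwarded below.
SAMPLE_EVENTS = [{"id": i, "severity": s} for i, s in
                 [(1, 4), (2, 2), (3, 5), (4, 4), (5, 1), (6, 5),
                  (7, 4), (8, 4), (9, 3), (10, 2)]]


def simulate(block_if_unavailable: bool) -> dict:
    """Replay SAMPLE_EVENTS with the destination down while events 4..8 arrive."""
    dest = Destination()
    fwd = Forwarder(dest, EventCriteria().add("severity", ">=", 3),
                    queue_size=2, block_if_unavailable=block_if_unavailable)
    pending = deque()                        # collector-side holding area
    backlog_peak = 0
    for ev in SAMPLE_EVENTS:
        dest.available = not 4 <= ev["id"] <= 8
        pending.append(ev)
        backlog_peak = max(backlog_peak, len(pending))
        while pending and fwd.accept(pending[0]):
            pending.popleft()
    return {"delivered": [e["id"] for e in dest.received],
            "dropped": fwd.dropped, "collector_backlog_peak": backlog_peak}


if __name__ == "__main__":
    print(simulate(block_if_unavailable=True))   # every matching event arrives
    print(simulate(block_if_unavailable=False))  # two matching events are dropped
```

With blocking on, events 7 and 8 wait on the collector side and every event that matches the criteria reaches the destination once it returns; with blocking off, the same two events are counted as dropped and nothing downstream ever learns they existed. That is the trade the Block if host is unavailable option makes: back-pressure on the collectors against completeness of the correlated view.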

Forwarding events from a SESA Event Logger

Complete the following steps to configure event forwarding from a legacy SESA Event Logger to an Information Manager appliance.

To forward events from a SESA Event Logger to an Information Manager appliance
1 Open a Web browser, and type the address of the SESA console of the SESA Event Logger that will forward events to the appliance, where <ip_address> in the console address represents the IP address or host name of the remote SESA Event Logger.
2 When prompted, type a user name and password to log on to the console.
3 In the Configurations view, in the left pane, click SESA.
4 Expand Manager Components Configurations, and then click the desired product configuration, or create a new one. Note that you cannot set up event forwarding with the default Manager Component Configuration. You must first create a new Manager Component Configuration, and then set up the new configuration for event forwarding.
5 In the right pane, on the Event Forwarding tab, click Add.
6 In the Name text box, type the name of the server to which you want to forward events.
7 In the Destination URL text box, type the URL of the Information Manager 4.5 server to which you are forwarding events, where <hostname> in the URL is the host name or the IP address of the destination Information Manager appliance. If the server to which you forward events uses security certificates that were generated based on its IP address, specify the IP address in this step, not the host name. Likewise, if the security certificate was generated based on the host name, type the host name and not the IP address. The value must match the name in the certificate, or the SSL connection fails.
8 Click Add to specify the events that are to be forwarded.

9 In the Filter dialog box, specify the properties of the events to be forwarded. To determine the correct settings, look at the properties of existing events that you want forwarded. If you do not make any changes, all events are forwarded by default.
10 Click OK.
11 If you want to forward additional information that is not defined in the event schema, in the Event Forwarding dialog box, check Forward extra event information.
12 Click OK.
13 Click Save.

Chapter 16 Managing Global Intelligence Network content

This chapter includes the following topics:
   About managing Global Intelligence Network content
   Registering a Global Intelligence Network license
   Viewing Global Intelligence Network content status
   Receiving Global Intelligence Network content updates
   Exporting Global Intelligence Network content
   Importing Global Intelligence Network content

About managing Global Intelligence Network content

Symantec Security Information Manager provides features that let you configure your appliance to use Global Intelligence Network (previously known as DeepSight) content. This content includes rules, virus definitions, recommended procedures for resolving known security vulnerabilities, and more. From the Information Manager Web configuration interface, you can register a Global Intelligence Network license, import and export Global Intelligence Network content, and configure the appliance to get Global Intelligence Network updates from a proxy computer. The ability to import and export Global Intelligence Network content, or to get updates through a proxy server, lets an appliance that is not connected to the Internet keep its security content current.

Registering a Global Intelligence Network license

If you purchased Symantec Security Information Manager Platinum support, complete the following steps to activate your Global Intelligence Network content updates.

Note: By default, the Internet Explorer Enhanced Security Configuration feature is enabled in Internet Explorer on Windows Server. To import the license, you may need to add the URL of the appliance to the list of Trusted Sites. See Microsoft Internet Explorer Help for more information.

To register a Global Intelligence Network license
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click License. The page displays the content of the current license file, if there is one, as well as options that let you import a license and remove a license.
3 Click Browse, and then navigate to the Global Intelligence Network license file.
4 When you locate the file, click Open.
5 Click Import License.

Viewing Global Intelligence Network content status

The Status page provides the following information:
   The status of the server that is providing updated security content
   The status of the Global Intelligence Network content license
   The status of the server database that caches Global Intelligence Network content
   The timestamps of any updates that have occurred

To view Global Intelligence Network content status
From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration. The Status page displays information about the security content server, the content license, and the server database. It also displays timestamps for the latest content updates.

In the Content License Status area, you can see the number of days before the license expires, along with the expiration date. If you have multiple licenses, the latest expiration date appears.

Receiving Global Intelligence Network content updates

The Global Intelligence Network Integration Manager Utilities page provides controls that let you specify the source of security content updates:
   An Internet connection to the Global Intelligence Network
   Another server inside your organization
   LiveUpdate packages (see About running LiveUpdate on page 181)

The Global Intelligence Network Integration Manager Utilities page also lets you specify proxy server settings, if you need to receive updates through a proxy server.

To receive Global Intelligence Network content from an Internet connection
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Global Intelligence Network Internet Service. To select this option, you must have an active license.
4 In the Global Intelligence Network Server Settings area, make sure that the DataFeed Service URL is set to the Symantec DataFeed Service address on deepsightinfo.symantec.com. If you use an IP address instead of the deepsightinfo.symantec.com host name, the proxy test fails.
5 In the Global Intelligence Network Server Settings area, make sure that the IP Service URL is set to the Symantec IP Service address on deepsightinfo.symantec.com. Again, if you use an IP address instead of deepsightinfo.symantec.com, the proxy test fails.
6 In the DataFeed Polling Interval box, specify how often the appliance checks for updates.

7 In the IP Polling Interval box, specify how often the appliance checks for updates to the IP watchlist. This is the list of IP addresses that are known to be associated with security exploits.
8 In the IP Address Limit box, specify how many IP addresses to download with each update.
9 Click Save.

To receive Global Intelligence Network content updates from a network server
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Another Global Intelligence Network Integration Manager Server.
4 In the Global Intelligence Network Integration Manager Server Host box, type the host name or IP address of the Information Manager appliance that will provide content updates.
5 In the Global Intelligence Network Integration Manager Polling Interval box, specify how often (in minutes) the appliance checks for updates. For example, to update every hour, type 60. To disable polling, type 0.
6 Click Save.

To receive Global Intelligence Network content via LiveUpdate
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Static.
4 Click Save.

To specify proxy server settings
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Configuration.
3 In the Proxy Server Settings area, make sure that Use Proxy Server is checked.
4 In the HTTPS/Secure Proxy Server box, type the URL of the proxy server.

5 In the HTTPS/Secure Proxy Port box, type the port that is used to communicate with the proxy server.
6 If the proxy server requires a user name and password to connect, type them in the HTTPS/Secure Proxy Username and HTTPS/Secure Proxy Password boxes, respectively.
7 Click Save.

Exporting Global Intelligence Network content

Complete the following steps to export Global Intelligence Network content from an Information Manager appliance so that you can use it on another Information Manager appliance.

To export Global Intelligence Network content
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Export.
3 In the File Download window, click Save.
4 In the Save As window, specify the location where you want to save the file.
5 Click Save.

Importing Global Intelligence Network content

Complete the following steps to import Global Intelligence Network content that you have exported from an Information Manager appliance.

To import Global Intelligence Network content
1 From the Information Manager Web configuration interface, click Global Intelligence Network Integration Manager Configuration.
2 Click Import.
3 Click Browse, and then navigate to the saved Global Intelligence Network content file.
4 When you locate the file, click Open.
5 Click Begin Import.


Chapter 17 Running LiveUpdate

This chapter includes the following topics:
   About running LiveUpdate
   Running LiveUpdate from the Information Manager Web configuration interface
   Running LiveUpdate from the Information Manager console

About running LiveUpdate

You can use LiveUpdate to obtain the latest Symantec Security Information Manager software updates. A complete update requires that you run LiveUpdate from both of the following places, because each updates a different set of components:
   The Information Manager Web configuration interface
   The Information Manager console

Running LiveUpdate from the Information Manager Web configuration interface

The options in the Information Manager Web configuration interface let you get updates for software components such as event collectors, relays, security content, rules, and filters.

To run LiveUpdate from the Information Manager Web configuration interface
1 From the Security Information Manager configuration page, click LiveUpdate.
2 In the Update column, select the components that you want updated, and then click Update. By default, all components are selected.

Running LiveUpdate from the Information Manager console

The LiveUpdate options in the Information Manager console let you update the other software components in the appliance that are not updated by the Web configuration interface LiveUpdate options.

To run LiveUpdate from the Information Manager console
1 From the Symantec Security Information Manager console, click System.
2 Click the Product Configurations tab.
3 Expand the SESA 2.5 node.
4 Click Manager Components Configurations.
5 Click New... to open the Create a new Configuration wizard, and follow the onscreen instructions to create a new configuration. You can also right-click Manager Components Configurations and choose New...
6 When you have finished creating the new configuration, in the left navigation pane, click the configuration you created.
7 On the LiveUpdate tab, check Enable.
8 Check Use local time.
9 In the DateTime box, click ... to open the calendar.
10 In the boxes that are provided, specify the date and time to run LiveUpdate, and then click OK. To run LiveUpdate as soon as possible, enter a time that is approximately three minutes in the future. This interval allows time for the change to be distributed to any components that are connected to the appliance.

Chapter 18  Working with Symantec Security Information Manager Configurations

This chapter includes the following topics:
  Introducing the Symantec Security Information Manager configurations
  Manager configurations
  Increasing the minimum free disk space requirement in high logging volume situations
  Manager Components Configurations
  Manager connection configurations
  Agent Connection Configurations
  Agent configurations
  Managing the Manager

Introducing the Symantec Security Information Manager configurations

Symantec Security Information Manager relies on Agents, a Symantec Security Information Manager Directory, a Symantec Security Information Manager DataStore, and a Manager to collect, store, process, and report security events to the Information Manager console. These components also distribute configuration changes to Information Manager and integrated products.

The Information Manager configurations let you configure these components.

Note: You can create customized configurations for each of the collectors that are installed. For more information on creating collector configurations, see the documentation that is provided with each collector.

Manager configurations

Manager configurations hold common Manager settings that may affect one or more of the manager components across Managers. These common settings include selecting the Information Manager Directory and DataStore for the domain, and setting throttle options that control connection attempts to Managers.

Table 18-1 lists the tabs on which you can change settings for Manager configurations.

Table 18-1  Manager Configuration tabs

  General
    Contains the name, description, and modification date of the configuration.

  Debug
    Lets you enable or disable debugging for specific systems, such as the Information Manager DataStore, HTTP, or the LDAP directory, and set the time stamp interval. Turning on these settings causes Information Manager to output more verbose debug information to the log files for tracking down potential problems. This information is useful for debugging purposes. You should not change these settings unless you are debugging a problem with the help of Symantec technical support.

  Throttle
    Lets you balance security and scalability issues on a Manager by controlling when or how often events are sent to the Information Manager DataStore. For example, you can set a threshold for all Managers, so that when an Agent tries to contact a Manager too many times in a given time period, the computer is denied access to the Manager for an allotted time. If you make the timeouts shorter, you protect yourself more against hyperactive clients or denial-of-service (DoS) attacks, but if you make the time allotments longer, you may be able to increase the performance of the server and avoid problems with false positives for hyperactive clients.

Table 18-1  Manager Configuration tabs (continued)

  Client Validation
    Controls how Information Manager handles the validation of clients. For example, on this tab, you can set how Information Manager reacts to clients who provide bogus passwords. If Information Manager attempts to validate a client and fails, the client is blacklisted until the entry times out. This tab lets you set how long those timeouts last.

  Web Server
    Provides your Web server settings to the Manager so that Information Manager components can contact other Information Manager components that are running on local or remote computers. Since you can modify the Web server settings independent of Information Manager, you must provide the Manager with your Web server configuration. If you change the port your Web server is listening on, or change the Information Manager Servlet Prefix for any reason, you must modify this setting so that Information Manager can locate its services. This is also where you configure Information Manager to use SSL communication.

  Other
    Contains miscellaneous settings that let you fine tune the operation of your Manager. For example, one setting lets you configure how much minimum disk space is required for the Manager before its logging and other functions are suspended. See "Increasing the minimum free disk space requirement in high logging volume situations" on page 185.

Increasing the minimum free disk space requirement in high logging volume situations

The Other tab of the Manager Configurations includes the Free Space Minimum Size property. This specifies the amount of free space that is needed for the Manager to function properly. The amount of free space is checked every two minutes and a warning is displayed if the free space is less than the minimum specified. In an environment that generates a high volume of log messages, you should increase the free space minimum size.

To increase the free space minimum size
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Manager Configuration.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.
3 In the right pane, on the Other tab, for the Free space minimum size property, increase the value to meet the needs of your environment. By default, the free space minimum size is 50 MB. In an environment with a high volume of log messages, you should increase the minimum disk space to at least 100 MB. If the Manager is installed on the operating system drive, you should set the free space minimum to at least 2 GB.
4 Click Save.

Manager Components Configurations

Manager Components Configurations contain specific settings for each of the Manager components. They let you configure the specific settings for each component individually, based on the component's configuration requirements. These components generally refer to specific services within the Manager, such as the Event Logging subsystem or the Configuration Service.

Table 18-2 lists the tabs on which you can change settings for the Manager Components Configurations.

Table 18-2  Manager Components Configurations tabs

  General
    Contains the name, description, and modification date of the configuration.

  Notifications
    Contains the notification and retry settings that are used by the alert servlet. These settings control how alerts are sent from Information Manager.

  Configuration
    Lets you configure the Information Manager Configuration Service by specifying how many times a client can request its configuration during a polling interval. If a client exceeds this value, it is flagged as hyperactive, and is not allowed to get its configuration again for a configured interval.

  Heartbeat
    Lets you adjust settings for the Heartbeat monitor.

Table 18-2  Manager Components Configurations tabs (continued)

  Command
    Controls the settings for the command servlet. When you use the Distribute option to initiate the distribution of configurations, the Command Servlet contacts each computer using the configuration and notifies it to reload its configuration. These settings let you configure throttling information for how many Agents to notify in a given period of time. They can be adjusted based on your environment. If you make this setting too high, you run the risk of overloading your Managers. If the throttling is set too low, it could take a long time to push new settings to a large number of computers.

  Administrative
    Lets you modify administrative protections such as how long a console session should be idle before timing out, and how often to update when you set the console to auto-refresh. You can lengthen the session idle interval to keep the console from timing out quickly or shorten it to increase security. You can also specify the character set that the console uses to export information. This toggle lets you select US English ANSI exporting or Unicode encoding for most double-byte character sets, such as Japanese.
    For v2.0 Managers only, you can modify the following:
      The values that control the number of events that are downloaded when a user displays a table-formatted report
      The blacklist settings that control how Information Manager handles repeated failed attempts to log on to the Information Manager console

  SNMP
    Contains the settings that control how alert notifications are sent to an SNMP server. You can specify the host, port, and community of the SNMP server to which alerts are forwarded, as well as the version of SNMP traps to send to that server.

  LiveUpdate
    Lets you schedule a one-time update for the Manager, as well as several retry and delay settings that are related to updating the Manager using LiveUpdate.

Modifying administrative settings

You can control the following behaviors of the Information Manager console by changing administrative settings:
  How long a console session is idle before timing out
  How often the Information Manager console is updated when you use auto-refresh
  The character set that is used when you export reports
  The number of event records that are initially downloaded for a report
  How Information Manager responds to repeated failed logon attempts

To modify administrative settings
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Manager Components Configurations.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.
3 In the right pane, on the Administrative tab, next to Session idle interval, do one of the following:
    To increase the time before the Information Manager console times out, type a higher value. Increase the value if you do not want the Information Manager console session to time out so quickly.
    To decrease the time before the Information Manager console times out, type a lower value. Lower the value to increase security.
4 Next to Auto refresh update interval, type the value to control the frequency with which the Information Manager console display is refreshed.
5 If the DataStore contains double-byte characters for languages such as Japanese, next to Export character set selector, check the check box. This configures the Manager to export data in Unicode encoding, which lets you export reports with double-byte characters to HTML or CSV formats.
6 To set the number of event records that are initially downloaded for a report, change the value of the Number of report rows to load into console property.
7 Click Save.

Manager connection configurations

Manager connection configurations let you configure failover for Managers. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. You can configure Manager to Directory failover. After you configure failover, distribute the configurations to Managers that require failover protection.

Table 18-3 lists the tabs on which you can change the failover settings for the Manager.

Table 18-3  Manager Connection Configurations tabs

  General
    Contains the name, description, and modification date of the configuration.

  SSIM Directory Failover
    Lets you specify the primary Information Manager Directory and control how failover takes place when that Information Manager Directory becomes unavailable. See "Configuring Manager to Information Manager Directory failover" on page 189.

Configuring Information Manager Directories

Failover is the ability of the Manager to automatically switch to a standby Information Manager Directory if the primary Information Manager Directory fails or terminates abnormally. The Information Manager Directory Failover tab of the Manager Connection Configurations lets you do more than configure Information Manager Directory failover. You can use this tab for either of the following:
  Configuring Manager to Information Manager Directory failover
  Logging Information Manager Directory connection failures

Configuring Manager to Information Manager Directory failover

You configure Information Manager Directory Failover to identify a primary Information Manager Directory and specify how failover should occur, including the number of retry attempts, time between retry attempts, and whether log messages are generated. The Information Manager Directories to which you fail over must be installed and configured before you complete the Information Manager Directory failover configuration. These Directories should be read-only replicas.

Note: Read-only replica Directories provide access to the Manager but cannot be edited. When a failover occurs, a message notifies users that the domain is using a read-only replica and that modifications cannot be made.

To configure Manager to Information Manager Directory failover
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Manager Connection Configurations.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.
3 In the right pane, on the SSIM Directory Failover tab, next to the Primary Directory text box, click the browse button (...).
4 In the Find Directories dialog box, in the Available Directories list, select a directory to be the Primary Directory.
5 Click OK.
6 On the SSIM Directory Failover tab, check Enable automatic Directory failover.
7 Under Primary Directory Failover, do the following:
    In the Reconnect attempts before failover text box, type the number of times that the Manager should attempt to connect to the Primary Directory before it fails over to the Information Manager Directory with the nearest LDAP suffix.
    In the Seconds between reconnect attempts text box, type the time interval in seconds that will elapse between each reconnect attempt.
8 Under Secondary Directory Failover, do the following:
    In the Reconnect attempts before failover text box, type the number of times that the Manager should attempt to connect to the initial Secondary Directory before it fails over to the next Information Manager Directory.
    In the Seconds between reconnect attempts text box, type the time interval in seconds that will elapse between each reconnect attempt.

9 To have the Manager automatically attempt to fail back to the primary Information Manager Directory, do the following:
    Ensure that Enable automatic failback recovery is checked.
    In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between attempts to fail back.
10 Click Save.

Logging Information Manager Directory connection failures

A connection failure event can cause a failover; however, connection failures are a broader category of events. They can also occur any time there is a problem with the connection between the Manager and the Information Manager Directory, regardless of whether the connection failure causes failover, or whether failover is enabled.

To specify how Information Manager Directory connection failures are logged
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Manager Connection Configurations.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.
3 In the right pane, on the SSIM Directory Failover tab, scroll to the bottom of the tab.
4 To configure what happens when connection failure events occur, do one or more of the following:
    Write an event to the SSIM DataStore when a connection failure occurs
      To log an Information Manager event when there is a connection failure, check here.
    Write an event to the system log when a connection failure occurs
      To log a system event when there is a connection failure, check here.
    Generate an SNMP trap when a connection failure occurs
      To generate an SNMP trap when there is a connection failure, check here.
    Generate a Multiple Connection Failure Event
      To generate a single event when multiple connection failures occur, do the following:
        In the Number of connection failures that must occur text box, type a number.
        In the Time period (seconds) of connection failures text box, type a time period.
      When the specified number of failovers occurs within the specified time period, an event is logged.
5 Click Save.

Agent Connection Configurations

Agent Connection Configurations let you configure Agent to Manager failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. After you configure failover, distribute the configurations to computers that require failover protection.

Table 18-4 lists the tabs on which you can change the failover setting for the Agent.

Table 18-4  Agent Connection Configurations tabs

  General
    Contains the name, description, and modification date of the configuration.

  SSIM Manager Failover
    Lets you specify the primary Manager and an ordered list of Managers to which the Agent can fail over if the primary Manager becomes unavailable.

Configuring Agent to Manager failover

You configure Manager failover to identify a primary Manager and provide an ordered list of failover Managers to which the Agent can connect if the primary Manager fails.

To configure Agent to Manager failover
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Agent Connection Configurations.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.
3 In the right pane, on the SSIM Manager Failover tab, next to the Primary Manager text box, click the browse button (...).
4 In the Find Computers dialog box, do one of the following:
    To proceed without modifying the Available computers list, select a computer to be the primary manager, and then continue at step 6. The Available computers list shows all Managers for the domain, up to the number of computers indicated by the Maximum search count text box.
    To modify the Available computers list by specifying search criteria, in the revised Available computers list, select one or more computers.
5 Click OK.
6 On the SSIM Manager Failover tab, check Enable automatic Manager Failover.
7 Under Primary Manager Failover, do the following:
    In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the Primary Manager before it fails over to the first Manager in the Secondary Managers list.
    In the Seconds between reconnect attempts text box, type the time interval in seconds that will elapse between each reconnect attempt.
8 Under Secondary Manager Failover, do the following:
    In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the initial Secondary Manager before it fails over to the next computer in the Secondary Manager list.
    In the Seconds between reconnect attempts text box, type the time interval in seconds that will elapse between each reconnect attempt.
9 To create an ordered list of failover Managers, do the following:
    Below the Secondary (failover) Managers list, click Add.
    In the Find Computers dialog box, in the Available computers list, select the computer that you want to make the first failover Manager. If you cannot immediately find the computer that you want, on the left side of the dialog box, enter search criteria, click Start Search, and then, in the Available computers list, select a computer.
    Click Add.
    Continue selecting and adding computers in the order in which you want them to be used for failover.
    Click OK. The computers that you selected are added to the Secondary (failover) Managers list.
    To change the order of the failover Managers, select a Manager and use the Move Up and Move Down arrows to the right of the list to move the Manager relative to the other Managers in the list.
10 To have the Agent automatically attempt to fail back to the primary Manager, do the following:
    Ensure that Enable automatic failback recovery is checked.
    In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between attempts to fail back.
    In the Maximum failback retry period text box, type the maximum amount of time to wait before all failback attempts end and a new permanent primary Manager is established. After a new permanent primary Manager is established, if you want to reset the connection between the Agent and the original Manager, you must do it manually, using the Primary Manager drop-down list.
11 To generate a single event when multiple connection failures occur, under Generate a Multiple Connection Failure Event, do the following:
    In the Number of connection failures that must occur text box, type a number.
    In the Time period (seconds) of connection failures text box, type a time period.
  When the specified number of failovers occurs within the specified time period, an event is logged. If you enable Manager failover, connection failure events occur with the same frequency as failovers, based on the values for reconnect attempts. If you do not enable failover, connection failures can still occur. The values you provide here determine how often events are logged for these occurrences.
12 Click Save.
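The reconnect, failover and failback settings described for Manager to Directory failover and for Agent to Manager failover above share one policy: try the primary a fixed number of times, walk an ordered list of secondaries, and later retry the primary for a bounded period before promoting the current server permanently. The following simulation is an added example and is not SSIM code: the Manager names, the availability table and the connect callback are constructed, the "seconds between attempts" delays are omitted so it runs instantly, and the Directory variant (which picks the next Directory by nearest LDAP suffix rather than from a configured list) is modelled with the same ordered list.

```python
"""Failover policy simulation for the reconnect/failover/failback settings above.

Added example; this is not SSIM code and does not talk to a real Manager or
Directory. The Manager names and the availability table are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class FailoverPolicy:
    primary: str
    secondaries: List[str]          # ordered "Secondary (failover) Managers" list
    primary_attempts: int = 3       # Reconnect attempts before failover (primary)
    secondary_attempts: int = 2     # Reconnect attempts before failover (secondary)
    failback_interval_s: int = 30   # Seconds between failback connection attempts
    failback_period_s: int = 120    # Maximum failback retry period


@dataclass
class Selection:
    connected_to: Optional[str]     # None when nothing was reachable
    failed_over: bool
    trace: List[str] = field(default_factory=list)   # every host tried, in order


def select_manager(policy: FailoverPolicy, connect: Callable[[str], bool]) -> Selection:
    """Try the primary, then each secondary in list order; stop at the first success.

    ``connect`` stands in for the real connection attempt; the delay between
    attempts is left out so the function returns immediately.
    """
    sel = Selection(connected_to=None, failed_over=False)

    def reachable(host: str, attempts: int) -> bool:
        for _ in range(attempts):
            sel.trace.append(host)
            if connect(host):
                return True
        return False

    if reachable(policy.primary, policy.primary_attempts):
        sel.connected_to = policy.primary
        return sel
    sel.failed_over = True          # this is where a connection-failure event would be logged
    for host in policy.secondaries:
        if reachable(host, policy.secondary_attempts):
            sel.connected_to = host
            break
    return sel


def attempt_failback(policy: FailoverPolicy, connect: Callable[[str], bool],
                     current: str) -> Tuple[str, bool]:
    """Retry the original primary until the maximum failback retry period is used up.

    Returns (manager, promoted). If the primary answers, the client returns to it.
    Otherwise ``current`` becomes the new permanent primary (promoted=True), which
    the page says can only be undone manually from the Primary Manager list.
    """
    attempts = max(1, policy.failback_period_s // policy.failback_interval_s)
    for _ in range(attempts):
        if connect(policy.primary):
            return policy.primary, False
    return current, True


# Constructed availability table: the primary and the first secondary are down.
AVAILABILITY: Dict[str, bool] = {"mgr-primary": False, "mgr-sec-1": False, "mgr-sec-2": True}
POLICY = FailoverPolicy("mgr-primary", ["mgr-sec-1", "mgr-sec-2"])


def demo() -> Tuple[Selection, Tuple[str, bool], Tuple[str, bool]]:
    """One failover, one failback that times out, then a failback after the primary returns."""
    def connect(host: str) -> bool:
        return AVAILABILITY[host]

    sel = select_manager(POLICY, connect)
    stuck = attempt_failback(POLICY, connect, sel.connected_to)
    AVAILABILITY["mgr-primary"] = True      # primary comes back
    restored = attempt_failback(POLICY, connect, sel.connected_to)
    AVAILABILITY["mgr-primary"] = False     # reset so demo() is repeatable
    return sel, stuck, restored


if __name__ == "__main__":
    selection, timed_out, recovered = demo()
    print(selection.trace, selection.connected_to, timed_out, recovered)
```

The trace shows why the reconnect counts matter operationally: with three primary attempts and two per secondary, a client whose primary and first secondary are both down makes six connection attempts before it is serviced, and every such episode is a connection-failure event that the "Generate a Multiple Connection Failure Event" settings can summarise.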

Agent configurations

Agent configurations describe how Agents behave and how they communicate with their corresponding Managers. The settings include what primary and secondary server to connect to, how to get configuration information and report inventory, and how these computers should receive LiveUpdate information.

Table 18-5 lists the tabs on which you can change settings for Agent Configurations.

Table 18-5  Agent Configuration tabs

  General
    Contains the name, description, and modification date of the configuration.

  Common
    Controls settings that are common to all Agent services. This tab lets you specify the location of Manager servlets, the batch logging interval, and whether debug is used. The other settings on this tab are only used when a product is installed that contains a 1.1 Agent.

  Configuration
    Lets you specify how often the Agent Configuration Provider should check with its Manager for configuration updates. This value is independent of using Distribute to send configurations to the Agent directly through the Command Servlet. This setting refers to how long the client waits before asking for new configurations, if it is not contacted sooner.

  Inventory
    Lets you configure the Agent Inventory Provider to report inventory information for each Agent. This inventory contains information as to what components are installed, and what version of those components reside on the Agent. You can set how often to report inventory, and how long to wait between failed inventory attempts.

  State
    Lets you configure the Agent State Provider to report state information for all Agent providers. Each provider is given the opportunity to report its operational state to its Manager. This information includes what Manager it is currently connected to, what its starting mode is, and what configuration it currently uses.

Table 18-5  Agent Configuration tabs (continued)

  Logging
    Manages the Information Manager Event Logging Provider so that all events that are logged through the Agent are sent reliably to its Manager. The logging provider stores events locally if it cannot forward them immediately to its Manager. You can specify the listening port, what Manager servlet to contact, and how to cache events before sending them to the Manager. Many of these settings control how events are forwarded to the Manager. If you change the Logging Servlet value to an incorrect value, you may not be able to forward events to the Agent's Manager.

  LiveUpdate
    Lets you schedule a one-time LiveUpdate for the Agent. You can also set several retry and delay settings that relate to running a LiveUpdate session on the Agent.

  Heartbeat
    Lets you enable and configure heartbeat for critical and non-critical services.

Managing the Manager

The Manager supports many common administrative tasks.

Setting up blacklisting for logon failures

When failed attempts to log on to the Information Manager console occur repeatedly, it may indicate an attempt to break in to the system. Information Manager blacklists computers from which repeated failed logon attempts are made. The Administrative tab lets you control how Information Manager responds to logon failures.

To set up blacklisting for logon failures
1 In the Information Manager console, on the System page, on the Product Configurations tab, expand SESA 2.5 > Manager Components Configurations.
2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 On the Administrative tab, to control how Information Manager handles blacklisting for logon failures, do the following:
    Blacklist threshold time
      Adjust the window of time during which failed logon attempts are accumulated. When the accumulated count is larger than the blacklist threshold count, the IP address from which the logon attempts originate is added to the blacklist.
    Blacklist threshold count
      Specify the number of failed logon attempts, within the blacklist threshold time, that causes an IP address to be placed on the blacklist.
    Blacklist entry duration
      Specify the length of time that the IP address will remain on the blacklist before it is automatically removed and logons from the IP address are again permitted.
4 Click Save.

Restricting access to the IBM HTTP Server

You can restrict access to the IBM HTTP Server by allowing only certain IP addresses to connect to the server. When an IP address that is not allowed attempts to access the HTTP Server, the server displays a Web page containing the following error message:
  HTTP Error Forbidden. You are not authorized to view this page.
To restrict access, you can use the Allow From parameter in the Httpd.conf file. You can configure the Httpd.conf file through the IBM HTTP Server.

To restrict access to the HTTP Server
1 On the computer on which you installed the SESA Manager, in an Internet browser, type the following URL:
  http://<IP address or FQDN of the SESA Manager computer>
2 On the IBM HTTP Server interface, click Configure server.
3 Log on to the IBM HTTP Server as the Administrator using the Web Server account. You supplied the Web Server user name and password when you used the SESA Installation Wizard to install the IBM HTTP Server. A wizard screen prompted you for an existing Windows user name and password.

4 In the left pane of the Internet browser, expand the Access Permissions folder, and then check Other Access.
5 In the Other Access right pane, ensure that <Global> is selected.
6 Select the appropriate restrictions.
7 Click Submit.

Configuring SESA Manager servlet logs

Servlet logs are configured by default to contain a minimal amount of information. However, you can configure them to log a great deal more. You configure the logs in the Symantec management console. You can specify the location of the Manager servlet logs when you install SESA.

To configure SESA Manager servlet logs
1 In an Internet browser, type the following URL:
  http://<IP address or FQDN of SESA Manager computer>/sesa/ssmc
2 Log on to the Symantec management console using a SESA user account that has sufficient rights to modify SESA configurations.
3 In the Symantec management console, on the Configurations tab, expand the desired SESA domain.
4 Under the SESA domain, expand SESA 2.5 > Manager Configurations.
5 Select the configuration that you want to edit.
6 In the right pane, on the Debug tab, enable one or more of the debugging types. Enabling the debugging options provides more robust logging of data in the SESA servlet logs.
7 Click Save.
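The three blacklist settings in "Setting up blacklisting for logon failures" above (blacklist threshold time, blacklist threshold count, blacklist entry duration) describe a sliding-window counter with a timed penalty; the same shape underlies the Throttle and Configuration tab settings that deny a hyperactive client for an allotted time, and the "Generate a Multiple Connection Failure Event" count-within-period settings. The following model is an added example, not SSIM code: the class, the sample log lines and the timestamps (plain seconds, not the product's log format) are all constructed to show how the three values interact, including an entry timing out and a correct password being refused while its source is blacklisted.

```python
"""Sliding-window blacklist for repeated logon failures.

Added example, not SSIM code: it models the three Administrative-tab settings
(blacklist threshold time, blacklist threshold count, blacklist entry duration).
The log lines below are constructed; timestamps are seconds, not a real log format.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LogonBlacklist:
    def __init__(self, threshold_time: float, threshold_count: int, entry_duration: float):
        self.threshold_time = threshold_time      # window in which failures accumulate
        self.threshold_count = threshold_count    # failures the window may hold before blacklisting
        self.entry_duration = entry_duration      # how long an IP stays on the blacklist
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._expiry: Dict[str, float] = {}       # ip -> time the entry times out

    def is_blacklisted(self, ip: str, now: float) -> bool:
        """True while an entry exists; an expired entry is dropped on the way out."""
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[ip]                  # automatically removed, logons permitted again
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed logon; return True if this pushed the IP onto the blacklist."""
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.threshold_time:
            window.popleft()                      # forget failures outside the threshold time
        if len(window) > self.threshold_count:    # page: "larger than the blacklist threshold count"
            self._expiry[ip] = now + self.entry_duration
            window.clear()
            return True
        return False


# Constructed sample: "<seconds> <source ip> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
0 203.0.113.7 FAIL
10 203.0.113.7 FAIL
20 203.0.113.7 FAIL
25 203.0.113.7 FAIL
30 203.0.113.7 SUCCESS
40 198.51.100.5 FAIL
700 198.51.100.5 FAIL
"""


def replay(log: str, bl: LogonBlacklist) -> List[Tuple[int, str, str]]:
    """Feed each logon outcome through the blacklist; return (time, ip, decision) rows.

    Decisions: "denied" (rejected before any password check because the source is
    blacklisted), "blacklisted" (this failure crossed the threshold), "fail", "success".
    """
    rows = []
    for line in log.splitlines():
        ts, ip, outcome = line.split()
        now = int(ts)
        if bl.is_blacklisted(ip, now):
            rows.append((now, ip, "denied"))
        elif outcome == "FAIL" and bl.record_failure(ip, now):
            rows.append((now, ip, "blacklisted"))
        else:
            rows.append((now, ip, outcome.lower()))
    return rows


if __name__ == "__main__":
    policy = LogonBlacklist(threshold_time=60, threshold_count=3, entry_duration=600)
    for row in replay(SAMPLE_LOG, policy):
        print(row)
```

With a 60-second threshold time, a threshold count of 3 and a 600-second entry duration, the fourth failure from 203.0.113.7 within the window triggers the entry, the later correct logon from that address is refused until the entry duration elapses, and the two failures from 198.51.100.5 never accumulate because they are 660 seconds apart. Shortening the threshold time or raising the count reduces false positives for legitimately noisy sources, at the cost of tolerating slower guessing.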
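The "Restricting access to the IBM HTTP Server" procedure above says to use the Allow From parameter in Httpd.conf but does not show the resulting directives. The fragment below is an added example and is not taken from the SESA or IBM HTTP Server documentation; it uses the mod_access directive syntax of the Apache-based IBM HTTP Server of this era, and the subnet and host addresses are placeholders.

```apacheconf
# Added example of an Allow from restriction in httpd.conf; not from the
# SESA or IBM HTTP Server documentation. The addresses are placeholders:
# replace them with your administrative subnet and console hosts.
# Apache only accepts comments on their own lines, never after a directive.

<Location />
    # Evaluate Deny first, then Allow; anything not explicitly allowed is refused
    Order deny,allow
    Deny from all
    # placeholder administrative subnet
    Allow from 10.10.0.0/16
    # placeholder console hosts
    Allow from 192.0.2.10 192.0.2.11
</Location>
```

The unrestricted state the procedure starts from is equivalent to "Order allow,deny" with "Allow from all". With the restriction in place, a request from any other source receives the Forbidden page described above, so check the server's access and error logs for unexpected refusals after distributing a change, and keep the Manager and Agent addresses in the allowed set or they lose access to the servlets.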

Section 5  Managing appliance data

  Managing the directory service
  Managing event archives
  Maintaining the Symantec Security Information Manager database


Chapter 19  Managing the directory service

This chapter includes the following topics:
  About LDAP backup and restore
  Backing up the security directory
  Restoring the security directory

About LDAP backup and restore

Symantec Security Information Manager provides utilities to perform Lightweight Directory Access Protocol (LDAP) backup and restore of the security directory on demand. Each utility calls a set of IBM tools in a script. You access these utilities through the Information Manager Web configuration interface.

Backing up the security directory

To perform an LDAP backup operation, you must be logged on with an account that has administrative privileges, such as root.

To back up the security directory
1 From the Information Manager Web configuration interface, click Database Utilities.
2 Click LDAP Backup.
3 In the fields provided, enter the specified logon credentials.
4 Click Backup LDAP. At the bottom of the page, you can view the status of the job as it processes.

Working with the console during backup may result in authentication errors, because the directory server shuts down during the process.

The first time you perform a backup, a file called ldifbackup is created in this folder:
  dbsesa/backup/ldap
Thereafter, each time you perform a backup, the following actions occur:
  The existing ldifbackup file is renamed ldifbackup.1.
  The new backup file is named ldifbackup.
If you want to maintain more than two backup files, rename ldifbackup.1 before you perform the next backup. You may move the file to another location, if you wish.

Restoring the security directory

The tools in the LDAP Restore script use the ldifbackup file to restore the directory. If you want to use a different file, you must rename that file accordingly and make sure that the file resides in this folder:
  dbsesa/backup/ldap
To execute the LDAP Restore script, you must be logged on with an account that has administrative privileges, such as root.

To restore the security directory
1 Make sure that the data you want to restore is in this file:
  dbsesa/backup/ldap/ldifbackup
  If you want to restore from a file other than the current ldifbackup, rename that file, and then rename the backup file that you want to restore to ldifbackup.
2 From the Information Manager Web configuration interface, click Database Utilities.
3 Click LDAP Restore.
4 On the Warning dialog box, click OK to confirm that you want to restore the directory. The script uses the file named ldifbackup to restore the directory.

Working with the console during directory restore may result in authentication errors, because the directory server shuts down during the process.
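The backup procedure keeps only ldifbackup and ldifbackup.1, and the restore procedure reads only a file named ldifbackup, so keeping more generations and restoring an older one are both manual rename steps. The helper below is an added example, not one of the product's utilities: rotate_previous() performs the "rename ldifbackup.1 before the next backup" step for any retention depth, and stage_for_restore() performs the rename in step 1 of the restore procedure while setting the current file aside. The documented folder dbsesa/backup/ldap is recorded as a constant; run_demo() works in a temporary directory with constructed files so it can be run anywhere.

```python
"""Keep more than two generations of the ldifbackup file.

Added helper, not part of the SSIM utilities. The appliance renames ldifbackup
to ldifbackup.1 on each backup (overwriting the previous .1); running
rotate_previous() before each backup shifts the numbered copies up instead.
BACKUP_DIR is the documented location; run_demo() uses a temporary directory
with constructed files.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

BACKUP_DIR = "dbsesa/backup/ldap"   # documented location of ldifbackup


def rotate_previous(backup_dir: str, name: str = "ldifbackup", keep: int = 5) -> List[str]:
    """Shift name.1 .. name.(keep-1) to name.2 .. name.keep, dropping name.keep.

    Run this before clicking Backup LDAP; the appliance then renames the current
    ``name`` to ``name.1`` and writes the new backup as ``name``, so ``keep``
    numbered generations survive. Returns the backup file names present afterwards.
    """
    d = Path(backup_dir)
    oldest = d / f"{name}.{keep}"
    if oldest.exists():
        oldest.unlink()                            # beyond the retention depth
    for i in range(keep - 1, 0, -1):               # oldest first so nothing is clobbered
        src = d / f"{name}.{i}"
        if src.exists():
            src.rename(d / f"{name}.{i + 1}")
    return sorted(p.name for p in d.iterdir()
                  if p.name == name or p.name.startswith(name + "."))


def stage_for_restore(backup_dir: str, generation: int, name: str = "ldifbackup") -> Path:
    """Make numbered generation ``generation`` the file the LDAP Restore script reads.

    The restore script only ever reads ``name``; the current ``name`` is set
    aside as ``name.current`` so it is not lost.
    """
    d = Path(backup_dir)
    chosen = d / f"{name}.{generation}"
    if not chosen.is_file():
        raise FileNotFoundError(f"no such backup generation: {chosen}")
    current = d / name
    if current.exists():
        current.replace(d / f"{name}.current")
    chosen.rename(current)
    return current


def run_demo(root: Optional[str] = None) -> Dict[str, object]:
    """Constructed scenario: three generations, one rotation, then restore from the oldest."""
    d = Path(root or tempfile.mkdtemp(prefix="ldifbackup-demo-"))
    for fname, body in (("ldifbackup", "newest"), ("ldifbackup.1", "older"),
                        ("ldifbackup.2", "oldest")):
        (d / fname).write_text(body)
    after_rotate = rotate_previous(str(d), keep=3)
    restored = stage_for_restore(str(d), generation=3)
    return {
        "after_rotate": after_rotate,
        "restore_source": restored.read_text(),
        "set_aside": (d / "ldifbackup.current").read_text(),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the directory server is stopped during both backup and restore, run the rotation before starting the backup job rather than while it is in progress, and confirm that the file you staged is the one you intend before clicking OK on the restore warning.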


Chapter 20
Managing event archives

This chapter includes the following topics:
- About event archives
- Specifying event archive settings
- Creating local event archives
- Viewing event archives
- Querying event archives

About event archives

Event archives provide a compact, convenient way to store event data for regulatory compliance, forensic research, and long-term data retention. Event archives contain event data from the security products that are set up to forward events to a Symantec Security Information Manager appliance.

Note: By default, event archives are stored for up to 60 days, but you can specify a longer retention period. However, when the available appliance disk space runs low, the appliance purges event archives. The two most recent event archive files are always preserved, even when disk space is low. If your company requires long-term retention of event data, you can use scp or rsync over an SSH connection to copy the event archives off the appliance.

The Symantec Direct Attached Storage D10 device (DAS) provides external storage for the Information Manager appliance. Symantec strongly recommends the use of the DAS with the 9500 and 9630 (2-disk) appliances. (Without the DAS, these appliances will quickly fill to capacity.) Depending on your storage requirements, you may also need the DAS with the 9550 and 9650 (6-disk) appliances.

Event archive viewer

The event archive viewer enables you to view and search for information about archived events in both graphical and text formats. You select the archive you want to research, and the viewer displays a histogram that represents the data stored in that archive. You can then narrow the display to a particular historical period (for example, the previous month or a specific one-hour period). You can display event details in a table and drill down to get all details about one event at a time. A filtering feature enables you to query for all events that have one or more common characteristics. You can also create incidents based on events.

Specifying event archive settings

The event archive feature has several settings that determine how much data is stored and how long the data is stored. You can change the default settings in the Information Manager console. Event archiving is automatically enabled during Information Manager installation.

The name of the Information Manager appliance appears in the left pane of the System page. If you have multiple Information Manager appliances, each one appears in the tree.

If you also use a DAS for off-box storage, use the Information Manager Web configuration interface to specify the event archive settings for the DAS. See the Symantec Security Information Manager Administrator's Guide for more information.

To specify event archive settings
1 In the Information Manager console, click System.
2 In the left pane of the Appliance Configurations tab, expand the tree and click the name of the Information Manager appliance.
3 In the Correlation area of the right pane, do one of the following:
- Check Correlation Appliance if this appliance performs event correlation.
- Uncheck Correlation Appliance if this appliance is for event collection only.

4 In the Archiving area of the right pane, specify the following settings:
Purge After: Specify how long event archives are stored on the appliance before they are automatically deleted.
Max Archive Quota: Specify the proportion of appliance disk space that can be used for storing event archives.
Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting could cause the appliance to run out of disk space.
Free Space Quota: Specify the proportion of appliance disk space that must be available to continue storing event archives.
Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting could cause the appliance to run out of disk space.
5 If you want to filter the events that are saved in the event archive, use the Event Criteria window in the right pane. See To filter with the advanced filter option on page 215.
6 Click Apply.

Creating local event archives

You can copy event archives from the Information Manager appliance to another computer, and then you can access these archives through the Information Manager console. Use the procedure in this section to create a local event archive.

Warning: Do not attempt to copy individual files, because they will not work as expected. You must follow the steps in this procedure in order to preserve the directory structure, which contains necessary date information.

To create a local event archive
1 Make sure that you have sufficient space on the Information Manager appliance for the .tar file that this procedure generates.
2 In a command window, type the following command, and then press Enter:
# cd /

3 Type the following command, and then press Enter:
# tar -cz eventarchive >eventarchive.tar.gz
Information Manager creates a gzipped .tar file in the root directory on the appliance. This file contains the event archive and its directory structure.
4 Transfer the gzipped .tar file to the desired location, by using FTP or another method of your choice.
5 Unzip the gzipped .tar file.
The events in the new local archive are now viewable in the Information Manager console, assuming that the user has access to the location where the local archive resides. See To view event archives on page 208.

Viewing event archives

You can view the events that are stored on the appliance (the "live" archive) and events that are stored in other network-connected locations ("local" archives). For example, a local archive may be stored on a Windows-based workstation.

There are two ways to view event archives:
- Use the Events page in the Information Manager console. You can browse various live and local archives, and you can explore data in various time ranges. This method is recommended when you are not sure of the exact range of data that you want to view. See To view event archives on page 208.
- Use the Query Wizard to create a query to be executed on a particular archive for a particular time period. This is the most efficient way to access information when you know exactly what you want to view. See Querying event archives on page 216.

To view event archives
1 In the Information Manager console, click Events.
The tree in the left pane displays the ID of the Information Manager appliance, where the live archive is stored.
2 Do one of these actions:
- To access the live archive, expand the tree under the Information Manager appliance ID, and then expand Events. Click All Events.
- To access a local archive, click Event Archives, click the + icon (the plus symbol) on the toolbar, and then navigate to the location of the archive.

After you select the archive, click All Events under the appropriate address in the left pane.
Archived event data is displayed in a histogram in the right pane.

To save displayed data to a file
1 Click the Export icon on the toolbar.
2 Navigate to the location where you want to save the file, and type a name in the File Name box.
3 Select the file type in the Files of Type drop-down list. You may save the screen image in Portable Document Format (PDF) or in HTML format.
4 Click Save.
Information Manager saves an image of the event archive window.

To remove a local archive from the viewer
1 In the left pane, click the name of the local archive that you want to remove.
2 Click the - icon (the minus symbol) on the toolbar.
Information Manager removes the event archive from the viewer. You can now use the left pane to navigate to a different event archive.

About the event archive viewer right pane

The right pane contains these components, which you can manipulate to display the data that you want:
- Event data histogram
- Event details table

Manipulating the event data histogram

The x-axis of the histogram is the time dimension, and the y-axis is the event count (by default). To identify specific time periods, move the mouse over the histogram and hover (without clicking) on one bar at a time. A label displays the date, time, and number of events that correspond to that bar.

The toolbar above the histogram includes several tools to change the appearance of the histogram to help you access the information that you want. You can manipulate the histogram in the following ways:
- To change the timeframe of the view, select an option from the View drop-down list; for example, select Last 12 hours. You can also choose a custom view. See Setting a custom date and time range on page 210.

- To expand the amount of data that is displayed in the current view of the histogram, click the Zoom Out icon. If you keep clicking, you gradually display the entire dataset in this window.
- To gradually narrow the amount of data that is displayed in the current view of the histogram, click the Zoom In icon.
- To change the time resolution on the x-axis, make a selection from the Resolution drop-down list. For example, select Hours to group the data in hour-long units.
- To search for a specific time period and event type, click the Search for Events (magnifying glass) icon. The Event Filter dialog box appears to let you choose a time range and filter criteria. See To filter with the advanced filter option on page 215.
- To move forward and backward in time, click the right-facing and left-facing arrows beside the histogram.
- To change the y-axis to display events per second, select Events per second. To return to the event count, select Event Count.

Setting a custom date and time range

If you want to fine-tune the period of time that is displayed in the histogram, select a custom view.

To set a custom date and time range
1 On the toolbar above the histogram, click the calendar icon, next to the View selection box.
2 In the Archive Time Range dialog box, in the Between: box, choose the start date and time of the time range. You can type the information in the box, use the up and down arrows, or click the calendar icon and then set the date and time on the Calendar dialog box.
3 In the and: box, choose the end date and time of the time range. You can type the information in the box, use the up and down arrows, or click the calendar icon and then set the date and time on the Calendar dialog box.
4 Click OK.
The event data histogram now displays data for the time range that you selected.
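A scripted version of the procedure under Creating local event archives, added here as an example that is not the guide's or the product's own code: it runs the same tar from the root directory so the directory structure (and the date information it carries) is preserved, writes a checksum for the transfer step, and refuses to extract a corrupted copy on the receiving machine. The root and output directories are parameters (an assumption, so the functions can be tried on a constructed scratch tree); the guide's values are / and /eventarchive.

```shell
#!/bin/sh
# Added example, not part of the Symantec guide: wraps the "Creating local
# event archives" steps so the eventarchive tree is packed from the root
# directory, shipped with a checksum, and checked after extraction.
# Assumption (not from the guide): the directory that contains eventarchive
# and the output directory are parameters so the functions can be tried on a
# scratch tree; on the appliance the root is / and the tree is /eventarchive.

# pack_event_archive ROOT OUT
# Equivalent to the guide's "cd /" followed by
# "tar -cz eventarchive >eventarchive.tar.gz", with the archive written to
# OUT. Members are stored relative to ROOT, so extraction recreates
# eventarchive/... instead of loose files (the warning in the guide).
# Also writes OUT/eventarchive.tar.gz.sha256 for checking after step 4.
pack_event_archive() {
    root=$1
    out=$2
    [ -d "$root/eventarchive" ] || return 1
    mkdir -p "$out" || return 1
    # "-f -" is the explicit form of the guide's redirection to stdout.
    ( cd "$root" && tar -czf - eventarchive ) > "$out/eventarchive.tar.gz" || return 1
    ( cd "$out" && sha256sum eventarchive.tar.gz > eventarchive.tar.gz.sha256 )
}

# unpack_event_archive TARBALL DEST
# Step 5 on the receiving machine: extract only if the checksum written by
# pack_event_archive matches, so a truncated or altered copy is rejected
# instead of producing a partial tree. Returns non-zero on mismatch.
unpack_event_archive() {
    tarball=$1
    dest=$2
    ( cd "$(dirname "$tarball")" \
        && sha256sum -c "$(basename "$tarball").sha256" >/dev/null 2>&1 ) || return 1
    mkdir -p "$dest" || return 1
    tar -xzf "$tarball" -C "$dest"
}

# archive_listing DIR: sorted relative paths below DIR/eventarchive, so the
# source tree and the extracted copy can be compared for identical structure.
archive_listing() {
    ( cd "$1" && find eventarchive -print | LC_ALL=C sort )
}

# Typical calls: on the appliance, pack_event_archive / /root/archive-out
# then copy both files off the box; on the workstation,
# unpack_event_archive eventarchive.tar.gz /path/for/local/archives
```

Copying the two files with scp or rsync over SSH, as the chapter introduction suggests, protects them in transit; the checksum only detects a damaged or incomplete copy.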

Viewing event details

In the lower area of the right pane, you can display a table that contains details for the entire range of events in the histogram or for a selected portion of the events. You can show details in the following ways:
- To display details for the entire set of events in the histogram, click the Select All (green check) icon on the toolbar.
- To remove all event details from the table, click the Deselect (red X) icon on the toolbar.
- Click one of the bars in the histogram to display event details for the time period contained in the bar.
- To select a time range, click any bar on the histogram, and then press the Shift key and click another bar on the histogram. The table displays details for all of the events in that time range.

In the lower-right corner of the details table, you can see the total number of events in the selected time range and the number of events in the displayed subset, for example, the first 5,000 events. To view the next group of events, click the forward arrow in the lower-right corner of the table. To view all of the details in one event record, double-click one row in the table.

Modifying the format of the event details table

Each column in the event details table represents one field from the event record. You can add, delete, and reorganize the columns in the table.

Note: An event record may include several date fields. Most events have a single event date, which is the time when the event occurred (not the date when Information Manager captured the event). In this case, the Event Date value and the Ending Event Date value are identical. If an event represents an aggregation of activity that takes place over a period of time, Event Date is the beginning of the time period, and Ending Event Date is the end time. Occasionally the event service registers an event with an incorrect Event Date or Ending Event Date. In these cases, Information Manager corrects the times in these fields and inserts the original (incorrect) times in the Original Event Date and Original Ending Event Date fields.

To add, delete, and organize table columns
1 Right-click on a column heading, and then click Add Column.
The Column Filter dialog box appears. The Selected Columns box shows all of the fields that are currently in the table.
Occasionally a collector sends data to Information Manager that does not correspond to any fields that are defined in the existing schema. When this occurs, the Column Filter dialog box displays the raw field name from the collector, for example bugtraq_ids. This may also occur if a collector's SIP is not installed on the appliance.
2 Do any of the following actions:
- To add a column, click a field name in the Available Columns box, and then click Add. You may also use the Ctrl key to select multiple field names, and then click Add.
- To add all of the available columns, click Add All.
- To delete a column, click one or more field names in the Selected Columns box, and then click Remove.
- To delete all of the columns, click Remove All.
- To change the position of a column, click a field name and then click Move Up or Move Down until the name is in the desired position. You can also click Move To Top or Move To Bottom.
3 When you finish making changes, click OK.
The changes appear in the event details table.

Now that you have modified the event details table to display the data that you want, you must save it as a query if you want to see the same data and the same format the next time you log in to Information Manager. See To save the modified table format on page 212.

To save the modified table format
1 After you finish modifying the table format, click the Save View icon above the table.
2 Type a query name, and then click OK.
The query is saved in the My Queries folder in the left pane. The next time you log in to Information Manager, you can select that query, and the table format will be the way you modified and saved it.

Filtering event data

You can filter event data in these ways:
- Filter on an individual cell in the event details table. You can filter on a cell that has data in it, and Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.
- Use the advanced filter option to select multiple filtering conditions in one operation.
- A third filtering method is a hybrid of these two methods. It is called filtering manually on a cell, and it allows you to create a more complex query than the simple cell filtering method, but it presets the first filtering condition for you. See To filter manually on a table cell on page 214.

To filter on a table cell
1 Right-click in the cell that you want to use as the filter condition. For example, if you want the table to display only level 3 events, right-click in a cell with severity level 3 in the Severity ID column.
2 Click Filter on cell. If you right-clicked in an empty cell, click Filter where cell is not empty.
One of the following happens:
- If you clicked Filter on cell, a new table displays only events that have the same value as the cell where you clicked, for example, severity level 3. The table has a tab at the top that is labeled Untitled.
- If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.
3 Do any of the following actions:
- To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK. If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
- To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option. See To filter with the advanced filter option on page 215.
- To delete the table, click the red X in the right corner above the table.

If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter manually on a table cell
1 Right-click in a cell that you want to use as a filter condition. For example, if you want the table to display only level 3 events, right-click in a cell with severity level 3 in the Severity ID column.
2 Click Manually filter on cell. If you right-clicked in an empty cell, click Manually filter where cell is not empty.
The Event Filter dialog box appears. One of the following happens:
- If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.
- If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition null.
3 To add more filter conditions, click the + icon (the plus symbol).
4 Click the first drop-down box, and then click an event field that you want to use as a filter.
5 Click the drop-down box to the right of the event field, and then click an operator, for example, the equals (=) symbol.
6 Click the drop-down box at the far right, and then click or type a value.
7 Do any of the following actions:
- To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl and click on the desired boxes, then click OR.
- To remove a field, click on the row and then click the - icon (the minus sign).
- To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
- In the Time range area, select the desired time range.
8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.

9 When you finish creating the query, click OK.
A new table displays only events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10 Do any of the following actions:
- To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK. If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
- To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See To filter on a table cell on page 213.
- To delete the table, click the red X in the right corner above the table.
If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter with the advanced filter option
1 Click Filter at the top of the table.
2 In the Event Filter dialog box, select the desired time range.
3 In the Filter criteria area, click the + icon (the plus symbol).
4 Click the first drop-down box, and then click an event field that you want to use as a filter.
5 Click the drop-down box to the right of the event field, and then click an operator, for example the equals (=) symbol.
6 Click the drop-down box at the far right, and then click or type a value.
7 Do any of the following actions:
- To filter on only one field, go to step 8.
- To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl and click on the desired boxes, then click OR.
- To remove a field, click on the row and then click the - icon (the minus sign).

- To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.
9 When you finish creating the query, click OK.
A new table displays only events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10 Do any of the following actions:
- To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK. If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
- To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See To filter on a table cell on page 213.
- To delete the table, click the red X in the right corner above the table.
If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

Querying event archives

You can query the event archives in these ways:
- Use any of the search templates that are listed in the left pane of the Events page. See Using the search templates on page 217.
- Manipulate the archive parameters displayed in the console and save them as a summary query for future use. See To create a summary query on displayed data on page 221.
- Import a query from another location and save it in the My Queries folder or the Published Queries folder. See To import a query on page 226.
- Use the Query Wizard to create a query against the event archives (event query). See To create an event query on page 221.

- Use the Query Wizard to create a query against the summarized event data (summary query). See To create a summary query on page 223.
- Use the Query Wizard to create a custom SQL query against the summarized event data (SQL query). See To create an SQL query on page 225.

After you create and save a query, you can insert it on the dashboard and use it in reports.

Creating query groups

When you create a query using the Query Wizard, you can save it to the My Queries folder, which is available only to you, or to the Published Queries folder, which is available to you and other users. You can also create query group subfolders in each of these folders, and you can save your new queries in these subfolders.

To create a query group
1 In the left pane of the Events page, navigate to the event archive where you want to create a query group.
2 Right-click either My Queries or Published Queries, and then click Add Query Group.
3 Type the group name and (optionally) the group description, and then click OK.
The name of the new query group appears as a subfolder under the folder you selected in step 2.

Using the search templates

Information Manager provides the following search templates, which let you run some basic queries on the event archives:
Recent Events: Displays the most recent event information in table form.
IP Address Activity: Displays a search template that lets you query for event records that include a specific IP address.
Host Activity: Displays a search template that lets you query for event records that include a specific host name.
User Activity: Displays a search template that lets you query for event records that include a specific user name.

Port Activity: Displays a search template that lets you query for event records that include a specific port number.

These templates are listed in the left pane, under Events. The templates make it easy for you to run some of the most commonly requested queries. After you create a query with a template, you can save the query for future use.

To view recent events
1 In the left pane of the Events page, navigate to the desired event archive.
2 Expand Events, and then click Recent Events.
In the right pane, a table displays the most recent event information. The table displays up to 5,000 events at a time. To see more events, click the Next Events arrow in the lower-right corner of the window. Each time you click this arrow, Information Manager displays the next group of events, in reverse chronological order, until you reach the beginning of the archive.

To run an IP Address Activity query
1 In the left pane of the Events page, navigate to the desired event archive.
2 Expand Events, and then click IP Address Activity.
3 In the IP Address box, type the IP address that you want to use in the query.
4 In the View drop-down list, select the period of time that you want to include in the query.
5 Select, with check marks, the column names that you want to use in the query. For example, if you want to locate all events that have a certain IP address as the IP Destination Address, check only that column name.
6 Click the Run icon.
The query searches the event archive for events that have the specified IP address in the selected columns. A table in the lower section of the right pane displays a list of events that meet the query criteria.
7 If you want to save the query, do the following:
- Click the Save icon in the toolbar above the table.
- In the Save Query window, type the name that you want to assign to the query.
- Click OK.
The query name appears under My Queries in the left pane.

To run a Host Activity query
1 In the left pane of the Events page, navigate to the desired event archive.
2 Expand Events, and then click Host Activity.
3 In the Host Name box, type the host name that you want to use in the query.
4 In the View drop-down list, select the period of time that you want to include in the query.
5 Select, with check marks, the column names that you want to use in the query. For example, if you want to locate all events that have a certain host name as the Source Host Name, check only that column name.
6 Click the Run icon.
The query searches the event archive for events that have the specified host name in the selected columns. A table in the lower section of the right pane displays a list of events that meet the query criteria.
7 If you want to save the query, do the following:
- Click the Save icon in the toolbar above the table.
- In the Save Query window, type the name that you want to assign to the query.
- Click OK.
The query name appears under My Queries in the left pane.

To run a User Activity query
1 In the left pane of the Events page, navigate to the desired event archive.
2 Expand Events, and then click User Activity.
3 In the User name box, type the name that you want to use in the query.
4 In the View drop-down list, select the period of time that you want to include in the query.
5 Select, with check marks, the column names that you want to use in the query.
6 Click the Run icon.
The query searches the event archive for events that have the specified name in the selected columns. A table in the lower section of the right pane displays a list of events that meet the query criteria.
7 If you want to save the query, do the following:
- Click the Save icon in the toolbar above the table.

- In the Save Query window, type the name that you want to assign to the query.
- Click OK.
The query name appears under My Queries in the left pane.

To run a Port Activity query
1 In the left pane of the Events page, navigate to the desired event archive.
2 Expand Events, and then click Port Activity.
3 In the Port box, type the port number that you want to use in the query.
4 In the View drop-down list, select the period of time that you want to include in the query.
5 Select, with check marks, the column names that you want to use in the query.
6 Click the Run icon.
The query searches the event archive for events that have the specified port number in the selected columns. A table in the lower section of the right pane displays a list of events that meet the query criteria.
7 If you want to save the query, do the following:
- Click the Save icon in the toolbar above the table.
- In the Save Query window, type the name that you want to assign to the query.
- Click OK.
The query name appears under My Queries in the left pane.

Creating custom queries

This section describes the various ways that you can create a custom query and save it for reuse.

When you create a query, you must assign it a unique name. Be sure to follow these rules for assigning a valid query name:
- It must not be null.
- It must have at least one alphanumeric character.
- It must consist only of alphanumeric characters and white spaces created with the space bar.
- It must not exceed 64 characters, including alphanumeric characters and white spaces.

To create a summary query on displayed data
1 Manipulate the event archive parameters as described in the discussion of archive viewing. See Manipulating the event data histogram on page 209.
2 After you have set the parameters the way you want to save them, click Top N by Field in the left pane.
A chart replaces the histogram and event details table. By default, the chart is Top 5 Events by Product.
3 Choose the chart criteria:
- In the Top drop-down list, select a number.
- In the field name drop-down list, select the field you want to sort by.
- In the View drop-down list, select the time period to display.
The chart changes to reflect the criteria that you set.
4 Click on a segment of the chart to drill down to the events represented by that segment.
A table below the chart lists the events that are represented by the segment. You can click on different chart segments until the table displays the data that you want to save.
5 To save the query, click the Save View icon above the table.
6 In the Save Query dialog box, type the query name. Be sure to use only alphanumeric characters in the query name.
7 Click OK.
The name of the query appears under My Queries in the left pane. If you want to save the query in a query group, use the mouse to drag the query name to the desired group.

To create an event query
1 In the left pane of the Events page, navigate to the location where you want to save the query. You can save the query in My Queries (available only to you), Published Queries (available to you and other users), or a query group folder under either of these folders.
2 Right-click on the name of the folder where you want to save the query, and then click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Event Query, and then click Next.
4 Select the event query type, and then click Next.

222

Event Details generates a table that contains all of the fields in the event archive.
Event Counts by Field generates a Top N summary query that is sorted by the field that you select in the By box. You also select the event count value in the Top box.
5 Specify the time range and filter criteria:
If you select View, select a time-period option from the drop-down list.
If you select Between, use the calendar drop-down lists to set the time range.
If you select Complete, Information Manager queries the entire event archive.
If you want to filter the data, specify the filter criteria. See To filter with the advanced filter option on page 215.
6 Click Next.
One of the following panels appears:
If you selected Event Details in step 4, the Archive Events panel appears. Go to step 10.
If you selected Event Counts by Field in step 4, the Chart Presentation panel appears. Go to step 7.
A panel displays a sample table that is based on the filtering options that you selected.
7 Use the Chart Type drop-down box to select a type, for example, a pie chart or a table.
You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
A title to appear above the table or graph (not necessarily the same as the query name)
Labels for the y-axis and the x-axis, for some chart types
A footer, for table charts
8 If you want to see a preview of the query results, click Preview.
9 When you finish customizing the appearance of the chart, click Next.
A chart sample appears, displaying the title and any labels that you assigned.

223

10 In the Query Name box, type the name that you want to appear in the left pane. Use only alphanumeric characters and spaces in the query name.
If this is an Event Details query, you can click Preview to see a preview of the query results.
11 Click Finish.
The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To create a summary query
1 In the left pane of the Events page, navigate to the location where you want to save the query.
You can save the query in My Queries (available only to you), Published Queries (available to you and other users), or a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and then click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Summary Query, and then click Next.
4 In the Summary Table box, expand Events, and then select a table from the list of presummarized tables in the database.
A description of the table appears in the Table Description box. The icon next to the table name indicates its type, which is spelled out in the Legend box.
5 After you select the table that you want, click Next.
6 Select a column index from the drop-down list.
A list of indexed fields from the database index appears in the Display Columns area.
7 Click to select one or more columns to display in the query, and then click Next.
8 Specify the time range:
If you select View, select a time-period option from the drop-down list.
If you select Between, use the calendar drop-down lists to set the time range.
If you select Complete, Information Manager queries the entire event archive.
9 If you want to filter the data, specify the filter criteria, and then click Next.
For instructions on filtering, see To filter with the advanced filter option on page 215.

224

10 Sort the columns in the query (optional for use with the Table format).
See To sort columns in a summary query on page 224.
11 Use the Chart Type drop-down box to select a type, for example, a pie chart or a table.
You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
A title to appear above the table or graph (not necessarily the same as the query name)
Labels for the y-axis and the x-axis, for some chart types
A footer, for table charts
12 Click Next.
A query sample appears, displaying the title and any labels that you assigned.
13 In the Query Name box, type the name that you want to appear in the left pane. Use only alphanumeric characters and spaces in the query name.
14 Click Finish.
The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To sort columns in a summary query
1 On the right side of the Column Sorting panel, click Add Column.
2 Click in the Sort Column column, and then select a field to be sorted in the query table.
3 Click Asc (ascending) or Desc (descending) to determine the way the data in the column will appear.
4 Repeat steps 1 through 3 if you want to sort more fields.
5 Use the other buttons (for example, Move Up) until you have the columns arranged in the proper order.
6 For Max Rows Return, do one of the following actions:
To return every row in the database, click All.
To return a specific number of rows, click Top, and then select a number.
7 Click Next to continue creating a summary query.
Return to the step in which you select the format for the query results in the procedure called To create a summary query on page 223.

225

To create an SQL query
1 In the left pane of the Events page, navigate to the location where you want to save the query.
You can save the query in My Queries (available only to you), Published Queries (available to you and other users), or a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and then click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Advanced SQL Query, and then click Next.
4 In the text box, type or paste an SQL statement.
The following actions are optional:
In the Maximum rows box, select the maximum number of rows to appear in the table.
View a list of tables and fields in the database by clicking Show Schema.
5 Click Test Query.
Information Manager runs the SQL query and displays the result in table form. While the query runs, you may stop it by clicking Stop Query.
6 Repeat steps 4 and 5 until you are satisfied with the query, and then click Next.
7 Use the Chart Type drop-down box to select a type, for example, a pie chart or a table.
You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
A title to appear above the table or graph (not necessarily the same as the query name)
Labels for the y-axis and the x-axis, for some chart types
A footer, for table charts
8 If you want to see actual data in a preview chart, click Preview.
9 When you finish customizing the appearance of the chart, click Next.
A chart sample appears, displaying the title and any labels that you assigned.
10 In the Query Name box, type the name that you want to appear in the left pane. Use only alphanumeric characters and spaces in the query name.
11 Click Finish.
The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.
Note: The statement that you enter runs directly against the Information Manager database, and a query that you save under Published Queries is available to all other console users. Review an SQL query carefully before you publish it.

226

Editing queries
If you want to modify some of the properties of a query, you can edit it.
Note: You can edit only the queries under My Queries and Published Queries. You cannot edit or delete System Queries. However, you can drag a query from System Queries into My Queries or Published Queries, and then edit and save it.

To edit a query
1 In the left pane of the Events page, navigate to the query that you want to modify.
2 Right-click the query name, and then click Edit Query.
3 Use the fields on the Edit dialog box to modify the query.
The available fields depend on the type of query that you selected. For example, if it is an SQL query, you can modify the SQL statement.
4 When you finish editing the query, click OK.
The results of the modified query appear in the right pane.

Importing queries
Information Manager lets you import a query (a file with the .qml extension) from a folder on your computer. You can place the query in the My Queries folder, the Published Queries folder, or in any query group in one of those folders.
Because an imported query file can contain an SQL statement that runs against the Information Manager database as soon as the query is run, import only query files that come from a source you trust, and review the query before you publish it.

To import a query
1 In the left pane of the Events page, click the location where you want to save the query.
You can save the query in My Queries (available only to you), Published Queries (available to you and other users), or a query group folder under either of these folders.
2 On the toolbar, click Import Query.
3 Browse to the location where the query resides, and then click the name of the query file.
4 Click Open.
The name of the query appears in the left pane under the folder that you selected. The results of the query appear in the right pane.

227

Exporting queries
You may want to save a query in a different location, for example, as a file on a computer hard drive or CD. You can then attach the query to an e-mail message or copy it to another computer. The export feature also lets you export a System Query, which you can then import into My Queries or Published Queries for editing.

To export a query to a file
1 In the left pane of the Events page, click the name of the query that you want to export.
The query results appear in the right pane.
2 On the toolbar, click Export Query.
3 In the Save dialog box, navigate to the location where you want to save the file and type a name in the File Name box.
4 Select the file type from the Files of Type drop-down list.
If you want to be able to edit the file, select QML Files as the file type.
5 Click Save.
Information Manager saves the query in the location you specified.

Publishing queries
You are the only user who can access the queries in the My Queries folder and its subfolders. If you want to make a query available to other users, you can copy it to the Published Queries folder.

To publish a query
1 In the left pane of the Events page, locate the query under My Queries that you want to publish.
2 Right-click the query name, and then click Publish Query.
3 Click Yes to confirm that you want to publish the query.
The query name appears under the Published Queries folder in the left pane.
4 If you want to move the query into a query group under Published Queries, drag the query name to the desired group.

Deleting queries
If you no longer need a query, you can delete it.

228

Note: You can delete only the queries under My Queries and Published Queries. You cannot delete System Queries.

To delete a query
1 In the left pane of the Events page, navigate to the query that you want to delete.
2 Right-click the query name, and then click Delete Query.
3 Click Yes to confirm that you want to delete the query.
The query name is removed from the list in the left pane.

229

Chapter 21
Maintaining the Symantec Security Information Manager database

This chapter includes the following topics:
About data maintenance
Checking database status
Backing up and restoring the database
About purging event summary and incident data
Reviewing maintenance history

About data maintenance
The Symantec Security Information Manager appliance uses an IBM DB2 database to store event summary, incident, ticket, and report data. These elements are stored in separate tablespace containers in the database.
The most common maintenance tasks have been automated to make the database largely self-maintaining. The status of the database is checked regularly, and such tasks as database reorganization and statistics gathering occur automatically as they are required.
Note: Raw event data is stored in the Information Manager event archives. In previous releases, raw event data was stored in DB2, but this is no longer the case.

230

Purges are performed automatically on a daily basis to prevent the database from filling to capacity. You can adjust the purge parameters to purge or retain particular types of data. You can back up and restore the database, and you can enable automatic backups.
Information Manager provides utilities that you can use to do the following:
Check the status of the database
See Checking database status on page 230.
See Reviewing maintenance history on page 238.
Control regularly scheduled database maintenance activities
See Enabling and scheduling automated backups on page 232.
See About purging event summary and incident data on page 234.
Back up the database at will
See Initiating a backup on page 233.
Restore the database to a backup image
See Restoring the database from a backup image on page 233.
Purge events and incidents at will
See Initiating a purge on page 236.

Checking database status
The Status pane displays current information about the overall health of the Information Manager database. The Status pane also displays the status of maintenance jobs that run to keep the database healthy. The information in the Status pane is updated automatically as conditions change.
The Status pane includes the following sections:
Database Health Monitor
Indicates the current health status of the database. See About the health monitor service on page 231.
Database Space
Displays the amount of space that is currently used by the summary events and incidents tablespaces. For each tablespace, the value is expressed as a percentage of the total space that is available to that tablespace.
Job Status
Lists the current status of data maintenance activities. Regularly scheduled jobs are listed, along with any jobs that you initiate manually.

231

To check database status
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Status.
3 To refresh the status information immediately, click Refresh.

About the health monitor service
The database on the Symantec Security Information Manager appliance includes a health monitor service that checks the health status of the database at regular intervals. In the Status pane, the Database Health Monitor section displays one of the following status indicators: OK, Warning, Alarm, or Critical.
The Warning, Alarm, and Critical status indicators appear in the following circumstances:
The Warning indicator appears if a tablespace reaches 60 percent of total capacity, or whatever percentage you specify for the Safe Level parameter in the Options pane.
The Alarm indicator appears if a tablespace reaches 70 percent of total capacity, or whatever percentage you specify for the Alarm Level parameter in the Options pane. If a tablespace reaches the Alarm threshold, data is purged automatically until the size falls below the configured safe level.
The Critical indicator appears if a tablespace reaches 95 percent of total capacity.
The tablespace size can reach the critical level in certain situations. For example, a scheduled health check might be delayed by a lengthy backup at the same time that a high number of new incidents are generated. In this case, the tablespace size could reach the critical level before the health check is run. If the tablespace size reaches the critical level, data is purged automatically. Event logging and correlation are suspended during the purge and resume once the size falls below the configured safe level.
See Adjusting the thresholds for size-based purges on page 236.
Backing up and restoring the database
When Symantec Security Information Manager is installed, a full, offline backup of the database is performed. Subsequently, all backups that are performed are

full, online backups.

232

An online backup is performed while the database is running to ensure the continuous availability of data to the Information Manager console.
During a backup, all DB2 data is backed up, along with all of the logs and other metadata that DB2 requires to restore the database. This backup does not affect the event archives, which are not stored in DB2.
You can enable automatic backups in the Options pane. You can initiate a manual backup in the Backup pane.
Note: A full backup can be a lengthy operation, and server performance can be affected during the backup. Other health maintenance jobs will not start until the backup is completed.
See Enabling and scheduling automated backups on page 232.
See Initiating a backup on page 233.
See Restoring the database from a backup image on page 233.
See Specifying a third-party backup solution on page 233.

Enabling and scheduling automated backups
You can enable automated daily backups of the database. The online backup method is used to create the backup image, which is stored on the Information Manager appliance. If necessary, backup images are deleted to prevent the disk from filling up. Because the images live on the appliance itself and can be deleted automatically, copy any image that you must retain to external storage, or use a third-party backup solution that writes to external media.
You can specify the time of day at which the backups begin. To minimize any impact on server performance, choose a time that corresponds to typical periods of low activity. The default maintenance time is 1:00 A.M.

To enable and schedule automated backups
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Options pane, in the Automated Backup section, click Enabled.
4 To set the time of day for backups, in the General Maintenance section, select an option from the Maintenance time drop-down list.
5 To apply your changes, click Apply.

233

Initiating a backup
You can initiate a full, online backup of the database at any time in the Backup pane. This backup operation is independent of the automated backup operations that may be enabled.

To initiate a backup
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Backup.
3 In the Backup pane, click Back Up.
4 When you are prompted to confirm your action, click OK.

Restoring the database from a backup image
You can restore the database from a backup image at any time. All available backup images are listed according to the date and time that each backup was created. The server is taken offline during the restore operation. The server restarts automatically when the operation is complete.
Warning: When you restore the database to a backup image, all other backup images, whether older or newer, are deleted from the appliance. If you might need any of those images later, copy them to external storage before you restore.

To restore the database from a backup image
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Restore.
3 In the Restore from drop-down list, select the backup image that you want to restore.
4 Click Restore.

Specifying a third-party backup solution
You can implement a customized database backup solution that uses third-party software to archive the Information Manager database to an external storage medium. If you do so, be sure to disable automated purging of the database archive logs.
Archive logs, or transaction logs, are required for online backups. In normal operation, Information Manager purges older archive logs automatically on a

regular basis.

234

You must disable the automated archive log purge to ensure that the necessary archive logs are always available to the third-party backup software. The third-party backup software becomes responsible for backing up the database to external storage and deleting old archive logs on the appliance.

To specify a third-party backup solution
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Backup section of the Options pane, click Done by third-party.
4 To apply your change, click Apply.

About purging event summary and incident data
Summary events and incidents are purged as follows:
Daily maintenance purge
An automatic daily purge of all data that does not meet the configured retention criteria. You can configure the retention period for data. You can also configure the types of incidents that are retained or purged, based on their status. See Adjusting parameters for daily automated purges on page 235.
Size-based purge
A purge that is performed automatically whenever a tablespace exceeds a configured percentage of its total storage capacity. During a size-based purge of event summaries, event summaries are purged progressively, starting with the oldest data. During a size-based purge of incidents, closed incidents are purged first, from oldest to newest. If necessary, expired incidents are purged next, from oldest to newest. Finally, open incidents are purged, if necessary, from oldest to newest. The amount of space that is currently used by each tablespace is calculated during the regularly scheduled health check. You can configure the safe and alarm thresholds. See Adjusting the thresholds for size-based purges on page 236.
Manual purge
A purge of data that you can initiate at any time. See Initiating a purge on page 236.
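The health levels and the size-based purge order described above, as an added example that is not part of this guide or of the product: a small Python model that applies the documented defaults (Safe Level 60, Alarm Level 70, critical level 95), validates a Safe/Alarm pair against the rules given under Adjusting the thresholds for size-based purges, and runs a constructed set of incidents through a size-based purge in the documented order (closed, then expired, then open, each oldest to newest) until usage drops below the safe level. The incident records, their sizes and the 100-unit capacity are constructed, and the function names are assumptions, not names used by the appliance.

```python
"""Model of the Database Health Monitor levels and the size-based incident
purge order described in this chapter. Added example; the incident records,
sizes and capacity below are constructed, not taken from an appliance."""

SAFE_LEVEL = 60       # default Safe Level, percent of tablespace capacity
ALARM_LEVEL = 70      # default Alarm Level, percent of tablespace capacity
CRITICAL_LEVEL = 95   # critical level; fixed, cannot be changed


def validate_thresholds(safe, alarm):
    """Check a Safe Level / Alarm Level pair against the rules in the guide:
    Alarm Level below the critical level, Safe Level at least 10 points
    below Alarm Level, both positive percentages."""
    return 0 < safe <= alarm - 10 and alarm < CRITICAL_LEVEL


def health_status(percent_used, safe=SAFE_LEVEL, alarm=ALARM_LEVEL):
    """Map a tablespace's usage to the indicator the Status pane would show."""
    if percent_used >= CRITICAL_LEVEL:
        return "Critical"
    if percent_used >= alarm:
        return "Alarm"
    if percent_used >= safe:
        return "Warning"
    return "OK"


def usage_percent(incidents, capacity):
    """Usage of the incidents tablespace as a percentage of its capacity."""
    return 100.0 * sum(i["size"] for i in incidents) / capacity


# Size-based purge order for incidents: closed, then expired, then open,
# each group from oldest to newest.
PURGE_ORDER = ("closed", "expired", "open")


def size_based_purge(incidents, capacity, safe=SAFE_LEVEL):
    """Simulate a size-based purge. Incidents are removed in PURGE_ORDER until
    usage falls below the safe level. Returns (remaining, purged); purged is
    in the order the incidents were removed."""
    remaining = list(incidents)
    purged = []
    for status in PURGE_ORDER:
        candidates = sorted((i for i in remaining if i["status"] == status),
                            key=lambda i: i["created"])
        for inc in candidates:
            if usage_percent(remaining, capacity) < safe:
                return remaining, purged
            remaining.remove(inc)
            purged.append(inc)
    return remaining, purged


# Constructed sample: four incidents in an incidents tablespace of 100 units.
CAPACITY = 100
SAMPLE = [
    {"id": "INC-1", "status": "closed",  "created": "2007-01-05", "size": 10},
    {"id": "INC-2", "status": "expired", "created": "2007-01-10", "size": 10},
    {"id": "INC-3", "status": "open",    "created": "2007-01-15", "size": 40},
    {"id": "INC-4", "status": "open",    "created": "2007-02-01", "size": 30},
]


def walkthrough(incidents=SAMPLE, capacity=CAPACITY):
    """Run the sample through the model and return what happened."""
    before = usage_percent(incidents, capacity)
    remaining, purged = size_based_purge(incidents, capacity)
    return {
        "status_before": health_status(before),
        "purged": [i["id"] for i in purged],
        "open_purged": [i["id"] for i in purged if i["status"] == "open"],
        "status_after": health_status(usage_percent(remaining, capacity)),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough makes the practitioner's point concrete: the sample starts at 90 percent (Alarm), and once the one closed and the one expired incident are gone usage is still above the safe level, so the oldest open incident is purged as well. A tablespace that keeps reaching the Alarm Level is therefore losing live incident data; reduce the event flow or tighten the daily retention rather than raising the thresholds, and keep a current backup before any purge.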

235

The database is automatically reorganized after a purge whenever necessary.
Note: In some situations, the size of a tablespace could reach the critical level, which is 95 percent of total capacity. When this threshold is reached, a purge is initiated automatically, and event logging and correlation are suspended until the size falls below the safe level.

Adjusting parameters for daily automated purges
During the daily maintenance purge, data is purged automatically using the following default criteria:
Short-term summary event data that is more than 7 days old is purged.
Long-term summary event data that is more than 30 days old is purged. Summary event data is used in event reports. By default, report data is retained for 30 days.
All closed incidents that are more than 30 days old are purged.
You can adjust the parameter values for the daily maintenance purge to suit your needs. Do not increase the retention periods unless it is necessary, however. Depending on your deployment, event data can fill the tablespace quickly and lead to frequent size-based purges.

To adjust parameters for daily automated purges
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Purge section of the Options pane, to change the retention value for summary events or incidents, type a new number of days in the appropriate box.
4 To specify the types of incident to purge, select one of the following:
Closed Incidents
Expired and Closed Incidents
Open, Expired, and Closed Incidents
5 To apply your changes, click Apply.

236

Adjusting the thresholds for size-based purges
In most deployments you do not need to adjust the thresholds for size-based purges. They are designed to help maintain the appliance automatically, and to help you evaluate database usage on the appliance. For example, if the alarm threshold for summary events is triggered frequently, consider ways to reduce the flow of data to the appliance instead of increasing the threshold values.
If necessary, however, you can configure the following parameters for size-based purges:
Alarm Level
This is the percentage of total tablespace capacity at which the automated, size-based purge is triggered. The Alarm Level value must be less than the critical level, which is 95 percent of total capacity. The critical level cannot be changed. By default, the Alarm Level for both summary events and incidents is 70 percent.
Safe Level
This is the percentage of total capacity at which the size-based purge operation stops. The Safe Level value must be at least 10 percentage points below the Alarm Level. By default, the Safe Level for both summary events and incidents is 60 percent.
The summary events and incidents tablespaces are monitored independently. For example, the thresholds for incidents apply to the size of the incidents tablespace, regardless of the size of the summary events tablespace.

To adjust the thresholds for size-based purges
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Purge section of the Options pane, to change the Safe Level or Alarm Level value for events or incidents, type a new percentage value in the appropriate box.
4 To apply your changes, click Apply.

Initiating a purge
You can purge summary events and incidents manually at any time.
All data older than the age you specify, in days, is purged from the database. For example, you can select summary events as the data type to purge, and specify seven days for the retention value. In this case, all events that are more than seven days old are purged.

237

You can also purge all incidents or all summary events, or both. In this case, the server restarts automatically after all of the selected data is purged.
Note: Always ensure that the database is backed up before purging data. See Backing up and restoring the database on page 231.

To purge selected data
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Purge.
3 In the Purge section, to specify the type of data to purge, check or uncheck the Event summary data (short term), Event summary data (long term), and Incidents check boxes.
4 In the box where you specify how many days of data to retain, type a number.
The default data retention value is seven days. With the default value, only the summary events and incidents that are more than seven days old are purged.
5 If you selected to purge incidents, select one of the following to specify the types of incident to purge:
Closed incidents
Expired and closed incidents
Open, expired, and closed incidents
6 Click Purge.

To purge all data
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Purge.
3 In the Purge All section, to specify the type of data to purge, check or uncheck the Event Data and Incidents check boxes.
4 Click Purge All.

238

Reviewing maintenance history
You can view a history log at any time in the History pane. The log lists each maintenance job, along with the start time, end time, and whether the job completed successfully.

To review maintenance history
1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click History.
3 Do either of the following:
Click View History to display the history as a table in the current pane.
Click Download History to save the history log to disk.

239

Section 6
Appendices
Ports used by Information Manager
Installing and configuring a Symantec Direct Attached Storage D10 device
Managing security certificates
Antivirus Rules
Policy Compliance rules
Vulnerability Assessment rules
Firewall rules
Network IDS (NIDS) rules
Host IDS (HIDS) rules
System Monitor rules
Windows event rules
Event filters


241

Appendix A
Ports used by Information Manager

This appendix includes the following topics:
Ports used by Information Manager

Ports used by Information Manager
Table A-1 shows the list of ports that Symantec Security Information Manager uses, along with the service that uses that port, whether or not the service is blocked by the firewall that is running on the appliance, and the network protocol associated with the service.

Table A-1 Ports used by Information Manager

Port   Blocked by firewall  Protocol  Service
10050  Yes                  TCP       HelpDesk Event Sink
10020  Yes                  TCP       Information Manager statistics server
8005   Yes                  TCP       Shutdown port for Information Manager Tomcat service
35622  No                   TCP       Information Manager agent
8009   Yes                  TCP       mod_jk connector for Information Manager Tomcat service
9005   Yes                  TCP       Shutdown port for Global Intelligence Network Tomcat service
5998   No                   TCP       Information Manager agent
10030  Yes                  TCP       Information Manager Database Management Utility
8015   Yes                  TCP       mod_jk connector for Information Manager Tomcat event service
80     Yes                  TCP       IBM Apache Web server (HTTPD)
50000  No                   TCP       IBM DB2 database service
9009   No                   TCP       mod_jk connector for Global Intelligence Network Tomcat service
8019   Yes                  TCP       mod_jk connector for Information Manager Tomcat event service
3539   Yes                  TCP       IBM Tivoli (LDAP) Directory Service
123    Yes                  TCP/UDP   NTP
3700   No                   TCP       IBM DB2 database service
8086   No                   TCP       Information Manager agent
22     No                   TCP       Linux Secure Shell (SSH) service
10040  Yes                  TCP       Information Manager Rule Testing service
10010  No                   TCP       Information Manager server
       No                   TCP       Event forwarding port
8029   No                   TCP       mod_jk connector for WSRF Tomcat instance
8090   Yes                  TCP       Information Manager Tomcat event service
443    No                   TCP       Secure Sockets Layer (HTTPS)
636    No                   TCP       IBM Tivoli (LDAP) Directory Service
55550  Yes                  TCP       Rx protocol service
18777  No                   UDP       Information Manager service monitor
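A check a practitioner would run against this table, as an added example that is not part of this guide and does not ship with the appliance: a Python script that compares the sockets the appliance is actually listening on with Table A-1 and flags listeners the table does not document. The expected-port map is transcribed from the table (the event forwarding row is omitted because the page gives it no port number); the sample output is constructed, and the column layout it assumes is that of the modern iproute2 `ss -lntu`, so on an older appliance that provides netstat instead of ss the regular expression must be adapted. Rows marked Yes under Blocked by Firewall still appear as listening sockets on the appliance itself; whether the firewall really blocks them can only be confirmed by a scan from another host.

```python
"""Compare the sockets an Information Manager appliance is listening on with
Table A-1. Added example; EXPECTED is transcribed from the table and SAMPLE_SS
is constructed, not captured from an appliance."""
import re
import sys

# (protocol, port) -> (service, blocked by the appliance firewall), from Table A-1.
# The event forwarding port has no number in the table and is omitted.
EXPECTED = {
    ("tcp", 10050): ("HelpDesk Event Sink", True),
    ("tcp", 10020): ("Information Manager statistics server", True),
    ("tcp", 8005): ("Information Manager Tomcat shutdown port", True),
    ("tcp", 35622): ("Information Manager agent", False),
    ("tcp", 8009): ("mod_jk connector, Information Manager Tomcat", True),
    ("tcp", 9005): ("Global Intelligence Network Tomcat shutdown port", True),
    ("tcp", 5998): ("Information Manager agent", False),
    ("tcp", 10030): ("Database Management Utility", True),
    ("tcp", 8015): ("mod_jk connector, Tomcat event service", True),
    ("tcp", 80): ("IBM Apache Web server (HTTPD)", True),
    ("tcp", 50000): ("IBM DB2 database service", False),
    ("tcp", 9009): ("mod_jk connector, Global Intelligence Network Tomcat", False),
    ("tcp", 8019): ("mod_jk connector, Tomcat event service", True),
    ("tcp", 3539): ("IBM Tivoli Directory Service (LDAP)", True),
    ("tcp", 123): ("NTP", True),
    ("udp", 123): ("NTP", True),
    ("tcp", 3700): ("IBM DB2 database service", False),
    ("tcp", 8086): ("Information Manager agent", False),
    ("tcp", 22): ("Secure Shell (SSH)", False),
    ("tcp", 10040): ("Rule Testing service", True),
    ("tcp", 10010): ("Information Manager server", False),
    ("tcp", 8029): ("mod_jk connector, WSRF Tomcat instance", False),
    ("tcp", 8090): ("Information Manager Tomcat event service", True),
    ("tcp", 443): ("HTTPS", False),
    ("tcp", 636): ("IBM Tivoli Directory Service (LDAP)", False),
    ("tcp", 55550): ("Rx protocol service", True),
    ("udp", 18777): ("Information Manager service monitor", False),
}

# Data rows of `ss -lntu`: Netid State Recv-Q Send-Q Local:Port Peer:Port
SS_ROW = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_ss(output):
    """Return the set of (protocol, port) pairs that have a listening socket."""
    found = set()
    for line in output.splitlines():
        m = SS_ROW.match(line.strip())
        if not m:
            continue  # header line or something the regex does not recognise
        proto, local = m.groups()
        port = local.rsplit(":", 1)[-1]  # handles 0.0.0.0:22, [::]:22 and *:123
        if port.isdigit():
            found.add((proto, int(port)))
    return found


def audit(ss_output):
    """Classify listening sockets against Table A-1."""
    listening = parse_ss(ss_output)
    expected = set(EXPECTED)
    return {
        # Listening but absent from the table: investigate before trusting the box.
        "unexpected": sorted(listening - expected),
        # In the table but not listening: a service is down, or the table is stale.
        "not_listening": sorted(expected - listening),
        # Listening and documented as blocked by the appliance firewall; the block
        # itself has to be confirmed with a port scan from another host.
        "documented_blocked": sorted(p for p in listening if EXPECTED.get(p, ("", False))[1]),
    }


# Constructed sample in the layout of `ss -lntu`; tcp/8080 is deliberately
# not in Table A-1 so the audit has something to flag.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:636         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:8005      0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:10010       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:50000       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:18777       0.0.0.0:*
"""

if __name__ == "__main__":
    # Reads `ss -lntu` output from stdin; falls back to the sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for kind, ports in audit(text).items():
        print(kind)
        for proto, port in ports:
            service = EXPECTED.get((proto, port), ("not in Table A-1", False))[0]
            print(f"  {proto}/{port}  {service}")
```

Run it on the appliance as `ss -lntu | python3 audit_ports.py` (the file name is an assumption); anything under "unexpected" deserves an explanation before the appliance is put into service, and "not_listening" is a quick way to notice a service that failed to start. Note that the first scan should be done from a second host as well, because the "Blocked by Firewall" column is a statement about the appliance's own packet filter, not about what the socket table shows.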


245

Appendix B
Installing and configuring a Symantec Direct Attached Storage D10 device

This appendix includes the following topics:
About the Symantec Direct Attached Storage D10
About using third-party DAS devices with Information Manager
Installation overview
Installation prerequisites
Installing the DAS
Configuring Information Manager to use the DAS

About the Symantec Direct Attached Storage D10
Symantec Security Information Manager includes support for external data storage on a direct attached storage device. The Symantec Direct Attached Storage D10 device (DAS) contains 15 disk drives in a RAID-5 configuration, providing approximately 4.5 terabytes of raw storage for event data.

246

About using third-party DAS devices with Information Manager
Although it is possible to use DAS devices other than the Symantec Direct Attached Storage D10, this is the only device that Symantec has tested with Information Manager. If you decide to use a third-party DAS device, make sure that it meets the following requirements:
Configured as RAID-5
Uses drivers for Red Hat E4
Uses SCSI adapters that support PCIe
Supported by the Dell 1950 or 2950 platform (Information Manager 9600-series appliance)
If you encounter difficulties, notify your Symantec Services contact person.

Installation overview
This section lists the tasks that you must complete to enable the DAS.
Note: You must install the Information Manager software on the Information Manager appliance before you configure the DAS.
To enable the DAS, you must complete these tasks:
Rack mount the DAS and connect the cables. See Rack mounting the Symantec Direct Attached Storage D10 device on page 247.
Install the PERC 5/E adapter in your Information Manager appliance. See Installing the PERC 5/E adapter on page 247.
Configure Information Manager to work with the DAS. See Configuring Information Manager to use the DAS on page 248.
Note: If your DAS is a Dell PowerVault MD1000 that was not purchased from Symantec, you must also configure the DAS. Use a RAID-5 configuration.
If you already have a DAS installed with Information Manager, remove the virtual disks from the DAS before you proceed. The tasks in this case are the following:

Remove the DAS virtual disks.
Install Information Manager version 4.5.
Reconfigure the DAS virtual disks.

Installation prerequisites
Before you install the DAS, make sure that you have the following items:
Available rack space or a sturdy tabletop for the device next to the Information Manager appliance
A grounded electrical outlet, preferably connected to an uninterruptible power supply (UPS)

Installing the DAS
To install the DAS, complete the following steps:
Rack mount the DAS and connect the cables.
Install the PERC 5/E adapter in your Information Manager appliance.

Rack mounting the Symantec Direct Attached Storage D10 device
Refer to the product documentation that ships with your Symantec Direct Attached Storage D10 device (DAS) for information on rack mounting. Be sure to mount the DAS in a position that allows the cable to connect to both the DAS and the Information Manager appliance.

Installing the PERC 5/E adapter
To save event archive files on the Symantec Direct Attached Storage D10 device, you must install the PERC 5/E adapter in your Information Manager appliance.
To install the PERC 5/E adapter
1 Disconnect the power cables and any attached peripherals from your Information Manager appliance.
2 Remove the metal lid of the Information Manager appliance, and pull the blue handle to release the riser bracket.
3 Remove the riser assembly, being careful not to dislodge the connected cables.
4 Using a Phillips screwdriver, remove the metal slot cover from PCI slot 1 (the bottom-most slot) on the riser assembly.

5 Insert the PERC 5/E adapter into PCI slot 1.
6 Use the screw that previously held the metal slot cover in place to secure the PERC 5/E card in the PCI slot.
7 Carefully replace the riser assembly, making sure to line up with the motherboard connectors.
8 Push the blue handle back into position, so that it is flush with the chassis.
9 Replace the metal lid on the Information Manager appliance.
10 Reattach any peripherals that you disconnected earlier.
11 Reconnect the power cable.

Configuring Information Manager to use the DAS
After you install the DAS, restart the Information Manager appliance. Then use the procedure in this section to configure Information Manager to use the DAS to store raw event archive data, or summarized event data, or both.

To configure Information Manager to use the DAS
1 In the Information Manager Web configuration interface, click Off Box Storage.
The Off box Storage Configuration page displays the following read-only parameters:
No of Logical Disks: This value is always 1, because the DAS is preconfigured as RAID-5.
Max Size of Off-box storage: The maximum amount of storage space on the DAS.
Size currently in use: Immediately after you install the DAS, this value is 0. After you begin using the DAS storage, the value will be incremented.
Size Available: The amount of storage space on the DAS that is not currently in use.
EventArchive Size: The total amount of space that is allocated for storing event archive files on the appliance and on the DAS.
EventData Size: The total amount of space that is allocated for storing DB2 data files on the appliance and on the DAS.
Total No of Partitions: The number of partitions on the DAS.
If no values appear on this page, restart the Information Manager appliance, so that Information Manager recognizes the DAS.
2 To allocate additional raw event archive storage on the DAS, type a numeric value in the box called Size to be allocated to EventArchive (MB). The value is the number of megabytes to be added to the existing storage allocation, represented by EventArchive Size in the read-only parameters.
3 To allocate additional database storage on the DAS, type a numeric value in the box called Size to be allocated to EventDatabase (MB). The value is the number of megabytes to be added to the existing storage allocation, represented by EventData Size in the read-only parameters. Database storage usually comprises summarized event data, but it can also include raw event data.
4 Click Apply Configuration. If you typed a value in either step 2 or 3, one or both of the following happens:
If you typed a value for Size to be allocated to EventArchive, the value of EventArchive Size increases.
If you typed a value for Size to be allocated to EventDatabase, the value of EventData Size increases.

Appendix C
Managing security certificates

This appendix includes the following topics:
About managing security certificates
Managing security certificate information for the appliance

About managing security certificates
By default, Symantec Security Information Manager uses a self-signed security certificate for authentication between the on- and off-appliance components. The Information Manager web configuration interface lets you view certificate information, delete a certificate, create a new self-signed certificate, request a signed certificate from a certificate authority (CA) such as VeriSign, or import a certificate from a CA. You can also add a new root certificate to the server, to use as a basis for new certificates.
When you generate a security certificate, you can base it upon either the IP address of the appliance or the host name of the appliance. Basing the certificate upon the host name makes it convenient to change the IP address of the appliance. However, you may need to add an entry to the domain name server (DNS) to help ensure that the host name always resolves to the correct address. If you are unable to update the DNS, you may add the appliance IP address and host name to the hosts file on the computers that communicate with the appliance.

Note: For a SESA Manager to be able to forward events to the Information Manager appliance, the SESA Manager must be able to resolve the appliance host name. To make the appliance known to the SESA Manager, you can either add an appliance entry to the domain name server (DNS), or add the appliance IP address and host name to the hosts file of the SESA Manager. However, adding the appliance entry to the hosts file will not work on Microsoft Windows-based SESA Managers due to an inconsistency in the Sun Java Virtual Machine (JVM) for that platform. If you generate a new certificate for the appliance that is based upon its IP address, the SESA Manager will be able to forward events to the appliance.

Managing security certificate information for the appliance
You can use the Information Manager web configuration interface to perform the following certificate management tasks:
View security certificate information for the appliance
Delete a security certificate from the appliance keystore
Create a new self-signed security certificate
Request a signed certificate from a certificate authority (CA)
Receive a certificate from a certificate authority
Add a certificate authority root certificate
If you install a CA certificate, you must import the certificate to the computers that communicate with Information Manager, such as computers that run the Information Manager console or computers that run event collectors.
Note: The password for accessing the appliance SSL database to manually add or remove certificates is: symantecsecretkey! However, in most cases you can use the Information Manager web configuration interface to perform these operations.

To view security certificate information for the appliance
1 From the Information Manager web configuration interface, click Certificate Management.
2 To view detailed information about the certificate that the appliance is using for authentication for HTTP and LDAP communications, click Show Default Certificate.

3 To view detailed information about any certificate that is contained in the appliance keystore, click Show All Server and CA Root Certificates. In the Get Details for a Certificate area, select the security certificate from the Key Label drop-down, and then click Get Details.
4 To view a list of all certificate requests, click Show Certificate Requests.

To create a new self-signed security certificate
1 From the Information Manager web configuration interface, click Certificate Management and then click Create Self-Signed.
2 In the Common Name drop-down, select whether you want to generate the certificate based upon the IP address or the host name of the appliance.
3 In the Organization box, type the name of your organization.
4 In the Organization Unit box, type the name of the unit.
5 In the Locality box, type the region for the appliance.
6 In the State/Province box, type the name of the state or province where the appliance resides.
7 In the Country Code box, type the two-character country code where the appliance resides. For example, in the United States, you would type US.
8 In the Label field, type a name for this certificate. For example, the default label for the certificate that Information Manager uses is SESA.
9 In the Key size drop-down, select either 512 or 1024 bit encryption.
10 In the Validity Period box, type the number of days (between 1 and 7300) that the certificate is to be valid.
11 In the Username (DN) box, type the name of an administrator account, such as cn=root.
12 In the Password box, type the password that corresponds with the administrator account that you typed in the previous step.
13 Click Submit.

To delete a security certificate
1 From the Information Manager configuration interface, click Certificate Management.
2 Click Show All Server and CA Root Certificates.
3 In the Delete a Certificate area, from the Key Label drop-down, select the certificate that you would like to delete, and then click Delete Certificate.

To request a signed certificate from a certificate authority
1 From the Information Manager configuration interface, click Certificate Management.
2 Click Create CSR.
3 In the Organization box, type the name of your organization.
4 In the Organization Unit box, type the name of the unit.
5 In the Locality box, type the region for the appliance.
6 In the State/Province box, type the name of the state or province where the appliance resides.
7 In the Country Code box, type the two-character country code where the appliance resides. For example, in the United States, you would type US.
8 In the Label field, type a name for this certificate. For example, the default label for the certificate that Information Manager uses is SESA.
9 In the Key size drop-down, select either 512 or 1024 bit encryption.
10 Click Submit.
11 Click Download Certificate Signing Request to download the certificate request to a file.
12 Submit the request file to the certificate authority of your choice.

To add a signed certificate to the collection of acceptable certificates
1 After you have received the signed certificate from the certificate authority, from the Information Manager web configuration interface, click Certificate Management.
2 Click Receive Signed.
3 In the Certificate File option, click Browse, and then navigate to the signed certificate file.
4 In the Key Label drop-down, select the label you specified for the certificate when you created the request.
5 In the Username (DN) box, type the name of an administrator account, such as cn=root.
6 In the Password box, type the password that corresponds with the administrator account that you typed in the previous step.
7 Click Receive.

To add a certificate authority root certificate
1 From the Information Manager web configuration interface, click Certificate Management.
2 Click Add Certificate Authority Root Certificate.
3 In the Certificate File option, click Browse, and then navigate to the root certificate file.
4 In the Key Label box, type a name for this root certificate.
5 Click Add.

To import a CA certificate on a computer running the Information Manager console
1 On each computer that runs the Information Manager console, click Start, click Run, and then type cmd.
2 Use the Java Keytool program to import the new CA Root certificate into the cacerts file. Use the syntax:
keytool -import -alias <AliasName> -file <CertificateFilePath> -keystore "<cacertsfilepath>" -storepass changeit
Where <AliasName> refers to the name of the CA Root certificate, <CertificateFilePath> refers to the path of the new CA Root certificate file that you created, and <cacertsfilepath> refers to the location of the cacerts file used by the Information Manager console. By default, the Information Manager console keystore is installed in:
C:\Program Files\Symantec\Security Information Manager\jre\lib\security\cacerts

To import a CA certificate on a computer that runs an Information Manager agent or an event collector
1 On each computer that runs the Information Manager agent or event collector, click Start, click Run, and then type cmd.
2 Use the Java Keytool program to import the new CA Root certificate into the cacerts file. Use the syntax:
keytool -import -alias <AliasName> -file <CertificateFilePath> -keystore "<cacertsfilepath>" -storepass changeit
Where <AliasName> refers to the name of the CA Root certificate, <CertificateFilePath> refers to the path of the new CA Root certificate file that you created, and <cacertsfilepath> refers to the location of the cacerts file used by the Information Manager agent and event collectors. By default, the Information Manager agent and event collector keystore is installed in:
C:\Program Files\Symantec\SESA\Agent\jre\lib\security\cacerts


Appendix D
Antivirus Rules

This appendix includes the following topics:
About the antivirus rules

About the antivirus rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the default rule set, see the Information Manager online Help. Table D-1 describes the predefined antivirus rules that are included with the default installation.

Table D-1 Antivirus predefined rules

Predefined rule: AntiVirus Disabled
Description: Monitor for events that indicate a computer's antivirus software has been shut down. This rule uses the Symantec Event Code 3825 (Antivirus Scanning Disabled) to determine when antivirus programs have been disabled. Using the Symantec Event Code for this purpose rather than using individual event codes used by point products allows this rule to apply to multiple antivirus products that are mapped to the Symantec Event Code. The antivirus products that are mapped to this value use the Symantec AntiVirus collector and the Symantec Trend collector. Events that match these criteria are tracked using the Symantec Event Code field.
The following settings have been applied:
Rule type: Single Event
Number of events required: 1
Conclusion Severity: 2

Customizations: Examples of customization: If you use an antivirus product on your network that is not included in the list of antivirus products that are associated with the Symantec Event Code, you will need to determine a value that can be detected that determines when this event occurs. For example, a point product may use a proprietary event code that can be parsed that indicates that the antivirus program has been disabled. To implement this customization, you could use the Vendor Event Code field to specify the event code that the point product uses.
This event triggers an incident any time a detectable antivirus software program has been disabled. You can include exceptions to this rule when antivirus programs may be temporarily intentionally disabled by network administrators. For example, if you are rolling out an installation that requires an antivirus program to be temporarily disabled while the product installs, you might create a new rule based on the AntiVirus Disabled rule. In the new rule, you can add criteria that cause a conclusion to be created unless it comes from a particular set of IP addresses (the known addresses that will be disabling the antivirus program), or a logical network segment if you are rolling out the installation incrementally across the network. After the rollout is complete, you should disable the rule that contains the exception. For example, if you have a subnet named marketing.example.com specified in your network table, using an AND condition, you would add a criterion to the rule specifying that the rule will only fire if all other conditions are met, and Source Network Name does not equal marketing.example.com.
By default, this rule is set to correlate by Conclusion Type. This means that all conclusions will be contained in a single incident. You can customize the settings for this rule to correlate based on alternate values to achieve specific results. On the Actions tab, in the Correlate by drop-down list, if you change the setting to Source and Conclusion Type, for example, Information Manager will create a new incident for every source that disables antivirus. Changing the Correlate By value to Source will add other events that are detected from this source to the incident, and removes the restriction that they be Antivirus Disabled events.

Predefined rule: Critical Malicious Code Detection
Description: Monitor for virus, worm, or trojan activity on systems flagged as having a medium (3) or higher CIA value. This rule uses a combination of the Mechanism type and the CIA values set for each asset listed in the Asset table to determine whether a conclusion is logged. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
Rule type: Single Event
Number of events required: 1
Conclusion Severity: 3
Customizations: Each system on the network should be included in the Asset table and customized with Confidentiality, Integrity, and Availability settings. Note that each asset in the Asset table includes default CIA values of 1, which means that any asset that has not been elevated to a 3 or greater would not trigger this rule. You should review and configure the entry for each system listed in the Asset table using appropriate CIA values. This rule can be tuned to specific network needs. By default, this rule correlates events based on the Source. In this case, using the Source setting in the Correlate By field will add any additional activity on the source machine to the existing incident, and will create a new incident for every critical machine infected. Changing the Correlate By field to Conclusion Type will create a single incident for these conclusions, and all critical machines will be contained within that incident. Changing the Correlate By field to Source and Conclusion Type will ensure a new incident for every machine, but will not correlate additional events on that source to the same incident.
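The Correlate By behaviour described for the AntiVirus Disabled and Critical Malicious Code Detection rules, as an added example that is not the guide's or the product's own code: both rules are modelled over a constructed event list and asset table, and the three Correlate By settings are applied to the resulting conclusions. The rollout exception (marketing.example.com), the asset CIA values and the reading "any one of C, I or A at 3 or higher" are assumptions.

```python
"""Added example (not code from the Symantec guide): a minimal model of the
AntiVirus Disabled and Critical Malicious Code Detection rules, and of how the
Correlate By setting decides which conclusions share an incident.
The asset table, the exempt network and all event records are constructed."""
from collections import OrderedDict

AV_DISABLED_CODE = 3825                      # Symantec Event Code named in Table D-1
MALICIOUS_MECHANISMS = {"Virus", "Worm", "Trojan"}
DEFAULT_CIA = {"C": 1, "I": 1, "A": 1}       # default CIA values of every asset

# Constructed asset table: only 10.0.0.5 has been elevated above the defaults.
ASSETS = {
    "10.0.0.5": {"C": 3, "I": 3, "A": 2},
    "10.0.0.9": dict(DEFAULT_CIA),
}


def antivirus_disabled(events, exempt_network=None):
    """One conclusion per event carrying Symantec Event Code 3825, except when
    the source network name matches the rollout exception (the AND criterion
    "Source Network Name does not equal <network>")."""
    conclusions = []
    for ev in events:
        if ev.get("symantec_event_code") != AV_DISABLED_CODE:
            continue
        if exempt_network and ev.get("source_network_name") == exempt_network:
            continue
        conclusions.append({"type": "AntiVirus Disabled",
                            "source": ev["source_ip"], "severity": 2})
    return conclusions


def critical_malicious_code(events, assets):
    """One conclusion per virus/worm/trojan event whose source asset has a CIA
    value of 3 or higher (assumption: any one of C, I or A at 3 qualifies)."""
    conclusions = []
    for ev in events:
        if ev.get("mechanism") not in MALICIOUS_MECHANISMS:
            continue
        cia = assets.get(ev["source_ip"], DEFAULT_CIA)
        if max(cia.values()) < 3:
            continue        # an asset left at the default CIA of 1 never triggers
        conclusions.append({"type": "Critical Malicious Code Detection",
                            "source": ev["source_ip"], "severity": 3})
    return conclusions


def incident_key(conclusion, correlate_by):
    """Translate the Correlate By setting into the key that names an incident."""
    if correlate_by == "Conclusion Type":
        return (conclusion["type"],)
    if correlate_by == "Source":
        return (conclusion["source"],)
    if correlate_by == "Source and Conclusion Type":
        return (conclusion["source"], conclusion["type"])
    raise ValueError("unknown Correlate By setting: %r" % (correlate_by,))


def build_incidents(conclusions, correlate_by):
    """Group conclusions into incidents; returns {incident_key: [conclusions]}."""
    incidents = OrderedDict()
    for c in conclusions:
        incidents.setdefault(incident_key(c, correlate_by), []).append(c)
    return incidents


# Constructed sample events: three AV-disabled events (one from the rollout
# subnet) and two worm detections, one of them on the elevated asset.
SAMPLE_EVENTS = [
    {"source_ip": "10.0.0.5", "symantec_event_code": 3825, "source_network_name": "finance.example.com"},
    {"source_ip": "10.0.0.9", "symantec_event_code": 3825, "source_network_name": "finance.example.com"},
    {"source_ip": "10.0.0.7", "symantec_event_code": 3825, "source_network_name": "marketing.example.com"},
    {"source_ip": "10.0.0.5", "mechanism": "Worm"},
    {"source_ip": "10.0.0.9", "mechanism": "Worm"},
]


def run(correlate_by, exempt_network="marketing.example.com"):
    """Evaluate both rules over the sample events and group the conclusions."""
    conclusions = (antivirus_disabled(SAMPLE_EVENTS, exempt_network)
                   + critical_malicious_code(SAMPLE_EVENTS, ASSETS))
    return build_incidents(conclusions, correlate_by)


if __name__ == "__main__":
    for setting in ("Conclusion Type", "Source", "Source and Conclusion Type"):
        incidents = run(setting)
        print("%s -> %d incident(s)" % (setting, len(incidents)))
        for key, members in incidents.items():
            print("   %s: %s" % (key, [c["type"] for c in members]))
```

With Conclusion Type the two AV-disabled conclusions share one incident, with Source the worm detection on 10.0.0.5 joins that host's AV-disabled incident, and with Source and Conclusion Type every host/rule pair gets its own incident.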

Predefined rule: Malicious Code Not Quarantined
Description: Monitor for events where a virus, worm, or trojan is detected but could not be cleaned or quarantined. This rule uses a combination of the Mechanisms, Status, and Event Type fields. If the Mechanisms field contains a Virus, Worm, or Trojan value, or the Status field is equal to Uncorrected, Unknown, or Infected, the Event Type does not equal Expanded Threat Content, and the Product ID does not equal 3012, a conclusion is created. Expanded Threat Content signifies code which may or may not be malicious, but is qualified as a security risk on the host computer. This includes adware, spyware, jokeware, hacktools, and so forth. Events that match these criteria are tracked using the IP Source Address and Target Resource fields.
The following settings have been applied:
Rule type: Single Event
Number of events required: 1
Conclusion Severity: 3
Customizations: This rule correlates additional events using the Source and Conclusion Type setting in the Conclusion Creation area. This signifies that a new incident is created for every source infected. To tune this to a network's specific needs, you can change the Conclusion Creation area to Conclusion Type, which will correlate each new infection into a single incident. You could also use Resource and Conclusion Type, which will correlate each new instance of malicious code into a new incident.

Predefined rule: Malicious Code Outbreak
Description: Monitor for events indicating that a virus, worm, or trojan has infected multiple computers on the network. This rule tracks events using the Event Resource, Mechanisms, and Event Type fields to determine when 5 or more virus, worm, or trojan events have taken place on any computers on the network during any 10-minute period. If the rule triggers a conclusion, the conclusion will continue to track subsequent events that meet the criteria. The rule uses the One-Many field to track which event resource is used, and the Many-One field to track the multiple Destination IP addresses. The event is then tracked based on the Target Resource.
The following settings have been applied:
Rule type: Many to One
Number of events required: 5 over the span of 10 minutes
Conclusion Severity: 4
Customizations: The table size by default is 20,000. If the number of nodes on your network suggests that you may generate a large number of events for this kind of conclusion, you should increase the table size. For example, you should ensure that the table size is equivalent to at least the number of hosts that may be susceptible to this kind of outbreak. If the event data exceeds the table size, new events may overwrite the existing event record in sequential order starting from first to last. By default, the number of events required is 5 in the span of 10 minutes. This value should be adjusted to match the security policy of your organization. By default, this rule correlates events using the Resource and Conclusion Type setting in the Conclusion Creation area. This will create a new incident for every unique virus detected on the network that matches the conclusion criteria. It is not recommended that this setting be changed to anything with "Source" as a variable. In the event of a true outbreak, declaring a new incident on every source will result in a large number of incidents being displayed in the Information Manager console.
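The Many to One counting behind Malicious Code Outbreak, as an added example rather than the product's code: a sliding window of 5 events in 10 minutes per Event Resource, an open conclusion that keeps absorbing later matches, and a bounded tracking table that overwrites its oldest record when full (which is why the guide asks for a table at least as large as the susceptible host count). The virus name, event records and the `event_dt` seconds are constructed.

```python
"""Added example (not the guide's own code): a sliding-window model of the
Malicious Code Outbreak rule (Many to One, 5 virus/worm/trojan events for the
same Event Resource within 10 minutes, severity 4), including the bounded
tracking table whose oldest record is overwritten once the table is full.
Event records and the virus name are constructed; event_dt is in seconds."""
from collections import deque

MALICIOUS_MECHANISMS = {"Virus", "Worm", "Trojan"}


class OutbreakRule:
    def __init__(self, required=5, window_seconds=600, table_size=20000):
        self.required = required
        self.window = window_seconds
        self.table_size = table_size
        self.table = deque()          # tracked events, oldest first
        self.open_conclusions = {}    # event_resource -> open conclusion

    def feed(self, event):
        """Process one event; return the conclusion it created or extended, else None."""
        if event.get("mechanism") not in MALICIOUS_MECHANISMS:
            return None
        if len(self.table) >= self.table_size:
            self.table.popleft()      # table full: overwrite the oldest record
        self.table.append(event)
        resource = event["event_resource"]   # the One-Many side: the virus name
        if resource in self.open_conclusions:
            # An open conclusion keeps tracking later events that match it.
            conclusion = self.open_conclusions[resource]
            conclusion["targets"].add(event["dest_ip"])
            conclusion["event_count"] += 1
            return conclusion
        cutoff = event["event_dt"] - self.window
        matching = [e for e in self.table
                    if e["event_resource"] == resource and e["event_dt"] >= cutoff]
        if len(matching) < self.required:
            return None
        conclusion = {
            "conclusion": "Malicious Code Outbreak",
            "resource": resource,
            "severity": 4,
            "targets": {e["dest_ip"] for e in matching},   # the Many-One side
            "event_count": len(matching),
        }
        self.open_conclusions[resource] = conclusion
        return conclusion


def make_events(resource, times, first_host=1):
    """Constructed worm detections for one virus name, one per destination host."""
    return [{"event_resource": resource, "mechanism": "Worm", "event_dt": t,
             "dest_ip": "10.0.0.%d" % (first_host + i)} for i, t in enumerate(times)]


def replay(rule, events):
    """Feed events in event_dt order; returns the per-event result list."""
    return [rule.feed(e) for e in sorted(events, key=lambda e: e["event_dt"])]


if __name__ == "__main__":
    # Six detections one minute apart: the fifth opens the conclusion, the sixth extends it.
    results = replay(OutbreakRule(), make_events("W32.Constructed", [0, 60, 120, 180, 240, 300]))
    print([None if r is None else r["event_count"] for r in results])
    # The same detections 200 s apart never put five events inside one window.
    print(replay(OutbreakRule(), make_events("W32.Constructed", [0, 200, 400, 600, 800])))
    # A table far smaller than the host count silently drops the evidence.
    print(replay(OutbreakRule(table_size=3), make_events("W32.Constructed", [0, 60, 120, 180, 240, 300])))
```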

Predefined rule: Malicious Code Propagation
Description: Monitor for viruses, worms, or trojans that have infected a computer, and are attempting to infect other computers. This rule uses the Transitive Traffic rule type to track whether a virus, worm, or trojan infection is attempting to propagate across the network in the span of 10 minutes. The Mechanisms field is used to determine the type of infection. Only point products or events that report both a source_ip and a destination_ip will be able to generate traffic that can trigger this rule. Transitive Traffic rules track the destination IP of an event, and check all following events to ensure that this value does not appear as a source IP in events appearing within the time window specified. Any type of event can be the first event in a Transitive Traffic rule. In this case, the traffic must have a Mechanism of Virus, Worm, or Trojan Horse for the destination IP to be tracked against future events.
The following settings have been applied:
Rule type: Transitive Traffic
Number of events required: 1 over the span of 10 minutes
Conclusion Severity: 4
Customizations: The table size by default is 19,000. If the number of nodes on your network suggests that you may generate a large number of events for this kind of conclusion, you should increase the table size. If the event data exceeds the table size, new events may overwrite the existing event record in sequential order starting from first to last. The default time setting is 10 minutes. In certain circumstances, such as when you are experiencing an unusual number of outbreaks or when you notice that an outbreak spreads between computers over a greater length of time than 10 minutes, you may want to adjust the time span to make this conclusion more inclusive. The timestamp for each event is contained in the event_dt field.
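The Transitive Traffic rule type described above, as an added example that is not the product's code: a malicious event makes its destination IP a tracked host, and any later event inside the window whose source IP is a tracked host produces a propagation conclusion, while events that lack either address are ignored and the tracking table overwrites its oldest entry when full. The event stream is constructed, `event_dt` is in seconds, and the reading that the follow-on event need not itself be malicious is an assumption.

```python
"""Added example (not the guide's own code): a model of the Transitive Traffic
rule type behind Malicious Code Propagation. A virus/worm/trojan event makes
its destination IP a tracked host; any later event within the window whose
source IP is a tracked host yields a propagation conclusion. Event records
are constructed; event_dt is in seconds."""
from collections import OrderedDict

MALICIOUS_MECHANISMS = {"Virus", "Worm", "Trojan Horse"}


class TransitiveTrafficRule:
    def __init__(self, window_seconds=600, table_size=19000):
        self.window = window_seconds
        self.table_size = table_size
        # destination_ip -> (event_dt, mechanism) of the event that infected it, oldest first
        self.tracked = OrderedDict()

    def feed(self, event):
        """Process one event; return a propagation conclusion or None."""
        src, dst = event.get("source_ip"), event.get("destination_ip")
        if not src or not dst:
            return None   # products that do not report both addresses cannot trigger this rule
        now = event["event_dt"]
        conclusion = None
        # Step 1: is the source a host that was infected inside the time window?
        if src in self.tracked:
            infected_at, mechanism = self.tracked[src]
            if now - infected_at <= self.window:
                conclusion = {
                    "conclusion": "Malicious Code Propagation",
                    "severity": 4,
                    "infected_host": src,
                    "infected_at": infected_at,
                    "mechanism": mechanism,
                    "next_target": dst,
                    "event_dt": now,
                }
            else:
                del self.tracked[src]   # outside the window: stop tracking this host
        # Step 2: a malicious event starts (or refreshes) tracking of its destination.
        if event.get("mechanism") in MALICIOUS_MECHANISMS:
            self.tracked.pop(dst, None)
            if len(self.tracked) >= self.table_size:
                self.tracked.popitem(last=False)   # table full: overwrite the oldest record
            self.tracked[dst] = (now, event["mechanism"])
        return conclusion


# Constructed event stream: 10.0.0.1 infects .2; .2 reaches .3 two minutes
# later (propagation); .3 reaches .4 only after the window has lapsed; .4 then
# contacts .5 inside the window in an event with no mechanism value.
SAMPLE_EVENTS = [
    {"event_dt": 0,    "source_ip": "10.0.0.1", "destination_ip": "10.0.0.2", "mechanism": "Worm"},
    {"event_dt": 120,  "source_ip": "10.0.0.2", "destination_ip": "10.0.0.3", "mechanism": "Worm"},
    {"event_dt": 900,  "source_ip": "10.0.0.3", "destination_ip": "10.0.0.4", "mechanism": "Worm"},
    {"event_dt": 950,  "source_ip": "10.0.0.4", "destination_ip": "10.0.0.5"},
    {"event_dt": 1000, "source_ip": "10.0.0.5"},   # no destination: ignored
]


def replay(events, window_seconds=600):
    """Run one rule instance over the events in event_dt order; per-event results."""
    rule = TransitiveTrafficRule(window_seconds=window_seconds)
    return [rule.feed(e) for e in sorted(events, key=lambda e: e["event_dt"])]


if __name__ == "__main__":
    ordered = sorted(SAMPLE_EVENTS, key=lambda e: e["event_dt"])
    for ev, result in zip(ordered, replay(SAMPLE_EVENTS)):
        hit = result and "%s -> %s" % (result["infected_host"], result["next_target"])
        print(ev["event_dt"], hit)
```

Widening the window to 30 minutes, as the guide suggests for slow-spreading outbreaks, also turns the 10.0.0.3 to 10.0.0.4 event into a conclusion.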

Predefined rule: Spyware Not Quarantined
Description: Monitor for events where a spyware or adware installation is detected but could not be cleaned or quarantined. This rule uses the Event Type and Data Status ID fields to determine whether a spyware or adware installation could not be cleaned or quarantined. If the Event Type is categorized as Expanded Threat Content and the Data Status ID value is Uncorrected, Unknown, or Infected, a conclusion is created. Expanded Threat Content signifies code which may or may not be malicious, but is qualified as a security risk on the host computer. This includes adware, spyware, jokeware, hacktools, and so forth. Events that match these criteria are tracked using the IP Source Address and Target Resource fields.
The following settings have been applied:
Rule type: Single Event
Number of events required: 1
Conclusion Severity: 3
Customizations: By default, this rule correlates events using the Source and Conclusion Type setting in the Conclusion Creation area. This will create a new incident for every source infected. To tune this to a network's specific needs, you could change the Conclusion Creation setting to Conclusion Type, which will correlate each new infection into a single incident. You could also choose Resource and Conclusion Type, which will correlate each new instance of malicious code into a new incident.

Predefined rule: Spyware Outbreak
Description: Monitor for events indicating that a spyware or adware installation has been detected on multiple computers on the network. This rule determines whether the Symantec Event Code has been populated and whether Spyware or Adware has been included in the Mechanisms field, or Expanded Threat Content has been used in the Event Type field, either of which indicates that an adware or spyware installation is taking place. The Event Type field uses Expanded Threat Content to indicate installations such as spyware or adware. When 5 or more events occur over the span of 10 minutes, a conclusion is created. Expanded Threat Content signifies code which may or may not be malicious, but is qualified as a security risk on the host computer. This includes adware, spyware, jokeware, hacktools, and so forth. Events that match these criteria are tracked using the Symantec Event Code field.
The following settings have been applied:
Rule type: Many to One
Number of events required: 5 over the span of 10 minutes
Conclusion Severity: 4
Customizations: The table size by default is 20,000. If the number of nodes on your network suggests that you may generate a large number of events for this kind of conclusion, you should increase the table size. If the event data exceeds the table size, new events may overwrite the existing event record in sequential order starting from first to last. By default, this rule correlates events using the Resource and Conclusion Type setting in the Conclusion Creation area. This will create a new incident for every unique virus detected on the network that matches the conclusion criteria. It is not recommended that this setting be changed to anything with "Source" as a variable. In the event of a true outbreak, declaring a new incident on every source will result in a large number of incidents on the Information Manager console. The number of events required is 5 in the span of 10 minutes. This value should be adjusted to match the security policy of your organization.

Additional antivirus rules examples
This section provides common scenarios for creating custom rules that extend the conclusion coverage provided by the default rules. In most cases, the rule suggestions use one of the predefined rules as a template from which a new rule can be derived.

Custom rules for specific infections
In certain cases, you may want to monitor your network for specific infections, regardless of whether those infections were quarantined or whether they are found on specific hosts. For example, you may want to monitor attempts to install malicious code in any instance, even if the installation does not meet the outbreak situation criteria. You can create a rule that accomplishes this task by specifying the Virus Name within the Event Resource field. You could create a Single Event rule type using the Event Resource field that equals Code Red. This will track every instance of Code Red to this incident.

Appendix E
Policy Compliance rules

This appendix includes the following topics:
About the Policy Compliance rules

About the Policy Compliance rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help. Table E-1 describes the predefined Policy Compliance rules.

Table E-1 Predefined Policy Compliance rules

Predefined rule: Policy Compliance Violation
Description: Triggers an incident when a policy violation occurs. This rule uses the Event Class ID and the Compliance Status ID fields to determine if the event has been flagged as a compliance failure event. It then compares the Destination Host Policies field to determine whether the contents of that field match any of the policies specified in the rule. If a match is found, an incident is triggered. Events that match these criteria are tracked using the IP Destination Address field.
The following settings have been applied:
Rule type: Single Event
Number of events required: 1
Conclusion Severity: 2
Customizations: A custom rule could be created to add customer-specified policies. In some cases, you may decide to allow a system to be in violation of an internal policy for business reasons. In such cases, you could create a custom rule that filters those systems from creating incidents based on an exception to your policy for that system. You may also consider creating a variation of this rule that sends an alert or declares a conclusion with a higher severity if the system that triggers the event is of greater business importance. For example, an alert or a high severity conclusion could be generated if a compliance violation event originates from a financial or payroll system, a laptop used by a user with higher security clearance, and so forth.

Appendix F
Vulnerability Assessment rules

This appendix includes the following topics:
About the Vulnerability Assessment rules

About the Vulnerability Assessment rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help. Table F-1 describes the predefined Vulnerability Assessment rules.

Table F-1 Vulnerability Assessment predefined rules

Predefined rule: Vulnerability Scan

Description:
Monitors vulnerability events logged by vulnerability scanners and consolidates those events into a single incident per computer. This rule uses a combination of the Product, Event Class ID, Severity ID, and Vendor Signatures to determine whether an event has been generated by a vulnerability scanner. If the event matches one of the descriptions of events that are generated by the supported VA scanners, an event based on the IP Destination Address is generated. The products that trigger this event include the following:
  Symantec Vulnerability Assessment
  ISS Internet Scanner
  Qualys Guard
  Nessus
  ncircle
Events that match these criteria are tracked using the Destination IP field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
This rule could be customized to trigger based on vendor-specific event codes that may be included in the event data.

Additional Vulnerability Assessment rules examples
This section provides common scenarios for creating custom rules that extend the conclusion coverage provided by the default rules. In most cases, the rule suggestions use one of the predefined rules as a template from which a new rule can be derived.

Custom rules for vulnerability scans that use IP hopping
A common vulnerability scan technique is to use IP hopping as a means of concealing reconnaissance attacks. A rule that detects malicious IP hopping activity could use the Many Events, One Target rule type. In order to conceal their presence, an attacker may attempt one type of attack from one IP address, and then change to a different IP address to try a different attack, and so forth, until the most useful vulnerabilities have been identified. This is one method that is used by attackers to avoid detection as a vulnerability scan, since most common vulnerability scanners operate from a single source. Using a combination of Vendor Event Codes and the Many Events, One Target rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.


Appendix G
Firewall rules

This appendix includes the following topics:
About the Firewall rules

About the Firewall rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help. Table G-1 describes the predefined Firewall event rules that are included with the default installation.

Table G-1 Predefined Firewall event rules

Predefined rule: Block Scan

Description:
Monitor for computers performing reconnaissance scans (port scans) of multiple network computers. This rule uses the Mechanisms and Source Host Policies fields to determine whether the event is a Port Scan. If the Mechanisms field does not contain Port Sweep but does contain Port Scan, the Source Host Policies field does not contain both Firewall and Proxy, and 3 or more of these events occur within 10 minutes, then a conclusion is created.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 3 in a 10 minute span
  Conclusion Severity: 2

Customizations:
If you have systems on your network that have been identified as critical, you could create an additional rule based on this rule that triggers when the critical IP address is the target, possibly elevating the Conclusion Severity. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and NAT devices in the Asset table.

Predefined rule: Check FTP Transfers

Description:
Monitor for file transfers that may indicate malicious activity or the violation of security policies. This rule uses the Target Resource and IP Destination Port fields to determine whether a file being transferred over the common FTP ports (20 and 21) is contained in the sensitive_files table. If the criteria are met, a conclusion is created. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
This rule uses the common FTP ports 20 and 21. If you have configured your network to use alternate ports for FTP traffic, you will need to customize this rule to track those ports as well. You should also ensure that the file profiles listed in the sensitive files table are up to date. The sensitive files table includes a set of default values that are used to evaluate file names (for example, System.ini or passwd). If you have additional sensitive files, they should be added to the list.

Predefined rule: DoS High Volume

Description:
Monitor for high quantities of denial of service events that are targeted at a computer. This rule uses the Effects and Mechanisms fields to determine whether a DoS attack appears to be occurring. If the Effects field contains Degradation and the Mechanisms field contains either Overloading Congestion or Overloading Saturation, and if 30 similar events occur within the span of 10 minutes from a single source IP to a single IP Destination Address, a conclusion is created.
This rule also uses the Tracking Keys to specify which single elements (IP Destination Address and IP Source Address) and which multiple elements (multiple events containing the same Event ID) are used to trigger the conclusion. Although the IP Source Address and IP Destination Address must be the same in each event, the rule also identifies each event as unique based on the Unique Event ID value, which is unique for each event. The event threshold count is incremented based on each unique event. When this conclusion is triggered, event tracking begins based on events that have the same IP Source Address and IP Destination Address.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 30 within 10 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 35,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, sourceip != X.X.X.X).

Predefined rule: Distributed DoS High Volume

Description:
Monitor for high quantities of denial of service events that are targeted at a computer. This rule uses the Effects and Mechanisms fields to determine whether a DoS attack appears to be occurring. If the Effects field contains Degradation and the Mechanisms field contains either Overloading Congestion or Overloading Saturation, and if 30 similar events occur within the span of 10 minutes from many sources to a single computer, a conclusion is created. Unlike the DoS High Volume rule, this rule does not depend on a single source computer sending traffic to a single target; it is primarily focused on the effect on the target computer.
The following settings have been applied:
  Rule type: Many Sources, One Target
  Number of events required: 15 over the span of 10 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 35,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, sourceip != X.X.X.X).

Predefined rule: External Port Sweep

Description:
Monitor for attempts to determine which systems are using a specific service. This rule uses the conditions in the Event Criteria list to detect whether the IP Destination Port field is populated, the Source Host Policies field does not contain Firewall or Proxy, the IP Source Address is populated, the IP Destination Address field is populated, and the Source Host is Internal field is false. Ten events that match all of these criteria must occur over the span of five minutes to trigger the conclusion. In addition, the Tracking Keys specify which single elements (IP Source Address and IP Destination Port) and which multiple elements (multiple events containing the same IP Destination Address) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Source value.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 10 over 5 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 10,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. Note that the primary difference between this rule and the Internal Port Sweep rule is the Source Host is Internal field. If you create a custom rule based on this rule, changes to the corresponding internal port sweep rule may also need to be implemented. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. You should also be sure to add all network information to the Network table. The Network table is in the Systems pane, under the Network tab. This information enables the correlation engine to determine whether a network resource is internal or external.

Predefined rule: Internal Port Sweep

Description:
Monitor for attempts to determine which systems are using a specific service. This rule uses the conditions in the Event Criteria list to detect whether the IP Destination Port field is populated, the Source Host Policies field does not contain Firewall or Proxy, the IP Source Address is populated, the IP Destination Address field is populated, and the Source Host is Internal field is true. Ten events that match all of these criteria must occur over the span of five minutes to trigger the conclusion. In addition, the Tracking Keys specify which single elements (IP Source Address and Destination Port) and which multiple elements (multiple events containing the same IP Destination Address) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Source value.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 10 over 5 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 10,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. Note that the primary difference between this rule and the External Port Sweep rule is the Source Host is Internal field. If you create a custom rule based on this rule, changes to the corresponding external port sweep rule may also need to be implemented. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. You should also be sure to add all network information to the Network table. The Network table is in the Systems pane, under the Network tab. This information enables the correlation engine to determine whether a network resource is internal or external.

Predefined rule: IP Watchlist Rule

Description:
Monitor for activity from computers on the IP Watchlist. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 4

Customizations:
This rule catches any event with an IP Source Address that matches an IP address that has been added to the ip_watchlist table. If you detect a significant number of events that originate from the same IP on the watchlist, you can create an additional rule that correlates all events from that IP.
Note: The ip_watchlist table is a user configurable table that is available for manually tracking known bad IP addresses. A separate internal IP Watch List is maintained via LiveUpdate and/or Symantec DeepSight updates, and contains a list of IP addresses that are known to be malicious in the larger Internet environment. Updates to this internal list do not affect the IP Watch List that is visible in the Information Manager console.

Predefined rule: IRC Bot Net

Description:
Monitors for connection events indicating IRC traffic. This rule uses the IP Destination Port field to identify traffic on ports 6667, 6666, and 7000, which are commonly used for IRC. IRC traffic typically violates security policies and can indicate an attempt to remotely control trojan software. This rule correlates events based on a single source communicating with one or more targets. If 5 events of this type occur over the span of 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 5 over 10 minutes
  Conclusion Severity: 3

Customizations:
Security policies often prevent the use of IRC applications and traffic on the network. However, if you support IRC as a means of communication across your network, it is advisable to use a custom port for IRC traffic and to establish rules that carefully monitor that traffic for signs of malicious intent.

Predefined rule: Malicious URL

Description:
Monitors firewall events for URLs that contain known strings that are used by worms or exploits. This rule uses a combination of the Target Resource and IP Destination Port fields to determine a match. If the Target Resource contains a string or substring that is contained in the sensitive_urls table, and the IP Destination Port equals 80, a conclusion is created. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
This rule catches any event that uses a URL string or substring that matches an entry in the sensitive_urls table. If you detect a significant number of events that match the entries in that table from a single IP, you can create a custom rule that monitors for multiple events with the same criteria from the same IP.

Predefined rule: Single Event DoS

Description:
Monitor for denial of service exploit events that are targeted at a computer. This rule uses a combination of the Effects and Mechanisms fields to determine whether a Denial of Service attack has been attempted or is underway. If the Effects field contains Degradation and the Mechanisms field contains either Buffer Overflow or Application Exploit, a conclusion is created. Events that match these criteria are tracked using the IP Destination Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
The table size by default is 100. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, sourceip != X.X.X.X). Filters or exclusions can be added both for systems that generate a large number of false positives and for IDS signatures that are detected often and are considered to be false positives. IDS signatures are usually best dealt with in filters. For the most precise filters, restrict the discarding of events to the systems known to generate the signature as a false positive, so that valid occurrences are not filtered accidentally.

Predefined rule: Ping Scan Detector

Description:
Monitor for attempts to determine active network computers by sending multiple pings. This rule uses the Symantec Event Code for Generic Ping Probe (481) to identify ICMP pings that are generated from the same IP address to one or more computers. If 10 of these events occur in the span of 5 minutes, a conclusion is created. Using the Symantec Event Code allows events detected by multiple point products to be correlated under the same event type.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 10 over 5 minutes
  Conclusion Severity: 3

Customizations:
You should test this setting with the products that you use to detect ping scans, since some product signatures are not included in the Symantec Event Code. If you are using a product that does not trigger this rule based on the Symantec Event Code, you may need to create an additional set of criteria that identifies the product signature or event code that is generated by that product. For example, if the point product is not mapped to Symantec Signature 481, you need to use the Vendor Signature criteria to look for instances of the ping probe from the point product. The IDS/Firewall documentation provided with your device should list the events that are logged; you should be able to reference that list to determine what the Vendor Signature value will be. You may want to customize the time span and table size depending on the type and volume of traffic that is occurring. You can also create additional rules based on this framework that identify fewer pings over longer periods of time by adjusting the Event Count and Span values.

Predefined rule: Port Scan Detector

Description:
Monitor for activity that may indicate attempts to determine the services that are available on a computer. This rule uses a combination of the IP Destination Port and Source Host Policies fields to determine whether a possible port scan has occurred. If the Destination Port has been populated and Source Host Policies does not contain Firewall or Proxy, and if 10 similar events occur within the span of 10 minutes, a conclusion is created. This rule also uses the Tracking Keys to specify which single elements (IP Source Address and IP Destination Address) and which multiple elements (multiple events containing the same Destination Port) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Source value. Events that match these criteria are tracked using the IP Source Address and IP Destination Address fields.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 10 over 10 minutes
  Conclusion Severity: 3

Customizations:
If you use a Vulnerability Assessment tool to analyze your network, you may want to create an additional set of criteria that identifies when the VA tool is conducting a safe scan of available services. To filter false positives, you should ensure that all Vulnerability Assessment systems are identified in the Network and Asset tables, and are associated with the Vulnerability Scanner policy.
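The Many to One rules in this table (DoS High Volume, External and Internal Port Sweep, Port Scan Detector) and the IP-hopping custom rule in Appendix F share one mechanism: events that agree on the single tracking keys are grouped, the distinct values of the multiple key are counted inside the span, and the tracking table is bounded. The following Python is an added example of that mechanism, not Information Manager code; the event field names (ts, src, dst, dport, src_host_policies, src_internal, vendor_sig), the threshold of the IP-hopping rule, and the overwrite-oldest behaviour of a full table are assumptions.

```python
"""Sliding-window Many to One correlation with tracking keys.
Added example, not Information Manager code: events are plain dicts with
assumed field names, and the full-table behaviour is a simplification."""
from collections import OrderedDict, deque
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class ManyToOneRule:
    name: str
    criteria: Callable[[Event], bool]   # the rule's Event Criteria list
    single_keys: Tuple[str, ...]        # fields that must match across tracked events
    multiple_key: str                   # field whose distinct values are counted
    threshold: int                      # Number of events required
    span_seconds: int                   # the span those events must fall within
    severity: int                       # Conclusion Severity
    table_size: int = 10000             # tracking records held at once


class ManyToOneCorrelator:
    def __init__(self, rule: ManyToOneRule) -> None:
        self.rule = rule
        # tracking key -> (timestamp, multiple-key value) pairs still in the span;
        # insertion order is kept so the oldest record can be overwritten.
        self.table: "OrderedDict[tuple, deque]" = OrderedDict()

    def feed(self, event: Event) -> Optional[dict]:
        r = self.rule
        if not r.criteria(event):
            return None
        key = tuple(event.get(k) for k in r.single_keys)
        if key not in self.table:
            if len(self.table) >= r.table_size:
                self.table.popitem(last=False)   # overwrite oldest, first to last
            self.table[key] = deque()
        window = self.table[key]
        now = event["ts"]
        window.append((now, event.get(r.multiple_key)))
        while window and now - window[0][0] > r.span_seconds:
            window.popleft()                     # fell outside the span
        distinct = {value for _, value in window}
        if len(distinct) < r.threshold:
            return None
        del self.table[key]                      # conclusion fired; track afresh
        return {"rule": r.name, "severity": r.severity,
                "tracking": dict(zip(r.single_keys, key)), "count": len(distinct)}


def no_firewall_or_proxy(e: Event) -> bool:
    """Source Host Policies must not mark the source as a Firewall or Proxy."""
    return not ({"Firewall", "Proxy"} & set(e.get("src_host_policies", ())))


# Port Scan Detector: same source and target, distinct destination ports.
PORT_SCAN_DETECTOR = ManyToOneRule(
    "Port Scan Detector",
    lambda e: e.get("dport") is not None and no_firewall_or_proxy(e),
    ("src", "dst"), "dport", threshold=10, span_seconds=600, severity=3)

# External Port Sweep: same external source and port, distinct targets.
EXTERNAL_PORT_SWEEP = ManyToOneRule(
    "External Port Sweep",
    lambda e: bool(e.get("dport") is not None and e.get("src") and e.get("dst")
                   and not e.get("src_internal", False) and no_firewall_or_proxy(e)),
    ("src", "dport"), "dst", threshold=10, span_seconds=300, severity=3)

# Appendix F custom rule for IP-hopping scans: one target, distinct Vendor Event
# Codes, regardless of the source address. The threshold of 4 is an assumption.
IP_HOPPING_SCAN = ManyToOneRule(
    "IP Hopping Scan (custom)",
    lambda e: e.get("vendor_sig") is not None,
    ("dst",), "vendor_sig", threshold=4, span_seconds=600, severity=3)


def with_table_size(rule: ManyToOneRule, size: int) -> ManyToOneRule:
    return replace(rule, table_size=size)


def run(rule: ManyToOneRule, events: List[Event]) -> List[dict]:
    correlator = ManyToOneCorrelator(rule)
    return [hit for hit in (correlator.feed(e) for e in events) if hit]


def port_scan(src: str, dst: str, ports: int, step: int) -> List[Event]:
    """Constructed sample: `src` probes `ports` consecutive ports on `dst`."""
    return [{"ts": i * step, "src": src, "dst": dst, "dport": 1 + i,
             "src_host_policies": (), "src_internal": False} for i in range(ports)]


if __name__ == "__main__":
    scan = port_scan("198.51.100.7", "192.0.2.10", ports=12, step=10)
    print(run(PORT_SCAN_DETECTOR, scan))   # one conclusion after the tenth port
```

Feeding three interleaved scanners through a rule whose table_size is smaller than the number of active sources shows the caveat the table gives: records are overwritten before any source reaches the threshold, and no conclusion is created.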

Predefined rule: Scan Followed By Exploit

Description:
Monitor for reconnaissance attempts that are followed by an exploit. For the X portion, this rule uses the Mechanisms field to identify when a source computer uses a known pattern (Network Sweep, Host Sweep, Port Sweep, or Port Scan) to interact with a target. For the Y portion, this rule uses the Mechanisms field to determine whether the IP Source Address from the X criteria is using a different pattern of attack on the same IP Destination Address. If the Mechanisms field contains Buffer Overflow, Application Exploit, or Remote Execution, the Y criteria of the rule are met. If the conditions for both the X and Y portions of the rule criteria are met using the same source IP and IP Destination Address within 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: X Followed by Y
  Number of events required: 1 over 10 minutes
  Conclusion Severity: 3

Customizations:
If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, sourceip != X.X.X.X).
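The X Followed by Y logic described for this rule, written out as an added Python example (not Information Manager code): the mechanism values, the source/destination tracking keys and the 10 minute span are the rule's own, while the event field names and the constructed sample sequences are assumptions. The exclusion list plays the role of the sourceip != X.X.X.X customization.

```python
"""X Followed by Y correlation, modelled on the Scan Followed By Exploit rule.
Added example, not Information Manager code; event field names are assumed,
the mechanism values, tracking keys and 10 minute span are the rule's own."""
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Event = Dict[str, object]

SCAN_MECHANISMS = {"Network Sweep", "Host Sweep", "Port Sweep", "Port Scan"}
EXPLOIT_MECHANISMS = {"Buffer Overflow", "Application Exploit", "Remote Execution"}


def is_scan(e: Event) -> bool:       # the X criteria
    return bool(SCAN_MECHANISMS & set(e.get("mechanisms", ())))


def is_exploit(e: Event) -> bool:    # the Y criteria
    return bool(EXPLOIT_MECHANISMS & set(e.get("mechanisms", ())))


class XFollowedByY:
    """Fires when a Y event arrives within span_seconds after an X event that
    shares the same tracking keys (source and destination address)."""

    def __init__(self, x: Callable[[Event], bool], y: Callable[[Event], bool],
                 keys: Tuple[str, ...] = ("src", "dst"), span_seconds: int = 600,
                 severity: int = 3, excluded_sources: Iterable[str] = ()) -> None:
        self.x, self.y, self.keys = x, y, keys
        self.span, self.severity = span_seconds, severity
        self.excluded: Set[str] = set(excluded_sources)
        self.pending: Dict[tuple, int] = {}   # tracking key -> time of latest X

    def feed(self, e: Event) -> Optional[dict]:
        if e.get("src") in self.excluded:     # sourceip != X.X.X.X style exclusion
            return None
        key = tuple(e.get(k) for k in self.keys)
        now = e["ts"]
        if self.x(e):
            self.pending[key] = now           # (re)open the window for this pair
            return None
        if not self.y(e):
            return None
        started = self.pending.get(key)
        if started is None or now - started > self.span:
            return None                       # no prior scan, or it is too old
        del self.pending[key]
        return {"rule": "Scan Followed By Exploit", "severity": self.severity,
                "tracking": dict(zip(self.keys, key)), "delay": now - started}


def run(events: List[Event], excluded: Iterable[str] = ()) -> List[dict]:
    correlator = XFollowedByY(is_scan, is_exploit, excluded_sources=excluded)
    return [hit for hit in (correlator.feed(e) for e in events) if hit]


def ev(ts: int, src: str, dst: str, *mechanisms: str) -> Event:
    """Constructed sample event carrying only the fields the rule reads."""
    return {"ts": ts, "src": src, "dst": dst, "mechanisms": mechanisms}


# Constructed sequences; addresses come from documentation ranges.
ATTACK = [ev(0, "198.51.100.7", "192.0.2.10", "Port Scan"),
          ev(120, "198.51.100.7", "192.0.2.10", "Buffer Overflow")]
EXPLOIT_FIRST = [ev(0, "198.51.100.7", "192.0.2.10", "Buffer Overflow"),
                 ev(120, "198.51.100.7", "192.0.2.10", "Port Scan")]
TOO_LATE = [ev(0, "198.51.100.7", "192.0.2.10", "Port Scan"),
            ev(700, "198.51.100.7", "192.0.2.10", "Buffer Overflow")]
OTHER_SOURCE = [ev(0, "198.51.100.7", "192.0.2.10", "Port Scan"),
                ev(60, "198.51.100.8", "192.0.2.10", "Remote Execution")]
```

Only ATTACK produces a conclusion: the exploit must come after the scan, from the same source to the same target, inside the span.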

Predefined rule: Smurf Attack

Description:
Monitor for ping reply events that are sent from multiple sources to a single target. This rule uses a combination of the Source Host Policies field, the ICMP Type ID, and the Symantec Event Code field to identify a Smurf Attack. A Smurf attack uses a forged origination IP (changed to be the same as the IP of the victim) and ICMP echo commands (ping) to flood a victim with ping replies. The attacker sends a large volume of ping requests to the host, and the host in turn replies to the forged IP with a large volume of replies.
The following settings have been applied:
  Rule type: Many Sources, One Target
  Number of events required: 100 over 10 minutes
  Conclusion Severity: 3

Customizations:
The Smurf Attack is similar to the Fraggle Attack. The Fraggle Attack uses the same techniques to create a packet storm, but uses the UDP protocol rather than ICMP. You can use this rule as a framework to create a custom Fraggle Attack rule, or you can extend this rule to include UDP attacks using additional Symantec Event Codes (Generic UDP Portscan Probe (298) or Generic UDP Loopback Denial of Service Attack (299), for example). Similar to the Ping Scan Detector rule, if the collector does not map to the signatures used in the rule, it may be necessary to add additional criteria to the rule to look for the point product's signature for ICMP Echo replies.

Predefined rule: Firewall Trojan Connections

Description:
Monitor for firewall connections that are established using known back door ports. This rule uses a combination of the IP Destination Port and Event Type ID fields to determine whether a source IP is trying to use a known backdoor port on an IP Destination Address. If the IP Destination Port is not null and is listed in the trojans table, and the Event Type ID field contains either Connection Statistics or Connection Accepted, a conclusion is created. Events that match these criteria are tracked using the IP Source Address and IP Destination Port fields.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
If you are using custom ports on your network, you will want to be sure to understand the implications of the traffic that you are allowing across those ports. If protocols have been remapped to custom port values, you may need to update the trojans table with the ports you are using that may be vulnerable to known attacks. In addition, you may discover that the ports that are listed in the trojans table have acceptable uses on your network within the parameters of the Network Type that this rule uses. You can adjust this rule to create an exception for the use you support on a particular port.

Appendix H
Network IDS (NIDS) rules

This appendix includes the following topics:
About the Network IDS (NIDS) rules

About the Network IDS (NIDS) rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help. Table H-1 describes the predefined NIDS event rules that are included with the default installation.

Table H-1 Network IDS predefined rules

Predefined rule: Attempted DNS Exploit

Description:
Monitor for events that indicate a computer is the target of a DNS exploit. This rule uses a combination of the Resources, Destination Host Services, and Mechanisms fields to determine whether an event suggests that a computer is a target of a DNS exploit. If the Resources field contains DNS, the Destination Host Services field contains 53 - Domain Name Server (DNS), and the Mechanisms field contains Buffer Overflow, Application Exploit, or Remote Execution, a conclusion is created. Events that match these criteria are tracked using the IP Source Address and IP Destination Address fields.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
Ensure that you have added Services information for each asset in the Asset table. This rule uses Services information to determine whether an event is a match. In addition, transactions between DNS servers may produce false positives. You may want to exclude IP Source Addresses that have a running DNS server (Source Host Services field contains 53).

Predefined rule: Attempted FTP Exploit

Description:
Monitor for events that indicate a computer is the target of an FTP exploit. This rule uses a combination of the Resources, Destination Host Services, and Mechanisms fields to determine whether an event suggests that a computer is a target of an FTP exploit. If the Resources field contains FTP, the Destination Host Services field contains 21 - File Transfer Protocol (FTP), and the Mechanisms field contains Buffer Overflow, Application Exploit, or Remote Execution, a conclusion is created. Events that match these criteria are tracked using the IP Source Address and IP Destination Address fields.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
Ensure that you have added Services information for each asset in the Asset table. This rule uses Services information to determine whether an event is a match.

Predefined rule: Attempted Service Exploit

Description:
Monitor for events that indicate a computer is being attacked on an available service. This rule uses a combination of the Destination Port is Open flag and the Mechanisms field to determine whether an event suggests that a computer is being attacked on an available service. If the Destination Port is Open flag is true and the Mechanisms field contains Buffer Overflow, Application Exploit, or Remote Execution, a conclusion is created. Events that match these criteria are tracked using the IP Source Address and IP Destination Address fields.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
Ensure that you have added Services information for each asset in the Asset table. This rule uses Services information to determine whether an event is a match.

Predefined rule: Attempted WWW Exploit

Description:
Monitor for events that indicate a computer is the target of an HTTP exploit. This rule uses a combination of the Resources, Destination Host Services, and Mechanisms fields to determine whether an event suggests that a computer is a target of an HTTP exploit. If the Resources field contains Web, the Destination Host Services field contains either 80 - HTTP or Secure HTTP, and the Mechanisms field contains Buffer Overflow, Application Exploit, or Remote Execution, a conclusion is created. Events that match these criteria are tracked using the IP Source Address and IP Destination Address fields.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3

Customizations:
Ensure that you have added Services information for each asset in the Asset table. This rule uses Services information to determine whether an event is a match.

Predefined rule: Block Scan

Description:
Monitor for computers performing reconnaissance scans (port scans) of multiple network computers. This rule uses the Mechanisms and Source Host Policies fields to determine whether the event is a Port Scan. If the Mechanisms field does not contain Port Sweep but does contain Port Scan, the Source Host Policies field does not contain both Firewall and Proxy, and 3 or more of these events occur within 10 minutes, then a conclusion is created.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 3 in a 10 minute span
  Conclusion Severity: 2

Customizations:
If you have systems on your network that have been identified as critical, you could create an additional rule based on this rule that triggers when the critical IP address is the target, possibly elevating the Conclusion Severity. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and NAT devices in the Asset table.

Predefined rule: DoS High Volume

Description:
Monitor for high quantities of denial of service events that are targeted at a computer. This rule uses the Effects and Mechanisms fields to determine whether a DoS attack appears to be occurring. If the Effects field contains Degradation and the Mechanisms field contains either Overloading Congestion or Overloading Saturation, and if 30 similar events occur within the span of 10 minutes from a single source IP to a single IP Destination Address, a conclusion is created.
This rule also uses the Tracking Keys to specify which single elements (IP Destination Address and IP Source Address) and which multiple elements (multiple events containing the same Event ID) are used to trigger the conclusion. Although the IP Source Address and IP Destination Address must be the same in each event, the rule also identifies each event as unique based on the Unique Event ID value, which is unique for each event. The event threshold count is incremented based on each unique event. When this conclusion is triggered, event tracking begins based on events that have the same IP Source Address and IP Destination Address.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 30 within 10 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 35,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: Single Event DoS
Description: Monitor for denial of service exploit events that are targeted at a computer. This rule uses a combination of the Effects and Mechanisms fields to determine if a Denial of Service attack has been attempted or is underway. If the Effects field contains Degradation and the Mechanisms field contains either Buffer Overflow or Application Exploit, a conclusion is created. Events that match these criteria are tracked using the IP Destination Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3
Customizations: The table size by default is 100. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X). Filters or exclusions can be added both for systems that generate a large number of false positives and for IDS signatures that are detected often and are considered to be false positives. IDS signatures are usually best dealt with in filters. For the most precise filters, restrict the discarding of events to the systems known to generate the signature as a false positive, so that valid occurrences are not filtered accidentally.

Predefined rule: Distributed DoS High Volume
Description: Monitor for high quantities of denial of service events that are targeted at a computer. This rule uses the Effects and Mechanisms fields to determine if a DoS attack appears to be occurring. If the Effects field contains Degradation and the Mechanisms field contains either Overloading Congestion or Overloading Saturation, and if 30 similar events occur within the span of 10 minutes from many sources to a single computer, a conclusion is created. Unlike the DoS High Volume rule, this rule is not dependent on whether a single source computer is sending traffic to a single target. The rule is primarily focused on the effect on the target computer.
The following settings have been applied:
  Rule type: Many Sources, One Target
  Number of events required: 30 in the span of 10 minutes
  Conclusion Severity: 3
Customizations: The table size by default is 35,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: Intrusion Threshold
Description: Monitors for excessive amounts of intrusion events from a single source system. This rule uses the Event Type ID field to determine if the aggregation of 500 similar events over 10 minutes suggests a network intrusion event. This rule also uses the Tracking Keys to specify which single element (IP Source Address) and which multiple element (multiple events containing a Unique Event ID) are used to trigger the conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Conclusion Type. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 500 over 10 minutes
  Conclusion Severity: 1
Customizations: This rule may need to be adjusted depending on the thresholds that are acceptable within your security policy (more or less than 500 events over 10 minutes), and depending on the applications that may trigger non-threatening IDS events. This rule can also indicate that the source IP may be configured incorrectly, and may be causing false positives to occur. Typically, if a source is generating a large number of intrusion events, there is either an attacker on that system, an infection from a virus or worm, or the IDS is malfunctioning and detecting normal traffic as malicious. The Intrusion Threshold rule could also trigger for activity coming through a firewall, proxy, or Network Address Translation (NAT) device, since the IP address would be masked to an internal IP. This rule can be particularly useful as a template for creating other rules that monitor for specific threats, like large numbers of occurrences of a specific Vendor Signature.

Predefined rule: IP Watchlist Rule
Description: Monitor for activity from computers on the IP Watchlist. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 4
Customizations: This rule catches any event with an IP Source Address that matches an IP address in the ip_watchlist table. If you detect a significant number of events that originate from the same IP on the watchlist, you can create an additional rule that correlates all events from that IP.
Note: The ip_watchlist table is a user-configurable table that is available for manually tracking known bad IP addresses. A separate internal IP Watch List is maintained via LiveUpdate and/or Symantec DeepSight updates, which contains a list of IP addresses that are known to be malicious in the larger Internet environment. Updates to this internal list do not affect the IP Watch List that is visible in the Information Manager console.

Predefined rule: IRC Bot Net
Description: Monitors for connection events indicating IRC traffic. This rule uses the IP Destination Port field to identify traffic on ports 6667, 6666, and 7000, which are commonly used for IRC. IRC traffic typically violates security policies, and can indicate an attempt to remotely control trojan software. This rule correlates events based on a single source communicating with one or more targets. If 5 events of this type occur over the span of 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 5 over 10 minutes
  Conclusion Severity: 3
Customizations: Security policies often prevent the use of IRC applications and traffic on the network. However, if you support IRC as a means of communication across your network, it is advisable to use a custom port for IRC traffic, establishing rules that carefully monitor that traffic for signs of malicious intent.

Predefined rule: NULL Login Authentication Violation
Description: Monitors for Windows null login events that are followed closely by an authentication violation event. For the X portion, this rule uses the Symantec Event Code field to determine if a null login event has occurred. If the Symantec Event Code field contains either Microsoft NT NetBIOS NULL Session Attack (390) or Microsoft NT Null Login Probe (2660), the X criteria are met. For the Y portion, this rule uses the Intrusion Outcome ID field combined with the Mechanisms field to determine if an authentication violation has occurred. If the Intrusion Outcome ID field contains the value for a failed intrusion attempt event in the Intrusion event schema, and the Mechanisms field contains Login, the Y criteria are met. If the conditions for both the X and Y portions of the rule criteria are met using the same source IP and IP Destination Address within 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: X Followed by Y
  Number of events required: 1 in a 10 minute span
  Conclusion Severity: 2
Customizations: You should test this setting with the collectors and products that you use to detect null login events, since some product signatures are not included in the Symantec Event Code. If you are using a collector or product that does not trigger this rule based on the Symantec Event Code, you may need to create an additional set of criteria that identifies the product signature or event code that is generated by that product. For HIDS devices, a null session is typically logged as either an Unknown or an Anonymous connection. In this case, you should update the rule with the Vendor Signature referenced when these types of connections are logged. For more information on the fields available in the Intrusion schema, see the Symantec Collector Studio Event Reference Guide.

Predefined rule: Ping Scan Detector
Description: Monitor for attempts to determine active network computers by sending multiple pings. This rule uses the Symantec Event Code for Generic Ping Probe (481) to indicate ICMP pings that are generated from the same IP address to one or more computers. If 10 of these events occur in the span of 5 minutes, a conclusion is created. Using the Symantec Event Code allows events detected by multiple point products to be correlated under the same event type.
The following settings have been applied:
  Rule type: Many Targets, One Source
  Number of events required: 10 over 5 minutes
  Conclusion Severity: 3
Customizations: You should test this setting with the products that you use to detect ping scans, since some product signatures are not included in the Symantec Event Code. If you are using a product that does not trigger this rule based on the Symantec Event Code, you may need to create an additional set of criteria that identifies the product signature or event code that is generated by that product. For example, if the point product is not mapped to Symantec Signature 481, you need to use the Vendor Signature criteria to look for instances of the ping probe from the point product. The IDS/Firewall documentation provided with your device should list the events that are logged. You should be able to reference that list to determine what the Vendor Signature value will be. You may want to customize the time span and table size depending on the type and volume of traffic that is occurring. You can also create additional rules based on this framework that identify fewer pings over longer periods of time by adjusting the Event Count and Span values.

Predefined rule: Return Trojan Traffic
Description: Monitor for Trojan horse control traffic exchanged between systems. This rule uses the Mechanisms field to detect when Trojan traffic passes from a single source IP to a single IP Destination Address, and then returns from the target to the source within 10 minutes.
The following settings have been applied:
  Rule type: Symmetric Traffic
  Number of events required: 1 in 10 minutes
  Conclusion Severity: 3
Customizations: If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: Scan Followed By Exploit
Description: Monitor for reconnaissance attempts that are followed by an exploit. For the X portion, this rule uses the Mechanisms field to identify when a source computer uses a known pattern (Network Sweep, Host Sweep, Port Sweep, or Port Scan) to interact with a target. For the Y portion, this rule uses the Mechanisms field to determine if the IP Source Address from the X criteria is using a different pattern of attack on the same IP Destination Address. If the conditions for both the X and Y portions of the rule criteria are met using the same source IP and IP Destination Address within 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: X Followed by Y
  Number of events required: 1 over 10 minutes
  Conclusion Severity: 3
Customizations: If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: Smurf Attack IDS
Description: Monitor for ping reply events that are sent from multiple sources to a single target using the Many-One Fields criteria. This rule uses a combination of the Source Host Policies field and the Symantec Event Code field to identify a Smurf Attack. A Smurf attack uses a forged origination IP (changed to be the same as the IP of the victim) and ICMP echo commands (ping) to flood a victim with ping replies. The attacker sends a large volume of ping requests to the host, and the host in turn replies to the forged IP with a large volume of replies.
The following settings have been applied:
  Rule type: Many Sources, One Target
  Number of events required: 100 over 10 minutes
  Conclusion Severity: 3
Customizations: The Smurf Attack is similar to the Fraggle Attack. The Fraggle Attack uses the same techniques to create a packet storm, but uses the UDP protocol rather than ICMP. You can use this rule as a framework to create a custom Fraggle Attack rule, or you can extend this rule to include UDP attacks using additional Symantec Event Codes (Generic UDP Portscan Probe (298) or Generic UDP Loopback Denial of Service Attack (299), for example). Similar to the Ping Scan Detector rule, if the collector does not map to the signatures used in the rule, it may be necessary to add additional criteria to the rule to look for the point product's signature for ICMP Echo replies.

Predefined rule: TFTP from WebServer
Description: Monitors for attempts by an asset identified as a Web server to retrieve worm or Trojan horse software. This rule uses a combination of the Symantec Event Code, the IP Destination Port, and the Source Host Services fields to determine if a Web server is retrieving worm or trojan horse software. If the Symantec Event Code field contains Generic TFTP Get Request Attack (3755) or the IP Destination Port field is 69 (TFTP), and the Source Host Services field contains either 80 - HTTP or Secure HTTP, a conclusion is created. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2
Customizations: Ensure that you have added Services information for each asset in the Asset table. This rule uses Services information to determine whether an event is a match. This rule identifies Source Host Services for ports 80 and 443. You should test this setting with the collectors and products that you use to detect TFTP Get request attacks, since some product signatures are not included in the Symantec Event Code. If you are using a collector or product that does not trigger this rule based on the Symantec Event Code, you may need to create an additional set of criteria that identifies the product signature or event code that is generated by that product. For example, IDS products typically log an event for TFTP traffic (ideally TFTP Get events). To identify these signatures, you need to update the rule to monitor for the Vendor Signature value associated with those events. If you are using custom ports on your network for either HTTP traffic or TFTP traffic, you will need to customize the port settings in this rule to match your network. Worms and trojans that are known to exploit the TFTP port include W32.Cycle and W32.Mockbot.A.Worm. You can create a customized version of this rule by tracking port traffic that occurs after this event has been identified. For example, W32.Cycle attempts to connect to TCP port 445 on any computer at a randomly generated IP address. In addition, it uses TCP port 3332 on the remote computer to evaluate whether infection has already occurred. You could create an X Followed by Y rule that tracks this type of infection using this port information.

Predefined rule: Malicious Code Propagation
Description: Create a conclusion when the specified pattern of events is detected from a single source IP address to a single IP Destination Address, and then from that IP Destination Address to a new IP Destination Address within the specified time period. This rule uses the Transitive Traffic rule type combined with the Mechanisms field to determine if malicious code is moving from source to target, and then from target to new target.
The following settings have been applied:
  Rule type: Transitive Traffic
  Number of events required: 1 in the span of 10 minutes
  Conclusion Severity: 4
Customizations: If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: Vulnerability Scan
Description: Monitor vulnerability events logged by vulnerability scanners and consolidate those events into a single incident per computer.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1 in the span of 1 minute
  Conclusion Severity: 2
Customizations: A possible customization for this rule would be to exclude systems that have known vulnerabilities that have been granted an exception for business purposes.

Predefined rule: Vulnerability Scan Detector
Description: Monitor for hostile vulnerability scans on the network. This rule uses a combination of the Source Host Policies field and the Mechanisms field to determine if an event suggests that a malicious network probe may have taken place, or is occurring. If the Source Host Policies field does not contain the strings Firewall or Proxy, and the Mechanisms field contains any one of the six specified values, and five similar events occur over the span of 20 minutes from the same IP address, a conclusion is created.
The following settings have been applied:
  Rule type: Many Events, One Source
  Number of events required: 5 over 20 minutes
  Conclusion Severity: 3
Customizations: The table size by default is 33,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. Since NAT devices mask the original IP with an internal IP, false positives can be triggered for a single masked IP despite the fact that a broad number of external sources are actually accessing the NAT device from the outside.

Predefined rule: Web Vulnerability Scan
Description: Monitor for HTTP-based vulnerability scans (for example, Whisker). This rule uses a combination of the Resources, Source Host Policies, and Mechanisms fields to determine if an event suggests that a malicious Web services probe may have taken place, or is occurring. If the Resources field contains Web and the Source Host Policies field does not contain VulnerabilityScanner, and if the Mechanisms field contains any one of the five specified values, and 20 similar events occur over the span of 10 minutes from the same IP address, a conclusion is created.
The following settings have been applied:
  Rule type: Many Events, One Source
  Number of events required: 20 over a span of 10 minutes
  Conclusion Severity: 3
Customizations: The table size by default is 10,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. Since NAT devices mask the original IP with an internal IP, false positives can be triggered for a single masked IP despite the fact that a broad number of external sources are actually accessing the NAT device from the outside.
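The rule types in Table H-1 are easiest to understand as small stateful matchers over a time window. The Python below is an added example written for this guide's explanations, not Information Manager's own engine or rule definitions: it implements Many Targets, One Source (Block Scan), X Followed by Y (Scan Followed By Exploit), Symmetric Traffic (Return Trojan Traffic) and Transitive Traffic (Malicious Code Propagation) over a constructed event sample. The Event fields, the assumption that Many Targets counts distinct targets, and the mechanism strings "Trojan" and "Malicious Code" are this example's assumptions.

```python
"""Added example: a minimal correlation engine for four Table H-1 rule types. Event fields,
window handling and the "Trojan" / "Malicious Code" mechanism strings are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 600  # the guide's 10 minute span, in seconds
SCAN_MECHS = frozenset({"Network Sweep", "Host Sweep", "Port Sweep", "Port Scan"})  # X portion

@dataclass(frozen=True)
class Event:
    ts: int                    # seconds since an arbitrary epoch
    src: str                   # IP Source Address
    dst: str                   # IP Destination Address
    mechanisms: frozenset      # Mechanisms field
    src_policies: frozenset = frozenset()  # Source Host Policies (from the Asset table)

def is_block_scan_event(ev):
    """Block Scan criteria: Port Scan without Port Sweep, source not both Firewall and Proxy."""
    if "Port Sweep" in ev.mechanisms or "Port Scan" not in ev.mechanisms:
        return False
    return not {"Firewall", "Proxy"} <= ev.src_policies

def block_scan(events, threshold=3, window=WINDOW):
    """Many Targets, One Source: `threshold` distinct targets from one source inside the window."""
    recent, conclusions = defaultdict(list), []  # recent: src -> [(ts, dst)] inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_block_scan_event(ev):
            continue
        recent[ev.src] = [(t, d) for t, d in recent[ev.src] if ev.ts - t <= window]
        recent[ev.src].append((ev.ts, ev.dst))
        targets = frozenset(d for _, d in recent[ev.src])
        if len(targets) >= threshold:
            conclusions.append(("Block Scan", ev.src, targets))
            recent[ev.src] = []  # one conclusion per burst; tracking restarts
    return conclusions

def scan_followed_by_exploit(events, window=WINDOW):
    """X Followed by Y: scan (X) src -> dst, then a different mechanism (Y) on the same pair."""
    pending, conclusions = {}, []  # pending: (src, dst) -> timestamp of the most recent X event
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst)
        if ev.mechanisms & SCAN_MECHS:
            pending[key] = ev.ts
        elif ev.mechanisms and key in pending and ev.ts - pending[key] <= window:
            conclusions.append(("Scan Followed By Exploit", ev.src, ev.dst))
            del pending[key]
    return conclusions

def return_trojan_traffic(events, window=WINDOW):
    """Symmetric Traffic: Trojan traffic src -> dst, then dst -> src within the window."""
    outbound, conclusions = {}, []  # outbound: (src, dst) -> timestamp of the first direction
    for ev in sorted(events, key=lambda e: e.ts):
        if "Trojan" not in ev.mechanisms:
            continue
        reverse = (ev.dst, ev.src)
        if reverse in outbound and ev.ts - outbound[reverse] <= window:
            conclusions.append(("Return Trojan Traffic", ev.dst, ev.src))  # original src, dst
            del outbound[reverse]
        else:
            outbound[(ev.src, ev.dst)] = ev.ts
    return conclusions

def malicious_code_propagation(events, window=WINDOW):
    """Transitive Traffic: A -> B, then B -> C (C != A) within the window."""
    last_hop, conclusions = {}, []  # last_hop: dst -> (src, ts) of the latest event reaching dst
    for ev in sorted(events, key=lambda e: e.ts):
        if "Malicious Code" not in ev.mechanisms:
            continue
        if ev.src in last_hop:
            prev_src, prev_ts = last_hop[ev.src]
            if ev.dst != prev_src and ev.ts - prev_ts <= window:
                conclusions.append(("Malicious Code Propagation", prev_src, ev.src, ev.dst))
        last_hop[ev.dst] = (ev.src, ev.ts)
    return conclusions

# Constructed sample: one burst per rule, plus traffic that must NOT produce a conclusion.
FW = frozenset({"Firewall", "Proxy"})
SAMPLE_EVENTS = [
    Event(0, "10.0.0.5", "10.0.1.10", frozenset({"Port Scan"})),         # Block Scan burst
    Event(120, "10.0.0.5", "10.0.1.11", frozenset({"Port Scan"})),
    Event(240, "10.0.0.5", "10.0.1.12", frozenset({"Port Scan"})),
    Event(0, "10.0.0.1", "10.0.1.10", frozenset({"Port Scan"}), FW),     # firewall+proxy: excluded
    Event(60, "10.0.0.1", "10.0.1.11", frozenset({"Port Scan"}), FW),
    Event(120, "10.0.0.1", "10.0.1.12", frozenset({"Port Scan"}), FW),
    Event(300, "10.0.0.5", "10.0.1.10", frozenset({"Buffer Overflow"})),  # Y after the X scan
    Event(400, "10.0.1.10", "10.0.0.5", frozenset({"Trojan"})),           # Trojan out ...
    Event(580, "10.0.0.5", "10.0.1.10", frozenset({"Trojan"})),           # ... and back, 3 min later
    Event(700, "10.0.1.10", "10.0.1.20", frozenset({"Malicious Code"})),  # A -> B
    Event(900, "10.0.1.20", "10.0.1.30", frozenset({"Malicious Code"})),  # B -> C: propagation
    Event(2000, "10.0.1.30", "10.0.1.40", frozenset({"Malicious Code"})), # C -> D: outside window
]

def run_all(events=SAMPLE_EVENTS):
    """Evaluate every rule over the event set; returns rule name -> list of conclusions."""
    return {"Block Scan": block_scan(events),
            "Scan Followed By Exploit": scan_followed_by_exploit(events),
            "Return Trojan Traffic": return_trojan_traffic(events),
            "Malicious Code Propagation": malicious_code_propagation(events)}
```

Each matcher keys its state on the same fields the guide names as Tracking Keys (source, destination, or the pair), which is what makes the firewall-sourced scans and the late fourth hop fall outside a conclusion.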

Appendix I
Host IDS (HIDS) rules

This appendix includes the following topics:
  About the Host IDS (HIDS) rules

About the Host IDS (HIDS) rules
Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help. Table I-1 describes the predefined HIDS event rules that are included with the default installation.

Host IDS (HIDS) rules: About the Host IDS (HIDS) rules
Table I-1 Host IDS predefined rules

Predefined rule: DoS High Volume
Description: Monitor for high quantities of denial of service events that are targeted at a computer. This rule uses the Effects and Mechanisms fields to determine if a DoS attack appears to be occurring. If the Effects field contains Degradation and the Mechanisms field contains either Overloading Congestion or Overloading Saturation, and if 30 similar events occur within the span of 10 minutes from a single source IP to a single IP Destination Address, a conclusion is created. This rule also uses the Tracking Keys to specify which single elements (IP Destination Address and IP Source Address) and which multiple elements (multiple events containing the same Event ID) are used to trigger the conclusion. Although the IP Source Address and IP Destination Address must be the same in each event, the rule also identifies each event as unique based on the Unique Event ID value, which is unique for each event. The event threshold count is incremented based on each unique event. When this conclusion is triggered, event tracking begins based on events that have the same IP Source Address and IP Destination Address.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 30 within 10 minutes
  Conclusion Severity: 3
Customizations: The table size by default is 35,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).

Predefined rule: IP Watchlist Rule
Description: Monitor for activity from computers on the IP Watchlist. Events that match these criteria are tracked using the IP Source Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 4
Customizations: This rule catches any event with a source IP that matches an IP address in the ip_watchlist table. If you detect a significant number of events that originate from the same IP on the watchlist, you can create an additional rule that correlates all events from that IP.
Note: The ip_watchlist table is a user-configurable table that is available for manually tracking known bad IP addresses. A separate internal IP Watch List is maintained via LiveUpdate and/or Symantec DeepSight updates, which contains a list of IP addresses that are known to be malicious in the larger Internet environment. Updates to this internal list do not affect the IP Watch List that is visible in the Information Manager console.

Predefined rule: Account Guessing Attack
Description: Monitors for multiple failed attempts to authenticate using a single user account. This rule uses a combination of the Target Resource, Event Type ID, Mechanisms, and Intrusion Outcome ID fields to determine if a set of events indicates a possible account guessing attack. If the Target Resource field is populated, and either the Event Type ID field equals User Authentication Failed or the Mechanisms field contains Login and the Intrusion Outcome field contains Failed, and 2 similar events occur over a span of 10 minutes, a conclusion is created. This rule also uses the Tracking Keys to specify which single element (IP Destination Address) and which multiple elements (Target Resource) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Target value.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 2 over 10 minutes
  Conclusion Severity: 2
Customizations: The number of events or the span of time can be adjusted as necessary.

Predefined rule: Password Guessing Attack
Description: Monitors for multiple failed attempts to authenticate using a single user account. This rule uses a combination of the Target Resource, Event Type ID, Mechanisms, and Intrusion Outcome fields to determine if a set of events indicates a possible password guessing attack. If the Target Resource field is populated, and either the Event Type field equals User Authentication Failed or the Mechanisms field contains Login and the Intrusion Outcome field contains Failed, and 2 similar events occur over a span of 10 minutes, a conclusion is created. This rule also uses the Tracking Keys to specify which single elements (IP Destination Address and Target Resource) and which multiple elements (Unique Event ID) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Target value.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 2 over the span of 10 minutes
  Conclusion Severity: 2
Customizations: The number of events or the span of time can be adjusted as necessary.

Predefined rule: Multiple Files Modified
Description: Monitors events for indications of multiple file modifications on a computer. This often indicates root kit or Trojan horse installations. This rule uses a combination of the Intrusion Target Type ID, Intrusion Action ID, and Target Resource fields to determine if an event is a file modification. If the Intrusion Target Type ID field contains File, Intrusion Action ID contains Modify, and Target Resource has been populated, the event criteria have been met. This rule also uses the Tracking Keys to specify which single element (IP Destination Address) and which multiple element (multiple Target Resource values) are used to trigger the conclusion. If 5 file modification events occur on the same IP with multiple Resource values over the span of 10 minutes, a conclusion is created. When this conclusion is triggered, event tracking begins based on events that have the same Target.
The following settings have been applied:
  Rule type: Many to One
  Number of events required: 5 over the span of 10 minutes
  Conclusion Severity: 2
Customizations: Some point products report files that are missing on startup as being modified. This may result in a false positive declaration of this rule. To reduce false positives, you could create an exception for the Vendor Signature for Monitored file deletion events. The table size by default is 9,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last.

Predefined rule: NULL Login Authentication Violation
Description: Monitors for Windows "null" login events that are followed closely by an authentication violation event. For the X portion, this rule uses the Symantec Event Code field to determine if a null login event has occurred. If the Symantec Event Code field contains either Microsoft NT NetBIOS NULL Session Attack (390) or Microsoft NT Null Login Probe (2660), the X criteria are met. For the Y portion, this rule uses the Intrusion Outcome ID field combined with the Mechanisms field to determine if an authentication violation has occurred. If the Intrusion Outcome ID field equals failed, which is the value for a failed intrusion attempt event in the Intrusion event schema, and the Mechanisms field contains Login, the Y criteria are met. If the conditions for both the X and Y portions of the rule criteria are met using the same source IP and IP Destination Address within 10 minutes, a conclusion is created.
The following settings have been applied:
  Rule type: X Followed by Y
  Number of events required: 1 in a 10 minute span
  Conclusion Severity: 2
Customizations: You should test this setting with the collectors and products that you use to detect null login events, since some product signatures are not included in the Symantec Event Code. If you are using a collector or product that does not trigger this rule based on the Symantec Event Code, you may need to create an additional set of criteria that identifies the product signature or event code that is generated by that product. For HIDS devices, a null session is typically logged as either an Unknown or Anonymous connection. In this case, you should update the rule with the Vendor Signature referenced when these types of connections are logged. For more information on the fields available in the Intrusion schema, see the Symantec Collector Studio Event Reference Guide.

Predefined rule: Single Event DoS
Description: Monitor for denial of service exploit events that are targeted at a computer. This rule uses a combination of the Effects and Mechanisms fields to determine if a Denial of Service attack has been attempted or is underway. If the Effects field contains Degradation and the Mechanisms field contains either Buffer Overflow or Application Exploit, a conclusion is created. Events that match these criteria are tracked using the IP Destination Address field.
The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 3
Customizations: The table size by default is 100. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order starting from first to last. If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X). Filters or exclusions can be added both for systems that generate a large number of false positives and for IDS signatures that are detected often and are considered to be false positives. IDS signatures are usually best dealt with in filters. For the most precise filters, restrict the discarding of events to the systems known to generate the signature as a false positive, so that valid occurrences are not filtered accidentally.

Predefined rule: Scan Followed By Exploit

Description:
Monitors for reconnaissance attempts that are followed by an exploit.

For the X portion, this rule uses the Mechanisms field to identify when a source computer uses a known pattern (Network Sweep, Host Sweep, Port Sweep, or Port Scan) to interact with a target.

For the Y portion, this rule uses the Mechanisms field to determine if the IP Source Address from the X criteria is using a different pattern of attack on the same IP Destination Address.

If the conditions for both the X and Y portions of the rule criteria are met using the same source IP and IP Destination Address within 10 minutes, a conclusion is created.

The following settings have been applied:
  Rule type: X Followed by Y
  Number of events required: 1 over 10 minutes
  Conclusion Severity: 3

Customizations:
If you have systems on your network that regularly produce false positives, you could create an exclusion based on the IP address of the source of the false positives (for example, source_ip != X.X.X.X).
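The two "X Followed by Y" rules above (NULL Login Authentication Violation and Scan Followed By Exploit) share one mechanism: remember X events per source/destination pair, and conclude when a Y event for the same pair arrives inside the 10 minute span. The following is an added example written for this guide, not Information Manager's own rule engine; the snake_case field names, the event layout and the sample events are assumptions constructed for the example.

```python
"""Added example (not Information Manager code): a minimal "X Followed by Y"
correlator modelled on the NULL Login Authentication Violation and
Scan Followed By Exploit rules. Event layout and snake_case field names are
assumptions for this example."""
from collections import defaultdict, deque

SPAN = 10 * 60  # both rules correlate X and Y within a 10 minute span


# --- NULL Login Authentication Violation ------------------------------------
def x_null_login(ev):
    # X: Symantec Event Code 390 (NetBIOS NULL Session Attack) or 2660 (Null Login Probe)
    return ev.get("symantec_event_code") in (390, 2660)


def y_auth_violation(ev):
    # Y: Intrusion Outcome ID equals failed and Mechanisms contains Login
    return ev.get("intrusion_outcome_id") == "failed" and "Login" in ev.get("mechanisms", ())


# --- Scan Followed By Exploit -----------------------------------------------
SWEEP_PATTERNS = {"Network Sweep", "Host Sweep", "Port Sweep", "Port Scan"}


def x_scan(ev):
    # X: Mechanisms contains one of the known reconnaissance patterns
    return bool(SWEEP_PATTERNS & set(ev.get("mechanisms", ())))


def y_different_attack(ev):
    # Y: the same source uses a different (non-sweep) pattern of attack
    mech = set(ev.get("mechanisms", ()))
    return bool(mech) and not mech & SWEEP_PATTERNS


class XFollowedByY:
    """Tracks X events per (source IP, IP Destination Address); a Y event for the
    same key within `span` seconds of a pending X produces one conclusion."""

    def __init__(self, name, x_pred, y_pred, severity, span=SPAN):
        self.name, self.x_pred, self.y_pred = name, x_pred, y_pred
        self.severity, self.span = severity, span
        self.pending = defaultdict(deque)  # key -> timestamps of pending X events

    def feed(self, ev):
        key = (ev["ip_source"], ev["ip_destination"])
        t = ev["event_time"]
        q = self.pending[key]
        while q and t - q[0] > self.span:  # expire X events that fell outside the span
            q.popleft()
        if self.x_pred(ev):
            q.append(t)
        if self.y_pred(ev) and q:
            q.clear()  # one conclusion per X/Y pair, not one per trailing Y
            return {"rule": self.name, "severity": self.severity, "key": key, "time": t}
        return None


def null_login_rule():
    return XFollowedByY("NULL Login Authentication Violation", x_null_login, y_auth_violation, severity=2)


def scan_exploit_rule():
    return XFollowedByY("Scan Followed By Exploit", x_scan, y_different_attack, severity=3)


def run(rule, events):
    """Feed events in time order and return the conclusions the rule created."""
    ordered = sorted(events, key=lambda e: e["event_time"])
    return [c for c in map(rule.feed, ordered) if c]


# Constructed sample events (times in seconds; not captured from a real deployment).
NULL_LOGIN_SAMPLE = [
    {"event_time": 0, "ip_source": "10.0.0.5", "ip_destination": "10.0.0.20", "symantec_event_code": 2660},
    {"event_time": 120, "ip_source": "10.0.0.5", "ip_destination": "10.0.0.20",
     "intrusion_outcome_id": "failed", "mechanisms": ("Login",)},  # Y inside the span: conclusion
    {"event_time": 130, "ip_source": "10.0.0.7", "ip_destination": "10.0.0.20",
     "intrusion_outcome_id": "failed", "mechanisms": ("Login",)},  # Y with no prior X: nothing
]
SCAN_SAMPLE = [
    {"event_time": 0, "ip_source": "10.0.0.5", "ip_destination": "10.0.0.20", "mechanisms": ("Port Scan",)},
    {"event_time": 300, "ip_source": "10.0.0.5", "ip_destination": "10.0.0.20", "mechanisms": ("Buffer Overflow",)},
    {"event_time": 0, "ip_source": "10.0.0.8", "ip_destination": "10.0.0.30", "mechanisms": ("Host Sweep",)},
    {"event_time": 900, "ip_source": "10.0.0.8", "ip_destination": "10.0.0.30",
     "mechanisms": ("Application Exploit",)},  # 15 minutes after the sweep: X already expired
]

if __name__ == "__main__":
    for rule, sample in ((null_login_rule(), NULL_LOGIN_SAMPLE), (scan_exploit_rule(), SCAN_SAMPLE)):
        for conclusion in run(rule, sample):
            print(conclusion)
```

The queue is cleared when a conclusion fires so that a burst of authentication failures after one null login probe produces a single conclusion rather than one per failure; the expiry loop is what enforces the 10 minute span from the rule settings.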

Predefined rule: Trojan Connections

Description:
Monitors for firewall connections that are established using known backdoor ports.

This rule uses a combination of the IP Destination Port and Event Type ID fields to determine if a source IP is trying to use a known backdoor port on an IP Destination Address. If the IP Destination Port is not null and is listed in the trojans table, and the Event Type ID field contains either Connection Statistics or Connection Accepted, a conclusion is created. Events that match these criteria are tracked using the IP Destination Address and IP Destination Port fields.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
If you are using custom ports on your network, be sure that you understand the implications of the traffic that you are allowing across those ports. If protocols have been remapped to custom port values, you may need to update the trojans table with the ports you are using that may be vulnerable to known attacks.

In addition, you may discover that the ports that are listed in the trojans table have acceptable uses on your network within the parameters of the Network Type that this rule uses. You can adjust this rule to create an exception for the use you support on a particular port.

Predefined rule: Vulnerability Scan

Description:
Monitors vulnerability events logged by vulnerability scanners and consolidates those events into a single incident per computer.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1 in the span of 1 minute
  Conclusion Severity: 2

Customizations:
A possible customization for this rule would be to exclude systems that have known vulnerabilities that have been granted an exception for business purposes.

Predefined rule: Vulnerability Scan Detector

Description:
Monitors for hostile vulnerability scans on the network.

This rule uses a combination of the Source Host Policies field and the Mechanisms field to determine if an event suggests that a malicious network probe may have taken place, or is occurring. If the Source Host Policies field does not contain the strings Firewall or Proxy, and the Mechanisms field contains any one of the six specified values, and 5 similar events occur over the span of 20 minutes from the same IP address, a conclusion is created.

The following settings have been applied:
  Rule type: Many Events, One Source
  Number of events required: 5 over 20 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 33,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last.

To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. Since NAT devices mask the original IP with an internal IP, false positives can be triggered for a single masked IP despite the fact that a broad number of external sources are actually accessing the NAT device from the outside.

Predefined rule: Web Vulnerability Scan

Description:
Monitors for HTTP-based vulnerability scans (for example, Whisker).

This rule uses a combination of the Resources, Source Host Policies, and Mechanisms fields to determine if an event suggests that a malicious Web services probe may have taken place, or is occurring. If the Resources field contains Web and the Source Host Policies field does not contain VulnerabilityScanner, and if the Mechanisms field contains any one of the five specified values, and 20 similar events occur over the span of 10 minutes from the same IP address, a conclusion is created.

The following settings have been applied:
  Rule type: Many Events, One Source
  Number of events required: 20 over a span of 10 minutes
  Conclusion Severity: 3

Customizations:
The table size by default is 10,000. During an ongoing attack it may be necessary to increase the table size. If the event data exceeds the table size, new events may overwrite the existing event records in sequential order, starting from first to last.

To help reduce false positives, you can also create exceptions to this rule for the firewalls, proxies, and Network Address Translation (NAT) devices in the Asset table. Since NAT devices mask the original IP with an internal IP, false positives can be triggered for a single masked IP despite the fact that a broad number of external sources are actually accessing the NAT device from the outside.


Appendix J

System Monitor rules

This appendix includes the following topics:
  About the System Monitor rules

About the System Monitor rules

Information Manager includes a set of predefined System Monitor rules that help to identify potential threats. System Monitor rules are Java-based rules that monitor systems for unexpected system changes or periods of inactivity that may indicate a potential security threat.

Table J-1 describes the predefined System Monitor rules.

Table J-1 System Monitor predefined rules

Predefined rule: Asset Detector
Description: Asset Detector monitors vulnerability scan events to create or update assets.
Customization: For this release, the Auto-assign and Notifications features are not supported.

Predefined rule: System State Monitor
Description: System State Monitor continuously monitors the SSIM Agents and Event Collectors. It creates an incident if no events are seen from a particular agent or collector for the predefined time interval.
Customization: You should customize the Auto-assign and Notifications settings to meet your requirements.
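The System State Monitor rule is an absence detector: it has to notice that a collector has stopped sending rather than that something was sent. The following is an added example written for this guide, not Information Manager's own implementation; the 15 minute interval, the collector names and the timeline are constructed assumptions, and the design points it shows are that any event counts as activity, that one period of silence yields one incident rather than one per check, and that silence after recovery opens a new incident.

```python
"""Added example (not Information Manager code): an inactivity monitor in the
spirit of the System State Monitor rule, which opens an incident when an agent
or collector sends nothing for the predefined interval. The interval, collector
names and timeline are constructed for this example."""

SILENCE_INTERVAL = 15 * 60  # assumed predefined interval, in seconds


class SystemStateMonitor:
    def __init__(self, collectors, start, interval=SILENCE_INTERVAL):
        self.interval = interval
        self.last_seen = {c: start for c in collectors}  # registration time counts as activity
        self.open_incidents = set()                      # collectors currently flagged silent

    def observe(self, collector, t):
        """Any event from a collector counts as activity and closes an open incident."""
        self.last_seen[collector] = max(t, self.last_seen.get(collector, t))
        self.open_incidents.discard(collector)

    def check(self, now):
        """Periodic check: at most one incident per collector per period of silence."""
        incidents = []
        for collector, last in self.last_seen.items():
            silent_for = now - last
            if silent_for > self.interval and collector not in self.open_incidents:
                self.open_incidents.add(collector)
                incidents.append({"collector": collector, "silent_for": silent_for, "time": now})
        return incidents


def replay(timeline, collectors, start=0, interval=SILENCE_INTERVAL):
    """timeline entries are ("event", collector, t) or ("check", None, t).
    Events with the same timestamp as a check are applied before that check."""
    monitor = SystemStateMonitor(collectors, start, interval)
    incidents = []
    for kind, collector, t in sorted(timeline, key=lambda e: (e[2], e[0] == "check")):
        if kind == "event":
            monitor.observe(collector, t)
        else:
            incidents.extend(monitor.check(t))
    return incidents


# Constructed timeline: fw-01 reports every 5 minutes; win-01 goes quiet after
# 5 minutes, reports once more at 2000 s, then goes quiet again.
TIMELINE = ([("event", "fw-01", t) for t in range(0, 3001, 300)]
            + [("event", "win-01", t) for t in (0, 300, 2000)]
            + [("check", None, t) for t in (600, 1500, 1800, 3000)])

if __name__ == "__main__":
    for incident in replay(TIMELINE, ["fw-01", "win-01"]):
        print(incident)
```

With this timeline win-01 is reported once at the 1500 s check (silent for 1200 s), not again at 1800 s while the incident is still open, and then again at 3000 s after its brief recovery at 2000 s.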


Appendix K

Windows event rules

This appendix includes the following topics:
  About the Windows event rules

About the Windows event rules

Information Manager includes a set of predefined correlation rules that help to identify potential threats. For step-by-step instructions on customizing the rule set, see the Information Manager online Help.

Table K-1 describes the predefined Windows event rules that are included with the default installation.

Table K-1 Predefined Windows event rules

Predefined rule: Account Guessing Attack

Description:
Monitors for multiple failed attempts to authenticate using a single user account.

This rule uses a combination of the Target Resource, Event Type ID, Mechanisms, Firewall Event Details, and Intrusion Outcome ID fields to determine if a set of events indicates a possible account guessing attack. If the Target Resource field is populated, the Firewall Event Details string matches, and either the Event Type field equals User Authentication Failed or the Mechanisms field contains Login and the Intrusion Outcome ID field contains Failed, and 2 similar events occur over a span of 10 minutes, a conclusion is created.

This rule also uses the Tracking Keys to specify which single element (IP Destination Address) and which multiple elements (Target Resource) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Target value.

The following settings have been applied:
  Rule type: Many to One
  Number of events required: 2 over 10 minutes
  Conclusion Severity: 2

Customizations:
The number of events or the span of time can be adjusted as necessary.

Predefined rule: Password Guessing Attack

Description:
Monitors for multiple failed attempts to authenticate using a single user account.

This rule uses a combination of the Target Resource, Event Type ID, Mechanisms, Firewall Event Details, and Intrusion Outcome ID fields to determine if a set of events indicates a possible password guessing attack. If the Target Resource field is populated, the Firewall Event Details string matches, and either the Event Type field equals User Authentication Failed or the Mechanisms field contains Login and the Intrusion Outcome ID field contains Failed, and 2 similar events occur over a span of 10 minutes, a conclusion is created.

This rule also uses the Tracking Keys to specify which single elements (IP Destination Address and Target Resource) and which multiple elements (Unique Event ID) are used to trigger this conclusion. When this conclusion is triggered, event tracking begins based on events that have the same Target value.

The following settings have been applied:
  Rule type: Many to One
  Number of events required: 2 over the span of 10 minutes
  Conclusion Severity: 2

Customizations:
The number of events or the span of time can be adjusted as necessary.
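The Account Guessing Attack and Password Guessing Attack rules above differ only in their Tracking Keys: the same failed-authentication criteria count distinct Target Resources per IP Destination Address in one case and distinct Unique Event IDs per (IP Destination Address, Target Resource) in the other. The Vulnerability Scan Detector and Web Vulnerability Scan rules in Table I-1 are the simpler "Many Events, One Source" form of the same counter, and their "table size" caveat is the bounded tracking table. The following is an added example written for this guide, not Information Manager's rule engine; the field names, the placeholder probe mechanism list (the page does not list the six values) and all sample events are constructed assumptions, and the Firewall Event Details string match is omitted because its value is not given on the page.

```python
"""Added example (not Information Manager code): a threshold correlator for the
"Many Events, One Source" and "Many to One" rule types with single-element and
multiple-element tracking keys and a bounded tracking table. Field names, the
probe mechanism list and all events are assumptions constructed for this example."""
from collections import OrderedDict

MINUTES = 60


class ThresholdRule:
    """Counts, per value of `single_keys`, either events (multi_key=None) or
    distinct values of `multi_key`, and concludes when `threshold` is reached
    within `span` seconds. The tracking table holds at most `table_size` keys;
    when it is full the oldest key's partial count is overwritten."""

    def __init__(self, name, match, single_keys, multi_key, threshold, span, severity, table_size=100):
        self.name, self.match = name, match
        self.single_keys, self.multi_key = single_keys, multi_key
        self.threshold, self.span, self.severity = threshold, span, severity
        self.table_size = table_size
        self.table = OrderedDict()  # tracking key -> [(time, multi value), ...]
        self.overwritten = 0        # keys lost because the table was full

    def feed(self, ev):
        if not self.match(ev):
            return None
        key = tuple(ev[k] for k in self.single_keys)
        t = ev["event_time"]
        if key not in self.table:
            if len(self.table) >= self.table_size:
                self.table.popitem(last=False)  # the "table size" caveat: oldest record lost
                self.overwritten += 1
            self.table[key] = []
        # drop records outside the span, then add this event
        records = [(ts, v) for ts, v in self.table[key] if t - ts <= self.span]
        records.append((t, ev.get(self.multi_key) if self.multi_key else None))
        self.table[key] = records
        count = len(records) if self.multi_key is None else len({v for _, v in records})
        if count >= self.threshold:
            self.table[key] = []  # reset so one burst yields one conclusion
            return {"rule": self.name, "key": key, "count": count, "severity": self.severity, "time": t}
        return None


# Placeholder for the six mechanism values the page refers to but does not list.
PROBE_MECHANISMS = {"Port Scan", "Port Sweep", "Host Sweep", "Network Sweep"}


def vuln_scan_match(ev):
    # Source Host Policies must not contain Firewall or Proxy; Mechanisms must contain a probe pattern
    policies = set(ev.get("source_host_policies", ()))
    return not policies & {"Firewall", "Proxy"} and bool(PROBE_MECHANISMS & set(ev.get("mechanisms", ())))


def failed_auth_match(ev):
    # shared by Account Guessing and Password Guessing (Firewall Event Details match omitted)
    return bool(ev.get("target_resource")) and (
        ev.get("event_type_id") == "User Authentication Failed"
        or ("Login" in ev.get("mechanisms", ()) and ev.get("intrusion_outcome_id") == "Failed"))


def vulnerability_scan_detector(table_size=100):
    return ThresholdRule("Vulnerability Scan Detector", vuln_scan_match,
                         ("ip_source",), None, 5, 20 * MINUTES, 3, table_size)


def account_guessing():   # one IP Destination Address, many Target Resources
    return ThresholdRule("Account Guessing Attack", failed_auth_match,
                         ("ip_destination",), "target_resource", 2, 10 * MINUTES, 2)


def password_guessing():  # one (IP Destination Address, Target Resource), many Unique Event IDs
    return ThresholdRule("Password Guessing Attack", failed_auth_match,
                         ("ip_destination", "target_resource"), "unique_event_id", 2, 10 * MINUTES, 2)


def run(rule, events):
    return [c for c in map(rule.feed, sorted(events, key=lambda e: e["event_time"])) if c]


def fail(t, target, uid, dest="10.0.0.20"):
    return {"event_time": t, "ip_destination": dest, "target_resource": target,
            "unique_event_id": uid, "event_type_id": "User Authentication Failed"}


def probe(t, src, policies=()):
    return {"event_time": t, "ip_source": src, "mechanisms": ("Port Scan",), "source_host_policies": policies}


# Constructed samples: three failed logons against one host within a minute, and
# five probes each from a workstation and from an asset flagged Firewall.
AUTH_SAMPLE = [fail(0, "alice", 1), fail(30, "bob", 2), fail(60, "bob", 3)]
SCAN_SAMPLE = ([probe(60 * i, "10.0.0.9") for i in range(5)]
               + [probe(60 * i, "10.0.0.1", ("Firewall",)) for i in range(5)])

if __name__ == "__main__":
    for rule in (account_guessing(), password_guessing()):
        print(run(rule, AUTH_SAMPLE))
    print(run(vulnerability_scan_detector(), SCAN_SAMPLE))
```

On AUTH_SAMPLE the Account Guessing rule fires at the second event (two distinct targets on one host) and the Password Guessing rule at the third (two distinct failures against "bob"); the firewall-flagged probes never match, which is the asset-based exception the page recommends. Constructing the detector with a tiny table_size shows the overwrite behaviour: a third source evicts the first source's partial count.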

Predefined rule: Windows Security Violation

Description:
Monitors for Windows events that may indicate violations of security policies or other malicious activity. This rule is disabled by default.

This rule uses the Product and Vendor Signature fields to identify a possible security policy violation or malicious activity. If the Product field contains Symantec Event Collector for Windows, and the Vendor Signature field contains a value that is in the windows_events table, a conclusion is created.

This rule is a catch-all for all Windows events that are potential security threats. Events that match these criteria are tracked using the Windows Source Computer Name field.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
The Conclusion Severity field may need to be adjusted according to the security policies in place for your organization. This rule is used primarily to indicate that further investigation is necessary; it does not necessarily indicate that a security breach has occurred.

Predefined rule: Windows Account Lockout

Description:
Monitors for Windows events indicating that an account has been locked out.

This rule uses the Windows Event ID field to determine whether an account has been locked out. If the Windows Event ID field contains 539 (Logon Failure - Account locked out) or 644 (User Account Locked Out), a conclusion is created.

This event ID is logged on the computer on which the login failure occurred. If the login was attempted from a remote computer, this event is not logged on the remote computer. Events that match these criteria are tracked using the windows_source_computer_name field.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
The Conclusion Severity field may need to be adjusted according to the security policies in place for your organization. This rule is used primarily to indicate that further investigation is necessary; it does not necessarily indicate that a security breach has occurred.

Predefined rule: Windows Audit Log Cleared

Description:
Monitors events that indicate the Windows audit log has been cleared.

This rule uses the Windows Event ID and Windows Message fields to indicate that the audit log has been cleared. If the Windows Event ID field contains 517 (The audit log was cleared) and the Windows Message field contains the string "The audit log was cleared," a conclusion is created.

This rule also tracks information on the system and user name of the person who cleared the log. The Primary User Name field (contained in the windows_source_computer_name Information Manager field) identifies the system name, and the Client User Name field (contained in the option5 and option4 Information Manager fields) identifies the user. Events that match these criteria are tracked using the windows_source_computer_name field.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
This rule could be modified to focus on a particular system that appears to be vulnerable.

To reduce false positives, this rule could be modified to exclude certain accounts that are permitted to clear the log file. For example, the System account or an Administrator account could be specified as exclusion criteria.

Predefined rule: Windows Privileged Activities by User

Description:
Monitors for Windows activity where the user is using the SeTcbPrivilege flag to gain elevated privileges.

This rule uses a combination of the Windows Message, Windows User Name, and Windows Event ID fields to determine whether a specific user is attempting to elevate privileges using the SeTcbPrivilege flag. If the Windows Message field contains SeTcbPrivilege and the Windows User Name does not equal SYSTEM (which is an acceptable use of SeTcbPrivilege), and the Windows Event ID field contains either 577 (Privileged Service Called) or 578 (Privileged object operation), a conclusion is created.

Events that match these criteria are tracked using the windows_source_computer_name and Windows User Name fields.

The following settings have been applied:
  Rule type: Single Event
  Number of events required: 1
  Conclusion Severity: 2

Customizations:
If you need to track more general changes to privileges than those that use only the SeTcbPrivilege flag, this rule could be customized to trigger if the Windows Event ID field contained related privilege changes, such as Windows security events 608, 609, 620, and 621, which are used primarily to document changes to permissions.

To reduce false positives, this rule could be modified to exclude certain accounts that are expected to modify privilege settings. For example, the System account or an Administrator account could be specified as exclusion criteria.
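The four remaining Windows rules (Security Violation, Account Lockout, Audit Log Cleared, Privileged Activities by User) are all Single Event rules: a lookup on Windows Event ID, Windows Message or a windows_events style table, one conclusion per matching event, tracked by computer name, with the page's suggested customizations being an exclusion list of accounts and the enabled/disabled state. The Trojan Connections rule in Table I-1 follows the same table-lookup pattern. The following is an added example written for this guide, not Information Manager's rule engine; the field names, the windows_events table contents (a constructed subset keyed on the event IDs the page names) and the sample events are assumptions.

```python
"""Added example (not Information Manager code): Single Event rules driven by
event ID lookups, a windows_events style table and excluded-account
customizations, modelled on Windows Security Violation, Windows Account Lockout,
Windows Audit Log Cleared and Windows Privileged Activities by User. Field names,
the table contents and the sample events are constructed for this example."""

# Stand-in for the windows_events table: Vendor Signature values treated as
# potential security threats (constructed subset using the event IDs named on the page).
WINDOWS_EVENTS_TABLE = {"517", "539", "644", "577", "578"}


class SingleEventRule:
    """One matching event creates one conclusion, unless the rule is disabled or
    the event's user is in the rule's exclusion list (the suggested customization)."""

    def __init__(self, name, match, tracking_fields, severity=2, enabled=True, excluded_users=()):
        self.name, self.match, self.tracking_fields = name, match, tracking_fields
        self.severity, self.enabled = severity, enabled
        self.excluded_users = set(excluded_users)

    def feed(self, ev):
        if not self.enabled or not self.match(ev):
            return None
        if ev.get("windows_user_name") in self.excluded_users:
            return None
        key = tuple(ev.get(f) for f in self.tracking_fields)
        return {"rule": self.name, "key": key, "severity": self.severity}


def security_violation(ev):
    return (ev.get("product") == "Symantec Event Collector for Windows"
            and ev.get("vendor_signature") in WINDOWS_EVENTS_TABLE)


def account_lockout(ev):
    # 539 Logon Failure - Account locked out; 644 User Account Locked Out
    return ev.get("windows_event_id") in (539, 644)


def audit_log_cleared(ev):
    return ev.get("windows_event_id") == 517 and "The audit log was cleared" in ev.get("windows_message", "")


def privileged_activity(ev):
    # SeTcbPrivilege used by anyone other than SYSTEM, in event 577 or 578
    return ("SeTcbPrivilege" in ev.get("windows_message", "")
            and ev.get("windows_user_name") != "SYSTEM"
            and ev.get("windows_event_id") in (577, 578))


def default_rules(clear_log_exclusions=()):
    return [
        SingleEventRule("Windows Security Violation", security_violation,
                        ("windows_source_computer_name",), enabled=False),  # disabled by default
        SingleEventRule("Windows Account Lockout", account_lockout, ("windows_source_computer_name",)),
        SingleEventRule("Windows Audit Log Cleared", audit_log_cleared,
                        ("windows_source_computer_name",), excluded_users=clear_log_exclusions),
        SingleEventRule("Windows Privileged Activities by User", privileged_activity,
                        ("windows_source_computer_name", "windows_user_name")),
    ]


def evaluate(events, rules):
    """Return (rule name, tracking key) for every conclusion the rule set creates."""
    return [(c["rule"], c["key"]) for ev in events for c in (r.feed(ev) for r in rules) if c]


def win(event_id, host, user, message=""):
    return {"product": "Symantec Event Collector for Windows", "vendor_signature": str(event_id),
            "windows_event_id": event_id, "windows_source_computer_name": host,
            "windows_user_name": user, "windows_message": message}


# Constructed sample events (not real log data).
SAMPLE = [
    win(517, "HOST1", "jdoe", "The audit log was cleared"),
    win(517, "HOST2", "SYSTEM", "The audit log was cleared"),
    win(644, "DC1", "bob"),
    win(577, "HOST3", "svc_backup", "Privileged Service Called: SeTcbPrivilege"),
    win(577, "HOST3", "SYSTEM", "Privileged Service Called: SeTcbPrivilege"),
    win(4624, "HOST1", "jdoe", "Successful logon"),
]

if __name__ == "__main__":
    for conclusion in evaluate(SAMPLE, default_rules(clear_log_exclusions=("SYSTEM",))):
        print(conclusion)
```

With the defaults the sample yields four conclusions; passing clear_log_exclusions=("SYSTEM",) drops the HOST2 audit-log conclusion, and enabling the Security Violation catch-all adds one conclusion for every sample event whose Vendor Signature is in the table, which is why the page leaves it disabled until its severity has been tuned.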


Appendix L

Event filters

This appendix includes the following topics:
  About the event filters
  Custom event filters example

About the event filters

Information Manager includes a set of predefined event filters that help to identify false positives. Table L-1 describes the filters that are included with the default installation.

Table L-1 Predefined event filters

Predefined filter: Application Status Events
Description: This filter uses a combination of the Vendor Signature and Event Type ID fields to determine if an event can be filtered. If the Vendor Signature does not equal ScanningDisabled and the Event Type ID is either Application Start or Application Stop, the event is filtered.
Customizations: None.

Predefined filter: Asset Not Vulnerable
Description: This filter uses the Vulnerable field to determine if the asset is vulnerable. If the Vulnerable field equals False, the event is filtered. This filter is disabled by default.
Customizations: You can create an exception for this filter if you want to be notified of all events related to a critical system.

Predefined filter: Internal DNS Zone Transfer
Description: The Internal DNS Zone Transfer filter monitors for connection events between two systems flagged as DNS servers within the Asset table. This filter uses a combination of the Source Host Services, Target Host Services, IP Destination Port, and Source Port fields to determine if the traffic between two DNS servers is expected behavior between the two resources. If the Source Host Services and Target Host Services fields contain 53 - Domain Name Server (DNS), and the IP Destination Port and Source Port fields equal 53, the event is filtered.
Customizations: This filter assumes that you are using the standard DNS ports for DNS traffic. In some cases, a custom port may be used on your network (for example, if you are using a DNS server that performs zone transfers on a separate port). If you are using a custom port for DNS traffic, you should update this filter with the corresponding port in the Source Port and IP Destination Port fields. You should also be sure to enter the appropriate profile information for each of your DNS servers in the Asset table. This filter will not fire if you have not specified the target and source DNS servers as such in the Asset table.

Predefined filter: Internal ICMP
Description: The Internal ICMP filter monitors for internal ICMP traffic that is typically present on most networks and discards those events. This filter uses a combination of the Network Traffic Direction and Mechanisms fields to determine whether events that are flagged as ICMP traffic should be filtered. If the Network Traffic Direction field equals Internal and the Mechanisms field contains Network ICMP, the event is filtered.
Customizations: As a general rule, if ICMP is permitted on a network, ICMP traffic should be carefully monitored for excessive or unusual activity. ICMP sits on the IP layer and does not use authentication. Denial of Service attacks are one of the primary risks to networks that allow ICMP traffic.

Predefined filter: Internal NetBIOS Traffic
Description: The Internal NetBIOS Traffic filter discards events identified as NetBIOS traffic and having both a source and target flagged as internal. This filter uses a combination of the IP Destination Port, IP Source Port, and Network Traffic Direction fields to identify acceptable NetBIOS traffic events. If the IP Destination Port equals a port that transports NetBIOS traffic, and the IP Source Port equals an acceptable port, and the Network Traffic Direction field equals Internal, the event is filtered.
Customizations: This filter assumes that you are using the standard ports for NetBIOS traffic. If you are using custom ports for this purpose, you will need to update this filter accordingly.

Predefined filter: Network Manager Traffic
Description: The Network Manager Traffic filter discards events identified as ICMP or SNMP traffic originating from a system flagged as a Network Manager in the Asset table. This filter uses a combination of the Source Host Policies, IP Destination Port, Mechanisms, and Resources fields to determine if an event that identifies ICMP or SNMP traffic should be discarded. If the Source Host Policies field contains NetworkManager, and the IP Destination Port equals 161, the Mechanisms field contains Network ICMP, or the Resources field contains SNMP, the event is filtered.
Customizations: You should be sure to enter the appropriate profile information for each of your computers acting as Network Manager resources in the Asset table.

Predefined filter: SIM Events
Description: The SIM Events filter discards Security Information Manager (SIM) generated events such as Incident Create and Incident Update. To avoid creating a positive feedback loop, this filter should not be disabled.
Customizations: This filter should always be enabled.

Predefined filter: SSIM Statistics
Description: This filter uses the Event Class ID field to determine if the traffic is Information Manager statistical information. This filter should not be disabled.
Customizations: This filter should always be enabled.

Predefined filter: Timed Out HTTP Traffic
Description: The Timed Out HTTP Traffic filter discards failed firewall connection events where the events are indicative of HTTP traffic being rejected because the firewall lost the state of the connection. This filter uses a combination of the IP Destination Port, Event Type ID, and IP Source Port fields to determine a match. The event is filtered if the following conditions exist: the IP Destination Port is greater than or equal to 1024; the Event Type ID field is equal to either Connection Dropped or Connection Rejected; and the Source Port is 80, 443, or
Customizations: This filter assumes that you are using the standard ports for firewall connection traffic. If you are using custom ports, you should update this filter accordingly.

Predefined filter: Vulnerability Scans
Description: The Vulnerability Scans filter discards exploit and reconnaissance events where the source is flagged as a VulnerabilityScanner in the Asset table. This filter uses a combination of the Source Host Policies field and the Mechanisms field to determine a match. If the Source Host Policies field contains VulnerabilityScanner, and the Mechanisms field contains Remote Execution, Buffer Overflow, or Application Exploit, the event is filtered.
Customizations: Vulnerability scanners typically use Remote Execution, Buffer Overflow, and Application Exploit tests to assess vulnerability. If you are using a VA scanner that uses additional techniques, you may need to update this filter to match those additional settings.

Custom event filters example

This section provides common scenarios for creating custom rules that extend the conclusion coverage provided by the default rules. In most cases, the rule suggestions use one of the predefined rules as a template from which a new rule can be derived.

ISS RealSecure Smurf Attack false positive filter example

One common filter is to exclude events based on Vendor Signature values. For example, ISS RealSecure incorrectly identifies the activity of several firewall monitoring tools as Smurf Attack traffic. A simple filter would discard events from RealSecure where the Vendor Signature is Smurf_Attack and the source is a firewall.
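Table L-1 and the custom filter example above describe filters as predicates over normalized event fields, several of which depend on how the source or target is profiled in the Asset table (DNS servers by service 53, VulnerabilityScanner and Firewall by policy). The following is an added example written for this guide, not Information Manager's filter engine; the asset entries, field names and sample events are constructed assumptions, the Timed Out HTTP Traffic predicate uses only ports 80 and 443 because the page's third port did not survive extraction, and the RealSecure Smurf_Attack filter is the custom filter the page describes expressed in the same form.

```python
"""Added example (not Information Manager code): the event filter stage as a
chain of predicates over normalized events, using Asset table lookups for host
services and policies and including the ISS RealSecure Smurf_Attack false
positive filter from the custom filter example. The asset entries, field names
and events are constructed for this example."""

# Constructed stand-in for the Asset table: IP -> services offered / policies flagged.
ASSETS = {
    "10.1.1.53": {"services": {53}, "policies": set()},                   # internal DNS server
    "10.1.2.53": {"services": {53}, "policies": set()},                   # internal DNS server
    "10.1.0.1": {"services": set(), "policies": {"Firewall"}},
    "10.1.9.9": {"services": set(), "policies": {"VulnerabilityScanner"}},
}


def host_services(ip):
    return ASSETS.get(ip, {}).get("services", set())


def host_policies(ip):
    return ASSETS.get(ip, {}).get("policies", set())


def sim_events(ev):
    # discards SIM-generated events; disabling this would feed incidents back into correlation
    return ev.get("event_type_id") in ("Incident Create", "Incident Update")


def internal_dns_zone_transfer(ev):
    # only fires when both hosts are flagged as DNS servers (service 53) in the Asset table
    return (53 in host_services(ev.get("ip_source")) and 53 in host_services(ev.get("ip_destination"))
            and ev.get("ip_destination_port") == 53 and ev.get("ip_source_port") == 53)


def timed_out_http_traffic(ev):
    # the page lists a third source port that was lost in extraction; 80 and 443 are used here
    return (ev.get("ip_destination_port", 0) >= 1024
            and ev.get("event_type_id") in ("Connection Dropped", "Connection Rejected")
            and ev.get("ip_source_port") in (80, 443))


def vulnerability_scans(ev):
    return ("VulnerabilityScanner" in host_policies(ev.get("ip_source"))
            and bool({"Remote Execution", "Buffer Overflow", "Application Exploit"} & set(ev.get("mechanisms", ()))))


def realsecure_smurf_false_positive(ev):
    # custom filter from the page: RealSecure Smurf_Attack reported for a source that is a firewall
    return (ev.get("product") == "RealSecure" and ev.get("vendor_signature") == "Smurf_Attack"
            and "Firewall" in host_policies(ev.get("ip_source")))


# (name, predicate, enabled)
FILTERS = [
    ("SIM Events", sim_events, True),
    ("Internal DNS Zone Transfer", internal_dns_zone_transfer, True),
    ("Timed Out HTTP Traffic", timed_out_http_traffic, True),
    ("Vulnerability Scans", vulnerability_scans, True),
    ("RealSecure Smurf Attack false positive", realsecure_smurf_false_positive, True),
]


def apply_filters(events, filters=FILTERS):
    """Return ({kept ids}, {discarded id: filter name}); the first matching enabled filter wins."""
    kept, discarded = set(), {}
    for ev in events:
        hit = next((name for name, pred, enabled in filters if enabled and pred(ev)), None)
        if hit:
            discarded[ev["id"]] = hit
        else:
            kept.add(ev["id"])
    return kept, discarded


# Constructed sample events (not captured traffic).
SAMPLE = [
    {"id": 1, "ip_source": "10.1.1.53", "ip_destination": "10.1.2.53", "ip_source_port": 53, "ip_destination_port": 53},
    {"id": 2, "ip_source": "10.1.5.5", "ip_destination": "10.1.2.53", "ip_source_port": 53,
     "ip_destination_port": 53},  # source not profiled as a DNS server: the filter does not fire
    {"id": 3, "ip_source": "10.1.0.1", "ip_destination": "10.1.3.7", "ip_source_port": 443,
     "ip_destination_port": 50231, "event_type_id": "Connection Dropped"},
    {"id": 4, "ip_source": "10.1.9.9", "ip_destination": "10.1.3.7", "mechanisms": ("Buffer Overflow",)},
    {"id": 5, "ip_source": "10.1.0.1", "product": "RealSecure", "vendor_signature": "Smurf_Attack"},
    {"id": 6, "ip_source": "192.0.2.7", "product": "RealSecure", "vendor_signature": "Smurf_Attack"},
    {"id": 7, "event_type_id": "Incident Create"},
]

if __name__ == "__main__":
    print(apply_filters(SAMPLE))
```

Event 2 is kept even though it looks like a zone transfer, because its source is not profiled as a DNS server, which is the Asset table dependency the Internal DNS Zone Transfer customization warns about; event 6 is kept because the custom filter only discards Smurf_Attack signatures whose source is a firewall, so a genuine report from an unprofiled host still reaches correlation.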

327 Index A access rights 34 See also permissions console 34 account Administrator 48 default password 47 Information Manager Web configuration interface default 156 Linux 47 Account Guessing Attack rule 304, 316 Agent configuring Manager failover 192 Agent Configurations 195 batch logging 195 for 1.1 Agent 195 Agent to Manager failover configuring 192 aggregation tables 106 Antivirus Disabled rule 258 Antivirus rules for specific infections 266 appliances correlation designation 206 Application Status Events filter 323 archives. See event archives assets identifying 163 Assets table 112 CIA values 127 correlation overview 126 filtering based on operating system 130 importing assets 127 locked and unlocked assets 129 overview 125 policies 132 Services tab overview 131 using a vulnerability scanner to populate the table 129 using CIA values to identify critical events 131 using Severity settings 131 using to reduce false positives 129 Assets table (continued) vulnerability information 128 attacks sample EMR values 122 Attempted DNS Exploit rule 286 Attempted FTP Exploit rule 286 Attempted Service Exploit rule 287 Attempted WWW Exploit rule 287 auto-refresh rate configuring 188 B backup directory 201 batch logging, Agent 195 blacklisting, configuring 196 Block Scan rule 274, 288 BugTraq 112 business information users 52 C Category field. See EMR certificates 251 managing 252 Check FTP Transfers rule 274 client validation, configuring 184 Collector filtering and aggregation antivirus examples 148 creating specifications 142 events generated by specific internal networks 145 examples 144 firewall examples 145 overview 137 policy compliance 138 preparation 140 suggestions 139 vulnerability assessment examples 150 Windows Event Log examples 151

328 Index collectors registering products 168 column sorting in queries 224 Command servlet, configuring 186 computers adding configurations 74 adding to organizational units 66 creating 66 defined 65 deleting 79 distributing configurations 77 editing with agent 68 without agent 69 identification information 70 modifying permissions 78 moving 78 specifying IP addresses 70 MAC addresses 70 viewing service properties 75 services 75 with agents 65 conclusions described 21 escalating based on severity 106 Confidentiality, Integrity, and Availability (CIA) values assigning 127 Configuration service, configuring 186 configurations adding to computers 74 organizational units 62 Agent Configurations 195 Agent Connection Configurations 192 distributing by way of computer Service properties 75 to computers 77 using organizational units 77 Manager 184 Manager components 186 connection failures Information Manager Directory logging 191 console access rights adding to roles 34 contact information users 52 correlation designating appliance 206 correlation manager described 83 knowledge base 84 rule set 84 correlation rules. See rules critical systems. See assets Critical Virus Infection rule 260 D DAS. See Symantec Direct Attached Storage D10 data retention 205 database alarm level 236 archive logs 234 backing up 231 automatically 232 manually 233 to external archive 233 capacity critical level 231 viewing percentage used 230 health monitoring 231 job status 230 maintenance history log 238 purging 234 archive logs 233 purge types 234 restoring from a backup 233 safe level 236 status indicators 231 date setting 158 date values for events 211 DeepSight. See Global Intelligence Network DeepSight Threat Management normalization and 113 Default Processing rule 86, 136 direct attached storage 205, 246. See Symantec Direct Attached Storage D10 See also Symantec Direct Attached Storage D10 third-party devices 246 directory. See security directory directory service accounts 48 diskspace, configuring minimum free space 185

329 Index 329 Distribute menu option 77 Distributed DoS High Volume rule 276, 291 domain 156 domain access adding to an Information Manager appliance 76 Domain Administrator role 27 permissions 43 domain name 156 DoS High Volume rule 275, 289, 302 double-byte characters, for exported Information Manager reports 188 E effects. See EMR address notification 56 EMR described 115 Effects values 116 effects 116 examples 122 Mechanisms values 120 mechanisms 117 Resource values 122 resources 120 EMR values 86 Ending Event Date column 211 environment diagram. See Visualizer errors authentication event archives about 205 adding and removing table columns 212 calendar setting 210 date and time range 210 event details 211 event date values 211 filtering modifying table columns 212 exporting a query 227 graph 209 histogram 209 importing a query 226 live 208 local 208 creating 207 event archives (continued) local (continued) viewing 209 querying Event Query wizard 221 naming rules 220 SQL Query wizard 225 summarizing displayed data 221 Summary Query wizard 223 removing an archive from event viewer 209 saving data from event viewer 209 settings 206 viewing 208 zooming 210 Event Count rule setting 106 Event Criteria field 103 operators 104 event data backing up 231 purging 234 restoring from a backup 233 Event Date column 211 event forwarding configuring default forwarder 170 creating a forwarder 172 deleting a forwarder 172 described 165 from a collection appliance 170 from a SESA Event Logger 173 Event Logger 165, 173 event logging configuring for Agent 195 Event Query wizard 221 Event to Conclusion Correlation fields 106 Events accessing event data in the console 142 events 111 See also normalization described 21 filters predefined 323 mapping during normalization 113 role for viewing 29 External Port Sweep rule 277 F failover configuring Agent to Manager 192

330 Index

failover (continued)
    configuring (continued)
        Manager to Information Manager Directory 190
fields
    Event Criteria 103
    Event to Conclusion Correlation 106
    operators for event criteria 104
filters
    event data 213
forwarding events. See event forwarding
Free Space Quota setting 207

G
gateway 156
Global Intelligence Network
    content updates 177
    exporting content 179
    importing content 179
    license registration 176
    managing security content 175
    viewing status 176

H
heartbeat
    configuring monitor settings 186
history log
    maintenance 238
Host Activity query 219
host criticality. See assets
HTTP Server
    restricting access 197

I
incident data
    backing up 231
    purging 234
    restoring from a backup 233
incidents
    described 21
Information Manager appliance
    adding domain access 76
Information Manager console
    Move menu option 78
    preventing timeout 188
Information Manager Directory
    configuring failover 190
    logging connection failures 191
Information Manager Web configuration interface
    accessing 156
    described 155
installation
    collectors 168
    Direct Attached Storage D10 device 247
    PERC 5/E adapter 247
Internal DNS Zone Transfer filter 324
Internal ICMP filter 324
Internal NetBIOS Traffic filter 324
Internal Port Sweep rule 278
Intrusion Threshold rule 292
inventory, configuring for Agent 195
IP address 156
    specifying for computers 70
IP Address Activity query 218
IP Watch list 86
IP Watchlist rule 279, 292, 303
IRC Bot Net rule 279, 293

K
knowledge base
    configuring tables 86
    correlation manager 84

L
LDAP backup. See security directory
ldifbackup file 202
Linux account 47
LiveUpdate 181
    normalization and 113
    running from Information Manager console 182
    running from Information Manager Web configuration interface 181
logging
    configuring for Agent 195
logon failure, configuring blacklisting 196
Lookup Tables

M
MAC addresses
    specifying for computers 70
Malicious Code Not Quarantined rule 261
Malicious Code Outbreak rule 262
Malicious Code Propagation rule 263, 299
Malicious URL rule 280
Manager
    configuring 184, 186
        Agent connections 192
        Manager connections 189
Max Archive Quota setting 207
mechanisms. See EMR
minimum free disk space, configuring 185
Multiple Files Modified rule 306

N
Network Manager Traffic filter 325
network settings
    changing 156
Network table 112
networks
    specifying 162
normalization
    described 111
    example 113
    files 113
    modifying 113
notification
    address 56
    user information 56
        address 56
        pager numbers 57
        times 58
NTP server
    specifying 158
NULL Login Authentication Violation rule 294, 307

O
off-box storage. See Symantec Direct Attached Storage D10
operators
    Event Criteria 104
organizational units
    adding computers to 66
    creating 62
    deleting 65
    deleting computers 79
    description 61
    distributing configurations 77
    editing 64
    modifying permissions 64
    moving computers 78
    name length limits 63
Original Ending Event Date column 211
Original Event Date column 211

P
pager numbers 57
password
    Information Manager Web configuration interface default 156
Password Guessing Attack rule 305, 317
passwords
    changing 52, 159
    security recommendation 48
PERC 5/E adapter 247
permissions 34
    See also access rights
    description 43
    in roles 35, 37
    modification examples 40
    modifying 45
        computers 78
        organizational units 64
    propagating 44
    user 58
Permissions dialog box 45
Ping Scan Detector rule 281, 295
policy
    adding 162
Port Activity query 220
Port Scan Detector rule 282
publishing queries 227
Purge After setting 207
purging data
    automatically 235
    manually 236
    purge types 234
    size-based purge 236

Q
queries
    column sorting 224
    deleting 227
    editing 226
    event 221
    exporting 227
    groupings 217
    Host Activity query 219
    importing 226
    IP Address Activity query 218
    naming rules 220
    Port Activity query 220
    publishing 227
    SQL 225
    summarizing displayed data 221
    summary 223
    User Activity query 219
query groups 217

R
reboot. See restarting
Recent Events 218
reports, exporting
    configuring character set 188
resources. See EMR
restarting 159
restoring
    security directory 202
Return Trojan Traffic rule 295
role membership
    assigning to users 53
roles
    adding users 32
    console access rights 34
    creating 29
    deleting 42
    description 27
    Domain Administrator 27
        permissions 43
    editing 32
    management of policies and configurations 29
    permissions 37
        examples 40
    planning 28
    product access assignment
        modifying 35
    SES Administrator 27
        permissions 43
    SIM permissions 35
    viewing events 29
rsync 205
rules
    antivirus 257
    categories 99
    components 99
    creating 91
    criteria 100
    custom 95
    default 84
    Default Processing rule 86, 135
    development process 96
    editor 106
    enabling/disabling 91
    firewall 273
    host IDS 301
    network IDS 285
    policy compliance 267
    query naming 220
    settings 106
    strategy 95
    System Monitor 313
    test feature 97
    tuning 96
    types 100
    vulnerability assessment 269
    Windows event 315

S
Scan Followed By Exploit rule 283, 296, 309
scp 205
search templates 217
security certificates 251
    managing 252
security directory
    backing up 201
    registering a collection appliance 167
    restoring 202
security domain
    registering with 169
security environment diagram. See Visualizer
security policy
    adding 162
Sensitive Files list 86
Sensitive URLs list 86
services
    viewing for a computer 75
    viewing properties 75
SES Administrator role 27
    permissions 43
SESA Event Logger 165, 173
SESA logs
    configuring SESA Manager servlet 198
SESA Manager servlet logs 198
shutdown 159
SIM Events filter 325
Single Event DoS rule 280, 290, 308
Smurf Attack false positive filter example 326
Smurf Attack rule 284, 297
Span rule setting 106
Spyware Not Quarantined rule 264
Spyware Outbreak rule 265
SQL Query wizard 225
standard event code 111
state information, configuring for Agent 195
Subcategory field. See EMR
Summary Query wizard 223
Symantec Direct Attached Storage D10
    about 245
    configuring 248
    installation
        overview 246
        prerequisites 247
        procedure 247
    PERC 5/E adapter installation 247
    rack mounting 247
Symantec Event Code 112
Symantec Security Information Manager
    about 17
    configuration process overview 161
    features 18
    functional overview 20
Symantec Signature
    incident mapped to 112
system criticality. See assets

T
Table Size rule setting 106
Tables
    Lookup 87
tables
    aggregation 106
tablespace containers 229
technical support 23
templates for quick search 217
TFTP from WebServer rule 298
throttling, configuring 184
time
    specifying NTP server 158
time setting 158
Timed Out HTTP Traffic filter 325
timeout, preventing, in Information Manager console 188
Trojan Connections rule 284, 310

U
User Activity query 219
user groups
    deleting 59
    modifying 58
users
    adding to a role 32
    assigning role membership 53
    business information 52
    contact information 52
    creating 49
    deleting 59
    description 48
    notification information 56
        addresses 56
        notification times 58
        pager numbers 57
    permissions 58
    properties 51

V
viewing maintenance history log 238
Visualizer
    about 71
    modifying properties 73
    tools 72
Vulnerability Scan Detector rule 300, 311
Vulnerability Scan rule 270
Vulnerability Scans filter 326

W
Web server, configuring 184
Web Vulnerability Scan rule 300, 311
Windows Account Lockout rule 319
Windows Audit Log Cleared rule 320
Windows Events list 86
Windows Privileged Activities by User rule 321
Windows Security Violation rule 318
wizards
    Event Query 221
    SQL Query 225
    Summary Query 223


More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Symantec Backup Exec Management Plug-in for VMware User's Guide

Symantec Backup Exec Management Plug-in for VMware User's Guide Symantec Backup Exec Management Plug-in for VMware User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector for Cisco PIX Quick Reference The software described in this book is furnished under a license agreement and may be used

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 12167130 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide

Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide The software described in this book is furnished

More information

Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide

Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition Installation and Administration Guide The software described

More information

Symantec Endpoint Protection Small Business Edition Client Guide

Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup for Hyper-V Administrator's Guide. Release 7.6

Symantec NetBackup for Hyper-V Administrator's Guide. Release 7.6 Symantec NetBackup for Hyper-V Administrator's Guide Release 7.6 Symantec NetBackup for Hyper-V Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.6 The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7

Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 The software described

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide

Veritas Storage Foundation and High Availability Solutions Getting Started Guide Veritas Storage Foundation and High Availability Solutions Getting Started Guide Linux 5.1 Service Pack 1 Platform Release 2 Veritas Storage Foundation and High Availability Solutions Getting Started Guide

More information

Symantec NetBackup PureDisk Deduplication Option Guide

Symantec NetBackup PureDisk Deduplication Option Guide Symantec NetBackup PureDisk Deduplication Option Guide Windows, Linux, and UNIX Release 6.6.5 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 13740352 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information