Symantec Event Collector 4.3 for Cisco PIX Quick Reference

Transcription

1 Symantec Event Collector 4.3 for Cisco PIX Quick Reference

2 Symantec Event Collector for Cisco PIX Quick Reference The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Legal Notice Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation Stevens Creek Blvd. Cupertino, CA USA

4 Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program Advanced features, including Technical Account Management For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information

5 Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

6 Maintenance agreement resources Additional Enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: Europe, Middle-East, and Africa: North America and Latin America: Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Managed Security Services Consulting Services Educational Services These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

7 Contents Technical Support... 4 Chapter 1 Introducing Symantec Event Collector for Cisco PIX... 9 About this quick reference... 9 Compatibility requirements for Cisco PIX Event Collector System requirements for the Cisco PIX Event Collector computer About the installation sequence for Cisco PIX Event Collector About configuring Cisco PIX to work with the collector Setting the Cisco PIX severity level Disabling the timestamp option Enabling Cisco PIX syslog event forwarding Disabling the Cisco PIX EMBLEM format logging Sensor properties for Cisco PIX Event Collector About syslog event forwarding About Syslog Director Running LiveUpdate for collectors Chapter 2 Implementation notes Product ID for Cisco PIX Event Collector Event example Schema packages Event mapping for Information Manager Chapter 3 Event filtering and aggregation Event filtering and aggregation for Cisco PIX Event Collector... 25

8 8 Contents

9 Chapter 1 Introducing Symantec Event Collector for Cisco PIX This chapter includes the following topics: About this quick reference Compatibility requirements for Cisco PIX Event Collector System requirements for the Cisco PIX Event Collector computer About the installation sequence for Cisco PIX Event Collector About configuring Cisco PIX to work with the collector Sensor properties for Cisco PIX Event Collector About syslog event forwarding About Syslog Director Running LiveUpdate for collectors About this quick reference This quick reference includes information that is specific to Symantec Event Collector for Cisco PIX. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Cisco PIX. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide. For information on Cisco PIX, see your product documentation.

10 10 Introducing Symantec Event Collector for Cisco PIX Compatibility requirements for Cisco PIX Event Collector Compatibility requirements for Cisco PIX Event Collector The collector is compatible with the following Cisco PIX products: Cisco PIX Security Appliance Software 6.34, 7.0.1, or 8.0 Cisco PIX Firewall Software 6.2 The collector runs on the following operating systems: Microsoft Windows 2000 with Service Pack 4 or later Microsoft Windows Advanced Server 2000 with Service Pack 4 or later Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later Windows XP with Service Pack 2 or later You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server Red Hat Enterprise Linux AS 3.0 Red Hat Enterprise Linux AS 4.0 Red Hat Enterprise Linux AS 5.0 Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003. System requirements for the Cisco PIX Event Collector computer Minimum system requirements for a remote collector installation are as follows: Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class) 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent 35 MB of hard disk space for collector program files 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector

11 Introducing Symantec Event Collector for Cisco PIX About the installation sequence for Cisco PIX Event Collector 11 TCP/IP connection to a network from a static IP address About the installation sequence for Cisco PIX Event Collector The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance. The collector installation sequence is as follows: Configure Cisco PIX to work with the collector. Close the Symantec Security Information Manager Client console. Register the collector for all off-appliance collector installations. If you use Information Manager 4.6, the collector has been pre-registered. You do not have to register it. Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent build 12 or later is required. Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See Running LiveUpdate for collectors on page 16. Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer. You can install the collector on the Information Manager 4.5 appliance. However, you must first apply Information Manager with Maintenance Release 1 (or later) upgrade package on the appliance. Configure the sensor. Configure Syslog Director, optional. See About Syslog Director on page 16. Run LiveUpdate. See Running LiveUpdate for collectors on page 16.

12 12 Introducing Symantec Event Collector for Cisco PIX About configuring Cisco PIX to work with the collector For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide. About configuring Cisco PIX to work with the collector Use the configuration tools that are provided with Cisco PIX, to complete the following steps: Set the Cisco PIX severity level. See Setting the Cisco PIX severity level on page 12. Disable the Cisco PIX timestamp option. See Disabling the timestamp option on page 13. Enable Cisco PIX syslog event forwarding. See Enabling Cisco PIX syslog event forwarding on page 13. Disable Cisco PIX EMBLEM format logging, if it is enabled. The EMBLEM format is not supported by the collector. See To disable Cisco PIX EMBLEM format logging on page 14. You can use Syslog Director along with your on-appliance collector. You must configure Cisco PIX to send syslog event data to port 514 with the UDP protocol. Syslog Director is preconfigured to listen for all syslog events through port 514. See the Symantec Event Collectors Integration Guide. Setting the Cisco PIX severity level Severity levels range from 0 (for emergency messages only) to 7 (the highest severity level, used primarily for debugging). Each level includes the levels below it. For example, severity level 4 includes all log messages of severity 0-4. When you select the appropriate severity level, you must balance the need for detailed log information against additional network traffic and disk space that is used by the log data. The collector functions regardless of the severity level that is selected. However, a high severity level provides the collector with more data to analyze and report to Information Manager. A severity level of 6 or 7 detects successful connection activity. If the severity level is set to 5 or lower, the collector does not process and report successful connection activity. Severity level 5 or higher detects more firewall management events, such as remote management connections and changes to the firewall's saved configuration.

13 Introducing Symantec Event Collector for Cisco PIX About configuring Cisco PIX to work with the collector 13 Severity level 4 or higher detects most denied connections and dropped packets. These events are often important indicators of an attack or scan. For this reason, do not set the severity level lower than 4. To set the Cisco PIX severity level At the Cisco PIX command prompt, type the following command: logging trap severity_level Disabling the timestamp option You must disable the Cisco PIX timestamp option in order for Cisco PIX to work with the collector. To disable the Cisco PIX timestamp option At the Cisco PIX command prompt, type the following command: no logging timestamp Enabling Cisco PIX syslog event forwarding You must enable Cisco PIX syslog event forwarding in order for Cisco PIX to work with the collector.

14 14 Introducing Symantec Event Collector for Cisco PIX Sensor properties for Cisco PIX Event Collector To enable Cisco PIX syslog event forwarding At the Cisco PIX command prompt, type the following command: logging host interface_name IP_address udp/port_number where: interface_name is the Cisco PIX network interface that is used to send the syslog messages IP_address is the IP address of the computer that receives the syslog messages (the collector computer in most cases) udp is the default protocol. This parameter needs to be entered only if the port_number is not 514. [/port_number] is the syslog port number preceded by a / An example command that uses UDP as the syslog protocol and port 514 is as follows: logging host dmz An example command that uses a port other than 514 is as follows: logging host dmz udp/516 Disabling the Cisco PIX EMBLEM format logging You must disable the Cisco PIX EMBLEM format logging in order for Cisco PIX to work with the collector. To disable Cisco PIX EMBLEM format logging At the Cisco PIX command prompt, type the following command: no logging emblem Sensor properties for Cisco PIX Event Collector Table 1-1 shows the sensor properties for the syslog sensor.

15 Introducing Symantec Event Collector for Cisco PIX About syslog event forwarding 15 Table 1-1 Syslog sensor properties Sensor properties Protocol Host Names Description Specify UDP or TCP. UDP is the syslog standard protocol and is faster than TCP; however, UDP provides few error recovery services, and there is no guarantee that events are delivered. TCP is slower than UDP, but it guarantees event delivery by establishing a connection. Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons. Port Number Specify the port number to which you have configured Cisco PIX to send syslog messages. The default port number is Time Offset Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer. You can use a time offset value if both the following statements are true: The time zone of the collector computer and the point product are different The timestamps in the point product data are not Coordinated Universal Time (UTC). You do not need to use this property if the collector and the point product computers are in the same time zone. Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00. For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) to Pacific Standard Time. You can specify +3 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) standard to Pacific Standard Time. If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector s log. About syslog event forwarding If you forward events to a standard syslog server, you can use a syslog forwarder on that server rather than change the settings on your security device. A syslog forwarder can receive and forward events to both Information Manager and your existing syslog server.

16 16 Introducing Symantec Event Collector for Cisco PIX About Syslog Director About Syslog Director If you use the collector on the Information Manager appliance, you can set up this collector to use Syslog Director. Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP or TCP ports.) Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector. You can upgrade Syslog Director 4.2 to Syslog Director 4.3 on your Symantec Security Information Manager 4.5 appliance. For a detailed procedure, see the Symantec Event Collectors Integration Guide. Note: In all deployments, you must list the Generic Syslog Collector last, and you must leave its Collector Signature empty. The default Syslog Director settings for this collector are as follows: Collector name Collector signature Default port Cisco(R) PIX(R) Event Collector %PIX, %ASA For detailed procedures on Syslog Director, see the Symantec Event Collectors Integration Guide. Running LiveUpdate for collectors You can run LiveUpdate to receive collector updates such as support for new events and query updates. If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented: Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See To run LiveUpdate for collectors added to the Information Manager 4.5 appliance on page 17. Verify that LiveUpdate ran successfully on Information Manager 4.5. See To verify that LiveUpdate ran successfully on Information Manager 4.5 on page 18.

17 Introducing Symantec Event Collector for Cisco PIX Running LiveUpdate for collectors 17 If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented: Use the Administrator Web page to run LiveUpdate. Use the Administrator Web page to verify that LiveUpdate ran successfully. See To run LiveUpdate from the Administrator Web page on page 17. If you installed the collector on a separate computer, you must complete the following tasks in the order presented: Run LiveUpdate for a collector installed on a separate computer. See To run LiveUpdate for a collector installed on a separate computer on page 18. Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See To verify that LiveUpdate ran successfully for a collector installed on a separate computer on page 19. For information on running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide. To run LiveUpdate from the Administrator Web page 1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials. 2 From the list on the left, click LiveUpdate. 3 In the list of products, to select the items to update, in the corresponding check box, check Update. At the bottom of the page, you can also click Check All. 4 At the bottom of the page, click Update. If LiveUpdate runs successfully, the status column in the Summary page displays Success. 5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File. To run LiveUpdate for collectors added to the Information Manager 4.5 appliance 1 Connect to the Information Manager 4.5 appliance, and log in as root. 2 Navigate to the collectors directory. The default directory is /opt/symantec/sesa/agent/collectors/pix

18 18 Introducing Symantec Event Collector for Cisco PIX Running LiveUpdate for collectors 3 At the command prompt, type the following command: sh./runliveupdate.sh 4 To stop the Symantec Event Agent, type the following command: service sesagentd stop 5 To change the ownership of the updated collector files, type the following command: chown -R sesuser.ses * 6 Navigate to the Symantec Event Agent directory. The default directory is /opt/symantec/sesa/agent/ 7 To restart the Symantec Event Agent, type the following command: service sesagentd start To verify that LiveUpdate ran successfully on Information Manager Connect to the Information Manager 4.5 appliance, and log in as root. 2 Navigate to the collectors subdirectory of the Symantec Event Agent directory. The default directory is as follows: /opt/symantec/sesa/agent/collectors/pix 3 Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added. 4 Navigate to the LiveUpdate directory. The default directory is as follows: /opt/symantec/liveupdate 5 To view the last 100 lines of the liveupdt.log file, type the following command: tail -100 liveupdt.log more The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code ). To run LiveUpdate for a collector installed on a separate computer 1 On the collector computer, navigate to the collector directory as follows:

19 Introducing Symantec Event Collector for Cisco PIX Running LiveUpdate for collectors 19 On Windows, the default directory is as follows: C:\Program Files\Symantec\Event Agent\collectors\pix On UNIX, the default directory is as follows: /opt/symantec/sesa/agent/collectors/pix 2 At a command prompt, do one of following tasks: On Windows, type the following command: runliveupdate.bat On UNIX, as the root user, type the following command: runliveupdate.sh To verify that LiveUpdate ran successfully for a collector installed on a separate computer 1 On the collector computer, navigate to the collector directory as follows: On Windows, the default directory is as follows: C:\Program Files\Symantec\sesa\Event Agent\collectors\pix On UNIX, the default directory is as follows: /opt/symantec/sesa/agent/collectors/pix 2 Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added. 3 Navigate to the LiveUpdate directory as follows: On Windows, the default LiveUpdate directory is as follows: C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate On UNIX, the default LiveUpdate directory is as follows: /opt/symantec/liveupdate 4 To view the liveupdt.log file, do one of the following tasks: On Windows, use a text editor such as Notepad to view the liveupdt.log file. On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command: tail -100 liveupdt.log more The first part of the log is in text format; the second part of the log repeats the information in XML format.

20 20 Introducing Symantec Event Collector for Cisco PIX Running LiveUpdate for collectors If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code ).

21 Chapter 2 Implementation notes This chapter includes the following topics: Product ID for Cisco PIX Event Collector Event example Schema packages Event mapping for Information Manager Product ID for Cisco PIX Event Collector The product ID of the collector is Event example Sep 04 16:21: %PIX : Inbound TCP connection denied from /8181 to /21 flags ACK on interface outside Sep 04 16:21: %PIX : protocol Connection denied by outbound list Moe src /21 dest / 9898dest faddr Sep 04 16:21: %PIX : SMTP replaced : out in data:mail from: root Event structure: Syslog time, followed by proxy machine, followed by vendor code. "from"/"for" is followed by source IP and source port, or by user name. "to" is followed by

22 22 Implementation notes Schema packages Schema packages destination IP and destination port. Additional information is described in the mapping tables. Table 2-1 shows the schema event class packages that are used by the collector. Table 2-1 Information Manager event class symc_fw_conn_stats symc_firewall_network symc_network Schema packages Comment Events that contain information about PIX firewall bytes sent and received are sent as firewall statistics class event. Most of the events belong to firewall class, depending on their type event ID is selected Included as a parent class for previous class, no events from network class are sent Event mapping for Information Manager Table 2-2 shows event mapping. Table 2-2 Information Manager field name Category ID Description Destination Host Name Destination Interface Name Event Date Elapsed Time (seconds) Event Count Event Type ID Event mapping Relationship to the Cisco PIX event Application or Security Description of the event that is captured Destination host name if it exists; otherwise the destination IP address Interface of the destination that is used Date and time of the event Duration of the connection, in seconds REPETITION Event ID that is associated to each event Indicates whether the event is a firewall, VPN, connection statistics, or Base or Configuration event Host MAC MAC address of the client computer, if necessary.

23 Implementation notes Event mapping for Information Manager 23 Table 2-2 Information Manager field name ICMP Code ICMP Type Event mapping (continued) Relationship to the Cisco PIX event Code number that provides more information about the ICMP operation ICMP protocol operation type number Stores the actual ICMP Type number IP Destination Address IP Destination Port IP Source Address IP Source Port Network Protocol Proxy Machine Rule Source Host Name Source Interface Name Target Resource Destination IP address of the event Destination port of the event, if available Source IP address of the event Source port of the event, if available Protocol that is associated with the event PIX information Name of the rule that is associated with the event that is logged, if it exists Source host name if it exists; otherwise, the source IP address Interface of the source that is used The target of the intended event Any URL, user name, or file server s IP address, if available in the event TCP Flags Translated Destination IP Address Translated Destination Port Translated Source IP Address Translated Source Port User Name Standard string abbreviations that indicate the TCP flags that are set in the packet header Translated destination IP address, if it exists Translated destination port, if it exists Translated source IP address, if it exists Translated source port, if it exists User name User name may exist after the key phrase User: or at the end of the event (USER_NAME) Vendor Signature Signature to identify and distinguish various PIX events (%PIX-n-XXX)

24 24 Implementation notes Event mapping for Information Manager

25 Chapter 3 Event filtering and aggregation This chapter includes the following topics: Event filtering and aggregation for Cisco PIX Event Collector Event filtering and aggregation for Cisco PIX Event Collector VPN or firewalls generate many events that may not be required for correlating events. Depending on your environment, these events may be considered excess events. You can filter or aggregate similar events, provided that the role of Symantec Security Information Manager is not the retention of all events. Possible filters and aggregators include the following examples: Connection rejected Connection rejected events indicate that the firewall is operating as it is configured. These events do not ordinarily pose security threats and can be filtered at the collector. This filter removes ICMP traffic that was rejected at the firewall. Filter or aggregator properties are set as follows: Network Protocol ID = Event Type ID = Connection accepted Connection accepted events are generated by legitimate network traffic. You can filter or aggregate these events by IP address. If an individual event from

26 26 Event filtering and aggregation Event filtering and aggregation for Cisco PIX Event Collector an unwanted connection is accepted, and defense-in-depth theories are properly applied, the intrusion detection system identifies and reports the attack. This aggregation consolidates successful ICMP Echo Request connections from a single source. Filter or aggregator properties are set as follows: ICMP Type ID = 8 Event Type ID = IP Source Address as the similar property