System Status Monitoring Guide. McAfee Network Security Platform 6.1


COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
    Audience
    Conventions
    Finding product documentation

Using the Threat Analyzer
    Defining terms
    The life cycle of an alert
    Understanding the alert cache and the database
    Host Intrusion Prevention alerts

Navigating to the Threat Analyzer
    Real-Time Threat Analyzer
    Historical Threat Analyzer
    Selecting time constraints for Historical Threat Analyzer
    Sample drill-down scenario
    Threat Analyzer Home

Alert Aggregation in Network Security Central Manager
    Threat Analyzer of the Central Manager
    Understanding alert aggregation and monitoring in Central Manager
    Navigating to the Threat Analyzer from the Central Manager
    Central Manager Threat Analyzer Home

Viewing Alerts Dashboards
    NSP Health view
    How to customize Dashboards and Monitors
    Monitoring Sensor Performance metrics
    Messages from McAfee
    Status of Activities
    Operational Status Summary
    Sensor Update Summary
    Viewing Operational Status
    Viewing IPS alerts summary
    Time view
    Consolidated View
    View NAC summary
    NTBA
    List of NTBA default monitors
    List of NTBA additional default monitors
    List of NTBA custom monitors
    Alerts and Scans

Viewing Alerts details
    Viewing alert attributes
    Action buttons
    Alerts view: Right-click options
    Sorting alerts by attributes
    Viewing data in the Count view
    Sorting alerts using multiple criteria
    Creating display filters for alerts
    Acknowledging alerts
    Show details of a specific attack
    Viewing the Attack-Type
    Performing a response action
    Viewing a packet log
    Sending a TCP Reset
    Blocking further DoS packets for statistical attacks
    Configuring attack filter association
    Viewing and editing attack responses
    Running a script
    Viewing and saving an Evidence Report
    IPS Quarantine options in Alerts page
    Add hosts for IPS Quarantine from the Alerts page
    Quarantine of hosts from Alert Details
    Manual Quarantine of a Host
    Quarantine options for NTBA policy violation, botnet, and behavioral alerts
    Performing an NSLookup
    Querying host details from the ePO server
    Viewing details of Source and Destination Hosts
    Viewing host details using IP address
    Deleting alerts
    Hiding alerts
    Creating incidents
    Adding alerts to an incident
    Adding occurrences to an incident
    Exporting incidents
    Identifying new attacks in the Threat Analyzer
    Setting preferences for viewing new threats
    Viewing the first seen alerts in the Alerts page
    Assigning a new threats monitor to a new dashboard

Viewing Hosts details
    Viewing host attributes
    Hosts view: right-click options
    NAC options in the Hosts page
    Creating display filters for hosts
    Viewing historical host data using display filter
    IPS Quarantine options from the Hosts page

Using Incident Viewer
    Viewing incidents

Viewing Host Forensics
    Viewing McAfee ePO Information
    Viewing host details using IP address
    Launching McAfee ePO console from the Host Forensics page
    Viewing Latest events from the Host Forensics page
    On-demand Scan of Hosts listed in Alerts in the Threat Analyzer
    Viewing Vulnerability Manager scans
    Vulnerability Manager scan option
    Rescanning the host
    Concurrent scans
    Fault messages for Vulnerability Manager on-demand scan
    Vulnerability Manager scan from Hosts page
    Network scenarios for Vulnerability Manager scan

Setting Preferences
    General Panel
    Enabling IP address name resolution
    Alerts View Panel
    Hosts View Panel
    Watch List
    Historical Constraints

Monitoring Operational Status
    Operational Status Condition Indicator
    Operational Status interface
    Viewing a summary of selected fault messages
    Fault window action buttons
    Viewing the details of a specific fault
    Action buttons
    System fault messages

Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents: About this guide; Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

Administrators: People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at
2 Under Self Service, access the type of information you need:

To access User documentation, do this:
    1 Click Product Documentation.
    2 Select a product, then select a version.
    3 Select a product document.

To access the KnowledgeBase, do this:
    Click Search the KnowledgeBase for answers to your product questions.
    Click Browse the KnowledgeBase for articles listed by product and version.

1 Using the Threat Analyzer

The Threat Analyzer is used for the analysis of the alerts detected by your McAfee Network Security Platform [formerly McAfee IntruShield] Sensors as well as those processed by an integrated Host Intrusion Prevention Server. The Threat Analyzer works in conjunction with the policies applied to your McAfee Network Security Sensor and Host Intrusion Prevention Sensors. For more information on policies, see IPS Configuration Guide.

When a transmission violating your enforced security policies is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this "attack" data to the Manager in the form of an alert. Alert details include transmission data such as source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity. Alerts are backed up to the database and archived in order of occurrence.

Security analysis information can be determined by a signature match, set threshold parameters, and abnormal spiking in traffic levels. All of these measures are enforced through policy configuration and application.

The Threat Analyzer opens in a separate browser window from that of the Manager Home page, providing a concentrated view for alert analysis. When you open the Threat Analyzer, you specify a time frame to retrieve alerts from the database. The Manager retrieves the alerts matching your criteria and displays them in the Threat Analyzer. By examining and acknowledging the alerts, you can use the information your analysis provides to determine your system weaknesses and modify your defenses.

If you make configuration changes while a Threat Analyzer session is open, the changes do not take effect in that session; you will not see them in the Threat Analyzer. The Threat Analyzer must be closed and re-opened to view your changes. Configuration changes can include changing the policy of a VIPS; splitting a port pair into two single ports and applying a separate policy to each port; exporting a User-defined Signature to the Manager's attack database, then applying a policy containing custom attacks to a VIPS; and so forth, as configuration changes that affect policy application are made.

Contents: Defining terms; The life cycle of an alert; Understanding the alert cache and the database; Host Intrusion Prevention alerts

Defining terms

An attack is any violation of your set McAfee Network Security Platform policy parameters. An alert is one or more attack instances.

In many cases, an alert represents a single detected attack. A multi-attack alert is generated when multiple instances of identical attacks (same source IP, destination IP, specific attack name, and VIPS [interface or sub-interface ID where alert was detected]) are detected within a two-minute period (by default); data for all attacks is throttled into one alert instance. However, you can also choose to configure how many of each throttled attacks you want to see in an individual alert (for more information, see Configuring alert suppression with packet log response, Device Configuration Guide).

Each of the two main views of the Threat Analyzer distinguishes between attacks and alerts, thus it is important to note the difference.

See also: Navigating to the Threat Analyzer

The life cycle of an alert

Alerts exist in one of three states: Unacknowledged, Acknowledged, and Marked for deletion.

When an alert is raised, it appears in the Manager in an unacknowledged state. Unacknowledged means that you have not officially recognized its presence by marking it acknowledged. An alert remains in an unacknowledged state until you either acknowledge it or delete it.

Unacknowledged alerts display in the Unacknowledged Alert Summary section of the Home page and in the Real-Time Threat Analyzer. Acknowledging alerts dismisses them from these views. Acknowledged alerts display only in the Historical Threat Analyzer and in reports.

Deleting an alert both acknowledges it and marks it for deletion. The alert is not actually deleted until a scheduled Disk Space Maintenance takes place. At that time, McAfee Network Security Platform deletes those alerts marked for deletion and those alerts meeting the deletion criteria specified in the scheduler (older than 30 days, for example), whether or not they have been manually marked for deletion.

Alerts are backed up to the database and archived in order of occurrence. Deleted alerts are removed from the database.

Understanding the alert cache and the database

The Threat Analyzer facility operates in the following manner: the Manager receives alerts from the Sensors and organizes the alerts by timestamp (the most recent alerts are listed first). All alerts are stored in the database, while a preset number of the most recent alerts are also maintained in a cache, known as the alert cache. The alert cache contains only unacknowledged alerts, and is exclusive to a Real-Time Threat Analyzer query; a Historical Threat Analyzer query only pulls alerts from the database.

Figure: Alert cache and database operation

Lettering in illustration, with description:

(a) All alerts are received by the Manager from the reporting Sensors. The alerts are sent to both the alert cache and the database.
(b) Once the alert cache's buffer begins to overflow, the oldest alerts are dropped from the cache. Since no modifications have been made, the database version is maintained and the cached version is deleted.
(c) A Real-Time View query is started requesting x number of alerts. These alerts are pulled from the alert cache.
(d) If during a Real-Time analysis an alert is acknowledged or deleted, the altered alert file is forwarded to the database and the database version is updated with the recent changes. The interaction between a Real-Time Threat Analyzer and the database is one way; that is, alert record changes can be pushed from the Real-Time Threat Analyzer, but a Real-Time Threat Analyzer does not receive any data from the database.
(e) During a Real-Time analysis, new alerts are received from the alert cache as they are reported, refreshing every 5 seconds. Since the Real-Time Threat Analyzer has a maximum number of alerts that can be viewed at a time, the oldest alerts are dropped to accommodate new alerts. Since no modifications have been made, the database version is maintained and the cached version is deleted.
(f) A Historical query pulls alerts only from the database; there is no interaction between the alert cache and a Historical query. There is no refresh of newer alerts because the Historical Threat Analyzer only requests alerts from a specific time frame. Any alert file alteration (such as acknowledgment, deletion) is simultaneously saved to the database. Thus, the Historical Threat Analyzer can pull and push alert records directly from the database.
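The alert life cycle and the cache/database interaction described above can be traced with a small model. This is an added example, not McAfee code: the class, method and field names are hypothetical, the alerts are constructed, and the cache size and historical cap are shrunk so the overflow and cap behavior are visible.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # yyyy-mm-dd hh:mm:ss, the historical constraint format


@dataclass
class Alert:
    alert_id: int
    time: datetime
    attack: str
    acknowledged: bool = False
    marked_for_deletion: bool = False


class ManagerModel:
    """Toy model of the alert cache and database; every name here is hypothetical."""

    def __init__(self, cache_size, historical_cap=100_000):
        self.cache_size = cache_size          # preset number of cached alerts
        self.historical_cap = historical_cap  # most recent N a historical query returns
        self.database = {}                    # alert_id -> Alert, holds every alert
        self.cache = OrderedDict()            # unacknowledged ids only, oldest first

    def receive(self, alert):
        """An alert from a Sensor goes to both the database and the alert cache."""
        self.database[alert.alert_id] = alert
        self.cache[alert.alert_id] = None     # assumes arrival order == timestamp order
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)    # overflow drops the oldest cached copy only

    def real_time(self, count):
        """Real-Time query: up to `count` alerts, newest first, from the cache only."""
        newest_first = list(reversed(self.cache))
        return [self.database[i] for i in newest_first[:max(count, 0)]]

    def acknowledge(self, alert_id):
        """The change is pushed to the database; the alert leaves the real-time view."""
        self.database[alert_id].acknowledged = True
        self.cache.pop(alert_id, None)

    def delete(self, alert_id):
        """Deleting acknowledges the alert and marks it for deletion; no purge yet."""
        self.acknowledge(alert_id)
        self.database[alert_id].marked_for_deletion = True

    def historical(self, start, end):
        """Historical query: database only, acknowledged or not, newest first, capped.
        Marked-for-deletion alerts are returned until purged (a model assumption)."""
        lo = datetime.strptime(start, TIME_FORMAT)
        hi = datetime.strptime(end, TIME_FORMAT)
        hits = [a for a in self.database.values() if lo <= a.time <= hi]
        hits.sort(key=lambda a: a.time, reverse=True)
        return hits[:self.historical_cap]

    def disk_space_maintenance(self, now, max_age_days=30):
        """Purge alerts marked for deletion and alerts older than the age criterion."""
        cutoff = now - timedelta(days=max_age_days)
        doomed = sorted(a.alert_id for a in self.database.values()
                        if a.marked_for_deletion or a.time < cutoff)
        for alert_id in doomed:
            del self.database[alert_id]
            self.cache.pop(alert_id, None)
        return doomed


def demo():
    """Run the model over constructed alerts and return the ids each view shows."""
    base = datetime(2011, 6, 1, 12, 0, 0)
    mgr = ManagerModel(cache_size=3, historical_cap=4)
    mgr.receive(Alert(1, base - timedelta(days=40), "constructed-attack-old"))
    for n in range(2, 7):
        mgr.receive(Alert(n, base + timedelta(minutes=n), f"constructed-attack-{n}"))

    def ids(alerts):
        return [a.alert_id for a in alerts]

    out = {"real_time_initial": ids(mgr.real_time(10))}  # cache kept only the newest 3
    mgr.acknowledge(5)
    mgr.delete(6)
    out["real_time_after_changes"] = ids(mgr.real_time(10))
    out["historical"] = ids(mgr.historical("2011-06-01 00:00:00", "2011-06-01 23:59:59"))
    out["purged"] = mgr.disk_space_maintenance(now=base + timedelta(days=1))
    out["remaining"] = sorted(mgr.database)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Alerts 2 and 3 fall out of the real-time view through cache overflow alone, yet the historical query still returns alert 3; alert 2 is cut only by the cap of four.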

Host Intrusion Prevention alerts

If integration with Host Intrusion Prevention is enabled, the Host Intrusion Prevention alerts start to appear as soon as you start the Host Intrusion Prevention server on the ePO console. All Host Intrusion Prevention alert data is parsed and formatted by the Manager to resemble the Network Security Platform alert style.

Note the following:

Alerts sent by Host Intrusion Prevention are maintained by the Host Intrusion Prevention server.
All Host Intrusion Prevention alerts are categorized as Exploit alerts.
You cannot initiate responses to Host Intrusion Prevention alerts. Any responses must be sent via the Host Intrusion Prevention console.
If a Host Intrusion Prevention alert is in Mark as Read state before it is sent through Integrator, the alert appears as Acknowledged to the Manager. Thus, any Mark as Read alerts can only be seen using a Historical Threat Analyzer query.

For more information, see Integrating Host Intrusion Prevention for alert management.
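The multi-attack alert throttling described under Defining terms earlier in this chapter explains why attack counts and alert counts differ in the Threat Analyzer views. The sketch below is an added example, not Sensor code: the function and field names are hypothetical, the attack instances are constructed, and it assumes the two-minute period is measured from the first attack folded into an alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

THROTTLE_WINDOW = timedelta(minutes=2)  # default period stated in the guide


@dataclass
class ThrottledAlert:
    key: tuple            # (source IP, destination IP, attack name, VIPS)
    first_seen: datetime
    last_seen: datetime
    attack_count: int = 1


def throttle(attacks, window=THROTTLE_WINDOW):
    """Fold identical attack instances into alerts.

    `attacks` is an iterable of (time, src_ip, dst_ip, attack_name, vips) tuples
    in any order. Instances are identical when all four key fields match.
    Assumption: the window starts at the first instance of the open alert.
    """
    open_alerts = {}   # key -> alert currently absorbing instances for that key
    alerts = []        # every alert raised, in order of first occurrence
    for time, src, dst, name, vips in sorted(attacks):
        key = (src, dst, name, vips)
        current = open_alerts.get(key)
        if current is not None and time - current.first_seen < window:
            current.attack_count += 1
            current.last_seen = time
        else:
            current = ThrottledAlert(key, time, time)
            open_alerts[key] = current
            alerts.append(current)
    return alerts


def summarize(alerts):
    """Return (number of alerts, number of attack instances they represent)."""
    return len(alerts), sum(a.attack_count for a in alerts)


# Constructed sample: documentation-range addresses, made-up attack name and VIPS ids.
T0 = datetime(2011, 6, 1, 9, 0, 0)
SAMPLE_ATTACKS = [
    (T0,                          "192.0.2.10", "198.51.100.5", "Constructed-Scan", "1A"),
    (T0 + timedelta(seconds=30),  "192.0.2.10", "198.51.100.5", "Constructed-Scan", "1A"),
    (T0 + timedelta(seconds=40),  "192.0.2.10", "198.51.100.5", "Constructed-Scan", "2B"),
    (T0 + timedelta(seconds=50),  "192.0.2.11", "198.51.100.5", "Constructed-Scan", "1A"),
    (T0 + timedelta(seconds=90),  "192.0.2.10", "198.51.100.5", "Constructed-Scan", "1A"),
    (T0 + timedelta(seconds=150), "192.0.2.10", "198.51.100.5", "Constructed-Scan", "1A"),
]

if __name__ == "__main__":
    for alert in throttle(SAMPLE_ATTACKS):
        print(alert.key, alert.first_seen.time(), alert.attack_count)
    print("alerts, attacks:", summarize(throttle(SAMPLE_ATTACKS)))
```

The same source hitting the same destination through a different VIPS, or a different source entirely, raises its own alert, and the instance at 150 seconds opens a second alert for the original key because the first window has closed.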

2 Navigating to the Threat Analyzer

You can view the overall summary of alerts in the Home page - Unacknowledged Alert Summary section. This view displays all of the unacknowledged alerts in the logged-in domain. Within the Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are organized by system impact severity level: High, Medium, Low, and Informational. (For more information on how McAfee Network Security Platform calculates severity level, see IPS Configuration Guide.)

Item: Description
1: Unacknowledged alerts by severity
2: Current "monitored domain"
3: Click to open Real-time Threat Analyzer
4: Click to open Historical Threat Analyzer

To view further details on alerts, select Real-time Threats or Historical Threats from the Manager Home page. The Threat Analyzer Home page opens displaying the Dashboards by default.

The Threat Analyzer takes a few seconds to load. You can open multiple Threat Analyzer windows at a single time. You can also open both Real-Time Threat Analyzer and Historical Threat Analyzer at the same time from the same client.

The number of alerts the Threat Analyzer can display has a direct correlation to your system's memory. Since you can access the Manager from the localhost or a remote connection, this depends on the machine used for Manager login. The memory overhead for alerts, including the code base and Java virtual machine, is approximately 1 KB per alert when there are at least 10,000 alerts in the Threat Analyzer (more KBs when there are fewer alerts). McAfee recommends 1 GB of RAM in your system, which enables you to handle up to 1,000,000 total alerts. If your available memory does not meet minimum requirements or is not properly set, you could experience memory problems.

See also: Defining terms

Contents: Real-Time Threat Analyzer; Historical Threat Analyzer

Real-Time Threat Analyzer

The Real-Time Threat Analyzer sets the attack filter to display information retrieved from the alert cache for a specified number of unacknowledged alerts. Once opened, the Real-Time Threat Analyzer refreshes frequently to display the alerts that are being detected by your Sensors, thus you can view the alerts as they happen in real time.

Historical Threat Analyzer

The Historical Threat Analyzer sets the filter to retrieve information for both acknowledged and unacknowledged alerts archived in the database during a specified time. The Historical Threat Analyzer does not refresh with new alerts, thus you can focus on analyzing all alerts within the time frame you requested.

Selecting time constraints for Historical Threat Analyzer

When you click Historical Threat Analyzer from the Network Security Platform Security Manager Home page, the Historical Constraints page is displayed.

Task
1 Select the Start Time and End Time for viewing alerts historical data from the database.
2 (Optional) Click More Constraints to select filtering parameters for your historical query.

The parameters available for filtering your historical alerts data query are as follows:

Start Time: date and time to start range. Format is yyyy-mm-dd hh:mm:ss.
End Time: date and time to stop range. Format is yyyy-mm-dd hh:mm:ss.
Additional Constraints: this feature enables filtering of Historical alerts only. When this dialog is opened, one or more of the following parameters can be queried to narrow your Historical Threat Analyzer analysis:
    IP Address Type: IPv4 or IPv6
    Source IP
    Source Port
    Destination IP
    Destination Port
    Attack
    Sensor
    Application Protocol

3 Click OK when finished.

For historical queries, the maximum number of alerts that can be viewed from the database for the search is limited. Thus, if there are 130,000 alerts within your selected Start and End times, you will only see the most recent 100,000 alerts in that time period.

Sample drill-down scenario

This example focuses on analyzing attacks originating from a specific source IP address. For this scenario, the source IP is , and a Historical search is selected to find all of the attacks from this source in the last 2 months. To find information specific to this source IP address, do the following:

Task
1 Open the Historical Threat Analyzer. The End Time lists the current system time. Configure the Start Time to two months prior to today, thus change the month field (yyyy-mm-dd), and click OK.
2 Select Drilldown from the Threat Analyzer detail view, then select Source IP as the category.
3 Find in the Source IP column of the Count View table.
4 Once found, select (left-click) the row for , then right-click for further drill-down options.
5 Select Drilldown, then select Attack to view the attacks from

Repeat Step 4 and Step 5 to continue to drill down to view Severity, Destination IP address, and other drill-down categories to focus your forensic analysis for this source IP address.

Threat Analyzer Home

The Threat Analyzer Home page is the central interface of the Threat Analyzer and displays the Dashboards page showing the NSP Health tab by default. The Dashboards page is logically divided into 2 sections: the top menu bar and the lower display area.

Item: Description
1: Menu Bar area
2: Display area

Menu Bar Area: The menu bar of the Threat Analyzer Home page presents you with the following navigation options:

Dashboards: links to the Threat Analyzer NSP Health view page. The Dashboards page provides two default dashboards, namely NSP Health and IPS.
Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for the selected time span in order of occurrence.
Hosts: links to the Hosts page. You can view the list of NAC hosts as well as IPS hosts.
Incident Viewer: links to the Incident Viewer page. You can create user-generated incidents to track alerts by parameters.
Host Forensics: links to the Host Forensics page. You can view the ePO and Vulnerability Manager scan information.
Preferences: links to the Preferences page. Enables you to personally set various options related to Threat Analyzer functionality and presentation.

Display Area: The display area of the Dashboards view page presents the following data for the NSP Health and IPS default dashboards:

NSP Health: Sensor TCP/UDP Flow Utilization, Sensor Throughput Utilization, Messages from McAfee, Status of Activities, Operational Status Summary, Sensor Update Summary.
IPS: Attack Severity Summary, Attack Result Summary, RFSB Attack Summary, IPS Quarantine Summary, Attacks Over Time (All Alerts, Attacks, Result Status, Source IP, Destination IP).
NAC: System Health Summary, McAfee NAC Client Summary, User Type Summary, System State Summary.
NTBA: Ten default NTBA monitors. For more information, see NTBA Monitoring Guide.

Custom dashboards can be created using Options on the top right corner of the Dashboards page.

See also: How to customize Dashboards and Monitors


3 Alert Aggregation in Network Security Central Manager

McAfee Network Security Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all Managers configuration. Threat analysis tasks are performed at the Manager level and aggregated at the Network Security Central Manager (Central Manager). Local Managers attached to the Central Manager push new alerts and modifications into the Central Manager. These alerts are aggregated in the Central Manager Threat Analyzer. Alerts from the Managers managed by the Central Manager can be monitored and managed from the Central Manager. The Real-Time Threat Analyzer of the Central Manager consolidates alerts from the local Managers and displays them for monitoring purposes.

Contents: Threat Analyzer of the Central Manager; Understanding alert aggregation and monitoring in Central Manager; Navigating to the Threat Analyzer from the Central Manager; Central Manager Threat Analyzer Home

Threat Analyzer of the Central Manager

The Threat Analyzer in the Central Manager aggregates alert information from the Managers attached to the Central Manager. The Threat Analyzer is used for analysis of alerts detected by your McAfee Network Security Sensors integrated and configured through the Managers attached to the Central Manager. The Threat Analyzer works in conjunction with the policies applied to your McAfee Network Security Sensor and Host Intrusion Prevention Sensors. For more information on policies, see IPS Configuration Guide.

When a transmission violating your enforced security policies is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this "attack" data to the Manager in the form of an alert. Alert details include transmission data such as source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity. Alerts are backed up to the database and archived in order of occurrence. Alerts generated in the Sensors are aggregated and displayed in the Threat Analyzer of the Central Manager.

Security analysis information can be determined by a signature match, set threshold parameters, and abnormal spiking in traffic levels. All of these measures are enforced through policy configuration and application.

The Threat Analyzer opens in a separate browser window from that of the Central Manager Home page, providing a concentrated view for alert analysis. The Threat Analyzer of the Central Manager aggregates alerts in real time. By examining and acknowledging the alerts, you can use the information your analysis provides to determine your system weaknesses and modify your defenses.

If you make configuration changes while a Threat Analyzer session is open, the changes do not take effect in that session; you will not see them in the Threat Analyzer. The Threat Analyzer must be closed and re-opened to view your changes. Configuration changes can include changing the policy of a VIPS; splitting a port-pair into two single ports and applying a separate policy to each port; exporting custom attacks to the Manager's attack database, then applying a policy containing the custom attacks to a VIPS; and so forth, as configuration changes that affect policy application are made.

Understanding alert aggregation and monitoring in Central Manager

Alert monitoring in the Central Manager extends the model of alert monitoring in the local Manager. Local Managers managed by the Central Manager push alerts to the Central Manager. The alerts from the local Managers are aggregated in the Central Manager Threat Analyzer.

Any changes triggered by a Threat Analyzer that is connected to a local Manager are placed in the notification cache in the local Manager. These notifications are sent to the Central Manager too. Once the Central Manager receives these notifications, it queues them in its notification cache.

The letters below correspond to the lettering in the illustration.

1 The key components of live alerts received from Sensors are extracted and cached in the alert cache.
2 The Threat Analyzer connects to the Manager for retrieving live alerts. In the local Manager, a secured communication is established between the local Manager and the Threat Analyzer.
3 Each local Manager pushes new alerts and modifications into the Central Manager.
4 The Threat Analyzer of the Central Manager connects to the Central Manager for retrieving live alerts.

Navigating to the Threat Analyzer from the Central Manager

You can view the overall summary of alerts in the McAfee Network Security Central Manager Home page - Unacknowledged Alert Summary section. This view displays all of the unacknowledged alerts in the logged-in domain. Within the Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are organized by system impact severity level: High, Medium, Low, and Informational. (For more information on how McAfee Network Security Platform calculates severity level, see IPS Configuration Guide.)

Item: Description
1: Unacknowledged alerts by severity
2: Click to open Real-Time Threat Analyzer

To view further details on alerts, you can access the Real-time Threat Analyzer from the Central Manager Home page. To start an analysis of generated alerts, do the following:

1 Select the Real-time Threats option from the Central Manager Home page.
2 The Central Manager Threat Analyzer Home page opens displaying the Dashboards view by default.

The Threat Analyzer takes a few seconds to load. You can open multiple Threat Analyzer windows at a single time.

The number of alerts the Threat Analyzer can display has a direct correlation to your system's memory. Since you can access the Central Manager from the local host or a remote connection, this depends on the machine used for the Central Manager logon. The memory overhead for alerts, including the code base and Java virtual machine, is approximately 1 KB per alert when there are at least 10,000 alerts in the Threat Analyzer (more KBs when there are fewer alerts). McAfee recommends 1 GB of RAM in your system, which enables you to handle up to 1,000,000 total alerts. If your available memory does not meet minimum requirements or is not properly set, you could experience memory problems.

Central Manager Threat Analyzer Home

The Central Manager Threat Analyzer Home page is the central interface of the Threat Analyzer and displays the Dashboards page by default. The Threat Analyzer pages are logically divided into 2 sections: the top menu bar and the lower display area.

Item: Description
1: Menu Bar area
2: Display area

Menu Bar Area: The menu bar of the Threat Analyzer Home page presents you with the following navigation options:

Dashboards: links to the Threat Analyzer Dashboards view page. The Dashboards page provides one default dashboard, namely IPS.
Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for the selected time span in order of occurrence.
Preferences: links to the Preferences page. Enables you to personally set various options related to Threat Analyzer functionality and presentation.

Display Area: The display area of the Dashboards view page presents the following data for the IPS default dashboard.

IPS: Attack Severity Summary, Attack Result Summary, RFB Attack Summary, IPS Quarantine Summary, Attacks Over Time (All Alerts, Attacks, Result Status, Source IP, Destination IP).
NTBA: Administer the Network Threat Behavior Analyzer environment.

Custom dashboards can be created using Options on the top right corner of the Dashboards page.

Using the Central Manager Threat Analyzer is similar to using the Manager Threat Analyzer. Specific differences between Central Manager Threat Analyzer and Manager Threat Analyzer are indicated where relevant in Using the Threat Analyzer.

4 Viewing Alerts Dashboards

The Dashboards page provides the following sections:

NSP Health: a dashboard to display the operation status of the Sensor. Clicking on the chart enables you to view the faults received on each Sensor.
IPS: the default dashboard displayed in the Dashboards page to view a summary of IPS alerts. Clicking on the chart on the IPS tab automatically takes you to the Alerts page to view further details.
NAC: a new dashboard to display NAC alerts summary. As in the IPS tab, clicking on the chart takes you to the Hosts page. For more information, see NAC Configuration Guide.
NTBA: offers the full range of Network Threat Behavior Analysis (NTBA) functionality. For more information, see NTBA Monitoring Guide.

In the Central Manager Threat Analyzer, the Dashboards page provides a single dashboard, namely IPS.

Contents
NSP Health view
Viewing IPS alerts summary
View NAC summary
NTBA

NSP Health view

The Alerts Dashboards - NSP Health tab enables you to view/perform the following:

Monitoring Sensor TCP/UDP flow utilization: Sensor TCP/UDP flow utilization status for all the devices configured in the Manager.
Monitoring Sensor throughput utilization: Sensor throughput utilization status for all the devices configured in the Manager.
Viewing Messages from McAfee: displays the latest updates, the current version of signature set applied to your Sensor.
Status of Activities: displays the status of all the Sensors configured in the Manager.

Operational Status Summary: displays the operational status from the Manager Home page. This Operational Status view cannot be operated in the same manner as the Operational Status available from the Manager Home page; that is, faults are not selectable. This view is available for quick-glance usage so that you do not have to leave the Threat Analyzer to get an update on possible system faults.
Sensor Update Summary: displays the current versions of the Sensor software and signature set of the logged-in domain. The Update Now button updates the Sensor configuration.

To view the NSP Health settings Dashboards in the Threat Analyzer, do the following:

Task
1 Click Real-time Threats from the Manager Home page.
2 Select the NSP Health tab.

How to customize Dashboards and Monitors

The Threat Analyzer allows you to add your own dashboard(s) using Options on the top right corner of the Dashboards page. You can then add monitor(s) to your dashboard(s). A monitor is a customized page to view alerts and threats. You can either use the default monitors or create your own.

When you add a dashboard, it is initially made up of a single window where you can assign a monitor. Once you assign or create the first monitor, you can right-click on the name display area of the monitor (that you have just added) to split the window vertically or horizontally. In the split window, you can add another monitor to further build the dashboard of your choice. You can resize each monitor window using the drag and drop method. Note that inside the monitors, you can switch between viewing the alerts data in bar chart or pie chart format by clicking the small icon on the monitor's name display area.

You can create as many dashboards as you need. If the number of dashboards increases, the Threat Analyzer automatically provides scroll bars for ease of use.
You can perform the following actions using dashboards:

Create customized dashboards and name/rename them accordingly.
Create/edit/delete multiple dashboards.
Switch between two dashboard pages in a default dashboard using toggle.

Move to the next and back page of multiple dashboards using the scroll bar.
Move custom dashboards using the Move left/Move right buttons.

See also
Threat Analyzer Home

Creating a Dashboard

To create a dashboard:

Task
1 Open the Real-time Threat Analyzer from the Manager Home page. The Dashboards page opens.
2 Click Options > Dashboard > New.
3 Enter a name for the dashboard and click OK.

No blank spaces or special characters are allowed in the Dashboard Name.

Creating a Monitor

To create a new monitor:

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click Options > Monitor > New. Alternatively, you can create a monitor while assigning a monitor to a dashboard. See Assigning a New Custom Monitor.
3 The New Monitor dialog appears.
4 Type a name for the monitor in Monitor name.
5 Select Alerts, Hosts, Sensor Performance, or NTBA to be displayed as Data Source.

6 Click OK. The Display Filter window is displayed.

7 Define the fields and assign a value for the parameters and click Next. The fields are listed in the Filter Criteria. To select a field to be defined, click the right arrow button displayed next to the field. To remove a field, click the left arrow button displayed near the selected field.
8 Use the Add and Remove buttons to include or remove fields as desired. You can use the Up and Down buttons to arrange the order of the fields in Show These Fields in This Order. Click Previous if you want to move to the previous page.
9 Click Finish.

Only a super user or an administrator can create monitors.

Tasks
Editing a Monitor
Deleting a Monitor

Editing a Monitor

Task
1 Click Options > Monitor.
2 Click Edit.
3 Select the created monitor from the Custom Monitor list and click Edit.
4 Define the fields desired and click Next.
5 Use the Add and Remove buttons to include fields as desired. You can use the Up and Down buttons to specify the order.
6 Click Finish.

Deleting a Monitor

Task
1 Click Options > Monitor.
2 Click Delete.
3 Select the created monitor from the list and click Delete.

Only user-created monitors can be edited or deleted.

Viewing Default General Monitors

The existing monitors available under Type - NSP Health are:

Messages from McAfee: Enables you to view any product or security-related messages from McAfee. The messages can be related to operating system patches, signature set release, Manager software update, and so on.
Operational Status Summary: Enables you to view the Operational Status summary.
Sensor Update Summary: Enables you to update Sensor configurations and download SSL keys.
Status of Activities: Displays the status of currently In-Progress activities on your system that Network Security Platform identifies as long running processes.

To assign an existing NSP Health type monitor to a dashboard:

Task
1 Click Options > Dashboard > New to open the Create New Dashboard dialog.
2 Enter a name for the new dashboard in the Dashboard Dialog.
3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.
5 Under Category, select Default Monitors.
6 Under Type, select General.
7 Under Monitor, select a default monitor, and click OK.

Viewing Default IPS Monitors

The existing monitors available under Type - IPS are:

Attack Result: depicts alerts ratio based on estimated result of detected attacks; whether the attack was Successful, Unknown, Failed, Blocked, or the alert was raised for suspicious, but not necessarily malicious, traffic.
Attack Severity: depicts alerts ratio based on severity level - High, Medium, Low, Informational.
Attacks Overtime: depicts the number of overtime attacks.
IPS Quarantine: depicts the number of hosts that are quarantined, and the number of hosts that are not quarantined by Network Security Platform.
New Threats: depicts the number of new threats.
Non-RFSB Attack: depicts the number of attacks that were not recommended for blocking (RFSB).
RFSB Attack: depicts the number of attacks recommended for blocking (RFSB).

To assign an existing IPS monitor to a dashboard:

Task
1 Click Options > Dashboard > New to open the Create New Dashboard dialog.
2 Enter a name for the new dashboard in the Dashboard Dialog.
3 Click Assign Monitor to view the Assign Monitor Dialog.
4 Select Assign an existing Monitor.
5 In Category, select Default Monitors.
6 In Type, select IPS.
7 In Monitor, select a default monitor, and click OK.

See also
Attack result status

View Default NAC Monitors

The existing monitors available under Type - NAC are:

McAfee NAC client: represents the quantity of hosts that were detected as VPN employees, guest users, and Local employees.
System health: a bar chart representing the quantity of hosts with six different System Health Levels.

System State: represents the quantity of hosts currently in any of the following states: Identity Required via Guest Portal IPS Quarantined Determining IBAC Policy Health Level Required via Guest Client Admitted Bad System Health
User type: represents the quantity of hosts that were detected as VPN employees, guest users, and Local employees.

To assign an existing NAC monitor to a dashboard:

Task
1 Click Options > Dashboard > New to open the Create New Dashboard dialog.
2 Enter a name for the new dashboard in the Dashboard Dialog.
3 Click Assign Monitor to view the Assign Monitor Dialog.
4 Select Assign an existing Monitor.

Figure 4-1 Assigning an Existing Default Monitor - NAC

5 Under Category, select Default Monitors.
6 Under Type, select NAC.
7 Under Monitor, select a default monitor, and click OK.

Viewing Default NTBA Monitors

The NTBA tab in the Dashboards page of the Threat Analyzer displays the following default monitors.

Table 4-1
Monitor Name Throughput Enterprise Traffic (Bytes) Drill-Down Monitors Not Applicable Host Threat Factor Host Information Service Traffic Summary Host Profile Application Traffic Summary DoS Profile Active Services Host Interaction Monitor Active Applications Layer7 Activity Active Ports Host Traffic NSLookup Information Monitor Traffic Volume (Bytes) - Top Source Hosts Bandwidth Utilization (%) - Interfaces Top Files Top URLs Application Traffic (Bytes) Protocol Distribution (Bytes) Hosts - New (Last 1 day ) Host Information Layer7 Activity Host Profile Host Interaction Monitor DoS Profile NSLookup Information Monitor Interface Traffic - Throughput (bps) Interface Traffic - Show All Interface Traffic - Packet Rate (pps) Top Bandwidth Consumers Bandwidth Utilization (%) Service Traffic Summary Show File Activity Show URL Activity Application Profile Not Applicable Host Information Active Applications Layer7 Activity Active Ports Active Services NSLookup Information Monitor Traffic Volume (Bytes) - Zones Zone Traffic Zone Files Zone Services Traffic Zone URLs Top Bandwidth Consumers Zone DoS Profile

The following additional default monitors and custom monitors can be assigned to new dashboards.

Additional Default Monitors

Table 4-2
Monitor Name Applications - Active (Last 1 hour) Services Traffic (Bytes) Applications - New (Last 1 day) Hosts - Active (Last 1 hour) Services - Active (Last 1 hour ) Services - New (Last 1 day) Top External Hosts by Reputation Top URLs by Category Top URLs by Reputation

Custom Monitors

Table 4-3
NTBA Appliance Type Throughput Enterprise Traffic (Bytes) Application Traffic (Bytes) Services Traffic (Bytes) Bandwidth Utilization (%) - Interfaces Traffic Volume (Bytes) - Zones Services - New (Last 1 day) Services Traffic (Bytes) Top External Hosts by Reputation Top URLs by Category Top URLs by Reputation Host Threat Factor Hosts Active (Last 1 hour) Traffic Volume (bytes) - Top Source Hosts Applications Active (Last 1 hour) Applications - New (Last 1 day) Services - Active (Last 1 hour) Hosts New (Last 1 day) Top URLs Top Files Protocol Distribution (Bytes) Zone Type Zone Traffic Summary Zone Service Traffic (Bytes) Zone Files Zone URLs Top Zone Conversations

Alerts and Scans

Start Vulnerability Scan, McAfee ePO Scan, Show All Alerts, Show IPS Alerts, and Show NTBA Alerts options are available in the right-click options of various monitors as follows:

Start Vulnerability Scan and McAfee ePO Scan options are available in the right-click menu of the Traffic Volume (Bytes) - Top Source Hosts, Host Threat Factor, and Hosts - New (Last 1 day) monitors if McAfee Vulnerability Manager and McAfee ePolicy Orchestrator are integrated with and enabled in McAfee Network Security Manager. Scan information on vulnerability and McAfee ePO scans is displayed in the Host Forensics page of the Threat Analyzer.
Show IPS Alerts and Show All Alerts options are available in the right-click menu of the Host Threat Factor monitor, and redirect the user to the Alerts page, where information on the selected Host is displayed in a new tab.
Show NTBA Alerts option is available in the Host Threat Factor and Traffic Volume (Bytes) - Zones monitors.

For more information on NTBA monitors, see NTBA Monitoring Guide.

Viewing Default Sensor Performance Monitors

Sensor performance statistics can be viewed in the Threat Analyzer by creating a new dashboard and by choosing monitors that display different types of Sensor statistics. The monitors available for Sensor performance statistics are:

Statistics - Flow: Statistical view of the TCP and UDP flow data processed by a device. Checking your flow rates can help you determine if your device is processing traffic normally, while also providing you with a view of statistics such as the maximum number of flows supported as well as the number of active TCP and UDP flows.
Statistics - IP Spoofing: Statistics on the number of IP spoofing attacks detected by Network Security Platform. Statistics are displayed per direction.
Statistics - Malware: Statistics of the malware detected for a given device.
Statistics - Port Packet Drop: Packet drop rate on a port.
Statistics - Rate Limiting: Rate limiting statistics provide the estimated number of packets dropped/bytes dropped by the device. You can view rate limiting statistics for each device (per port), listed in the resource tree of Manager.
Statistics - Rx/TX: Statistics of the total number of packets received (Rx) and transmitted (Tx) for a given device.
Statistics - Sensor Packet Drop: Packet drop rate on a device. The statistics are displayed on a per device basis. The statistics include the count of packets dropped by the device due to set rate limiting on the device and sanity check failures.

Follow this procedure to view Sensor performance statistics (this example demonstrates steps for creating Flow Statistics):

Task
1 Click Options > Dashboard > New to open the Create New Dashboard dialog.
2 Enter a name for the new dashboard in the Dashboard Dialog.
3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.
5 Under Category, select Default Monitors.
6 Under Type, select Sensor Performance.

7 Under Monitor, select Statistics - Flows, and click OK.
8 Select the device for which you wish to view flow statistics and click Refresh to view the flow statistics for the selected device.
9 Follow a similar procedure and select other Monitors for Sensor Performance to view the relevant Sensor Statistics.

Monitoring Sensor Performance metrics

Core Sensor performance metrics can be monitored using the Threat Analyzer. The core metrics are CPU Utilization, Sensor TCP/UDP Flow Utilization, and Sensor Throughput Utilization. Monitoring of core metrics is possible only if Performance Monitoring is enabled under the Device List node or the Device_Name node from the Manager Configure pages.

See also
Monitoring Sensor TCP/UDP flow utilization
Monitoring Sensor throughput utilization
Monitoring Sensor CPU utilization

Monitoring Sensor TCP/UDP flow utilization

Follow this procedure to view the consolidated Sensor TCP/UDP flow utilization status for all the devices configured in the McAfee.

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.

3 The Sensor TCP/UDP flow utilization pie chart displays the consolidated TCP/UDP flow utilization status for all the devices configured in the Manager. The pie chart portions are color coded for "High", "Medium", "Low", "Metric Disabled", and "Disconnected" categories. Click on a colored portion of the pie chart to display a list of devices and their utilization percentages relating to that portion.
4 Select the device for which you wish to view information in a time chart and click Chart to create time charts for the selected device.

5 If you wish to view real time data, click Real-Time Threats to start the real time polling of Sensor TCP/UDP flow utilization.
6 Click Yes to view the chart based on real time polling.

Normal interval for utilization charts is one minute. When the real-time mode is chosen, data is polled and plotted every 10 seconds. Real time polling is done for a block of 10 minutes. User intervention is required to re-run real-time polling if needed after this block of time. This acts as a check for utilizing bandwidth in a deliberate manner.

See also
Monitoring Sensor Performance metrics

Monitoring Sensor throughput utilization

Follow this procedure to view the consolidated Sensor throughput utilization status for all the devices configured in the Manager.

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.
3 The Sensor throughput Utilization pie chart displays the consolidated Sensor throughput utilization status for all the devices configured in the Manager. The pie chart portions are color coded for High, Medium, Low, Metric Disabled and Disconnected categories. Click on a colored portion of the pie chart to display a list of devices and their utilization percentages relating to that portion.

4 Select the device for which you wish to view information in a time chart and click Chart to create time charts for the selected device.
5 If you wish to view real time data, click Real-Time Threats to start the real time polling of Sensor throughput utilization.
6 Click Yes to view the chart based on real time polling.

Normal interval for utilization charts is one minute. When the real-time mode is chosen, data is polled and plotted every 10 seconds. Real time polling is done for a block of 10 minutes. User intervention is required to re-run real-time polling after this block of time. This acts as a check for utilizing bandwidth in a deliberate manner.

See also
Monitoring Sensor Performance metrics

Monitoring Port throughput utilization

Follow this procedure to view the port throughput threshold status for all the devices configured in the Manager.

Task
1 Open the Real-time Threat Analyzer from the Manager Home page. The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.
2 Click Options > Dashboard > New.
3 Enter a name for the new dashboard in the Dashboard Dialog.
4 Click Assign Monitor to view the Assign Monitor Dialog.
5 Under Category, select Default Monitors.
6 Under Type, select Sensor Performance.
7 Under Monitor, select Utilization - Port Throughput, and click OK.

8 Select the ports for which you want to view throughput utilization from the Available device Ports list in the left pane of the Port Throughput Utilization dialog and click Add to move them to the Selected device Ports pane on the right.

9 Click Finish to view the Port Throughput utilization time chart.

10 If you wish to view real time data, click Real-Time Threats to start the real time polling of Port throughput utilization.
11 Click Yes to view the chart based on real time polling.

Normal interval for utilization charts is one minute. When the real-time mode is chosen, data is polled and plotted every 10 seconds. Real time polling is done for a block of 10 minutes. User intervention is required to re-run real-time polling if need be after this block of time. This acts as a check for utilizing bandwidth in a deliberate manner.

Monitoring Sensor CPU utilization

Follow this procedure to view the consolidated CPU utilization status for all the Sensors configured in the Manager.

Task
1 Open the Real-time Threat Analyzer from the Manager Home page. The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.

2 Click Options > Dashboard > New.
3 Enter a name for the new dashboard in the Dashboard Dialog.
4 Click Assign Monitor to view the Assign Monitor Dialog.
5 Under Category, select Default Monitors.
6 Under Type, select Sensor Performance.
7 Under Monitor, select Utilization - Sensor CPU, and click OK.

8 Select the device for which you want to view Sensor CPU utilization from the Available Sensors list in the left pane of the Sensor CPU Utilization dialog and click Add to move them to the Selected Sensors pane on the right.

9 Click Finish to view the Sensor CPU Utilization time chart.

10 If you wish to view real time data, click Real-Time Threats to start the real time polling of CPU utilization.
11 Click Yes to view the chart based on real time polling.

Normal interval for utilization charts is one minute. When the real-time mode is chosen, data is polled and plotted every 10 seconds. Real time polling is done for a block of 10 minutes. User intervention is required to re-run real-time polling if need be after this block of time. This acts as a check for utilizing bandwidth in a deliberate manner.

See also
Monitoring Sensor Performance metrics

Messages from McAfee

The Messages from McAfee feature enables you to view any product or security-related messages from McAfee. The messages can be related to operating system patches, signature set release, Manager software update, and so on. The Manager checks McAfee's Update Server for such messages every 15 minutes and displays messages that are relevant to the version of Manager and signature set that you are using.

This feature ensures that all relevant messages from the McAfee Network Security Platform [formerly McAfee IntruShield] support team reach you on time. Since the new messages are displayed on the General tab, the chances of you missing out on any message are remote.

Status of Activities

The Status of Activities section of the NSP Health tab displays the status of currently In-Progress activities on your system that Network Security Platform identifies as long running processes. When a long running process is taking place on your Manager, the status is displayed as "In progress".

Operational Status Summary

You can view the Operational Status summary from the NSP Health tab. This Operational Status view cannot be operated in the same manner as the Operational Status available from the Manager Home page: faults are not selectable. This view is available for quick glance usage so that you do not have to leave the Threat Analyzer to get an update on possible system faults.

Sensor Update Summary

The Update Summary (Sensor Update Summary) section enables you to update Sensor configurations and download SSL keys. Click Update Now to view the Update Sensor Configuration page.

Sensor Name: the Sensor name.
Last Update: the last time the Sensor configuration was updated.
Update Require (Reason): the reason a Sensor configuration update is required.
Update: select to specify the Sensor configuration should be updated.
SSL Key Update: select to specify whether the SSL Key should be updated.
Update: click to update the Sensor configuration.

Viewing Operational Status

You can view the Operational Status summary from the Dashboards view, NSP Health tab. This Operational Status view cannot be operated in the same manner as the Operational Status available from the Manager Home page: faults are not selectable. This view is available for quick glance usage so that you do not have to leave the Threat Analyzer to get an update on possible system faults.

Operational Status displays the status of the Sensor and.

Sensor Throughput Utilization: displays the status of all the Sensors configured in the Manager.
Messages from D: displays the latest updates, the current version of signature set applied to your Sensor.
Status of Activities: displays the CPU utilization.
Operational Status Summary: displays the operational status from the Manager Home page.
Sensor Update Summary: displays the current versions of the Sensor software and signature set of the logged-in domain. The Update Now button updates the Sensor configuration.

Viewing IPS alerts summary

When you open the Real-time Threat Analyzer and click on the IPS tab, the IPS summary view is displayed. At the top of the IPS tab, the following types of Summary views are available in a pie chart format:

Attack Result Summary: depicts alerts ratio based on estimated result of detected attacks; whether the attack was Successful, Unknown, Failed, Blocked, or the alert was raised for suspicious, but not necessarily malicious, traffic.
Attack Severity Summary: depicts alerts ratio based on severity level - High, Medium, Low, Informational.
Attacks Overtime:
IPS Quarantine Summary: depicts the number of hosts that are quarantined, and the number of hosts that are not quarantined by Network Security Platform.
New Threats:
Non-RFSB Attack Summary:
RFSB Attack Summary: depicts the number of attacks recommended for blocking (RFSB).

When you click on a sector of the pie chart, you are redirected to the Alerts or Hosts page to display details. For example, in the Attack Severity Summary view, if you double-click on the High severity sector of the pie chart, the Alerts page is displayed with a new view created for you, which is sorted on severity of alerts. In the case of the IPS Quarantine Summary view, a double-click action redirects you to the Hosts page.

The IPS tab also provides the following views:

1 Time view: the number of attacks in intervals of time.
2 Consolidated view: attacks split into multiple panes (categories).

Table 4-4
Item  Description
1     Time View
2     Alerts consolidated View

The Summary view of the Central Manager displays only the IPS tab.

See also
Attack result status
Time view

Time view

This window displays a bar graph with the number of attacks that have been detected in the specified time frame. Each bar contains information related to the number of attacks and a time frame in which the attacks were detected.

To view the information for a bar, do the following:

Task
1 Click the center of a bar. The selected bar shades. You can only select/view one bar at a time.
2 View the displayed information:
Configured Time Span: In Historical Threat Analyzer, the configured time span consists of the Start and End times you entered. In Real-time Threat Analyzer, this space reads "Attacks over last 2 hours."
Time When Attacks Occurred: time span when attacks in the selected bar were detected.
Number of Attacks During Span: the number of attacks in the selected bar.

Item  Description
1     Selected bar

See also
Viewing IPS alerts summary

Consolidated View

The Alerts consolidated view displays alerts split into five panes (categories) for statistical review. Note that the Time view pane also becomes part of the Consolidated view. Each pane is a bar graph, and each bar represents several alerts grouped by a specific parameter. An alert may appear in a bar in more than one pane if that alert has met the statistical parameters of multiple categories. You can select a bar in more than one pane, but you cannot select more than one bar in a single pane. The categories are described as follows:

All Alerts: lists alerts by
Severity: lists alerts by severity level: High, Medium, Low, or Informational.
Zoom: lists alerts by time level: Minute, 5 Minute, 10 Minute, 20 Minute, 30 Minute, Hour, Day, Week, Month, Quarter, Year
Attack: lists the top 5 most common attacks.
Result Status: lists alert count by estimated result of detected attacks. Refer to Alert Result Status.
Source IP: lists the 5 most common source IP addresses by number of triggered alerts.
Destination IP: lists the 5 most-targeted destination IP addresses by number of triggered alerts.

Item  Description
1     Selected Bar
2     Name
3     Occurrences

Left-click and right-click view options

To view information for a specific bar within a bar chart:

Task
1 Click the center of a bar. The selected bar shades.
2 View the displayed information.

3 Left-click on a bar in any of the panes to display the alert name and number of alerts. Changing the Severity level refreshes the bar graph to show the alerts for the chosen level.
4 Use Zoom In and Zoom Out to refresh the bar graph according to the time level chosen.
5 Right-click on a bar graph to enable detailed forensic analysis of alerts. Note the following options:
Detail View: redirects you to the Alerts page. Displays all details for alerts within the selected bar.
Drilldown: Sorting alerts by categories: multiple category-specific views for sorting and analyzing the alerts in an alert group.
Acknowledge: acknowledges all alerts in a bar. If working in a Real-Time Threat Analyzer, acknowledged alerts are removed from the current view, and can only be seen using a Historical Threat Analyzer.
Delete: deletes all alerts in a selected bar. If working in a Real-Time Threat Analyzer, deleted alerts are removed from the current view, and can only be seen using a Historical Threat Analyzer. Alerts marked for deletion are no longer available for viewing once disk space maintenance for alerts has occurred. For more information on disk space maintenance, see Managing your database's disk space, Manager Server Configuration Guide.

Tasks
Acknowledge

See also
Alerts view: Right-click options

Acknowledge

You can acknowledge all of the alerts in the Alerts consolidated view by right-clicking a bar and selecting Acknowledge. Acknowledging an alert means you recognize the alert has occurred and are familiar with the alert's information; thus, you want to archive the alert for later referral. Acknowledgement removes the alert from the statistical values presented in the Network Attack Status field, and the alert is only retrieved from the database for subsequent Historical searches. Real-Time Threat Analyzer alert queries only retrieve unacknowledged alerts.
If you acknowledge an alert, you can unacknowledge this alert in a Historical Threat Analyzer. However, once an alert has been acknowledged, it is dropped from the Real-Time Threat Analyzer cache, and can only be seen in a Historical Threat Analyzer. 56 McAfee Network Security Platform 6.1 System Status Monitoring Guide

Task
1 Right-click a bar in any Alerts consolidated view pane.
2 Select Acknowledge to acknowledge all of the alerts in your selected bar.

Attack result status

The Alert Result Status display, located in the Consolidated View as well as by drill-down action, is a determination of the result of detected attacks. Result determination is based on the parameters of the current applied policy. For example, if you are protecting the DMZ in Tap mode with the DMZ policy and an attack is detected that matches the policy parameters, the attack will (typically) be successful in impacting the target system. Similarly, if an attack targets a Windows operating system vulnerability, but you have enforced the UNIX Server policy for your UNIX environment, the attack will fail.

For alert result status, both the Consolidated View and the drilldown Count View display the five result categories along with the matching number of alerts per category. In the Consolidated View, the Alert Result Status displays the count for all alerts within your present Threat Analyzer session. For a drilldown, the resulting table displays alert count per result category for the alerts in a selected bar, rather than all alerts.

The Alert Result Status categories for alerted attacks are as follows:

Successful: the attack was either successful or possibly successful. To easily find out if high-severity attacks have been successful, create a drill down alert result status for High Severity > Inbound > Successful. Keep this window open to know immediately when there is an attack that requires your immediate attention.
Unknown: the result of the attack is not known. This is most likely due to a generic policy, such as the Default or All-Inclusive policy, where the policy rules are not environment specific. For example, this may be the result if an attack occurs against an irrelevant node.
Failed: the attack had no impact.
Suspicious: the alert was raised for suspicious, but not necessarily malicious, traffic. This result is common for Reconnaissance attacks due to the nature of port scanning and host sweeping.
Blocked: attacks blocked by a "Drop packets" Sensor response.

Blocking Activated: applies to DoS traffic and indicates that the Sensor has identified traffic that is suspicious in nature and that is exceeding its learned threshold or is not recognized based on its profile. The Sensor has started blocking unknown traffic, while attempting (on a packet-by-packet basis) to block only DoS traffic from a trusted source. The Sensor attempts to allow legitimate traffic to flow from the trusted source. Because of the nature of DoS attacks, one cannot be certain that 100% of bad traffic was blocked, nor that 100% of 'good' traffic was permitted. For a more in-depth description of McAfee Network Security Platform's DoS handling, see Special Topics Guide Denial-of-Service.

See also
Viewing IPS alerts summary on page 51
Viewing Default IPS Monitors on page 31
Acknowledging alerts on page 78
Sorting alerts by attributes on page 74
Viewing Alerts details on page 4

View NAC summary

In the Real-time Threat Analyzer, you can view the summary of NAC settings from the Dashboards page.

Task
1 Open the Real-time Threat Analyzer from McAfee Network Security Platform Home page.
2 Select the NAC tab.

Figure 4-2 NAC tab in the Threat Analyzer Dashboards page

In the page displayed, the following NAC-related summaries can be viewed:

McAfee Network Access Control McAfee NAC Client Summary: represents the quantity of hosts that were detected as VPN employees, guest users, and Local employees.
System Health Summary: bar chart representing the quantity of hosts with six different System Health Levels.
System State Summary: represents the quantity of hosts currently in any of the following states:
  Identity Required via Guest Portal
  Health Level Required via Guest Client
  Determining IBAC Policy
  Bad System Health
  Admitted
  NAZ Assigned by Admin
  IPS Quarantined
User Type Summary: represents the quantity of hosts that were detected as VPN employees, guest users, and Local employees.

When the user double-clicks a graph, the user can drill down to the respective page (either to Alerts or Hosts).

NTBA

McAfee's Network Threat Behavior Analysis Appliance (NTBA Appliance) is a network device that is managed through. The NTBA Appliance offers the full range of network threat behavior analysis functionality. The NTBA Appliance collects flow information from NetFlow-enabled devices, like routers, and analyzes it for malicious behavior.

The benefit of NTBA to IPS administrators is the additional visibility and insight it provides. Examples of this include numerous network usage and network security monitors, such as Active Applications and Top Files transferred, as well as explicit alerting when suspicious traffic or shifts in traffic patterns are detected.

The network-wide data generated by the NTBA Appliance can be monitored through the Threat Analyzer. The NTBA dashboard in the Threat Analyzer displays 10 default monitors.

To view the NTBA Appliance default monitors in the Threat Analyzer:

Task
1 Click the Real-time Threats option from the Manager home page. The Threat Analyzer home page opens displaying the Dashboards - NSP Health view by default. The Dashboards page also includes the IPS, NAC and NTBA tabs.
2 Click the NTBA tab. The default NTBA dashboard is displayed.

For more information, see NTBA Monitoring Guide.

List of NTBA default monitors

Ten monitors are displayed in the default NTBA dashboard. Some of the default monitors have drill-down options in the right-click menu. You can view related information in drill-down monitors.

Table 4-5 NTBA default and drill-down monitors
Monitor name: Drill-down monitors
1 Throughput Enterprise Traffic (Bytes): None
2 Host Threat Factor: Host Information, Service Traffic Summary, Host Profile, DoS Profile, Host Interaction, Layer7 Activity, Host Traffic, Application Traffic Summary, Active Services, Active Applications, Active Ports, NSLookup Information
3 Traffic Volume (Bytes) - Top Source Hosts: Host Information, Layer7 Activity, Host Profile, DoS Profile, Host Interactions, NSLookup Information
4 Bandwidth Utilization (%) - Interface: Interface Traffic - Throughput (bps), Interface Traffic - Show All, Interface Traffic - Packet Rate (pps), Bandwidth Utilization (%), Top Bandwidth Consumers, Service Traffic Summary
5 Top Files: Show File Activity
6 Top URLs: Show URL Activity
7 Application Traffic (Bytes): Application Profile
8 Protocols Distribution (Bytes): None

Table 4-5 NTBA default and drill-down monitors (continued)
Monitor name: Drill-down monitors
9 Hosts - New (Last 1 day): Host Information, Active Applications, Layer7 Activity, Active Services, Active Ports, NSLookup Information
10 Traffic volume (Bytes) - Zones: Zone Traffic, Zone Files, Zone Services Traffic, Top Bandwidth Consumers, Zone URLs, Zone DoS Profile

Figure 4-3 Accessing right-click monitors - an example

List of NTBA additional default monitors

NTBA additional default monitors provide an enterprise-wide view of various components of network traffic. You can create new dashboards and assign additional monitors to suit your monitoring requirements.

Table 4-6 NTBA additional default monitors
Monitor name: Drill-down monitors
1 Applications - Active (Last 1 hour): None
2 Applications - New (Last 1 day): Application Profile
3 Hosts - Active (Last 1 hour): None
4 Services - Active (Last 1 hour): None
5 Services - New (Last 1 day): None
6 Services Traffic (Bytes): None
7 Top External Hosts by Reputation: None
8 Top URLs by Category: Show URLs
9 Top URLs by Reputation: None

List of NTBA custom monitors

The NTBA custom monitors display NTBA Appliance or zone specific information in new dashboards. All the NTBA default and additional default monitors can be assigned to new dashboards as NTBA Appliance specific custom monitors. In addition, you can also create zone specific custom monitors and assign them to new dashboards. Each custom monitor has parameters that are customizable.

Table 4-7 Custom monitors - NTBA Appliance-specific
Monitor: Parameters
1 Hosts - Threat Factor: Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
2 Top External Hosts By Reputation: Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
3 Protocol Distribution (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
4 Top URLS By Reputation: Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
5 Applications Traffic (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
6 Top Files: Top N, Customize (Start Time, End Time)
7 Top URLs By Category: Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
8 Traffic Volume (Bytes) - Zones: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
9 Traffic Volume (Bytes) - Top Source Hosts: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
10 Services - New (Last 1 day): Top N
11 Applications - Active (Last 1 hour): Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
12 Applications - New (Last 1 day): Top N
13 Bandwidth Utilization (%) - Interfaces: Top N
14 Hosts - Active (Last 1 hour): Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
15 Hosts - New (Last 1 day): Top N
16 Services - Active (Last 1 hour): Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
17 Services Traffic (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
18 Throughput Enterprise Traffic (Bytes): Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
19 Top URLS: Top N, Customize (Start Time, End Time)

Table 4-8 Custom monitors - zone specific
Monitor: Parameters
1 Top Zone Conversations: Direction (Bi-directional, Inbound, Outbound), Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]
2 Zone DoS Profile: Direction (Inbound, Outbound), Measure Name (tcp_syn_fin_pkt, udp_pkt, non-tcp_udp_icmp_pkt, tcp_rst_pkt, icmp_echo_or_reply_pkt, icmp_pkt)
3 Zone Files: Top N, Customize (Start Time, End Time)
4 Zone Services Traffic (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]

Table 4-8 Custom monitors - zone specific (continued)
Monitor: Parameters
5 Zone Traffic Summary: Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time)
6 Zone URLS: Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)]

Alerts and Scans

The NTBA Appliance detects threats, and displays alerts in the Alerts page of the Threat Analyzer. For Hosts that need to be investigated for their security status, McAfee ePO and Vulnerability scan options are available. Alerts and scan options are available in relevant monitors as follows:

The Alerts option is provided in the right-click menu of the Host Threat Factor monitor and the Traffic Volume - Zones monitor. The Host Threat Factor monitor's right-click option enables viewing of All Alerts, IPS Alerts, and NTBA Alerts through the Alerts page. The right-click menu of the Traffic Volume - Zones monitor enables viewing of NTBA Alerts.
Host scan options are available in the right-click menu for the Traffic Volume - Top Source Hosts, Host Threat Factor, and Hosts - New (Last 1 day) monitors. A selected Host can be scanned using McAfee ePO Scan and Vulnerability Scan.

McAfee ePO and Vulnerability Scan options are available when McAfee Vulnerability Manager and McAfee ePolicy Orchestrator are integrated with, and enabled in the.


Viewing Alerts details

The Alerts page lists attacks on a real time basis in the Real-time Threat Analyzer and for the selected time span in the Historical Threat Analyzer in order of occurrence, with the most recent listed first. Attack details are presented using multiple columns, known as attributes. The attributes represent packet fields such as source and destination IP, as well as Sensor analysis fields such as attack severity and type. You can right-click and select Show Details to view further details for an attack.

The All Alerts view displays all attacks present in the current query view (in real time in the Real-time Threat Analyzer or for a selected time span in the Historical Threat Analyzer). When the Group By option is selected, the display shows the Alert and Attack counts and other parameters for the chosen group attribute. The Alert count displays the number of times each attack has been reported within the parameters.

For example, in the figure below, for the present query there are two reported alerts (Alert Count = 2) and two reported attacks (Attack Count = 2) for the "ARP: ARP Spoofing Detected" attack. Thus, the "ARP: ARP Spoofing Detected" attack was detected and reported exactly twice during the queried period. Also in the figure, notice the Alert Count and Attack Count for the "Samba Trans2Open Buffer Overflow" attack: 74 alerts have been generated for this attack; however, there were 2133 attack instances. One or more attack instances were suppressed according to the configuration set. For more information, see Configuring alert suppression with packet log response, Device Configuration Guide.

The All Alerts view also displays pertinent information for each attack, including severity, benign trigger probability, and so forth.

See also
Sorting alerts by attributes on page 74
Attack result status on page 57

Contents
Viewing alert attributes
Action buttons
Alerts view: Right-click options
Sorting alerts by attributes
Viewing data in the Count view
Sorting alerts using multiple criteria
Creating display filters for alerts
Acknowledging alerts
Show details of a specific attack
Performing a response action
Configuring attack filter association
Viewing and editing attack responses
Running a script
Viewing and saving an Evidence Report
IPS Quarantine options in Alerts page
Quarantine options for NTBA policy violation, botnet, and behavioral alerts
Performing an NSLookup
Querying host details from the ePO server
Deleting alerts
Hiding alerts
Creating incidents
Identifying new attacks in the Threat Analyzer

Viewing alert attributes

You can view the following attributes for an alert using the Alerts page. Use the scroll bar to see all attributes for your alerts.

Acknowledged: for Historical only, indicates state of recognition. If the box is unchecked, you have not yet manually acknowledged this alert. If the box is checked, you have examined the alert and Acknowledged it. See Acknowledging alerts. All unacknowledged alerts are counted in the Manager Home page. Acknowledged alerts can only be viewed in Historical queries.
Deleted: for Historical only, indicates if the attack has been selected for deletion during the current analysis session.
Destination OS: operating system on the target machine where the attack was destined.
Time: time when the attack occurred. Attacks are listed from most (top of the list) to least (bottom) recent.
Severity: system impact severity posed by the attack: H[igh], M[edium], L[ow], or I[nformational].
Source IP: IP address where the attack originated.
Source Port: port on the source machine where the attack originated.
Destination IP: IP address the attack was targeting.
Destination Port: port on the target machine where the attack was destined.
Attack: specific name of the attack that triggered the alert.
Source OS: operating system on the source machine where the attack originated.
Domain: admin domain in which the attack was detected.
Sensor Name ID: (name) of the Sensor from where the alert was generated.

If you have created a failover pair while maintaining an open Threat Analyzer window, the Threat Analyzer continues to report alerts from both the Primary and Secondary Sensors, respectively. This may cause confusion in the event that both Sensors detect identical alerts. (In true failover pair operation, if both Sensors detect the same alert, the Primary Sensor reports the alert.) Proper alert reporting by the failover pair will not be reflected until the Threat Analyzer is restarted. The same is true in reverse if a failover pair is deleted. You must restart the Threat Analyzer to view alerts separately from each Sensor.

Interface: Sensor interface where the attack was detected.
Type: the type of attack. The choices are:
  Exploit: an attack matching a known exploit attack signature. Host Intrusion Prevention alerts are categorized as Exploit alerts.
  Host Sweep: a reconnaissance attack attempting to see which IP addresses have live systems attached to them.
  Port Scan: a reconnaissance attack attempting to see what services a particular system is offering.
  Simple Threshold: denial of service attack against your set DoS threshold limits.
  Statistical: denial of service attack against your set DoS learning mode parameters.
Application Protocol: application protocol discovered in attack data.

Result: alert result status categories for alerted attacks.
Attack Count: number of times a particular attack was detected for a single alert instance.
Direction: direction (inbound or outbound) of traffic where the attack was detected.
Category: general attack type.
Sub-category: within attack type, the specific classification (for example, virus, Trojan Horse).
Detection Mechanism: method used to detect the attack. Each method relates to a specific attack Category. All methods are defined below, including attack category relative to each mechanism:
  Signature: a well-known string was matched in the attack data (Exploit or Policy Violation)
  Threshold: attack breached a pre-set threshold value (Reconnaissance or DoS Threshold Mode)
  Multi-flow correlation: Sensor correlated data from all of its interfaces and determined a port scan or host sweep occurred (Reconnaissance)
  Protocol anomaly: protocol data in the attack deviated from the protocol's specification (Policy Violation)
  Statistical anomaly: significant change detected in packet rate for a particular traffic measure (DoS Learning Mode)
  Application anomaly: this type of attack is caused when a larger number of bytes comes from an HTTP browser than are actually going to it (Buffer Overflow)
  Multi method correlation: multiple detection methods are used to correlate the attacking traffic in order to identify different phases of the attack behaviors. Examples of such correlation are attack signature, McAfee Network Security Platform shellcode detection, and statistical correlation.
  Flow correlation: Sensor correlates the bi-directional traffic of each session in order to increase the accuracy of the attack detection as well as the impact of the attack.
  Multi Sensor correlation: (Manager) correlates the attack detection information from multiple intrusion detection systems (Sensors) in order to identify different phases of the attack behaviors.
  Protocol discovery: Sensor determines protocol anomaly on well-known ports, such as P2P software running on a well-known port.
Vulnerability Relevance: when an alert is generated for a specific attack in the Manager, the CVE ID for this attack is compared with the vulnerability report data imported into the Manager database. If a matching CVE ID / Bug Track ID is found, then those alerts are marked as Relevant.
VLAN ID: ID used for configuring VLANs on switches.
UUID: alert ID of an alert.
Policy Name: policy applied to the attack.
McAfee NAC Info: if you have configured Network Security Platform-McAfee Network Access Control (McAfee NAC) integration in such a way that the details of an attack were forwarded to the McAfee NAC server, then the McAfee NAC server indicates to McAfee Network Security Sensor (Sensor) whether the source host is a managed or unmanaged system. This column displays this information in addition to the quarantine and remediation status of the host. The following are the notations used in this column:
  U: Indicates that the attacking host is unmanaged. That is, the source host does not have an active ePO agent.
  M: Indicates that the attacking host is managed. That is, the source host has an active ePO agent.

  Q: Indicates that the attacking host is quarantined by the Sensor.
  R: Indicates that the attacking host is remedied by the Sensor.
  ?: Indicates that the attack details were forwarded to McAfee NAC server but the Sensor did not quarantine or remedy the attacking host.
  -: Indicates that the attack details were not forwarded to McAfee NAC server.
Source User: user logged on in the source machine where the attack originated.
Destination User: user logged on in the target machine where the attack was destined.
Manager: the name of the Manager of the source machine.
URL: displays the target URL of the HTTP alert.

See also
Alerts View Panel on page 152
Deleting alerts on page 108
Viewing data in the Count view on page 75

Action buttons

The following action buttons are available on the Alerts view page:

Search Alert: You can search for alerts from the Threat Analyzer both in Manager and Central Manager. In Manager, select the Sensor from the Sensor drop down list and type in the Alert ID to view details about the alert in question. In Central Manager, select the Manager and the Sensor from the respective drop down lists, type the Alert ID to view the details about the alert in question.
Save as CSV: save the selected view (any selected Threat Analyzer table or graph) as a CSV file. A comma separated values (CSV) file is a file format used as a portable representation of a database. You can save this CSV file to your client system. You can view this file with Excel by using the Import/Chart feature to display the CSV file as a graph.
Save as PDF: save the selected view (any selected table or graph) as a PDF file. You can save this PDF file to your client system, then view the saved file with Adobe Acrobat. For example, you are working in a Real-Time Threat Analyzer and you want to save the Attack Details View table to view alert details.
Save View: Customize and save views for future reference.
Saved Views: lists previously saved views. You can open, rename or delete the saved views.

Alerts view: Right-click options

You can right-click in the All Alerts view to perform various actions on the alerts received.

Table 5-1
Item  Description
1  Attributes
2  Scroll to view more attributes

Right-click an alert instance row to do one of the following:

Table 5-2
Right-click option: Description
Acknowledge: acknowledges a selected alert.
Show Details: opens an alert-specific view.
Assign Attack Filter: associate attack filters for the following: Admin Domain, Sensor, Interface / SubInterface.
Edit Attack Settings: view or edit the attack response at either: Current Policy Settings, Default Attack Settings.
Run a Script: pass the Threat Analyzer parameters and run a third-party script.
Related: opens view with all attacks within the present query that exactly match the attack name, source IP, destination IP, and interface where detected.
Evidence Report: opens a complete, easy-to-read view of all of the details (vertically) for a selected alert row.

Table 5-2 (continued)
Right-click option: Description
Add to IPS Quarantine: add the host from which the alert originated into the quarantine zone for: 15 Minutes, 30 Minutes, 45 Minutes, 1 Hour, Until Explicitly Released. For more information on Quarantine options, see Using IPS Quarantine.
NSLookup: resolves the hostname of a source or destination IP.
Start Vulnerability Scan: starts the Vulnerability Manager scanning.
  Source IP: queries the Source IP for vulnerability attacks.
  Destination IP: queries the Destination IP for vulnerability attacks.
McAfee ePolicy Orchestrator (McAfee ePO) Host Information: query the ePO database for the details of the host or destination host.
NTBA: allows drill down for the following monitors related to Network Threat Behavior Analysis (NTBA):
  Host Information: displays Host name, Host IP, Zone, VLAN and Last Seen (Time/Date) for the selected host.
  Host Profile: displays the following information for the selected host: Host IP address/name, whether the host is internal, Is Active, Zone (name), VLAN, OS Type, Bytes Received, Bytes Sent, Total Bytes, Threat Factor and the Last Updated (Date/Time).
  Layer7 Activity: displays Layer 7 information like Destination IP, Destination Zone, Name, Count, Activity and Last Accessed information for the selected host.
  Touched Hosts: displays a graphical view of the selected host with arrows indicating the hosts with whom the selected host is communicating. The thickness of the arrow indicates the number of connections.
  For more information, see NTBA Monitoring Guide.

Table 5-2 (continued)
Right-click option: Description
TrustedSource Information: query McAfee's for the details of the source or destination host based on IP address.
  Source IP: query TrustedSource using the IP of the attack source.
  Destination IP: query TrustedSource using the IP of the attack destination.
  Note the following regarding TrustedSource:
    You can only query on IPv4 addresses.
    The results of a query on the TrustedSource web site are for the last 30 days from the time of your query and not from the time of the alert.
    You do not need a TrustedSource account to query but the Manager client must be connected to the Internet.
    Verifying the host name returned by NSLookup and TrustedSource queries may confirm that TrustedSource is displaying the details of the host for which you queried.
    The reputation value of private IP addresses returns as Neutral.
Vulnerability Manager: options to request an on-demand Vulnerability Manager scan of the host, by specifying the Source or Destination IP address.
Acknowledge All: acknowledges all of the alerts in the view.
Delete All: deletes all alerts in the current view.
Delete: deletes a selected alert.
Show only: shows only alerts based on column attributes for a selected alert.
Hide: hides the alerts based on column attributes for a selected alert.
Create New Incident: creates a new incident for a selected alert.
Add to incident: enables addition of a single alert to a user-generated incident.

Historical Threat Analyzer

The following options are available only in the Historical Threat Analyzer right-click menu:

Unacknowledge: unacknowledges an alert that has been previously acknowledged. An acknowledged alert that has been unacknowledged will not appear in a Real-Time query.
Undelete: for a deleted attack (selected during current query with both Acknowledge and Deleted fields checked), the Deleted field is unchecked if Undelete is selected.

Historical Threat Analyzer is applicable to the Manager Threat Analyzer alone.

Central Manager Threat Analyzer

You can right-click in the Central Manager Threat Analyzer and perform all the actions that can be performed using the right-click menu options in the local Manager except those relating to Add to IPS Quarantine, McAfee ePolicy Orchestrator (McAfee ePO) Host Information, Create New Incident and Add to incident.

See also
Left-click and right-click view options on page 55
Viewing details of Source and Destination Hosts on page 100
Creating incidents on page 109

Sorting alerts by attributes

The Drilldown or Group By option offers several categorical views for all or selected alerts. Each drilldown lists the category name along with the number of times alerts occurred for an element in that category. Category elements are not listed in any particular order. Drilldown and Group By options are identical in the local Manager Threat Analyzer and Central Manager Threat Analyzer.

You can perform a drilldown as follows:

Select a bar in any Summary view consolidated pane: View all alerts in the selected bar by a specific Drilldown category. Since each bar represents several alerts, these alerts can be separated into multiple categories for analysis.
Group By option from Threat Analyzer Alerts view enables you to categorize all of the alerts in your present query by a single category.

Item  Description
1  Drilldown category
2  Drilldown element

To sort alerts for further analysis, do the following:

Task
1 Do one of the following:
  Select Group By from the Threat Analyzer Alerts page.
  Right-click a bar in the Summary page, consolidated view pane and select Drilldown.
  Right-click the white space to the right side of the bars in the Severity pane and select Drilldown.
2 Select a category based on which you wish to view alerts:

Table 5-3
Group By option: Description
Admin Domain: by admin domain where alerts were captured.
App Protocol: by the application protocol of the detected attack.
Attack Name: by attack name.
Category: general attack type.

Table 5-3 (continued)
Group By option: Description
Dest IP: by destination (target) IP addresses.
Dest OS: by operating system on the target machine where attack was destined.
Dest Port: by port on the target machine where attack was destined.
Dest User: by user logged on in the target machine where attack was destined.
Detection Mechanism: method used to detect attack. Each method relates to a specific attack category. All methods are defined below, including attack category relative to each mechanism.
Device Type: The type of Sensor device. For example: IPS Sensor.
Direction: transmission destination in regards to internal network (inbound or outbound).
Interface: by interface.
Manager Name: The name of the Manager of the source machine.
Policy Name: by policy name.
Relevance: indicates if the host is vulnerable to this particular attack.
Result: by estimated result of detected attacks.
Sensor: by the Sensors where alerts were captured.
Severity: by severity.
Src IP: by source IP addresses.
Src OS: by operating system on the source machine where attack originated.
Src Port: by port on source machine where attack originated.
Src User: user logged on in the source machine where attack originated.
Sub-category: within attack type, the specific classification (for example, virus, Trojan Horse). For more information, see Impact subcategories.
Type: by attack type.
Zone: The zone to which the host has been assigned.

The views created are displayed as 'Unsaved Views'. Once created, you can name and save these views by clicking Save.

See also
Attack result status on page 57
Viewing Alerts details on page 4

Viewing data in the Count view

Alerts can be grouped by:
Admin Domain
Severity
App Protocol
Src IP
Attack Name
Src OS
Category
Src Port
Dest IP
Src User

76 5 Viewing Alerts details Sorting alerts using multiple criteria Dest OS Sub-Category Dest Port Type Dest User Interface Detection Mechanism Policy Name. Direction Manager Name Relevance Zone Result Device Type Sensor Each Group By (sorting) process opens a window in Count view. For all groupings, the Count view page displays three columns: Drilldown-category Alerts Count Attack Count When alerts are grouped by Interface or Attack Name, the following additional columns are displayed: Interface: Sensor (details) Attack Name: Severity, H(High), L(Low), I(Informational), Benign Trigger, Probability, Application Protocol, Category, Sub-Category, and Detection Mechanism. You can drill down further within the Count View. Right-click a table row and select Drilldown and a category to further refine your analysis of alerts. See also Viewing alert attributes on page 67 Sorting alerts using multiple criteria From the Threat Analyzer page, you can perform a single sort or sequentially sort on as many categories as you like. To do a single sort, click the category header on which you want to sort and the Threat Analyzer toggles the column in ascending or descending order. To multi-sort, hold down the Ctrl with each successive click for the category header on which you want to sort. Threat Analyzer toggles in the order in which you select. For example, if you select Attack as your first item and hold down the Ctrl key when pressing Direction and Source IP, respectively, Threat Analyzer sorts in the following order: Priority 1 Attack Column Header 2 Direction 3 Source IP The sort is arranged in order first by type or name of Attack followed by Direction and Source IP. 76 McAfee Network Security Platform 6.1 System Status Monitoring Guide

To sort the alerts, do the following:

Task
1. Open the Real-time Threat Analyzer from the Manager Home page.
2. Click Alerts.
3. Click the column header of the first category on which you want to sort.
4. Hold down the Ctrl key and click the next category.
5. Repeat Step 3 to select all categories on which information needs to be sorted.

Creating display filters for alerts

In addition to the Group By option, you can search for alerts based on one or more attributes through the use of Display Filters. When you opt to create a display filter, the Threat Analyzer lets you specify your own criteria for filtering the alerts with the help of a wizard. The filter can be saved, and is displayed as a tab in the Alerts page. You can close display filters anytime using the right-click option.

To set display filters:

Task
1. Click Alerts from the menu bar.
2. Select Display Filter > New.
3. Enter a name for the filter.
4. Define the filter properties and enter a value for the parameters.
5. Click Save and Apply to save the filter name. Click Apply once to save the filter name temporarily. Closing the Display Filter / Threat Analyzer will delete the filter name. In both cases, a new dashboard opens containing alerts that match the applied display filter.

You can Edit or Delete the display filters anytime using the Display Filter list.

Acknowledging alerts

When you have examined an alert and have determined a course of action, acknowledging the alert is the next step. The Acknowledge field provides a simple visual checklist to help you differentiate between the alerts you have examined and those you have yet to review. When you acknowledge an alert, the alert is removed from the statistical values of the "Unacknowledged Alert Summary" field, and the alert is only retrieved from the database for subsequent Historical Threat Analyzer searches and IDS Reports.

For example, if you are analyzing alerts using the Real-Time Threat Analyzer, you may want to acknowledge all of the medium severity alerts at once by selecting M[edium] in the Severity pane of the Consolidated View and selecting Acknowledge. After a few minutes, you close the Real-Time Threat Analyzer and open a Historical Threat Analyzer session to view all alerts (both unacknowledged and acknowledged) during a specific time period. Since the information does not refresh, you can take your time and go through the alerts to determine a course of action to harden your network security parameters.

Alerts remain in the unacknowledged state until manual acknowledgement.

To acknowledge an alert, do the following:

Task
1. Right-click the attack instance row.
2. Click Acknowledge to acknowledge the selected alert, or click Acknowledge All to acknowledge all of the alerts in your present search.
3. (Historical Threat Analyzer only) Check the Attack Details window to verify alert acknowledgement: an acknowledged alert has a check mark in the Ack column next to the acknowledged alert instance.

See also: Attack result status

Show details of a specific attack

You can view the details of a specific attack for a clearer picture of the key information related to the attack. The information can then be used to augment your policy settings and/or to initiate a response action, such as a TCP Reset or Host quarantine rule.

Host Intrusion Prevention alerts are formatted the same way as McAfee Network Security Platform alerts.

To view the details of a specific attack, do the following:

Task
1. Click Alerts from the menu bar.
2. Right-click an attack instance row.
3. Click Show Details.

The fields are the same as those in the Alerts View. The exceptions are:

- Attack Description: Click to open the verbose attack description.
- Edit Attack Settings: Edit the attack details at Current Policy level and Default Attack Settings.
- Save as Evidence Report
- Enabling Blocking: Block attack packets at Current Policy level and Default Attack Settings.
- Show Packet Log: View packet logs for a specific attack.
- Advanced Configuration: Enable Quarantine and TCP Reset response settings.

See also: Viewing the Attack-Type

Viewing the Attack-Type

All alerts have a tab that relates to the attack type. For an Exploit attack, the region is named Exploit; for a port scan attack, the region is named Port Scan; and so forth. Each attack type has unique fields, but all (except Statistical) include Source and Target IP of the attack.

- Exploit alerts
  - Single instance exploit
  - Throttled instance
  - Host Intrusion Prevention alert detail
- Host Sweep alerts
- Port Scan alerts
- Simple Threshold alerts
- Statistical alerts

See also: Show details of a specific attack

Exploit alerts

There are three types of Exploit alerts: single instance; multiple instances, also known as a throttled exploit; and Host Intrusion Prevention alerts.

Single instance exploit

A single unique exploit was detected by a well-known string match.

- Exploit ID: the ID of the signature that matched information in the attack packet. An exploit attack may have several signatures that can be used to detect an attack. If the ID is 1, this means the first signature listed for the exploit detected the attack.
- Name: the name of the signature that matched information in the attack packet. This name corresponds to the Exploit ID.
- Network Protocol: the transport protocol used for the transmission.
- Application Protocol: the application protocol in the attack transmission.
- Source IP: port on source machine where attack originated.
- Source Port: destination IP address
- Destination IP: destination IP address
- Destination Port: port on target machine where attack was destined.
- Benign Trigger Probability: probability that the alert was raised falsely.

Single instance tabs

- Configured Response: displays the response actions configured for an attack. By default, the only pre-configured response is packet logging for TCP and UDP attacks. A green check mark denotes a configured response, while a red "X" denotes that no automated response has been configured. For more information on setting automatic responses, see Customizing responses for an exploit attack.
- Signature Description: displays the triggering mechanism. If triggered by a signature match, the signature is displayed. If triggered by protocol field checking, the message reads, "This was triggered based on the protocol anomaly checks only."
- URL: captures and displays the target URL of the HTTP alert. The URL is displayed only for alerts of those attacks targeting the Server. The following are the instances where the URL may not get captured and displayed:
  - URL is not enabled
  - Client-targeted HTTP attacks
  - Non-HTTP attacks
  - No packet log for HTTP attacks
  - Delay in packet log reaching the Manager

  Best effort is made for capturing the URL information.

Throttled instance

Multiple instances of the same exploit, from the same source IP to the same destination IP, and detected by the same VIPS (interface/sub-interface) within a configured period of time. The number of instances was greater than a set threshold. Throttling alerts saves on alert overhead, and thus on database space. For more information on configuring throttle settings, see Configuring alert suppression with packet log response.

- Attack Count: number of times this attack was detected within the duration. This value is equal to or greater than the set Alert Suppression value.
- Duration: interval within which the set limit of alerts occurred for the attack. This value is equal to or less than the set Alert Suppression value.

Host Intrusion Prevention alert detail

Host Intrusion Prevention alert detail appears under the Exploit tab. The Source or Destination IP address of a Host Intrusion Prevention alert will be identical to the Agent IP since Host Intrusion Prevention is a host-based IDS; thus, the host was either the origin or the target of an attack.

The following information is unique to Host Intrusion Prevention alerts:

- Agent Name: user-given name of the Host Intrusion Prevention agent.
- Agent IP: IP address of the agent's host.
- User: user who installed the agent software on the agent host.

Host Sweep alerts

Host Sweep alerts are those sweeps in violation of Reconnaissance policy threshold settings.

- Source IP: the value (: n) after the IP address represents the source port where the attack originated. If the value is 0, multiple source ports were used in the sweep.
- Destination Port: port targeted on each host by the attack.
- Destination IPs: list of IP addresses targeted by the attack.
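The throttling rule described under Throttled instance above can be reproduced offline over exported alert records, for example to check how many rows a given suppression setting would collapse. This is an added example, not code from the guide or the product: the record fields, the constructed sample alerts, windows that start at the first instance, and the use of "equal to or greater than" (taken from the Attack Count description) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since start of the sample (constructed)
    attack: str    # attack name (constructed placeholder)
    src_ip: str
    dst_ip: str
    vips: str      # interface/sub-interface that detected the attack


@dataclass(frozen=True)
class ThrottledAlert:
    key: tuple          # (attack, src_ip, dst_ip, vips)
    attack_count: int   # instances seen inside the window
    duration: int       # seconds from first to last instance in the window


def throttle(alerts, threshold, period):
    """Collapse repeated alerts the way the guide describes throttling.

    Alerts sharing (attack, src_ip, dst_ip, vips) are grouped into windows of
    at most `period` seconds, each window starting at its first instance
    (assumption). A window holding `threshold` or more instances becomes one
    ThrottledAlert; smaller windows stay as single-instance alerts.
    Returns (singles, throttled).
    """
    groups = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        groups[(alert.attack, alert.src_ip, alert.dst_ip, alert.vips)].append(alert)

    singles, throttled = [], []
    for key, items in groups.items():
        i = 0
        while i < len(items):
            start = items[i].ts
            j = i
            while j < len(items) and items[j].ts - start <= period:
                j += 1
            window = items[i:j]
            if len(window) >= threshold:
                throttled.append(
                    ThrottledAlert(key, len(window), window[-1].ts - start)
                )
            else:
                singles.extend(window)
            i = j
    return singles, throttled


def make_sample():
    """Constructed alerts using documentation address ranges."""
    name = "EXAMPLE: constructed exploit"
    rows = []
    # Six instances, same source, destination and VIPS, inside one minute.
    for ts in (0, 5, 10, 20, 40, 55):
        rows.append(Alert(ts, name, "192.0.2.10", "198.51.100.5", "1A"))
    # Same flow again much later: a new window with too few instances.
    for ts in (300, 310):
        rows.append(Alert(ts, name, "192.0.2.10", "198.51.100.5", "1A"))
    # Same attack and hosts, but seen on a different VIPS: not merged.
    for ts in (3, 4):
        rows.append(Alert(ts, name, "192.0.2.10", "198.51.100.5", "2B"))
    # Same attack from a different source: not merged.
    rows.append(Alert(7, name, "192.0.2.11", "198.51.100.5", "1A"))
    return rows


SAMPLE_ALERTS = make_sample()

if __name__ == "__main__":
    singles, throttled = throttle(SAMPLE_ALERTS, threshold=5, period=60)
    for t in throttled:
        print("throttled", t.key, "count", t.attack_count, "duration", t.duration)
    print(len(singles), "single-instance alerts remain")
```

A throttled row hides the individual timestamps, so the Attack Count and Duration fields are the only indication of how dense the activity was.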

Port Scan alerts

Port Scan alerts are those scans in violation of Reconnaissance policy threshold settings.

- Source IP: the value (: n) after the IP address represents the source port where the attack originated. If the value is 0, multiple source ports were used in the scan.
- Destination IP: target IP address of port scan victim.
- Destination IP Ports: list of ports on targeted host scanned by the attack.

Simple Threshold alerts

Simple Threshold alerts are those in violation of DoS Threshold Mode settings.

- Threshold ID: this ID corresponds to where this threshold attack is listed in the DoS Threshold Mode catalog.
- Observed Value: the number of times the instance occurred. Since an alert was sent, this value is larger than the Threshold Value.
- Threshold Duration: the time limit value set within DoS Threshold Mode customization for the attack instance. This complements the Threshold Value. This duration is run to the end to capture all instances within the time limit rather than stopping after the first value over the threshold is detected.
- Threshold Value: the limit set within DoS Threshold Mode customization for the attack instance. This complements the Threshold Duration.

Statistical alerts

Statistical attacks are those in violation of DoS Learning Mode settings.

Measures tab: displays bar graphs with packet rate data relating to the violated Learning Mode measure. The violated measure(s) is displayed with the corresponding packet rate over the last 10 minutes. The graph displays the learned long-term rate (as established by the DoS profiling process) against recent activity, or short-term rate. The short-term rate is for the most recent 10 minutes (approximately). When the short-term rate is greater than the long-term rate and exceeds the specified response sensitivity (Low, Medium, or High - from DoS Learning Mode settings), an alert is generated.

The Percentage value represents the percentage of all traffic for which the noted measure accounted. For example, if the "normal" percentage for IP fragments is approximately 2.5%, then IP fragments make up 2.5% of all traffic through the monitored segment. For example, in the following figure, the percentage of fragmented IP packets in the traffic during an interval was significantly higher than the established long-term percentage, which indicates an IP Fragment Flood attack.

Packet Rate tab: displays the violated measure's packet rate for the last minute when the alert was raised. Packet rates are shown in five (5) second intervals.

DoS IP Range tab: displays the ranges of IP addresses, both source and destination, that were involved in the DoS attack. The packet type and total number of packets that were a part of the attack are also noted. Min[imum] refers to the first address in the range and Max[imum] refers to the last address in the range. Total Packet Count is the number of DoS packets seen from the given source and destination range. This includes both benign ("good") and attacking ("bad") packets.

All packets of various packet types (such as TCP SYN) destined to the particular network are displayed in the alert. The first DoS alert shows packet counts received for 5 seconds before the alert. The subsequent suppressed alerts show the number of packets received since the last alert.

If you choose to drop packets, the Sensor drops only the "bad" packets. Thus, the Sensor may not always drop packets from what is determined as a "good" source IP address. For more information on DoS packet dropping response, see Acknowledging alerts.

For more information on understanding Statistical DoS Alert details, see McAfee KnowledgeBase article NAI

Performing a response action

A key element to effective network protection is the ability to respond to a detected attack. During policy configuration, you have the option of setting response actions for detected exploit and statistical (DoS) attacks. For most attacks, responses are not enabled by default. Some attacks do have packet logging enabled by default. Packet logging and sending a TCP Reset are examples of response actions. For more information, see Customizing responses for an exploit attack.

Besides the "Drop Further Packets" (in-line mode) response, which is performed in real time, responding to an attack is performed during Threat Analyzer analysis. The following sections detail the various response choices:

- Viewing a packet log
- Sending a TCP Reset
- Acknowledging alerts

Viewing a packet log

A packet log is created by a Sensor capturing the network traffic of and around an offending transmission. An expert in protocol analysis can use the log information to determine what caused the alert and what can be done to prevent future alerts of the same nature. Packet logs are set by default for a number of Exploit attacks. If you want to view packet data for a specific attack that does not automatically generate a packet log, you can set this attack response by creating or cloning a new policy and setting the packet log response for the selected attack.

Sensors save all packet logs in library packet capture (libpcap) format, and store them in the Manager database. You can examine log files using Ethereal. Ethereal is a network protocol analyzer for Unix and Windows servers that enables you to examine the data captured by your Sensor. For information on downloading and use of Ethereal, go to

You must have already installed Ethereal and set its location before attempting to view a packet log. Follow the procedure in Preferences. Also, you must install Ethereal on all client (remote Manager login) machines for packet log viewing.

Logging packets for attacks applies only to Exploit attacks.

Packet logs can be deleted from the database by setting a deletion schedule as described in Setting a schedule for file pruning.

To view a packet log, do the following:

Task
1. Select Show Details.
2. Click the Show Packet Log tab.
3. Select one of the following:
   - Attack Packets Only: show only the information related to the attack packet. Unless disabled during policy editing, this includes the 128 bytes before the attack packet.
   - Attack Packets and n subsequent packets: type a number of packets around the attack packet to include in your log view. For example, if you enter 2 at this prompt, your packet log includes the attack packets plus the 2 packets after the attack packets, and includes the previous 128 bytes before the attack packets. The 128 bytes before are fragmented into two "dummy" packets, which appear as bogus Ethertype packets ("FFFF") in the packet log.
   - Show Entire Flow: show all packets in the same flow as the attack. Even if you select Show Entire Flow, the Sensor may not be able to continue logging if it fails.
   - Show All Related Flows: display all related packet logs based on all of the following elements being the same: AttackID + VIPS (interface/sub-interface) + Source IP + Destination IP.
4. Click Display Packet Log (opens Ethereal for log viewing). You must have previously established the location of the Ethereal program as it relates to your Manager or client machine. For more information, see General Panel.

Sending a TCP Reset

A TCP Reset is a network response that disconnects an established TCP transmission. The TCP RST shuts down an attack from a malicious source, ends a transmission to a vulnerable destination, or drops both ends of a source-to-destination transmission.

Sending a TCP Reset applies only to TCP protocol-based attacks. If the Sensor is in in-line mode, it will drop all further packets instead of sending TCP Resets.

Task
1. Right-click the row of a TCP-based attack instance.
2. Select Show Details.
3. Click Advanced Configuration.
4. Click the TCP Reset tab.
5. Click the TCP Reset button.
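When a packet log from the Viewing a packet log section is processed outside a protocol analyzer, the two "dummy" frames with Ethertype FFFF have to be separated from the real packets, or they are miscounted as traffic. The following is an added example, not code from the guide or the product; it reads the classic libpcap layout, and the sample capture is constructed. How the 128 context bytes are split across the two dummy frames (64 bytes each, carried as the frame payload) is an assumption.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
DUMMY_ETHERTYPE = 0xFFFF       # the guide's bogus Ethertype for context bytes
ETH_HEADER_LEN = 14


def parse_pcap(data):
    """Return [(ts_sec, frame_bytes), ...] from a classic libpcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)

    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record body")
        off += incl_len
        records.append((ts_sec, frame))
    return records


def split_packet_log(data):
    """Separate dummy context frames from real packets.

    Returns (context_bytes, packets) where packets is a list of
    (ts_sec, ethertype, frame). Frames shorter than an Ethernet header
    are rejected rather than silently skipped.
    """
    context, packets = b"", []
    for ts_sec, frame in parse_pcap(data):
        if len(frame) < ETH_HEADER_LEN:
            raise ValueError("frame shorter than an Ethernet header")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == DUMMY_ETHERTYPE:
            context += frame[ETH_HEADER_LEN:]
        else:
            packets.append((ts_sec, ethertype, frame))
    return context, packets


def build_sample_pcap():
    """Constructed capture: 2 dummy frames, 1 attack packet, 2 follow-ups."""
    def eth(ethertype, payload):
        dst, src = b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01"
        return dst + src + struct.pack("!H", ethertype) + payload

    before = bytes(range(128))  # stands in for the 128 bytes before the attack
    frames = [
        eth(DUMMY_ETHERTYPE, before[:64]),
        eth(DUMMY_ETHERTYPE, before[64:]),
        eth(0x0800, b"constructed attack packet"),
        eth(0x0800, b"constructed follow-up 1"),
        eth(0x0800, b"constructed follow-up 2"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + n, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    ctx, pkts = split_packet_log(SAMPLE_PCAP)
    print(len(ctx), "context bytes;", len(pkts), "real packets")
```

The sample mirrors the "Attack Packets and n subsequent packets" option with n set to 2.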

Blocking further DoS packets for statistical attacks

For a Statistical attack, that is, a short-term spike matched against a learned long-term DoS profile measure, you can block further packets of the same DoS measure type for a configurable period of time. Once you initiate the blocking response, a DoS filter is activated to protect your network from further attacks against the same measure.

This response is different from enabling the dropping of DoS packets during policy configuration. If you enable dropping of DoS packets during policy configuration, you do not have to initiate the action manually; rather, the response is automatic. For this automatic response, the DoS blocking filter is only active as long as the short-term measure is in violation of the long-term measure. To enable automatic dropping of DoS packets, see Customizing Denial of Service (DoS) modes.

To block further malicious DoS packets, do the following:

Task
1. Click Alerts from the menu bar.
2. Right-click a Statistical attack instance row from the Alerts view.
3. Click Block.
4. Type the number of minutes you want the DoS filter to actively block further DoS packets of the same measure.
5. Click Block.

For more information on viewing the DoS filter, see Managing DoS filters, Device Configuration Guide.

To enable blocking of the attacks "Outbound TCP OTX Segment Volume Too High" and "Inbound TCP FIN Volume Too High", you need to set TCP Flow violation to Deny. For more information on setting TCP Flow violations, see Configuring TCP settings, Device Configuration Guide.

Configuring attack filter association

You can select a particular alert and configure an Attack Filter. If necessary, you can create a new Attack Filter and apply it to the selected alert. You apply an Attack Filter to the resource for which the attack is raised and the direction of the attack.

To configure an Attack Filter association, do the following:

Task
1. Open the Real-time Threat Analyzer from the Manager Home page.
2. Click Attacks.
3. Right-click an alert and select Assign Attack Filter Admin Domain Sensor Interface/Sub-Interface. The Filter Assignment window is displayed.
4. Select filters from the Available Attack Filters list.
5. Click Add to move the alert or alerts to the Selected Attack Filters list. To remove an alert from the Selected Attack Filters list, select the alert and click Remove.
6. To add additional attack filters under the Available Attack Filters list, click Manage Attack Filters. The Manage Attack Filters window is displayed.
7. You can New, Clone, View/Edit, or Delete attack filters. For information on the various alert management tasks, see Managing attack filters and attack responses, IPS Configuration Guide.
8. Click Save. Otherwise, click Cancel.

Viewing and editing attack responses

To view and edit attack responses, do the following:

Task
1. Open the Real-time Threat Analyzer from the Manager Home page.
2. Click Alerts.
3. Right-click an alert and select Edit Attack Settings > Current Policy Only. The Edit Attack Details for Attack: <attack name> window is displayed.

You do not manage and configure attack filters for attacks using this window.

Running a script

The Run a Script action enables you to run third-party scripts using parameters that are passed on from Network Security Platform. For example, a script can be run for use with a trouble ticketing system that uses Threat Analyzer directly from Network Security Platform.

To run a script using Threat Analyzer parameters, do the following:

Task
1. Right-click the attack instance row.
2. Click Run a Script.
3. The Run a Script for Attack <attack name> dialog is displayed.
4. Do one or more of the following:
   - Load a script: From the Load script content from list, select either a Local File or Manager script to load. Click Load to load the script. Click Run to run the script.
   - Write a script: In the Content area, type the script you want to run. Select an attribute from the Alert/Attack Attribute list and click Add to Content to include it in your script. Click Run to run the script. Use quotation marks (") to ensure that attributes are not truncated when passed to a script (for example "ALERT_ID").
   - Save a script: From the Store script content to list, select either Local File or Manager to determine where your script is stored. Click Store to save your script.

You can access the recently accessed scripts through the option available in the right-click shortcut menu. Up to 10 are available.

Viewing and saving an Evidence Report

The Evidence Report action opens a complete view of a selected alert row in a separate window. There are several columns in the Attack Details table, and not all of them can be viewed at the same time due to the size of column headers. This feature enables a vertical view (rather than horizontal view) of an alert's details, as well as the option to save the alert information, including a packet log (if available), as a CSV file that is zipped for easy delivery. You can use a spreadsheet program such as Excel to view the CSV file.

To view and save an Evidence Report, do the following:

Task
1. Right-click the attack instance row.
2. Click Evidence Report.
3. (Optional) Select the Save Packet Log check box to save the packet log data along with the alert details.
4. Add comments for the attack in the Comments field by placing your cursor in the white space and typing text.
5. (Optional) Click Save to keep a copy of an alert's details for future reference; the location of the saved file is determined by the user.

IPS Quarantine options in Alerts page

The Alerts page provides the following options for IPS Quarantine of hosts:

- Adding hosts for IPS Quarantine from Alerts page
- Quarantine of hosts from Alert Details

See also: Add hosts for IPS Quarantine from the Alerts page; Quarantine of hosts from Alert Details

Add hosts for IPS Quarantine from the Alerts page

You can quarantine hosts from the list of alerts displayed in the Alerts page in Threat Analyzer.

Task
1. Open Real-time Threat Analyzer from the Manager.
2. Select Alerts. The All Alerts tab is displayed with the list of all the alerts.
3. Select the alert (host) which you want to quarantine. Right-click the alert.
4. Select Add to IPS Quarantine. The following options are displayed:
   - 15 Minutes
   - 30 Minutes
   - 45 Minutes
   - 1 Hour
   - Until Explicitly Released

   You can choose to quarantine the host for the above time limits for Quarantine Duration. For example, you can quarantine the host for 15 minutes.

   Figure 5-1 Adding hosts to IPS Quarantine from Alerts page

   A pop-up is displayed to confirm that you want to quarantine the selected host (IP address).
5. If the host is added to the list of quarantined hosts, a message is displayed that Quarantine is successful. If the host is already quarantined, a message is displayed that the host IP is already present in the Quarantined Host List.

See also: IPS Quarantine options in Alerts page

Quarantine of hosts from Alert Details

You can add hosts for quarantine from the details of the alert.

To add a host for quarantine from the Alert Details view, do the following:

Task
1. Open Real-time Threat Analyzer from the Manager Home page.
2. Select Alerts. The All Alerts tab is displayed with the list of all the alerts.
3. Select the alert (host) and right-click the alert.
4. Select Show Details. The Alert Details is displayed.

   Figure 5-2 Quarantine from Alert Details
5. Click Advanced Configuration. Two options are displayed: Quarantine and TCP Reset.
6. Select Quarantine. The Quarantine window is displayed. Here you can view the currently available quarantine rules for the Sensor.

   Figure 5-3 Quarantined hosts for the Sensor

   The following fields are displayed in the list of quarantine rules in the above window.

   Table 5-4
   Field Name: Description
   Src IP Address: Source IP address of the host you want to quarantine.
   Filter End Time: This field represents the present value of the Filter End Time for the quarantine rule. The current value of Filter End Time is a combination of Quarantine Duration configured in the Manager and the present clock time. For more information, see NAC options in the Hosts page.
   Host Type: The Host Type field is relevant for McAfee NAC-response-based Quarantine and Remediation. This field can be Managed Host or UnManaged Host or Not Applicable.
   Action Status: The Action Status field represents the status of the Sensor's response action for the reference attack. This can be Quarantine or Remediation.
7. In the Quarantine window, enter the IP address for the host you want to quarantine in Quarantine Host. This can be an IPv4 or IPv6 address. You can have up to 1000 IPS Quarantine rules for IPv4 addresses, and up to 500 IPS Quarantine rules for IPv6 addresses, for each Sensor.
8. You can change the Quarantine Duration, if required.
9. Click Add to IPS Quarantine. The rule is displayed in the Quarantine window.
10. The quarantine rules created here are reflected in the Hosts tab. For more information, see Hosts page.
11. To close the Quarantine window, click Close.

See also: IPS Quarantine options in Alerts page

Manual Quarantine of a Host

You can manually quarantine a host even before it is detected on the network. This is applicable only for IPS and IPS + NAC Sensors and is not applicable for NAC-only Sensors. You can manually quarantine a host only on ports where IPS Quarantine is enabled.

Task
1. In the Threat Analyzer, select the Alert / Hosts tab.
2. Click Quarantine. The Quarantine Host dialog appears.
3. In the IPAddress field, type the source IP Address.
4. Select the Quarantine Duration from the drop-down list. The quarantine duration can be:
   - 15 Minutes
   - 30 Minutes
   - 45 Minutes
   - 1 Hour
5. Select the Sensor from the drop-down list.
6. Click Quarantine to quarantine the host.

Quarantine options for NTBA policy violation, botnet, and behavioral alerts

You can choose to quarantine policy violation, botnet attacks, and behavioral NTBA alerts. The quarantine response action needs to be enabled at the policy level per zone.

If the attack was detected at a third-party router, the NTBA Appliance quarantines that host by setting an ACL at the router for 5 minutes by default.

If the attack was detected at a Sensor, the NTBA Appliance sends the quarantine details as part of the alert to the Manager. In response to this, the Manager sends the corresponding source host as part of host quarantine to the Sensor. The quarantine details sent in the alert are exporter id, response action, and source interface.

The period for which quarantine is effective is 5 minutes by default. If you wish to change this value, contact McAfee Technical Support.

The Add to Quarantine right-click options on an alert listed in the Alerts page of the Threat Analyzer provide specific quarantine period options (15 Minutes, 30 Minutes, 45 Minutes, 60 Minutes, or Until Explicitly Released).

Figure 5-4 Add to Quarantine right-click options

Quarantine response - Sensor as an exporter

For NTBA alerts emanating from a Sensor acting as an exporter, the quarantine settings at the IPS Quarantine page of the IPS settings node (IPS Settings > IPS Quarantine > Default Port Settings) override the Add to Quarantine options that can be set for an NTBA alert in the Alerts page of the Threat Analyzer.

Figure 5-5 IPS Quarantine page

Quarantine Response - third party exporters

For NTBA alerts emanating from third-party routers acting as exporters, the Add to Quarantine options that can be set for an NTBA alert in the Alerts page of the Threat Analyzer are applicable.

Performing an NSLookup

You can perform an NSLookup to resolve the hostname corresponding to a source or destination IP address. The hostname may provide a quicker means of recognizing the host being attacked, or another means of identifying the attacking source.

To perform an NSLookup, do the following:

Task
1. Open Real-time Threat Analyzer from the Manager Home page.
2. Select Alerts. The All Alerts tab is displayed with the list of all the alerts.
3. Right-click the attack instance row.
4. Select NSLookup and choose from the following:
   - Source IP: resolve hostname of the source.
   - Destination IP: resolve hostname of the destination.

   If there is no hostname or the hostname cannot be resolved, the Resolved Name displays as the IP address of the address that was looked up or as "Address Not Resolved".
5. (Optional) Click the Who Is button to read information about the registered host. Click OK to close the Who Is window.

Querying host details from the ePO server

After you enable Network Security Platform-ePO integration at an admin domain level, you can query for and view the details of the corresponding network hosts using the Threat Analyzer. If you have installed McAfee Host Intrusion Prevention software and it is running on the host, you can view the top 10 Host Intrusion Prevention events for a host as well.

Consider the following example. My Company is the root admin domain and HR and Finance are its child domains. Sensor-HR and Sensor-Fin are the respective McAfee Network Security Sensors of the two child domains. Assume that the Manager-ePO integration is enabled only for Finance. For an attack detected by Sensor-Fin, you can view the details of the source and destination hosts from the Threat Analyzer because ePO integration is enabled for the Finance admin domain. Note that for you to view the details, the information should be available on the ePO server. For example, if an attack is from outside your network, then your ePO server may not have any information about this source host.

A host can belong to one of the following three types:
  Managed Hosts: These are hosts currently managed by ePO agent.
  Unmanaged Hosts: These are hosts recognized by ePO but are not currently managed by any ePO agent.
  Unrecognized Hosts: These are hosts about which ePO has no information. In the Threat Analyzer, an unrecognized host is represented by a series of dashes (- - -).

You can view the details of the source and destination hosts in an alert. Alternatively, you can enter the IP address and get the details from the ePO server. These details may enable you to troubleshoot and fix any security-related issues in those hosts. In the Threat Analyzer, you can view the details of managed and unmanaged hosts but not of unrecognized hosts.

If you modify the ePO server settings, re-launch the Threat Analyzer to view the host details.

See also
  Viewing host details using IP address

Viewing details of Source and Destination Hosts

To view the details of the source or destination host in an alert:

Task
1 Open the Real-time or Historical Threat Analyzer.
2 Click Alerts. Right-click an alert, select McAfee ePO Host Information, and then select Source IP or Destination IP. You can also right-click on many alerts and query the server. An informational message is displayed stating that the McAfee ePO query is successful.
  You should have enabled Network Security Platform-McAfee ePO integration at the domain level to see the McAfee ePO option in the right-click menu.
  You can query many IP addresses at a single time. For example, an RFC-Overflow alert has 11 destination addresses. You can query all of them using a single query.
  You can query the McAfee ePO server for host information from the Alerts page as well as the Hosts page. Right-click on an IP on the Hosts page and select View McAfee ePO Information.
  The Manager notifies you if your McAfee ePO query is successful and then allows you to navigate to the Host Forensics page to display the query results.
3 Click Yes. The Host Forensics page with the summary of the host details is displayed. The name or the IP address of the McAfee ePO server is also displayed in parentheses next to McAfee ePO Host Information.
4 For a managed or unmanaged host, double-click a row of information in McAfee ePO Host Information to view the additional details. The details are displayed in a tabbed region named after the host's IP address.
  If a double-click does not display the additional details, it could be that the host is an unrecognized host, or that you had earlier queried for the same managed/unmanaged host and the tabbed region for the host is still available.

You can also view the details of source and destination hosts from the Hosts page.

Right-click options in the Host Forensics page

You can select a McAfee ePO query and right-click to view the following:
  View Details: Viewing additional details of managed/unmanaged hosts.
  Query again: Querying the host once again.
  Delete: Deleting the queried host information.
  Delete All: Deleting all rows in the host information section.

See also
  Additional details for Unmanaged Hosts
  Alerts view: Right-click options

Viewing mouse-over summary

You can mouse over an IP address in the Alerts page to display a summary of essential host data, such as host name, user, and OS version.

You need to enable this option from the Enable ePO Integration page. The summary is visible in the Alerts page only when ePO integration is also enabled in the Manager.

Viewing host details using IP address

You can query using a host's IP address in the Host Forensics page to view the details of the host. You can view the details of up to 100 hosts at a time. If the number of queries exceeds 100, then the earliest row of detail is deleted.

To view host details using the IP address:

Task
1 Open the Real-time or Historical Threat Analyzer.
2 Click the Host Forensics tab.
3 Enter the IP address.
4 Select the admin domain name that is configured to the ePO database.

5 Click Query now. The source or destination IP is listed in ePO Host Information of the Host Forensics page. The name or the IP address of the ePO server is also displayed in parentheses next to ePO Host Information.
  If you are querying an unknown host and then click on that row for information (the row has only dashes displayed), a pop-up message is shown stating that the data is not available.
6 For a managed or unmanaged host, double-click a row of information in ePO Host Information to view the additional details. When you double-click a row of information, the details are displayed in a tabbed region named after the host's IP address.
  If a double-click does not display the additional details, it could be that the host is unrecognized, or that you had earlier queried for the same managed/unmanaged host and the tabbed region for the host is still available.

Tasks
  Launching McAfee ePO console

See also
  Additional details for managed hosts
  Additional details for Unmanaged Hosts
  Querying host details from the ePO server
  Viewing Host Forensics

Additional details for managed hosts

For managed and unmanaged hosts, you can double-click on a row of information in the Summary tabbed region of the Host Forensics page to view additional details. These additional details are related to the point-products installed by ePO on the host. If you have installed Host Intrusion Prevention and it is also running on the host, then you can view the last 10 Host Intrusion Prevention events in the host as well. Note that the last 10 events displayed are sorted based on their severity levels. A Host Intrusion Prevention event is an alert generated by Host Intrusion Prevention regarding an activity on the host. For more information, see McAfee Host Intrusion Prevention documentation. Based on the additional details and the events, you can tune the security applications on the host for the best possible protection.

You can view the following details for managed hosts under the Host Information tab:

Field: Description
  Host Name: Name of the managed host.
  IP address: IP address of the managed host.
  MAC Address: The Media Access Control address of the host.
  Host Type: A managed host has a functional McAfee Agent, which communicates with the same ePO server integrated with the admin domain.
  Operating system: The version of the operating system. For example: Windows 2003 (5.2 - Service Pack 2)
  User (s): The operating system user names of the host.
  Domain / workgroup: The domain or workgroup to which the host belongs.
  Source ePO server: IP address of the queried ePO server.
  Information query time: Displays the time when the Manager sent a query to the ePO server.
  Last McAfee Agent Update: Last Agent reported time to ePO.
  Installed Products: Point-products installed by ePO on the host. For example, it can be VirusScan or Host Intrusion Prevention. The version of the product installed is displayed in parentheses.
  Network Security Platform<version number>
  Engine Version: Version of the product's engine, if applicable.
  DAT Version: Version of the DAT file of the product, if applicable.

Click the Latest Events tab to view the following information on the latest 10 Host Intrusion Prevention and anti-virus events.

Last 10 AntiVirus Events
  Event Time: Date and time when the event was received by the anti-virus agent.
  Threat Name: The name of the threat that caused the event to appear.
  Threat Type: The type of the threat that triggered the event.
  Action Taken: Action taken by the anti-virus agent on the reported event.
  File Path: The path to the affected file that caused the event.
  Analyzer Detection Method: The method used to detect the anti-virus event.

Last 10 McAfee Host Intrusion Prevention Events
  Time: Date and time when the event was received by the Host Intrusion Prevention agent.
  Signature Name: The name of the signature that caused the event to appear.
  Signature ID: The ID of the Host Intrusion Prevention signature that caused the event to appear.
  Severity: The severity level of the Host Intrusion Prevention event.
  User: The user at the time the event was initiated.
  Process: The application process that triggered the event.
  Source IP: Source IP address for the event.
  Reaction: The reaction set to take place when the event is triggered.

See also
  Viewing host details using IP address

Launching McAfee ePO console

The Host Forensics page allows you to view additional details for a host by launching the McAfee ePO console from the Threat Analyzer itself.

Task
1 Open the Real-time or Historical Threat Analyzer.
2 Click Host Forensics.
3 Enter an IP address and click Query now.

4 Double-click on a managed host. A detailed view of the Host information page is displayed.
5 Click Open McAfee ePO console.
  The actions that you can perform on the ePO console are based on the privileges assigned to the user credentials that you enter during McAfee ePO server configuration.

Additional details for Unmanaged Hosts

Unmanaged hosts do not have an ePO agent to manage their point-products. The following are the additional details that you can view for unmanaged hosts:

Field: Description
  DNS: DNS name of the host.
  NetBIOS name: NetBIOS name of the host.
  IP Address: IP address of the host.
  MAC Address: MAC address of host.
  Host Type: One of the following is displayed as Host Type:
    UNMANAGED (No Agent): This indicates that there is no McAfee Agent installed on the host.
    UNMANAGED (MANAGED): This indicates that the host has a McAfee Agent but there is no active communication channel between the Agent and the ePO server integrated with the admin domain.
  Last detection time: The date and time when the host was detected on the network.
  Operating system: The operating system platform on the host. For example: Windows
  User (s): Operating system user names of the host.
  Source ePO server: The IP of the ePO server that sent the unmanaged host details.

See also
  Viewing details of Source and Destination Hosts
  Viewing host details using IP address

Deleting alerts

Beyond acknowledging alerts, the Threat Analyzer enables you to delete alerts entirely from the database, and thus from any further alert queries. Deleting old alerts saves database space, thus improving system performance.

Deleted alerts are cleared at a scheduled time. For more information, see Managing your database's disk space, Manager Server Configuration Guide.

To mark an alert for systematic deletion, do the following:

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click the Alerts tab.
3 Right-click an attack instance row.
4 Select Delete.
5 Confirm the deletion.

If during your session you want to remove deletion status from an alert, left-click the alert and select Undelete.

See also
  Viewing alert attributes

Hiding alerts

You may display or hide alerts in either real-time or historical reports based on particular criteria (such as attack type, source or destination IP, and so on). When you enable or disable this option, the Manager creates another tab and displays the results immediately.

Note that there is one filter for each Threat Analyzer window. You may add or remove items from the filter, but the changes are made to one filter.

To control the view in the Threat Analyzer, do the following:

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click the Alerts tab.
3 Highlight the alert(s), right-click, and select Hide. The Threat Analyzer displays another tab that conceals all alerts you wish to hide.

You can choose to hide alerts on the new tab that displays. The Threat Analyzer updates the Alerts view with an additional modified tab each time you hide more alerts. A modified tab displays a down-arrow symbol, which can be expanded with a click to display a list of hidden alerts.

To remove hidden alerts, click the tab containing the alerts you want to see. The Threat Analyzer discards all tabs you created after the selected tab.

To remove all hidden alerts, click the All Alerts tab.

Creating incidents

You can create incidents to track alerts by parameters relevant to your forensic analysis. Similar to the Incident Generator/Incident Viewer, this tool enables you to create incidents without needing to match a configured scenario (for example, 100 attacks from the same source in 15 minutes). You can use this tool to select multiple alerts from the Threat Analyzer Alerts view in order to define an incident. Defining an incident enables you to build a file for research, use in an investigation, or any other assortment of forensic analysis uses. You can build incidents from a single attack, then add to that created record over time.

Incident creation is only available using a Real-Time Threat Analyzer query.

To create an incident, do the following:

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click the Alerts tab.
3 Right-click a row in the Alerts page and select Create New Incident.

4 Type a Name and Description in the New Incident dialog. Click Delete if you wish to delete the alert.
5 Click More Options. You can assign a user and add comments.
  Assign to: assign the incident to a user.
  Comments: add your comments in the space provided.
6 You can move the incident either to a PENDING state or to an OPEN state.
  Keep Incident Pending: You can keep the incident in a pending state. You can add more alerts to the same incident using the Add to Incident option by right-clicking an alert. All incidents in the PENDING state can be viewed in the Incident Viewer Summary page. You can Publish the incidents to move them to an OPEN state by right-clicking the incident or clicking Publish in the Incident Viewer Summary page. Incidents in the PENDING state do not have an ID.

  Publish Incident: You can move incidents to an OPEN state using this option. All published incidents can be seen in the Incident Viewer Summary page in an OPEN state.

Tasks
  Adding alerts to an incident
  Adding occurrences to an incident
  Exporting incidents

See also
  Alerts view: Right-click options

Adding alerts to an incident

To add alerts to an existing user-generated incident, do the following:

You can only add to user-generated incidents that have not been exported to the Incident Viewer.

Task
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click the Alerts tab.
3 Right-click a row in the Alerts page and select Add to Incident.

4 Select the incident to add to from the list.
5 Verify the added alerts in the Incident Viewer page.

Adding occurrences to an incident

You can add occurrences to an incident using one of the following options.

Option 1

To add multiple occurrences to your custom incident, do the following:

Task
1 Select the incident to modify, then click Edit.
2 Click Submit after making any changes in the Edit Incident window.
3 Click New in the "Incident Occurrence List" screen to add a new occurrence. A new occurrence row appears in the table.
4 Select the new occurrence, then click Next.
5 Verify the new occurrence has zero alerts in the "Edit Incident" window, then click Next.
6 Click Finish to save the modified incident.
7 Click OK to confirm. The confirmation message informs you that you have to export your incident to the Incident Viewer in order to work with the alert data in the incident.

Option 2

You can also add new occurrences to a custom incident by performing an Add to Incident from the Alerts page. To add new occurrences in this manner, do the following:

1 Right-click a row in an Attack Details View table and select Add to Incident.
2 Select the incident to add to from "Pending Incident List", then click Add.
3 Click New in the "Incident Occurrence List" screen to add a new occurrence. A new occurrence row appears in the table.

4 Select the new occurrence, then click Next.
5 Verify the new occurrence contains the newly added alert (Add to Incident) in the "Edit Incident" screen, then click Next.
6 Click Finish.
7 Click OK to confirm. The confirmation message informs you that you have to export your incident to the Incident Viewer in order to work with the alert data in the incident.

Exporting incidents

Once you are finished building a custom incident, you can export your incident to the Incident Viewer for analysis.

To export a user-generated incident to the Incident Viewer, do the following:

Task
1 Select the incident to export from the Pending Incident List, then click Export.
2 Click Finish to close the User-Generated Incident dialog.
3 Verify your custom incident appears in the Incident Viewer.
4 Analyze your incident by following the steps in Using Incident Viewer.

Identifying new attacks in the Threat Analyzer

New attacks that have been seen for the first time in the past X days compared to the previous Y days can be identified in the Threat Analyzer. For example, out of all the attacks detected in the past 2 days (value of X), you can choose to highlight those attacks which have been triggered for the first time in the past 30 days (value of Y; the maximum configurable value in the ems.properties file is 30 days). This helps you quickly identify newly discovered attacks and prioritize responses to them.

The settings for identification of new attacks are configured in the General tab of the Preferences page of the Threat Analyzer.
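The X/Y comparison described above, sketched as an added example (it is not part of the McAfee guide and is not product code). It assumes alerts are (timestamp, attack name) records and that Y is the total lookback window ending now; the function name new_threats and all sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

# The guide gives 30 days as the maximum configurable value of Y.
MAX_LOOKBACK_DAYS = 30


def new_threats(alerts, now, x_days, y_days):
    """Return {attack_name: first_seen} for attacks that are "new".

    Assumed interpretation: an attack is new when its earliest occurrence
    inside the last y_days falls inside the last x_days.

    alerts: iterable of (timestamp, attack_name) tuples (assumed record shape).
    """
    if not 0 < x_days <= y_days <= MAX_LOOKBACK_DAYS:
        raise ValueError("require 0 < X <= Y <= 30 days")

    recent_start = now - timedelta(days=x_days)
    lookback_start = now - timedelta(days=y_days)

    first_seen = {}
    for ts, name in alerts:
        # Alerts older than the Y-day lookback are invisible to the comparison.
        if ts < lookback_start or ts > now:
            continue
        if name not in first_seen or ts < first_seen[name]:
            first_seen[name] = ts

    # Keep only attacks whose first sighting lies in the recent X-day window.
    return {n: ts for n, ts in first_seen.items() if ts >= recent_start}


# Constructed sample data (attack names are placeholders, not real signatures).
NOW = datetime(2011, 6, 30, 12, 0)
SAMPLE_ALERTS = [
    # Never seen before yesterday: new.
    (NOW - timedelta(days=1), "SAMPLE-ATTACK-A"),
    # Seen 10 days ago and again an hour ago: known, not new.
    (NOW - timedelta(days=10), "SAMPLE-ATTACK-B"),
    (NOW - timedelta(hours=1), "SAMPLE-ATTACK-B"),
    # Last seen 40 days ago, outside Y=30, then again 36 hours ago:
    # flagged as new again because the older sighting has aged out.
    (NOW - timedelta(days=40), "SAMPLE-ATTACK-C"),
    (NOW - timedelta(hours=36), "SAMPLE-ATTACK-C"),
    # Seen only 5 days ago: inside the lookback but not in the last 2 days.
    (NOW - timedelta(days=5), "SAMPLE-ATTACK-D"),
]

if __name__ == "__main__":
    for name, ts in sorted(new_threats(SAMPLE_ALERTS, NOW, 2, 30).items()):
        print(f"{name}: first seen {ts:%Y-%m-%d %H:%M}")
```

A short Y makes recurring attacks look new more often (SAMPLE-ATTACK-C above), so when triaging highlighted entries it is worth knowing which Y value is in effect.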
See also
  Setting preferences for viewing new threats
  Assigning a new threats monitor to a new dashboard
  Viewing the first seen alerts in the Alerts page

Setting preferences for viewing new threats

Follow this procedure to set preferences for highlighting new threats in the Threat Analyzer:

Task
1 Click Preference in the menu bar of the Threat Analyzer to view the General tab.
2 Click the Threats New if First Seen row in the value column and make the required choice.
3 Select Disable or Enable against Highlight New Threats to enable or disable highlighting of new threats.

The Highlighting of New Threats option is applicable only in the All Alerts View. New Threats are not highlighted when the alerts are grouped by using the Group By option.

See also
  Identifying new attacks in the Threat Analyzer

Viewing the first seen alerts in the Alerts page

Follow this procedure to view the "First Seen Alerts" in the Alerts page:

Task
1 Click Alerts in the Threat Analyzer menu bar to view the All Alerts page where new threats are highlighted.
2 Move the mouse over the highlighted attack entries to display a tooltip indicating that it is a "New Threat - First Seen Today", "New Threat - First Seen Since Yesterday", "New Threat - First Seen Within past 'X' days", or "New Threat - First Seen Within past 1 Week".
  The value of X depends on the value the user has chosen against the Threats New if First Seen row in the General tab of the Preferences page of the Threat Analyzer.

See also
  Identifying new attacks in the Threat Analyzer

Assigning a new threats monitor to a new dashboard

Follow this procedure to assign a "New Threats Summary" monitor to a new dashboard in the Threat Analyzer. The procedure is the same for Local and Central Manager Threat Analyzer:

Task
1 Click Options > Dashboard > New.
2 Enter a name for the new dashboard in the Dashboard Dialog and click OK.
3 Click Assign Monitor in the newly created dashboard.

4 Select the Assign an existing Monitor radio button. Select Default Monitors against Category, IPS against Type, and New Threats against Monitor.

5 Select the period against Threats First Seen. Click OK.
6 The New Threats Seen page is displayed. New threats, if any, during the chosen period are displayed.

See also
  Identifying new attacks in the Threat Analyzer


6 Viewing Hosts details

When a host is detected on a Sensor port for which you have configured NAC (Standard NAC, DHCP, or IBAC), the Sensor sends the available details of the host to the Manager. These details are displayed in the Hosts page of the Threat Analyzer. As the Sensor gathers more information, this entry in the Hosts page is updated in real time. A similar entry is created for attacking hosts if you have configured IPS Quarantine.

To view the host details, you need to select the details that you want to view in the Preferences page. The Hosts page in the Real-time Threat Analyzer then displays these details.

You can right-click on an entry in the Hosts page for additional options. You can double-click on an entry in the Hosts page to see the details in a pop-up window.

Contents
  Viewing host attributes
  Hosts view: right-click options
  NAC options in the Hosts page
  Creating display filters for hosts
  IPS Quarantine options from the Hosts page

Viewing host attributes

You can view the following attributes for a host using the Hosts page. Use the scroll bar to see all attributes for the host. You can customize the attributes view using Preferences > Hosts View.

  UUID: Unique identifier for each host event. The Sensor assigns this to each event it detects.
  Session Start: This is the creation time of the host event.
  Last Modified: Last modified time of the host event.
  IP Address: IP address of the host.
  MAC Address: MAC address of the host.
  Host Name: NETBIOS name of the host.
  Current User: The current user logged on to the host.
  User Type: The type of user. For example, a user can be a guest, local employee, or a VPN employee.
  McAfee NAC Client: The status of the McAfee NAC Client on the host. It can be installed, absent, etc.
  Health Level: The health of the host reported by McAfee NAC.
  Network Access Zone: The NAZ to which the host has been assigned.
  NAC Deployment Mode: This is the NAC deployment mode for the host. It can be Standard NAC or DHCP.
  NAC Detection Mode: This can be L2, L3, or VPN for Standard NAC and it will be DHCP for DHCP mode.

  Matched IBAC Policy: The IBAC policy applied on the monitoring port that detected the host.
  Sensor: The Sensor that detected the host.
  Monitoring Port: The monitoring port that detected the host.
  OS: The OS of the host machine.
  State: The current state of the detected host. For example, for managed hosts it would be connected state and for unmanaged and quarantined hosts, it would be quarantine state.
  Production VLan: The production VLAN ID (PVLAN) is typically the default VLAN that you configure for a switch port. The protected network segment, such as the server farm, could be assigned the PVLAN. Therefore, only those hosts that qualify for full access can access this portion of the network.
  Quarantine VLan: The Quarantine VLANs (QVLANs) are configured as a set of VLAN IDs with restricted network access.
  Switch:
  Switch Port:
  Switch Port Group: Switch Port Group as a virtual switch with ports from one or more real switches.

Hosts view: right-click options

You can perform the following actions on a host using the right-click option:

  Add to IPS Quarantine: add the host from which the alert originated into the quarantine zone for:
    15 Minutes
    30 Minutes
    45 Minutes
    1 Hour
    Until Explicitly Released
  Delete: deletes the selected host in real time.
  Extend IPS Quarantine: extend the quarantine time for a host.
  Release from IPS Quarantine: remove a host from the quarantine zone.
  Start Vulnerability Manager Scan: request a Vulnerability Manager on-demand scan on individual alerts.
  TrustedSource Information: query McAfee's for the details of the source or destination host based on IP address.
  View ePO Information: view details of a host as obtained from the ePO server.

See also
  NAC options in the Hosts page

NAC options in the Hosts page

The Hosts page in the Threat Analyzer gives additional options for NAC.

NAC-related options for a host

Task
1 In the Threat Analyzer, select the Hosts page.
2 Select a host and right-click on it.

Figure 6-1 NAC options in the Hosts page

The following NAC options are available:

  Add to NAC Exclusions list - adds the selected host to the NAC Exclusions list. The host is removed from the currently assigned Network Access Zone. For more information on NAC exclusions, see Configuring NAC Exclusions.
  Assign Network Access Zone - changes the Network Access Zone currently assigned to the host. For more information on network access zones, see Adding network access zones.
  Add to IPS Quarantine - quarantine hosts from the list of alerts. You can quarantine the host for a specific time limit.
  Show NAC History - displays the NAC history of the selected host in a separate window in the Hosts page.
  Start Vulnerability Manager Scan - scan hosts using Vulnerability Manager based on the source or destination IP addresses.
  View McAfee ePolicy Orchestrator (McAfee ePO) Information - enables you to send queries to the McAfee ePO server to obtain details of the hosts on your network.
  View Details - displays the details of the selected host. The fields in the Hosts page are displayed.

  TrustedSource Information - query the details of the source or destination host based on IP address.
  Move to Production - moving from quarantine to production network.

Figure 6-2 Details of a host from the View Details option in Threat Analyzer

See also
  Hosts view: right-click options

Creating display filters for hosts

Task
1 Open the Threat Analyzer from the Manager Home page.
2 Click Hosts from the Menu bar.
3 Select New from Display Filter in the drop-down list.
4 Enter the filter name.
5 Define the filter properties.
6 You can also select filter properties and define the value for parameters using the various comparison operators.
7 Click Save and Apply or Apply Once.

Pre-defined display filters are displayed while selecting Apply from the display filter drop-down. You can also edit as well as delete the display filters.

Tasks
  Viewing historical host data using display filter

Viewing historical host data using display filter

The Display Filter in the Hosts page in Real-time Threat Analyzer provides an option called Session Start. This option can be used along with other options in the Display Filter to get historical host information within a specified time period.

Note that Session Start helps you to view the historical data retrieved from the Manager database within the selected time period. When you choose the other filter criteria without selecting Session Start, you will be able to view the real-time data only.

The following example explains how you can use Session Start in the Real-time Threat Analyzer:

Task
1 Open Real-time Threat Analyzer.
2 Go to Hosts > Display Filter > New.
3 In the Display Filter, enter a Filter Name.
4 Select Session Start. You can enter the Start Time and End Time for this option.

5 You can also choose other filter criteria, for example, Health Level.
6 Select Apply Once. The filter output is displayed as per the selected criteria in a separate tab in the Hosts page.

The Save and Apply option is grayed out when you choose Session Start. You cannot save a Display Filter when you choose Session Start. Once the filter is executed it cannot be edited.

IPS Quarantine options from the Hosts page

The Hosts page in Threat Analyzer gives two options for IPS Quarantine:
1 Extend IPS Quarantine
2 Release from IPS Quarantine

To select the above options for a quarantined host, do the following:

Task
1. In the Threat Analyzer, select Hosts page.
2. Select the host where you want to use the quarantine options, and right click on it.

Figure 6-3 IPS Quarantine settings from Hosts page

The options are displayed for IPS Quarantine:
- Add to IPS Quarantine - add the host from which the alert originated.
- Extend IPS Quarantine - extends the time for which a host is quarantined (Quarantine Duration). Following options are displayed:
  - 15 Minutes
  - 30 Minutes
  - 45 Minutes
  - 1 Hour
  - Until Explicitly Released
  You can choose to extend the Quarantine Duration for the host with the above time limits. For example, you can extend IPS Quarantine for the host for another 15 minutes.
- Release from IPS Quarantine - removes a host from IPS Quarantine. When you select this option, a message is displayed to confirm if you want to release the host from IPS Quarantine. Select the required option.


7 Using Incident Viewer

Incidents let users package one or more alerts of interest for further review. Incidents are organized as a collection of occurrences, and each occurrence consists of one or more alerts. Incidents can be generated either manually or by using the Incident Generator.

In the Threat Analyzer Alert view, the user can select multiple alerts and use Create Incident to create an incident, or add them to an existing incident using Add to Incident. Once the incident is created, it goes into the PENDING or OPEN state. A PENDING state incident generated this way is local to the Threat Analyzer and needs to be exported to the Manager to take effect and be visible in other Threat Analyzer views. This is done by using the Publish option.

Incident Generator is an independent application that can be launched to generate incidents based on rules specified (for example, x number of alerts from a single IP address in y minutes). The incidents generated by the Incident Generator are also pushed to the Manager.

The Incident Viewer is the interface used to analyze your generated incidents. The Incident Viewer allows for life cycle management of the incidents: it displays all the incidents, shows details about a selected incident, and supports deletion of incidents. It also provides a workflow for adding comments as well as assigning the incident to another user for further review. You can see the details of an incident by clicking on the incident in the list. Here you can see the occurrences that comprise the incident and view the individual alerts that comprise them.

Each incident corresponds to the conditions set in the Incident Generator configuration file. For more information on the Incident Generator, see Enabling and starting the Incident Generator service.

You must start the Real-Time Threat Analyzer to open the Incident Viewer.

Item  Description
1     Incident Statistics
2     Incident Description

The Incident Viewer displays incident statistics, provides a comments area for case management purposes, and enables deletion of incidents.

All incidents that are in PENDING state have no ID. Once the incident is published using the Publish option, an ID is generated for that incident.

Viewing incidents

To view your incidents, do the following:

Task
1. Open Real-Time Threat Analyzer.
2. Select Incident Viewer tab. The Incident Viewer opens.

Incidents are listed in chronological order, with the most recent incident listed first. The table columns are as follows:
- ID: database ID of the incident data.
- Name: name of incident from configuration file and the manually created user incident.
- Status: current status of incident. Open indicates the incident is currently operational. Closed indicates the incident is finished. Resolved indicates the incident is analysed by the admin.
- Creation time: time of last alert in the incident.
- Average Severity: average severity of all alerts in the incident. The average severity is displayed as: [N.N](H,M,L). The N values represent severity as a number (for example, 5.5 = an average severity of Medium). The H value represents the number of High severity attacks within the incident, the M value represents the number of Medium attacks, and the L value represents the number of Low attacks.
- Assigned to: person responsible for incident research.
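The rule form mentioned for the Incident Generator (x alerts from a single IP address in y minutes) and the Average Severity column format can be worked through on sample data. The following is an added example, not McAfee code and not the Incident Generator's configuration format: the alerts are constructed, treating each threshold-meeting window as one occurrence is this example's reading, and the severity bands (High 7-9, Medium 4-6, Low 0-3) are an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    time: datetime
    src_ip: str
    severity: int  # numeric severity, assumed to run from 0 to 9


def find_incidents(alerts, x, y_minutes):
    """Group alerts into incidents keyed by source IP.

    An occurrence is a run of at least x alerts from one source IP that all
    fall within y_minutes of the run's first alert (assumed rule semantics).
    An incident is the list of occurrences found for that IP.
    """
    window = timedelta(minutes=y_minutes)
    by_ip = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.time):
        by_ip[alert.src_ip].append(alert)

    incidents = {}
    for ip, seq in by_ip.items():
        occurrences = []
        i = 0
        while i < len(seq):
            j = i
            while j < len(seq) and seq[j].time - seq[i].time <= window:
                j += 1
            if j - i >= x:          # threshold met: close this occurrence
                occurrences.append(seq[i:j])
                i = j
            else:                   # not enough alerts: slide the window start
                i += 1
        if occurrences:
            incidents[ip] = occurrences
    return incidents


def incident_alerts(occurrences):
    """Flatten an incident's occurrences into its list of alerts."""
    return [alert for occ in occurrences for alert in occ]


def average_severity(alerts):
    """Render the [N.N](H,M,L) form used by the Average Severity column."""
    avg = sum(a.severity for a in alerts) / len(alerts)
    high = sum(1 for a in alerts if a.severity >= 7)        # assumed band
    medium = sum(1 for a in alerts if 4 <= a.severity <= 6)  # assumed band
    low = sum(1 for a in alerts if a.severity <= 3)          # assumed band
    return "[%.1f](%d,%d,%d)" % (avg, high, medium, low)


def _at(minute):
    return datetime(2011, 6, 1, 10, 0) + timedelta(minutes=minute)


# Constructed sample alerts (documentation address ranges).
SAMPLE_ALERTS = [
    Alert(_at(0), "192.0.2.10", 7),
    Alert(_at(1), "192.0.2.10", 5),
    Alert(_at(3), "192.0.2.10", 4),
    Alert(_at(0), "198.51.100.7", 6),
    Alert(_at(20), "198.51.100.7", 6),
    Alert(_at(30), "192.0.2.10", 8),
    Alert(_at(31), "192.0.2.10", 2),
    Alert(_at(33), "192.0.2.10", 6),
]

if __name__ == "__main__":
    for ip, occs in find_incidents(SAMPLE_ALERTS, x=3, y_minutes=5).items():
        print(ip, len(occs), "occurrences", average_severity(incident_alerts(occs)))
```

With x=3 and y=5, only 192.0.2.10 produces an incident; the two alerts from 198.51.100.7 are 20 minutes apart and never meet the threshold.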

8 Viewing Host Forensics

Using the Host Forensics page, you can specify the IP address of a host on your network to view its details. The ePO section of the Host Forensics page enables you to query the ePO database for the details of a host. This section also displays the last 10 Host Intrusion Prevention events for the host.

The Vulnerability Manager section enables you to start a Vulnerability Manager scan of a host in the domains in which Vulnerability Manager is installed and configured. You can view the vulnerabilities for the host after the scan is complete.

Thus, using the Host Forensics page you can view the details of a host from ePO, Host Intrusion Prevention, and Vulnerability Manager. You can use these details to tune your security-related applications on a host for maximum protection.

See also
Viewing host details using IP address on page 103
On-demand Scan of Hosts listed in Alerts in the Threat Analyzer on page 137

Contents
Viewing McAfee ePO Information
On-demand Scan of Hosts listed in Alerts in the Threat Analyzer

Viewing McAfee ePO Information

Integrating McAfee Network Security Platform and ePolicy Orchestrator (McAfee ePO) enables you to send queries to the ePO server to obtain details of the hosts on your network. The details that are fetched from the McAfee ePO server include the host type, host name, user name, operating system details, and the details of system security products installed on the host. These details are displayed in the Threat Analyzer.

If you have installed McAfee Host Intrusion Prevention as part of your McAfee ePO installation, then you can also view the last 10 Host Intrusion Prevention events for a specific host. These details provide increased visibility and relevance for security administrators performing forensic investigation of security events seen on the network.

Viewing host details using IP address

You can query using a host's IP address in the Host Forensics page to view the details of the host.
You can view the details of up to 100 hosts at a time. If the number of queries exceeds 100, then the earliest row of detail is deleted.

To view host details using the IP address:

Task
1. Open the Real-time or Historical Threat Analyzer.
2. Click Host Forensics tab.
3. Enter the IP address.

4. Select the admin domain name that is configured to the ePO database.
5. Click Query now. The source or destination IP is listed in ePO Host Information of the Host Forensics page. The name or the IP address of the ePO server is also displayed in parentheses next to ePO Host Information.
   If you are querying an unknown host and then click on that row for information (the row has only dashes displayed), a pop-up message is shown stating that the data is not available.
6. For a managed or unmanaged host, double-click a row of information in ePO Host Information to view the additional details. When you double-click on a row of information, the details are displayed in a tabbed region named after the host's IP address.
   If double-click does not display the additional details, it could be that the host is unrecognized, or that you had earlier queried for the same managed/unmanaged host and the tabbed region for the host is still available.

Tasks
Launching McAfee ePO console

See also
Additional details for managed hosts on page 105
Additional details for Unmanaged Hosts on page 107
Querying host details from the ePO server on page 99
Viewing Host Forensics on page 4

Launching McAfee ePO console from the Host Forensics page

Task
1. Open the Real-Time or Historical Threat Analyzer from the Network Security Manager Home page.
2. Click Host Forensics.
3. Enter an IP address and click Query now.

4. Double-click on a managed host. A detailed view of Host information page is displayed.
5. Click Open McAfee ePO console. The McAfee ePO server opens with the host details displayed. You can update the dat file and policies at this page.

Viewing Latest events from the Host Forensics page

Task
1. Open the Real-Time or Historical Threat Analyzer from the Network Security Manager Home page.
2. Click Host Forensics.
3. Enter an IP address and click Query now.
4. Double-click a managed host. A detailed view of Host information page is displayed.
5. Click Latest events. The latest 10 Anti virus events and the latest 10 Host Intrusion events are displayed.

On-demand Scan of Hosts listed in Alerts in the Threat Analyzer

The on-demand scan functionality helps you to scan hosts using Vulnerability Manager, based on the source or destination IP addresses, in the Real-time and Historical Threat Analyzer.

When you request an on-demand scan for an IP listed under Vulnerability Scan Information in Host Forensics page, or for an alert listed in the Alerts page, the selected IP address is sent from the Threat Analyzer to the API Server of McAfee Vulnerability Manager. The API Server acts as a gateway interface between the Manager and McAfee Vulnerability Manager.

The API Server delegates the scan request from Manager to the Scan Engine. Once the scan is successfully completed, Manager queries the API Server for Vulnerability Assessment data. The Vulnerability data returned by the API server is processed and stored in McAfee Manager database. This data is also updated in the memory cache maintained in the Manager.

The Manager uses SOAP/SSL channel to communicate with the API Server of McAfee Vulnerability Manager.

On average, the Scan engine takes 4 minutes to scan the host for vulnerabilities. The Scan engine scans the host, and provides the vulnerability assessment data to Manager over a SOAP/SSL response. The vulnerability data is processed and stored in the Manager database. This data is also updated in the cache maintained in Threat Analyzer client.

For requesting an on-demand scan from Threat Analyzer, you need to configure Vulnerability Manager settings in the Manager client interface. For more information, see Configuring Vulnerability Manager settings in Manager.

On-demand scan from Threat Analyzer

On Demand scan of Source or Destination IP for alerts in the Alerts Page, or for the IP listed in the Host Forensics page, uses the Scan Configuration configured, or inherited from the parent admin domain level.

You can request a Vulnerability Manager on-demand scan on individual alerts from the right-click menu for an entry listed in the All Alerts page of the Threat Analyzer. Right-click the alert, and select Start Vulnerability Scan > Scan Source IP or Start Vulnerability Scan > Scan Destination IP option.

When you select either option (Scan Source IP or Scan Destination IP), and the scan matches a scan added in the relevant admin domain in the Manager, a message pop-up indicates that the scan falls within the IP range of a named scan added in the Manager and that this particular scan will be used.

When the IP address of the host on which the scan is initiated does not fall within the range of any of the scans added to the Manager, a message pop-up indicates that a default scan will be used.

If you want to view the scan results, select Yes in the pop-up that follows. You are re-directed to the Host Forensics page.

See also
On-demand scan of hosts on page 145
Viewing Host Forensics on page 4

Viewing Vulnerability Manager scans

The Host Forensics page in Threat Analyzer indicates the progress of the Vulnerability Manager scans of alerts from the Threat Analyzer.

To view the list of all Vulnerability Manager scan processes in a domain, select Host Forensics from the Threat Analyzer, and select a domain from the drop-down. The Vulnerability Scan Information for the selected domain is displayed under Summary > Vulnerability Scan Information, as shown below.

Following information is displayed in the Vulnerability Manager Host Information section.

Field Name / Description
- Target IP: The IP address of the host which is scanned.
- Scan start time: Starting time of the Vulnerability Manager scan.
- Status: This field shows the status of completion of the Vulnerability Manager scans.

Depending on the progress of the scan, Status field displays the following:

Status / Description
- Queued: The Queued status indicates that requested Vulnerability Manager scans are queued.
- %n Complete: The percentage of completion of the scan, where n ranges from 0 to 100.
- Retrieved: This status indicates that the Vulnerability Manager scan is complete, and the host vulnerability information is available to the user (to be viewed).
- Failed: Vulnerability Manager scan has failed.
- Scan TimedOut: If a scan takes more than 30 minutes, Manager cancels the scan by setting the status to Scan TimedOut.

Vulnerability Manager scan results displayed in the Status field are stored in the cache. Note that when Manager is restarted, the scan results are not seen in the Status field. If you want to view the scan results for the same host, you need to scan the host once again from the Host Forensics page.

When you select a domain in Host Forensics > Summary > Vulnerability Scan Information, you see the scans for that domain and for the domains that are set to Inherit from it. For example, if FORD-Child1 domain has HR1 and HR2 as child domains, and these domains are set to Inherit from parent domain in the Manager, the Host Forensics page of FORD-Child1 will show the scans of FORD-Child1, HR1, and HR2.

Vulnerability Manager scan option

You can also scan a host by entering the host IP address in the Scan field in Vulnerability Manager Host Information section, and then clicking the Scan button. The Scan button is enabled only when you completely fill in the IP address.

All the domains in which Vulnerability Manager is configured are displayed in the drop down list. You can select the domain, enter the IP address and click Scan to start an on demand scan.

While initiating an on demand scan, you need to select the admin domain in which you have already configured the intended scan (Admin_Domain_Name / Integration Vulnerability Manager Scans). You also need to ensure that the IP address entered is part of the intended scan configuration. If this is not ensured, the default scan as per configuration in the Vulnerability Manager is used.

If there are overlapping configurations for two scans from a single admin domain, you can choose the scan you wish to apply. In this case a cancel option is also given.

If you want to see the detailed scan result for a host that was scanned, select the required Scan entry from Host Forensics page, and right click on it to view the Rescan, Show Details, and Delete options.

Select Show Details option. Here the message pops up depending on two conditions:
- If the scan is in progress, a pop-up is displayed in the same screen, with the percentage level of completion (a value between 0 and 100).
- If the scan is complete and status is seen as Retrieved, right-clicking the scan and selecting Show Details opens a new page under the sub tab Vulnerability Information (the main tab displays the IP address of the scanned host), which displays vulnerability information.

The Vulnerability Information page displays details such as the total number of vulnerabilities found, scan configuration for the on-demand scan, and details of the vulnerabilities identified in the host.

By default, the vulnerabilities are sorted in the order of severity and are displayed in a tabular format. Each row in the table contains additional vulnerability details such as severity, vulnerability name, vulnerability description, recommendation details that list the steps or patches that need to be applied to the identified vulnerability, CVE ID and IAVA (Information Assurance Vulnerability Alert) Reference Number.

For a scanned host, data on vulnerabilities (such as target IP, CVE or BugTraq ID) is stored in the Manager database. Note that the information is not stored in the format for display in the Vulnerability Information page. So, when you restart Manager, this information is not seen in the Vulnerability Information page. You need to perform the scan again to view the information.

In the Vulnerability Information window, when you click on the CVE ID link for a vulnerability, you are re-directed to the CVE page ( as shown below.

You can also just double-click on any IP scan listed in the Vulnerability Scan Information to view the Vulnerability Information for that IP.

Rescanning the host

You can rescan the host which was once scanned by Vulnerability Manager. Right-click the scan in the Vulnerability Manager Host Information page, and select Rescan. The host will be scanned once again by Vulnerability Manager, and the vulnerability information is retrieved and displayed as before.

Concurrent scans

Threat Analyzer supports concurrent Vulnerability Manager scans. The maximum pool size (maxpoolsize) for concurrent scans is three. Maxpoolsize represents total number of threads available in the ThreadPool. (ThreadPool is a component for working with pools of threads and asynchronously executing tasks.)

If scan requests exceed the maxpoolsize, they are queued, and processed depending on the free pool size.

It is recommended to run a maximum of three concurrent Vulnerability Manager scans from the Manager, for optimal results.

See also
Concurrent scan of hosts on page 146

Fault messages for Vulnerability Manager on-demand scan

The following table shows the fault messages associated with Vulnerability Manager on-demand scan:

- Fault displayed: On-demand scan failed because connection was refused to FoundScan engine
- Severity: Critical
- Description: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down. For more information on using Fully Qualified Domain Name, see Vulnerability Manager Installation.

You can view the faults from the Operational Status menu in Manager. When you click on the fault link, you can view the details of the fault and the possible actions to be taken to correct the fault. The fault detail for "on-demand scan failed" is shown below.

Vulnerability Manager scan from Hosts page

In the Hosts page, you can request a Vulnerability Manager scan. To request a Vulnerability Manager scan from Hosts page, do the following:

Task
1. From the Threat Analyzer, select Hosts. Right-click on an entry.
2. To initiate an on-demand scan of the selected IP address, select Start Foundstone Scan. If the IP address does not fall under any of the defined scans in Manager, then a message pop-up shows that the default scan configuration (defined in Manager) will be used to scan the IP.
3. In the pop-up message, select Yes if you want to view the scan results. You are re-directed to the Host Forensics page.

The product names "Foundstone" and "Vulnerability Manager" refer to the same product.

Network scenarios for Vulnerability Manager scan

In this section, you can find network scenarios related to:
- On-demand scan of hosts
- Concurrent scan of hosts

On-demand scan of hosts

While reviewing the alerts in Real-time or Historical Threat Analyzer, assume that you want to:
- view the current status of a particular host listed in the list of alerts
- scan the particular host using Vulnerability Manager, from the Threat Analyzer
- know the relevancy of the scanned alert/event.

This is possible by the on-demand scan functionality in the Threat Analyzer for individual alerts. You can request a Vulnerability Manager scan from the Threat Analyzer by selecting either the Source IP address or the Destination IP address of the host to be scanned. The status of the scan (whether the scan is relevant) is displayed in the Threat Analyzer. You can maintain up to N scan information entries (the default for N is 100) in the Threat Analyzer.

See also
On-demand Scan of Hosts listed in Alerts in the Threat Analyzer on page 137

Concurrent scan of hosts

When concurrent on-demand scan of many hosts is initiated from the Threat Analyzer, you need to first define scan configuration in the Manager in order to get error free results.

Scenario: Consider the scenario where you initiated the on-demand scan of three host IP addresses concurrently from the Vulnerability Scan Information pane in the Host Forensics page of the Threat Analyzer. Assume that the host IP addresses do not fall in the IP ranges specified by any of the scan configurations defined in Manager. Further, you have not defined any scan configuration in Manager.

Scan process when scan configuration is not defined: In Vulnerability Manager, when you request multiple on-demand scans, all the scans are executed with the default scan configuration and with the same name, that is, QuickScan_<User Name>. This is because the same user name that you used to log in to Vulnerability Manager gets associated with the three scan names. Since all the three scans have the same name, only one of the three concurrent scans is successfully completed. That is, Scan engine does not permit concurrent scans to be run with the same scan name.

Similar behavior can be seen if multiple on-demand scans are executed from the Threat Analyzer. All the scans executed from Threat Analyzer will have the same name QuickScan_<User Name>. For example, if you have logged into Vulnerability Manager as admin, then the scan configuration names for all the three hosts will be QuickScan_admin.

In the scenario described above, when you initiate three concurrent on-demand scans without any scan configuration defined in Manager, Scan engine uses its default scan configuration for scanning the hosts, with the default scan name "QuickScan_<User Name>". The three scans will have the same name, for the reason mentioned earlier.
The first scan will be executed successfully, and the remaining two scans result in concurrent task exception. Therefore, using the Scan default scan configuration settings, you cannot run concurrent on-demand scans from Threat Analyzer.

Recommended solution: It is recommended that for concurrent scans, you should define at least one scan configuration in Scan engine and add the same to Manager. This scan configuration will be used as the default one. If more than one scan configuration is defined in Manager, you can change the default scan settings. For more information on setting the default scan, see Adding Vulnerability Manager scan configurations.

When you have defined the default scan configuration in Manager as well as in Vulnerability Manager, and when the concurrent on-demand scans are requested, Manager will make use of the scan configuration ID and set a unique name for each host that is scanned. Manager creates scan name in the format Network Security Platform_<Actual Scan Name>_Thread-N where N=1,2,3,.. etc. Each scan configuration name will be different, for example, the scan names will be Network Security Platform_<Actual Scan Name>_Thread-1, Network Security Platform_<Actual Scan Name>_Thread-2, and Network Security Platform_<Actual Scan Name>_Thread-3. So, all the concurrent scans are successfully completed.

When any one scan in the execution pool completes its task, the next scan request waiting in queue for execution is pushed into the execution pool for execution. The scan requests are executed in order of First In First Out (FIFO).

Threads are created in the Manager depending upon the threadpool size. If the threadpool size is set to 3, three worker threads (Thread-1, Thread-2 and Thread-3) are created in the pool to service the scan requests.

If the threadpool size is set to 3, and if more than 3 concurrent scan requests are sent to Scan engine, only 3 scans will be executed in the engine, and the rest of the scan requests are queued.

Before adding a scan to the Manager, you need to run the newly defined scan configuration at least once in the Scan engine. Each scan configuration defined in the Vulnerability Manager is associated with a Scan engine. When you run the scan configuration for the first time at the Vulnerability Manager side, the Scan engine in which the scan configuration is executed gets associated with that scan configuration. This step is essential for successfully adding the scan configuration to Manager.

See also
Concurrent scans on page 143
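The concurrent-scan scenario above can be replayed as a small simulation. This is an added example, not McAfee code: the engine is a stand-in that only enforces the one-running-scan-per-name rule, "DefaultScan" is a hypothetical scan configuration name, the host addresses are constructed, and treating N in Thread-N as the number of the worker thread running the scan is this example's reading of the guide.

```python
import heapq
from collections import deque
from dataclasses import dataclass

POOL_SIZE = 3      # maxpoolsize stated in the guide
SCAN_MINUTES = 4   # average scan duration stated in the guide


@dataclass
class ScanResult:
    target: str
    scan_name: str
    status: str    # "Retrieved" or "Failed", as in the Status column
    start: int     # minute the request left the queue
    end: int       # minute the scan finished or was rejected


class ToyScanEngine:
    """Stand-in for the Scan engine: one running scan per scan name."""

    def __init__(self):
        self.running = set()

    def start(self, scan_name):
        if scan_name in self.running:
            raise RuntimeError("concurrent task exception: " + scan_name)
        self.running.add(scan_name)

    def finish(self, scan_name):
        self.running.discard(scan_name)


def quickscan_name(worker):
    # No scan configuration in Manager: every request gets the same name.
    return "QuickScan_admin"


def per_thread_name(worker):
    # "DefaultScan" is a hypothetical scan configuration name.
    return "Network Security Platform_DefaultScan_Thread-%d" % worker


def run_scans(targets, name_for_worker):
    """Simulate on-demand scans that are all requested at minute 0."""
    engine = ToyScanEngine()
    queue = deque(targets)                  # FIFO request queue
    free = list(range(1, POOL_SIZE + 1))    # idle worker thread numbers
    heapq.heapify(free)
    busy = []                               # (end, worker, target, name, start)
    results = {}
    now = 0
    while queue or busy:
        while queue and free:               # hand queued requests to idle workers
            worker = heapq.heappop(free)
            target = queue.popleft()
            name = name_for_worker(worker)
            try:
                engine.start(name)
            except RuntimeError:
                results[target] = ScanResult(target, name, "Failed", now, now)
                heapq.heappush(free, worker)  # worker is idle again at once
                continue
            heapq.heappush(busy, (now + SCAN_MINUTES, worker, target, name, now))
        if busy:                            # advance the clock to the next completion
            now, worker, target, name, start = heapq.heappop(busy)
            engine.finish(name)
            heapq.heappush(free, worker)
            results[target] = ScanResult(target, name, "Retrieved", start, now)
    return [results[t] for t in targets]    # report in request order


if __name__ == "__main__":
    hosts = ["192.0.2.%d" % n for n in range(1, 6)]  # constructed addresses
    for label, namer, batch in (("default name", quickscan_name, hosts[:3]),
                                ("per-thread names", per_thread_name, hosts)):
        print(label)
        for r in run_scans(batch, namer):
            print("  %-10s %-9s %2d-%2d min  %s"
                  % (r.target, r.status, r.start, r.end, r.scan_name))
```

Because a worker thread runs one scan at a time, a name derived from the thread number cannot collide with another running scan, which is why the fourth and fifth requests reuse Thread-1 and Thread-2 after waiting in the queue.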


9 Setting Preferences

The Preferences section enables you to personally set various options related to Threat Analyzer functionality and presentation. The Reset to Defaults returns all current panel fields to default values.

The Preferences tabbed sections are as follows:
- General: Location of Ethereal, Default Time Format, Time Zone, Whois Server URL, No. of Alerts at startup, Max. No. of Alerts, IP Address Name Resolution, IP Address Name Resolution Maximum Timeout (milliseconds), Warn about Impact of Real-Time Sensor Performance Polling, Highlight New Threats, Threats New if First Seen, Proxy Server.
- Alerts View: customize Alerts view column layout and presentation.
- Hosts View: customize hosts view column layout and presentation.
- Watch List: create a coloring scheme for highlighting specific alert information that is crucial to your monitoring environment.
- Historical Constraints: displays the information of the historical query selected while opening the Historical Threat Analyzer.

The Central Manager Threat Analyzer Preferences page contains only the General, Alerts View, and Watch List Panels.

See also
Watch List on page 153

Contents
General Panel
Alerts View Panel
Hosts View Panel
Watch List
Historical Constraints

General Panel

The General Panel sets preferences for basic program functions. The available options are:
- Ethereal: The location of your Ethereal program for packet log viewing. The first time you open the Threat Analyzer, set the location of the Ethereal program by browsing (...) through your system.
- Default Time Format: Click to edit the time format to how you want your alerts to be time stamped. Default time format is MM-dd HH:mm:ss

- Time Zone: The time zone format to be used in time-related display columns of the Threat Analyzer. Available formats are Client Host Time Zone (default) and UTC/GMT.
- Whois Server URL: The URL of the 'Whois' Server.
- No. of Alerts at startup: The number of alerts that are displayed at startup. The default is 20,000 alerts.
- Max. No. of Alerts: Maximum number of alerts that can be viewed in the Threat Analyzer.
- IP Address Name Resolution: The IP address name is displayed if enabled.
- IP Address Name Resolution Maximum Timeout (milliseconds): Time taken to resolve IP address name. Default is 1000 milliseconds.
- Warn about Impact of Real-Time Sensor Performance Polling: When enabled, the Threat Analyzer displays a warning message about the impact of Real-Time Sensor Performance polling. Default is enabled.
- Highlight New Threats: To enable preferences for highlighting new threats in the Threat Analyzer.
- Threats New if First Seen: To view the First Seen Alerts in the Alerts page.
- Enable Auto Scan: To enable or disable automatic Vulnerability Scan of new hosts discovered by the NTBA Appliance (applicable if McAfee Vulnerability Manager is integrated).
- Proxy Server: proxy server is set or not set. Default is disabled.

Enabling IP address name resolution

The Threat Analyzer can resolve host name via the DNS if the IP address name resolution option is enabled from the General Panel of the Threat Analyzer. Follow these steps to enable IP address name resolution.

Task
1. Open the Threat Analyzer.
2. Navigate to Preferences > General.
3. Enable the IP Address Name Resolution option.

4. Set the appropriate value for IP Address Name Resolution Maximum Timeout (milliseconds). This is the time set for the DNS server to resolve an IP address name. Default is 1000 milliseconds.
5. Navigate to Alerts tab.
6. Wait for a few minutes for the IP addresses to get resolved. The user can see the IP Address resolution for resolvable IP addresses in the Alerts view.
7. After the addresses have been resolved, save the Alerts as csv or pdf by clicking on Save as CSV or Save as PDF buttons at the bottom of the Alerts View. The IP address name resolution is visible in the saved alerts in the Src IP and Dest IP columns.

Alerts View Panel

The Alerts View panel enables you to customize your view of alerts as displayed in the All Alerts page with the Details radio button selected. The columns displayed in the Alerts View panel are determined by the selections in the Alerts View panel.

You can customize the following information:
- Visibility: a check means you want to see this category in a Detail View. A box left unchecked means you do not want to see this category. Click the Visibility box to turn on/off viewing for a category.
- Column: the current name of the Detail View column.
- Abbr: the current name of the Detail View column. Double-click an Abbr cell and type the abbreviation you want to see.
- Width: width of the cell for a particular category. Double-click a Width cell and type the number of millimeters wide you want the cell to be.
- Align: the alignment of the category name in the column. Click an Align cell and select your alignment preference from the drop-down list. The choices are Left, Right, or Center.
- Position: gives the column location in the Detail View window. The up and down arrows enable you to select a row in the Detail Panel and move that row up or down in order. Subsequently, when working in a Detail View, the columns reflect the established order.

See also
Viewing alert attributes on page 67

Hosts View Panel

The Hosts View enables you to customize your view of hosts as displayed in the Hosts page. In this view, hosts contain data that fall into various categories, or columns (Column in the Hosts page).

You can customize the following information:

- Visibility: a check means you want to see this category. A box left unchecked means you do not want to see this category. Click the Visibility box to turn on/off viewing for a category.
- Column: the current name of the Hosts View column.
- Abbr: the current name of the Hosts View column. Double-click an Abbr cell and type the abbreviation you want to see.
- Width: width of the cell for a particular category. Double-click a Width cell and type the number of millimeters wide you want the cell to be.
- Align: the alignment of the category name in the column. Click an Align cell and select your alignment preference from the drop-down list. The choices are Left, Right, or Center.
- Position: gives the column location in the Host page. The up and down arrows enable you to select a row in the Hosts page and move that row up or down in order. Subsequently, when working in a Hosts page, the columns reflect the established order.

Watch List

The Watch List enables you to set up highlighting of Detail View cells for specified alert data. For example, if you want to readily see if a certain destination IP address is being targeted, you would add that destination IP address to the watch list and select a color to highlight that address when detected. If identical entries already exist, those cells are highlighted with the specified color.

For example, if you want to be aware of any attacks from Source IP , create a Watch List entry with the color green. Once saved, all cells where appear (both in the past and incoming) as the Source IP, those cells are highlighted in green.

You can add netmasks to IP addresses added to your Watch List. For example, you can specify destination IP address with a netmask of 32 by typing /32.

The Watch List enables you to change the coloring scheme of alert severities as displayed in the Detail View tables of the Threat Analyzer.

To add to the Watch List highlighting rules, do the following:

Task

1 Select the Preference tab from the menu bar section of the Threat Analyzer window.
2 Click the Watch List tab.
3 Click Add; a new row appears at the bottom of the Watch List table.
4 The Add a Watch Entry dialog is displayed.
5 Select the Attribute. The drop-down has the following options:
- Severity: all severities have pre-set colors. If you want to change the color of a severity, click the Color cell for a severity row and pick a new color.
- Attack: highlight a particular attack name.
- Source IP: highlight a particular source IP.
- Source Port: highlight a particular source port.
- Destination IP: highlight a particular destination IP.
- Destination Port: highlight a particular destination port.
The Attribute cell corresponds to the Value cell. You must select an Attribute before selecting a Value.

6 Select the Value cell. The drop-down has the following options:
- For Severity: select one of the available severity levels.
- For Attack: select a single attack name from the entire attack name list.
- For Source IP: enter an IP address by highlighting the numbers and typing new values.
- For Source Port: enter a port number by highlighting the default number and typing a new value.
- For Destination IP: enter an IP address by highlighting the numbers and typing new values.
- For Destination Port: enter a port number by highlighting the default number and typing a new value.
7 Click the Color cell; the "Pick a Color" dialog opens.
8 Pick a color for highlighting your stated value. Each tab has a Preview pane at the bottom to aid you in color selection. The palette tab options are:
- Swatches: select a color from a standard color palette table.
- HSB: Hue-Saturation-Brightness.
- RGB: Red-Green-Blue.
9 Click OK when done with color selection to return to the Watch List table.
10 Click the Apply check box to enable the new attribute. A check mark in the box denotes that the feature is enabled.
11 Click OK when you are finished with your Watch List entry.
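The Watch List matching described above can also be applied offline to alerts saved with Save as CSV. The following is an added example, not McAfee code: only the Src IP and Dest IP column names come from this guide, while the other column names, the sample rows and addresses, and the rule that the first matching enabled entry wins are assumptions. It also reports IP cells that hold a resolved name instead of an address, which IP entries cannot be evaluated against.

```python
import csv
import io
import ipaddress

# Watch List attributes mapped to CSV columns. "Src IP" and "Dest IP" are
# named in the guide; the remaining column names are assumed.
COLUMN_FOR_ATTRIBUTE = {
    "Severity": "Severity",
    "Attack": "Attack",
    "Source IP": "Src IP",
    "Source Port": "Src Port",
    "Destination IP": "Dest IP",
    "Destination Port": "Dest Port",
}
IP_ATTRIBUTES = {"Source IP", "Destination IP"}
PORT_ATTRIBUTES = {"Source Port", "Destination Port"}


class WatchEntry:
    """One Watch List row: Attribute, Value, Color and the Apply check box."""

    def __init__(self, attribute, value, color, apply=True):
        if attribute not in COLUMN_FOR_ATTRIBUTE:
            raise ValueError(f"unknown attribute: {attribute!r}")
        self.attribute, self.color, self.apply = attribute, color, apply
        self.column = COLUMN_FOR_ATTRIBUTE[attribute]
        if attribute in IP_ATTRIBUTES:
            # An address without a netmask is a single host; strict=False
            # accepts a value such as 192.0.2.77/24 with host bits set.
            self.value = ipaddress.ip_network(value, strict=False)
        elif attribute in PORT_ATTRIBUTES:
            self.value = int(value)
            if not 0 <= self.value <= 65535:
                raise ValueError(f"port out of range: {value}")
        else:
            self.value = value.strip().lower()

    def matches(self, cell):
        """True if the cell matches; raises ValueError for a non-IP cell."""
        cell = cell.strip()
        if self.attribute in IP_ATTRIBUTES:
            return ipaddress.ip_address(cell) in self.value
        if self.attribute in PORT_ATTRIBUTES:
            return cell.isdecimal() and int(cell) == self.value
        return cell.lower() == self.value


def highlight(csv_text, entries):
    """Return (highlights, unparsed) for an exported alert CSV.

    highlights: (row number, column, color) for every highlighted cell.
    unparsed:   (row number, column, text) for IP cells that are not IP
                literals, for example a resolved host name.
    """
    active = [e for e in entries if e.apply]
    highlights, unparsed = [], []
    rows = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(rows, start=1):
        for column, cell in row.items():
            for entry in active:
                if entry.column != column:
                    continue
                try:
                    hit = entry.matches(cell or "")
                except ValueError:
                    if cell and cell.strip():
                        unparsed.append((row_no, column, cell.strip()))
                    break
                if hit:
                    highlights.append((row_no, column, entry.color))
                    break  # assumption: first matching entry wins
    return highlights, unparsed


# Constructed sample export (documentation address ranges, invented attacks).
SAMPLE_CSV = """\
Severity,Attack,Src IP,Src Port,Dest IP,Dest Port
High,Constructed Attack A,192.0.2.10,40122,198.51.100.5,443
Low,Constructed Attack B,192.0.2.200,51515,198.51.100.5,22
Medium,Constructed Attack A,203.0.113.9,3389,files.example.test,445
"""

ENTRIES = [
    WatchEntry("Source IP", "192.0.2.0/25", "green"),
    WatchEntry("Destination IP", "198.51.100.5/32", "yellow"),
    WatchEntry("Destination Port", "445", "red"),
    WatchEntry("Attack", "Constructed Attack A", "blue", apply=False),
]

if __name__ == "__main__":
    cells, skipped = highlight(SAMPLE_CSV, ENTRIES)
    for row_no, column, color in cells:
        print(f"row {row_no}: {column} -> {color}")
    for row_no, column, text in skipped:
        print(f"row {row_no}: {column} is not an IP address: {text}")
```
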

See also
Setting Preferences on page 5

Historical Constraints

The Historical Constraints page displays the information of the historical query selected while opening the Historical Threat Analyzer. Note that this tab is visible only while opening the Historical Threat Analyzer.

The Historical Constraints page displays the Start time, End time, Source IP, Source Port, Destination IP, Destination Port, Attack, Sensor, and Application Protocol.

10 Monitoring Operational Status

Operational Status details the functional status for all of your installed McAfee Network Security Platform IPS components, including the communication with integrated Host Intrusion Prevention Management Servers. Messages are generated to detail the system faults experienced by McAfee Network Security Platform.

Contents
- Operational Status Condition Indicator
- Viewing a summary of selected fault messages

Operational Status Condition Indicator

The Operational Status is first visible from the Home page. To view Operational Status information, click the Operational Status tab from the menu bar.

Item  Description
1     Operational Status on the Home page

Operational Status interface

The Operational Status interface's main screen displays a quick view of each of your installed Network Security Platform components. There are three tables: one for the Manager, one for all installed Sensors, and a third table displaying generic information about the Manager database.

The Manager and Sensor tables each reflect the current status of the component connection and the number of fault messages. The number of fault messages is displayed as two numbers separated by a slash mark (n/n). The number to the left of the slash indicates the number of faults not yet acknowledged by the user. The number to the right indicates the total number of faults.

The Last Retrieved time is also displayed. For more information, see Viewing the Last Retrieved time, Quick Tour.

Item  Description
1     Click for Sensor status.
2     Click any n/n link to see message information for that link.
3     Time when Operational Status was last updated (updates every 60 seconds).

Operational Status color scheme

The color scheme of the Operational Status table cells, except for the component Status column, reflects the number of current unacknowledged alerts.

- Green: If all cells are green, there are no unacknowledged alerts for that component.
- Blue: If cells for a component are blue, there are one or more unacknowledged Informational alerts for that component.
- Yellow: If cells for a component are yellow, there are one or more unacknowledged Warning alerts for that component.

- Orange: If cells for a component are orange, there are one or more unacknowledged Error alerts for that component.
- Red: If cells for a component are red, there are one or more Critical alerts that are unacknowledged for that component.

Acknowledging a fault means that you are aware of the problem and plan to take appropriate action. In Figure Operational Status View there are a total of two Critical faults, both of which have been acknowledged (noted by the 0/0), and 2 unacknowledged Error faults (noted by the 2/2).

Here is another scenario: You log in to Manager, and the System Health status in the Home page reads Critical (red). You open the Operational Status to view the fault. After examining the fault, you manually Acknowledge it. You close the Operational Status and return to the Manager Home page. After 30 seconds, the Home page refreshes and the Operational Status displays Up/Active. The problem may still exist, but since you acknowledged the fault, Manager determines that all other system issues are good and that you are taking the steps to fix the fault issue. Thus, you are not constantly reminded of the fault.

Some faults clear on their own and disappear from view. For example, if someone removes one of the power supplies from an I-4000 Sensor, a Critical (red) fault appears, describing the situation. When the power supply is re-inserted, another fault appears describing the new situation, along with a third indicating that there is no power. When power is detected on the supply, the power supply is considered operational again, and Manager clears all three fault messages.

Operational Status fields

The fields in the Operational Status table are as follows:

- Network Security Platform Manager: Manager controlling the system. There is only one instance, always named "Manager."
- Sensor: the user-given name of the Sensor or failover pair.
- Model: Network Security Sensor model type (I-series, M-series or N-450 Sensors) or Host Intrusion Prevention for a Host Intrusion Prevention Management Server.
- Status: operational status of the component. For Manager, Up indicates proper functioning; Down indicates the component is not functioning.
- Fault Level: The Critical, Error, and Warning fields relate to the impact of a system fault. Each of these fields has two numbers (n/n): the number of faults that are still unacknowledged by the user / the total faults (both acknowledged and unacknowledged).
  - Critical: major faults, such as component failure.
  - Error: medium faults, such as a stopped process, incorrect port speed configuration, or a session time-out (automatic logout).
  - Warning: minor faults, such as multiple bad logins or an attempt to delete a resource in System Configuration without properly clearing fields.
  - Informational: informational faults that relay information such as the successful download of a signature set, the completion of a scheduled archive, and the like.
  - Total: total messages per component, per message category, or all messages in the system.
- Database Type: MySQL.
- Database URL: the navigation used by Manager to find the database.
- Status: the state of the database connection. Up means Manager-to-database communication is good; Down means the communication has been broken or another error exists.
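The n/n counts, the color scheme and the acknowledgement scenario above can be reproduced from a plain list of faults. This is an added example, not McAfee code: the sample faults, the component name sensor-01, the rule that the highest unacknowledged severity decides the color, and the 24-hour review threshold are assumptions. It shows that acknowledging every fault turns a component green while the faults stay in the totals, so acknowledged faults that never clear need their own review list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fault levels from the guide, highest impact first, with their cell colors.
SEVERITIES = ["Critical", "Error", "Warning", "Informational"]
COLOR = {"Critical": "Red", "Error": "Orange",
         "Warning": "Yellow", "Informational": "Blue"}

NOW = datetime(2011, 6, 1, 12, 0)   # constructed reference time
ONE_DAY = timedelta(hours=24)       # assumed review threshold


@dataclass
class Fault:
    component: str          # "Manager" or a Sensor name
    severity: str
    fault_type: str
    logged: datetime
    acknowledged: bool = False   # all faults start unacknowledged


def counts(faults, component):
    """Return the n/n cells (unacknowledged/total) for one component row."""
    mine = [f for f in faults if f.component == component]
    row = {}
    for sev in SEVERITIES:
        level = [f for f in mine if f.severity == sev]
        unack = sum(not f.acknowledged for f in level)
        row[sev] = f"{unack}/{len(level)}"
    row["Total"] = f"{sum(not f.acknowledged for f in mine)}/{len(mine)}"
    return row


def cell_color(faults, component):
    """Color of the component's cells (the Status column is excluded).

    Assumption: when several levels have unacknowledged faults, the
    highest level decides the color.
    """
    for sev in SEVERITIES:
        if any(f.component == component and f.severity == sev
               and not f.acknowledged for f in faults):
            return COLOR[sev]
    return "Green"


def acknowledge(faults, component):
    """Mark every fault of a component as acknowledged (Ack check box)."""
    for f in faults:
        if f.component == component:
            f.acknowledged = True


def acknowledged_backlog(faults, now, max_age):
    """Acknowledged faults still present after max_age, worst first.

    These no longer affect the color, yet they have neither cleared on
    their own nor been deleted, so the condition may still exist.
    """
    stale = [f for f in faults if f.acknowledged and now - f.logged > max_age]
    return sorted(stale, key=lambda f: (SEVERITIES.index(f.severity), f.logged))


def sample_faults():
    """Constructed faults: fault type names are invented for illustration."""
    return [
        Fault("sensor-01", "Critical", "Constructed: power supply removed",
              NOW - timedelta(days=3), acknowledged=True),
        Fault("sensor-01", "Critical", "Constructed: no power on supply",
              NOW - timedelta(days=3), acknowledged=True),
        Fault("sensor-01", "Error", "Constructed: port speed mismatch",
              NOW - timedelta(hours=2)),
        Fault("sensor-01", "Error", "Constructed: process stopped",
              NOW - timedelta(hours=1)),
        Fault("Manager", "Informational", "Constructed: signature set downloaded",
              NOW - timedelta(minutes=30)),
    ]


if __name__ == "__main__":
    faults = sample_faults()
    print(counts(faults, "sensor-01"), cell_color(faults, "sensor-01"))
    acknowledge(faults, "sensor-01")
    print(counts(faults, "sensor-01"), cell_color(faults, "sensor-01"))
    for f in acknowledged_backlog(faults, NOW, ONE_DAY):
        print("still open:", f.component, f.severity, f.fault_type)
```
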

Sensor Status details

The Status column for each Sensor listed in the Operational Status page displays one of the following statuses:

- Active: all channels are up.
- Attention: one or two communication channels are down.
- Disconnected: all three communication channels are down.
- Standby: the Command Channel is still being set up.
- Uninitialized: there is a failure in the initial setup.
- Unknown: displayed when a Sensor has been added to the Network Security Platform user interface, but the actual Sensor has not been set up yet to communicate with the Manager.

Clicking the link in the Status cell for a Sensor opens the "Sensor Status Detail" page. For Sensors, status is determined by the state of three communication channel parameters: Command Channel, Alert Channel, and Packet Log Channel. The "Sensor Status Detail" page displays information on Sensor health and the three communication channel parameters.

- Back button: returns you to the Operational Status page.

Viewing a summary of selected fault messages

Selecting a message value (n/n) under the Critical, Error, Warning, Informational or Total columns from the Status interface changes the view to display the fault messages for the selected category. This is known as the "Faults of Type" screen. Each message has a date and time of occurrence. The following figure displays the messages for McAfee Network Security Platform Sensor in the Operational Status page.

Item  Description
1     Click link for specific fault detail.
2     Action buttons.

The fields in the fault window are as follows:

- Check box: select the check box of one or more fault instances to perform an action on the fault. If you select the top check box (in the heading row of the table), all faults are checked and acted on as one.
- Ack: manual recognition of the fault. A check denotes you have selected the fault check box and clicked the Acknowledge action button. No check indicates you have not yet acknowledged the fault.
- Date: date and time when the fault was logged.
- Manager Name: the name of the synchronized Manager.
- Severity: severity of the fault.
- Fault Type: short description of the fault. This is a link that can be clicked for a closer look at the fault's detail.

Fault window action buttons

The action buttons in the fault window are as follows:

- Refresh: refreshes the page and displays the latest faults detected by your Managers.
- Acknowledge: marks the fault as recognized. Acknowledging a fault means "Yes, I know this fault exists." The Ack[nowledge] field displays a check mark upon manual acknowledgement. Acknowledging a fault means that you are aware of the problem and plan to take appropriate action.
- Unacknowledge: sets the Ack[nowledge] field to be blank, therefore unacknowledged. All faults are unacknowledged by default. You can unacknowledge an acknowledged fault.
- Delete: removes the selected fault(s) completely from the Operational Status view. A deleted fault will no longer appear in the n/n counts. This is different from Acknowledge because Delete is a complete removal, while Acknowledge leaves the fault in the Operational Status for later analysis.
- Back: goes back one screen (exits current view).

Viewing the details of a specific fault


McAfee Network Security Platform 8.2 8.2.7.71-8.2.3.84 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.2 Revision B Contents About this release New features Enhancements Resolved Issues Installation instructions Known

More information

SonicWALL Global Management System Reporting Guide Standard Edition

SonicWALL Global Management System Reporting Guide Standard Edition SonicWALL Global Management System Reporting Guide Standard Edition Version 2.9.4 Copyright Information 2005 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described

More information

McAfee Endpoint Security 10.0.0 Software

McAfee Endpoint Security 10.0.0 Software Installation Guide McAfee Endpoint Security 10.0.0 Software For use with epolicy Orchestrator 5.1.1 5.2.0 software and the McAfee SecurityCenter COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without

More information

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise Application Note Configuring Department of Defense Common Access Card Authentication on McAfee Firewall Enterprise McAfee Firewall Enterprise version 7.x and 8.x This application note describes how to

More information

McAfee UTM Firewall Control Center Product Guide. version 2.0

McAfee UTM Firewall Control Center Product Guide. version 2.0 McAfee UTM Firewall Control Center Product Guide version 2.0 COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in

More information

McAfee SiteAdvisor Enterprise 3.5 Patch 2

McAfee SiteAdvisor Enterprise 3.5 Patch 2 Installation Guide McAfee SiteAdvisor Enterprise 3.5 Patch 2 For use with epolicy Orchestrator 4.5, 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

Setup Guide Revision B. McAfee SaaS Email Archiving for Microsoft Exchange Server 2010

Setup Guide Revision B. McAfee SaaS Email Archiving for Microsoft Exchange Server 2010 Setup Guide Revision B McAfee SaaS Email Archiving for Microsoft Exchange Server 2010 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

v6.1 Websense Enterprise Reporting Administrator s Guide

v6.1 Websense Enterprise Reporting Administrator s Guide v6.1 Websense Enterprise Reporting Administrator s Guide Websense Enterprise Reporting Administrator s Guide 1996 2005, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121,

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

VMware vrealize Operations for Horizon Administration

VMware vrealize Operations for Horizon Administration VMware vrealize Operations for Horizon Administration vrealize Operations for Horizon 6.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

McAfee Host Data Loss Prevention Best Practices: Protecting against data loss from external devices

McAfee Host Data Loss Prevention Best Practices: Protecting against data loss from external devices McAfee Host Data Loss Prevention Best Practices: Protecting against data loss from external devices COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

SecuraLive ULTIMATE SECURITY

SecuraLive ULTIMATE SECURITY SecuraLive ULTIMATE SECURITY Home Edition for Windows USER GUIDE SecuraLive ULTIMATE SECURITY USER MANUAL Introduction: Welcome to SecuraLive Ultimate Security Home Edition. SecuraLive Ultimate Security

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager NetSuite Cloud Connector Guide McAfee Cloud Identity Manager version 2.0 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

WhatsVirtual for WhatsUp Gold v16.0 User Guide

WhatsVirtual for WhatsUp Gold v16.0 User Guide WhatsVirtual for WhatsUp Gold v16.0 User Guide Contents Welcome Welcome to WhatsVirtual... 1 Using WhatsVirtual Discovering virtual devices... 2 Viewing discovery output... 4 Manage and monitor virtual

More information

CHAPTER. Monitoring and Diagnosing

CHAPTER. Monitoring and Diagnosing CHAPTER 20. This chapter provides details about using the Diagnostics & Monitoring system available through ShoreTel Director. It contains the following information: Overview... 661 Architecture... 661

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Salesforce Cloud Connector Guide McAfee Cloud Identity Manager version 1.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

Configuration Information

Configuration Information Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.

More information

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

Product Guide. McAfee epolicy Orchestrator 5.0.0 Software

Product Guide. McAfee epolicy Orchestrator 5.0.0 Software Product Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Assets, Groups & Networks

Assets, Groups & Networks Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

McAfee Data Loss Prevention 9.3.0

McAfee Data Loss Prevention 9.3.0 Product Guide Revision E McAfee Data Loss Prevention 9.3.0 For use with epolicy Orchestrator 4.5, 4.6, 5.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Product Guide Revision A. McAfee Total Protection for Data Loss Prevention 9.2 Software

Product Guide Revision A. McAfee Total Protection for Data Loss Prevention 9.2 Software Product Guide Revision A McAfee Total Protection for Data Loss Prevention 9.2 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Release Notes for McAfee VirusScan Enterprise for Storage 1.0

Release Notes for McAfee VirusScan Enterprise for Storage 1.0 Release Notes for McAfee VirusScan Enterprise for Storage 1.0 About this document New features Known issues Where to find McAfee enterprise product information License attributions About this document

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 Upgrade Guide McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager SAML2 Cloud Connector Guide McAfee Cloud Identity Manager version 1.2 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Product Guide. McAfee Endpoint Security 10

Product Guide. McAfee Endpoint Security 10 Product Guide McAfee Endpoint Security 10 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE,

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

Net Protector Admin Console

Net Protector Admin Console Net Protector Admin Console USER MANUAL www.indiaantivirus.com -1. Introduction Admin Console is a Centralized Anti-Virus Control and Management. It helps the administrators of small and large office networks

More information

WhatsUp Gold v16.1 Wireless User Guide

WhatsUp Gold v16.1 Wireless User Guide WhatsUp Gold v16.1 Wireless User Guide Contents Welcome to WhatsUp Gold Wireless Wireless Overview... 3 Wireless licensing and accessibility... 5 Using WhatsUp Gold Wireless Discovering wireless devices...

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Best Practices Guide. McAfee Endpoint Protection for Mac 1.1.0

Best Practices Guide. McAfee Endpoint Protection for Mac 1.1.0 Best Practices Guide McAfee Endpoint Protection for Mac 1.1.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software Best Practices Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Configuring Security for FTP Traffic

Configuring Security for FTP Traffic 2 Configuring Security for FTP Traffic Securing FTP traffic Creating a security profile for FTP traffic Configuring a local traffic FTP profile Assigning an FTP security profile to a local traffic FTP

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.1 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information