Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference



Symantec Event Collector for Cisco NetFlow Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.0

Legal Notice

Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Cisco NetFlow is a trademark of Cisco Systems, Inc. worldwide.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/ Select your country or language under Global Support.

Contacting Technical Support

The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using. Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/ Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Contents

Technical Support

Chapter 1  Introducing Symantec Event Collector for Cisco NetFlow
  About this Quick Reference
  Compatibility requirements
    Compatibility requirements for Cisco NetFlow
    System requirements for the collector machine
  Preinstallation requirements for the Cisco NetFlow Event Collector
  Configuring your security product to work with the collector
    Configuring Cisco NetFlow to work with the collector
  About the installation sequence
  Sensor configuration
    Sensor settings for Cisco NetFlow Event Collector
  About LiveUpdate

Chapter 2  Implementation notes
  Implementation notes for Cisco NetFlow Event Collector
    Product ID
    Method of data collection
    Schema Packages
    Event mapping for Information Manager version 4.5

Chapter 1
Introducing Symantec Event Collector for Cisco NetFlow

This chapter includes the following topics:
- About this Quick Reference
- Compatibility requirements
- Preinstallation requirements for the Cisco NetFlow Event Collector
- Configuring your security product to work with the collector
- About the installation sequence
- Sensor configuration
- About LiveUpdate

About this Quick Reference

This quick reference includes information that is specific to Symantec Event Collector for Cisco NetFlow. For detailed information on how to install and configure event collectors, see the Symantec Event Collectors Integration Guide.

Compatibility requirements

The collector is compatible with specific versions of the security product and with certain operating systems.

Compatibility requirements for Cisco NetFlow

The collector is compatible with the following Cisco IOS releases and platforms, with the NetFlow export versions listed for each:

Cisco IOS release   NetFlow version   Platforms
11.1CA, 11.1CC      v1, v5            Cisco 7200, 7500, RSP7000
11.2, 11.2P         v1                Cisco 7200, 7500, RSP7000
11.2P               v1                Route Switch Module (RSM), ver 11.2(10)P and later
11.3, 11.3T         v1                Cisco 7200, 7500, RSP7000
12.0                v1, v5            Cisco 2600, 3600, 4500, 4700, AS5800, 7200, ubr7200, 7500, RSP7000, RSM
12.0T               v1, v5            Cisco 1000*, 1600*, 1720**, 2500*, 2600, 3600, 4500, 4700, AS5800, 7200, ubr7200, 7500, RSP7000, RSM, MGX8800 RPM

The collector runs on the following operating systems:
- Microsoft Windows 2000 with Service Pack 4
- Microsoft Windows 2000 Advanced Server with Service Pack 4
- Microsoft Windows 2003 Server Enterprise Edition with Service Pack 1
- Microsoft Windows 2003 Server Standard Edition with Service Pack 1
- Microsoft Windows XP with Service Pack 2
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

System requirements for the collector machine

The machine on which you install the collector must meet the following minimum system requirements:
- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
- 512 MB of memory minimum, 1 GB recommended for the Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Agent, JRE, and the collector
- TCP/IP connection to a network with a fixed IP address

Preinstallation requirements for the Cisco NetFlow Event Collector

There are no preinstallation requirements.

Configuring your security product to work with the collector

After you have installed the necessary collector components, you must configure Cisco NetFlow so that event information is available to the collector. For detailed information on configuring Cisco NetFlow, see your security product documentation.

Configuring Cisco NetFlow to work with the collector

For the collector to harvest events, NetFlow must be enabled on the router and flow export must be configured. The port number that is configured on the router for flow export is the value you enter in the Port Number field when you configure the collector sensor.

About the installation sequence

The collector installation sequence is generally as follows:
1. Register the collector.
   Note: The SSIM Client console should be closed before registering the collector.
2. Install the Agent.
3. Install the collector component.

For more information, see the Symantec Event Collectors Integration Guide.

Sensor configuration

The collector uses a sensor that must be configured to receive security events. After the sensor is configured, the settings must be distributed to the collectors on the target computers. The collector cannot use the configuration named Default; you must create a new one.

The collector includes the following features:
- Raw events
- Sensor statistics
- Importing and exporting of sensor settings, and filtering and aggregation rules
- Global updating of sensor settings

For more information, see the "Creating collector configurations" section in the Symantec Event Collectors Integration Guide.

Sensor settings for Cisco NetFlow Event Collector

The collector uses a special sensor with the following properties:
- Hosts' Names: Leave * to allow any host to send events to the collector.
- Port Number: Specify the port number to which Cisco NetFlow will send data. The default port number is 2100.

About LiveUpdate

LiveUpdate is not supported on this collector.

Chapter 2
Implementation notes

This chapter includes the following topics:
- Implementation notes for Cisco NetFlow Event Collector

Implementation notes for Cisco NetFlow Event Collector

This section describes the implementation details for the collector. Cisco NetFlow is primarily used to monitor traffic on a network.

Product ID

The product ID for Symantec Event Collector for Cisco NetFlow is 3144.

Method of data collection

The collector uses a special sensor called the Flow Sensor to collect events. The Flow Sensor opens a UDP socket on the configured port and retrieves the binary flow export data that Cisco NetFlow sends to it.

Schema Packages

The collector uses the following schema packages:
- Firewall Events
- Network events

Event mapping for Information Manager version 4.5

Table 2-1  Event mapping

Information Manager field   Cisco NetFlow field   Comment
event_id                    n/a                   2042000 - Netflow
eventclass_id               n/a                   symc_flow
category_id                 n/a                   30007606 - Security
event_code                  n/a                   3995
severity                    n/a                   1 - Informational
source_ip                   srcaddr               Source IP address
source_host_name            srcaddr               Source host name
source_port                 srcport               Source port
destination_ip              dstaddr               Destination IP address
destination_host_name       dstaddr               Destination host name
destination_port            dstport               Destination port
next_hop_ip                 nexthop               IP address of next hop router
in_if                       input                 Interface index (ifindex) of input interface
out_if                      output                Interface index (ifindex) of output interface
packet_count                dpkts                 Packets in the flow
byte_count                  doctets               Total number of Layer 3 bytes in the packets of the flow
flow_duration               Last, First           Last: SysUptime at the time the last packet of the flow was received; First: SysUptime at start of flow
flow_protocol               prot                  IP protocol type (for example, TCP=6, UDP=17)
flow_tos                    tos                   IP type of service (ToS)
flow_flags                  flags                 Cumulative OR of TCP flags
flow_src_as                 src_as                Autonomous system number of the source, either origin or peer
flow_dst_as                 dst_as                Autonomous system number of the destination, either origin or peer
flow_src_mask               src_mask              Source address prefix mask bits
flow_dst_mask               dst_mask              Destination address prefix mask bits
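The following program carries three parts of this quick reference into working code: the sensor's Hosts' Names and Port Number settings from Chapter 1, the Flow Sensor's UDP collection of binary export data, and the Table 2-1 field mapping. It is an added example written for this page, not Symantec's collector code. It assumes the router exports NetFlow version 5 (the 24-byte header and 48-byte record layout used here is Cisco's published v5 format; v5 is among the export versions listed in the compatibility table). The glob match for Hosts' Names, the function names, the constant exporter addresses and the two sample flows are constructed for illustration and do not come from the product.

```python
"""Toy Flow Sensor for NetFlow version 5: exporter filter, UDP receive, parse,
and the Table 2-1 field mapping. Added example, not Symantec's collector code."""
import socket
import struct
from fnmatch import fnmatch

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by up
# to 30 records of 48 bytes. This is Cisco's published v5 export format.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
                 "first", "last", "srcport", "dstport", "_pad1", "flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")

# Fixed Information Manager fields carried by every NetFlow event (Table 2-1).
CONSTANT_FIELDS = {"event_id": 2042000, "eventclass_id": "symc_flow",
                   "category_id": 30007606, "event_code": 3995, "severity": 1}


def exporter_allowed(exporter_ip, hosts_names=("*",)):
    """Hosts' Names check: "*" admits any exporter, otherwise the exporter must
    match a configured entry (glob matching is an assumption of this example).
    NetFlow v5 is unauthenticated UDP, so this list is the only spoofing defence."""
    return any(fnmatch(exporter_ip, pattern) for pattern in hosts_names)


def parse_v5(datagram):
    """Decode one export datagram into raw records; reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if not 0 < count <= 30:  # a v5 datagram never carries more than 30 records
        raise ValueError(f"implausible record count {count}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])  # 4 raw bytes -> dotted quad
        records.append(rec)
    return records


def is_valid_v5(datagram):
    """Cheap pre-filter: True if parse_v5 accepts the datagram."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def map_event(rec):
    """Apply Table 2-1; flow_duration is Last - First in SysUptime milliseconds."""
    event = dict(CONSTANT_FIELDS)
    event.update({
        "source_ip": rec["srcaddr"], "source_host_name": rec["srcaddr"],
        "source_port": rec["srcport"], "destination_ip": rec["dstaddr"],
        "destination_host_name": rec["dstaddr"], "destination_port": rec["dstport"],
        "next_hop_ip": rec["nexthop"], "in_if": rec["input"], "out_if": rec["output"],
        "packet_count": rec["dpkts"], "byte_count": rec["doctets"],
        "flow_duration": (rec["last"] - rec["first"]) & 0xFFFFFFFF,  # tolerates wrap
        "flow_protocol": rec["prot"], "flow_tos": rec["tos"], "flow_flags": rec["flags"],
        "flow_src_as": rec["src_as"], "flow_dst_as": rec["dst_as"],
        "flow_src_mask": rec["src_mask"], "flow_dst_mask": rec["dst_mask"],
    })
    return event


def handle_datagram(datagram, exporter_ip, hosts_names=("*",)):
    """Per-datagram sensor work: filter by exporter, then parse and map."""
    if not exporter_allowed(exporter_ip, hosts_names):
        return []  # exporter not in Hosts' Names: drop without parsing
    return [map_event(r) for r in parse_v5(datagram)]


def build_sample_datagram():
    """Constructed input (not captured from a real router): two v5 flows."""
    ip = socket.inet_aton
    flows = [
        # SSH session: SYN|ACK seen (0x12), 12 packets / 1860 bytes, 3.5 s long
        (ip("10.0.0.5"), ip("203.0.113.7"), ip("192.0.2.254"), 2, 3, 12, 1860, 1000, 4500,
         51515, 22, 0, 0x12, 6, 0, 64512, 64513, 24, 32, 0),
        # single DNS query packet: First == Last, no TCP flags
        (ip("10.0.0.9"), ip("198.51.100.10"), ip("192.0.2.254"), 2, 3, 1, 78, 5000, 5000,
         53000, 53, 0, 0, 17, 0, 64512, 64514, 24, 32, 0),
    ]
    header = V5_HEADER.pack(5, len(flows), 6000, 1700000000, 0, 17, 0, 0, 0)
    return header + b"".join(V5_RECORD.pack(*f) for f in flows)


if __name__ == "__main__":
    # Push the constructed datagram through a real UDP socket, as the Flow Sensor
    # receives it; an ephemeral loopback port stands in for the default 2100.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(
        build_sample_datagram(), listener.getsockname())
    data, (exporter, _) = listener.recvfrom(65535)
    for ev in handle_datagram(data, exporter, hosts_names=("127.0.0.1",)):
        print(ev["source_ip"], ev["source_port"], "->", ev["destination_ip"],
              ev["destination_port"], "proto", ev["flow_protocol"], "ms", ev["flow_duration"])
```

Run stand-alone, the script loops one constructed datagram through a loopback UDP socket and prints both mapped flows. Two points are worth carrying over to a real deployment: the length and count checks in parse_v5 are what keep a truncated or non-v5 datagram on port 2100 from turning into garbage events, and because v5 export carries no authentication, the Hosts' Names setting should list the exporting routers explicitly rather than stay at * wherever hosts other than those routers can reach the collector's port.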

