
Advanced Technical Training

Lecture Manual July 23, 2009

Sentinel 6.1


Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. 
In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials
All third-party trademarks are the property of their respective owners.

Contents

SECTION 1  Introduction to Sentinel 6.1 . . . 11
  Objective 1  Overview . . . 12
  Objective 2  Define the Problem in SEIM . . . 14
  Objective 3  Conceptual Architecture . . . 21

SECTION 2  Active Views . . . 43
  Objective 1  Learn How to Create Active Views and Apply Filters in the Control Center . . . 44
    Active Views - Introduction . . . 44
    Active Views Creation - Step 1 . . . 45
    Active Views Creation - Step 2 . . . 48
    Active Views Creation - Step 3 . . . 49
  Objective 2  Understand How to Modify the Parameters for Display of the Active View . . . 50
    Active Views Manipulation 1 . . . 50
    Active Views Manipulation 2 . . . 51
    Active Views Top Ten . . . 52
  Objective 3  Understand How to Modify the Columns of the Event Table . . . 53
    Active Views Event Table . . . 53
    Active Views Columns 1 . . . 54
    Active Views Columns 2 . . . 55
    Active Views - Multiple Views . . . 56
  Objective 4  Summary . . . 57

SECTION 3  Filters . . . 59
  Objective 1  Creating Filters . . . 60
    Filters Overview . . . 60
    Filter Builder . . . 62
  Objective 2  Filter Language . . . 65
    Matching . . . 65
    Meta-tags . . . 67
    Multiple Clauses . . . 68
    Precedence . . . 69
  Objective 3  Complex Filters . . . 71

SECTION 4  Analysis . . . 73
  Objective 1  Analysis Tools . . . 74
    Show Details . . . 74
    Snapshots . . . 76
    Investigating Events . . . 77
    Show Graph . . . 78
  Objective 2  Historical Event Queries . . . 80
    Searching Historical Events . . . 80
    Active Browser . . . 81
    Asset Data . . . 82
    Vulnerability . . . 83
    Advisor Data . . . 84
  Objective 3  Right Click Menu Tools . . . 86
  Objective 4  Correlated Events . . . 87
  Objective 5  Summary . . . 88

SECTION 5  Incidents . . . 89
  Objective 1  Understanding Incident Management . . . 90
  Objective 2  Create New Incidents . . . 91
  Objective 3  Reviewing Incidents . . . 92
    Incident Management . . . 92
    Incident Basic Info . . . 93
    Events List . . . 94
    Assets . . . 95
    Vulnerabilities . . . 96
    Advisor . . . 97
    iTrac . . . 98
    History . . . 99
    Attachments . . . 100
    Menu Options . . . 101
  Objective 4  Attachment Viewers . . . 102
  Objective 5  Summary . . . 103

SECTION 6  iTRAC . . . 105
  Objective 1  iTrac Incident Tracking . . . 106
    iTrac Definitions . . . 106
    iTrac Components . . . 107
  Objective 2  Process and Work Management . . . 110
    Process Management . . . 110
    Work List and Work Item . . . 112
    Accept Work Item . . . 113
  Objective 3  Incident Integration . . . 114
    Incident Integration . . . 114
    User Interaction . . . 115
  Objective 4  iTrac Lifecycle . . . 116
  Objective 5  Role Management . . . 117

SECTION 7  Administration . . . 121
  Objective 1  User Tools . . . 123
    Administration Tools . . . 123
    User Manager . . . 124
    Permissions . . . 125
    Roles . . . 127
    Sessions . . . 128
  Objective 2  Global Filters . . . 129
    Global Filters Description . . . 129
    Creating Global Filters . . . 130
    Filter Manager . . . 131
  Objective 3  DAS Statistics . . . 133
  Objective 4  Menu Tools . . . 134
    Right-Click Tools . . . 134
    Creating and Editing Menu Tools . . . 135
  Objective 5  Servers View . . . 137
  Objective 6  Event Configuration . . . 138
  Objective 7  Color Filters . . . 139
  Objective 8  Mapping Configuration . . . 140
  Objective 9  Summary . . . 141

SECTION 8  Reporting . . . 143
  Objectives 1 to 12 (pages 145 to 159): Reporting Analysis, Trends, Reporting Communication, Reporting Installation, Report Templates, Starting Crystal Reports, Infoview, Scheduling Reports, Reporting Settings, Sentinel Reporting Configuration, Running a Report, Output, Summary

SECTION 9  Database . . . 161
  Events . . . 161

SECTION 10  RuleLG I . . . 181
  Objective 1  Correlation Wizard . . . 182
    Description . . . 182
    Correlation Rule Types . . . 183
  Objective 2  Correlation Logic . . . 184
  Objective 3  Sentinel Rule Language . . . 186
    Constructs and Operators . . . 187
    Filters . . . 190
    Actions . . . 194
    Action Configuration . . . 196
    Basic Correlation . . . 197
    Simple and Aggregate Rules . . . 198
    Filter Syntax . . . 199
    Filter Example . . . 200
    Trigger . . . 201
    Trigger Example . . . 202
    Trigger Details . . . 203
    Grouping . . . 204
    Trigger Example (Freeform) . . . 205
    Trigger Example (Wizard) . . . 207
    Aggregate Example . . . 208
    Filter Versus Trigger . . . 209
    Composite Rule . . . 210
    Composite Rule Example . . . 213
  Objective 4  Summary . . . 214

SECTION 11  RuleLG II . . . 215
  Objective 1  Correlation Updates . . . 216
  Objective 2  Sequence . . . 217
  Objective 3  Window . . . 218
    Window Enhancement . . . 218
    Window Basic Function . . . 219
    Window Syntax . . . 220
    Window Filters . . . 222
    Window Example 1 . . . 224
    Window Example 2 . . . 227
    Window Example 3 . . . 228
    Window Example 4 . . . 229
    Window Thresholds . . . 232
  Objective 4  Dynamic Lists . . . 233
  Objective 5  Summary . . . 234

SECTION 12  Correlation Actions . . . 235
  Objectives 1 to 3 (pages 236 to 239): Email and Correlated Event Action, Dynamic List Actions
  Objective 4  Incident Actions . . . 240
  Objective 5  Command Actions . . . 241
  Objective 6  Execute Script Actions . . . 242
  Objective 7  Java-based Actions . . . 244

SECTION 13  Troubleshooting . . . 247
  Objective 1  The Sentinel Processes . . . 249
  Objective 2  Sentinel Log Files . . . 250
  Objective 3  Adjusting Logging Levels . . . 252
  Objective 4  Troubleshooting Reporting . . . 254
  Objective 5  Unable to Login . . . 255
  Objective 6  An Event Doesn't Show Up . . . 256
  Objective 7  System Throttles . . . 257
  Objective 8  When Mapping Doesn't Work . . . 258
  Objective 9  When the Asset Map Doesn't Work . . . 259
  Objective 10  When Vulnerability Doesn't Work . . . 260

SECTION 14  Collectors and Connectors . . . 265
  Objective 1  Collectors . . . 267
  Objective 2  Existing Collectors . . . 269
  Objective 3  Pre-defined Collectors . . . 270
  Objective 4  Collectors VS Connectors . . . 271
  Objective 5  Advisor Feed . . . 273
  Objective 6  Collector Updates . . . 274
  Objective 7  Novell Audit Event Collectors . . . 275
  Objective 8  Summary . . . 276

SECTION 15  Architecture and Business Relevance . . . 277
  Objectives 1 to 8 (pages 279 to 288): Collector Manager, Port Architecture, Collector Architecture, Collector Components, Event Router, Mapping Service, Global Filters
  Objective 9  Business Relevance . . . 289
  Objective 10  Business Relevance Explanation . . . 290
  Objective 11  TRANSLATE() . . . 291
  Objective 12  Mapping Service . . . 293
    Architecture . . . 293
    Map Definitions . . . 294
  Objective 13  Adding A Map . . . 296
  Objective 14  Meta-tag Reference . . . 297
  Objective 15  Map Reference . . . 298
  Objective 16  Names and Variables . . . 299
  Objective 17  Summary . . . 300

SECTION 16  Event Source Management . . . 301
  Objective 1  Event Source Management Overview . . . 302
    What is Event Source Management . . . 302
    ESM User Interface . . . 303
    ESM Views . . . 304
    ESM Plugins . . . 305
    Graphical Configuration . . . 306
    ESM Terminology . . . 307
    ESM Configuration . . . 308
    ESM Data Offsets . . . 309
    Status Monitoring . . . 310
    Troubleshooting Tools . . . 311
    Collector Debugger . . . 312
    Advanced Features . . . 313
  Objective 2  Sentinel 5.1.3 Collector Update . . . 314
    Collector Scripts . . . 314
    Development and Debugging . . . 315
    Connectors . . . 316
    Port Configuration . . . 317
    Collector Parameters . . . 318
    Health Monitoring . . . 319
    5.1.3 Sentinel Update Conclusion . . . 320
  Objective 3  Summary . . . 321

SECTION 17  Solution Pack Management . . . 323
  Objective 1  What are Solution Packs . . . 324
  Objective 2  Anatomy . . . 326
  Objective 3  Controls . . . 328
  Objective 4  Solution Designer . . . 330
  Objective 5  Creating Solution Packs . . . 332

SECTION 18  JavaScript Collectors . . . 335
  Objective 1  Parsing . . . 336
  Objective 2  Meta-Tags . . . 338
  Objective 3  Script Files . . . 339
  Objective 4  Collector Development . . . 340

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.


SECTION 1

Introduction to Sentinel 6.1


Objective 1

Overview

Sentinel 6.1 ATT - Objectives

Novell provides a single, unified view of your entire security infrastructure. Novell Sentinel software allows for easy collection of security event information from any source to analyse, resolve and prevent future threats. The Sentinel 6.1 User Training section of the class is designed to develop the skills and techniques necessary to operate a Sentinel system. The class is a combination of lecture and hands-on activities that demonstrate the Sentinel environment.


Objective 2

Define the Problem in SEIM

Problem Description - Part I

The essential problem with network security data is that there's too much of it:

- Many devices on your network, performing many different tasks.
- Producing lots of different logs with different formats and semantics.
- Stored in many different locations: local hard disk, syslog server, database, SNMP, etc.


Problem Description - Part II

Every device type on your network will produce a different log format, and even a single device may produce different types of log messages. One challenge is to figure out what each parameter in a given log message means. This often requires extensive research in device manuals and so forth. With hundreds of different device types and thousands of log message formats, it can be very difficult to remember the syntax of any given message.

The Windows WMI service alone can produce more than 11,000 different possible log messages.


Problem Description - Part III

Security logs are difficult to analyse in part because there is so much data to look through. Ferreting out the relevant security events can be a long, arduous manual process. Furthermore, we want to be able to detect patterns over time, e.g. look for concerted password hacking attempts, or other patterns of network behaviour that are known to be malicious. We should be able to correlate these patterns across multiple security devices for a more accurate view of potential security incidents.


Problem Description - Part IV

Even when important, actionable security events are found, there is the problem of interpreting the data. Even if we know the log syntax, there are always parameters that require further research. We therefore have the problem of finding referential data. We would like to avoid having to go to other systems and tools (e.g. LDAP directories, vulnerability scanners, etc.) for IP information, port information, and more extensive queries like "is this host vulnerable to an exploit on that port?"


Problem Description - Part V

Once security problems are identified, a comprehensive incident tracking solution is necessary to ensure that problems get resolved completely and in a timely fashion. We need to keep track of the state of each incident, attach relevant information (hopefully in as automated a fashion as possible), and ensure that the incident gets resolved within a defined time window.


Problem Description - Part VI

We also want to be able to respond quickly and efficiently to an audit, and provide demonstrable evidence of a good-faith effort to comply with internal policies and Federal mandates (Sarbanes-Oxley, HIPAA, GLBA, FISMA, NISPOM, DCID 6/3, DITSCAP).


Problem Description Summary

The problem of Security Information and Event Management (SIEM) is a problem of data. Most organizations have too many devices generating too much security event data, in too many formats. SIEM tries to bring order to this data, to present it in a usable and manageable format. Furthermore, it tries to track security issues as they arise, and to ensure compliance with internal or external policies and regulations.

To do this for a large organization is a challenge. High event rates require scalability and a quick way to store the event data, but at the same time we must be able to analyze past events and produce reports that help us summarize the gathered data through time.


Objective 3

Conceptual Architecture

Sentinel 6.1 Manage. Measure. Comply.

Novell's SIEM product, Sentinel, helps organizations reduce security and compliance costs, manage risk more effectively, and improve security metrics and compliance reporting by replacing manual processes with a continuous monitoring and reporting solution for IT controls. Sentinel enables real-time security and continuous compliance monitoring in distributed heterogeneous IT environments, and provides security and compliance teams with an enterprise-wide view of their security and compliance posture.

Sentinel enables organizations to collect, correlate, monitor, and display data from thousands of events per second in real time. Users gain always-current reports on the organization's security and compliance health instead of relying on reports generated for the last security or compliance audit.


Sentinel 6.1 iSCALE

Sentinel 6.1 works by gathering together all the disparate security events in your enterprise into one location. The sheer volume of this data can be daunting: many GB/day or thousands of Events Per Second (EPS). Sentinel 6.1 uses a Services Oriented Architecture (SOA) based around the iSCALE messaging bus to obtain the extremely high data-flow rates necessary. Components can be distributed across machine, network, and geographic boundaries to share processing load, and will transparently communicate across the iSCALE bus. The bus uses a Publish/Subscribe methodology to provide flexible distribution of data to multiple components without loading any particular component.


Sentinel 6.1 Collectors

Sentinel 6.1 addresses the problem of having many different devices speaking different languages by using Collectors. These translators run on an Event Source Management (Collector Manager) host. The architecture is distributed, so you can share the load of collection across multiple hosts. Each Collector takes the information from its source device, normalizes it, and then passes it to the rest of the Sentinel system. Collectors are custom-written per device; we provide many prewritten Collectors for popular source devices.

Creating new Collectors is a lot of work. One needs to handle all the various possible messages the device might produce and decide how this information should be presented in normalized fashion. However, once this is complete the data is normalized and accessible for viewing in the Active Views.

Please note that in earlier versions of the product, Collectors were called Agents. You will still see this terminology in some interfaces and literature.


Sentinel 6.1 Collectors

Collectors take the information present in incoming event logs and normalize it into preset categories for easy viewing. Data can come from files, network connections (such as syslog), SNMP sources, ODBC/JDBC, processes, and more.
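The two steps this page and Problem Description - Part III describe, translating device-specific log formats into common fields and then correlating the normalized events across sources, shown together as an added Python example. It is not Sentinel code: the two log formats, the field names, the year assumed for the syslog timestamps and the three-failures-in-60-seconds threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real data): two event sources with different
# formats that both report the same kind of activity, login attempts.
SAMPLE_LOGS = [
    ("syslog", "Jul 23 10:00:01 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51000 ssh2"),
    ("windows", "2009-07-23 10:00:20 Security 4625 AUDIT_FAILURE Account=root SourceAddress=10.0.0.5"),
    ("syslog", "Jul 23 10:00:35 host1 sshd[1240]: Failed password for admin from 10.0.0.9 port 51002 ssh2"),
    ("syslog", "Jul 23 10:00:40 host2 sshd[2210]: Failed password for root from 10.0.0.5 port 51011 ssh2"),
    ("syslog", "Jul 23 10:02:00 host1 sshd[1250]: Failed password for admin from 10.0.0.9 port 51020 ssh2"),
    ("syslog", "Jul 23 10:02:05 host1 sshd[1251]: Accepted password for bob from 10.0.0.7 port 51021 ssh2"),
]

# Syslog lines carry no year; the sample assumes 2009 (the manual's date).
SYSLOG_YEAR = 2009

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
WINDOWS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Security (?P<eid>\d+) (?P<result>\w+) "
    r"Account=(?P<user>\S+) SourceAddress=(?P<ip>[\d.]+)"
)


def parse_syslog(line):
    """Translate one sshd syslog line into the common record, or None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "sensor": "syslog", "host": m["host"], "user": m["user"],
            "source_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}


def parse_windows(line):
    """Translate one Windows-style audit line into the same common record."""
    m = WINDOWS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return {"time": ts, "sensor": "windows", "host": None, "user": m["user"],
            "source_ip": m["ip"], "outcome": "failure" if m["result"] == "AUDIT_FAILURE" else "success"}


# One parser per source type, the role a Collector plays for its device.
PARSERS = {"syslog": parse_syslog, "windows": parse_windows}


def normalize(logs):
    """Run each raw line through its source's parser and return the records in time order,
    dropping lines no parser understands."""
    records = []
    for sensor, line in logs:
        rec = PARSERS[sensor](line)
        if rec is not None:
            records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def correlate_failed_logins(records, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failures from one source IP within `window`,
    counted across all sensors, raise one alert per burst."""
    recent = defaultdict(deque)  # source_ip -> (time, sensor) pairs still inside the window
    alerts = []
    for rec in records:
        if rec["outcome"] != "failure":
            continue
        q = recent[rec["source_ip"]]
        q.append((rec["time"], rec["sensor"]))
        while q and rec["time"] - q[0][0] > window:
            q.popleft()  # expire events older than the window
        if len(q) >= threshold:
            alerts.append({
                "source_ip": rec["source_ip"],
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": rec["time"],
                "sensors": sorted({s for _, s in q}),
            })
            q.clear()  # start a fresh window so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(normalize(SAMPLE_LOGS)):
        print(alert)
```

On the sample, the three failures from 10.0.0.5 are seen by two different sensors yet produce a single alert, while the two failures from 10.0.0.9 fall outside one window and produce none.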

The data in the system is only as good as the data that gets sent to it. This means that source devices need to be carefully configured to ensure that they are generating timely and appropriate messages.

Furthermore, Sentinel does not replace other security products on the network (except perhaps logging servers). We supplement and provide a central management point for security events, as well as performing analysis and correlation on all events received. Further, we provide incident management for identified issues on the network.


Sentinel 6.1 - Database

Sentinel 6.1 stores all normalized event data in a database for easy retrieval. The database can be Oracle or MS SQL Server, and consists of a number of tables which store the raw events, referential data (more on that later) and various summary and statistics tables. We currently support Oracle running under Solaris or Linux, and MS SQL Server running on Windows.

The Sentinel installer will configure the basic database layout, but archiving and partitioning is a separate process which is handled either by the supplied Sentinel Data Manager tool, or with third-party products from Oracle or Microsoft.


Sentinel 6.1 Control Center

To get a good look at data passing through the system, Sentinel has a Control Center which displays event data in real-time as it passes through the system. The Control Center can also be used to look at historical data, and is the administration point for many Sentinel functions. Much of this class will cover using the Control Center to perform various functions.

Control Center receives a parallel stream of event data, and does not affect the database insertions.

Sentinel 6.1 Control Center

The Control Center provides a highly customizable view of incoming event data. It displays events in a normalized table format and on summary charts to give users an intuitive feel for the state of the system. The Control Center also allows users to drill-down to look in detail at the incoming data and perform analysis and investigation tasks.

Sentinel 6.1 Filters

Filters can be added to the system in several different locations to screen out irrelevant data.

First, global filters can be applied to screen out broad classes of events from certain system components. For example, all low-severity messages can be written to the database without being displayed in the console.

Second, events can be filtered at the Collector level. A Collector for an operating system, for instance, might filter out all messages relating to disk space issues on temp volumes.

Third, filters can be applied to individual Active Views at the Control Center.

Fourth, individual users can have a filter applied to their account to restrict access to viewing specified event data.

Sentinel 6.1 Filters

Designing the appropriate filters for your environment can be critical to creating a usable Sentinel system. Most environments produce far more data than can be effectively dealt with raw.

Sentinel 6.1 Correlation

Sentinel 6.1 incorporates a Correlation Engine, which can watch the incoming event data for specific patterns of events. This allows for more sophisticated or subtle network attacks to be detected, as well as for local policies, business, and compliance logic to be applied across the enterprise.

The Correlation Engine receives a parallel data stream. When it sees a pattern it is looking for, it will issue a single, new Correlated Event that will be logged and displayed at the Control Center for further processing. The Correlation Engine can also kick off various processes for Incident Response.

Sentinel 6.1 Correlation

Watchlists are extremely simple correlation rules, and basically act as a filter. It is common to have an Active View that just shows Correlated Events; this display would show a Correlated Event for every raw event matched by a Watchlist.

Sentinel 6.1 Correlation

This type of correlated event is far more powerful than a simple watchlist. You can look for worms and viruses jumping from machine to machine, for DDoS attacks, for account policy violations, and much more. Much of the data processed by Advanced Correlation will come from IDSs in conjunction with device data.
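The two kinds of correlation described on the preceding pages, as an added Python illustration (not Sentinel code and not its rule language): a Watchlist is modeled as a filter that emits one Correlated Event per matching raw event, while an advanced rule keeps state across a time window and emits a single Correlated Event once the pattern completes. The field names follow the manual's long meta-tag names; the fan-out threshold, the window and the sample events are constructed for this example.

```python
"""Watchlist versus advanced correlation, as an added illustration.

Not Sentinel code and not its rule language.  It models the distinction the
text draws: a Watchlist is a filter that emits one Correlated Event per
matching raw event, while an advanced rule keeps state over a time window and
emits a single Correlated Event when a pattern completes.  Field names follow
the manual's long names; the sample events, threshold and window are
constructed for the example.
"""
from collections import defaultdict, deque


def watchlist(events, predicate):
    """Watchlist: one Correlated Event for every raw event the filter passes."""
    return [{"rule": "watchlist", "event": ev} for ev in events if predicate(ev)]


class FanOutRule:
    """Emit a single Correlated Event when one source reaches at least
    `threshold` distinct destinations within `window_s` seconds: the
    machine-to-machine spread pattern the text mentions for worms."""

    def __init__(self, threshold, window_s):
        self.threshold = threshold
        self.window_s = window_s
        self.history = defaultdict(deque)   # SourceIP -> deque of (time, DestinationIP)
        self.reported = set()               # sources already reported once

    def feed(self, ev):
        """Consume one raw event; return a Correlated Event or None."""
        src, now = ev["SourceIP"], ev["time"]
        recent = self.history[src]
        recent.append((now, ev["DestinationIP"]))
        while recent and now - recent[0][0] > self.window_s:   # slide the window
            recent.popleft()
        targets = {dst for _, dst in recent}
        if len(targets) >= self.threshold and src not in self.reported:
            self.reported.add(src)
            return {"rule": "fan-out", "SourceIP": src, "time": now,
                    "distinct_destinations": len(targets), "raw_events": len(recent)}
        return None


def correlate(events, rule):
    """Run a stateful rule over the stream in time order, collecting its output."""
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ce = rule.feed(ev)
        if ce is not None:
            out.append(ce)
    return out


# Constructed sample: 10.1.1.5 contacts eight different hosts on port 445 within
# 21 seconds; 10.1.1.7 talks to the same two hosts repeatedly (ordinary traffic).
SAMPLE_EVENTS = (
    [{"time": 3 * i, "SourceIP": "10.1.1.5", "DestinationIP": "10.1.1.%d" % (10 + i),
      "DestinationPort": 445} for i in range(8)]
    + [{"time": 2 * i + 1, "SourceIP": "10.1.1.7", "DestinationIP": "10.1.1.%d" % (20 + i % 2),
        "DestinationPort": 445} for i in range(12)]
)


def demo():
    """Both kinds of correlation over the sample stream: (watchlist, fan-out)."""
    wl = watchlist(SAMPLE_EVENTS, lambda ev: ev["DestinationPort"] == 445)
    fan = correlate(SAMPLE_EVENTS, FanOutRule(threshold=5, window_s=60))
    return wl, fan


if __name__ == "__main__":
    wl, fan = demo()
    print("watchlist emitted %d Correlated Events (one per raw match)" % len(wl))
    print("fan-out rule emitted %d: %s" % (len(fan), fan))
```

The contrast to notice is output volume: the watchlist emits as many Correlated Events as there are raw matches (twenty here), while the stateful rule reports the spreading source once, at the fifth distinct destination, and stays silent for the host that only revisits two peers. That is why an Active View that shows only Correlated Events remains readable when advanced rules, rather than watchlists, do most of the work.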

Sentinel 6.1 Asset, Vulnerability, Advisor

In order to leverage Correlation Rules and enhance system usability, Sentinel 6.1 injects additional data from several sources into the event data stream. This referential data is used to enhance the event data to make it more immediately usable, and for other advanced features such as Exploit Detection.

Sentinel 6.1 Asset, Vulnerability, Advisor

The meta-data included by these streams can be extremely powerful, and can make your filters and correlation rules simpler and easier to understand. The data listed above can be gathered from several sources, and is stored in the Sentinel database. You can also elect to purchase the third-party Advisor tool, which will tie together the Vulnerability data gathered from network scans, and live attack data gathered from IDSs to detect whether attacks are against vulnerable systems, and provide remediation information.

Sentinel 6.1 iTRAC

Once actionable security events are detected (manually or via correlation rules), an Incident can be created to handle the resolution of the problem. Sentinel 6.1 uses a workflow solution called iTRAC to manage this process; incidents can also be passed to third-party ticketing systems such as Remedy or HP OpenView.

Sentinel 6.1 Incident Tracking

The base component of the iTRAC process is an Incident:

- Incidents can be created manually or via Correlation Rules.
- Incidents are usually based on a set of events that indicate some sort of occurrence that needs remediation.
- Incidents can have various additional data associated with them, such as additional events, attachments of output from other tools (such as network scans), and so forth.
- Incidents can be modified to assign them to analysts, change state, and so on.

Sentinel 6.1 iTRAC

Incidents are then attached to an iTRAC process for management. iTRAC allows the incident to be managed by different roles, via manual or automated processes. The intent is to ensure that every incident is resolved in a timely and efficient manner, with documented results.

Sentinel 6.1 Compliance

The combination of Correlation Rules, iTRAC, and Reporting (based on Crystal Reports) helps organizations demonstrate the effort they put into achieving their compliance goals.

With Sentinel, organizations are better able to meet demanding and labor-intensive compliance requirements by providing:

Sentinel 6.1 Compliance

This is an example of a report from the Crystal Reports system.

Sentinel 6.1 Summary

Sentinel 6.1 provides an extremely powerful set of tools to enhance your security posture, to aid you in compliance efforts, and to bring automation to your security response.

Active Views

SECTION 2

Active Views

This section will introduce you to the Control Center and to Active Views. Active Views are used to view event data in real time. You can see both a graphical and a tabular view of event data, and can manipulate the display in many ways. We will explore these various ways and learn how to apply them during Active View definition and to existing Active Views.

The following are the Objectives for this section:

- Learn how to create Active Views in the Control Center
- Understand how to modify the parameters for display of an Active View
- Understand how to apply filters to the Active View
- Understand how to modify the columns of the Event Table

Objective 1

Learn How to Create Active Views and Apply Filters in the Control Center

Active Views - Introduction

Active Views are created from within Sentinel Control Center, and are used for display of real-time data as well as investigation and analysis. A full Active View consists of three parts: a time-series chart, which displays a summary of events over several time periods; an event count dynamic graph and Top Values list, which displays more detailed summary data; and the event table, which displays event details for each individual event in the Active View. You can hide each individual part of this display temporarily by dragging the divider bars to the edge of the screen. Each of these sections is configurable in many different ways, and can be filtered and categorized based on numerous criteria. You can also create an Active View with no Event Table, which can save on processing time for the Active View.

Active Views Creation - Step 1

Active Views are created using the Active View Wizard; during creation you can specify all parameters for the Active View. The first screen of the Wizard presents three options:

Attribute for z-axis: this attribute will be used for categorizing the data in events for the chart and the event count summary, and each distinct category will be assigned a color for display. For categories with low cardinality (e.g. 25 distinct values), such as Severity (only 0-5), each color will represent a unique category and will appear in the charts. For categories with high cardinality (such as Source IP), the ten most popular categories are selected in the first display interval and assigned colors; other categories are lumped into the Other category. Over time, as traffic patterns change, the Other category may end up with most events in it; Sentinel will not change the colors once assigned. For that reason, it is best to choose categories with low cardinality if possible.

Filter: event data is filtered as it enters the Active View; only the events that match the filter criteria will be displayed. The PUBLIC:ALL filter will match all incoming events, so every event will be displayed. You can select other filters from a prepopulated list or, if system policies allow, create new ones.

NOTE: Select the desired filter from the list and click the Select button.

Display Events: select whether you want to display the Event Table, which lists all available event details. Select No to save processing time and screen space.

You can select any of the 242 possible event fields to use as the z-axis attribute. You can also create filters against any of the 242 fields; this will be covered in the next chapter. Once these three parameters are selected, you can short-circuit the Wizard and use defaults for the rest of the parameters by clicking Finish.

Active Views Creation - Step 2

The second step in the Active View Wizard allows you to set parameters for the chart display. In most circumstances, all these parameters can be changed dynamically once the chart is created. The choices are:

Display Interval: specify the period over which you want to summarize and display data, i.e. the length of time that goes into an individual bar of a bar chart. Possible values range from 30 seconds to 1 hour. The Active View will gather data for this time period, then collate the results into a single displayed x-axis value.

Refresh Rate: how often you wish to refresh the display; set this to be the same as the Display Interval if you want to see a new chart data point each Interval. Possible values vary depending on the Display Interval setting.

Total Display Time: select the overall length of time you wish to display on the graph. Values vary depending on the Display Interval, but for example you can display a full day's worth of 1-hour Intervals (24 bars), but only 4 hours' worth of 30-second Intervals (480 bars).

Finally, you can select whether to display an absolute count on the y-axis or a rate count per second.
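As an added Python illustration (not Sentinel code), the following models the chart behaviour that Step 1 and Step 2 describe: events are collated per Display Interval into one x-axis value, the chart holds Total Display Time / Display Interval bars, and the z-axis values that receive a color are fixed from the first interval, so a value that only becomes popular later lands in Other. The event dictionaries, the SourceIP attribute as z-axis, and the sample traffic are constructed for the example.

```python
"""Model of how an Active View turns an event stream into chart bars.

Added illustration, not Sentinel code.  It follows Steps 1 and 2 of the
Wizard as described in the text: events are collated per Display Interval
into one x-axis value, the chart holds Total Display Time / Display Interval
bars, and for the z-axis attribute the ten most frequent values seen in the
first interval get a color while every later value falls into "Other", since
colors are never reassigned.  The event dicts and sample traffic are constructed.
"""
from collections import Counter

MAX_COLORED = 10      # "the most popular ten categories" per the text
OTHER = "Other"


def bar_count(display_interval_s, total_display_time_s):
    """Number of x-axis data points: Total Display Time / Display Interval."""
    if display_interval_s <= 0 or total_display_time_s % display_interval_s:
        raise ValueError("Total Display Time must be a whole number of intervals")
    return total_display_time_s // display_interval_s


def choose_colored(first_interval_events, attribute):
    """Values that get their own color, decided from the first interval only."""
    counts = Counter(ev[attribute] for ev in first_interval_events)
    return {value for value, _ in counts.most_common(MAX_COLORED)}


def summarize(events, attribute, display_interval_s, total_display_time_s):
    """Return (bars, colored): one Counter per Display Interval, keyed by a
    colored z-axis value or OTHER, plus the fixed set of colored values.
    Each event dict carries 'time' (seconds since the view opened) and the
    z-axis attribute."""
    bars = [Counter() for _ in range(bar_count(display_interval_s, total_display_time_s))]
    first = [ev for ev in events if 0 <= ev["time"] < display_interval_s]
    colored = choose_colored(first, attribute)
    for ev in events:
        idx = ev["time"] // display_interval_s
        if 0 <= idx < len(bars):                  # events outside the view are dropped
            value = ev[attribute]
            bars[idx][value if value in colored else OTHER] += 1
    return bars, colored


def other_share(bar):
    """Fraction of a bar that is OTHER; a high share means the z-axis
    attribute's cardinality is too high for the chart to stay informative."""
    total = sum(bar.values())
    return bar[OTHER] / total if total else 0.0


# Constructed sample: 30-second Display Interval, 2-minute Total Display Time.
# Interval 0 sees twelve source IPs; from interval 1 on, a host unseen in
# interval 0 (10.0.9.9) dominates the traffic and therefore lands in "Other".
SAMPLE_EVENTS = (
    [{"time": 0, "SourceIP": "10.0.0.1"} for _ in range(5)]
    + [{"time": 5, "SourceIP": "10.0.0.2"} for _ in range(4)]
    + [{"time": 10, "SourceIP": "10.0.0.%d" % n} for n in range(3, 13)]
    + [{"time": 30 * k + j, "SourceIP": "10.0.9.9"} for k in range(1, 4) for j in range(20)]
    + [{"time": 30 * k, "SourceIP": "10.0.0.1"} for k in range(1, 4)]
)


def demo():
    """Summarize the sample as a 4-bar Active View on SourceIP."""
    return summarize(SAMPLE_EVENTS, "SourceIP", 30, 120)


if __name__ == "__main__":
    bars, colored = demo()
    print("colored:", sorted(colored))
    for i, bar in enumerate(bars):
        print("bar %d: %s  (Other share %.0f%%)" % (i, dict(bar), 100 * other_share(bar)))
```

Running it shows the pitfall the text warns about: the first bar is almost entirely colored, but from the second bar on more than ninety percent of each bar is Other, because the dominant host was not among the ten values seen in the first interval. A low-cardinality attribute such as Severity never runs into this.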

Active Views Creation - Step 3

The third step is to select a Chart Type, from four available options. The 3D options (Bar 3d and Ribbon) will allow you to rotate and spin the chart for better views depending on the data displayed. The default type is Stacked Bar 2D. Each data point set (e.g., a single stacked bar in the 2D Bar Chart, or a vertical set of points in the line chart) will summarize data for the last Display Interval.

Objective 2

Understand How to Modify the Parameters for Display of the Active View

Active Views Manipulation 1

Once you have an Active View open, it will start to display data after the first Display Interval (30s above) has passed. For new Active Views, you will have to wait the Total Display Time (15m above) before the entire horizontal axis is filled with data. Sentinel now has caching built in, however, so that for most commonly-used Active Views display data will be cached even when you are logged out of the system. When you reopen those Active Views, or ones based on similar display parameters, the entire chart will be filled with data as soon as you create the Active View.

There are a number of ways to manipulate your Active Views live. Use the Navigation Buttons on the left of the chart to:

Increase/Decrease Total Display Time (stopwatch icons): these buttons allow you to interactively increase and decrease the overall length of time displayed (up to the same min/max as during creation).

Increase/Decrease Display Interval (footstep icons): these buttons allow you to increase and decrease the period over which events are summarized for display (up to the same min/max as during creation).

The top button (lock) will be explained in a later chapter.

Use the Right-click Menu to:

Select the Chart Type: interactively switch between the various chart types to highlight different features.

Bring up the Properties Wizard for the Active View: from the Properties Wizard you can change most of the display parameters.

Active Views Manipulation 2

By right-clicking on the chart and selecting Properties, you can bring up the Properties Wizard for the chart, which is much the same as the regular Active View Wizard. The first screen (Parameters tab) allows you to change the same Display Interval and Total Display Time parameters, as well as the Refresh Rate and y-axis setting. The second screen (Chart Type tab) allows you to set the Chart Type.

To change the z-axis attribute or the base filter, you must create a new Active View.

Active Views Top Ten

The Event Count Summary pane has another tab, the Top Ten tab. This tab displays the Top Ten values in the z-axis attribute for the last five minutes, with some details about total counts.

Objective 3

Understand How to Modify the Columns of the Event Table


Active Views Event Table

When you select a bar on the chart, the Event Table displays the events that correspond to the selected time interval, in this case 30 seconds. A gray bar (refresh marker) separates one Display Interval from the next. In this example, the selected bar has a total of 165 events, but only 150 were displayed. The limit is determined by the display refresh property of the Active View, by default 30 seconds; the limit is up to 250 events in a period of 10 seconds, or a total of 750 in a period of 30 seconds. The Event Table will display a red line in the split panel if more than 50 events were received in 10 seconds. The line indicates that there were more events in that time interval than the Active View can display. The remaining events can be obtained through a drill-down on the graph.

Active Views Columns 1

Columns in the Event Table can be dynamically resized, positioned, and sorted:

To resize a column, drag the boundary between two columns in the header row left or right.

To reposition a column, grab the column header and drag the entire column left or right.

To change the sort order of a column, click on the column header. An arrow will appear indicating the sort direction. Clicking again will cycle the sort direction (ascending/descending/none).

Active Views Columns 2

Alternatively, you can change the sort order of the columns using the Manage Columns dialog. This also allows you to hide columns entirely, e.g. unused Reserved or Customer fields. Select column names on the left and Add (to the end of the list) or Insert (below the selection on the right) columns as you wish, or select columns on the right and Remove them from the Event Table. Change the order using the Up and Down arrows to the right of the right-hand column list. Often it is easier and faster to find columns to bring to the front of the list through this dialog rather than searching for them on the Event Table itself.

Every meta-tag has a short name (such as sip for Source IP) and a long name (SourceIP). The long name may be changed by the Sentinel administrator. A list of commonly-used meta-tags is included in the Appendix at the back of this manual.

Active Views - Multiple Views

You can manipulate the overall display of the Active Views using the Windows menu or the toolbar buttons:

Hide Navigation Window hides the navigation and work list panes on the left, giving you more screen real estate to display your views.

Tile Active Views will tile the various windows onscreen.

Cascade Active Views will cascade the windows onscreen.

Display settings such as which Active Views are open, column order, and so forth are saved between user sessions (if you answer Yes to the question "Save User Settings?" on logout, or click the Save User Settings toolbar button); column width and precise window placement are not (yet) saved between sessions.

Objective 4

Summary

Active Views provide a flexible and configurable view into the real-time data passing through your system. Multiple charts and the event table give you different ways to access your events and see what is happening in your environment.

Filters

SECTION 3

Filters

This section introduces filters and how to build a library of them for your enterprise. The following are the objectives for this Chapter:

1. Creating Filters on page 60
2. Filter Language on page 65
3. Complex Filters on page 71

Objective 1

Creating Filters
In this section you will learn the following:

Filters Overview on page 60
Filter Builder on page 62

Filters Overview

Sentinel filters allow you to customize many aspects of the system and help prevent data overload. Building a library of useful filters for easy recall can be critical for system usability, and to help present relevant aspects of data unique to your environment.

Filters are used throughout the Sentinel system to tailor various aspects of the environment, including what data gets displayed in Active Views. There are a number of pre-built filters, plus users can usually create new ones depending on the permissions granted to them.

The standard filter selection dialog box (for example, this dialog appears when creating an Active View and clicking on the Filter selection) allows you to perform most operations on filters:

The Owner column specifies who owns the filter; this is usually the person who created it, but it can be reassigned. Filters can also be assigned to PUBLIC, which typically means anyone can use them. Typically users see filters assigned to themselves and to PUBLIC.

The Filter Name column contains a short descriptive name that the creator of the filter gave it.

The Expression String column contains the actual filter expression, or as much of it as will fit in the display.

You can sort on any of these columns; for instance, the PUBLIC:ALL filter is much easier to find if you sort on the Filter Name column. The default is to sort by expression. PUBLIC:ALL is a filter that accepts all incoming data.

Filters work on selection sets by simply matching against criteria embedded in the event. Any incoming event is matched against the filter expression string; if the match is TRUE, then the event is passed through to the Active View or other function. If the expression string results in FALSE, the event is blocked (for that View, anyway). For example, if we have the expression string:

filter( e.SourceIP = 192.163.12.1 )

then this filter will be TRUE if the incoming event has a Source IP that equals 192.163.12.1. No other events will be included by the filter. The PUBLIC:ALL filter has the expression string:

filter( 1=1 )

This expression is always true, so every event will pass through the filter.

The expressions that go into the filter operator are simple math expressions and simple evaluations. Any available event field (meta-tag) from the list of 235 options (35 regular fields, 100 reserved, 100 customer) can be included in the filter as a variable to be matched against; a list of commonly used fields appears at the back of this manual.

Filter syntax (for use in the free-form editor or while looking at the raw expression string): fields are specified by the text string e.{meta-tag}, where {meta-tag} can be the short or long name for the field, such as SourceIP or sip. The e stands for "current event". Examples: e.sip, e.SourceIP. Case is significant. Note that long names can be reassigned by a Sentinel administrator.

Filter Builder
The Filter Details screen is where you build or modify filters.

There are two methods in Filter Builder that can be used to write new filters; switch between them using the Use free-form/table editor button on the right. The Builder allows you to build a filter step-by-step using drop-downs and selection boxes; the free-form editor is just a text editor where you type the filter language in directly. As you become comfortable with the filter syntax you may start using the free-form editor.

The first drop-down allows you to select an owner for the filter you are building. You can also assign filters to PUBLIC, depending on user permissions.

The second field is where you specify the filter name. This can be anything you like; the more descriptive the better. You cannot use the following characters in filter names: ~ , < > [ ] { } @ * - + / & : ! . ^ and the space character.

Next there is the filter builder itself; this is where you add matching clauses to your filter. We will discuss this in more detail in a moment.

The bottom box in the dialog allows you to see the actual expression string developing as you build it. This is the free-form text version of the builder code above; if you go to the free-form editor this is all you will see. There are some expressions that are not possible to create with the Builder, and therefore must be created in the free-form editor. Once you have started to edit the filter in the free-form editor, you usually cannot return to the Builder mode.

Objective 2

Filter Language
The following section is an introduction to the Filter Language. In this section you will learn the following:

Matching on page 65
Meta-tags on page 67
Multiple Clauses on page 68
Precedence on page 69

Matching

Event fields or parameters can hold a number of different types of things. For instance, a Destination Port field would typically contain a number, a Source IP field would contain an IP address, and a Message field would contain a text string. To handle these various cases, each event parameter field is assigned a Data Type, either Integer, String, IP, or Date Time. In the background, IP and Date Time are actually stored as integers, but are processed in special ways. When you are using a particular field in a filter, you can match against it in different ways depending on the Data Type.

Numeric:
= : standard numeric equality match
< , > , <= , >= : standard numeric greater-than, less-than, and so on
!= : standard numeric not-equal-to match
between, not between : the parser will check whether the parameter lies between or not between the two numbers listed, strictly numerically. Note that in this case you specify Value 2 as well as Value 1 in the Builder.

String: uses the same matching as above, but does an ASCII comparison for the greater-than/less-than and between comparisons, i.e. it uses the ASCII values of the characters in the string to perform the matches. In most cases this will work for alphabetic comparisons, although differing cases will not work, e.g. b is not between A and C. Adds a match regex comparison that allows you to use standard Regular Expression syntax to match substrings and so forth. For instance,

filter( e.Resource match regex("Lon") )

will match events with a Resource of Lon, and also London, Lonnie, etc. The filter

filter( e.Resource match regex("\w\w\w\s\w\w\w\d") )

will match things like Lon don2, Be2 are3, and The val234.

IP: uses the same matches as Integer, treating the IP as a straight numeric value. Also adds a match subnet clause which allows you to specify a subnet in standard notation (e.g. 192.168.1.0/24) and match whether the event's source or destination IP falls in that subnet.

Date Time: uses the same matches as Integer above, treating time as a straight integer for greater-than/less-than and between matches. Note that when you select a Date Time field, such as DateTime, and go to enter a Value, a calendar selector popup will appear allowing you to interactively specify the date.

Meta-tags

A list of common meta-tags with all associated short and long names, datatypes, and meaning is in the Appendix. The short names are the fixed, unchangeable names for the meta-tags; the long names are aliases that can be changed if necessary (this is done through the Sentinel Database Manager application). In general, only Customer or Reserved tags are re-aliased, and the Control Center typically displays the long name, although the short name can be typed in for filters and is stored internally in the filter definition. The base meta-tags have meaning-specific data-types, but the Customer and Reserved meta-tags have the following data-types (and should be allocated according to the data-type of the data to be stored in that meta-tag):

CustomerVar1-10 and ReservedVar1-10: Numeric data-type
CustomerVar11-20 and ReservedVar11-20: Datetime data-type
CustomerVar21-100 and ReservedVar21-100: String data-type

67

Multiple Clauses

When building filters, you can combine multiple clauses using the operators AND, OR, and NOT. You learned in high school how these operators work on sets of data (such as the event data entering the Sentinel system); the logical Boolean operations AND, OR, and NOT are slightly different from their intuitive everyday meanings. Let's take some examples. If we have two filters:

Filter X: e.SourceIP = 192.168.12.3
Filter Y: e.Country = United States

Then:
- X AND Y gives you all events that have both Source IP set to 192.168.12.3 and Country set to United States.
- X OR Y gives you all events that have either Source IP set to 192.168.12.3 or Country set to United States (or both).
- NOT inverts the logic of the operation, so you can say things like "all events except those with Source IP set to 192.168.12.3".

68

Precedence

You can always add parentheses to ensure that your logic is clear, and we recommend that you do so for maintainability. For the above example, an event with Severity of 4 (or 2, or 1) and SourcePort of 139 would match the first filter, but not the second.

69

70

Objective 3

Complex Filters

When using the Builder, you select whether to AND or OR together the various clauses you create (the + button to the right adds a clause to the list) using the Match If section of the Builder. This selection applies to all clauses in the list:
- If "One or more conditions are met" is selected: Clause1 OR Clause2 OR Clause3 OR ...
- If "All conditions are met" is selected: Clause1 AND Clause2 AND Clause3 AND ...
To produce more complex filters, with nested ANDs and ORs, or NOTs, you must use the Free-form Editor. You can always start with the Builder, create all your clauses, and then go into the Free-form Editor to add the grouping logic. Example 2 from the previous slide would not be possible in the Builder; you must therefore use the Free-form Editor.
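To make the operator semantics (Numeric, String, IP, Date Time), the AND/OR/NOT combinations and the effect of grouping concrete, here is an added example in Python. It is not Sentinel code and not the Sentinel filter syntax itself: each clause becomes a predicate over an event dict, and nesting the AND/OR/NOT calls plays the role of the parentheses the Free-form Editor requires. The sample events, their field values, and the two differently grouped filters are constructed for the demonstration; the String "between" and "match regex" cases reproduce the manual's "b" and "Lon don2" examples.

```python
"""Toy evaluator for Sentinel-style filter clauses (added example; not Sentinel code).

Events are plain dicts keyed by meta-tag name. The data-types assumed for the
sample fields follow the manual's Numeric / String / IP / Date Time split.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample events (not real Sentinel data).
EVENTS = [
    {"id": 1, "SourceIP": "192.168.12.3", "Country": "United States", "Severity": 4,
     "SourcePort": 139, "Resource": "London", "DateTime": datetime(2009, 7, 23, 10, 0)},
    {"id": 2, "SourceIP": "10.0.0.7", "Country": "United States", "Severity": 2,
     "SourcePort": 139, "Resource": "Lon don2", "DateTime": datetime(2009, 7, 23, 11, 0)},
    {"id": 3, "SourceIP": "192.168.1.44", "Country": "Germany", "Severity": 5,
     "SourcePort": 80, "Resource": "Berlin", "DateTime": datetime(2009, 7, 24, 9, 0)},
    {"id": 4, "SourceIP": "192.168.12.3", "Country": "Germany", "Severity": 1,
     "SourcePort": 80, "Resource": "b", "DateTime": datetime(2009, 7, 22, 9, 0)},
]

# --- Single clauses: each returns a predicate (event -> bool) ------------------

def eq(field, value):            # e.Field = value
    return lambda e: e.get(field) == value

def ne(field, value):            # e.Field != value
    return lambda e: e.get(field) != value

def gte(field, value):           # e.Field >= value (Numeric or Date Time)
    return lambda e: e.get(field) >= value

def between(field, lo, hi):
    """Inclusive 'between'. Strings compare by character code, so "b" (98)
    is NOT between "A" (65) and "C" (67), exactly as the manual warns."""
    return lambda e: lo <= e.get(field) <= hi

def match_regex(field, pattern):
    """Substring regex match, like e.Resource match regex("Lon")."""
    rx = re.compile(pattern)
    return lambda e: rx.search(str(e.get(field, ""))) is not None

def match_subnet(field, cidr):
    """IP clause: true when the address lies inside the CIDR block."""
    net = ipaddress.ip_network(cidr)
    return lambda e: ipaddress.ip_address(e.get(field)) in net

# --- Boolean combinators; nesting the calls plays the role of parentheses -----

def AND(*preds):
    return lambda e: all(p(e) for p in preds)

def OR(*preds):
    return lambda e: any(p(e) for p in preds)

def NOT(pred):
    return lambda e: not pred(e)

def run(pred, events=EVENTS):
    """Ids of the events that pass the filter."""
    return [e["id"] for e in events if pred(e)]

def demo():
    x = eq("SourceIP", "192.168.12.3")          # Filter X from the manual
    y = eq("Country", "United States")          # Filter Y from the manual
    # Same three clauses, two different groupings; only the "parentheses" differ.
    grouped_1 = OR(gte("Severity", 4), AND(eq("Severity", 2), eq("SourcePort", 139)))
    grouped_2 = AND(OR(gte("Severity", 4), eq("Severity", 2)), eq("SourcePort", 139))
    return {
        "x_and_y": run(AND(x, y)),
        "x_or_y": run(OR(x, y)),
        "not_x": run(NOT(x)),
        "between_A_C": run(between("Resource", "A", "C")),
        "regex_Lon": run(match_regex("Resource", "Lon")),
        "regex_pattern": run(match_regex("Resource", r"\w\w\w\s\w\w\w\d")),
        "subnet": run(match_subnet("SourceIP", "192.168.1.0/24")),
        "since": run(gte("DateTime", datetime(2009, 7, 23, 10, 30))),
        "grouped_1": run(grouped_1),
        "grouped_2": run(grouped_2),
    }

if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:14s} -> {ids}")
```

grouped_1 and grouped_2 are built from the same three clauses; only the grouping differs, and event 3 (Severity 5, SourcePort 80) passes the first but not the second. That difference is exactly what the Builder's single Match If setting cannot express and why nested logic needs the Free-form Editor.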

71

Filters allow you to tailor the data you see, removing the irrelevant information that clutters up your display. Sentinel's ability to create filters based on any of its 235 event parameters lets you customize the data you see to a high degree.

72

Analysis

SECTION 4

Analysis

This section introduces analysis and the various tools used for analysis of Sentinel data.

The following are the objectives for this Chapter:


1. Analysis Tools on page 74
2. Historical Event Queries on page 80
3. Right Click Menu Tools on page 86
4. Correlated Events on page 87
5. Summary on page 88

73

Objective 1

Analysis Tools
The following are topics of this section:

- Show Details on page 74
- Snapshots on page 76
- Investigating Events on page 77
- Show Graph on page 78

The Sentinel system does not merely provide a real-time view of your network, but also puts a wide variety of analysis tools at your disposal for when you want to explore attacks or other events on your network. There are a number of built-in tools, plus a configurable menu that allows for infinite possibilities. This chapter will introduce you to the tools available for analyzing and investigating events you see in Active Views more deeply. This may involve looking at similar events from the past that may give more insight into the current event, and/or may involve calling up various types of referential or visualization information. Sentinel allows you to perform most if not all of the required analysis from within one interface.

Show Details

74

Show Details is a way to get a quick summary of all relevant information in an event without scrolling rightward through all the columns. To access Details, right-click on the Event Table and select Show Details. A pane appears in the left-hand portion of the Event Table that shows each populated field (meta-tag) of whatever event is selected in the Event Table. You can also double-click on an event to open or close the Details pane. The Details pane is broken up into sections based on the type of meta-tag. Not all events will have populated fields in every category: you should always see the Base set of parameters, but you will only see Custom, Asset, Exploit, and Reserved if data exists in those fields.

75

Snapshots

On occasion it is desirable to take a snapshot of the data in the real-time display, either for reference, to include in an incident or report, or for further analysis. There are a number of ways to achieve this:
- Lock display: The lock button freezes the real-time display and prevents new events from appearing on the console, so the event of interest will not scroll out of view. You can also select a bar in the chart to lock it. While locked, you can perform additional actions on the chart:
  - Zoom in: you can zoom in on the chart for a better view of the data.
  - Zoom to selection: if you select a particular chart bar, you can zoom in to that selection to get a better view of the data.
  - Drill-down: If you right-click on a bar in the chart and select Drill-down, a new window appears that shows only the events that occurred during the time frame summarized in that particular chart period.
- Snapshot button in menu bar: This button produces a new window that contains a static list of the events currently on the display. This list can be manipulated without fear that new events will displace old ones, and can be exported in various formats. This form of snapshot gives the Event Table only.

76

- Snapshot button in chart button area: This version of snapshot produces a static web page that contains a graphic of the current chart as well as the current Event Table.

The drill-down operation listed above actually runs a query against the database for events during the time period implicitly specified by the operation. This is an example of a Historical Event Query (although for a very recent time period), of which we will soon see other examples. To unlock the display again, click on the lock button. The suppressed events will appear and the Active View will resume real-time display of incoming events.

Investigating Events

Beyond stopping the real-time display and taking snapshots of specific time periods, we can also look for additional events related to the event(s) of interest. If we select a specific event in the Table and right-click on it, we can select the Investigate submenu to get a pre-defined set of relationship queries that we can perform. The options for an investigative query are:

77

- Destination IP address (Show More Events to this target): looks up recent events that have the same Destination IP as the currently selected event, i.e. events that are targeted at the same host.
- Source IP address (Show More Events from this source): looks up recent events that came from the same source host.
- Event Name (What are the target objects of this event?): looks up recent events of the same type, based on the Event Name field.
The above are all examples of ad hoc investigative queries of the database, searching for events that share the listed parameter with the currently selected event.

Show Graph

The last option under the Investigate menu is not a Historical Event Query, but a visualization tool. Select a set of interesting events using Shift- or Ctrl-Click, then right-click and select Show Graph to see a topological graph of the event traffic you have selected in the Event Table. You can change the layout of the graph to highlight different aspects of the traffic. The event count for events that match the traffic pattern along a particular branch is listed alongside the relevant arrow. This tool can give you a rough visual sense of the traffic patterns on your network and the flow of a particular set of events, to help you determine relationships between events of interest.

78

79

Objective 2

Historical Event Queries


Historical Event Queries allow the user to investigate past events and identify data trends.

The following are topics of this section:
- Searching Historical Events on page 80
- Active Browser on page 81
- Asset Data on page 82
- Vulnerability on page 83
- Advisor Data on page 84

Searching Historical Events

You can also perform a completely ad hoc Historical Event Query, based on parameters that you specify interactively. To do so, click on the Historical Event Query button in the Menu Button Bar. Select an existing filter from the list or create a new one, then further constrain your query by selecting specific Severities to match and a specific time/date range. You can then run the query; the result will be the events that match the filter AND have one of the Severities listed AND lie within the time/date range specified. You can choose the batch size to return; watch the status bar at the bottom to see how many events have been returned thus far, and click on the blue arrow at the top to fetch the next set of results.

80
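The Investigate lookups described earlier and the ad hoc Historical Event Query described here are both queries against the event database. As an added example (not Sentinel's own query code), the Python below runs the same three relationship lookups and a filter-AND-severity-AND-time-range query, returned in batches, against a constructed in-memory list of events. The 24-hour "recent" window, the field names and the sample events are assumptions made for the demonstration.

```python
"""Historical Event Query and Investigate lookups over an in-memory store
(added example; not Sentinel's own query code). Sentinel runs these against
its database; a list of constructed event dicts stands in for it here."""
from datetime import datetime, timedelta
from itertools import islice

T0 = datetime(2009, 7, 23, 12, 0)   # "now" for the constructed sample

def _ev(i, hours_ago, src, dst, name, sev):
    return {"id": i, "DateTime": T0 - timedelta(hours=hours_ago), "SourceIP": src,
            "DestinationIP": dst, "EventName": name, "Severity": sev}

# Constructed sample events, oldest first.
EVENTS = [
    _ev(1, 5, "10.1.1.5", "192.168.1.10", "Port Scan", 2),
    _ev(2, 4, "10.1.1.5", "192.168.1.20", "Port Scan", 2),
    _ev(3, 3, "10.1.1.9", "192.168.1.10", "SSH Brute Force", 4),
    _ev(4, 2, "172.16.0.3", "192.168.1.10", "Web Attack", 5),
    _ev(5, 1, "10.1.1.5", "192.168.1.30", "SSH Brute Force", 3),
    _ev(6, 1 / 6, "10.1.1.9", "192.168.1.10", "SSH Brute Force", 4),   # 10 minutes ago
]

def by_id(event_id):
    return next(e for e in EVENTS if e["id"] == event_id)

def historical_query(pred, severities, start, end, batch_size):
    """Events matching filter AND severity set AND time range, yielded in
    batches of batch_size: each batch is one click of the next-results arrow."""
    hits = (e for e in EVENTS
            if pred(e) and e["Severity"] in severities and start <= e["DateTime"] <= end)
    while True:
        batch = list(islice(hits, batch_size))
        if not batch:
            return
        yield [e["id"] for e in batch]

def example_query(batch_size=2):
    """SSH Brute Force events of Severity 3-5 in the last four hours, batched."""
    ssh = lambda e: e["EventName"] == "SSH Brute Force"
    return list(historical_query(ssh, {3, 4, 5}, T0 - timedelta(hours=4), T0, batch_size))

def _related(event, field, window):
    """Other events in the window before `event` that share `field` with it."""
    since = event["DateTime"] - window
    return [e["id"] for e in EVENTS
            if e["id"] != event["id"] and e[field] == event[field]
            and since <= e["DateTime"] <= event["DateTime"]]

def more_events_to_target(event, window=timedelta(hours=24)):     # same Destination IP
    return _related(event, "DestinationIP", window)

def more_events_from_source(event, window=timedelta(hours=24)):   # same Source IP
    return _related(event, "SourceIP", window)

def events_with_same_name(event, window=timedelta(hours=24)):     # same Event Name
    return _related(event, "EventName", window)

if __name__ == "__main__":
    for n, batch in enumerate(example_query(), 1):
        print(f"batch {n}: {batch}")
    latest = by_id(6)
    print("to target  :", more_events_to_target(latest))
    print("from source:", more_events_from_source(latest))
    print("same name  :", events_with_same_name(latest))
```

Batching matters on a real database because the filter may match far more rows than the console can hold; fetching a batch at a time is what lets the status bar report progress while the query is still running.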

Active Browser

81

Asset Data

Right-click on an event in the Event Table and select the Analysis dropdown. There are additional tools under this menu; the first we will look at is Asset Data. Some Asset Data is included in the event record itself by either the Collector or the Mapping service, both of which can look up and embed asset data from static files. Additionally, you can use special Collectors to import Asset Data from a third-party asset scanner such as NMAP. These tools scan your network and produce reports about each host, which include Asset information. Novell Collectors can then import that data into the Sentinel database, and you can call up that data interactively using the Asset Data right-click menu option. You can use this information to more quickly identify the hosts that you see in event traffic in your Active Views, and react as appropriate.

82

Vulnerability

The Analysis submenu has an additional option: Vulnerability. Sentinel can provide a graphical representation of vulnerability data against real-time data by processing vulnerability scans from Nessus, ISS, Foundstone, eEye and Qualys. These scanners monitor the hosts on your network and produce reports that list which hosts are vulnerable to certain attacks. The Information Agents parse the output of the vulnerability scanners and store the results in the Vulnerability tables of the Sentinel schema. This feature allows you to use vulnerability scans to check for vulnerabilities in your networks as they relate to real-time events. Vulnerability Visualization has two options:
- XSLT: a report that displays IP, host, vulnerability and port/protocol information.
- Graphical: circular, hierarchical, or orthogonal visualization of scanner, destination IPs and ports.

83

Advisor Data

The Advisor service provides additional information about observed attacks on machines on your network, but you must purchase the optional Advisor subscription for this to work. When an event is selected in the Event Table, you can right-click, open the Analysis submenu and select Advisor Data. This uses the DeviceAttackName meta-tag to look up the observed attack in a database of attacks downloaded on a regular basis from the Advisor service. This feed provides you with detailed information about the observed attack, including impact and remediation information. The Advisor service only provides information for attacks detected by a specific set of IDS devices (the source devices that generate events indicating an attack). This is because each IDS might call a given type of attack by a different name; the Advisor service tracks the attack names used by certain IDS devices and maps them to a single Advisor ID, which can in turn be used to reference other classification resources such as CVE values. When a new attack type comes out, the Advisor service updates the Sentinel system with the new mappings from the various IDS names to a single Advisor ID, which is linked to the impact and remediation information.

Intrusion Detection Systems Supported: Cisco Secure IDS, Enterasys Dragon Host Sensor, Enterasys Dragon Network Sensor, ISS BlackICE, ISS RealSecure Desktop, ISS RealSecure Network, ISS RealSecure Server, ISS RealSecure Guard, Snort, Symantec Network Security 4.0 (ManHunt), Symantec Intruder Alert, McAfee IntruShield, Cisco IOS Firewall

84

The combination of Vulnerability information from a vulnerability scanner and the Advisor subscription service can provide you with advanced Exploit Detection. The Advisor feed provides a cross-reference between real-time IDS attack signatures (these must be from IDS devices on our list of compatible IDSs), vulnerability scans of your network (again, the scanner must be on our list), and Advisor's knowledge base of vulnerabilities. The aim is to detect whether attacks are being made against vulnerable systems.

Vulnerability Scanners Supported: eEye Retina, Foundstone Foundscan, ISS Database Scanner, ISS Internet Scanner, ISS System Scanner, ISS Wireless Scanner, Nessus, nCircle IP360
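As an added example of the Exploit Detection cross-reference described above (not Novell's Advisor feed or code), the Python below normalizes IDS-specific attack names to a single Advisor ID, looks up the impact and remediation text the Advisor Data option would show, and flags an event only when the vulnerability referenced by that Advisor ID appears in the scan results for the targeted host. The signature mappings, Advisor IDs, CVE-style references, hosts and events are all constructed placeholders.

```python
"""Exploit Detection cross-reference (added example; not Novell's Advisor data
or code). Advisor maps each IDS's own attack name to one Advisor ID, which in
turn references CVE-style identifiers; vulnerability scans record which hosts
carry which identifiers. An event is flagged when the attack seen by the IDS
hits a host whose scan shows the matching vulnerability. Every name, ID and
address below is a constructed placeholder."""

# (IDS product, DeviceAttackName as that IDS reports it) -> Advisor ID
ADVISOR_SIGNATURES = {
    ("Snort", "WEB-MISC example overflow attempt"): "ADV-EX-1",
    ("ISS RealSecure Network", "HTTP_Example_Overflow"): "ADV-EX-1",
    ("Snort", "SSH example brute force"): "ADV-EX-2",
}

# Advisor ID -> CVE-style references plus impact/remediation text
ADVISOR_DB = {
    "ADV-EX-1": {"cves": {"CVE-0000-0001"}, "impact": "remote code execution",
                 "remediation": "apply vendor patch; restrict port 80 at the border"},
    "ADV-EX-2": {"cves": {"CVE-0000-0002"}, "impact": "credential compromise",
                 "remediation": "enforce key-based authentication"},
}

# Vulnerability-scan results: host -> CVE-style ids the scanner found on it
SCAN_RESULTS = {
    "192.168.1.10": {"CVE-0000-0001"},
    "192.168.1.20": {"CVE-0000-0009"},
}

# IDS events. SensorName identifies the IDS product; DeviceAttackName is its own label.
EVENTS = [
    {"id": 1, "SensorName": "Snort", "DeviceAttackName": "WEB-MISC example overflow attempt",
     "DestinationIP": "192.168.1.10"},
    {"id": 2, "SensorName": "ISS RealSecure Network", "DeviceAttackName": "HTTP_Example_Overflow",
     "DestinationIP": "192.168.1.20"},
    {"id": 3, "SensorName": "Snort", "DeviceAttackName": "SSH example brute force",
     "DestinationIP": "192.168.1.10"},
    {"id": 4, "SensorName": "Unsupported IDS", "DeviceAttackName": "something odd",
     "DestinationIP": "192.168.1.10"},
]

def advisor_id(event):
    """Normalise the IDS-specific name to a single Advisor ID (None if unsupported)."""
    return ADVISOR_SIGNATURES.get((event["SensorName"], event["DeviceAttackName"]))

def advisor_data(event):
    """What the Advisor Data right-click option would show: impact + remediation."""
    adv = advisor_id(event)
    return None if adv is None else {"advisor_id": adv, **ADVISOR_DB[adv]}

def exploit_detected(event):
    """True when the attack's references intersect the target host's scan findings."""
    adv = advisor_id(event)
    if adv is None:
        return False   # IDS or signature outside the supported set: no cross-reference possible
    return bool(ADVISOR_DB[adv]["cves"] & SCAN_RESULTS.get(event["DestinationIP"], set()))

def triage(events=EVENTS):
    """(event id, Advisor ID, exploit-detected flag) for each event."""
    return [(e["id"], advisor_id(e), exploit_detected(e)) for e in events]

if __name__ == "__main__":
    for row in triage():
        print(row)
```

Events 1 and 2 carry different IDS-specific names but resolve to the same Advisor ID; only event 1 is flagged, because only its target host shows the referenced vulnerability in the scan data. Event 4 comes from an IDS outside the mapping and therefore gets no Advisor data and no exploit flag, which is why the supported-device lists above matter.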

85

Objective 3

Right Click Menu Tools

The right-click menu options listed thus far are defaults that are included with the system. Sentinel also provides a fully configurable menu tool system that allows you to embed any command you wish into the right-click menu. Any event parameter can be passed to the selected command, and based on those parameters the scripts attached to the menu can perform arbitrarily complex additional processing: SQL lookups against the database, network scans of associated IPs, port shutdowns, initiating virus scans on affected hosts, and so forth. The default Menu Tools included (simple pings, traceroutes, and the like) are merely examples of the types of things you can do. Your Sentinel administrator will set up Menu Tools appropriate for your environment. You can then use these tools to react to events that appear in your Active Views.
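Because a menu tool hands event parameters to an external command, the values it receives originate from whatever device or attacker produced the event. The added Python example below (not Sentinel's menu-tool implementation) shows the defensive pattern an administrator would want when setting up such tools: validate each parameter against the type the tool expects and launch the command as an argument list rather than a shell string. The tool definitions and the event values are constructed.

```python
"""Menu-tool launcher that passes event parameters to an external command
(added example; not Sentinel's menu-tool implementation). Event fields are
untrusted input, so each one is validated against the type the tool expects
and the command is run as an argument list, never through a shell. The tool
definitions and event values below are constructed."""
import ipaddress
import re
import shlex
import subprocess

# Constructed tool definitions: argv template plus the expected type of each event parameter.
MENU_TOOLS = {
    "ping": {"argv": ["ping", "-c", "3", "{SourceIP}"], "params": {"SourceIP": "ip"}},
    "traceroute": {"argv": ["traceroute", "{DestinationIP}"], "params": {"DestinationIP": "ip"}},
    "whois": {"argv": ["whois", "{DestinationHostName}"], "params": {"DestinationHostName": "hostname"}},
}

# DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 63 chars max.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

def validate(value, kind):
    """Return a canonical value of the expected kind, or raise ValueError."""
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # rejects anything that is not one address
    if kind == "hostname":
        if len(value) <= 253 and HOSTNAME_RE.match(value):
            return value
        raise ValueError(f"not a hostname: {value!r}")
    raise ValueError(f"unknown parameter kind {kind!r}")

def build_command(tool_name, event):
    """argv list for the tool with validated event values substituted."""
    tool = MENU_TOOLS[tool_name]
    values = {p: validate(event[p], kind) for p, kind in tool["params"].items()}
    return [arg.format(**values) for arg in tool["argv"]]

def safe_command(tool_name, event):
    """build_command, but None instead of an exception when a value is rejected or missing."""
    try:
        return build_command(tool_name, event)
    except (KeyError, ValueError):
        return None

def run_tool(tool_name, event, timeout=30):
    """Execute the tool; the argv list goes straight to exec, so there is no shell parsing."""
    argv = build_command(tool_name, event)
    print("running:", shlex.join(argv))   # the line worth recording in the incident history
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)

if __name__ == "__main__":
    print(safe_command("ping", {"SourceIP": "192.168.12.3"}))
    print(safe_command("ping", {"SourceIP": "192.168.12.3; id"}))   # rejected: None
```

Validating by type also closes the argument-injection case: neither a parsed IP address nor a hostname matching the label pattern can begin with a hyphen, so a field value can never be interpreted by the tool as an extra option.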

86

Objective 4

Correlated Events

Correlated Events are special types of events that are triggered by other raw events. The Correlation Engine watches the raw events looking for specific patterns; when a pattern is detected, the Correlation Engine produces a new Correlated Event which summarizes the common parameters of the trigger events. Correlated Events can be spotted in Active Views by looking at the SensorType parameter: Correlated Events have a SensorType of W or C. There is a pre-defined PUBLIC filter to look just at Correlated Events. Since Correlated Events are based on a set of one or more raw events, the Sentinel system provides a way to call up the raw events which triggered the displayed Correlated Event: right-click on a Correlated Event and select View Trigger Events. The result is a database query that produces the raw trigger events for that Correlated Event.

87

Objective 5

Summary

The Sentinel system offers a number of useful tools embedded into Active Views to speed investigation, analysis, and response to events. The system presents all sorts of business relevance and exploit information in easy-to-use formats for quick processing. Plus, you can add any additional response tools you like to enhance the functionality of the system.

88

Incidents

SECTION 5

Incidents

The Objectives of this Chapter are:


1. Understanding Incident Management on page 90
2. Create New Incidents on page 91
3. Reviewing Incidents on page 92
4. Attachment Viewers on page 102
5. Summary on page 103

After completing this chapter, the student will be able to understand incident management using Sentinel. There are several ways to create incidents; this chapter focuses on the two manual methods, creating an incident and adding events to a new or existing incident. In addition, this chapter describes the Incident tab functionality for creating incidents, which includes attaching referential data such as asset or vulnerability data to an incident. The iTRAC chapter will describe the management of an incident through a predefined workflow process.

89

Objective 1

Understanding Incident Management

In the enterprise, it is critical to provide a comprehensive and effective solution for Incident Response. This process can be complex and difficult, and with more stringent compliance requirements we must be able not only to handle incidents, but to prove that we did so. Sentinel provides several tools that work together to ease Incident Response in the enterprise. The first step in Incident Response is to identify an incident. Sentinel allows you to do this manually: simply select the event(s) in an Active View that you think constitute an incident, right-click, and select Create Incident. This can also happen automatically, via a Correlation Rule that is set to create an incident when it generates a Correlated Event. In Sentinel, an incident is simply a collection of events with some associated meta-data. The Incident will be created with the relevant events included, but you can always add additional events via Active Views or Historical Event Queries. You can additionally attach documents, look up asset, vulnerability, and advisor data, and so on, as we covered during User Training. You can perform work on this Incident manually, through the Incidents tab of the Control Center, or you can attach the Incident to a workflow to automate the process and make it auditable.

90

Objective 2

Create New Incidents

There are three ways to create incidents in Sentinel 6:
- Active Views: manually, through the event tables, by selecting one or many events to create a new incident or add events to an existing incident. Right-click and select Create Incident.
- Incidents tab: manually, by creating a new incident by clicking on the Create a New Incident Menu Button. Note that the incident will be empty; events can only be added to an incident through the Active View tab.
- Correlation Engine: automatically, through rules that generate Correlated Events.

91

Objective 3

Reviewing Incidents
Tracking and reviewing incidents can be accomplished via iTRAC or by third-party products. Novell also supports HP OpenView and Remedy for incident tracking. The Objectives for this section are:

- Incident Management on page 92
- Incident Basic Info on page 93
- Events List on page 94
- Assets on page 95
- Vulnerabilities on page 96
- Advisor on page 97
- iTrac on page 98
- History on page 99
- Attachments on page 100
- Menu Options on page 101

Incident Management

92

The Incident tab allows you to view and manage incidents. The Incidents tab has an Incident View Manager window that contains incident views. Your system administrator should set up views that will be useful within your organization. Use these views to see summaries of which incidents are open, closed, and so forth.

Incident Basic Info

The left side of the Incident display contains all relevant information about the incident, such as Title, internal ID, name, and state. The information in this tab contains:
- Title: name of the incident
- State: status of the incident (open, acknowledge, assigned, investigating, false positive, verified, approved, closed)
- Severity: average of the event severities
- Priority: organization-specific coding of the importance
- Category: type of incident; this list can be changed
- Originator: who created the incident
- Responsible: who should handle the incident
- Description: a typed description of what the incident is
- Resolution: a typed description of how the incident was resolved

93

Events List

The Events tab of the Incident View contains a list of all the events that make up the Incident. If the incident was created manually, this is just the list of the events that were selected when you created the incident. Events can also be added to this list by simply selecting them from the Event table in an Active View or from any Event Query, right-clicking, and selecting Add to Incident.

94

Assets

The Assets tab contains asset information for the events that make up the incident. This tab is only populated if an asset agent (information agent) has populated the database with data. The asset information related to the destination IP addresses in the events is listed here with the following fields:
- Asset Name
- IP Address
- Host Name
- Criticality

95

Vulnerabilities

The Vulnerability tab contains vulnerabilities associated with the destination IP address of the events that make up the incident. The vulnerability information related to the destination IP addresses in the events is listed here with the following fields:
- Vulnerability ID
- Name
- Severity
- Description

96

Advisor

The Advisor tab provides information on attacks associated with the destination IP address of the events that make up the incident. The attack information related to the destination IP address of the events contains the following fields:
- Attack ID
- Name
- Severity
- Category
Note that Advisor is a separate subscription service that maintains information about system vulnerabilities based on CVE and other classification services. It combines that information with knowledge about specific IDS attack signatures. Sentinel can take Advisor data and incorporate it into its database for use in Exploit Detection and remediation information.

97

iTrac

Under this tab you may assign a process from the drop-down list. The Process Monitor displays the process and states, including the current state marked in red. We will cover the iTRAC process in much more detail in the next chapter.

98

History

The History tab provides the audit trail of activity for the selected incident. This tab serves as an incident monitoring tool to identify the actions taken on the incident.
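As an added example (not Sentinel's implementation) tying together the Incident Basic Info fields, the Events list, and the History tab, the Python below models an incident as a collection of events plus meta-data: it computes Severity as the average of the event severities, validates the State against the list given on the Incident Basic Info tab, skips events that are already part of the incident when more are added, and records every action as a History entry. The plain (unrounded) average, the wording of the history entries, and the sample events are assumptions made for the demonstration.

```python
"""Minimal model of a Sentinel incident: a collection of events plus
meta-data, a state, and a History audit trail (added example; not Sentinel's
own implementation). Field names follow the Incident Basic Info tab and the
states are the ones the manual lists. Severity is the plain mean of the
event severities; the manual does not say how Sentinel rounds it."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

STATES = ("open", "acknowledge", "assigned", "investigating",
          "false positive", "verified", "approved", "closed")

def valid_state(state):
    return state in STATES

@dataclass
class Incident:
    title: str
    originator: str
    category: str = "Other"
    priority: str = "Medium"
    state: str = "open"
    responsible: Optional[str] = None
    description: str = ""
    resolution: str = ""
    events: List[dict] = field(default_factory=list)
    history: List[Tuple[datetime, str, str]] = field(default_factory=list)   # (when, actor, action)

    def _log(self, actor, action, when=None):
        self.history.append((when or datetime.now(timezone.utc), actor, action))

    def add_events(self, actor, new_events, when=None):
        """Add to Incident: events already present (by id) are skipped."""
        known = {e["id"] for e in self.events}
        added = [e for e in new_events if e["id"] not in known]
        self.events.extend(added)
        self._log(actor, f"added {len(added)} event(s)", when)
        return len(added)

    @property
    def severity(self):
        """Average severity of the member events (0.0 for an empty incident)."""
        if not self.events:
            return 0.0
        return sum(e["Severity"] for e in self.events) / len(self.events)

    def set_state(self, actor, new_state, when=None):
        if not valid_state(new_state):
            raise ValueError(f"unknown state {new_state!r}")
        self._log(actor, f"state {self.state} -> {new_state}", when)
        self.state = new_state

    def assign(self, actor, user, when=None):
        self.responsible = user
        self._log(actor, f"assigned to {user}", when)
        self.set_state(actor, "assigned", when)

    def actions(self):
        """The History tab view: just the action column, oldest first."""
        return [action for _, _, action in self.history]

def create_incident(title, actor, events, **meta):
    """Right-click > Create Incident on the selected events."""
    inc = Incident(title=title, originator=actor, **meta)
    inc._log(actor, "created incident")
    inc.add_events(actor, events)
    return inc

if __name__ == "__main__":
    # Constructed events; only id and Severity matter here.
    inc = create_incident("SSH brute force against 192.168.1.10", "analyst1",
                          [{"id": 3, "Severity": 4}, {"id": 6, "Severity": 4}],
                          category="Intrusion")
    inc.add_events("analyst1", [{"id": 6, "Severity": 4}, {"id": 5, "Severity": 3}])  # id 6 is a duplicate
    inc.assign("lead", "analyst2")
    print(inc.state, round(inc.severity, 2), inc.actions())
```

The history list is append-only by construction, which is the property that makes the History tab usable as evidence of how an incident was handled.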

99

Attachments

The Attachments tab allows the user to associate a text file or document to the selected incident. Network scans, script output, incident write-ups, and any other type of document can be attached for later reference.

100

Menu Options

The Incident View menu allows you to perform several operations related to the Incident:
- File > Save Incident: saves any changes you have made
- File > Delete Incident: deletes the Incident, but not the associated events
- Actions > Execute Incident Action: executes the next iTRAC process step
- Actions > E-mail Incident: e-mails the Incident details
- Actions > Send to [HP-OVO|Remedy|HP-SD]: sends the Incident to various third-party ticketing tools, if installed
- Options > Add Attachment: adds an attachment to the Attachments tab
The buttons below the menu provide shortcut access to some of these items.

101

Objective 4

Attachment Viewers

For incidents alone, there are only a few things to manage:
- Incident Information: You can change the set of categories available for selection to classify incidents.
- Attachment Viewers: Use the Configure Attachment Viewers button to call up a dialog from which you can specify a viewer for each attachment file type (by extension).
- Incident Views: Add new Views or modify existing ones to change how existing incidents are presented to users (different groupings, sortings, etc.).
- Delete Incidents: You can delete old or unused incidents through the Incident View Manager interface (right-click).

102

Objective 5

Summary

Incidents are collections of events. Events themselves are stateless, whereas incidents have states associated with them, so that an event or collection of events can be investigated as a group. Incidents work closely with iTRAC, explained in the next chapter, to manage the incident process.

103

104

iTRAC

SECTION 6

iTRAC

The objectives for this Chapter are:


1. iTrac Incident Tracking on page 106
2. Process and Work Management on page 110
3. Incident Integration on page 114
4. iTrac Lifecycle on page 116
5. Role Management on page 117

105

Objective 1

iTrac Incident Tracking


The objectives of this section are:

- iTrac Definitions on page 106
- iTrac Components on page 107

Sentinel's unique iTRAC incident tracking and remediation system originally shipped with Sentinel 5.1. The incident remediation templates that shipped with the original iTRAC were based on SANS and other common methodologies, but were somewhat rigid: customers could change what step 5 did, for example, but couldn't change a 7-step process to a 6-step process. Sentinel 6 expands the iTRAC system to allow complete customization of the workflow. Customers, consultants, or partners can build a template that exactly matches an organization's existing process for resolving security and compliance incidents.

iTrac Definitions

106

A recent Gartner Hype Cycle claimed that SIEM was dropping into the Trough of Disillusionment. This is likely in part a reflection of the difficulty of configuring, managing, and troubleshooting the data collection aspect of SIEM tools. Sentinel 6 completely re-works the way collectors are configured, with an intuitive and powerful UI that integrates all aspects of managing the flow of event data into Sentinel.

iTrac Components

107

- Wizards walk customers through the process of connecting to an event source and selecting a method of parsing the data.
- The UI for collectors is now in the Sentinel Command Center instead of the Agent Builder.
- Collectors are stored centrally on the Sentinel Server and deployed from there onto the various collector managers. This simplifies version control, updating collectors, etc.
- More granular filtering allows collection of only the relevant data from a particular device; supports Regular Expression filtering.
- Data tap shows the raw data coming from an event source, collector, or collector manager in real time.
- Right-click action to create an ActiveView or dashboard of the data coming from a specific component only.


This is a screenshot of the new interface for creating and customizing incident response templates. This particular template demonstrates a simple template for responding to a virus or malware threat. It demonstrates automated and manual steps, variable usage, and condition-based branching. This UI can be used to create new templates from scratch, or to customize the templates that are delivered with Sentinel.


Objective 2

Process and Work Management


The objectives of this section are:

Process Management on page 110
Work List and Work Item on page 112
Accept Work Item on page 113

Process Management


Work List and Work Item


Accept Work Item


Objective 3

Incident Integration

Incident Integration


User Interaction


Objective 4

iTrac Lifecycle


Objective 5

Role Management


SECTION 7

Administration

The objectives for this Chapter are:


1. User Tools on page 123
2. Global Filters on page 129
3. DAS Statistics on page 133
4. Menu Tools on page 134
5. Servers View on page 137
6. Event Configuration on page 138
7. Color Filters on page 139
8. Mapping Configuration on page 140
9. Summary on page 141


Objective 1

User Tools

Administration Tools on page 123
User Manager on page 124
Permissions on page 125
Roles on page 127
Sessions on page 128

Sentinel includes a flexible and comprehensive permissions model for users, allowing the system administrator to grant granular access to various parts of the system. Users can also be assigned to Roles for use by iTRAC workflow processing. Configure this functionality through the Admin tab. Filters can be applied in several places, including at a global level, to users, and to Active Views.

Administration Tools

Most of the general system administration tasks are to be found under the Admin tab of the Control Center, which will be visible to all who have been given permission to see it. Under this tab, there are several subsections, listed on the left. Many of these will be discussed in later chapters. This section will cover:
- User Manager
- Role Manager
- Filter Manager
- Global Filter Configuration
Together, these topics will help you understand how to selectively present data to any given system component, or to individual users. We will also cover Collector management later in the chapter.

User Manager

The Sentinel Control Center allows for the management of users through the User Configuration / User Manager. All new users are created as database users. User Management: Through the User Manager Window, the admin user can modify, add, delete, and edit user permissions.


When creating a new user, the following fields are listed:
- User ID
- First Name (optional)
- Last Name (optional)
- Phone (optional)
- Email (optional)
In addition, each user is assigned a filter, known as a security filter. The user can only see data that passes through the filter. Individual permissions for Sentinel are assigned per user (more on this in a moment).

Permissions

Each individual user is given permissions which control access to interface tabs, menus and functionality. Permissions can be grouped in the following categories:
- General (to modify other users' filters)
- Private Filters
- Public Filters
- Active Views
- Menu Items
- Summary Displays
- iTRAC
- Incidents
- Agent Health
- Analysis tab option (requires Crystal Enterprise installation and setup)
- Advisor tab option (requires prior installation of Advisor)
- Administration tab option
Cloned users inherit the original user's permissions. Cloning is often a much quicker way to create a set of similar users. All users can be assigned to Roles, which are used by iTRAC to delegate Activities in workflows.


Roles

Roles are groups of users that are assigned to an iTRAC Activity. The Role Manager contains the default roles (Admin and Analyst) that come with the product. New Roles can be defined by clicking on the Add Role button. Double-click to edit an existing Role. Roles can include any number of users in the system. A user can belong to zero or more roles, and can be added to roles via either the User Manager or Role Manager.


Sessions

In addition to creating new users, an Administrator can monitor active user sessions through this window. The window lists the users logged into the system, along with their IP address and login time. The Administrator (or anyone with permissions to do so) can terminate a user's session at any time.


Objective 2

Global Filters

Global Filters Description on page 129
Creating Global Filters on page 130
Filter Manager on page 131

Filters can be applied in the Publisher Channel as well as in Active Views. The following section describes Global Filters.

Global Filters Description

The first level of filtering is done at the Collector Manager level through Global Filters. Global Filters contain criteria that are applied to events coming into the system. These filters apply equally to all events generated from all Collector Managers in the system. Global Filters allow for the following actions on events, which in turn constitute the filtering:
- Drop events
- Route events to the Database only
- Route events to the Database and the Sentinel real-time GUI interface, which includes the Correlation Engine
This type of filter is processed by the Collector Manager; Global Filters are created through the Sentinel interface in the Admin tab under the Global Filter Configuration. Global Filters can be enabled and disabled as necessary; they apply to all Collector Managers in the system. Note that filters are applied sequentially in the list; if an event is not processed by any of the filters, the default action listed at the bottom of the screen is performed. Do not set the default action to Drop, unless you have a specific reason to do so.

Creating Global Filters

The Global Filter Configuration allows for creation and management of Global Filters:
- Enter Filter Name, Active status, Action, Expression
- Select the Default Action:
  - Database Only: events will be sent directly to the database, bypassing the GUI real-time channel
  - Database and GUI: events will be sent to the GUI and the database
GUI includes all real-time processing, e.g. Control Center and Correlation Engine. Global Filters work on a first-match-wins basis: incoming events are passed through each filter in turn from top to bottom. If a filter matches the current event, the event completes the action for that filter. If the event matches none of the listed Global Filters, it performs the Default Action.
IMPORTANT: Before saving, select the default action to be taken when an event matches none of the listed filters. This action will usually be Database and GUI.
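As an added illustration (not Sentinel code), the following Python models the Collector Manager's evaluation of the Global Filter list described above: first match wins, inactive filters are skipped, and the Default Action applies when nothing matches. The filter list and events are constructed samples, and the filter expressions are stand-in Python predicates rather than Sentinel filter syntax.

```python
"""Model of Global Filter evaluation (added example, not Sentinel code)."""
from typing import Callable, Dict, List, Optional, Tuple

# The three actions a Global Filter (or the Default Action) can take.
DROP = "Drop"
DB_ONLY = "Database only"
DB_AND_GUI = "Database and GUI"

Event = Dict[str, object]
# (Filter Name, Active, Action, Expression) as entered on the configuration screen.
GlobalFilter = Tuple[str, bool, str, Callable[[Event], bool]]


def route_event(event: Event, filters: List[GlobalFilter],
                default_action: str) -> Tuple[str, Optional[str]]:
    """Return (action, filter_name) for the first active filter that matches.

    Filters are tried top to bottom; once one matches, the later ones are not
    consulted. If nothing matches, the Default Action applies and the filter
    name is None.
    """
    for name, active, action, expression in filters:
        if active and expression(event):
            return action, name
    return default_action, None


def summarize(events: List[Event], filters: List[GlobalFilter],
              default_action: str) -> Dict[str, int]:
    """Count where a batch of events ends up; run it once with each Default
    Action to see what a default of Drop does to events no filter anticipated."""
    counts = {DROP: 0, DB_ONLY: 0, DB_AND_GUI: 0}
    for event in events:
        action, _ = route_event(event, filters, default_action)
        counts[action] += 1
    return counts


# Constructed sample filter list, in the order it would appear on the screen.
FILTERS: List[GlobalFilter] = [
    ("Drop severity-0 noise", True, DROP,
     lambda e: e.get("Severity", 0) == 0),
    ("Firewall accepts to DB only", True, DB_ONLY,
     lambda e: e.get("EventName") == "Accept" and e.get("SensorType") == "FW"),
    ("Disabled catch-all", False, DB_ONLY,
     lambda e: True),                      # inactive, so never consulted
    ("High severity to console", True, DB_AND_GUI,
     lambda e: e.get("Severity", 0) >= 4),
]

# Constructed sample events (fields named after Sentinel event columns).
SAMPLE_EVENTS: List[Event] = [
    {"EventName": "Accept", "SensorType": "FW", "Severity": 1},
    {"EventName": "Accept", "SensorType": "FW", "Severity": 0},  # filter 1 wins
    {"EventName": "Login failed", "SensorType": "OS", "Severity": 5},
    {"EventName": "Login", "SensorType": "OS", "Severity": 2},  # no filter matches
]

if __name__ == "__main__":
    for default in (DB_AND_GUI, DROP):
        print(f"Default Action = {default}: {summarize(SAMPLE_EVENTS, FILTERS, default)}")
```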

Filter Manager

Filters for use as User, Active View, or Correlation Rule filters are created through the Admin tab under the Filter Manager window. The Filter Manager window shows a list of filters with the following fields:
- Owner
- Filter Name
- Expression String
There are two ways of constructing filters: a graphical interface through the Filter Builder, and a Freeform option. We covered the creation of filters earlier in the training.


Objective 3

DAS Statistics

You can use the DAS Statistics tool from the Admin tab of the Control Center to monitor the performance of various components of the system. Statistics are broken down as follows:
- Service: name of service
- Time: time since last update
- Num: number of requests processed for this entry
- WaitTime: average wait time in seconds for a request before processing starts
- Runtime: average time in seconds to process a request
- #wait: average size of the wait queue
- #run: average size of the run queue


Objective 4

Menu Tools

Right-Click Tools on page 134
Creating and Editing Menu Tools on page 135

Right-click menu tools make some administration tasks easier to complete.

Right-Click Tools

As we saw when researching Incidents or live events at the Console, the User has access to the right-click menu for further analysis. The lower section of this menu is the Menu Tools section; it contains user-definable tasks that can be run as part of the analysis. Configuring this with useful commands can be an integral part of researching Incidents to resolution. To configure these commands, use the Menu Configuration selection of the Admin tab in Control Center. This brings up the Menu Configuration dialog, which lists the commands assigned to the Menu Tools menu. You must click Modify before you can edit the tools, which protects users from overwriting each other's work. You can create new tools from scratch, or clone existing ones and modify them. You can also move tools up and down within the menu list, and deactivate them to temporarily hide them.


Creating and Editing Menu Tools

To create a Menu Tool, click on the New button in the Menu Configuration (or click Clone to copy an existing rule, or Details on an existing Tool). From the Details dialog, you can set the name that appears in the right-click menu. You can also create submenus by simply separating the menu selections with a forward slash (/). There is no inheritance going on here; the prefixes before the slash merely serve as menu entries. There are two possible actions: Execute Command and Invoke Browser. The former allows you to invoke an arbitrary script and the latter allows you to start up a browser pointed at a specific URL. All scripts must live in the ESEC_HOME\sentinel\bin directory to be executable by Sentinel. The Command/URL field is where you specify the script name, or the URL that will be passed to the browser. Do not include any arguments on this line. In the Parameters field, specify any static arguments, and any meta-tags you wish to pass to the script or URL. Meta-tags are specified using %<var>% syntax, such as %SourceIP%. You can see a list of the possible variables by clicking on the Help button.

Commands are invoked on the Sentinel server, and any text output is displayed in a window at the Control Center. Interaction with the command is not possible through the standard interface. You can create Menu Tools to do many things: connect to firewalls to block SourceIPs, send event parameters into a database, perform SQL queries against the database based on passed parameters, pretty much anything you can think of.
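As an added example (not part of the manual or of Sentinel), here is the kind of script a Menu Tool might invoke from ESEC_HOME\sentinel\bin. It assumes a hypothetical tool with Command/URL set to ip_lookup.py and Parameters set to %SourceIP% %DestinationIP%; because the substituted values are whatever the event source reported, the script validates them before it does anything with them, and the watchlist is a constructed sample.

```python
"""Menu Tool script ip_lookup.py (added example, not Sentinel code).

Assumed (hypothetical) tool definition: Command/URL = ip_lookup.py,
Parameters = %SourceIP% %DestinationIP%. Sentinel substitutes the event
fields, runs the script on the Sentinel server, and displays whatever it
prints in a window at the Control Center.
"""
import ipaddress
import sys
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample watchlist; a real tool would read it from a file under
# ESEC_HOME that the analysts maintain.
WATCHLIST = {"10.0.0.5", "192.0.2.44", "198.51.100.7"}


def parse_ip(value: str) -> Optional[IPAddress]:
    """Return the parsed address when the field is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def classify(value: str) -> str:
    """Classify one substituted meta-tag value.

    'rejected'    - not an IP literal (empty because the event had no SourceIP,
                    or a field holding something other than an address)
    'watchlisted' - the address is on WATCHLIST
    'clean'       - a well-formed address that is not on the list
    """
    ip = parse_ip(value)
    if ip is None:
        return "rejected"
    return "watchlisted" if str(ip) in WATCHLIST else "clean"


def lookup_argv(value: str) -> Optional[List[str]]:
    """Build the argument vector for an external lookup of a validated address.

    The address is handed to subprocess as its own argv element rather than
    being interpolated into a shell command line, so a field that contains
    shell metacharacters is rejected here instead of being interpreted.
    """
    ip = parse_ip(value)
    if ip is None:
        return None
    return ["whois", str(ip)]


def report(fields: List[str]) -> List[str]:
    """One output line per parameter, in the order Sentinel passed them."""
    return [f"{field!r}: {classify(field)}" for field in fields]


if __name__ == "__main__":
    # sys.argv[1:] holds the substituted Parameters from the Menu Tool definition.
    print("\n".join(report(sys.argv[1:])))
```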


Objective 5

Servers View


Objective 6

Event Configuration


Objective 7

Color Filters


Objective 8

Mapping Configuration


Objective 9

Summary

Most basic administration of the Sentinel system is performed through the Admin tab. We have discussed the tools for basic administration; in later chapters we will look at the additional tools we did not yet cover (Database, Correlation, Reporting, and so on).


SECTION 8

Reporting

The objectives of this Chapter are:


1. Reporting Analysis Trends on page 145
2. Reporting Communication on page 146
3. Reporting Installation on page 147
4. Report Templates on page 148
5. Starting Crystal Reports on page 150
6. Infoview on page 151
7. Scheduling Reports on page 152
8. Reporting Settings on page 153
9. Sentinel Reporting Configuration on page 155
10. Running a Report on page 157
11. Output on page 158
12. Summary on page 159

An important component of network security is running reports. Reports, which provide a longer-term historical view of network activity, can help highlight trends and issues that might not be obvious during short-term analysis.


Objective 1

Reporting Analysis Trends

Sentinel provides a centralized management window to analyze data in real-time. The Real Time tab is used to analyze most of the real-time data. However, if event rates are very high, the use of Quick Queries allows the user to retrieve a static set of information from the database in the range of minutes to hours. Historical Analysis is useful to identify trends or do forensic analysis. The Analysis tab contains a series of Reports that allow for daily, weekly or date range reports.


Objective 2

Reporting Communication

The Crystal Reports Enterprise server sits outside the Sentinel system, and does not use the iSCALE Message Bus. Instead, it uses standard SQL queries to fetch information from the database. Likewise, the Control Center communicates with the Crystal Reports server using standard XML web requests. There are in fact a number of ways to load and run Crystal Reports. You can:
- Use the Analysis tab in Control Center, with the built-in browser: this method loads and displays the reports directly inside the Control Center.
- Use the Analysis tab in Control Center, with an external browser: this method starts up a browser and sends the report query to it, and the external browser connects to the Crystal server. The browser is invoked on the same box as the Control Center.
- Use the Crystal-provided InfoView: this method is completely outside the Sentinel system, and just accesses the Sentinel database. You can run the browser from any computer on the network.


Objective 3

Reporting Installation

Chapters 9 and 10 of the Sentinel 6.1 Installation Guide discuss setting up the Reporting system for Sentinel. We will cover the Sentinel-specific portions here, and assume:
- You have Crystal Reports Enterprise XI R2 installed on a Windows or Linux machine on your network
- You have an SQL Server installed on the same machine, for Crystal to store data in
- If using Windows, you have IIS and ASP.NET installed so other machines can talk to the Crystal server
- The Crystal server, Control Center, and Sentinel database can see each other over the network
- The system has been tested and can run the Crystal sample reports correctly


Objective 4

Report Templates

Next, we load the Sentinel Report Templates into the Crystal system. Crystal provides a Publishing Wizard tool to upload reports into the folder structure maintained on the Crystal Reports server.
- Run Start > All Programs > Crystal Reports Server > Publishing Wizard
- Log in to the Crystal system, then click Add Folder (check Include Subfolders) and select:
  - For Crystal Reports (Oracle users): \3rdparty\reporting\crystal\oracle
  - For Crystal Reports (MSSQL users): \3rdparty\reporting\crystal\ODBC
- Accept the defaults, but in the Specify Location window, create a new folder called eSecurity_Reports.
- For the remaining screens:
  - Duplicate the folder hierarchy
  - Create a category, such as esecurity, for the reports
  - Let users update the object
  - Enable All for Repository Refresh
  - Enable All for Keeping Saved Data
  - Publish reports without modifying properties
The above instructions will also apply if Novell releases additional or updated reports that you wish to install into your Sentinel system. Once this operation is complete, you will be able to run the reports through the Crystal InfoView interface (note: for Top 10 reports to work, aggregation must be turned on). You should check that the Sentinel reports appear in InfoView and that they can pull data from the Sentinel database.


Objective 5

Starting Crystal Reports

In most configurations, Crystal starts automatically when the host system is started. To check on the status of the various Crystal components, however, the Central Configuration Manager tool is provided as part of the Crystal install. This tool shows the state of all Crystal modules and provides a place to stop/start/restart them. For Sentinel reports to run, the modules shown above must be in the active state. (Note: According to Novell Sustaining Engineering, there is a slight possibility that the Central Configuration Manager tool might get out of sync with the actual state of the Crystal modules. In this case, use the web-based Administration Launchpad, which contains a very similar tool.)


Objective 6

Infoview

The direct web browser interface to the Sentinel reports is shown above; if you use this, you will need to navigate into the eSecurity_Reports folder to see the Sentinel reports. This interface is also where you would schedule reports and set various properties for the reports. To run reports through this interface, simply select the report name. You will be prompted for a set of parameters.


Objective 7

Scheduling Reports

To schedule reports, select Schedule under the report of interest. You must specify the appropriate default parameters as well as the schedule for running the report. Once the report is complete, it will display as one of the report Instances.


Objective 8

Reporting Settings

The web-based version of the Central Management Console (accessed via the Administration Launchpad) provides many more features than the standalone executable. This tool is where you manage users, servers, connections, and detailed report settings.


Various report settings can be defaulted so that they are not prompted for when a report is run interactively. This option is enabled by modifying the report parameters through the Central Management Console. From the front page of the Console, navigate to: Folders > eSecurity_Reports > <report folder> > <click on report name> > Process tab > Parameters. Each parameter can be pre-set or prompted for during report creation.


Objective 9

Sentinel Reporting Configuration

The final step is to connect Sentinel to the Crystal server, so you can run reports from within Sentinel. This connection is mediated through the script GetReports.asp, which lives at the root of the webserver on the Crystal machine. Sentinel will use this connection to load the list of reports and display them under the Control Center Analysis tab. Under the Admin tab, select Report Configuration. The resulting dialog (above) is where we configure Reporting and Advisor Reports. In the Analysis URL field, type:
http://<hostname_or_IP_of_web_server>/GetReports.asp?APS=<hostname>&user=Guest&password=&tab=Analysis
(where <hostname_or_IP_of_web_server> is the address of the Crystal machine). If you have Advisor installed, type the following in the Advisor URL field:
http://<hostname_or_IP_of_web_server>/GetReports.asp?APS=<hostname>&user=Guest&password=&tab=Advisor


Once complete, click on the Refresh buttons to test the connection. The button should turn green and you should get a note about quitting and restarting the Control Center. You may also specify whether you want to use an external browser or the built-in browser. If you choose an external browser, it will be invoked outside of Sentinel when you run reports. Once this process is complete, your reports should be ready and available through the Analysis tab in Control Center.


Objective 10

Running a Report

Once you are connected to the reporting system, the system automatically loads the requested report. The first parameter you pass the report is the user that Crystal will use to log in to the Sentinel database; by default, this is set up as user esecrpt. The report parameter screen then loads, which will vary depending on the type of report you are running. Specifying larger sets of data (e.g. larger date ranges, a wider set of parameters to accept such as severity, and so on) will take more resources to run your report.


Objective 11

Output

The report output appears onscreen in the browser window.


Objective 12

Summary

Reporting can be critical for showing long-term trends in the network environment, and for tracking compliance with various IT policies. Sentinel's reporting system, through Crystal Reports, leverages the extensive Sentinel database to provide comprehensive reports for your enterprise.


SECTION 9

Database

The objectives of this Chapter are:

Events


SECTION 10

RuleLG I

The objectives of this Chapter are:


1. Correlation Wizard on page 182
2. Correlation Logic on page 184
3. Sentinel Rule Language on page 186
4. Summary on page 214

Objective 1

Correlation Wizard
The objectives of this section are:

- Description on page 182
- Correlation Rule Types on page 183

Description

The Sentinel 6.1 Correlation Wizard simplifies rule creation and makes it practical to build more advanced correlation rules; there are new constructs and operators. Sentinel 6.1 also performs correlation in memory, and can collect and store asset data for enhanced correlation and reporting. Administrative overhead is reduced by managing correlation engines centrally: from one place the engine can be started and stopped, rules can be enabled and disabled, and rules can be deployed and undeployed. Graphically monitored status and activity information displays rule status, the number of events processed by the engine or by each rule, and the number of times each rule has fired.

There is a new Correlation tab (this functionality used to be located under the Admin tab). Rules can still be created using the freeform editor, or created using the new Wizard.

Correlation Rule Types

Objective 2

Correlation Logic

Objective 3

Sentinel Rule Language


The objectives of this section are:

- Constructs and Operators on page 187
- Filters on page 190
- Actions on page 194
- Action Configuration on page 196
- Basic Correlation on page 197
- Simple and Aggregate Rules on page 198
- Filter Syntax on page 199
- Filter Example on page 200
- Trigger on page 201
- Trigger Example on page 202
- Trigger Details on page 203
- Grouping on page 204
- Trigger Example (Freeform) on page 205
- Trigger Example (Wizard) on page 207
- Aggregate Example on page 208
- Filter Versus Trigger on page 209
- Composite Rule on page 210
- Composite Rule Example on page 213

Constructs and Operators

We have discussed several times how the output from one function can be sent to the next function. This is implemented with the flow operator:

filter(e.sev = 3) flow trigger(3,60)

Here only severity 3 events go into the trigger function. The Basic and Advanced Correlation wizards build up rules using the flow operator. In addition, we can combine the outputs from functions in other ways: two operators, intersection and union, are exact analogs of AND and OR for combining the output sets of multiple RuleLG functions.

Filters

Actions

Action Configuration

Basic Correlation

We have looked at the three basic functions of Correlation based on how they are used by the wizards; now let's look at them again in more detail, and at how they can be combined. The Correlation Engine is built around three fundamental operations, which are combined to form a rule using additional operators. Two of the fundamental operations are covered in this Chapter:

- Filter
- Trigger

NOTE: The third operation, Window, is discussed in the next Chapter.

The rule language directly reflects these operations and the intuitive ways in which they can be combined to define correlation rules. Each operation has been specifically designed and implemented for high performance. You combine the functions using three operators:

- flow
- union
- intersection

Simple and Aggregate Rules

There are only three basic functions that the RuleLG language supplies; here we remind you of the basic behaviour of the filter() and trigger() commands.

Filter: looks at each single raw event coming into the rule and compares it to a pattern. If it matches, the output set is the matched single event, after which the filter resets. This is very similar to the filters we saw in Active Views.

Trigger: looks for a certain number of events over a certain time period. For instance, you can look for three events in 60 seconds. Trigger has an additional parameter that allows you to group the incoming events by one or more of the event parameters. This allows you to look for three events on any particular machine without writing individual rules per machine. The output set is the set of events that triggered the rule, i.e. the events that matched the pattern. The trigger does not reset until it no longer sees the pattern within the time window.

Filter Syntax

The filter operation filters according to the content of the current single event. It uses a Boolean expression that is evaluated at run time against the current event:

- The filter operation returns the input set if the Boolean expression evaluates to true.
- The filter operation returns an empty set if the Boolean expression evaluates to false.

Output from multiple filter() operations can be combined further using the union or intersection operators; however, it is more efficient to use the and and or operators within a single Boolean expression than to use multiple filter() operations joined with union and intersection.

In any correlation rule, the final output is a Correlated Event that is stored in the Events table. The relationship between the correlated event and the events that make it up is stored in the Associations table and in the Correlated_Events table. If filter() is the last function of a Rule, then the output from filter() is used to generate a Correlated Event.

Filter Example

The current event is evaluated against the two meta-tags in the Boolean expression of the filter. If the current event meets the condition, the output set contains that current event. Here is a more complicated example:

filter( (e.sip = 128.103.54.12 or e.sip = 128.103.54.16) and ( e.dp = 80 ))

Interpretation: matches if traffic is from IP .12 or .16 and is sent to port 80. Note how parentheses are used to group the evaluation expressions.

filter( e.all match regex(root) )

Matches if any meta-tag of the event contains the text root.
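The following Python model is an added example, not code from this manual or from Sentinel: it parses the subset of filter() syntax used above (meta-tag comparisons with =, e.all match regex(...), and, or and parentheses) into a predicate, and applies filter() semantics to a few constructed events. The event dictionaries, the names tokenize, parse_filter and run_filter, and the acceptance of optional double quotes around values are assumptions made for the illustration; the real engine's grammar is larger than this subset.

```python
import re

# Constructed sample events (not from the manual); keys are Sentinel-style meta-tag names
EVENTS = [
    {"sip": "128.103.54.12", "dp": "80", "msg": "GET /index.html"},
    {"sip": "128.103.54.16", "dp": "443", "msg": "TLS handshake"},
    {"sip": "10.0.0.5", "dp": "80", "msg": "GET /admin"},
    {"sip": "10.0.0.7", "dp": "22", "msg": "Failed password for root"},
]

# One token per match: parentheses, keywords, e.<tag>, '=', a quoted value, or a bare value.
# Keywords are listed before the bare-value rule so that 'and'/'or' are not read as values.
TOKEN_RE = re.compile(
    r'\s*(\(|\)|and\b|or\b|match\b|regex\b|e\.\w+|=|"[^"]*"|[^\s()="]+)'
)


def tokenize(text):
    pos, tokens = 0, []
    text = text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent over the token list.
    expr   := term ('or' term)*          (and binds tighter than or)
    term   := factor ('and' factor)*
    factor := '(' expr ')' | e.<tag> '=' value | e.<tag> 'match' 'regex' '(' pattern ')'
    Each production returns a predicate taking one event dict."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def expr(self):
        pred = self.term()
        while self.peek() == "or":
            self.take("or")
            pred = (lambda a, b: lambda e: a(e) or b(e))(pred, self.term())
        return pred

    def term(self):
        pred = self.factor()
        while self.peek() == "and":
            self.take("and")
            pred = (lambda a, b: lambda e: a(e) and b(e))(pred, self.factor())
        return pred

    def factor(self):
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        tag = self.take()
        if not tag.startswith("e."):
            raise ValueError(f"expected a meta-tag such as e.sip, got {tag!r}")
        name = tag[2:]
        if self.peek() == "=":
            self.take("=")
            value = self.take().strip('"')
            return lambda e: str(e.get(name, "")) == value
        self.take("match")
        self.take("regex")
        self.take("(")
        pattern = re.compile(self.take().strip('"'))
        self.take(")")
        if name == "all":  # e.all: any meta-tag of the event may match
            return lambda e: any(pattern.search(str(v)) for v in e.values())
        return lambda e: pattern.search(str(e.get(name, ""))) is not None


def parse_filter(text):
    """Turn 'filter( <expr> )' (or a bare expression) into a predicate on one event."""
    text = text.strip()
    if text.startswith("filter(") and text.endswith(")"):
        text = text[len("filter("):-1]
    return _Parser(tokenize(text)).parse()


def run_filter(text, events):
    """filter() semantics per event: the event itself if the expression is true, else nothing."""
    pred = parse_filter(text)
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    print(run_filter("filter( (e.sip = 128.103.54.12 or e.sip = 128.103.54.16) and ( e.dp = 80 ))", EVENTS))
    print(run_filter("filter( e.all match regex(root) )", EVENTS))
    print(run_filter('e.dp = 80 or e.dp = 22 and e.sip = "10.0.0.7"', EVENTS))  # and binds tighter than or
```

The third call shows why the parentheses in the slide example matter: without them, and binds tighter than or, so the port-22 clause is only qualified by the source address.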

Trigger

The trigger() operation counts events over a specified duration. It defines a threshold count of events within a time condition and applies an optional discriminator that identifies unique buckets, to each of which the threshold count and time window conditions are applied independently.

Note that trigger() itself does not apply any filtering; every event that enters the trigger() function is put in a bucket and counted. If you wish to trigger on certain types of events, you must pre-filter the events and then flow that output into trigger().

Output: If the specified count is reached within the specified duration, a set containing all of the events maintained by the trigger is output. This occurs independently for each bucket the trigger() maintains. If the specified count is not reached within the specified duration, an empty set is output (i.e., nothing).

It is possible to combine multiple trigger() commands with union or intersection, and to pass output to another command using flow, but this is uncommon. Usually trigger() is the last function in a Correlation rule, and is used to detect multiples of the previous calculations. When trigger() is the last function, its output is used to generate a Correlated event. The relationship between the Correlated event and the events that make it up is stored in the Associations table and in the Correlated_Events table. With trigger(), each Correlated event will typically refer to multiple raw events.

Trigger Example

Trigger Details

The trigger operation receives an input set of events, which it returns as part of its output set if the count, duration and discriminator(s) combination of the previous input sets and the current input set meets the criteria defined by the trigger operation.

If the duration in the trigger command is zero, the trigger operation simply compares the number of events in the current input set with count, and outputs the input set if this number is greater than or equal to count. For example:

filter(1=1) flow trigger(2,0)

will never fire, because the input set reaching the trigger from the filter only ever contains one event. By contrast:

window(e.sip=w.sip,10) flow trigger(3,0)

will fire if there were two previous events with the same source IP as the current event (totaling three). In this case only the current event is sent as the Correlated Event (more on this later).

When receiving a new event, a trigger first discards the outdated events that have been in its storage for longer than the duration, then inserts the new event. If the number of resulting events is greater than or equal to the specified count, the trigger outputs a set containing all of the events that have not been output before.

If a trigger is the only or last operation of a correlation rule, then the output set of the trigger is used to construct a Correlated Event (in general). Any meta-tags common across all input elements are copied to the Correlated Event, and all trigger events are added to the associations table for that Correlated Event.

If a trigger is not the last operation of a correlation rule, i.e. if there is a flow operator to its right, then the output set of the trigger is used as the input set of the other operations through the flow operator.

After the first time the trigger criteria are met and the trigger outputs a set of events, if the criteria are met again with a set containing at least one of the previously output events and the trigger is the last operation, the Correlation Engine does not construct a new correlated event but instead constructs an update to the previous Correlated Event. In other words, if an attack pattern causes a trigger to fire, events that match the ongoing attack are added to the existing Correlated Event until the attack ceases.

Grouping

Let's quickly review another trigger() feature: grouping by meta-tag. Suppose you want to detect three failed login attempts in a given 60-second period. The obvious thing to do is simply to set up a trigger looking for 3 or more failed logins in 60 seconds. But this will generate output regardless of which machine the logins are occurring on. One solution would be to set up a separate rule for each machine, but this quickly becomes cumbersome. A better approach is to have the trigger function create groups for you, and treat them independently. You do this through the "Group similar events by the following meta-tags" dialog.

As each raw event comes into the trigger function, the function creates a bucket for each distinct event it sees (distinct only with respect to the selected meta-tag). So, for instance, if you group by DestIP, then every new DestIP the trigger function sees gets its own bucket. The rest of the trigger functionality is then applied in parallel and separately to each bucket.

Note that you can specify multiple meta-tags for the discriminator. In this case, each distinct combination of tags gets its own bucket. Example, with SIP and DIP specified:

Event 1: SIP A, DIP X: create bucket A/X
Event 2: SIP B, DIP Y: create bucket B/Y
Event 3: SIP A, DIP Y: create bucket A/Y
Event 4: SIP B, DIP Y: put into the existing bucket B/Y

Trigger Example (Freeform)

In this example, each input event is placed in the bucket matching its discriminator value (e.sip), and each bucket is counted for 5 events in 10 seconds. Whenever the criteria are met, the operation outputs a set containing the events in the bucket.

Let's assume we see 10 events in 10 seconds, one event per second, from a particular SourceIP:

- After 5 seconds the rule triggers for the first time and creates a correlated event.
- After 6 seconds the rule again finds 5 or more events within 10 seconds (events 1-6). It triggers again, but finds that events 1-5 are in common with the previous triggering, so instead it sends an update containing event 6.
- After 7 seconds the rule sees events 2-7 passing the condition; it triggers again, finds that events 2-6 are in common with the previous triggering, and sends an update containing event 7, and so on.

When this trigger() no longer sees 5 events in 10 seconds from a particular source IP, it resets that bucket and starts counting again.

The threshold count is an integer value specifying the number of events that need to occur within the duration to output a non-empty set. The duration is an integer value specifying the length of time in seconds that events are maintained by the trigger operation. The discriminator is a comma-delimited list of meta-tags; a trigger operation keeps a separate count for each distinct combination of the discriminator meta-tag values. In the slide example, where the discriminator is the source and destination IP, the trigger alerts when 5 events between the same source and destination IP address have occurred within 180 seconds.

Trigger Example (Wizard)

Aggregate Example

Filter Versus Trigger

Simple filter() rules pass any events that match the filter expression. Each incoming event is processed separately and passed to the output, and each passed event generates a Correlated event.

When the output of filter() is passed to trigger(), trigger() groups the output events. When the threshold count is one (as in Rule 2), trigger() creates output immediately. For the first event passed to this trigger(), therefore, the output appears identical to Rule 1. Further events within the 30-second time window, however, still match the trigger() specification; these new events do not generate new Correlated events but are instead added to the existing Correlated event. Following a simple filter() with a 1-event trigger(), therefore, helps prevent many Correlated events being created for a single incident.
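The following Python model is an added example, not taken from this manual or from the Sentinel engine. It implements the trigger() behaviour described under Trigger Details, Grouping and the freeform Trigger Example (buckets per discriminator value, ageing events out after the duration, a "new" Correlated Event on the first firing and "update" output for later firings that share events with it, and the zero-duration form that only counts the current input set), and then runs the Rule 1 / Rule 2 comparison from Filter Versus Trigger. The Trigger class, run_rule, the failed_login sample events and their timestamps are constructed for the illustration; the engine's real internals are not known to this example.

```python
from collections import defaultdict, deque


def failed_login(ts, sip, dip="10.1.1.10"):
    """Constructed sample event (not from the manual): ts in seconds, short meta-tag names."""
    return {"id": f"{sip}@{ts}", "ts": ts, "evt": "Failed Login", "sip": sip, "dip": dip}


class Trigger:
    """Model of RuleLG trigger(count, duration, discriminator).

    feed() takes the output set of the previous operation in the flow (one event
    from filter(), current + matched past events from window()) and returns a
    list of (kind, ids): "new" for a fresh Correlated Event, "update" when the
    bucket still holds events that were already output, in which case only the
    events not output before are listed.  Events are assumed to arrive in
    timestamp order.
    """

    def __init__(self, count, duration, discriminator=()):
        self.count, self.duration = count, duration
        self.discriminator = tuple(discriminator)
        self.buckets = defaultdict(deque)  # discriminator values -> events inside the duration
        self.emitted = defaultdict(set)    # discriminator values -> ids already output

    def feed(self, input_set):
        if not input_set:
            return []
        if self.duration == 0:
            # trigger(n, 0): no storage at all, only the size of the current input set counts
            ids = [e["id"] for e in input_set]
            return [("new", ids)] if len(ids) >= self.count else []
        now = max(e["ts"] for e in input_set)
        touched = []
        for event in input_set:
            key = tuple(event.get(tag) for tag in self.discriminator)
            bucket, seen = self.buckets[key], self.emitted[key]
            while bucket and now - bucket[0]["ts"] > self.duration:
                seen.discard(bucket.popleft()["id"])  # aged out: forget that it was ever output
            bucket.append(event)
            if key not in touched:
                touched.append(key)
        results = []
        for key in touched:
            bucket, seen = self.buckets[key], self.emitted[key]
            if len(bucket) < self.count:
                continue
            ids = [e["id"] for e in bucket]
            fresh = [i for i in ids if i not in seen]
            kind = "update" if seen.intersection(ids) else "new"
            seen.update(fresh)
            results.append((kind, fresh))
        return results


def run_rule(events, predicate, trigger):
    """filter(predicate) flow trigger(...): returns (ts, kind, ids) for every trigger output."""
    out = []
    for event in events:
        passed = [event] if predicate(event) else []  # filter(): the single event or the empty set
        for kind, ids in trigger.feed(passed):
            out.append((event["ts"], kind, ids))
    return out


def is_failed_login(e):
    return e["evt"] == "Failed Login"


def demo_burst():
    """filter(e.evt = Failed Login) flow trigger(5, 10, e.sip): 5 events in 10 s per source."""
    events = [failed_login(t, "192.0.2.7") for t in range(1, 11)]          # one per second
    events += [failed_login(3, "192.0.2.9"), failed_login(4, "192.0.2.9")]  # only two from this host
    events += [failed_login(30, "192.0.2.7")]                               # after the burst stopped
    events.sort(key=lambda e: e["ts"])
    return run_rule(events, is_failed_login, Trigger(5, 10, ["sip"]))


def demo_filter_vs_trigger():
    """Rule 1: filter() alone.  Rule 2: the same filter() flow trigger(1, 30)."""
    events = [failed_login(t, "192.0.2.7") for t in (0, 5, 40)]
    rule1 = [(e["ts"], "new", [e["id"]]) for e in events if is_failed_login(e)]
    rule2 = run_rule(events, is_failed_login, Trigger(1, 30))
    return rule1, rule2


if __name__ == "__main__":
    for row in demo_burst():
        print(row)
    print(demo_filter_vs_trigger())
```

Run as a script, the burst demo prints one "new" row at second 5 carrying events 1-5 of 192.0.2.7 and one "update" row per later second carrying only the newly arrived event; the host with two attempts never fires, and the straggler at second 30 finds its bucket emptied and starts a fresh count. In the second demo Rule 1 yields three Correlated events while Rule 2 yields one event, one update, and a new event only for the login 40 seconds later, outside the 30-second window.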

Composite Rule

Composite Rule Example

Objective 4

Summary

The Sentinel Correlation technology can be used to detect all sorts of traffic patterns on your network. Virus attacks, worms, password crack attempts, account policy violation, and so forth are all possible, as long as the data you need is being collected from your source devices. You can use the Correlation Engine to automate many of your IT controls and to implement automatic incident handling and resolution.

SECTION 11

RuleLG II

The objectives of this Chapter are:

1. Correlation Updates on page 216
2. Sequence on page 217
3. Window on page 218
4. Dynamic Lists on page 233
5. Summary on page 234

Objective 1

Correlation Updates

Objective 2

Sequence

Objective 3

Window
The objectives of this section are:

- Window Enhancement on page 218
- Window Basic Function on page 219
- Window Syntax on page 220
- Window Filters on page 222
- Window Example 1 on page 224
- Window Example 2 on page 227
- Window Example 3 on page 228
- Window Example 4 on page 229
- Window Thresholds on page 232

Window Enhancement

Window Basic Function

There are only five basic functions that the RuleLG language supplies, but these functions are fairly subtle and can be combined in arbitrarily complex ways. These functions should be considered somewhat like the filters we've already seen: they take an input set of data, and if the rule matches, there is some output data. Unlike the filters we've seen, however, RuleLG can filter based on previous information.

Window: allows you to temporarily store events of interest, and then use those stored events as a way to filter the incoming raw events. For instance, let's say you want to watch for someone attempting to log in multiple times. You collect login events and store them in your window (for some time period); when a new event comes in you match it against the stored events, and if the username matches, the output is the new raw event plus the stored events that it matched. Any event parameter can be matched against any other event parameter for more sophisticated correlations.

Window Syntax

The window operation works on the current event in relation to a window of past events, which are maintained by the window operation itself. The window operator defines the connection between the current event (e) and each past event (w). The storage filter determines which events are stored in the window based on its own evaluation expression. Note that although the storage filter also references e., the event it evaluates is the current event with respect to that filter operation, which runs one event behind the main flow of events.

Output:

- If the current event did not match the evaluation expression, the output of a window is an empty set.
- If the current event matched the evaluation expression, the output of a window is a set containing the current event and all of the past events for which the evaluation expression and the storage filter are true (in general; we will cover special cases later).

If window() is the last element of a rule, its output is used to generate a Correlated event. Often, output from window() is flowed into the trigger() function.

The window() operator includes an evaluation expression section that is similar to the evaluation expression in a filter, except:

- Only one clause may appear in the window() evaluation expression.
- Not all comparison operators available in filter() are available in window().
- window() adds the ability to match against stored (windowed) events by using the w.<metatag> construct (these appear in the GUI as =Metatag and the like).
- window() adds additional comparison operators such as in and not in to speed comparisons. These will be explained in more detail later.

Window Filters

The incoming raw stream of events is split before it arrives at the window() function. The window storage filter therefore sees the complete stream of raw events, and applies its filter to the entire stream. It stores matched events in the window, which are then compared against the current event. Note that if the same event passes through both the storage filter and any window() pre-filter (for example because the filters are identical or NULL), the storage window is guaranteed to be delayed by one event, so that the current event cannot automatically match itself.

It is critical to design your storage and pre-window filters as tightly as possible to minimize the resources used by the window() operator. The window stores a copy of every matching event within the specified time period; although it only stores the UUID and the relevant meta-tag for comparison, greedy storage filters will still use a lot of memory.

The incoming stream of raw events is copied and split, so both the input to window() and window()'s storage filter see the complete stream of events (with the latter delayed by one event). If the same filter is used both as a pre-filter in front of window() and as its storage filter, then window() adds the current event to the storage window only after it has been compared against the past events. This is not a requirement, however; the input and storage filters are completely independent. In the example on the slide, for instance, we store firewall events (rv32 is the DeviceCategory meta-tag) in our window, and then compare incoming IDS events against them. A match implies that an event seen inside our network was previously seen by the firewall, meaning that an attacker made it through the firewall (you would need additional filtering based on event name and source IP for this to be truly valid).

Window Example 1

In the above example, if the past event has a Source IP address in the subnet specified by the address xxx.xx.x.x/yy with CIDR subnet mask, it is stored in the window for 60 seconds. If the current event's Source IP address matches the Source IP of one of the stored past events, a correlated event is sent containing the current event.

Window Example 2

Window Example 3

Window Example 4

The above example is very similar to the previous example, but additional filtering has been added to show how memory and CPU use can be kept low even with complex rules. The initial filter ensures that only events classified as IDS Attack events, using the eSecTaxonomyLevel3 meta-tag, are evaluated. All the window storage filters are similar; in this case, all events we are comparing are supposed to be IDS attacks. The window() functions use the in comparison operator rather than =; this can speed processing but has output implications, explained in the next few slides. The final trigger() function ensures that successive events are added to our existing Correlated event (and incident) rather than creating new Correlated events.

Window Thresholds

A special case of the trigger operator, of the form trigger(n, 0), is used only after window() functions. Note that if this form of trigger() (with n>1) is used directly after a filter(), it will never fire because of the zero-second bucket: filter() outputs one event at a time, so the trigger() can never fill its bucket(s) with enough events. Note also that window() with the in or not in comparison operators will never produce output if followed by trigger(n, 0) with n>1, as these modes only output the single current event.

If, however, you use a window() function as shown on the slide above, its output is the current event together with the past events that match the comparison operation. If that set contains five or more events, that is, the current event plus four or more stored events with the same sip (counting the current event, as in the window(...) flow trigger(3,0) example earlier), then the trigger will fire. This provides a form of thresholding, where the rule is checking for multiples of matching past events.
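To make the window() mechanics concrete, the following Python model is an added example (not code from this manual or from Sentinel) covering the points made under Window Syntax, Window Filters, Window Example 1 and Window Thresholds: a storage filter that sees every raw event but runs one event behind the main flow, an e.sip = w.sip comparison against the stored events, the in mode that returns only the current event, the independence of the pre-filter from the storage filter (firewall events stored, IDS events compared), and a trigger(n, 0) that fires on the size of the window's output set. The Window class, trigger_zero, run_window_rule, the sample events and the 192.0.2.0/24 storage subnet are constructed for the illustration, and the exact behaviour of not in is an assumption.

```python
import ipaddress
from collections import deque


def mk(ts, sip, rv32="IDS"):
    """Constructed sample event (not from the manual): ts in seconds, rv32 = DeviceCategory."""
    return {"id": f"{sip}@{ts}", "ts": ts, "sip": sip, "rv32": rv32}


class Window:
    """Model of RuleLG window(e.<tag> = w.<tag>, <storage filter>, duration).

    The storage side sees every event of the raw stream but runs one event behind,
    so the current event can never match itself.  mode="=" outputs the current event
    plus every stored event it matched; mode="in" (and "not in") output only the
    single current event, which is why they cannot feed trigger(n, 0) with n > 1.
    Events are assumed to arrive in timestamp order.
    """

    def __init__(self, e_tag, w_tag, storage_filter, duration, mode="="):
        self.e_tag, self.w_tag = e_tag, w_tag
        self.storage_filter, self.duration, self.mode = storage_filter, duration, mode
        self.stored = deque()  # the real engine keeps only UUID + compared tag; we keep the whole dict
        self.pending = None    # the previous event, not yet visible to the comparison

    def feed(self, event, passed_prefilter=True):
        now = event["ts"]
        if self.pending is not None and self.storage_filter(self.pending):
            self.stored.append(self.pending)  # the one-event delay
        self.pending = event
        while self.stored and now - self.stored[0]["ts"] > self.duration:
            self.stored.popleft()
        if not passed_prefilter:  # the pre-filter gates evaluation only, never storage
            return []
        matched = [w for w in self.stored if w.get(self.w_tag) == event.get(self.e_tag)]
        if self.mode == "not in":  # assumed: the current event passes when nothing stored matches it
            return [] if matched else [event]
        if not matched:
            return []
        return [event] if self.mode == "in" else [event] + matched


def trigger_zero(count, input_set):
    """trigger(count, 0): no storage, fires only on the size of the current input set."""
    return input_set if len(input_set) >= count else []


def run_window_rule(events, prefilter, window, count):
    """filter(prefilter) flow window(...) flow trigger(count, 0); returns (ts, ids) per firing."""
    fired = []
    for event in events:
        out = trigger_zero(count, window.feed(event, prefilter(event)))
        if out:
            fired.append((event["ts"], [e["id"] for e in out]))
    return fired


def demo_threshold(mode="="):
    """window(e.sip = w.sip, filter(e.sip in 192.0.2.0/24), 60) flow trigger(3, 0)."""
    net = ipaddress.ip_network("192.0.2.0/24")
    events = [mk(t, "192.0.2.5") for t in (1, 2, 3, 4)]
    events += [mk(5, "10.9.9.9"), mk(6, "192.0.2.5"), mk(70, "192.0.2.5")]  # 70 s: window has aged out
    window = Window("sip", "sip", lambda w: ipaddress.ip_address(w["sip"]) in net, 60, mode)
    return run_window_rule(events, lambda e: True, window, 3)


def demo_firewall_then_ids():
    """filter(e.rv32 = IDS) flow window(e.sip = w.sip, filter(e.rv32 = FW), 60) flow trigger(1, 0):
    an IDS event whose source address was earlier seen by the firewall."""
    events = [mk(1, "203.0.113.9", "FW"), mk(2, "203.0.113.9"), mk(3, "203.0.113.50"),
              mk(4, "203.0.113.50", "FW"), mk(5, "203.0.113.50")]
    window = Window("sip", "sip", lambda w: w["rv32"] == "FW", 60)
    return run_window_rule(events, lambda e: e["rv32"] == "IDS", window, 1)


if __name__ == "__main__":
    print(demo_threshold("="))   # fires at 3, 4 and 6 s: current event + at least two stored events
    print(demo_threshold("in"))  # never fires: in mode outputs only the current event
    print(demo_firewall_then_ids())
```

In the threshold demo the event from 10.9.9.9 is evaluated but never stored, so it neither matches nor pollutes the window, and by 70 seconds every stored event has aged out and the count starts over; switching the comparison to in makes the same rule silent, exactly the caveat stated above. The firewall/IDS demo fires only for the two IDS events whose source address the firewall reported first.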

Objective 4

Dynamic Lists

Objective 5

Summary

The Sentinel Correlation technology can be used to detect all sorts of traffic patterns on your network. Virus attacks, worms, password crack attempts, account policy violation, and so forth are all possible, as long as the data you need is being collected from your source devices. You can use the Correlation Engine to automate many of your IT controls and to implement automatic incident handling and resolution.

Novell Training Services (en) 15 April 2009

SECTION 12

Correlation Actions

Objective 1

Objective 2

Email and Correlated Event Action

Objective 3

Dynamic List Actions

Objective 4

Incident Actions

Objective 5

Command Actions

Objective 6

Execute Script Actions

Objective 7

Java-based Actions

SECTION 13

Troubleshooting

The objectives for this Chapter are:

1. The Sentinel Processes on page 249
2. Sentinel Log Files on page 250
3. Adjusting Logging Levels on page 252
4. Troubleshooting Reporting on page 254
5. Unable to Login on page 255
6. An Event Doesn't Show Up on page 256
7. System Throttles on page 257
8. When Mapping Doesn't Work on page 258
9. When the Asset Map Doesn't Work on page 259
10. When Vulnerability Doesn't Work on page 260

Objective 1

The Sentinel Processes

Objective 2

Sentinel Log Files

This is the same slide we used for Sentinel 5. The architecture hasn't changed in Sentinel 6, as our architecture was already a product strength and we have built upon that strong foundation. This slide shows the major areas of focus for Sentinel 6:

- Correlation: next-generation correlation engine to allow more powerful rules
- Event Source Management: management and configuration of everything below the component labeled ISCALE MESSAGE BUS
- iTRAC: dramatically improved incident management and remediation system

Objective 3

Adjusting Logging Levels

Objective 4

Troubleshooting Reporting

Objective 5

Unable to Login

Objective 6

An Event Doesn't Show Up

Objective 7

System Throttles

Objective 8

When Mapping Doesn't Work

Objective 9

When the Asset Map Doesn't Work

Objective 10

When Vulnerability Doesn't Work

SECTION 14

Collectors and Connectors

The objectives of this Chapter are:

1. Collectors on page 267
2. Existing Collectors on page 269
3. Pre-defined Collectors on page 270
4. Collectors vs. Connectors on page 271
5. Advisor Feed on page 273
6. Collector Updates on page 274
7. Novell Audit Event Collectors on page 275
8. Summary on page 276

Objective 1

Collectors

Objective 2

Existing Collectors

TIP: http://support.novell.com/products/sentinel/secure/sentinel61.html

Objective 3

Pre-defined Collectors

There are many Connectors and Collectors available for a multitude of different systems. You can find a current list at: http://support.novell.com/products/sentinel/secure/sentinel6.html

Objective 4

Collectors vs. Connectors

Objective 5

Advisor Feed

Objective 6

Collector Updates

Objective 7

Novell Audit Event Collectors

The Sentinel Syslog Proxy has been extended to accept Novell Audit events. In addition to the normal syslog ports, it now listens on port 289 for SSL connections initiated by applications instrumented with the Novell Audit API. The Novell Audit event is received in a binary format and delivered to the agent (Collector) through the Syslog Connector as name-value-pair fields embedded in a syslog message. Instrumented applications can cache data locally if the connection is lost or slow; the Syslog Proxy takes advantage of this and stalls the client instead of dropping events if the input rate is too high. A filtering facility on the instrumented client side prevents the reporting of identified events for that application. This is configured through an XML file stored with the Proxy Server that defines the filtering on a per-application basis. A future management GUI for filtering should be considered.

Objective 8

Summary

SECTION 15

Architecture and Business Relevance

The objectives for this Chapter are:

1. Collector Manager on page 279
2. Port Architecture on page 280
3. Collector Architecture on page 282
4. Collector Components on page 283
5. Event Router on page 285
6. Mapping Service on page 286
7. Global Filters on page 287
8. on page 288
9. Business Relevance on page 289
10. Business Relevance Explanation on page 290
11. TRANSLATE() on page 291
12. Mapping Service on page 293
13. Adding A Map on page 296
14. Meta-tag Reference on page 297
15. Map Reference on page 298
16. Names and Variables on page 299
17. Summary on page 300

Although the Collector system's architecture is fairly simple, there are a number of data sources and interrelated components that converge at the Collector Manager level. We must understand how these all work together to provide the rich dataset that Sentinel can provide.

Objective 1

Collector Manager

Collector Manager is implemented as a wrapper service or daemon (wrapper[.exe]) on a particular host. There can only be one Collector Manager on a host, but you can have many Collector Managers on your network. The service/daemon is usually set to start automatically, and starts other Java processes to handle all other collection functions (and monitors these processes to ensure they continue to function).

Collector Manager incorporates a number of components, including the Event Router, which handles data post-Collector (more on this later). It also starts a shell Collector Engine for each Collector started on the Collector Manager. The Collector Engine parses and initializes the Collector, and provides a number of services for its operation. One such service is to provide a Port (not a TCP port), which is a data-access abstraction allowing the Collector to ignore the details of how data is actually gathered from a particular source device. Collectors can circumvent the Port construct, however, and use built-in functions to access the data directly.

Objective 2

Port Architecture

Collectors can access data in a wide variety of ways:

Port-level access: The Collector Engine provides a data-access abstraction called a Port which allows the Collector to ignore many details of data access. Under this methodology, a Port is created which specifies what connection method will be used (file, process, network) and where the data lives (file, process name, network port). The Collector Engine then takes care of fetching each data record and presents it to the Collector in a Receive Buffer. The Collector can therefore ignore all details of fetching data and can simply process the data in the buffer. When it needs the next line, it can simply request it.

For more complex data access methods, such as ODBC or raw events which reside in multiple files, the Collector can use native access methods. Built-in routines provide file read, database SELECT, and other access methods, but the Collector must track the file or DB location and take care of opening and closing connections.

In certain circumstances more complex methods are required to access data than simple read operations. Authenticated access on remote hosts, syslog connections that expect a syslog daemon to connect to, and similar types of access cannot be easily handled with the built-in routines. In this case, we use a Connector to handle the data access: this is typically a small script which performs the access required, reformats the data into a single log message line, and then outputs the data. You can then configure the Port to connect to the Connector as a simple process-style or socket-style connection.

Objective 3

Collector Architecture

Internally, each Collector can be considered as a series of states, which can be connected in flexible ways. Usually, connected to these states is the input stream of events; the Collector will specify certain parameters such as how to detect the end of a single event record but the details of the communications are handled at the Port level. Each state corresponds to a small action script, of which there are several types: receive data, branch based on a true/false decision, process data, jump to another state, etc. The Collector typically reads each input record (a single event from the source device), processes it to normalize the data into the Sentinel standard meta-tags, and then forwards the normalized data to the Collector Manager. It then loops back to some initial state which starts the process again. Collectors can be created with arbitrarily complex state structures, but most Collectors use a standard set of states. We will look more closely at the standard structure of Collectors later in the course.

Objective 4

Collector Components

Although the states represent the core of the Collector, Collectors also utilize a set of ancillary files to perform various functions. These represent the modular components of the Collector, and each one is a separate file (all ASCII text) on disk.

- State File: contains the main code for the Collector implemented via states. A given Collector can have multiple State Files, which represent entirely different sets of code.
- Parameter File: contains all parameters (somewhat like global variables) for the Collector. Again, a given Collector can have multiples.
- Script Files: The Template File and Parameter File are compiled together to make a Script File. The startup and backout sequences (or chains) select which script to use based on various inputs. In most cases the single Script File will be listed in the startup chain, which means that only that script will run.

The Script File can reference two additional data files:

- Lookup Files: contain subroutines for code separation and reuse. You can have as many of these as you like. Note that these are not true subroutines but execute in the environment of the main script, and are therefore more like macros.
- Translate Files: contain data tables so the code can pull in referential data.

All of these objects appear in the IDE except for the Translate Files.

Objective 5

Event Router

The Event Router performs post-Collector data manipulation. There are two major functions: Mapping and Global Filters. The Mapping function applies system-wide maps to the incoming event data, transforming and enhancing the data across all Collector Managers. These maps are provided and updated by the Sentinel Server to all Collector Managers simultaneously. Global Filters use data embedded in the incoming event to determine what to do with that event: drop it in the trash, publish to the DB channel, or publish to the DB and realtime channels. If network communications are interrupted and the Event Router cannot publish the event data to the iSCALE Message Bus, then the data will be temporarily stored in transmit buffers. In extreme cases, the data will be written to local compressed files. The Sentinel system should be architected to avoid this eventuality.

Objective 6

Mapping Service

In Sentinel, Collectors parse source data and construct a normalized event based on Sentinel's meta-tag definitions. In addition to parsing the raw event, the Collector Manager can add referential data to an event, such as asset information. This can be accomplished either via the Collector code's internal TRANSLATE command (specific to an individual Collector), or via the global Mapping Service. DAS_Query has a component, the Mapping Service, that checks for new or updated maps and distributes them to the Collector Managers. There are several maps which can be auto-populated using special Information Collectors; these are the asset and vulnerability maps. Additionally, custom maps can be defined to hold any sort of data which can be pulled into events based on raw event data.

Objective 7

Global Filters

Global filters are specified in the Control Center, Admin tab, Global Filter Configuration tool. Filters from the standard filter library are used to construct the Global filters; in addition, the Action that is applied to data that matches the filter is specified. Recall from the Administration course that the possible actions are:

- Drop: drop the event entirely
- Database Only: events will be sent directly to the database, bypassing the GUI realtime channel
- Database and GUI: events will be sent to the GUI and the database

GUI includes all real-time processing, e.g. Control Center and Correlation Engine. Global filter definitions (filter and action) are distributed to each Collector Manager and the CM applies the filters to the incoming data stream.
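The Event Router behaviour described in Objective 5 and the three global filter actions listed above, modelled in Python as an added example (this is not Sentinel code). An ordered filter list is evaluated first-match-wins; the action decides whether the event is dropped, published to the database channel only, or published to both the database and realtime channels; and events that cannot be published while the bus is unreachable are held in a transmit buffer, spilling to a local compressed file once the buffer is full. The filter set, the event field names, the channel names and the spill-to-gzip detail are assumptions made for illustration.

```python
"""Model of the Event Router's global filter actions and transmit buffering
(added example, not Sentinel code)."""
import gzip
import json

DROP, DB_ONLY, DB_AND_GUI = "Drop", "Database Only", "Database and GUI"


class FakeBus:
    """Stand-in for the iSCALE message bus (constructed for this example)."""

    def __init__(self):
        self.up = True
        self.published = []  # (channel, event name) in delivery order

    def publish(self, channel, event):
        if not self.up:
            return False
        self.published.append((channel, event["EventName"]))
        return True


class EventRouter:
    """Apply ordered global filters (first match wins), publish to the matching
    channels, and hold events in a transmit buffer while the bus is unreachable."""

    def __init__(self, filters, bus, spool_path=None, max_buffer=1000):
        self.filters = filters        # list of (name, predicate, action)
        self.bus = bus
        self.spool_path = spool_path  # compressed overflow file (assumed behaviour)
        self.max_buffer = max_buffer
        self.buffer = []
        self.stats = {DROP: 0, DB_ONLY: 0, DB_AND_GUI: 0}

    def classify(self, event):
        for name, predicate, action in self.filters:
            if predicate(event):
                return name, action
        return "default", DB_AND_GUI  # assumption: unmatched events take the full path

    def route(self, event):
        """Return the channels the event was sent to ([] when dropped)."""
        _, action = self.classify(event)
        self.stats[action] += 1
        if action == DROP:
            return []
        channels = ["db"] if action == DB_ONLY else ["db", "realtime"]
        for channel in channels:
            if not self.bus.publish(channel, event):
                self._hold(channel, event)
        return channels

    def _hold(self, channel, event):
        self.buffer.append((channel, event))
        if self.spool_path and len(self.buffer) >= self.max_buffer:
            # extreme case: spill the transmit buffer to a local compressed file
            with gzip.open(self.spool_path, "at") as spool:
                for ch, ev in self.buffer:
                    spool.write(json.dumps({"channel": ch, "event": ev}) + "\n")
            self.buffer.clear()

    def flush(self):
        """Retry buffered events once the bus is back; return the number delivered."""
        pending, self.buffer = self.buffer, []
        delivered = 0
        for channel, event in pending:
            if self.bus.publish(channel, event):
                delivered += 1
            else:
                self.buffer.append((channel, event))
        return delivered


# Constructed global filter set, in evaluation order
GLOBAL_FILTERS = [
    ("drop-heartbeats", lambda e: e["EventName"] == "Heartbeat", DROP),
    ("archive-low-severity", lambda e: e["Severity"] < 2, DB_ONLY),
    ("everything-else", lambda e: True, DB_AND_GUI),
]

# Constructed sample events, not real Sentinel output
SAMPLE_EVENTS = [
    {"EventName": "Heartbeat", "Severity": 0, "SourceIP": "10.0.0.1"},
    {"EventName": "Interface Up", "Severity": 1, "SourceIP": "10.0.0.1"},
    {"EventName": "Failed Login", "Severity": 3, "SourceIP": "10.0.0.7"},
]


def demo():
    """Route the samples, then simulate a bus outage and recovery."""
    bus = FakeBus()
    router = EventRouter(GLOBAL_FILTERS, bus)
    paths = [router.route(e) for e in SAMPLE_EVENTS]
    bus.up = False
    router.route({"EventName": "Port Scan", "Severity": 4, "SourceIP": "10.0.0.9"})
    held = len(router.buffer)
    bus.up = True
    delivered = router.flush()
    return paths, held, delivered, router.stats, bus.published


if __name__ == "__main__":
    print(demo())
```

Filter order matters: because the heartbeat filter is evaluated before the low-severity archive filter, a severity-0 heartbeat is dropped rather than archived, which is the same first-match rule to keep in mind when ordering Global Filters in the Control Center.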

Objective 8

The Sentinel Data Collection system is designed to provide the maximum level of flexibility for gathering source device data and normalizing it for the Sentinel system, while also pulling in referential data based on the data in the raw source events. There are a number of tools and architectural components which enable this flexibility. Deploying Collectors is fairly simple in most environments, but additionally custom Collectors can be created to handle new device types for which Tier 1 Collectors do not yet exist. The system can be tuned to pull in many sorts of referential data, as long as that data is available in the customer environment.

Objective 9

Business Relevance
The objectives for this Chapter are:

Objective 10

Business Relevance Explanation

There are two methods used to pull in data using keys that are present in the incoming raw event data: TRANSLATE() and the Mapping Service. Both of these methods use a simple key-based recall method to determine which row of data to return, although the Mapping service allows for multiple-key selections. For both methods, you must define which input data will be used as the key, and where the return data (from each column) will be placed. TRANSLATE() is run from within each individual Collector and references CSV files maintained in an individual Collector directory structure. The Mapping service is defined at a global level and maps are distributed to all Collector Managers and applied universally to all events passing through the system.

Objective 11

TRANSLATE()

TRANSLATE() pulls data from CSV files located in the individual Collector directory. It uses the specified key value (which can be a literal string or a string variable) to select a particular row of the CSV file, and then (optionally) returns each of the comma-separated values on the same line into specified variables. If it runs out of variables to fill, it stops returning data. The base case is to include no return variables, in which case the TRANSLATE() command merely indicates whether the key appeared in the CSV file. To speed processing, the command loads the mapping file (.csv) into memory, allowing a fast lookup of whether the key entry is contained in the file and retrieval of the other data associated with the key.

If the format of the CSV file is as follows:

    Key1,data1,data2,data3
    Bob,blue,25,210
    Alice,green,19,110
    Pat,purple,36,145

To find whether a particular friend is in your friends.csv file the command would look like:

    TRANSLATE("Bob", friends.csv, i_found)

To return Bob's favorite color, age, and weight:

    TRANSLATE("Bob", friends.csv, i_found, s_favColor, s_Age, s_Weight)

CSV File: The CSV file is a relative path from a Collector's script directory. The editing of these files is currently not supported within Agent Builder, but the files can be edited using Excel or Notepad.

Found Status: The found status is set to 1 if the key is contained in the CSV file and 0 if the key is not contained in the CSV file.

Variables: A variable number of arguments to indicate into which variables to store the return data. Variables can be string, integer, or float.
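The TRANSLATE() semantics above, modelled in Python as an added example (this is not Collector code and not Sentinel's implementation). The CSV is loaded into memory once per file and keyed on its first column; the first variable receives the found status; the remaining variables are filled positionally from the matching row and the lookup stops when the variables run out; with no variables at all the call only reports whether the key is present. The friends.csv contents are the constructed table from the text; the i_/s_/f_ prefix convention for variable types is assumed for illustration.

```python
"""Model of the Collector TRANSLATE() lookup (added example, not Collector code)."""
import csv
import io

# Constructed friends.csv, identical to the table in the text
FRIENDS_CSV = """Key1,data1,data2,data3
Bob,blue,25,210
Alice,green,19,110
Pat,purple,36,145
"""

_cache = {}  # file name -> {key: [remaining columns]}, loaded once per file


def _load(csv_name, text=None):
    """Load a CSV into memory keyed on its first column (once per file name).
    A real Collector resolves csv_name relative to its script directory."""
    if csv_name not in _cache:
        source = io.StringIO(text) if text is not None else open(csv_name, newline="")
        with source as handle:
            table = {}
            for row in csv.reader(handle):
                if row:
                    table[row[0]] = row[1:]
        _cache[csv_name] = table
    return _cache[csv_name]


def _coerce(name, value):
    """Assumed naming convention: i_ integer, f_ float, anything else string."""
    if name.startswith("i_"):
        return int(value)
    if name.startswith("f_"):
        return float(value)
    return value


def translate(key, csv_name, *var_names, text=None, env=None):
    """Emulate TRANSLATE(key, file, found, var1, var2, ...).

    Sets `found` (the first name) to 1 or 0 in `env`, then fills the remaining
    names positionally from the matching row, stopping when the names run out.
    With no names at all, only the found status is returned.
    """
    env = env if env is not None else {}
    table = _load(csv_name, text)
    if not var_names:
        return int(key in table)
    found_name, *value_names = var_names
    row = table.get(key)
    env[found_name] = 1 if row is not None else 0
    if row is not None:
        for name, value in zip(value_names, row):  # stops at the shorter list
            env[name] = _coerce(name, value)
    return env[found_name]


def demo_lookup(key="Bob"):
    """Run the text's second example and return the resulting variables."""
    env = {}
    translate(key, "friends.csv", "i_found", "s_favColor", "s_Age", "s_Weight",
              text=FRIENDS_CSV, env=env)
    return env


if __name__ == "__main__":
    print(demo_lookup())
    print(demo_lookup("Zed"))
```

Note that when the key is absent only the found status is written; the other variables keep whatever value they had before the call, so a Collector should branch on i_found before using them.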

Objective 12

Mapping Service
The Mapping Service adds referential data, such as asset information, to events in the Event Router.

- Architecture on page 293
- Map Definitions on page 294

Architecture

The Mapping Service works in a similar fashion to TRANSLATE(), but is applied after the Collector has finished processing the data and has passed the data to the Event Router. The Mapping Service is provided by a part of DAS, DAS_Query, that checks for new or updated maps and distributes them to the Collector Managers. There are several maps which can be auto-populated using special Information Collectors; these are the asset and vulnerability maps. Additionally, custom maps can be defined to hold any sort of data which can be pulled into events based on raw event data.

Asset and Vulnerability maps: consist of database tables which contain the asset and vulnerability information. Map definitions are also stored in the DB, and cannot be changed. These maps are updated using Information Collectors.

Custom maps consist of two parts:

- Map source data, which are persisted as CSV files under the {ESEC_HOME}/sentinel/bin/map_data/ directory
- Map definition: the definition of keys and data; stored in the MD_CONFIG table in the DB

These maps are updated by uploading new CSV files to the Sentinel server. Key-value pairs and custom map definitions are viewed and defined in Sentinel Data Manager.

Map Definitions

Business Relevance Map Definitions

The Mapping tab allows you to manage referential data that Collectors will use. Here is where we define our maps by specifying the input file's rows and columns. A simple wizard allows you to construct a custom map. Mapping options:

- Add new map definitions
- Edit map definitions
- Delete map definitions

Objective 13

Adding A Map

When you add a new map definition you must specify:

- A map name: you may add this name to an existing folder or create a new folder
- A CSV map file (local or remote to the location of the SDM)
- The parameters of your CSV map file:
  - Delimiter (pipe, comma, semicolon, etc.)
  - Row to start on (it is useful to include a header row to aid in naming/typing, and then hide it using this field once you are done)
  - Key columns (only these columns can be used to select rows to return)
  - Column names and their types (string, integer, IP address or date)
  - Column filter (key, number of columns, column name, etc.)

Objective 14

Meta-tag Reference

The Events tab is the mechanism that centrally manages how Maps are applied to incoming events. For each meta-tag that you wish to be populated from a Map, you must specify where that data will be found and how it can be identified. There are two types of data sources:

- External: the default; this means that the data is generated in the Collector and not modified in the Event Router.
- Referenced from Map: retrieves information from a map file to populate the meta-tag.

When you select a meta-tag from the column at left, that meta-tag's current alias and the source of its data are displayed at right.

Objective 15

Map Reference

In TRANSLATE() we could specify multiple return variables and pull in an entire row's worth of data. Here, we must pull in each column separately.

1. Select the meta-tag you wish to populate from the map. Alias the tag if you wish at top.
2. Select Referenced from Map to indicate that this value will come from a Map (a small icon will appear in the column header in Control Center indicating that the data came from a Map).
3. Specify the Map name from which the data will be fetched. If you defined a custom map, this is the name you gave it.
4. Select the Map Column which holds the data you wish to fetch. Usually the meta-tag you are populating and the Map Column should have the same or similar names. The Map Column name was defined when you defined the Map.
5. Under Key Configuration, the Map Columns that were specified as keys will appear. Select existing event meta-tags from the drop-down list at right to match against the key columns. These meta-tags must be populated by the Collector with data that will appear in the Map Key field to select the correct row.
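The custom map definition from Objective 13 (delimiter, start row, typed columns, key columns) and the Map Reference steps above, modelled in Python as an added example (this is not Sentinel code). A MapDefinition parses a CSV into typed rows keyed on one or more key columns; a MapReference populates one meta-tag per map column, using the Key Configuration to pull the key values from event meta-tags; and the Event Router applies every reference to each event. A malformed or missing key leaves the meta-tag untouched rather than failing the event. The map contents, the meta-tag names (SourceIP, DestinationIP, DestinationPort and the populated tags) and the two-key Services map are constructed for illustration.

```python
"""Custom map definition and Map Reference lookup (added example, not Sentinel code)."""
import csv
import io
import ipaddress
from datetime import date

# Constructed map files; real ones live under {ESEC_HOME}/sentinel/bin/map_data/
ASSET_OWNERS_CSV = """ip|hostname|owner|criticality|last_scanned
10.0.0.7|hr-db-01|HR Apps|4|2009-04-01
10.0.0.9|build-03|Engineering|2|2009-03-15
"""
SERVICES_CSV = """ip,port,service
10.0.0.7,1521,Oracle
10.0.0.7,22,SSH
"""

# The four column types offered by the map wizard, as parsers
TYPE_PARSERS = {"string": str, "integer": int,
                "ip": ipaddress.ip_address, "date": date.fromisoformat}


class MapDefinition:
    """Delimiter, start row, typed columns and key columns for one map."""

    def __init__(self, name, text, delimiter, start_row, columns, key_columns):
        self.name = name
        self.columns = dict(columns)          # column name -> type name
        self.key_columns = key_columns
        if not set(key_columns) <= set(self.columns):
            raise ValueError("key columns must be defined columns")
        self.rows = {}
        reader = csv.reader(io.StringIO(text), delimiter=delimiter)
        for line_no, raw in enumerate(reader, start=1):
            if line_no < start_row or not raw:
                continue                      # header rows hidden by the start row
            row = {n: TYPE_PARSERS[t](v) for (n, t), v in zip(columns, raw)}
            self.rows[tuple(row[k] for k in key_columns)] = row

    def lookup(self, key_values):
        """Return the row selected by the (possibly multi-column) key, or None."""
        return self.rows.get(tuple(key_values))


class MapReference:
    """Events-tab entry: fill `meta_tag` from `map_column`; `key_config` maps
    each map key column to the event meta-tag that supplies its value."""

    def __init__(self, meta_tag, map_def, map_column, key_config):
        self.meta_tag, self.map_def = meta_tag, map_def
        self.map_column, self.key_config = map_column, key_config

    def apply(self, event):
        try:
            keys = [TYPE_PARSERS[self.map_def.columns[k]](event[self.key_config[k]])
                    for k in self.map_def.key_columns]
        except (KeyError, ValueError):
            return event                      # missing or malformed key: leave the tag alone
        row = self.map_def.lookup(keys)
        if row is not None:
            event[self.meta_tag] = row[self.map_column]
        return event


def enrich(event, references):
    """What the Event Router does per event: apply every Map Reference."""
    for ref in references:
        ref.apply(event)
    return event


ASSET_OWNERS = MapDefinition(
    "AssetOwners", ASSET_OWNERS_CSV, delimiter="|", start_row=2,
    columns=[("ip", "ip"), ("hostname", "string"), ("owner", "string"),
             ("criticality", "integer"), ("last_scanned", "date")],
    key_columns=["ip"])
SERVICES = MapDefinition(
    "Services", SERVICES_CSV, delimiter=",", start_row=2,
    columns=[("ip", "ip"), ("port", "integer"), ("service", "string")],
    key_columns=["ip", "port"])               # multi-key selection
REFERENCES = [
    MapReference("SourceAssetOwner", ASSET_OWNERS, "owner", {"ip": "SourceIP"}),
    MapReference("SourceAssetCriticality", ASSET_OWNERS, "criticality", {"ip": "SourceIP"}),
    MapReference("DestServiceName", SERVICES, "service",
                 {"ip": "DestinationIP", "port": "DestinationPort"}),
]


def demo(source_ip="10.0.0.7"):
    """Enrich one constructed event; meta-tag names are assumed."""
    event = {"EventName": "Failed Login", "SourceIP": source_ip,
             "DestinationIP": "10.0.0.7", "DestinationPort": "1521"}
    return enrich(event, REFERENCES)
```

Typing the key columns is what makes the lookup robust: the event's DestinationPort arrives as the string "1521" but is compared as an integer, and a SourceIP that does not parse as an address is skipped instead of silently failing to match or raising inside the router.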

Objective 16

Names and Variables

Custom variables have default names as shown in the table above, but can be aliased to different names for display in the Control Center. Some Reserved and a couple of Custom variables are already aliased in the default system. Here are some examples:

- s_RV32 = DeviceCategory
- s_RV39 = MSSPCustomerName
- s_RV50-s_RV53 = eSecTaxonomyLevel1-4
- s_RV56-s_RV77 = Source IP asset data (built-in map)
- s_RV78-s_RV99 = Destination IP asset data (built-in map)
- s_CV90-s_CV94 = Compliance information
- s_CV95-s_CV96 = Source/Dest IP country information

A full list is in the Appendix.


Objective 17

Summary

TRANSLATE() and the Mapping Service are powerful tools for normalizing and enhancing event data. From simple alphabetic-to-numeric month translations to complex referential data lookups, they enrich event data and speed the identification and analysis of event traffic.


SECTION 16

Event Source Management

The objectives of this Chapter are:

1. Event Source Management Overview on page 302
2. Sentinel 5.1.3 Collector Update on page 314
3. Summary on page 321


Objective 1

Event Source Management Overview


What is Event Source Management on page 302
ESM User Interface on page 303
ESM Views on page 304
ESM Plugins on page 305
Graphical Configuration on page 306
ESM Terminology on page 307
ESM Configuration on page 308
ESM Data Offsets on page 309
Status Monitoring on page 310
Troubleshooting Tools on page 311
Collector Debugger on page 312
Advanced Features on page 313

What is Event Source Management


ESM User Interface


ESM Views


ESM Plugins


Graphical Configuration


ESM Terminology


ESM Configuration


ESM Data Offsets


Status Monitoring


Troubleshooting Tools


Collector Debugger


Advanced Features


Objective 2

Sentinel 5.1.3 Collector Update


Collector Scripts on page 314
Development and Debugging on page 315
Connectors on page 316
Port Configuration on page 317
Collector Parameters on page 318
Health Monitoring on page 319
5.1.3 Sentinel Update Conclusion on page 320

Collector Scripts


Development and Debugging


Connectors


Port Configuration


Collector Parameters


Health Monitoring


5.1.3 Sentinel Update Conclusion


Objective 3

Summary


Novell Training Services (en) 15 April 2009


SECTION 17

Solution Pack Management


Objective 1

What are Solution Packs


Objective 2

Anatomy


Objective 3

Controls


Objective 4

Solution Designer


Objective 5

Creating Solution Packs


SECTION 18

JavaScript Collectors


Objective 1


Objective 2

Parsing Meta-Tags


Objective 3

Script Files


Objective 4

Collector Development
