Network sensors are responsible for generating alarms and sending them to the Event Viewer host, which must receive and display those alarms for security personnel. To ensure the integrity of the network, you must understand how to view and manage the alarms, while also understanding the significance of each generated alarm. The Event Viewer provides a graphical interface to assist you with the display and management of your alarm data.
Note: This section describes and details the Event Viewer included with CSPM.
The Event Viewer is a GUI application used to display each alarm and its critical information, as well as status information generated by the sensor daemons. A single intrusion on your network can generate a large number of alarms, which can quickly fill the Event Viewer screen. If multiple sensors are installed on the network, each sensor can detect the same intrusion, resulting in multiple alarms for a single attack. Your competence and efficiency with the Event Viewer will enable you to digest the information received and respond to intrusions in a timely fashion, without being overwhelmed. To assist you in building a thorough understanding of the Event Viewer, this section discusses the following topics:
Managing Alarms
Event Viewer Customization
Preference Settings
Alarms are generated by the sensors and sent to the Event Viewer host via the PostOffice protocol. Once received, these alarms are stored in a database. This database can then be viewed with the Event Viewer. This section discusses the following topics that deal with alarm management:
Opening the Event Viewer
Alarm Fields
Resolving Host Names
Viewing the Context Buffer
The Network Security Database
Suspending New Alarms
Deleting Alarms
The Event Viewer can be accessed via CSPM’s Tools menu. To start the Event Viewer, choose Tools | View Sensor Events | Database. When the View Database Events window appears, you can choose to view all alarms, or you can limit the number of displayed alarms by selecting a start time and/or a stop time.
Start Time—The start time is used to view alarms generated after the specified time. Alarms generated before the start time aren’t displayed.
Stop Time—The stop time is used to limit the number of alarms received. Alarms generated after the stop time aren’t displayed.
Event Type—This is the IDS alarm type. CIDS Alarms is the only option that can be selected.
To open and view alarms using the Event Viewer, use the following steps:
Log in to the CSPM host using the administrative account.
From within CSPM, select Tools | View Sensor Events | Database.
Either select to view all events or specify the start and stop times to limit the scope of alarms displayed.
You can open multiple instances of the Event Viewer. Once an Event Viewer window is open, it can be customized and its display characteristics can be modified independently of all other instances of the Event Viewer. This enables you to open different Event Viewer windows containing the same or different alarms, while adjusting the characteristics of each instance to fulfill a particular need.
Each alarm viewed with Event Viewer is displayed as a row in a table. Each row is made up of fields that contain specific data about the alarm. The fields and explanations are provided in Table 26-3.
| Field | Description |
|---|---|
| Count | Similar alarms are sometimes consolidated into a single row. The Count field specifies the number of alarms consolidated into this row. |
| Name | The name of the alarm. |
| Source Address | The source IP address associated with the alarm listed in this row. |
| Destination Address | The destination IP address associated with the alarm listed in this row. |
| Destination Port | The destination UDP or TCP port associated with the alarm. |
| Source Port | The source UDP or TCP port associated with the alarm. |
| Details | Contains information specific to the signature that generated the alarm. If the signature was a string signature, the string that generated the alarm is listed in this field. |
| Source Location | IN indicates the source IP address is on the local or trusted network. OUT indicates the source IP address is located on a remote or untrusted network. |
| Destination Location | IN indicates the destination IP address is on the local or trusted network. OUT indicates the destination IP address is located on a remote or untrusted network. |
| Signature ID | The numeric ID of the signature that generated the alarm. |
| Subsignature ID | If the signature that generated the alarm has an associated subsignature, the subID is listed in this field. Otherwise, this field is blank. |
| Severity | The severity of the signature that generated the alarm. |
| Level | The level, one to five, of the signature that generated the alarm. |
| Organization Name | The organization name of the sensor that generated the alarm. |
| Sensor Name | The name of the sensor that generated the alarm. |
| Application Name | The name of the daemon that generated the alarm. All intrusion alarms are generated by packetd. |
| Local Date | The date, as recorded by the sensor, when the alarm was generated. |
| Local Time | The time, as recorded by the sensor, when the alarm was generated. |
While viewing alarms in the Event Viewer window, you can easily identify the host names of both the attacking host and the host that was attacked. To resolve the host names, right-click the alarm in question, and then choose Resolve Host Names. A Host Name Resolution window appears, showing the source and destination IP addresses, as well as their associated host name. If the host name can’t be resolved, the window displays Cannot be resolved.
For TCP-based, series 3000 signatures, the sensor captures up to 256 characters of the TCP stream. This information is called the context buffer, and you can use the Event Viewer to display it. By viewing the context buffer, you can determine whether the alarm was generated by an actual intrusion attempt or by a benign trigger.
To view the context buffer, right-click the alarm in question, and then choose Context Buffer from the Shortcut menu. A new window will appear, displaying the information contained in the context buffer. If no context buffer is available, the Shortcut menu won’t contain the Context Buffer option.
Cisco provides the Network Security Database (NSDB), a database of network vulnerability information that can be accessed via a web browser. If you need additional information about any alarm listed in the Event Viewer, you can open the NSDB to view information about that specific alarm. To open the NSDB, use the following steps:
From the Event Viewer, right-click the alarm in question.
Choose Network Security Database.
A second method for opening the NSDB is as follows:
Select the alarm to examine.
Choose Tools | NSDB from the Event Viewer menu bar.
The NSDB Exploit Signature Page contains additional information about the signature that triggered the alarm. Information provided on the NSDB Exploit Signature page includes the following:
Signature name
ID
SubID
Recommended alarm level
Signature type
Signature structure
Implementation
Signature description
Benign triggers
Related vulnerability
User notes
STUDY TIP: Be aware of how to open and view the NSDB.
Once you gain additional information about the matched signature, you might want or need additional information on the related vulnerability. You can select the link provided on the Exploit Signature page to research the vulnerability further. You can learn the following information via the Vulnerability page:
Vulnerability name
Alias
ID
Severity level
Vulnerability type
Exploit type
Affected systems
Affected programs
Vulnerability description
Consequences
Countermeasures
Advisory/related information links
Patch/fix/upgrade links
Exploit links
User notes
Both the Exploit Signature and Vulnerability pages provide a User Notes section. This link allows security administrators to record additional information about the signature or vulnerability. This user-added information is stored permanently in the NSDB on the CSPM host.
If desired, you can prevent the Event Viewer from displaying any new or additional alarms. You can use this feature when you’re investigating a previous alarm and want to prevent any additional alarms from being displayed in a specific Event Viewer window. The alarms are still recorded and stored in the alarm database, and any other instances of the Event Viewer continue to display new alarms. To suspend new alarms in an Event Viewer window, do the following:
Choose Edit | Suspend New Events on the Event Viewer menu bar.
or
Click the Pause Live Feed button on the Event Viewer toolbar.
To resume receiving new alarms:
Choose Edit | Resume New Events on the Event Viewer menu bar.
or
Click the Resume Live Feed button on the Event Viewer toolbar.
Once you deal with an alarm in the Event Viewer, you might want to remove the alarm record from the view or from the entire alarm database. You can choose to delete an alarm from the current Event Viewer window, from all Event Viewer instances, or from the CSPM database. To delete the alarm from the current Event Viewer window:
Right-click the alarm and choose Delete Record.
Select From This Grid.
To delete the alarm from all Event Viewer windows:
Right-click the alarm and choose Delete Record.
Select From All Grids.
To delete the alarm from the entire database:
Right-click the alarm and choose Delete Record.
Select From Database.
Caution: If the selected row contains multiple alarms (indicated by a count greater than one) and you choose any of the deletion options, all alarms represented by that row will be deleted. To delete a single alarm represented in a row with multiple alarms, first expand the row, then select the appropriate alarm, and then choose Delete Record.
Event Viewer combines the functionality of a browser (such as Explorer) with that of a spreadsheet (such as MS Excel) to create a collection of audit event data called a drillsheet. The drillsheet allows groups of similar audit-event records to be displayed on a single row, allowing you—quickly and easily—to detect patterns in the data.
Traditional event viewers display events in a single list. Each event fills one row in the list and each data element within an event fills one cell in the row. This display of events is appropriate when the number of events is small. When the number of alarms is large, however, or when events appear quickly, this linear display isn’t practical.
The Event Viewer groups alarms together into one row, based on information that is identical across those alarms. By default, the Event Viewer consolidates or collapses alarms based on the first two field columns. For example, you might have ten alarms present in the Event Viewer, all triggered by the same signature. Rather than listing ten separate rows, the Event Viewer creates one record (row) listing the name of the alarm with a Count field value of 10. Any information common to all ten alarms is listed in the record. Any information that differs among the ten alarms is shown as a + symbol, indicating additional information exists. You can view the additional information by expanding the record. To expand the record, simply double-click the + sign.
As previously mentioned, the Event Viewer is configured by default to collapse alarms into one record, based on identical information contained in the first two field columns. To view additional information about each alarm, you must expand the columns until the information you need is shown. You can expand the additional information by selecting the row you want to expand, and then click the Expand This Branch One Column to the Right button on the tool bar.
If you want to expand the entire row all the way to the right, select the Expand This Branch all the way to the Right button, located on the Event Viewer tool bar. You can collapse a row back to the left by choosing the Collapse This Branch One Column to the Left button or the Collapse This Branch to the Currently Selected Column button on the Event Viewer tool bar.
Note: Neither of these changes is permanent. If the Event Viewer is closed, all changes to the expanded rows are lost.
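The drillsheet behaviour described above (collapse on the first columns up to the expansion boundary, show + where the consolidated alarms disagree, expand a branch one column to the right, blank-left, and the Delete Record caution that a collapsed row takes all of its alarms with it) is easier to reason about in code. The following is an added Python model of that grouping, not code from CSPM or Cisco: the column order, the sample alarm records and the `drillsheet`, `expand` and `delete_record` names are all assumptions made for this example.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Grid columns in left-to-right order, after the computed Count column.
# Names follow Table 26-3; this particular order is an assumption for the example.
COLUMNS = ("name", "source_address", "destination_address",
           "destination_port", "signature_id", "sensor_name")


@dataclass
class Row:
    count: int      # number of alarms consolidated into this row
    cells: dict     # column -> shared value, "+" if members differ, "" if blanked left
    members: list   # the underlying alarm records, kept so the row can be expanded


def drillsheet(alarms, boundary=2, blank_left=True):
    """Collapse alarms that agree on the first `boundary` columns into one row.

    Beyond the boundary a cell shows the common value when every member of the
    row agrees, otherwise "+" to signal that expanding the row reveals more.
    With blank_left, leading cells that repeat the row above are left empty.
    """
    groups = OrderedDict()
    for alarm in alarms:
        key = tuple(alarm[col] for col in COLUMNS[:boundary])
        groups.setdefault(key, []).append(alarm)

    rows, prev_key = [], None
    for key, members in groups.items():
        cells = {}
        for col in COLUMNS:
            values = {m[col] for m in members}
            cells[col] = values.pop() if len(values) == 1 else "+"
        if blank_left and prev_key is not None:
            for i, col in enumerate(COLUMNS[:boundary]):
                if key[i] != prev_key[i]:
                    break
                cells[col] = ""
        rows.append(Row(len(members), cells, members))
        prev_key = key
    return rows


def expand(row, boundary):
    """Expand This Branch: regroup one row's members out to a wider boundary."""
    return drillsheet(row.members, boundary=boundary, blank_left=False)


def delete_record(alarms, row):
    """Delete Record on a collapsed row removes every alarm it represents.

    Returns the surviving alarms and how many were removed; a row whose count
    is greater than one takes all of its alarms with it (the caution above).
    """
    doomed = {id(m) for m in row.members}
    survivors = [a for a in alarms if id(a) not in doomed]
    return survivors, len(alarms) - len(survivors)


def sample_alarms():
    """Constructed alarm records for the example (not real sensor output)."""
    def alarm(name, src, dst, port, sig, sensor):
        return dict(name=name, source_address=src, destination_address=dst,
                    destination_port=port, signature_id=sig, sensor_name=sensor)
    www, ping = "WWW IIS Unicode attack", "ICMP Echo Request"
    return [
        alarm(www, "10.1.1.5", "192.168.1.10", 80, 5114, "sensor1"),
        alarm(www, "10.1.1.5", "192.168.1.11", 80, 5114, "sensor1"),
        alarm(www, "10.1.1.5", "192.168.1.10", 80, 5114, "sensor2"),  # same attack, second sensor
        alarm(www, "10.1.1.6", "192.168.1.10", 80, 5114, "sensor1"),
        alarm(ping, "172.16.0.9", "192.168.1.10", 0, 2004, "sensor1"),
    ]


def render(rows):
    """Plain-text grid in the Count-then-columns layout of the Event Viewer."""
    lines = ["Count  " + "  ".join(COLUMNS)]
    for r in rows:
        lines.append(f"{r.count:<5}  " + "  ".join(str(r.cells[c]) for c in COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    alarms = sample_alarms()
    rows = drillsheet(alarms)            # default expansion boundary of two columns
    print(render(rows))
    print("\nFirst row expanded one column to the right:")
    print(render(expand(rows[0], 3)))
    remaining, removed = delete_record(alarms, rows[0])
    print(f"\nDelete Record on the first row removed {removed} alarms; {len(remaining)} remain")
```

With the default boundary the three alarms from 10.1.1.5 collapse into one row with a count of 3, showing + for Destination Address and Sensor Name because the members disagree there; expanding that row one column to the right splits it by destination, and deleting it unexpanded removes all three alarms at once.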
By default, all rows are expanded to at least the first two columns. If you want to increase the expansion for all rows beyond the second column, you can configure Event Viewer to do this automatically. To set the default expansion boundary:
Select the column which you want to expand.
Choose Edit | Set Event Expansion Boundary from the Event Viewer menu bar.
Columns can be moved to any position in the Event Viewer. To move a column, click-and-drag the column to the new position. This isn’t a permanent change: if an Event Viewer window is closed and reopened, the default column placement is used.
You can delete columns from the Event Viewer Grid. To delete a column, right-click the column you want to delete, and then select Delete Column from the Shortcut menu. Deleting a column isn’t a permanent change.
You can also select which columns you want Event Viewer to display, as well as how the information in the columns is sorted. To add or remove a column, use the following steps:
Choose Edit | Insert/Modify Column(s) from the Event Viewer menu bar.
Select the columns you want to view by placing an X in the show field.
Click OK.
This section describes the preference options that can be configured in the Event Viewer. To configure Event Viewer preferences, click the Preferences option from the Edit menu. The following sections make up the Preferences window:
Actions
Cells
Status Events
Boundaries
Event Severity Indicator
Severity Mapping
The Actions section of the Preference window enables you to set the following parameters:
Command Timeout—This parameter configures how long (in seconds) the Event Viewer should wait for a response from a sensor before it should consider the connection as down. This setting shouldn’t be changed unless you’ve been experiencing excessive timeout errors.
Time To Block—This parameter specifies how long (in minutes) a sensor should block traffic from a specified source when the Block command is issued from the Event Viewer. This block time period applies only to blocks initiated manually from the Event Viewer, not to automatic blocks initiated by the sensor. The default is 1,440 minutes (one day), and it can be set anywhere from 1 to 525,600 minutes.
Subnet Mask—The subnet mask is applied to any manually blocked address. If you only want to block the actual attacking host, you should use a netmask of 255.255.255.255. This default subnet mask will be used for all manual blocking.
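Because the Subnet Mask preference is applied to every manual block, a mask shorter than 255.255.255.255 widens each block to the attacker's whole subnet. The following added Python preflight (not part of CSPM) computes the range a manual block would cover and flags overlap with networks you must never block; the `NEVER_BLOCK` list and the `check_block` name are assumptions for this example.

```python
import ipaddress

# Networks a manual block must never cover: constructed for this example
# (an internal server segment and the DNS resolver).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.53/32")]


def blocked_range(attacker, subnet_mask):
    """Range the sensor blocks: the attacker address masked with the Subnet Mask preference."""
    return ipaddress.ip_network(f"{attacker}/{subnet_mask}", strict=False)


def check_block(attacker, subnet_mask, time_to_block=1440):
    """Preflight a manual block before issuing it from the Event Viewer.

    Returns (network, number_of_addresses, overlapping_protected_networks).
    Time To Block is validated against the 1 to 525,600 minute range.
    """
    if not 1 <= time_to_block <= 525_600:
        raise ValueError("Time To Block must be between 1 and 525,600 minutes")
    net = blocked_range(attacker, subnet_mask)
    collateral = [p for p in NEVER_BLOCK if net.overlaps(p)]
    return net, net.num_addresses, collateral


if __name__ == "__main__":
    for addr, mask in (("203.0.113.7", "255.255.255.255"),
                       ("192.168.1.77", "255.255.255.0"),
                       ("10.0.0.99", "255.255.0.0")):
        net, n, collateral = check_block(addr, mask)
        status = "OK" if not collateral else f"would also block {collateral}"
        print(f"{addr} with mask {mask}: blocks {net} ({n} addresses) {status}")
```

A host mask of 255.255.255.255 blocks exactly one address; the same preference set to 255.255.255.0 turns a block on one internal host into a block on its entire /24, which is why the default mask deserves a second look before the first manual block.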
The Cells section of the Preference window enables you to configure the following parameters:
Blank-Left—This configures the Event Viewer not to repeat identical information in the leftmost column. If ten alarms are all generated by the same signature, the Event Viewer lists the name of the alarm in the first row and leaves that column empty in the nine rows below. By default, Blank-Left is selected.
Blank-Right—Blank-right affects how the collapsed cells display in the Event Viewer beyond the expansion boundary. By default, Blank-right isn’t selected.
The Status Events section enables you to decide whether Event Viewer should list status events (route down, route up, PostOffice messages) in the Event Viewer grid. If this option isn’t selected, then status events won’t be listed in the grid. If you choose Display Popup Window, then all route down messages will generate a pop-up window and other status events won’t be displayed.
The Boundaries section in the Preferences window enables you to configure the following:
Default Expansion Boundary—Persistent setting that configures the default expansion boundary. By default, this is set to two.
Maximum Events Per Grid—Configures the maximum number of rows a single instance of the Event Viewer will display. The default is 250,000 alarms and can be changed to any value from 1 to 4,000,000,000.
Event Batching Timeout—Configures how often, in seconds, the Event Viewer is updated during an alarm flood. The default is 0, meaning the Event Viewer is constantly updated with new alarms as they’re generated.
The Event Severity Indicator section of the Preferences window enables you to configure the color and icons used to represent the different signature alarm severities. The colors affect the background of the Count field for each alarm. You can also change the icon used to represent the severity listed for each alarm. The default colors and icons used for each severity are listed in Table 26-4.
Alarms are assigned a level of severity from one to five. These alarm levels are mapped to a severity of Low, Medium, or High. Table 26-2 shows the default mapping of alarm levels to severity levels. You can change the default mapping of alarm levels to severity levels using the Severity Mapping section of the Preferences window.